]> git.saurik.com Git - apple/xnu.git/blob - bsd/bsm/audit_kernel.h
projects / apple / xnu.git / blob
? search:


b51c7b07ed295937214f35c59497f2862105762b
[apple/xnu.git] / bsd / bsm / audit_kernel.h
1 /*
2 * @APPLE_BSD_LICENSE_HEADER_START@
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of its
14 * contributors may be used to endorse or promote products derived from
15 * this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 *
28 * @APPLE_BSD_LICENSE_HEADER_END@
29 */
30
31 #ifndef _BSM_AUDIT_KERNEL_H
32 #define _BSM_AUDIT_KERNEL_H
33
34 #ifdef KERNEL
35
36 #include <bsm/audit.h>
37
38 #include <sys/sysctl.h>
39 #include <sys/user.h>
40 #include <sys/ipc.h>
41
42 /*
43 * Audit subsystem condition flags. The audit_enabled flag is set and
44 * removed automatically as a result of configuring log files, and
45 * can be observed but should not be directly manipulated. The audit
46 * suspension flag permits audit to be temporarily disabled without
47 * reconfiguring the audit target.
48 */
49 extern int audit_enabled;
50 extern int audit_suspended;
51
52 #define BSM_SUCCESS 0
53 #define BSM_FAILURE 1
54 #define BSM_NOAUDIT 2
55
56 /*
57 * Define the masks for the audited arguments.
58 */
59 #define ARG_EUID 0x0000000000000001ULL
60 #define ARG_RUID 0x0000000000000002ULL
61 #define ARG_SUID 0x0000000000000004ULL
62 #define ARG_EGID 0x0000000000000008ULL
63 #define ARG_RGID 0x0000000000000010ULL
64 #define ARG_SGID 0x0000000000000020ULL
65 #define ARG_PID 0x0000000000000040ULL
66 #define ARG_UID 0x0000000000000080ULL
67 #define ARG_AUID 0x0000000000000100ULL
68 #define ARG_GID 0x0000000000000200ULL
69 #define ARG_FD 0x0000000000000400ULL
70 #define ARG_POSIX_IPC_PERM 0x0000000000000800ULL
71 #define ARG_FFLAGS 0x0000000000001000ULL
72 #define ARG_MODE 0x0000000000002000ULL
73 #define ARG_DEV 0x0000000000004000ULL
74 #define ARG_ADDR 0x0000000000008000ULL
75 #define ARG_LEN 0x0000000000010000ULL
76 #define ARG_MASK 0x0000000000020000ULL
77 #define ARG_SIGNUM 0x0000000000040000ULL
78 #define ARG_LOGIN 0x0000000000080000ULL
79 #define ARG_SADDRINET 0x0000000000100000ULL
80 #define ARG_SADDRINET6 0x0000000000200000ULL
81 #define ARG_SADDRUNIX 0x0000000000400000ULL
82 #define ARG_KPATH1 0x0000000000800000ULL
83 #define ARG_KPATH2 0x0000000001000000ULL
84 #define ARG_UPATH1 0x0000000002000000ULL
85 #define ARG_UPATH2 0x0000000004000000ULL
86 #define ARG_TEXT 0x0000000008000000ULL
87 #define ARG_VNODE1 0x0000000010000000ULL
88 #define ARG_VNODE2 0x0000000020000000ULL
89 #define ARG_SVIPC_CMD 0x0000000040000000ULL
90 #define ARG_SVIPC_PERM 0x0000000080000000ULL
91 #define ARG_SVIPC_ID 0x0000000100000000ULL
92 #define ARG_SVIPC_ADDR 0x0000000200000000ULL
93 #define ARG_GROUPSET 0x0000000400000000ULL
94 #define ARG_CMD 0x0000000800000000ULL
95 #define ARG_SOCKINFO 0x0000001000000000ULL
96 #define ARG_ASID 0x0000002000000000ULL
97 #define ARG_TERMID 0x0000004000000000ULL
98 #define ARG_AUDITON 0x0000008000000000ULL
99 #define ARG_VALUE 0x0000010000000000ULL
100 #define ARG_AMASK 0x0000020000000000ULL
101 #define ARG_CTLNAME 0x0000040000000000ULL
102 #define ARG_PROCESS 0x0000080000000000ULL
103 #define ARG_MACHPORT1 0x0000100000000000ULL
104 #define ARG_MACHPORT2 0x0000200000000000ULL
105 #define ARG_NONE 0x0000000000000000ULL
106 #define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
107
108 /* Defines for the kernel audit record k_ar_commit field */
109 #define AR_COMMIT_KERNEL 0x00000001U
110 #define AR_COMMIT_USER 0x00000010U
111
112 struct vnode_au_info {
113 mode_t vn_mode;
114 uid_t vn_uid;
115 gid_t vn_gid;
116 dev_t vn_dev;
117 long vn_fsid;
118 long vn_fileid;
119 long vn_gen;
120 };
121
122 struct groupset {
123 gid_t gidset[NGROUPS];
124 u_int gidset_size;
125 };
126
127 struct socket_au_info {
128 int so_domain;
129 int so_type;
130 int so_protocol;
131 in_addr_t so_raddr; /* remote address if INET socket */
132 in_addr_t so_laddr; /* local address if INET socket */
133 u_short so_rport; /* remote port */
134 u_short so_lport; /* local port */
135 };
136
137 union auditon_udata {
138 char au_path[MAXPATHLEN];
139 long au_cond;
140 long au_flags;
141 long au_policy;
142 au_evclass_map_t au_evclass;
143 au_mask_t au_mask;
144 auditinfo_t au_auinfo;
145 auditpinfo_t au_aupinfo;
146 auditpinfo_addr_t au_aupinfo_addr;
147 au_qctrl_t au_qctrl;
148 au_stat_t au_stat;
149 au_fstat_t au_fstat;
150 };
151
152 struct posix_ipc_perm {
153 uid_t pipc_uid;
154 gid_t pipc_gid;
155 mode_t pipc_mode;
156 };
157
158 struct audit_record {
159 /* Audit record header. */
160 u_int32_t ar_magic;
161 int ar_event;
162 int ar_retval; /* value returned to the process */
163 int ar_errno; /* return status of system call */
164 struct timespec ar_starttime;
165 struct timespec ar_endtime;
166 u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
167
168 /* Audit subject information. */
169 struct xucred ar_subj_cred;
170 uid_t ar_subj_ruid;
171 gid_t ar_subj_rgid;
172 gid_t ar_subj_egid;
173 uid_t ar_subj_auid; /* Audit user ID */
174 pid_t ar_subj_asid; /* Audit session ID */
175 pid_t ar_subj_pid;
176 struct au_tid ar_subj_term;
177 char ar_subj_comm[MAXCOMLEN + 1];
178 struct au_mask ar_subj_amask;
179
180 /* Operation arguments. */
181 uid_t ar_arg_euid;
182 uid_t ar_arg_ruid;
183 uid_t ar_arg_suid;
184 gid_t ar_arg_egid;
185 gid_t ar_arg_rgid;
186 gid_t ar_arg_sgid;
187 pid_t ar_arg_pid;
188 pid_t ar_arg_asid;
189 struct au_tid ar_arg_termid;
190 uid_t ar_arg_uid;
191 uid_t ar_arg_auid;
192 gid_t ar_arg_gid;
193 struct groupset ar_arg_groups;
194 int ar_arg_fd;
195 int ar_arg_fflags;
196 mode_t ar_arg_mode;
197 int ar_arg_dev;
198 long ar_arg_value;
199 void * ar_arg_addr;
200 int ar_arg_len;
201 int ar_arg_mask;
202 u_int ar_arg_signum;
203 char ar_arg_login[MAXLOGNAME];
204 int ar_arg_ctlname[CTL_MAXNAME];
205 struct sockaddr ar_arg_sockaddr;
206 struct socket_au_info ar_arg_sockinfo;
207 char *ar_arg_upath1;
208 char *ar_arg_upath2;
209 char *ar_arg_kpath1;
210 char *ar_arg_kpath2;
211 char *ar_arg_text;
212 struct au_mask ar_arg_amask;
213 struct vnode_au_info ar_arg_vnode1;
214 struct vnode_au_info ar_arg_vnode2;
215 int ar_arg_cmd;
216 int ar_arg_svipc_cmd;
217 struct ipc_perm ar_arg_svipc_perm;
218 int ar_arg_svipc_id;
219 void * ar_arg_svipc_addr;
220 struct posix_ipc_perm ar_arg_pipc_perm;
221 mach_port_name_t ar_arg_mach_port1;
222 mach_port_name_t ar_arg_mach_port2;
223 union auditon_udata ar_arg_auditon;
224 };
225
226 /*
227 * In-kernel version of audit record; the basic record plus queue meta-data.
228 * This record can also have a pointer set to some opaque data that will
229 * be passed through to the audit writing mechanism.
230 */
231 struct kaudit_record {
232 struct audit_record k_ar;
233 u_int32_t k_ar_commit;
234 void *k_udata; /* user data */
235 u_int k_ulen; /* user data length */
236 struct uthread *k_uthread; /* thread we are auditing */
237 TAILQ_ENTRY(kaudit_record) k_q;
238 };
239
240 struct proc;
241 struct vnode;
242 struct componentname;
243
244 void audit_abort(struct kaudit_record *ar);
245 void audit_commit(struct kaudit_record *ar, int error,
246 int retval);
247 void audit_init(void);
248 void audit_shutdown(void);
249
250 struct kaudit_record *audit_new(int event, struct proc *p,
251 struct uthread *uthread);
252
253 void audit_syscall_enter(unsigned short code,
254 struct proc *proc, struct uthread *uthread);
255 void audit_syscall_exit(int error, struct proc *proc,
256 struct uthread *uthread);
257 void audit_mach_syscall_enter(unsigned short audit_event);
258 void audit_mach_syscall_exit(int retval,
259 struct uthread *uthread);
260
261 int kaudit_to_bsm(struct kaudit_record *kar,
262 struct au_record **pau);
263
264 int bsm_rec_verify(void *rec);
265
266 /*
267 * Kernel versions of the BSM audit record functions.
268 */
269 struct au_record *kau_open(void);
270 int kau_write(struct au_record *rec, token_t *m);
271 int kau_close(struct au_record *rec,
272 struct timespec *endtime, short event);
273 void kau_free(struct au_record *rec);
274 void kau_init(void);
275 token_t *kau_to_file(const char *file, const struct timeval *tv);
276 token_t *kau_to_header(const struct timespec *ctime, int rec_size,
277 au_event_t e_type, au_emod_t e_mod);
278 token_t *kau_to_header32(const struct timespec *ctime, int rec_size,
279 au_event_t e_type, au_emod_t e_mod);
280 token_t *kau_to_header64(const struct timespec *ctime, int rec_size,
281 au_event_t e_type, au_emod_t e_mod);
282 /*
283 * The remaining kernel functions are conditionally compiled in as they
284 * are wrapped by a macro, and the macro should be the only place in
285 * the source tree where these functions are referenced.
286 */
287 #ifdef AUDIT
288 void audit_arg_addr(user_addr_t addr);
289 void audit_arg_len(user_size_t len);
290 void audit_arg_fd(int fd);
291 void audit_arg_fflags(int fflags);
292 void audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid,
293 gid_t sgid);
294 void audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid,
295 uid_t suid);
296 void audit_arg_groupset(const gid_t *gidset, u_int gidset_size);
297 void audit_arg_login(const char *login);
298 void audit_arg_ctlname(const int *name, int namelen);
299 void audit_arg_mask(int mask);
300 void audit_arg_mode(mode_t mode);
301 void audit_arg_dev(int dev);
302 void audit_arg_value(long value);
303 void audit_arg_owner(uid_t uid, gid_t gid);
304 void audit_arg_pid(pid_t pid);
305 void audit_arg_process(struct proc *p);
306 void audit_arg_signum(u_int signum);
307 void audit_arg_socket(int sodomain, int sotype,
308 int soprotocol);
309 void audit_arg_sockaddr(struct proc *p,
310 struct sockaddr *so);
311 void audit_arg_auid(uid_t auid);
312 void audit_arg_auditinfo(const struct auditinfo *au_info);
313 void audit_arg_upath(struct proc *p, char *upath,
314 u_int64_t flags);
315 void audit_arg_vnpath(struct vnode *vp, u_int64_t flags);
316 void audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags);
317 void audit_arg_text(const char *text);
318 void audit_arg_cmd(int cmd);
319 void audit_arg_svipc_cmd(int cmd);
320 void audit_arg_svipc_perm(const struct ipc_perm *perm);
321 void audit_arg_svipc_id(int id);
322 void audit_arg_svipc_addr(void *addr);
323 void audit_arg_posix_ipc_perm(uid_t uid, gid_t gid,
324 mode_t mode);
325 void audit_arg_auditon(const union auditon_udata *udata);
326 void audit_arg_file(struct proc *p, const struct fileproc *fp);
327 void audit_arg_mach_port1(mach_port_name_t port);
328 void audit_arg_mach_port2(mach_port_name_t port);
329
330 void audit_sysclose(struct proc *p, int fd);
331
332 void audit_proc_init(struct proc *p);
333 void audit_proc_fork(struct proc *parent,
334 struct proc *child);
335 void audit_proc_free(struct proc *p);
336
337 /*
338 * Define a macro to wrap the audit_arg_* calls by checking the global
339 * audit_enabled flag before performing the actual call.
340 */
341 #define AUDIT_ARG(op, args...) do { \
342 if (audit_enabled) \
343 audit_arg_ ## op (args); \
344 } while (0)
345
346 #define AUDIT_SYSCALL_ENTER(args...) do { \
347 if (audit_enabled) { \
348 audit_syscall_enter(args); \
349 } \
350 } while (0)
351
352 /*
353 * Wrap the audit_syscall_exit() function so that it is called only when
354 * auditing is enabled, or we have a audit record on the thread. It is
355 * possible that an audit record was begun before auditing was turned off.
356 */
357 #define AUDIT_SYSCALL_EXIT(error, proc, uthread) do { \
358 if (audit_enabled || (uthread->uu_ar != NULL)) { \
359 audit_syscall_exit(error, proc, uthread); \
360 } \
361 } while (0)
362
363 /*
364 * Wrap the audit_mach_syscall_enter() and audit_mach_syscall_exit()
365 * functions in a manner similar to other system call enter/exit functions.
366 */
367 #define AUDIT_MACH_SYSCALL_ENTER(args...) do { \
368 if (audit_enabled) { \
369 audit_mach_syscall_enter(args); \
370 } \
371 } while (0)
372
373 #define AUDIT_MACH_SYSCALL_EXIT(retval) do { \
374 struct uthread *__uthread = get_bsdthread_info(current_thread()); \
375 if (audit_enabled || (__uthread->uu_ar != NULL)) { \
376 audit_mach_syscall_exit(retval, __uthread); \
377 } \
378 } while (0)
379
380 /*
381 * A Macro to wrap the audit_sysclose() function.
382 */
383 #define AUDIT_SYSCLOSE(args...) do { \
384 if (audit_enabled) \
385 audit_sysclose(args); \
386 } while (0)
387
388 #else /* !AUDIT */
389 #define AUDIT_SYSCALL_ENTER(args...) do { \
390 } while (0)
391
392 #define AUDIT_SYSCALL_EXIT(error, proc, uthread) do { \
393 } while (0)
394
395 #define AUDIT_MACH_SYSCALL_ENTER(args...) do { \
396 } while (0)
397
398 #define AUDIT_MACH_SYSCALL_EXIT(retval) do { \
399 } while (0)
400
401 #define AUDIT_SYSCLOSE(op, args...) do { \
402 } while (0)
403
404 #endif /* AUDIT */
405
406 #endif /* KERNEL */
407
408 #endif /* !_BSM_AUDIT_KERNEL_H */
mirror of XNU