git.saurik.com Git - apple/xnu.git/blob - bsd/security/audit/audit

1 /*-

4 *

5 * Redistribution and use in source and binary forms, with or without

6 * modification, are permitted provided that the following conditions

7 * are met:

8 * 1. Redistributions of source code must retain the above copyright

9 * notice, this list of conditions and the following disclaimer.

10 * 2. Redistributions in binary form must reproduce the above copyright

11 * notice, this list of conditions and the following disclaimer in the

12 * documentation and/or other materials provided with the distribution.

13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of

14 * its contributors may be used to endorse or promote products derived

15 * from this software without specific prior written permission.

16 *

17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND

18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR

21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING

26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

27 * POSSIBILITY OF SUCH DAMAGE.

28 */

29 /*

30 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce

31 * support for mandatory and extensible security protections. This notice

32 * is included in support of clause 2.2 (b) of the Apple Public License,

33 * Version 2.0.

34 */

36 /*

37 * This include file contains function prototypes and type definitions used

38 * within the audit implementation.

39 */

41 #ifndef _SECURITY_AUDIT_PRIVATE_H_

42 #define _SECURITY_AUDIT_PRIVATE_H_

44 #if defined(_KERNEL) || defined(KERNEL)

46 #if CONFIG_MACF

47 #include <sys/queue.h>

48 #include <security/mac_framework.h>

49 #endif

51 #include <sys/ipc.h>

52 #include <sys/proc_internal.h> /* for PID_MAX */

53 #include <sys/socket.h>

54 #include <sys/ucred.h>

56 #ifdef MALLOC_DECLARE

57 MALLOC_DECLARE(M_AUDITBSM);

58 MALLOC_DECLARE(M_AUDITDATA);

59 MALLOC_DECLARE(M_AUDITPATH);

60 MALLOC_DECLARE(M_AUDITTEXT);

61 #endif

62 KALLOC_HEAP_DECLARE(KHEAP_AUDIT);

63 #if CONFIG_AUDIT

64 /*

65 * mac_audit_data_zone is the zone used for data pushed into the audit

66 * record by policies. Using a zone simplifies memory management of this

67 * data, and allows tracking of the amount of data in flight.

68 */

69 extern zone_t mac_audit_data_zone;

70 #endif

72 /*

73 * Audit control variables that are usually set/read via system calls and

74 * used to control various aspects of auditing.

75 */

76 extern struct au_qctrl audit_qctrl;

77 extern struct audit_fstat audit_fstat;

78 extern struct au_mask audit_nae_mask;

79 extern int audit_panic_on_write_fail;

80 extern int audit_fail_stop;

81 extern int audit_argv;

82 extern int audit_arge;

83 extern au_ctlmode_t audit_ctl_mode;

84 extern au_expire_after_t audit_expire_after;

86 /*

87 * Kernel mask that is used to check to see if system calls need to be audited.

88 */

89 extern au_class_t audit_kevent_mask;

91 /*

92 * The macro used to check to see if the system calls need to be auditing.

93 * This will pessimisticly set the audit syscalls flag if the audit kevent

94 * mask has not been created yet. User code should build the event/class

95 * mapping table before setting preselection masks to avoid this.

96 */

97 #define AUDIT_CHECK_IF_KEVENTS_MASK(m) do { \

98 if ((m).am_success || (m).am_failure) \

99 if (!audit_kevent_mask || \

100 (audit_kevent_mask & (m).am_success) || \

101 (audit_kevent_mask & (m).am_failure)) \

102 audit_syscalls = 1; \

103 } while (0)

104

105 /*

106 * Success/failure conditions for the conversion of a kernel audit record to

107 * BSM format.

108 */

109 #define BSM_SUCCESS 0

110 #define BSM_FAILURE 1

111 #define BSM_NOAUDIT 2

112

113 /*

114 * Defines for the kernel audit record k_ar_commit field. Flags are set to

115 * indicate what sort of record it is, and which preselection mechanism

116 * selected it.

117 */

118 #define AR_COMMIT_KERNEL 0x00000001U

119 #define AR_COMMIT_USER 0x00000010U

120

121 #define AR_PRESELECT_TRAIL 0x00001000U

122 #define AR_PRESELECT_PIPE 0x00002000U

123

124 #define AR_PRESELECT_USER_TRAIL 0x00004000U

125 #define AR_PRESELECT_USER_PIPE 0x00008000U

126

127 #define AR_PRESELECT_FILTER 0x00010000U

128

129 #define AR_DRAIN_QUEUE 0x80000000U

130

131 /*

132 * Audit data is generated as a stream of struct audit_record structures,

133 * linked by struct kaudit_record, and contain storage for possible audit so

134 * that it will not need to be allocated during the processing of a system

135 * call, both improving efficiency and avoiding sleeping at untimely moments.

136 * This structure is converted to BSM format before being written to disk.

137 */

138 struct vnode_au_info {

139 mode_t vn_mode;

140 uid_t vn_uid;

141 gid_t vn_gid;

142 dev_t vn_dev;

143 long vn_fsid;

144 long vn_fileid;

145 long vn_gen;

146 };

147

148 struct groupset {

149 gid_t gidset[NGROUPS];

150 u_int gidset_size;

151 };

152

153 struct socket_au_info {

154 int sai_domain;

155 int sai_type;

156 int sai_protocol;

157

158 /* Foreign (remote) address/port. */

159 struct sockaddr_storage sai_faddr;

160

161 /* Local address/port. */

162 struct sockaddr_storage sai_laddr;

163 };

164

165 /*

166 * The following is used for A_OLDSETQCTRL and A_OLDGETQCTRL and a 64-bit

167 * userland.

168 */

169 struct au_qctrl64 {

170 u_int64_t aq64_hiwater;

171 u_int64_t aq64_lowater;

172 u_int64_t aq64_bufsz;

173 u_int64_t aq64_delay;

174 int64_t aq64_minfree;

175 };

176 typedef struct au_qctrl64 au_qctrl64_t;

177

178 union auditon_udata {

179 char *au_path;

180 int au_cond;

181 int au_policy;

182 int64_t au_cond64;

183 int64_t au_policy64;

184 int au_trigger;

185 au_evclass_map_t au_evclass;

186 au_mask_t au_mask;

187 au_asflgs_t au_flags;

188 auditinfo_t au_auinfo;

189 auditpinfo_t au_aupinfo;

190 auditpinfo_addr_t au_aupinfo_addr;

191 au_qctrl_t au_qctrl;

192 au_qctrl64_t au_qctrl64;

193 au_stat_t au_stat;

194 au_fstat_t au_fstat;

195 auditinfo_addr_t au_kau_info;

196 au_ctlmode_t au_ctl_mode;

197 au_expire_after_t au_expire_after;

198 };

199

200 struct posix_ipc_perm {

201 uid_t pipc_uid;

202 gid_t pipc_gid;

203 mode_t pipc_mode;

204 };

205

206 struct au_identity_info {

207 u_int32_t signer_type;

208 char *signing_id;

209 u_char signing_id_trunc;

210 char *team_id;

211 u_char team_id_trunc;

212 u_int8_t *cdhash;

213 u_int16_t cdhash_len;

214 };

215

216 struct audit_record {

217 /* Audit record header. */

218 u_int32_t ar_magic;

219 int ar_event;

220 int ar_retval; /* value returned to the process */

221 int ar_errno; /* return status of system call */

222 struct timespec ar_starttime;

223 struct timespec ar_endtime;

224 u_int64_t ar_valid_arg; /* Bitmask of valid arguments */

225

226 /* Audit subject information. */

227 struct xucred ar_subj_cred;

228 uid_t ar_subj_ruid;

229 gid_t ar_subj_rgid;

230 gid_t ar_subj_egid;

231 uid_t ar_subj_auid; /* Audit user ID */

232 pid_t ar_subj_asid; /* Audit session ID */

233 pid_t ar_subj_pid;

234 struct au_tid ar_subj_term;

235 struct au_tid_addr ar_subj_term_addr;

236 struct au_mask ar_subj_amask;

237

238 /* Operation arguments. */

239 uid_t ar_arg_euid;

240 uid_t ar_arg_ruid;

241 uid_t ar_arg_suid;

242 gid_t ar_arg_egid;

243 gid_t ar_arg_rgid;

244 gid_t ar_arg_sgid;

245 pid_t ar_arg_pid;

246 pid_t ar_arg_asid;

247 struct au_tid ar_arg_termid;

248 struct au_tid_addr ar_arg_termid_addr;

249 uid_t ar_arg_uid;

250 uid_t ar_arg_auid;

251 gid_t ar_arg_gid;

252 struct groupset ar_arg_groups;

253 int ar_arg_fd;

254 int ar_arg_fflags;

255 mode_t ar_arg_mode;

256 uint32_t ar_arg_value32;

257 uint64_t ar_arg_value64;

258 user_addr_t ar_arg_addr;

259 user_size_t ar_arg_len;

260 int ar_arg_mask;

261 u_int ar_arg_signum;

262 char ar_arg_login[MAXLOGNAME];

263 int ar_arg_ctlname[CTL_MAXNAME];

264 struct socket_au_info ar_arg_sockinfo;

265 char *ar_arg_upath1;

266 char *ar_arg_upath2;

267 char *ar_arg_kpath1; /* darwin-only */

268 char *ar_arg_kpath2; /* darwin-only */

269 #if CONFIG_MACF

270 char *ar_vnode1_mac_labels;

271 char *ar_vnode2_mac_labels;

272 char *ar_cred_mac_labels;

273 char *ar_arg_mac_string;

274 #endif

275 char *ar_arg_text;

276 void *ar_arg_opaque; /* darwin-only */

277 void *ar_arg_data; /* darwin-only */

278 u_int16_t ar_arg_opq_size; /* darwin-only */

279 u_char ar_arg_data_type; /* darwin-only */

280 u_char ar_arg_data_count; /* darwin-only */

281 struct au_mask ar_arg_amask;

282 struct vnode_au_info ar_arg_vnode1;

283 struct vnode_au_info ar_arg_vnode2;

284 int ar_arg_cmd;

285 int ar_arg_svipc_cmd;

286 struct ipc_perm ar_arg_svipc_perm;

287 int ar_arg_svipc_id;

288 user_addr_t ar_arg_svipc_addr;

289 struct posix_ipc_perm ar_arg_pipc_perm;

290 mach_port_name_t ar_arg_mach_port1; /* darwin-only */

291 mach_port_name_t ar_arg_mach_port2; /* darwin-only */

292 union auditon_udata ar_arg_auditon;

293 char *ar_arg_argv;

294 int ar_arg_argc;

295 char *ar_arg_envv;

296 int ar_arg_envc;

297 int ar_arg_exitstatus;

298 int ar_arg_exitretval;

299 struct sockaddr_storage ar_arg_sockaddr;

300 int ar_arg_fd2;

301

302 #if CONFIG_MACF

303 /*

304 * MAC security related fields added by MAC policies ar_forced_by_mac

305 * is 1 if mac_audit_check_preselect() forced this call to be audited,

306 * 0 otherwise.

307 */

         LIST_HEAD(mac_audit_record_list_t, mac_audit_record)    * ar_mac_records;

309 int ar_forced_by_mac;

310 #endif

311 struct au_identity_info ar_arg_identity;

312 };

313

314 /*

315 * Arguments in the audit record are initially not defined; flags are set to

316 * indicate if they are present so they can be included in the audit log

317 * stream only if defined.

318 */

319 #define ARG_IS_VALID(kar, arg) ((kar)->k_ar.ar_valid_arg & (arg))

320 #define ARG_SET_VALID(kar, arg) do { \

321 (kar)->k_ar.ar_valid_arg |= (arg); \

322 } while (0)

323

324 /*

325 * Current thread macro. get_bsdthread_info() returns a void ptr for some

326 * reason.

327 */

328 #define curthread() ((struct uthread *)get_bsdthread_info(current_thread()))

329

330 /*

331 * In-kernel version of audit record; the basic record plus queue meta-data.

332 * This record can also have a pointer set to some opaque data that will be

333 * passed through to the audit writing mechanism.

334 */

335 struct kaudit_record {

336 struct audit_record k_ar;

337 u_int32_t k_ar_commit;

338 void *k_udata; /* User data. */

339 u_int k_ulen; /* User data length. */

340 struct uthread *k_uthread; /* Audited thread. */

341 TAILQ_ENTRY(kaudit_record) k_q;

342 };

343 TAILQ_HEAD(kaudit_queue, kaudit_record);

344

345 /*

346 * Functions to manage the allocation, release, and commit of kernel audit

347 * records.

348 */

 void                     audit_abort(struct kaudit_record *ar);

 void                     audit_commit(struct kaudit_record *ar, int error,

351 int retval);

 struct kaudit_record    *audit_new(int event, proc_t p, struct uthread *td);

353

354 /*

355 * Functions relating to the conversion of internal kernel audit records to

356 * the BSM file format.

357 */

358 struct au_record;

 int      kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau);

 int      bsm_rec_verify(void *rec, int length, boolean_t kern_events_allowed);

361

362 /*

363 * Kernel versions of the libbsm audit record functions.

364 */

 void     kau_free(struct au_record *rec);

 void     kau_init(void);

367

368 /*

369 * Return values for pre-selection and post-selection decisions.

370 */

371 #define AU_PRS_SUCCESS 1

372 #define AU_PRS_FAILURE 2

373 #define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)

374

375 /*

376 * Data structures relating to the kernel audit queue. Ideally, these might

377 * be abstracted so that only accessor methods are exposed.

378 */

379 extern struct mtx audit_mtx;

380 extern struct cv audit_watermark_cv;

381 extern struct cv audit_worker_cv;

382 extern struct cv audit_drain_cv;

383 extern struct kaudit_queue audit_q;

384 extern int audit_q_len;

385 extern int audit_pre_q_len;

386 extern int audit_in_failure;

387

388 /*

389 * Flags to use on audit files when opening and closing.

390 */

391 #define AUDIT_OPEN_FLAGS (FWRITE | O_APPEND)

392 #define AUDIT_CLOSE_FLAGS (FWRITE | O_APPEND)

393

394 #include <sys/fcntl.h>

395 #include <sys/kernel.h>

396 #include <sys/malloc.h>

397

398 /*

399 * Some of the BSM tokenizer functions take different parameters in the

400 * kernel implementations in order to save the copying of large kernel data

401 * structures. The prototypes of these functions are declared here.

402 */

 token_t         *kau_to_socket(struct socket_au_info *soi);

404

405 /*

406 * audit_klib prototypes

407 */

 int              au_preselect(au_event_t event, au_class_t class,

409 au_mask_t *mask_p, int sorf);

 void             au_evclassmap_init(void);

 void             au_evclassmap_insert(au_event_t event, au_class_t class);

412 au_class_t au_event_class(au_event_t event);

 au_event_t       audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg);

 au_event_t       audit_flags_and_error_to_openevent(int oflags, int error);

415 au_event_t audit_flags_and_error_to_openextendedevent(int oflags,

416 int error);

417 au_event_t audit_flags_and_error_to_openatevent(int oflags,

418 int error);

419 au_event_t audit_flags_and_error_to_openbyidevent(int oflags,

420 int error);

421 au_event_t audit_msgctl_to_event(int cmd);

422 au_event_t audit_semctl_to_event(int cmr);

 int              audit_canon_path(struct vnode *cwd_vp, char *path,

424 char *cpath);

425 au_event_t auditon_command_event(int cmd);

 au_event_t       audit_fcntl_command_event(int cmd, int oflags, int error);

427

428 /*

429 * Audit trigger events notify user space of kernel audit conditions

430 * asynchronously.

431 */

 int              audit_send_trigger(unsigned int trigger);

 int              audit_send_analytics(char* id, char* name);

434

435 /*

436 * Accessor functions to manage global audit state.

437 */

 void            audit_set_kinfo(struct auditinfo_addr *);

 void            audit_get_kinfo(struct auditinfo_addr *);

440

441 /*

442 * General audit related functions.

443 */

 struct kaudit_record    *currecord(void);

 void                     audit_free(struct kaudit_record *ar);

 void                     audit_rotate_vnode(struct ucred *cred,

447 struct vnode *vp);

 void                     audit_worker_init(void);

449 void audit_identity_info_construct(

450 struct au_identity_info *id_info);

451 void audit_identity_info_destruct(

452 struct au_identity_info *id_info);

453

454 /*

455 * Audit pipe functions.

456 */

 int      audit_pipe_init(void);

 int      audit_pipe_shutdown(void);

 int      audit_pipe_preselect(au_id_t auid, au_event_t event,

     au_class_t class, int sorf, int trail_select);

 void     audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class,

     int sorf, int trail_select, void *record, u_int record_len);

 void     audit_pipe_submit_user(void *record, u_int record_len);

464

465 /*

466 * Audit MAC prototypes.

467 */

 int     audit_mac_new(proc_t p, struct kaudit_record *ar);

 void    audit_mac_free(struct kaudit_record *ar);

 int     audit_mac_syscall_enter(unsigned short code, proc_t p,

     struct uthread *uthread, kauth_cred_t my_cred, au_event_t event);

 int     audit_mac_syscall_exit(unsigned short code, struct uthread *uthread,

473 int error, int retval);

474

475 /*

476 * Audit Session.

477 */

 void    audit_session_init(void);

 int     audit_session_setaia(proc_t p, auditinfo_addr_t *aia_p);

 auditinfo_addr_t *audit_session_update(auditinfo_addr_t *new_aia);

 int     audit_session_lookup(au_asid_t asid, auditinfo_addr_t *ret_aia);

482

483 /*

484 * Kernel assigned audit session IDs start at PID_MAX + 1 and ends at

485 * ASSIGNED_ASID_MAX.

486 */

487 #define ASSIGNED_ASID_MIN (PID_MAX + 1)

488 #define ASSIGNED_ASID_MAX (0xFFFFFFFF - 1)

489

490 /*

491 * Entitlement required to control various audit subsystem settings

492 */

493 #define AU_CLASS_RESERVED_ENTITLEMENT "com.apple.private.dz.audit"

494

495 /*

496 * Entitlement required to control auditctl sys call

497 */

498 #define AU_AUDITCTL_RESERVED_ENTITLEMENT "com.apple.private.protected-audit-control"

499

500 /*

501 * Entitlement required to control auditctl sys call

502 */

503 #define AU_AUDIT_USER_ENTITLEMENT "com.apple.private.audit.user"

504

505 /*

506 * Max sizes used by the kernel for signing id and team id values of the

507 * identity tokens. These lengths include space for the null terminator.

508 */

509 #define MAX_AU_IDENTITY_SIGNING_ID_LENGTH 129

510 #define MAX_AU_IDENTITY_TEAM_ID_LENGTH 17

511

 struct __attribute__((__packed__)) hdr_tok_partial {

513 u_char type;

514 uint32_t len;

515 u_char ver;

516 uint16_t e_type;

517 };

 static_assert(sizeof(struct hdr_tok_partial) == 8);

519

 struct __attribute__((__packed__)) trl_tok_partial {

521 u_char type;

522 uint16_t magic;

523 uint32_t len;

524 };

 static_assert(sizeof(struct trl_tok_partial) == 7);

526

527 #endif /* defined(KERNEL) || defined(_KERNEL) */

528

529 #endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */