/*-
- * Copyright (c) 1999-2009 Apple Inc.
+ * Copyright (c) 1999-2016 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
extern int audit_fail_stop;
extern int audit_argv;
extern int audit_arge;
+extern au_ctlmode_t audit_ctl_mode;
+extern au_expire_after_t audit_expire_after;
/*
* Kernel mask that is used to check to see if system calls need to be audited.
#define AR_PRESELECT_USER_TRAIL 0x00004000U
#define AR_PRESELECT_USER_PIPE 0x00008000U
+#define AR_PRESELECT_FILTER 0x00010000U
+
#define AR_DRAIN_QUEUE 0x80000000U
/*
int au_trigger;
au_evclass_map_t au_evclass;
au_mask_t au_mask;
+ au_asflgs_t au_flags;
auditinfo_t au_auinfo;
auditpinfo_t au_aupinfo;
auditpinfo_addr_t au_aupinfo_addr;
au_stat_t au_stat;
au_fstat_t au_fstat;
auditinfo_addr_t au_kau_info;
+ au_ctlmode_t au_ctl_mode;
+ au_expire_after_t au_expire_after;
};
struct posix_ipc_perm {
mode_t pipc_mode;
};
+struct au_identity_info {
+ u_int32_t signer_type;
+ char *signing_id;
+ u_char signing_id_trunc;
+ char *team_id;
+ u_char team_id_trunc;
+ u_int8_t *cdhash;
+ u_int16_t cdhash_len;
+};
+
struct audit_record {
/* Audit record header. */
u_int32_t ar_magic;
int ar_arg_exitstatus;
int ar_arg_exitretval;
struct sockaddr_storage ar_arg_sockaddr;
+ int ar_arg_fd2;
#if CONFIG_MACF
/*
LIST_HEAD(mac_audit_record_list_t, mac_audit_record) *ar_mac_records;
int ar_forced_by_mac;
#endif
+ struct au_identity_info ar_arg_identity;
};
/*
*/
struct au_record;
int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau);
-int bsm_rec_verify(void *rec);
+int bsm_rec_verify(void *rec, int length);
/*
* Kernel versions of the libbsm audit record functions.
au_event_t audit_flags_and_error_to_openevent(int oflags, int error);
au_event_t audit_flags_and_error_to_openextendedevent(int oflags,
int error);
+au_event_t audit_flags_and_error_to_openatevent(int oflags,
+ int error);
+au_event_t audit_flags_and_error_to_openbyidevent(int oflags,
+ int error);
au_event_t audit_msgctl_to_event(int cmd);
au_event_t audit_semctl_to_event(int cmr);
int audit_canon_path(struct vnode *cwd_vp, char *path,
void audit_rotate_vnode(struct ucred *cred,
struct vnode *vp);
void audit_worker_init(void);
+void audit_identity_info_construct(
+ struct au_identity_info *id_info);
+void audit_identity_info_destruct(
+ struct au_identity_info *id_info);
/*
* Audit pipe functions.
* Audit Session.
*/
void audit_session_init(void);
-int audit_session_setaia(proc_t p, auditinfo_addr_t *aia_p, int newprocess);
+int audit_session_setaia(proc_t p, auditinfo_addr_t *aia_p);
auditinfo_addr_t *audit_session_update(auditinfo_addr_t *new_aia);
int audit_session_lookup(au_asid_t asid, auditinfo_addr_t *ret_aia);
#define ASSIGNED_ASID_MIN (PID_MAX + 1)
#define ASSIGNED_ASID_MAX (0xFFFFFFFF - 1)
+/*
+ * Entitlement required to control various audit subsystem settings
+ */
+#define AU_CLASS_RESERVED_ENTITLEMENT "com.apple.private.dz.audit"
+
+/*
+ * Entitlement required to control auditctl sys call
+ */
+#define AU_AUDITCTL_RESERVED_ENTITLEMENT "com.apple.private.protected-audit-control"
+
+/*
+ * Max sizes used by the kernel for signing id and team id values of the
+ * identity tokens. These lengths include space for the null terminator.
+ */
+#define MAX_AU_IDENTITY_SIGNING_ID_LENGTH 129
+#define MAX_AU_IDENTITY_TEAM_ID_LENGTH 17
+
+struct __attribute__((__packed__)) hdr_tok_partial {
+ u_char type;
+ uint32_t len;
+};
+static_assert(sizeof(struct hdr_tok_partial) == 5);
+
+struct __attribute__((__packed__)) trl_tok_partial {
+ u_char type;
+ uint16_t magic;
+ uint32_t len;
+};
+static_assert(sizeof(struct trl_tok_partial) == 7);
+
#endif /* defined(KERNEL) || defined(_KERNEL) */
#endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */
projects / apple / xnu.git / blobdiff