X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/3903760236c30e3b5ace7a4eefac3a269d68957c..b226f5e54a60dc81db17b1260381d7dbfea3cdf1:/bsd/security/audit/audit_private.h
diff --git a/bsd/security/audit/audit_private.h b/bsd/security/audit/audit_private.h
index 8a5a556d8..8b58b79c1 100644
--- a/bsd/security/audit/audit_private.h
+++ b/bsd/security/audit/audit_private.h
@@ -71,6 +71,8 @@ extern int audit_panic_on_write_fail;
 extern int audit_fail_stop;
 extern int audit_argv;
 extern int audit_arge;
+extern au_ctlmode_t audit_ctl_mode;
+extern au_expire_after_t audit_expire_after;
 
 /*
 * Kernel mask that is used to check to see if system calls need to be audited.
@@ -182,6 +184,8 @@ union auditon_udata {
 au_stat_t au_stat;
 au_fstat_t au_fstat;
 auditinfo_addr_t au_kau_info;
+ au_ctlmode_t au_ctl_mode;
+ au_expire_after_t au_expire_after;
 };
 
 struct posix_ipc_perm {
@@ -190,6 +194,16 @@ struct posix_ipc_perm {
 mode_t pipc_mode;
 };
 
+struct au_identity_info {
+ u_int32_t signer_type;
+ char *signing_id;
+ u_char signing_id_trunc;
+ char *team_id;
+ u_char team_id_trunc;
+ u_int8_t *cdhash;
+ u_int16_t cdhash_len;
+};
+
 struct audit_record {
 /* Audit record header. */
 u_int32_t ar_magic;
@@ -285,6 +299,7 @@ struct audit_record {
 LIST_HEAD(mac_audit_record_list_t, mac_audit_record) *ar_mac_records;
 int ar_forced_by_mac;
 #endif
+ struct au_identity_info ar_arg_identity;
 };
 
 /*
@@ -333,7 +348,7 @@ struct kaudit_record *audit_new(int event, proc_t p, struct uthread *td);
 */
 struct au_record;
 int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau);
-int bsm_rec_verify(void *rec);
+int bsm_rec_verify(void *rec, int length);
 
 /*
 * Kernel versions of the libbsm audit record functions.
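Review bot: `struct au_identity_info` (hunk `@@ -190,6 +194,16 @@`) holds three raw pointers with no comment saying who allocates and frees them, and only `cdhash` carries an explicit length. The struct is embedded by value in `struct audit_record` as `ar_arg_identity` (hunk `@@ -285,6 +299,7 @@`), so any by-value copy of a record would alias those pointers; whether records are ever copied is not visible in this diff. I would add a header comment stating that the buffers are owned by the record and released by `audit_identity_info_destruct()`, that `signing_id` and `team_id` are NUL-terminated and bounded by `MAX_AU_IDENTITY_SIGNING_ID_LENGTH` / `MAX_AU_IDENTITY_TEAM_ID_LENGTH`, and that the `*_trunc` flags mark a truncated value, each to be confirmed against the implementation. The `audit_identity_info_construct()` prototype in hunk `@@ -421,6 +436,10 @@` returns `void`, so its comment should also say whether it only clears the fields or can allocate, since a failure could not be reported.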
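Review bot: The new `length` parameter of `bsm_rec_verify` (hunk `@@ -333,7 +348,7 @@`) is a signed `int`, while the record lengths it is presumably checked against are unsigned, as in the `uint32_t len` fields of `hdr_tok_partial` and `trl_tok_partial` added later in this patch. A negative value, or an implicit signed-to-unsigned conversion inside the comparison, can make a bounds check pass when it should fail. I would declare it as `int bsm_rec_verify(void *rec, size_t length);`, or at minimum reject `length < 0` before anything else in the function. The function body and its callers are outside this diff, so the types passed at the call sites still need checking.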
@@ -421,6 +436,10 @@ void audit_free(struct kaudit_record *ar);
 void audit_rotate_vnode(struct ucred *cred,
 struct vnode *vp);
 void audit_worker_init(void);
+void audit_identity_info_construct(
+ struct au_identity_info *id_info);
+void audit_identity_info_destruct(
+ struct au_identity_info *id_info);
 
 /*
 * Audit pipe functions.
@@ -459,6 +478,36 @@ int audit_session_lookup(au_asid_t asid, auditinfo_addr_t *ret_aia);
 #define ASSIGNED_ASID_MIN (PID_MAX + 1)
 #define ASSIGNED_ASID_MAX (0xFFFFFFFF - 1)
 
+/*
+ * Entitlement required to control various audit subsystem settings
+ */
+#define AU_CLASS_RESERVED_ENTITLEMENT "com.apple.private.dz.audit"
+
+/*
+ * Entitlement required to control auditctl sys call
+ */
+#define AU_AUDITCTL_RESERVED_ENTITLEMENT "com.apple.private.protected-audit-control"
+
+/*
+ * Max sizes used by the kernel for signing id and team id values of the
+ * identity tokens. These lengths include space for the null terminator.
+ */
+#define MAX_AU_IDENTITY_SIGNING_ID_LENGTH 129
+#define MAX_AU_IDENTITY_TEAM_ID_LENGTH 17
+
+struct __attribute__((__packed__)) hdr_tok_partial {
+ u_char type;
+ uint32_t len;
+};
+static_assert(sizeof(struct hdr_tok_partial) == 5);
+
+struct __attribute__((__packed__)) trl_tok_partial {
+ u_char type;
+ uint16_t magic;
+ uint32_t len;
+};
+static_assert(sizeof(struct trl_tok_partial) == 7);
+
 #endif /* defined(KERNEL) || defined(_KERNEL) */
 
 #endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */
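Review bot: `struct hdr_tok_partial` and `struct trl_tok_partial` (hunk `@@ -459,6 +478,36 @@`) are added without any comment, although they look like overlays for the fixed leading bytes of a BSM header and trailer token in a raw record buffer. A reader needs to know what byte order `len` and `magic` have as stored in the record, and that the buffer must be at least `sizeof` the struct before it is cast. I would put above each something like `/* Overlay of the fixed prefix of a BSM header token; multi-byte fields are in record byte order and must be converted and range-checked before use. */`, with the byte order confirmed against the code that reads them. Separately, the single-argument `static_assert(...)` form is not valid C11 unless the kernel headers supply a macro for it; if they do not, `_Static_assert(sizeof(struct hdr_tok_partial) == 5, "hdr_tok_partial size");` is the portable spelling.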