X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/fe8ab488e9161c46dd9885d58fc52996dc0249ff..eb6b6ca394357805f2bdba989abae309f718b4d8:/bsd/security/audit/audit_private.h diff --git a/bsd/security/audit/audit_private.h b/bsd/security/audit/audit_private.h index 40f0ee658..e9e2e6dec 100644 --- a/bsd/security/audit/audit_private.h +++ b/bsd/security/audit/audit_private.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2009 Apple Inc. + * Copyright (c) 1999-2016 Apple Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -39,7 +39,7 @@ */ #ifndef _SECURITY_AUDIT_PRIVATE_H_ -#define _SECURITY_AUDIT_PRIVATE_H_ +#define _SECURITY_AUDIT_PRIVATE_H_ #if defined(_KERNEL) || defined(KERNEL) @@ -49,7 +49,7 @@ #endif #include -#include /* for PID_MAX */ +#include /* for PID_MAX */ #include #include @@ -64,58 +64,60 @@ MALLOC_DECLARE(M_AUDITTEXT); * Audit control variables that are usually set/read via system calls and * used to control various aspects of auditing. */ -extern struct au_qctrl audit_qctrl; -extern struct audit_fstat audit_fstat; -extern struct au_mask audit_nae_mask; -extern int audit_panic_on_write_fail; -extern int audit_fail_stop; -extern int audit_argv; -extern int audit_arge; +extern struct au_qctrl audit_qctrl; +extern struct audit_fstat audit_fstat; +extern struct au_mask audit_nae_mask; +extern int audit_panic_on_write_fail; +extern int audit_fail_stop; +extern int audit_argv; +extern int audit_arge; +extern au_ctlmode_t audit_ctl_mode; +extern au_expire_after_t audit_expire_after; /* * Kernel mask that is used to check to see if system calls need to be audited. */ -extern au_class_t audit_kevent_mask; +extern au_class_t audit_kevent_mask; /* - * The macro used to check to see if the system calls need to be auditing. + * The macro used to check to see if the system calls need to be auditing. * This will pessimisticly set the audit syscalls flag if the audit kevent * mask has not been created yet. User code should build the event/class * mapping table before setting preselection masks to avoid this. */ -#define AUDIT_CHECK_IF_KEVENTS_MASK(m) do { \ - if ((m).am_success || (m).am_failure) \ - if (!audit_kevent_mask || \ - (audit_kevent_mask & (m).am_success) || \ - (audit_kevent_mask & (m).am_failure)) \ - audit_syscalls = 1; \ +#define AUDIT_CHECK_IF_KEVENTS_MASK(m) do { \ + if ((m).am_success || (m).am_failure) \ + if (!audit_kevent_mask || \ + (audit_kevent_mask & (m).am_success) || \ + (audit_kevent_mask & (m).am_failure)) \ + audit_syscalls = 1; \ } while (0) /* * Success/failure conditions for the conversion of a kernel audit record to * BSM format. */ -#define BSM_SUCCESS 0 -#define BSM_FAILURE 1 -#define BSM_NOAUDIT 2 +#define BSM_SUCCESS 0 +#define BSM_FAILURE 1 +#define BSM_NOAUDIT 2 /* * Defines for the kernel audit record k_ar_commit field. Flags are set to * indicate what sort of record it is, and which preselection mechanism * selected it. */ -#define AR_COMMIT_KERNEL 0x00000001U -#define AR_COMMIT_USER 0x00000010U +#define AR_COMMIT_KERNEL 0x00000001U +#define AR_COMMIT_USER 0x00000010U -#define AR_PRESELECT_TRAIL 0x00001000U -#define AR_PRESELECT_PIPE 0x00002000U +#define AR_PRESELECT_TRAIL 0x00001000U +#define AR_PRESELECT_PIPE 0x00002000U -#define AR_PRESELECT_USER_TRAIL 0x00004000U -#define AR_PRESELECT_USER_PIPE 0x00008000U +#define AR_PRESELECT_USER_TRAIL 0x00004000U +#define AR_PRESELECT_USER_PIPE 0x00008000U -#define AR_PRESELECT_FILTER 0x00010000U +#define AR_PRESELECT_FILTER 0x00010000U -#define AR_DRAIN_QUEUE 0x80000000U +#define AR_DRAIN_QUEUE 0x80000000U /* * Audit data is generated as a stream of struct audit_record structures, @@ -125,165 +127,179 @@ extern au_class_t audit_kevent_mask; * This structure is converted to BSM format before being written to disk. */ struct vnode_au_info { - mode_t vn_mode; - uid_t vn_uid; - gid_t vn_gid; - dev_t vn_dev; - long vn_fsid; - long vn_fileid; - long vn_gen; + mode_t vn_mode; + uid_t vn_uid; + gid_t vn_gid; + dev_t vn_dev; + long vn_fsid; + long vn_fileid; + long vn_gen; }; struct groupset { - gid_t gidset[NGROUPS]; - u_int gidset_size; + gid_t gidset[NGROUPS]; + u_int gidset_size; }; struct socket_au_info { - int sai_domain; - int sai_type; - int sai_protocol; + int sai_domain; + int sai_type; + int sai_protocol; /* Foreign (remote) address/port. */ - struct sockaddr_storage sai_faddr; + struct sockaddr_storage sai_faddr; /* Local address/port. */ - struct sockaddr_storage sai_laddr; + struct sockaddr_storage sai_laddr; }; /* * The following is used for A_OLDSETQCTRL and A_OLDGETQCTRL and a 64-bit * userland. */ -struct au_qctrl64 { - u_int64_t aq64_hiwater; - u_int64_t aq64_lowater; - u_int64_t aq64_bufsz; - u_int64_t aq64_delay; - int64_t aq64_minfree; +struct au_qctrl64 { + u_int64_t aq64_hiwater; + u_int64_t aq64_lowater; + u_int64_t aq64_bufsz; + u_int64_t aq64_delay; + int64_t aq64_minfree; }; -typedef struct au_qctrl64 au_qctrl64_t; +typedef struct au_qctrl64 au_qctrl64_t; union auditon_udata { - char *au_path; - int au_cond; - int au_policy; - int64_t au_cond64; - int64_t au_policy64; - int au_trigger; - au_evclass_map_t au_evclass; - au_mask_t au_mask; - au_asflgs_t au_flags; - auditinfo_t au_auinfo; - auditpinfo_t au_aupinfo; - auditpinfo_addr_t au_aupinfo_addr; - au_qctrl_t au_qctrl; - au_qctrl64_t au_qctrl64; - au_stat_t au_stat; - au_fstat_t au_fstat; - auditinfo_addr_t au_kau_info; + char *au_path; + int au_cond; + int au_policy; + int64_t au_cond64; + int64_t au_policy64; + int au_trigger; + au_evclass_map_t au_evclass; + au_mask_t au_mask; + au_asflgs_t au_flags; + auditinfo_t au_auinfo; + auditpinfo_t au_aupinfo; + auditpinfo_addr_t au_aupinfo_addr; + au_qctrl_t au_qctrl; + au_qctrl64_t au_qctrl64; + au_stat_t au_stat; + au_fstat_t au_fstat; + auditinfo_addr_t au_kau_info; + au_ctlmode_t au_ctl_mode; + au_expire_after_t au_expire_after; }; struct posix_ipc_perm { - uid_t pipc_uid; - gid_t pipc_gid; - mode_t pipc_mode; + uid_t pipc_uid; + gid_t pipc_gid; + mode_t pipc_mode; +}; + +struct au_identity_info { + u_int32_t signer_type; + char *signing_id; + u_char signing_id_trunc; + char *team_id; + u_char team_id_trunc; + u_int8_t *cdhash; + u_int16_t cdhash_len; }; struct audit_record { /* Audit record header. */ - u_int32_t ar_magic; - int ar_event; - int ar_retval; /* value returned to the process */ - int ar_errno; /* return status of system call */ - struct timespec ar_starttime; - struct timespec ar_endtime; - u_int64_t ar_valid_arg; /* Bitmask of valid arguments */ + u_int32_t ar_magic; + int ar_event; + int ar_retval; /* value returned to the process */ + int ar_errno; /* return status of system call */ + struct timespec ar_starttime; + struct timespec ar_endtime; + u_int64_t ar_valid_arg; /* Bitmask of valid arguments */ /* Audit subject information. */ - struct xucred ar_subj_cred; - uid_t ar_subj_ruid; - gid_t ar_subj_rgid; - gid_t ar_subj_egid; - uid_t ar_subj_auid; /* Audit user ID */ - pid_t ar_subj_asid; /* Audit session ID */ - pid_t ar_subj_pid; - struct au_tid ar_subj_term; - struct au_tid_addr ar_subj_term_addr; - struct au_mask ar_subj_amask; + struct xucred ar_subj_cred; + uid_t ar_subj_ruid; + gid_t ar_subj_rgid; + gid_t ar_subj_egid; + uid_t ar_subj_auid; /* Audit user ID */ + pid_t ar_subj_asid; /* Audit session ID */ + pid_t ar_subj_pid; + struct au_tid ar_subj_term; + struct au_tid_addr ar_subj_term_addr; + struct au_mask ar_subj_amask; /* Operation arguments. */ - uid_t ar_arg_euid; - uid_t ar_arg_ruid; - uid_t ar_arg_suid; - gid_t ar_arg_egid; - gid_t ar_arg_rgid; - gid_t ar_arg_sgid; - pid_t ar_arg_pid; - pid_t ar_arg_asid; - struct au_tid ar_arg_termid; - struct au_tid_addr ar_arg_termid_addr; - uid_t ar_arg_uid; - uid_t ar_arg_auid; - gid_t ar_arg_gid; - struct groupset ar_arg_groups; - int ar_arg_fd; - int ar_arg_fflags; - mode_t ar_arg_mode; - uint32_t ar_arg_value32; - uint64_t ar_arg_value64; - user_addr_t ar_arg_addr; - user_size_t ar_arg_len; - int ar_arg_mask; - u_int ar_arg_signum; - char ar_arg_login[MAXLOGNAME]; - int ar_arg_ctlname[CTL_MAXNAME]; - struct socket_au_info ar_arg_sockinfo; - char *ar_arg_upath1; - char *ar_arg_upath2; - char *ar_arg_kpath1; /* darwin-only */ - char *ar_arg_kpath2; /* darwin-only */ + uid_t ar_arg_euid; + uid_t ar_arg_ruid; + uid_t ar_arg_suid; + gid_t ar_arg_egid; + gid_t ar_arg_rgid; + gid_t ar_arg_sgid; + pid_t ar_arg_pid; + pid_t ar_arg_asid; + struct au_tid ar_arg_termid; + struct au_tid_addr ar_arg_termid_addr; + uid_t ar_arg_uid; + uid_t ar_arg_auid; + gid_t ar_arg_gid; + struct groupset ar_arg_groups; + int ar_arg_fd; + int ar_arg_fflags; + mode_t ar_arg_mode; + uint32_t ar_arg_value32; + uint64_t ar_arg_value64; + user_addr_t ar_arg_addr; + user_size_t ar_arg_len; + int ar_arg_mask; + u_int ar_arg_signum; + char ar_arg_login[MAXLOGNAME]; + int ar_arg_ctlname[CTL_MAXNAME]; + struct socket_au_info ar_arg_sockinfo; + char *ar_arg_upath1; + char *ar_arg_upath2; + char *ar_arg_kpath1; /* darwin-only */ + char *ar_arg_kpath2; /* darwin-only */ #if CONFIG_MACF - char *ar_vnode1_mac_labels; - char *ar_vnode2_mac_labels; - char *ar_cred_mac_labels; - char *ar_arg_mac_string; + char *ar_vnode1_mac_labels; + char *ar_vnode2_mac_labels; + char *ar_cred_mac_labels; + char *ar_arg_mac_string; #endif - char *ar_arg_text; - void *ar_arg_opaque; /* darwin-only */ - void *ar_arg_data; /* darwin-only */ - u_int16_t ar_arg_opq_size; /* darwin-only */ - u_char ar_arg_data_type; /* darwin-only */ - u_char ar_arg_data_count; /* darwin-only */ - struct au_mask ar_arg_amask; - struct vnode_au_info ar_arg_vnode1; - struct vnode_au_info ar_arg_vnode2; - int ar_arg_cmd; - int ar_arg_svipc_cmd; - struct ipc_perm ar_arg_svipc_perm; - int ar_arg_svipc_id; - user_addr_t ar_arg_svipc_addr; - struct posix_ipc_perm ar_arg_pipc_perm; - mach_port_name_t ar_arg_mach_port1; /* darwin-only */ - mach_port_name_t ar_arg_mach_port2; /* darwin-only */ - union auditon_udata ar_arg_auditon; - char *ar_arg_argv; - int ar_arg_argc; - char *ar_arg_envv; - int ar_arg_envc; - int ar_arg_exitstatus; - int ar_arg_exitretval; + char *ar_arg_text; + void *ar_arg_opaque; /* darwin-only */ + void *ar_arg_data; /* darwin-only */ + u_int16_t ar_arg_opq_size; /* darwin-only */ + u_char ar_arg_data_type; /* darwin-only */ + u_char ar_arg_data_count; /* darwin-only */ + struct au_mask ar_arg_amask; + struct vnode_au_info ar_arg_vnode1; + struct vnode_au_info ar_arg_vnode2; + int ar_arg_cmd; + int ar_arg_svipc_cmd; + struct ipc_perm ar_arg_svipc_perm; + int ar_arg_svipc_id; + user_addr_t ar_arg_svipc_addr; + struct posix_ipc_perm ar_arg_pipc_perm; + mach_port_name_t ar_arg_mach_port1; /* darwin-only */ + mach_port_name_t ar_arg_mach_port2; /* darwin-only */ + union auditon_udata ar_arg_auditon; + char *ar_arg_argv; + int ar_arg_argc; + char *ar_arg_envv; + int ar_arg_envc; + int ar_arg_exitstatus; + int ar_arg_exitretval; struct sockaddr_storage ar_arg_sockaddr; + int ar_arg_fd2; #if CONFIG_MACF /* * MAC security related fields added by MAC policies ar_forced_by_mac * is 1 if mac_audit_check_preselect() forced this call to be audited, * 0 otherwise. - */ - LIST_HEAD(mac_audit_record_list_t, mac_audit_record) *ar_mac_records; - int ar_forced_by_mac; + */ + LIST_HEAD(mac_audit_record_list_t, mac_audit_record) * ar_mac_records; + int ar_forced_by_mac; #endif + struct au_identity_info ar_arg_identity; }; /* @@ -291,16 +307,16 @@ struct audit_record { * indicate if they are present so they can be included in the audit log * stream only if defined. */ -#define ARG_IS_VALID(kar, arg) ((kar)->k_ar.ar_valid_arg & (arg)) -#define ARG_SET_VALID(kar, arg) do { \ - (kar)->k_ar.ar_valid_arg |= (arg); \ +#define ARG_IS_VALID(kar, arg) ((kar)->k_ar.ar_valid_arg & (arg)) +#define ARG_SET_VALID(kar, arg) do { \ + (kar)->k_ar.ar_valid_arg |= (arg); \ } while (0) /* * Current thread macro. get_bsdthread_info() returns a void ptr for some * reason. */ -#define curthread() ((struct uthread *)get_bsdthread_info(current_thread())) +#define curthread() ((struct uthread *)get_bsdthread_info(current_thread())) /* * In-kernel version of audit record; the basic record plus queue meta-data. @@ -308,12 +324,12 @@ struct audit_record { * passed through to the audit writing mechanism. */ struct kaudit_record { - struct audit_record k_ar; - u_int32_t k_ar_commit; - void *k_udata; /* User data. */ - u_int k_ulen; /* User data length. */ - struct uthread *k_uthread; /* Audited thread. */ - TAILQ_ENTRY(kaudit_record) k_q; + struct audit_record k_ar; + u_int32_t k_ar_commit; + void *k_udata; /* User data. */ + u_int k_ulen; /* User data length. */ + struct uthread *k_uthread; /* Audited thread. */ + TAILQ_ENTRY(kaudit_record) k_q; }; TAILQ_HEAD(kaudit_queue, kaudit_record); @@ -321,50 +337,50 @@ TAILQ_HEAD(kaudit_queue, kaudit_record); * Functions to manage the allocation, release, and commit of kernel audit * records. */ -void audit_abort(struct kaudit_record *ar); -void audit_commit(struct kaudit_record *ar, int error, - int retval); -struct kaudit_record *audit_new(int event, proc_t p, struct uthread *td); +void audit_abort(struct kaudit_record *ar); +void audit_commit(struct kaudit_record *ar, int error, + int retval); +struct kaudit_record *audit_new(int event, proc_t p, struct uthread *td); /* * Functions relating to the conversion of internal kernel audit records to * the BSM file format. */ struct au_record; -int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau); -int bsm_rec_verify(void *rec); +int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau); +int bsm_rec_verify(void *rec, int length, boolean_t kern_events_allowed); /* * Kernel versions of the libbsm audit record functions. */ -void kau_free(struct au_record *rec); -void kau_init(void); +void kau_free(struct au_record *rec); +void kau_init(void); /* * Return values for pre-selection and post-selection decisions. */ -#define AU_PRS_SUCCESS 1 -#define AU_PRS_FAILURE 2 -#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) +#define AU_PRS_SUCCESS 1 +#define AU_PRS_FAILURE 2 +#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) /* * Data structures relating to the kernel audit queue. Ideally, these might * be abstracted so that only accessor methods are exposed. */ -extern struct mtx audit_mtx; -extern struct cv audit_watermark_cv; -extern struct cv audit_worker_cv; -extern struct cv audit_drain_cv; -extern struct kaudit_queue audit_q; -extern int audit_q_len; -extern int audit_pre_q_len; -extern int audit_in_failure; +extern struct mtx audit_mtx; +extern struct cv audit_watermark_cv; +extern struct cv audit_worker_cv; +extern struct cv audit_drain_cv; +extern struct kaudit_queue audit_q; +extern int audit_q_len; +extern int audit_pre_q_len; +extern int audit_in_failure; /* * Flags to use on audit files when opening and closing. */ -#define AUDIT_OPEN_FLAGS (FWRITE | O_APPEND) -#define AUDIT_CLOSE_FLAGS (FWRITE | O_APPEND) +#define AUDIT_OPEN_FLAGS (FWRITE | O_APPEND) +#define AUDIT_CLOSE_FLAGS (FWRITE | O_APPEND) #include #include @@ -375,88 +391,129 @@ extern int audit_in_failure; * kernel implementations in order to save the copying of large kernel data * structures. The prototypes of these functions are declared here. */ -token_t *kau_to_socket(struct socket_au_info *soi); +token_t *kau_to_socket(struct socket_au_info *soi); /* * audit_klib prototypes */ -int au_preselect(au_event_t event, au_class_t class, - au_mask_t *mask_p, int sorf); -void au_evclassmap_init(void); -void au_evclassmap_insert(au_event_t event, au_class_t class); -au_class_t au_event_class(au_event_t event); -au_event_t audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg); -au_event_t audit_flags_and_error_to_openevent(int oflags, int error); -au_event_t audit_flags_and_error_to_openextendedevent(int oflags, - int error); -au_event_t audit_flags_and_error_to_openatevent(int oflags, - int error); -au_event_t audit_flags_and_error_to_openbyidevent(int oflags, - int error); -au_event_t audit_msgctl_to_event(int cmd); -au_event_t audit_semctl_to_event(int cmr); -int audit_canon_path(struct vnode *cwd_vp, char *path, - char *cpath); -au_event_t auditon_command_event(int cmd); -au_event_t audit_fcntl_command_event(int cmd, int oflags, int error); +int au_preselect(au_event_t event, au_class_t class, + au_mask_t *mask_p, int sorf); +void au_evclassmap_init(void); +void au_evclassmap_insert(au_event_t event, au_class_t class); +au_class_t au_event_class(au_event_t event); +au_event_t audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg); +au_event_t audit_flags_and_error_to_openevent(int oflags, int error); +au_event_t audit_flags_and_error_to_openextendedevent(int oflags, + int error); +au_event_t audit_flags_and_error_to_openatevent(int oflags, + int error); +au_event_t audit_flags_and_error_to_openbyidevent(int oflags, + int error); +au_event_t audit_msgctl_to_event(int cmd); +au_event_t audit_semctl_to_event(int cmr); +int audit_canon_path(struct vnode *cwd_vp, char *path, + char *cpath); +au_event_t auditon_command_event(int cmd); +au_event_t audit_fcntl_command_event(int cmd, int oflags, int error); /* * Audit trigger events notify user space of kernel audit conditions * asynchronously. */ -int audit_send_trigger(unsigned int trigger); +int audit_send_trigger(unsigned int trigger); /* * Accessor functions to manage global audit state. */ -void audit_set_kinfo(struct auditinfo_addr *); -void audit_get_kinfo(struct auditinfo_addr *); +void audit_set_kinfo(struct auditinfo_addr *); +void audit_get_kinfo(struct auditinfo_addr *); /* * General audit related functions. */ -struct kaudit_record *currecord(void); -void audit_free(struct kaudit_record *ar); -void audit_rotate_vnode(struct ucred *cred, - struct vnode *vp); -void audit_worker_init(void); +struct kaudit_record *currecord(void); +void audit_free(struct kaudit_record *ar); +void audit_rotate_vnode(struct ucred *cred, + struct vnode *vp); +void audit_worker_init(void); +void audit_identity_info_construct( + struct au_identity_info *id_info); +void audit_identity_info_destruct( + struct au_identity_info *id_info); /* * Audit pipe functions. */ -int audit_pipe_init(void); -int audit_pipe_shutdown(void); -int audit_pipe_preselect(au_id_t auid, au_event_t event, - au_class_t class, int sorf, int trail_select); -void audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, - int sorf, int trail_select, void *record, u_int record_len); -void audit_pipe_submit_user(void *record, u_int record_len); +int audit_pipe_init(void); +int audit_pipe_shutdown(void); +int audit_pipe_preselect(au_id_t auid, au_event_t event, + au_class_t class, int sorf, int trail_select); +void audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, + int sorf, int trail_select, void *record, u_int record_len); +void audit_pipe_submit_user(void *record, u_int record_len); /* * Audit MAC prototypes. */ -void audit_mac_init(void); -int audit_mac_new(proc_t p, struct kaudit_record *ar); -void audit_mac_free(struct kaudit_record *ar); -int audit_mac_syscall_enter(unsigned short code, proc_t p, - struct uthread *uthread, kauth_cred_t my_cred, au_event_t event); -int audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, - int error, int retval); +void audit_mac_init(void); +int audit_mac_new(proc_t p, struct kaudit_record *ar); +void audit_mac_free(struct kaudit_record *ar); +int audit_mac_syscall_enter(unsigned short code, proc_t p, + struct uthread *uthread, kauth_cred_t my_cred, au_event_t event); +int audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, + int error, int retval); /* * Audit Session. */ -void audit_session_init(void); -int audit_session_setaia(proc_t p, auditinfo_addr_t *aia_p); +void audit_session_init(void); +int audit_session_setaia(proc_t p, auditinfo_addr_t *aia_p); auditinfo_addr_t *audit_session_update(auditinfo_addr_t *new_aia); -int audit_session_lookup(au_asid_t asid, auditinfo_addr_t *ret_aia); +int audit_session_lookup(au_asid_t asid, auditinfo_addr_t *ret_aia); /* * Kernel assigned audit session IDs start at PID_MAX + 1 and ends at * ASSIGNED_ASID_MAX. */ -#define ASSIGNED_ASID_MIN (PID_MAX + 1) -#define ASSIGNED_ASID_MAX (0xFFFFFFFF - 1) +#define ASSIGNED_ASID_MIN (PID_MAX + 1) +#define ASSIGNED_ASID_MAX (0xFFFFFFFF - 1) + +/* + * Entitlement required to control various audit subsystem settings + */ +#define AU_CLASS_RESERVED_ENTITLEMENT "com.apple.private.dz.audit" + +/* + * Entitlement required to control auditctl sys call + */ +#define AU_AUDITCTL_RESERVED_ENTITLEMENT "com.apple.private.protected-audit-control" + +/* + * Entitlement required to control auditctl sys call + */ +#define AU_AUDIT_USER_ENTITLEMENT "com.apple.private.audit.user" + +/* + * Max sizes used by the kernel for signing id and team id values of the + * identity tokens. These lengths include space for the null terminator. + */ +#define MAX_AU_IDENTITY_SIGNING_ID_LENGTH 129 +#define MAX_AU_IDENTITY_TEAM_ID_LENGTH 17 + +struct __attribute__((__packed__)) hdr_tok_partial { + u_char type; + uint32_t len; + u_char ver; + uint16_t e_type; +}; +static_assert(sizeof(struct hdr_tok_partial) == 8); + +struct __attribute__((__packed__)) trl_tok_partial { + u_char type; + uint16_t magic; + uint32_t len; +}; +static_assert(sizeof(struct trl_tok_partial) == 7); #endif /* defined(KERNEL) || defined(_KERNEL) */