audit_private.h (08e57af45b017063650fb576449bd345696e9046) | audit_private.h (871499fef514fd9934f9a8a07194e8ef86c07bd5) |
---|---|
1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright --- 52 unchanged lines hidden (view full) --- 61//#define AUDIT_EXCESSIVELY_VERBOSE 62#ifdef AUDIT_EXCESSIVELY_VERBOSE 63#define AUDIT_PRINTF(x) printf x 64#else 65#define AUDIT_PRINTF(x) 66#endif 67 68/* | 1/* 2 * Copyright (c) 1999-2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright --- 52 unchanged lines hidden (view full) --- 61//#define AUDIT_EXCESSIVELY_VERBOSE 62#ifdef AUDIT_EXCESSIVELY_VERBOSE 63#define AUDIT_PRINTF(x) printf x 64#else 65#define AUDIT_PRINTF(x) 66#endif 67 68/* |
69 * Audit control variables that are usually set/read via system calls 70 * and used to control various aspects of auditing. | 69 * Audit control variables that are usually set/read via system calls and 70 * used to control various aspects of auditing. |
71 */ 72extern struct au_qctrl audit_qctrl; 73extern struct audit_fstat audit_fstat; 74extern struct au_mask audit_nae_mask; 75extern int audit_panic_on_write_fail; 76extern int audit_fail_stop; 77 78/* 79 * Success/failure conditions for the conversion of a kernel audit record to 80 * BSM format. 81 */ | 71 */ 72extern struct au_qctrl audit_qctrl; 73extern struct audit_fstat audit_fstat; 74extern struct au_mask audit_nae_mask; 75extern int audit_panic_on_write_fail; 76extern int audit_fail_stop; 77 78/* 79 * Success/failure conditions for the conversion of a kernel audit record to 80 * BSM format. 81 */ |
82#define BSM_SUCCESS 0 83#define BSM_FAILURE 1 84#define BSM_NOAUDIT 2 | 82#define BSM_SUCCESS 0 83#define BSM_FAILURE 1 84#define BSM_NOAUDIT 2 |
85 86/* 87 * Defines for the kernel audit record k_ar_commit field. 88 */ 89#define AR_COMMIT_KERNEL 0x00000001U 90#define AR_COMMIT_USER 0x00000010U 91 92/* 93 * Audit data is generated as a stream of struct audit_record structures, 94 * linked by struct kaudit_record, and contain storage for possible audit so 95 * that it will not need to be allocated during the processing of a system 96 * call, both improving efficiency and avoiding sleeping at untimely moments. 97 * This structure is converted to BSM format before being written to disk. 98 */ 99struct vnode_au_info { | 85 86/* 87 * Defines for the kernel audit record k_ar_commit field. 88 */ 89#define AR_COMMIT_KERNEL 0x00000001U 90#define AR_COMMIT_USER 0x00000010U 91 92/* 93 * Audit data is generated as a stream of struct audit_record structures, 94 * linked by struct kaudit_record, and contain storage for possible audit so 95 * that it will not need to be allocated during the processing of a system 96 * call, both improving efficiency and avoiding sleeping at untimely moments. 97 * This structure is converted to BSM format before being written to disk. 98 */ 99struct vnode_au_info { |
100 mode_t vn_mode; 101 uid_t vn_uid; 102 gid_t vn_gid; 103 dev_t vn_dev; 104 long vn_fsid; 105 long vn_fileid; 106 long vn_gen; | 100 mode_t vn_mode; 101 uid_t vn_uid; 102 gid_t vn_gid; 103 dev_t vn_dev; 104 long vn_fsid; 105 long vn_fileid; 106 long vn_gen; |
107}; 108 109struct groupset { 110 gid_t gidset[NGROUPS]; 111 u_int gidset_size; 112}; 113 114struct socket_au_info { 115 int so_domain; 116 int so_type; 117 int so_protocol; | 107}; 108 109struct groupset { 110 gid_t gidset[NGROUPS]; 111 u_int gidset_size; 112}; 113 114struct socket_au_info { 115 int so_domain; 116 int so_type; 117 int so_protocol; |
118 in_addr_t so_raddr; /* remote address if INET socket */ 119 in_addr_t so_laddr; /* local address if INET socket */ 120 u_short so_rport; /* remote port */ 121 u_short so_lport; /* local port */ | 118 in_addr_t so_raddr; /* Remote address if INET socket. */ 119 in_addr_t so_laddr; /* Local address if INET socket. */ 120 u_short so_rport; /* Remote port. */ 121 u_short so_lport; /* Local port. */ |
122}; 123 124union auditon_udata { 125 char *au_path; 126 long au_cond; 127 long au_flags; 128 long au_policy; 129 int au_trigger; 130 au_evclass_map_t au_evclass; 131 au_mask_t au_mask; 132 auditinfo_t au_auinfo; 133 auditpinfo_t au_aupinfo; 134 auditpinfo_addr_t au_aupinfo_addr; 135 au_qctrl_t au_qctrl; 136 au_stat_t au_stat; 137 au_fstat_t au_fstat; 138}; 139 140struct posix_ipc_perm { | 122}; 123 124union auditon_udata { 125 char *au_path; 126 long au_cond; 127 long au_flags; 128 long au_policy; 129 int au_trigger; 130 au_evclass_map_t au_evclass; 131 au_mask_t au_mask; 132 auditinfo_t au_auinfo; 133 auditpinfo_t au_aupinfo; 134 auditpinfo_addr_t au_aupinfo_addr; 135 au_qctrl_t au_qctrl; 136 au_stat_t au_stat; 137 au_fstat_t au_fstat; 138}; 139 140struct posix_ipc_perm { |
141 uid_t pipc_uid; 142 gid_t pipc_gid; 143 mode_t pipc_mode; | 141 uid_t pipc_uid; 142 gid_t pipc_gid; 143 mode_t pipc_mode; |
144}; 145 146struct audit_record { 147 /* Audit record header. */ 148 u_int32_t ar_magic; 149 int ar_event; 150 int ar_retval; /* value returned to the process */ 151 int ar_errno; /* return status of system call */ 152 struct timespec ar_starttime; 153 struct timespec ar_endtime; 154 u_int64_t ar_valid_arg; /* Bitmask of valid arguments */ 155 156 /* Audit subject information. */ | 144}; 145 146struct audit_record { 147 /* Audit record header. */ 148 u_int32_t ar_magic; 149 int ar_event; 150 int ar_retval; /* value returned to the process */ 151 int ar_errno; /* return status of system call */ 152 struct timespec ar_starttime; 153 struct timespec ar_endtime; 154 u_int64_t ar_valid_arg; /* Bitmask of valid arguments */ 155 156 /* Audit subject information. */ |
157 struct xucred ar_subj_cred; 158 uid_t ar_subj_ruid; 159 gid_t ar_subj_rgid; 160 gid_t ar_subj_egid; 161 uid_t ar_subj_auid; /* Audit user ID */ 162 pid_t ar_subj_asid; /* Audit session ID */ 163 pid_t ar_subj_pid; 164 struct au_tid ar_subj_term; 165 char ar_subj_comm[MAXCOMLEN + 1]; 166 struct au_mask ar_subj_amask; | 157 struct xucred ar_subj_cred; 158 uid_t ar_subj_ruid; 159 gid_t ar_subj_rgid; 160 gid_t ar_subj_egid; 161 uid_t ar_subj_auid; /* Audit user ID */ 162 pid_t ar_subj_asid; /* Audit session ID */ 163 pid_t ar_subj_pid; 164 struct au_tid ar_subj_term; 165 char ar_subj_comm[MAXCOMLEN + 1]; 166 struct au_mask ar_subj_amask; |
167 168 /* Operation arguments. */ | 167 168 /* Operation arguments. */ |
169 uid_t ar_arg_euid; 170 uid_t ar_arg_ruid; 171 uid_t ar_arg_suid; 172 gid_t ar_arg_egid; 173 gid_t ar_arg_rgid; 174 gid_t ar_arg_sgid; 175 pid_t ar_arg_pid; 176 pid_t ar_arg_asid; 177 struct au_tid ar_arg_termid; 178 uid_t ar_arg_uid; 179 uid_t ar_arg_auid; 180 gid_t ar_arg_gid; 181 struct groupset ar_arg_groups; 182 int ar_arg_fd; 183 int ar_arg_fflags; 184 mode_t ar_arg_mode; 185 int ar_arg_dev; 186 long ar_arg_value; 187 void * ar_arg_addr; 188 int ar_arg_len; 189 int ar_arg_mask; 190 u_int ar_arg_signum; 191 char ar_arg_login[MAXLOGNAME]; 192 int ar_arg_ctlname[CTL_MAXNAME]; 193 struct sockaddr ar_arg_sockaddr; 194 struct socket_au_info ar_arg_sockinfo; 195 char *ar_arg_upath1; 196 char *ar_arg_upath2; 197 char *ar_arg_text; 198 struct au_mask ar_arg_amask; 199 struct vnode_au_info ar_arg_vnode1; 200 struct vnode_au_info ar_arg_vnode2; 201 int ar_arg_cmd; 202 int ar_arg_svipc_cmd; 203 struct ipc_perm ar_arg_svipc_perm; 204 int ar_arg_svipc_id; 205 void * ar_arg_svipc_addr; 206 struct posix_ipc_perm ar_arg_pipc_perm; 207 union auditon_udata ar_arg_auditon; 208 int ar_arg_exitstatus; 209 int ar_arg_exitretval; | 169 uid_t ar_arg_euid; 170 uid_t ar_arg_ruid; 171 uid_t ar_arg_suid; 172 gid_t ar_arg_egid; 173 gid_t ar_arg_rgid; 174 gid_t ar_arg_sgid; 175 pid_t ar_arg_pid; 176 pid_t ar_arg_asid; 177 struct au_tid ar_arg_termid; 178 uid_t ar_arg_uid; 179 uid_t ar_arg_auid; 180 gid_t ar_arg_gid; 181 struct groupset ar_arg_groups; 182 int ar_arg_fd; 183 int ar_arg_fflags; 184 mode_t ar_arg_mode; 185 int ar_arg_dev; 186 long ar_arg_value; 187 void * ar_arg_addr; 188 int ar_arg_len; 189 int ar_arg_mask; 190 u_int ar_arg_signum; 191 char ar_arg_login[MAXLOGNAME]; 192 int ar_arg_ctlname[CTL_MAXNAME]; 193 struct sockaddr ar_arg_sockaddr; 194 struct socket_au_info ar_arg_sockinfo; 195 char *ar_arg_upath1; 196 char *ar_arg_upath2; 197 char *ar_arg_text; 198 struct au_mask ar_arg_amask; 199 struct vnode_au_info ar_arg_vnode1; 200 struct vnode_au_info ar_arg_vnode2; 201 int 
ar_arg_cmd; 202 int ar_arg_svipc_cmd; 203 struct ipc_perm ar_arg_svipc_perm; 204 int ar_arg_svipc_id; 205 void * ar_arg_svipc_addr; 206 struct posix_ipc_perm ar_arg_pipc_perm; 207 union auditon_udata ar_arg_auditon; 208 int ar_arg_exitstatus; 209 int ar_arg_exitretval; |
210}; 211 212/* 213 * Arguments in the audit record are initially not defined; flags are set to 214 * indicate if they are present so they can be included in the audit log 215 * stream only if defined. 216 */ 217#define ARG_IS_VALID(kar, arg) ((kar)->k_ar.ar_valid_arg & (arg)) 218#define ARG_SET_VALID(kar, arg) do { \ 219 (kar)->k_ar.ar_valid_arg |= (arg); \ 220} while (0) 221 222/* 223 * In-kernel version of audit record; the basic record plus queue meta-data. | 210}; 211 212/* 213 * Arguments in the audit record are initially not defined; flags are set to 214 * indicate if they are present so they can be included in the audit log 215 * stream only if defined. 216 */ 217#define ARG_IS_VALID(kar, arg) ((kar)->k_ar.ar_valid_arg & (arg)) 218#define ARG_SET_VALID(kar, arg) do { \ 219 (kar)->k_ar.ar_valid_arg |= (arg); \ 220} while (0) 221 222/* 223 * In-kernel version of audit record; the basic record plus queue meta-data. |
224 * This record can also have a pointer set to some opaque data that will 225 * be passed through to the audit writing mechanism. | 224 * This record can also have a pointer set to some opaque data that will be 225 * passed through to the audit writing mechanism. |
226 */ 227struct kaudit_record { | 226 */ 227struct kaudit_record { |
228 struct audit_record k_ar; 229 u_int32_t k_ar_commit; 230 void *k_udata; /* user data */ 231 u_int k_ulen; /* user data length */ 232 struct uthread *k_uthread; /* thread we are auditing */ 233 TAILQ_ENTRY(kaudit_record) k_q; | 228 struct audit_record k_ar; 229 u_int32_t k_ar_commit; 230 void *k_udata; /* User data. */ 231 u_int k_ulen; /* User data length. */ 232 struct uthread *k_uthread; /* Audited thread. */ 233 TAILQ_ENTRY(kaudit_record) k_q; |
234}; 235TAILQ_HEAD(kaudit_queue, kaudit_record); 236 237/* 238 * Functions to manage the allocation, release, and commit of kernel audit 239 * records. 240 */ 241void audit_abort(struct kaudit_record *ar); 242void audit_commit(struct kaudit_record *ar, int error, 243 int retval); 244struct kaudit_record *audit_new(int event, struct thread *td); 245 246/* 247 * Functions relating to the conversion of internal kernel audit records to 248 * the BSM file format. 249 */ 250struct au_record; | 234}; 235TAILQ_HEAD(kaudit_queue, kaudit_record); 236 237/* 238 * Functions to manage the allocation, release, and commit of kernel audit 239 * records. 240 */ 241void audit_abort(struct kaudit_record *ar); 242void audit_commit(struct kaudit_record *ar, int error, 243 int retval); 244struct kaudit_record *audit_new(int event, struct thread *td); 245 246/* 247 * Functions relating to the conversion of internal kernel audit records to 248 * the BSM file format. 249 */ 250struct au_record; |
251int kaudit_to_bsm(struct kaudit_record *kar, 252 struct au_record **pau); 253int bsm_rec_verify(void *rec); | 251int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau); 252int bsm_rec_verify(void *rec); |
254 255/* 256 * Kernel versions of the libbsm audit record functions. 257 */ | 253 254/* 255 * Kernel versions of the libbsm audit record functions. 256 */ |
258void kau_free(struct au_record *rec); 259void kau_init(void); | 257void kau_free(struct au_record *rec); 258void kau_init(void); |
260 261/* 262 * Return values for pre-selection and post-selection decisions. 263 */ | 259 260/* 261 * Return values for pre-selection and post-selection decisions. 262 */ |
264#define AU_PRS_SUCCESS 1 265#define AU_PRS_FAILURE 2 266#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) | 263#define AU_PRS_SUCCESS 1 264#define AU_PRS_FAILURE 2 265#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) |
267 268/* 269 * Data structures relating to the kernel audit queue. Ideally, these might 270 * be abstracted so that only accessor methods are exposed. 271 */ | 266 267/* 268 * Data structures relating to the kernel audit queue. Ideally, these might 269 * be abstracted so that only accessor methods are exposed. 270 */ |
272extern struct mtx audit_mtx; 273extern struct cv audit_commit_cv; 274extern struct cv audit_cv; 275extern struct kaudit_queue audit_q; 276extern int audit_q_len; 277extern int audit_pre_q_len; 278extern int audit_in_failure; | 271extern struct mtx audit_mtx; 272extern struct cv audit_commit_cv; 273extern struct cv audit_cv; 274extern struct kaudit_queue audit_q; 275extern int audit_q_len; 276extern int audit_pre_q_len; 277extern int audit_in_failure; |
279 280/* 281 * Flags to use on audit files when opening and closing. 282 */ 283#define AUDIT_OPEN_FLAGS (FWRITE | O_APPEND) 284#define AUDIT_CLOSE_FLAGS (FWRITE | O_APPEND) 285 286#include <sys/fcntl.h> 287#include <sys/kernel.h> 288#include <sys/malloc.h> 289 290/* 291 * Some of the BSM tokenizer functions take different parameters in the | 278 279/* 280 * Flags to use on audit files when opening and closing. 281 */ 282#define AUDIT_OPEN_FLAGS (FWRITE | O_APPEND) 283#define AUDIT_CLOSE_FLAGS (FWRITE | O_APPEND) 284 285#include <sys/fcntl.h> 286#include <sys/kernel.h> 287#include <sys/malloc.h> 288 289/* 290 * Some of the BSM tokenizer functions take different parameters in the |
292 * kernel implementations in order to save the copying of large kernel 293 * data structures. The prototypes of these functions are declared here. | 291 * kernel implementations in order to save the copying of large kernel data 292 * structures. The prototypes of these functions are declared here. |
294 */ 295token_t *kau_to_socket(struct socket_au_info *soi); 296 297/* 298 * audit_klib prototypes 299 */ 300int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf); 301au_event_t flags_and_error_to_openevent(int oflags, int error); --- 21 unchanged lines hidden (view full) --- 323void audit_shutdown(void *arg, int howto); 324void audit_rotate_vnode(struct ucred *cred, 325 struct vnode *vp); 326void audit_worker_init(void); 327 328/* 329 * Audit pipe functions. 330 */ | 293 */ 294token_t *kau_to_socket(struct socket_au_info *soi); 295 296/* 297 * audit_klib prototypes 298 */ 299int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf); 300au_event_t flags_and_error_to_openevent(int oflags, int error); --- 21 unchanged lines hidden (view full) --- 322void audit_shutdown(void *arg, int howto); 323void audit_rotate_vnode(struct ucred *cred, 324 struct vnode *vp); 325void audit_worker_init(void); 326 327/* 328 * Audit pipe functions. 329 */ |
331void audit_pipe_submit(void *record, u_int record_len); | 330void audit_pipe_submit(void *record, u_int record_len); |
332 333#endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */ | 331 332#endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */ |
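Review bot: The reworded comment on `k_udata` in struct kaudit_record (new line 230, `/* User data. */`) still does not say where the buffer lives or who owns it. That matters for a pointer/length pair which, per the comment above the struct, is passed through to the audit writing mechanism. Since the commit already touches these two comments, I would spell the contract out, for example `void *k_udata; /* User-submitted record; kernel copy of k_ulen bytes. */`, adjusted to what the implementation actually does, because the header alone does not show whether it is a kernel copy or who frees it. As a smaller style point, struct audit_record keeps the old lowercase, unterminated form (`/* value returned to the process */`, `/* return status of system call */`), while socket_au_info and kaudit_record now use sentence style, so the header ends up with two comment conventions.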