xref: /illumos-gate/usr/src/uts/common/c2/audit_record.h (revision b5c366f4aa9361f18dccd4d00380b3e2e36be40c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
26  */
27 
28 #ifndef _BSM_AUDIT_RECORD_H
29 #define	_BSM_AUDIT_RECORD_H
30 
31 
32 #ifdef _KERNEL
33 #include <sys/priv.h>
34 #else
35 #include <priv.h>
36 #endif
37 #include <sys/socket.h>
38 #include <sys/acl.h>
39 
40 #include <sys/tsol/label.h>
41 
42 #ifdef __cplusplus
43 extern "C" {
44 #endif
45 
46 /*
47  * Version of audit attributes
48  *
49  * OS Release      Version Number    Comments
50  * ==========      ==============    ========
51  * SunOS 5.1              2        Unbundled Package
52  * SunOS 5.3              2        Bundled into the base OS
53  * SunOS 5.4-5.x          2
54  * Trusted Solaris 2.5    3        To distinguish potential new tokens
55  * Trusted Solaris 7-8    4        Redefine X tokens that overlap with
56  *                                 SunOS 5.7
57  */
58 
59 #define	TOKEN_VERSION   2
60 
61 /*
62  * Audit record token type codes
63  */
64 
65 /*
66  * Control token types
67  */
68 
69 #define	AUT_INVALID		((char)0x00)
70 #define	AUT_OTHER_FILE		((char)0x11)
71 #define	AUT_OTHER_FILE32	AUT_OTHER_FILE
72 #define	AUT_OHEADER		((char)0x12)
73 #define	AUT_TRAILER		((char)0x13)
74 #define	AUT_HEADER		((char)0x14)
75 #define	AUT_HEADER32		AUT_HEADER
76 #define	AUT_HEADER32_EX		((char)0x15)
77 #define	AUT_TRAILER_MAGIC	((short)0xB105)
78 
79 /*
80  * Data token types
81  */
82 
83 #define	AUT_FMRI		((char)0x20)
84 #define	AUT_DATA		((char)0x21)
85 #define	AUT_IPC			((char)0x22)
86 #define	AUT_PATH		((char)0x23)
87 #define	AUT_SUBJECT		((char)0x24)
88 #define	AUT_SUBJECT32		AUT_SUBJECT
89 #define	AUT_XATPATH		((char)0x25)
90 #define	AUT_PROCESS		((char)0x26)
91 #define	AUT_PROCESS32		AUT_PROCESS
92 #define	AUT_RETURN		((char)0x27)
93 #define	AUT_RETURN32		AUT_RETURN
94 #define	AUT_TEXT		((char)0x28)
95 #define	AUT_OPAQUE		((char)0x29)
96 #define	AUT_IN_ADDR		((char)0x2A)
97 #define	AUT_IP			((char)0x2B)
98 #define	AUT_IPORT		((char)0x2C)
99 #define	AUT_ARG			((char)0x2D)
100 #define	AUT_ARG32		AUT_ARG
101 #define	AUT_SOCKET		((char)0x2E)
102 #define	AUT_SEQ			((char)0x2F)
103 #define	AUT_USER		((char)0x36)	/* out of order */
104 #define	AUT_TID			((char)0x61)	/* out of order */
105 
106 /*
107  * Modifier token types
108  */
109 
110 #define	AUT_ACL			((char)0x30)
111 #define	AUT_ATTR		((char)0x31)
112 #define	AUT_IPC_PERM		((char)0x32)
113 #define	AUT_LABEL		((char)0x33)
114 #define	AUT_GROUPS		((char)0x34)
115 #define	AUT_ACE			((char)0x35)
116 	/* 0x37 unused */
117 #define	AUT_PRIV		((char)0x38)
118 #define	AUT_UPRIV		((char)0x39)
119 #define	AUT_LIAISON		((char)0x3A)
120 #define	AUT_NEWGROUPS		((char)0x3B)
121 #define	AUT_EXEC_ARGS		((char)0x3C)
122 #define	AUT_EXEC_ENV		((char)0x3D)
123 #define	AUT_ATTR32		((char)0x3E)
124 #define	AUT_UAUTH		((char)0x3F)
125 #define	AUT_ZONENAME		((char)0x60)	/* out of order */
126 #define	AUT_SECFLAGS		((char)0x62)	/* out of order */
127 
128 /*
129  * X windows token types
130  */
131 
132 #define	AUT_XATOM		((char)0x40)
133 #define	AUT_XOBJ		((char)0x41)
134 #define	AUT_XPROTO		((char)0x42)
135 #define	AUT_XSELECT		((char)0x43)
136 
137 #if	TOKEN_VERSION != 3
138 #define	AUT_XCOLORMAP		((char)0x44)
139 #define	AUT_XCURSOR		((char)0x45)
140 #define	AUT_XFONT		((char)0x46)
141 #define	AUT_XGC			((char)0x47)
142 #define	AUT_XPIXMAP		((char)0x48)
143 #define	AUT_XPROPERTY		((char)0x49)
144 #define	AUT_XWINDOW		((char)0x4A)
145 #define	AUT_XCLIENT		((char)0x4B)
146 #else	/* TOKEN_VERSION == 3 */
147 #define	AUT_XCOLORMAP		((char)0x74)
148 #define	AUT_XCURSOR		((char)0x75)
149 #define	AUT_XFONT		((char)0x76)
150 #define	AUT_XGC			((char)0x77)
151 #define	AUT_XPIXMAP		((char)0x78)
152 #define	AUT_XPROPERTY		((char)0x79)
153 #define	AUT_XWINDOW		((char)0x7A)
154 #define	AUT_XCLIENT		((char)0x7B)
155 #endif	/* TOKEN_VERSION != 3 */
156 
157 /*
158  * Command token types
159  */
160 
161 #define	AUT_CMD   		((char)0x51)
162 #define	AUT_EXIT   		((char)0x52)
163 
164 /*
165  * Miscellaneous token types
166  */
167 
168 #define	AUT_HOST		((char)0x70)
169 
170 /*
171  * Solaris64 token types
172  */
173 
174 #define	AUT_ARG64		((char)0x71)
175 #define	AUT_RETURN64		((char)0x72)
176 #define	AUT_ATTR64		((char)0x73)
177 #define	AUT_HEADER64		((char)0x74)
178 #define	AUT_SUBJECT64		((char)0x75)
179 #define	AUT_PROCESS64		((char)0x77)
180 #define	AUT_OTHER_FILE64	((char)0x78)
181 
182 /*
183  * Extended network address token types
184  */
185 
186 #define	AUT_HEADER64_EX		((char)0x79)
187 #define	AUT_SUBJECT32_EX	((char)0x7a)
188 #define	AUT_PROCESS32_EX	((char)0x7b)
189 #define	AUT_SUBJECT64_EX	((char)0x7c)
190 #define	AUT_PROCESS64_EX	((char)0x7d)
191 #define	AUT_IN_ADDR_EX		((char)0x7e)
192 #define	AUT_SOCKET_EX		((char)0x7f)
193 
194 /*
195  * Can't do >= 0x80 because these are chars. 0x16/0x17 seem to be free here,
196  * but who knows if they have historical uses
197  */
198 #define	AUT_ACCESS_MASK		((char)0x16)
199 #define	AUT_WSID		((char)0x17)
200 
201 /*
202  * Audit print suggestion types.
203  */
204 
205 #define	AUP_BINARY	((char)0)
206 #define	AUP_OCTAL	((char)1)
207 #define	AUP_DECIMAL	((char)2)
208 #define	AUP_HEX		((char)3)
209 #define	AUP_STRING	((char)4)
210 
211 /*
212  * Audit data member types.
213  */
214 
215 #define	AUR_BYTE	((char)0)
216 #define	AUR_CHAR	((char)0)
217 #define	AUR_SHORT	((char)1)
218 #define	AUR_INT		((char)2)
219 #define	AUR_INT32	((char)2)
220 #define	AUR_INT64	((char)3)
221 
222 /*
223  * Adr structures
224  */
225 
226 struct adr_s {
227 	char *adr_stream;	/* The base of the stream */
228 	char *adr_now;		/* The location within the stream */
229 };
230 
231 typedef struct adr_s adr_t;
232 
233 
234 #ifdef _KERNEL
235 
236 #include <sys/param.h>
237 #include <sys/systm.h>		/* for rval */
238 #include <sys/time.h>
239 #include <sys/types.h>
240 #include <sys/vnode.h>
241 #include <sys/mode.h>
242 #include <sys/user.h>
243 #include <sys/session.h>
244 #include <sys/ipc_impl.h>
245 #include <netinet/in_systm.h>
246 #include <netinet/in.h>
247 #include <netinet/ip.h>
248 #include <sys/socket.h>
249 #include <net/route.h>
250 #include <netinet/in_pcb.h>
251 
252 /*
253  * au_close flag arguments
254  */
255 
256 #define	AU_OK		0x1	/* Good audit record */
257 #define	AU_DONTBLOCK	0x2	/* Don't block or discard if queue full */
258 #define	AU_DEFER	0x4	/* Defer record queueing to syscall end */
259 
260 /*
261  * Audit token type is really an au_membuf pointer
262  */
263 typedef au_buff_t token_t;
264 /*
265  * token generation functions
266  */
267 token_t *au_append_token(token_t *, token_t *);
268 token_t *au_set(caddr_t, uint_t);
269 
270 void au_free_rec(au_buff_t *);
271 
272 #define	au_getclr()		((token_t *)au_get_buff())
273 #define	au_toss_token(tok)	(au_free_rec((au_buff_t *)(tok)))
274 
275 token_t *au_to_acl();
276 token_t *au_to_ace();
277 token_t *au_to_attr(struct vattr *);
278 token_t *au_to_data(char, char, char, char *);
279 token_t *au_to_header(int, au_event_t, au_emod_t);
280 token_t *au_to_header_ex(int, au_event_t, au_emod_t);
281 token_t *au_to_ipc(char, int);
282 token_t *au_to_ipc_perm(kipc_perm_t *);
283 token_t *au_to_iport(ushort_t);
284 token_t *au_to_in_addr(struct in_addr *);
285 token_t *au_to_in_addr_ex(int32_t *);
286 token_t *au_to_ip(struct ip *);
287 token_t *au_to_groups(const gid_t *, uint_t);
288 token_t *au_to_path(struct audit_path *);
289 token_t *au_to_seq();
290 token_t *au_to_process(uid_t, gid_t, uid_t, gid_t, pid_t,
291 			au_id_t, au_asid_t, const au_tid_addr_t *);
292 token_t *au_to_subject(uid_t, gid_t, uid_t, gid_t, pid_t,
293 			au_id_t, au_asid_t, const au_tid_addr_t *);
294 token_t *au_to_return32(int, int32_t);
295 token_t *au_to_return64(int, int64_t);
296 token_t *au_to_text(const char *);
297 /* token_t *au_to_tid(au_generic_tid_t *);  no kernel implementation */
298 token_t *au_to_trailer(int);
299 token_t *au_to_uauth(char *);
300 size_t	au_zonename_length(zone_t *);
301 token_t *au_to_zonename(size_t, zone_t *);
302 token_t *au_to_arg32(char, char *, uint32_t);
303 token_t *au_to_arg64(char, char *, uint64_t);
304 token_t *au_to_socket_ex(short, short, char *, char *);
305 token_t *au_to_sock_inet(struct sockaddr_in *);
306 token_t *au_to_exec_args(const char *, ssize_t);
307 token_t *au_to_exec_env(const char *, ssize_t);
308 token_t	*au_to_label(bslabel_t *);
309 token_t	*au_to_privset(const char *, const priv_set_t *, char, int);
310 token_t *au_to_secflags(const char *, secflagset_t);
311 
312 void	au_uwrite();
313 void	au_close(au_kcontext_t *, caddr_t *, int, au_event_t, au_emod_t,
314     timestruc_t *);
315 void	au_close_defer(token_t *, int, au_event_t, au_emod_t, timestruc_t *);
316 void	au_close_time(au_kcontext_t *, token_t *, int, au_event_t, au_emod_t,
317 	    timestruc_t *);
318 void	au_free_rec(au_buff_t *);
319 void	au_write(caddr_t *, token_t *);
320 void	au_mem_init(void);
321 void	au_zone_setup();
322 void	au_enqueue(au_kcontext_t *, au_buff_t *, adr_t *, adr_t *, int, int);
323 int	au_doorio(au_kcontext_t *);
324 int	au_doormsg(au_kcontext_t *, uint32_t, void *);
325 int	au_token_size(token_t *);
326 int	au_append_rec(au_buff_t *, au_buff_t *, int);
327 int	au_append_buf(const char *, int, au_buff_t *);
328 
329 #else /* !_KERNEL */
330 
331 #include <limits.h>
332 #include <sys/types.h>
333 #include <sys/vnode.h>
334 #include <netinet/in_systm.h>
335 #include <netinet/in.h>
336 #include <netinet/ip.h>
337 #include <sys/ipc.h>
338 
339 struct token_s {
340 	struct token_s	*tt_next;	/* Next in the list	*/
341 	short		tt_size;	/* Size of data		*/
342 	char		*tt_data;	/* The data		*/
343 };
344 typedef struct token_s token_t;
345 
346 /*
347  *	Old socket structure definition, formerly in <sys/socketvar.h>
348  */
349 struct oldsocket {
350 	short	so_type;		/* generic type, see socket.h */
351 	short	so_options;		/* from socket call, see socket.h */
352 	short	so_linger;		/* time to linger while closing */
353 	short	so_state;		/* internal state flags SS_*, below */
354 	struct inpcb	*so_pcb;	/* protocol control block */
355 	struct	protosw *so_proto;	/* protocol handle */
356 /*
357  * Variables for connection queueing.
358  * Socket where accepts occur is so_head in all subsidiary sockets.
359  * If so_head is 0, socket is not related to an accept.
360  * For head socket so_q0 queues partially completed connections,
361  * while so_q is a queue of connections ready to be accepted.
362  * If a connection is aborted and it has so_head set, then
363  * it has to be pulled out of either so_q0 or so_q.
364  * We allow connections to queue up based on current queue lengths
365  * and limit on number of queued connections for this socket.
366  */
367 	struct	oldsocket *so_head;	/* back pointer to accept socket */
368 	struct	oldsocket *so_q0;	/* queue of partial connections */
369 	struct	oldsocket *so_q;	/* queue of incoming connections */
370 	short	so_q0len;		/* partials on so_q0 */
371 	short	so_qlen;		/* number of connections on so_q */
372 	short	so_qlimit;		/* max number queued connections */
373 	short	so_timeo;		/* connection timeout */
374 	ushort_t so_error;		/* error affecting connection */
375 	short	so_pgrp;		/* pgrp for signals */
376 	ulong_t	so_oobmark;		/* chars to oob mark */
377 /*
378  * Variables for socket buffering.
379  */
380 	struct	sockbuf {
381 		ulong_t	sb_cc;		/* actual chars in buffer */
382 		ulong_t	sb_hiwat;	/* max actual char count */
383 		ulong_t	sb_mbcnt;	/* chars of mbufs used */
384 		ulong_t	sb_mbmax;	/* max chars of mbufs to use */
385 		ulong_t	sb_lowat;	/* low water mark (not used yet) */
386 		struct	mbuf *sb_mb;	/* the mbuf chain */
387 		struct	proc *sb_sel;	/* process selecting read/write */
388 		short	sb_timeo;	/* timeout (not used yet) */
389 		short	sb_flags;	/* flags, see below */
390 	} so_rcv, so_snd;
391 /*
392  * Hooks for alternative wakeup strategies.
393  * These are used by kernel subsystems wishing to access the socket
394  * abstraction.  If so_wupfunc is nonnull, it is called in place of
395  * wakeup any time that wakeup would otherwise be called with an
396  * argument whose value is an address lying within a socket structure.
397  */
398 	struct wupalt	*so_wupalt;
399 };
400 extern token_t *au_to_arg32(char, char *, uint32_t);
401 extern token_t *au_to_arg64(char, char *, uint64_t);
402 extern token_t *au_to_acl(struct acl *);
403 extern token_t *au_to_attr(struct vattr *);
404 extern token_t *au_to_cmd(uint_t, char **, char **);
405 extern token_t *au_to_data(char, char, char, char *);
406 extern token_t *au_to_exec_args(char **);
407 extern token_t *au_to_exec_env(char **);
408 extern token_t *au_to_exit(int, int);
409 extern token_t *au_to_fmri(char *);
410 extern token_t *au_to_groups(int *);
411 extern token_t *au_to_newgroups(int, gid_t *);
412 extern token_t *au_to_header(au_event_t, au_emod_t);
413 extern token_t *au_to_header_ex(au_event_t, au_emod_t);
414 extern token_t *au_to_in_addr(struct in_addr *);
415 extern token_t *au_to_in_addr_ex(struct in6_addr *);
416 extern token_t *au_to_ipc(char, int);
417 extern token_t *au_to_ipc_perm(struct ipc_perm *);
418 extern token_t *au_to_iport(ushort_t);
419 extern token_t *au_to_me(void);
420 extern token_t *au_to_mylabel(void);
421 extern token_t *au_to_opaque(char *, short);
422 extern token_t *au_to_path(char *);
423 extern token_t *au_to_privset(const char *, const priv_set_t *);
424 extern token_t *au_to_process(au_id_t, uid_t, gid_t, uid_t, gid_t,
425 				pid_t, au_asid_t, au_tid_t *);
426 extern token_t *au_to_process_ex(au_id_t, uid_t, gid_t, uid_t, gid_t,
427 				pid_t, au_asid_t, au_tid_addr_t *);
428 extern token_t *au_to_return32(char, uint32_t);
429 extern token_t *au_to_return64(char, uint64_t);
430 extern token_t *au_to_seq(int);
431 extern token_t *au_to_label(m_label_t *);
432 extern token_t *au_to_socket(struct oldsocket *);
433 extern token_t *au_to_subject(au_id_t, uid_t, gid_t, uid_t, gid_t,
434 				pid_t, au_asid_t, au_tid_t *);
435 extern token_t *au_to_subject_ex(au_id_t, uid_t, gid_t, uid_t, gid_t,
436 				pid_t, au_asid_t, au_tid_addr_t *);
437 extern token_t *au_to_text(char *);
438 extern token_t *au_to_tid(au_generic_tid_t *);
439 extern token_t *au_to_trailer(void);
440 extern token_t *au_to_uauth(char *);
441 extern token_t *au_to_upriv(char, char *);
442 extern token_t *au_to_user(uid_t, char *);
443 extern token_t *au_to_xatom(char *);
444 extern token_t *au_to_xselect(char *, char *, char *);
445 extern token_t *au_to_xcolormap(int32_t, uid_t);
446 extern token_t *au_to_xcursor(int32_t, uid_t);
447 extern token_t *au_to_xfont(int32_t, uid_t);
448 extern token_t *au_to_xgc(int32_t, uid_t);
449 extern token_t *au_to_xpixmap(int32_t, uid_t);
450 extern token_t *au_to_xwindow(int32_t, uid_t);
451 extern token_t *au_to_xproperty(int32_t, uid_t, char *);
452 extern token_t *au_to_xclient(uint32_t);
453 extern token_t *au_to_zonename(char *);
454 #endif /* _KERNEL */
455 
456 #ifdef	_KERNEL
457 
458 void	adr_char(adr_t *, char *, int);
459 void	adr_int32(adr_t *, int32_t *, int);
460 void	adr_uint32(adr_t *, uint32_t *, int);
461 void	adr_int64(adr_t *, int64_t *, int);
462 void	adr_uint64(adr_t *, uint64_t *, int);
463 void	adr_short(adr_t *, short *, int);
464 void	adr_ushort(adr_t *, ushort_t *, int);
465 void	adr_start(adr_t *, char *);
466 
467 char	*adr_getchar(adr_t *, char *);
468 char	*adr_getshort(adr_t *, short  *);
469 char	*adr_getushort(adr_t *, ushort_t  *);
470 char	*adr_getint32(adr_t *, int32_t *);
471 char	*adr_getuint32(adr_t *, uint32_t *);
472 char	*adr_getint64(adr_t *, int64_t *);
473 char	*adr_getuint64(adr_t *, uint64_t *);
474 
475 int	adr_count(adr_t *);
476 
477 #endif	/* _KERNEL */
478 
479 #ifdef __cplusplus
480 }
481 #endif
482 
483 #endif /* _BSM_AUDIT_RECORD_H */
484