xref: /freebsd/contrib/openbsm/bsm/libbsm.h (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*
2  * Copyright (c) 2004 Apple Computer, Inc.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1.  Redistributions of source code must retain the above copyright
9  *     notice, this list of conditions and the following disclaimer.
10  * 2.  Redistributions in binary form must reproduce the above copyright
11  *     notice, this list of conditions and the following disclaimer in the
12  *     documentation and/or other materials provided with the distribution.
13  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14  *     its contributors may be used to endorse or promote products derived
15  *     from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27  * POSSIBILITY OF SUCH DAMAGE.
28  *
29  * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#33 $
30  */
31 
32 #ifndef _LIBBSM_H_
33 #define	_LIBBSM_H_
34 
35 /*
36  * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
37  * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
38  */
39 
40 #include <sys/types.h>
41 #include <sys/cdefs.h>
42 
43 #include <inttypes.h>		/* Required for audit.h. */
44 #include <time.h>		/* Required for clock_t on Linux. */
45 
46 #include <bsm/audit.h>
47 #include <bsm/audit_record.h>
48 
49 #include <stdio.h>
50 
51 #ifdef __APPLE__
52 #include <mach/mach.h>		/* audit_token_t */
53 #endif
54 
55 /*
56  * Size parsed token vectors for execve(2) arguments and environmental
57  * variables.  Note: changing these sizes affects the ABI of the token
58  * structure, and as the token structure is often placed in the caller stack,
59  * this is undesirable.
60  */
61 #define	AUDIT_MAX_ARGS	128
62 #define	AUDIT_MAX_ENV	128
63 
64 /*
65  * Arguments to au_preselect(3).
66  */
67 #define	AU_PRS_USECACHE	0
68 #define	AU_PRS_REREAD	1
69 
70 #define	AU_PRS_SUCCESS	1
71 #define	AU_PRS_FAILURE	2
72 #define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)
73 
74 #define	AUDIT_EVENT_FILE	"/etc/security/audit_event"
75 #define	AUDIT_CLASS_FILE	"/etc/security/audit_class"
76 #define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
77 #define	AUDIT_USER_FILE		"/etc/security/audit_user"
78 
79 #define	DIR_CONTROL_ENTRY	"dir"
80 #define	MINFREE_CONTROL_ENTRY	"minfree"
81 #define	FILESZ_CONTROL_ENTRY	"filesz"
82 #define	FLAGS_CONTROL_ENTRY	"flags"
83 #define	NA_CONTROL_ENTRY	"naflags"
84 #define	POLICY_CONTROL_ENTRY	"policy"
85 
86 #define	AU_CLASS_NAME_MAX	8
87 #define	AU_CLASS_DESC_MAX	72
88 #define	AU_EVENT_NAME_MAX	30
89 #define	AU_EVENT_DESC_MAX	50
90 #define	AU_USER_NAME_MAX	50
91 #define	AU_LINE_MAX		256
92 #define	MAX_AUDITSTRING_LEN	256
93 #define	BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN	/* OpenSSH compatibility */
94 
95 /*
96  * Arguments to au_close(3).
97  */
98 #define	AU_TO_NO_WRITE		0	/* Abandon audit record. */
99 #define	AU_TO_WRITE		1	/* Commit audit record. */
100 
101 __BEGIN_DECLS
102 struct au_event_ent {
103 	au_event_t	 ae_number;
104 	char		*ae_name;
105 	char		*ae_desc;
106 	au_class_t	 ae_class;
107 };
108 typedef struct au_event_ent au_event_ent_t;
109 
110 struct au_class_ent {
111 	char		*ac_name;
112 	au_class_t	 ac_class;
113 	char		*ac_desc;
114 };
115 typedef struct au_class_ent au_class_ent_t;
116 
117 struct au_user_ent {
118 	char		*au_name;
119 	au_mask_t	 au_always;
120 	au_mask_t	 au_never;
121 };
122 typedef struct au_user_ent au_user_ent_t;
123 __END_DECLS
124 
125 #define	ADD_TO_MASK(m, c, sel) do {					\
126 	if (sel & AU_PRS_SUCCESS)					\
127 		(m)->am_success |= c;					\
128 	if (sel & AU_PRS_FAILURE)					\
129 		(m)->am_failure |= c;					\
130 } while (0)
131 
132 #define	SUB_FROM_MASK(m, c, sel) do {					\
133 	if (sel & AU_PRS_SUCCESS)					\
134 		(m)->am_success &= ((m)->am_success ^ c);		\
135 	if (sel & AU_PRS_FAILURE)					\
136 		(m)->am_failure &= ((m)->am_failure ^ c);		\
137 } while (0)
138 
139 #define	ADDMASK(m, v) do {						\
140 	(m)->am_success |= (v)->am_success;				\
141 	(m)->am_failure |= (v)->am_failure;				\
142 } while(0)
143 
144 #define	SUBMASK(m, v) do {						\
145 	(m)->am_success &= ((m)->am_success ^ (v)->am_success);		\
146 	(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure);		\
147 } while(0)
148 
149 __BEGIN_DECLS
150 
151 typedef struct au_tid32 {
152 	u_int32_t	port;
153 	u_int32_t	addr;
154 } au_tid32_t;
155 
156 typedef struct au_tid64 {
157 	u_int64_t	port;
158 	u_int32_t	addr;
159 } au_tid64_t;
160 
161 typedef struct au_tidaddr32 {
162 	u_int32_t	port;
163 	u_int32_t	type;
164 	u_int32_t	addr[4];
165 } au_tidaddr32_t;
166 
167 typedef struct au_tidaddr64 {
168 	u_int64_t	port;
169 	u_int32_t	type;
170 	u_int32_t	addr[4];
171 } au_tidaddr64_t;
172 
173 /*
174  * argument #              1 byte
175  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
176  * text length             2 bytes
177  * text                    N bytes + 1 terminating NULL byte
178  */
179 typedef struct {
180 	u_char		 no;
181 	u_int32_t	 val;
182 	u_int16_t	 len;
183 	char		*text;
184 } au_arg32_t;
185 
186 typedef struct {
187 	u_char		 no;
188 	u_int64_t	 val;
189 	u_int16_t	 len;
190 	char		*text;
191 } au_arg64_t;
192 
193 /*
194  * how to print            1 byte
195  * basic unit              1 byte
196  * unit count              1 byte
197  * data items              (depends on basic unit)
198  */
199 typedef struct {
200 	u_char	 howtopr;
201 	u_char	 bu;
202 	u_char	 uc;
203 	u_char	*data;
204 } au_arb_t;
205 
206 /*
207  * file access mode        4 bytes
208  * owner user ID           4 bytes
209  * owner group ID          4 bytes
210  * file system ID          4 bytes
211  * node ID                 8 bytes
212  * device                  4 bytes/8 bytes (32-bit/64-bit)
213  */
214 typedef struct {
215 	u_int32_t	mode;
216    	u_int32_t	uid;
217 	u_int32_t	gid;
218 	u_int32_t	fsid;
219 	u_int64_t	nid;
220 	u_int32_t	dev;
221 } au_attr32_t;
222 
223 typedef struct {
224 	u_int32_t	mode;
225    	u_int32_t	uid;
226 	u_int32_t	gid;
227 	u_int32_t	fsid;
228 	u_int64_t	nid;
229 	u_int64_t	dev;
230 } au_attr64_t;
231 
232 /*
233  * count                   4 bytes
234  * text                    count null-terminated string(s)
235  */
236 typedef struct {
237 	u_int32_t	 count;
238 	char		*text[AUDIT_MAX_ARGS];
239 } au_execarg_t;
240 
241 /*
242  * count                   4 bytes
243  * text                    count null-terminated string(s)
244  */
245 typedef struct {
246 	u_int32_t	 count;
247 	char		*text[AUDIT_MAX_ENV];
248 } au_execenv_t;
249 
250 /*
251  * status                  4 bytes
252  * return value            4 bytes
253  */
254 typedef struct {
255 	u_int32_t	status;
256 	u_int32_t	ret;
257 } au_exit_t;
258 
259 /*
260  * seconds of time         4 bytes
261  * milliseconds of time    4 bytes
262  * file name length        2 bytes
263  * file pathname           N bytes + 1 terminating NULL byte
264  */
265 typedef struct {
266 	u_int32_t	 s;
267 	u_int32_t	 ms;
268 	u_int16_t	 len;
269 	char		*name;
270 } au_file_t;
271 
272 
273 /*
274  * number groups           2 bytes
275  * group list              N * 4 bytes
276  */
277 typedef struct {
278 	u_int16_t	no;
279 	u_int32_t	list[AUDIT_MAX_GROUPS];
280 } au_groups_t;
281 
282 /*
283  * record byte count       4 bytes
284  * version #               1 byte    [2]
285  * event type              2 bytes
286  * event modifier          2 bytes
287  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
288  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
289  */
290 typedef struct {
291 	u_int32_t	size;
292 	u_char		version;
293 	u_int16_t	e_type;
294 	u_int16_t	e_mod;
295 	u_int32_t	s;
296 	u_int32_t	ms;
297 } au_header32_t;
298 
299 /*
300  * record byte count       4 bytes
301  * version #               1 byte     [2]
302  * event type              2 bytes
303  * event modifier          2 bytes
304  * address type/length     1 byte (XXX: actually, 4 bytes)
305  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
306  * seconds of time         4 bytes/8 bytes  (32/64-bits)
307  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
308  */
309 typedef struct {
310 	u_int32_t	size;
311 	u_char		version;
312 	u_int16_t	e_type;
313 	u_int16_t	e_mod;
314 	u_int32_t	ad_type;
315 	u_int32_t	addr[4];
316 	u_int32_t	s;
317 	u_int32_t	ms;
318 } au_header32_ex_t;
319 
320 typedef struct {
321 	u_int32_t	size;
322 	u_char		version;
323 	u_int16_t	e_type;
324 	u_int16_t	e_mod;
325 	u_int64_t	s;
326 	u_int64_t	ms;
327 } au_header64_t;
328 
329 typedef struct {
330 	u_int32_t	size;
331 	u_char		version;
332 	u_int16_t	e_type;
333 	u_int16_t	e_mod;
334 	u_int32_t	ad_type;
335 	u_int32_t	addr[4];
336 	u_int64_t	s;
337 	u_int64_t	ms;
338 } au_header64_ex_t;
339 
340 /*
341  * internet address        4 bytes
342  */
343 typedef struct {
344 	u_int32_t	addr;
345 } au_inaddr_t;
346 
347 /*
348  * type                 4 bytes
349  * internet address     16 bytes
350  */
351 typedef struct {
352 	u_int32_t	type;
353 	u_int32_t	addr[4];
354 } au_inaddr_ex_t;
355 
356 /*
357  * version and ihl         1 byte
358  * type of service         1 byte
359  * length                  2 bytes
360  * id                      2 bytes
361  * offset                  2 bytes
362  * ttl                     1 byte
363  * protocol                1 byte
364  * checksum                2 bytes
365  * source address          4 bytes
366  * destination address     4 bytes
367  */
368 typedef struct {
369 	u_char		version;
370 	u_char		tos;
371 	u_int16_t	len;
372 	u_int16_t	id;
373 	u_int16_t	offset;
374 	u_char		ttl;
375 	u_char		prot;
376 	u_int16_t	chksm;
377 	u_int32_t	src;
378 	u_int32_t	dest;
379 } au_ip_t;
380 
381 /*
382  * object ID type          1 byte
383  * object ID               4 bytes
384  */
385 typedef struct {
386 	u_char		type;
387 	u_int32_t	id;
388 } au_ipc_t;
389 
390 /*
391  * owner user ID           4 bytes
392  * owner group ID          4 bytes
393  * creator user ID         4 bytes
394  * creator group ID        4 bytes
395  * access mode             4 bytes
396  * slot sequence #         4 bytes
397  * key                     4 bytes
398  */
399 typedef struct {
400 	u_int32_t	uid;
401 	u_int32_t	gid;
402 	u_int32_t	puid;
403 	u_int32_t	pgid;
404 	u_int32_t	mode;
405 	u_int32_t	seq;
406 	u_int32_t	key;
407 } au_ipcperm_t;
408 
409 /*
410  * port IP address         2 bytes
411  */
412 typedef struct {
413 	u_int16_t	port;
414 } au_iport_t;
415 
416 /*
417  * length		2 bytes
418  * data			length bytes
419  */
420 typedef struct {
421 	u_int16_t	 size;
422 	char		*data;
423 } au_opaque_t;
424 
425 /*
426  * path length             2 bytes
427  * path                    N bytes + 1 terminating NULL byte
428  */
429 typedef struct {
430 	u_int16_t	 len;
431 	char		*path;
432 } au_path_t;
433 
434 /*
435  * audit ID                4 bytes
436  * effective user ID       4 bytes
437  * effective group ID      4 bytes
438  * real user ID            4 bytes
439  * real group ID           4 bytes
440  * process ID              4 bytes
441  * session ID              4 bytes
442  * terminal ID
443  * port ID               4 bytes/8 bytes (32-bit/64-bit value)
444  * machine address       4 bytes
445  */
446 typedef struct {
447 	u_int32_t	auid;
448 	u_int32_t	euid;
449 	u_int32_t	egid;
450 	u_int32_t	ruid;
451 	u_int32_t	rgid;
452 	u_int32_t	pid;
453 	u_int32_t	sid;
454 	au_tid32_t	tid;
455 } au_proc32_t;
456 
457 typedef struct {
458 	u_int32_t	auid;
459 	u_int32_t	euid;
460 	u_int32_t	egid;
461 	u_int32_t	ruid;
462 	u_int32_t	rgid;
463 	u_int32_t	pid;
464 	u_int32_t	sid;
465 	au_tid64_t	tid;
466 } au_proc64_t;
467 
468 /*
469  * audit ID                4 bytes
470  * effective user ID       4 bytes
471  * effective group ID      4 bytes
472  * real user ID            4 bytes
473  * real group ID           4 bytes
474  * process ID              4 bytes
475  * session ID              4 bytes
476  * terminal ID
477  * port ID               4 bytes/8 bytes (32-bit/64-bit value)
478  * type                  4 bytes
479  * machine address       16 bytes
480  */
481 typedef struct {
482 	u_int32_t	auid;
483 	u_int32_t	euid;
484 	u_int32_t	egid;
485 	u_int32_t	ruid;
486 	u_int32_t	rgid;
487 	u_int32_t	pid;
488 	u_int32_t	sid;
489 	au_tidaddr32_t	tid;
490 } au_proc32ex_t;
491 
492 typedef struct {
493 	u_int32_t	auid;
494 	u_int32_t	euid;
495 	u_int32_t	egid;
496 	u_int32_t	ruid;
497 	u_int32_t	rgid;
498 	u_int32_t	pid;
499 	u_int32_t	sid;
500 	au_tidaddr64_t	tid;
501 } au_proc64ex_t;
502 
503 /*
504  * error status            1 byte
505  * return value            4 bytes/8 bytes (32-bit/64-bit value)
506  */
507 typedef struct {
508 	u_char		status;
509 	u_int32_t	ret;
510 } au_ret32_t;
511 
512 typedef struct {
513 	u_char		err;
514 	u_int64_t	val;
515 } au_ret64_t;
516 
517 /*
518  * sequence number         4 bytes
519  */
520 typedef struct {
521 	u_int32_t	seqno;
522 } au_seq_t;
523 
524 /*
525  * socket type             2 bytes
526  * local port              2 bytes
527  * local Internet address  4 bytes
528  * remote port             2 bytes
529  * remote Internet address 4 bytes
530  */
531 typedef struct {
532 	u_int16_t	type;
533 	u_int16_t	l_port;
534 	u_int32_t	l_addr;
535 	u_int16_t	r_port;
536 	u_int32_t	r_addr;
537 } au_socket_t;
538 
539 /*
540  * socket type             2 bytes
541  * local port              2 bytes
542  * address type/length     4 bytes
543  * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
544  * remote port             4 bytes
545  * address type/length     4 bytes
546  * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
547  */
548 typedef struct {
549 	u_int16_t	type;
550 	u_int16_t	l_port;
551 	u_int32_t	l_ad_type;
552 	u_int32_t	l_addr;
553 	u_int32_t	r_port;
554 	u_int32_t	r_ad_type;
555 	u_int32_t	r_addr;
556 } au_socket_ex32_t;
557 
558 /*
559  * socket family           2 bytes
560  * local port              2 bytes
561  * socket address          4 bytes/16 bytes (IPv4/IPv6 address)
562  */
563 typedef struct {
564 	u_int16_t	family;
565 	u_int16_t	port;
566 	u_int32_t	addr;
567 } au_socketinet32_t;
568 
569 /*
570  * socket family           2 bytes
571  * path                    104 bytes
572  */
573 typedef struct {
574 	u_int16_t	family;
575 	char		path[104];
576 } au_socketunix_t;
577 
578 /*
579  * audit ID                4 bytes
580  * effective user ID       4 bytes
581  * effective group ID      4 bytes
582  * real user ID            4 bytes
583  * real group ID           4 bytes
584  * process ID              4 bytes
585  * session ID              4 bytes
586  * terminal ID
587  * 	port ID               4 bytes/8 bytes (32-bit/64-bit value)
588  * 	machine address       4 bytes
589  */
590 typedef struct {
591 	u_int32_t	auid;
592 	u_int32_t	euid;
593 	u_int32_t	egid;
594 	u_int32_t	ruid;
595 	u_int32_t	rgid;
596 	u_int32_t	pid;
597 	u_int32_t	sid;
598 	au_tid32_t	tid;
599 } au_subject32_t;
600 
601 typedef struct {
602 	u_int32_t	auid;
603 	u_int32_t	euid;
604 	u_int32_t	egid;
605 	u_int32_t	ruid;
606 	u_int32_t	rgid;
607 	u_int32_t	pid;
608 	u_int32_t	sid;
609 	au_tid64_t	tid;
610 } au_subject64_t;
611 
612 /*
613  * audit ID                4 bytes
614  * effective user ID       4 bytes
615  * effective group ID      4 bytes
616  * real user ID            4 bytes
617  * real group ID           4 bytes
618  * process ID              4 bytes
619  * session ID              4 bytes
620  * terminal ID
621  * port ID               4 bytes/8 bytes (32-bit/64-bit value)
622  * type                  4 bytes
623  * machine address       16 bytes
624  */
625 typedef struct {
626 	u_int32_t	auid;
627 	u_int32_t	euid;
628 	u_int32_t	egid;
629 	u_int32_t	ruid;
630 	u_int32_t	rgid;
631 	u_int32_t	pid;
632 	u_int32_t	sid;
633 	au_tidaddr32_t	tid;
634 } au_subject32ex_t;
635 
636 typedef struct {
637 	u_int32_t	auid;
638 	u_int32_t	euid;
639 	u_int32_t	egid;
640 	u_int32_t	ruid;
641 	u_int32_t	rgid;
642 	u_int32_t	pid;
643 	u_int32_t	sid;
644 	au_tidaddr64_t	tid;
645 } au_subject64ex_t;
646 
647 /*
648  * text length             2 bytes
649  * text                    N bytes + 1 terminating NULL byte
650  */
651 typedef struct {
652 	u_int16_t	 len;
653 	char		*text;
654 } au_text_t;
655 
656 /*
657  * zonename length	2 bytes
658  * zonename text	N bytes + 1 NULL terminator
659  */
660 typedef struct {
661 	u_int16_t	 len;
662 	char		*zonename;
663 } au_zonename_t;
664 
665 typedef struct {
666 	u_int32_t	ident;
667 	u_int16_t	filter;
668 	u_int16_t	flags;
669 	u_int32_t	fflags;
670 	u_int32_t	data;
671 } au_kevent_t;
672 
673 typedef struct {
674 	u_int16_t	 length;
675 	char		*data;
676 } au_invalid_t;
677 
678 /*
679  * trailer magic number    2 bytes
680  * record byte count       4 bytes
681  */
682 typedef struct {
683 	u_int16_t	magic;
684 	u_int32_t	count;
685 } au_trailer_t;
686 
687 struct tokenstr {
688 	u_char	 id;
689 	u_char	*data;
690 	size_t	 len;
691 	union {
692 		au_arg32_t		arg32;
693 		au_arg64_t		arg64;
694 		au_arb_t		arb;
695 		au_attr32_t		attr32;
696 		au_attr64_t		attr64;
697 		au_execarg_t		execarg;
698 		au_execenv_t		execenv;
699 		au_exit_t		exit;
700 		au_file_t		file;
701 		au_groups_t		grps;
702 		au_header32_t		hdr32;
703 		au_header32_ex_t	hdr32_ex;
704 		au_header64_t		hdr64;
705 		au_header64_ex_t	hdr64_ex;
706 		au_inaddr_t		inaddr;
707 		au_inaddr_ex_t		inaddr_ex;
708 		au_ip_t			ip;
709 		au_ipc_t		ipc;
710 		au_ipcperm_t		ipcperm;
711 		au_iport_t		iport;
712 		au_opaque_t		opaque;
713 		au_path_t		path;
714 		au_proc32_t		proc32;
715 		au_proc32ex_t		proc32_ex;
716 		au_proc64_t		proc64;
717 		au_proc64ex_t		proc64_ex;
718 		au_ret32_t		ret32;
719 		au_ret64_t		ret64;
720 		au_seq_t		seq;
721 		au_socket_t		socket;
722 		au_socket_ex32_t	socket_ex32;
723 		au_socketinet32_t	sockinet32;
724 		au_socketunix_t		sockunix;
725 		au_subject32_t		subj32;
726 		au_subject32ex_t	subj32_ex;
727 		au_subject64_t		subj64;
728 		au_subject64ex_t	subj64_ex;
729 		au_text_t		text;
730 		au_kevent_t		kevent;
731 		au_invalid_t		invalid;
732 		au_trailer_t		trail;
733 		au_zonename_t		zonename;
734 	} tt; /* The token is one of the above types */
735 };
736 
737 typedef struct tokenstr tokenstr_t;
738 
739 int			 audit_submit(short au_event, au_id_t auid,
740 			    char status, int reterr, const char *fmt, ...);
741 
742 /*
743  * Functions relating to querying audit class information.
744  */
745 void			 setauclass(void);
746 void			 endauclass(void);
747 struct au_class_ent	*getauclassent(void);
748 struct au_class_ent	*getauclassent_r(au_class_ent_t *class_int);
749 struct au_class_ent	*getauclassnam(const char *name);
750 struct au_class_ent	*getauclassnam_r(au_class_ent_t *class_int,
751 			    const char *name);
752 struct au_class_ent	*getauclassnum(au_class_t class_number);
753 struct au_class_ent	*getauclassnum_r(au_class_ent_t *class_int,
754 			    au_class_t class_number);
755 
756 /*
757  * Functions relating to querying audit control information.
758  */
759 void			 setac(void);
760 void			 endac(void);
761 int			 getacdir(char *name, int len);
762 int			 getacmin(int *min_val);
763 int			 getacfilesz(size_t *size_val);
764 int			 getacflg(char *auditstr, int len);
765 int			 getacna(char *auditstr, int len);
766 int			 getacpol(char *auditstr, size_t len);
767 int			 getauditflagsbin(char *auditstr, au_mask_t *masks);
768 int			 getauditflagschar(char *auditstr, au_mask_t *masks,
769 			    int verbose);
770 int			 au_preselect(au_event_t event, au_mask_t *mask_p,
771 			    int sorf, int flag);
772 ssize_t			 au_poltostr(long policy, size_t maxsize, char *buf);
773 int			 au_strtopol(const char *polstr, long *policy);
774 
775 /*
776  * Functions relating to querying audit event information.
777  */
778 void			 setauevent(void);
779 void			 endauevent(void);
780 struct au_event_ent	*getauevent(void);
781 struct au_event_ent	*getauevent_r(struct au_event_ent *e);
782 struct au_event_ent	*getauevnam(const char *name);
783 struct au_event_ent	*getauevnam_r(struct au_event_ent *e,
784 			    const char *name);
785 struct au_event_ent	*getauevnum(au_event_t event_number);
786 struct au_event_ent	*getauevnum_r(struct au_event_ent *e,
787 			    au_event_t event_number);
788 au_event_t		*getauevnonam(const char *event_name);
789 au_event_t		*getauevnonam_r(au_event_t *ev,
790 			    const char *event_name);
791 
792 /*
793  * Functions relating to querying audit user information.
794  */
795 void			 setauuser(void);
796 void			 endauuser(void);
797 struct au_user_ent	*getauuserent(void);
798 struct au_user_ent	*getauuserent_r(struct au_user_ent *u);
799 struct au_user_ent	*getauusernam(const char *name);
800 struct au_user_ent	*getauusernam_r(struct au_user_ent *u,
801 			    const char *name);
802 int			 au_user_mask(char *username, au_mask_t *mask_p);
803 int			 getfauditflags(au_mask_t *usremask,
804 			    au_mask_t *usrdmask, au_mask_t *lastmask);
805 
806 /*
807  * Functions for reading and printing records and tokens from audit trails.
808  */
809 int			 au_read_rec(FILE *fp, u_char **buf);
810 int			 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
811 //XXX The following interface has different prototype from BSM
812 void			 au_print_tok(FILE *outfp, tokenstr_t *tok,
813 			    char *del, char raw, char sfrm);
814 void			 au_print_tok_xml(FILE *outfp, tokenstr_t *tok,
815 			    char *del, char raw, char sfrm);
816 
817 /*
818  * Functions relating to XML output.
819  */
820 void			 au_print_xml_header(FILE *outfp);
821 void			 au_print_xml_footer(FILE *outfp);
822 __END_DECLS
823 
824 /*
825  * The remaining APIs are associated with Apple's BSM implementation, in
826  * particular as relates to Mach IPC auditing and triggers passed via Mach
827  * IPC.
828  */
829 #ifdef __APPLE__
830 #include <sys/appleapiopts.h>
831 
832 /**************************************************************************
833  **************************************************************************
834  ** The following definitions, functions, etc., are NOT officially
835  ** supported: they may be changed or removed in the future.  Do not use
836  ** them unless you are prepared to cope with that eventuality.
837  **************************************************************************
838  **************************************************************************/
839 
840 #ifdef __APPLE_API_PRIVATE
841 #define	__BSM_INTERNAL_NOTIFY_KEY	"com.apple.audit.change"
842 #endif /* __APPLE_API_PRIVATE */
843 
844 /*
845  * au_get_state() return values
846  * XXX  use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
847  * AUDIT_ON are deprecated and WILL be removed.
848  */
849 #ifdef __APPLE_API_PRIVATE
850 #define	AUDIT_OFF	AUC_NOAUDIT
851 #define	AUDIT_ON	AUC_AUDITING
852 #endif /* __APPLE_API_PRIVATE */
853 #endif /* !__APPLE__ */
854 
855 /*
856  * Error return codes for audit_set_terminal_id(), audit_write() and its
857  * brethren.  We have 255 (not including kAUNoErr) to play with.
858  *
859  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
860  */
861 enum {
862 	kAUNoErr			= 0,
863 	kAUBadParamErr			= -66049,
864 	kAUStatErr,
865 	kAUSysctlErr,
866 	kAUOpenErr,
867 	kAUMakeSubjectTokErr,
868 	kAUWriteSubjectTokErr,
869 	kAUWriteCallerTokErr,
870 	kAUMakeReturnTokErr,
871 	kAUWriteReturnTokErr,
872 	kAUCloseErr,
873 	kAUMakeTextTokErr,
874 	kAULastErr
875 };
876 
877 #ifdef __APPLE__
878 /*
879  * Error return codes for au_get_state() and/or its private support
880  * functions.  These codes are designed to be compatible with the
881  * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
882  * Any changes to notify(3) may cause these values to change in future.
883  *
884  * AU_UNIMPL should never happen unless you've changed your system software
885  * without rebooting.  Shame on you.
886  */
887 #ifdef __APPLE_API_PRIVATE
888 #define	AU_UNIMPL	NOTIFY_STATUS_FAILED + 1	/* audit unimplemented */
889 #endif /* __APPLE_API_PRIVATE */
890 #endif /* !__APPLE__ */
891 
892 __BEGIN_DECLS
893 /*
894  * XXX  This prototype should be in audit_record.h
895  *
896  * au_free_token()
897  *
898  * @summary - au_free_token() deallocates a token_t created by any of
899  * the au_to_*() BSM API functions.
900  *
901  * The BSM API generally manages deallocation of token_t objects.  However,
902  * if au_write() is passed a bad audit descriptor, the token_t * parameter
903  * will be left untouched.  In that case, the caller can deallocate the
904  * token_t using au_free_token() if desired.  This is, in fact, what
905  * audit_write() does, in keeping with the existing memory management model
906  * of the BSM API.
907  *
908  * @param tok - A token_t * generated by one of the au_to_*() BSM API
909  * calls.  For convenience, tok may be NULL, in which case
910  * au_free_token() returns immediately.
911  *
912  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
913  */
914 void	au_free_token(token_t *tok);
915 
916 /*
917  * Lightweight check to determine if auditing is enabled.  If a client
918  * wants to use this to govern whether an entire series of audit calls
919  * should be made--as in the common case of a caller building a set of
920  * tokens, then writing them--it should cache the audit status in a local
921  * variable.  This call always returns the current state of auditing.
922  *
923  * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
924  * Otherwise the function can return any of the errno values defined for
925  * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
926  * the system.
927  *
928  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
929  */
930 int	au_get_state(void);
931 __END_DECLS
932 
933 /* OpenSSH compatibility */
934 int	cannot_audit(int);
935 
936 __BEGIN_DECLS
937 /*
938  * audit_set_terminal_id()
939  *
940  * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
941  * used in audit session initialization by processes like /usr/bin/login.
942  *
943  * @param tid - A pointer to an au_tid_t struct.
944  *
945  * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
946  * or kAUSysctlErr if one of the underlying system calls fails (a message
947  * is sent to the system log in those cases).
948  *
949  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
950  */
951 int	audit_set_terminal_id(au_tid_t *tid);
952 
953 /*
954  * BEGIN au_write() WRAPPERS
955  *
956  * The following calls all wrap the existing BSM API.  They use the
957  * provided subject information, if any, to construct the subject token
958  * required for every log message.  They use the provided return/error
959  * value(s), if any, to construct the success/failure indication required
960  * for every log message.  They only permit one "miscellaneous" token,
961  * which should contain the event-specific logging information mandated by
962  * CAPP.
963  *
964  * All these calls assume the caller has previously determined that
965  * auditing is enabled by calling au_get_state().
966  */
967 
968 /*
969  * audit_write()
970  *
971  * @summary - audit_write() is the basis for the other audit_write_*()
972  * calls.  Performs a basic write of an audit record (subject, additional
973  * info, success/failure).  Note that this call only permits logging one
974  * caller-specified token; clients needing to log more flexibly must use
975  * the existing BSM API (au_open(), et al.) directly.
976  *
977  * Note on memory management: audit_write() guarantees that the token_t *s
978  * passed to it will be deallocated whether or not the underlying write to
979  * the audit log succeeded.  This addresses an inconsistency in the
980  * underlying BSM API in which token_t *s are usually but not always
981  * deallocated.
982  *
983  * @param event_code - The code for the event being logged.  This should
984  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
985  *
986  * @param subject - A token_t * generated by au_to_subject(),
987  * au_to_subject32(), au_to_subject64(), or au_to_me().  If no subject is
988  * required, subject should be NULL.
989  *
990  * @param misctok - A token_t * generated by one of the au_to_*() BSM API
991  * calls.  This should correspond to the additional information required by
992  * CAPP for the event being audited.  If no additional information is
993  * required, misctok should be NULL.
994  *
995  * @param retval - The return value to be logged for this event.  This
996  * should be 0 (zero) for success, otherwise the value is event-specific.
997  *
998  * @param errcode - Any error code associated with the return value (e.g.,
999  * errno or h_errno).  If there was no error, errcode should be 0 (zero).
1000  *
1001  * @return - The status of the call: 0 (zero) on success, else one of the
1002  * kAU*Err values defined above.
1003  *
1004  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1005  */
1006 int	audit_write(short event_code, token_t *subject, token_t *misctok,
1007 	    char retval, int errcode);
1008 
1009 /*
1010  * audit_write_success()
1011  *
1012  * @summary - audit_write_success() records an auditable event that did not
1013  * encounter an error.  The interface is designed to require as little
1014  * direct use of the au_to_*() API as possible.  It builds a subject token
1015  * from the information passed in and uses that to invoke audit_write().
1016  * A subject, as defined by CAPP, is a process acting on the user's behalf.
1017  *
1018  * If the subject information is the same as the current process, use
1019  * au_write_success_self().
1020  *
1021  * @param event_code - The code for the event being logged.  This should
1022  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1023  *
1024  * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1025  * calls.  This should correspond to the additional information required by
1026  * CAPP for the event being audited.  If no additional information is
1027  * required, misctok should be NULL.
1028  *
1029  * @param auid - The subject's audit ID.
1030  *
1031  * @param euid - The subject's effective user ID.
1032  *
1033  * @param egid - The subject's effective group ID.
1034  *
1035  * @param ruid - The subject's real user ID.
1036  *
1037  * @param rgid - The subject's real group ID.
1038  *
1039  * @param pid - The subject's process ID.
1040  *
1041  * @param sid - The subject's session ID.
1042  *
1043  * @param tid - The subject's terminal ID.
1044  *
1045  * @return - The status of the call: 0 (zero) on success, else one of the
1046  * kAU*Err values defined above.
1047  *
1048  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1049  */
1050 int	audit_write_success(short event_code, token_t *misctok, au_id_t auid,
1051 	    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1052 	    au_asid_t sid, au_tid_t *tid);
1053 
1054 /*
1055  * audit_write_success_self()
1056  *
1057  * @summary - Similar to audit_write_success(), but used when the subject
1058  * (process) is owned and operated by the auditable user him/herself.
1059  *
1060  * @param event_code - The code for the event being logged.  This should
1061  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1062  *
1063  * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1064  * calls.  This should correspond to the additional information required by
1065  * CAPP for the event being audited.  If no additional information is
1066  * required, misctok should be NULL.
1067  *
1068  * @return - The status of the call: 0 (zero) on success, else one of the
1069  * kAU*Err values defined above.
1070  *
1071  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1072  */
1073 int	audit_write_success_self(short event_code, token_t *misctok);
1074 
1075 /*
1076  * audit_write_failure()
1077  *
1078  * @summary - audit_write_failure() records an auditable event that
1079  * encountered an error.  The interface is designed to require as little
1080  * direct use of the au_to_*() API as possible.  It builds a subject token
1081  * from the information passed in and uses that to invoke audit_write().
1082  * A subject, as defined by CAPP, is a process acting on the user's behalf.
1083  *
1084  * If the subject information is the same as the current process, use
1085  * au_write_failure_self().
1086  *
1087  * @param event_code - The code for the event being logged.  This should
1088  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1089  *
1090  * @param errmsg - A text message providing additional information about
1091  * the event being audited.
1092  *
1093  * @param errret - A numerical value providing additional information about
1094  * the error.  This is intended to store the value of errno or h_errno if
1095  * it's relevant.  This can be 0 (zero) if no additional information is
1096  * available.
1097  *
1098  * @param auid - The subject's audit ID.
1099  *
1100  * @param euid - The subject's effective user ID.
1101  *
1102  * @param egid - The subject's effective group ID.
1103  *
1104  * @param ruid - The subject's real user ID.
1105  *
1106  * @param rgid - The subject's real group ID.
1107  *
1108  * @param pid - The subject's process ID.
1109  *
1110  * @param sid - The subject's session ID.
1111  *
1112  * @param tid - The subject's terminal ID.
1113  *
1114  * @return - The status of the call: 0 (zero) on success, else one of the
1115  * kAU*Err values defined above.
1116  *
1117  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1118  */
1119 int	audit_write_failure(short event_code, char *errmsg, int errret,
1120 	    au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1121 	    pid_t pid, au_asid_t sid, au_tid_t *tid);
1122 
1123 /*
1124  * audit_write_failure_self()
1125  *
1126  * @summary - Similar to audit_write_failure(), but used when the subject
1127  * (process) is owned and operated by the auditable user him/herself.
1128  *
1129  * @param event_code - The code for the event being logged.  This should
1130  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1131  *
1132  * @param errmsg - A text message providing additional information about
1133  * the event being audited.
1134  *
1135  * @param errret - A numerical value providing additional information about
1136  * the error.  This is intended to store the value of errno or h_errno if
1137  * it's relevant.  This can be 0 (zero) if no additional information is
1138  * available.
1139  *
1140  * @return - The status of the call: 0 (zero) on success, else one of the
1141  * kAU*Err values defined above.
1142  *
1143  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1144  */
1145 int	audit_write_failure_self(short event_code, char *errmsg, int errret);
1146 
1147 /*
1148  * audit_write_failure_na()
1149  *
1150  * @summary - audit_write_failure_na() records errors during login.  Such
1151  * errors are implicitly non-attributable (i.e., not ascribable to any user).
1152  *
1153  * @param event_code - The code for the event being logged.  This should
1154  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1155  *
1156  * @param errmsg - A text message providing additional information about
1157  * the event being audited.
1158  *
1159  * @param errret - A numerical value providing additional information about
1160  * the error.  This is intended to store the value of errno or h_errno if
1161  * it's relevant.  This can be 0 (zero) if no additional information is
1162  * available.
1163  *
1164  * @param euid - The subject's effective user ID.
1165  *
1166  * @param egid - The subject's effective group ID.
1167  *
1168  * @param pid - The subject's process ID.
1169  *
1170  * @param tid - The subject's terminal ID.
1171  *
1172  * @return - The status of the call: 0 (zero) on success, else one of the
1173  * kAU*Err values defined above.
1174  *
1175  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1176  */
1177 int	audit_write_failure_na(short event_code, char *errmsg, int errret,
1178 	    uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
1179 
1180 /* END au_write() WRAPPERS */
1181 
1182 #ifdef  __APPLE__
1183 /*
1184  * audit_token_to_au32()
1185  *
1186  * @summary - Extract information from an audit_token_t, used to identify
1187  * Mach tasks and senders of Mach messages as subjects to the audit system.
1188  * audit_tokent_to_au32() is the only method that should be used to parse
1189  * an audit_token_t, since its internal representation may change over
1190  * time.  A pointer parameter may be NULL if that information is not
1191  * needed.
1192  *
1193  * @param atoken - the audit token containing the desired information
1194  *
1195  * @param auidp - Pointer to a uid_t; on return will be set to the task or
1196  * sender's audit user ID
1197  *
1198  * @param euidp - Pointer to a uid_t; on return will be set to the task or
1199  * sender's effective user ID
1200  *
1201  * @param egidp - Pointer to a gid_t; on return will be set to the task or
1202  * sender's effective group ID
1203  *
1204  * @param ruidp - Pointer to a uid_t; on return will be set to the task or
1205  * sender's real user ID
1206  *
1207  * @param rgidp - Pointer to a gid_t; on return will be set to the task or
1208  * sender's real group ID
1209  *
1210  * @param pidp - Pointer to a pid_t; on return will be set to the task or
1211  * sender's process ID
1212  *
1213  * @param asidp - Pointer to an au_asid_t; on return will be set to the
1214  * task or sender's audit session ID
1215  *
1216  * @param tidp - Pointer to an au_tid_t; on return will be set to the task
1217  * or sender's terminal ID
1218  *
1219  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1220  */
1221 void audit_token_to_au32(
1222 	audit_token_t	 atoken,
1223 	uid_t		*auidp,
1224 	uid_t		*euidp,
1225 	gid_t		*egidp,
1226 	uid_t		*ruidp,
1227 	gid_t		*rgidp,
1228 	pid_t		*pidp,
1229 	au_asid_t	*asidp,
1230 	au_tid_t	*tidp);
1231 #endif /* !__APPLE__ */
1232 
1233 __END_DECLS
1234 
1235 #endif /* !_LIBBSM_H_ */
1236