xref: /freebsd/contrib/openbsm/bsm/libbsm.h (revision e8d8bef961a50d4dc22501cde4fb9fb0be1b2532)
1 /*-
2  * Copyright (c) 2004-2009 Apple Inc.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1.  Redistributions of source code must retain the above copyright
9  *     notice, this list of conditions and the following disclaimer.
10  * 2.  Redistributions in binary form must reproduce the above copyright
11  *     notice, this list of conditions and the following disclaimer in the
12  *     documentation and/or other materials provided with the distribution.
13  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
14  *     its contributors may be used to endorse or promote products derived
15  *     from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27  * POSSIBILITY OF SUCH DAMAGE.
28  */
29 
30 #ifndef _LIBBSM_H_
31 #define	_LIBBSM_H_
32 
33 /*
34  * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
35  * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
36  */
37 
38 #include <sys/types.h>
39 #include <sys/cdefs.h>
40 
41 #include <inttypes.h>		/* Required for audit.h. */
42 #include <time.h>		/* Required for clock_t on Linux. */
43 
44 #include <bsm/audit.h>
45 #include <bsm/audit_record.h>
46 
47 #include <stdio.h>
48 
49 #ifdef __APPLE__
50 #include <mach/mach.h>		/* audit_token_t */
51 #endif
52 
53 /*
54  * Size parsed token vectors for execve(2) arguments and environmental
55  * variables.  Note: changing these sizes affects the ABI of the token
56  * structure, and as the token structure is often placed in the caller stack,
57  * this is undesirable.
58  */
59 #define	AUDIT_MAX_ARGS	128
60 #define	AUDIT_MAX_ENV	128
61 
62 /*
63  * Arguments to au_preselect(3).
64  */
65 #define	AU_PRS_USECACHE	0
66 #define	AU_PRS_REREAD	1
67 
68 #define	AU_PRS_SUCCESS	1
69 #define	AU_PRS_FAILURE	2
70 #define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)
71 
72 #define	AUDIT_EVENT_FILE	"/etc/security/audit_event"
73 #define	AUDIT_CLASS_FILE	"/etc/security/audit_class"
74 #define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
75 #define	AUDIT_USER_FILE		"/etc/security/audit_user"
76 
77 #define	DIR_CONTROL_ENTRY		"dir"
78 #define	DIST_CONTROL_ENTRY		"dist"
79 #define	FILESZ_CONTROL_ENTRY		"filesz"
80 #define	FLAGS_CONTROL_ENTRY		"flags"
81 #define	HOST_CONTROL_ENTRY		"host"
82 #define	MINFREE_CONTROL_ENTRY		"minfree"
83 #define	NA_CONTROL_ENTRY		"naflags"
84 #define	POLICY_CONTROL_ENTRY		"policy"
85 #define	EXPIRE_AFTER_CONTROL_ENTRY	"expire-after"
86 #define	QSZ_CONTROL_ENTRY		"qsize"
87 
88 #define	AU_CLASS_NAME_MAX	8
89 #define	AU_CLASS_DESC_MAX	72
90 #define	AU_EVENT_NAME_MAX	30
91 #define	AU_EVENT_DESC_MAX	50
92 #define	AU_USER_NAME_MAX	50
93 #define	AU_LINE_MAX		256
94 #define	MAX_AUDITSTRING_LEN	256
95 #define	BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN	/* OpenSSH compatibility */
96 
97 #define USE_DEFAULT_QSZ		-1	/* Use system default queue size */
98 
99 /*
100  * Arguments to au_close(3).
101  */
102 #define	AU_TO_NO_WRITE		0	/* Abandon audit record. */
103 #define	AU_TO_WRITE		1	/* Commit audit record. */
104 
105 /*
106  * Output format flags for au_print_flags_tok().
107  */
108 #define	AU_OFLAG_NONE		0x0000	/* Default form. */
109 #define	AU_OFLAG_RAW		0x0001	/* Raw, numeric form. */
110 #define	AU_OFLAG_SHORT		0x0002	/* Short form. */
111 #define	AU_OFLAG_XML		0x0004	/* XML form. */
112 #define	AU_OFLAG_NORESOLVE	0x0008	/* No user/group name resolution. */
113 
114 __BEGIN_DECLS
115 struct au_event_ent {
116 	au_event_t	 ae_number;
117 	char		*ae_name;
118 	char		*ae_desc;
119 	au_class_t	 ae_class;
120 };
121 typedef struct au_event_ent au_event_ent_t;
122 
123 struct au_class_ent {
124 	char		*ac_name;
125 	au_class_t	 ac_class;
126 	char		*ac_desc;
127 };
128 typedef struct au_class_ent au_class_ent_t;
129 
130 struct au_user_ent {
131 	char		*au_name;
132 	au_mask_t	 au_always;
133 	au_mask_t	 au_never;
134 };
135 typedef struct au_user_ent au_user_ent_t;
136 __END_DECLS
137 
138 #define	ADD_TO_MASK(m, c, sel) do {					\
139 	if (sel & AU_PRS_SUCCESS)					\
140 		(m)->am_success |= c;					\
141 	if (sel & AU_PRS_FAILURE)					\
142 		(m)->am_failure |= c;					\
143 } while (0)
144 
145 #define	SUB_FROM_MASK(m, c, sel) do {					\
146 	if (sel & AU_PRS_SUCCESS)					\
147 		(m)->am_success &= ((m)->am_success ^ c);		\
148 	if (sel & AU_PRS_FAILURE)					\
149 		(m)->am_failure &= ((m)->am_failure ^ c);		\
150 } while (0)
151 
152 #define	ADDMASK(m, v) do {						\
153 	(m)->am_success |= (v)->am_success;				\
154 	(m)->am_failure |= (v)->am_failure;				\
155 } while(0)
156 
157 #define	SUBMASK(m, v) do {						\
158 	(m)->am_success &= ((m)->am_success ^ (v)->am_success);		\
159 	(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure);		\
160 } while(0)
161 
162 __BEGIN_DECLS
163 
164 typedef struct au_tid32 {
165 	u_int32_t	port;
166 	u_int32_t	addr;
167 } au_tid32_t;
168 
169 typedef struct au_tid64 {
170 	u_int64_t	port;
171 	u_int32_t	addr;
172 } au_tid64_t;
173 
174 typedef struct au_tidaddr32 {
175 	u_int32_t	port;
176 	u_int32_t	type;
177 	u_int32_t	addr[4];
178 } au_tidaddr32_t;
179 
180 typedef struct au_tidaddr64 {
181 	u_int64_t	port;
182 	u_int32_t	type;
183 	u_int32_t	addr[4];
184 } au_tidaddr64_t;
185 
186 /*
187  * argument #              1 byte
188  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
189  * text length             2 bytes
190  * text                    N bytes + 1 terminating NULL byte
191  */
192 typedef struct {
193 	u_char		 no;
194 	u_int32_t	 val;
195 	u_int16_t	 len;
196 	char		*text;
197 } au_arg32_t;
198 
199 typedef struct {
200 	u_char		 no;
201 	u_int64_t	 val;
202 	u_int16_t	 len;
203 	char		*text;
204 } au_arg64_t;
205 
206 /*
207  * how to print            1 byte
208  * basic unit              1 byte
209  * unit count              1 byte
210  * data items              (depends on basic unit)
211  */
212 typedef struct {
213 	u_char	 howtopr;
214 	u_char	 bu;
215 	u_char	 uc;
216 	u_char	*data;
217 } au_arb_t;
218 
219 /*
220  * file access mode        4 bytes
221  * owner user ID           4 bytes
222  * owner group ID          4 bytes
223  * file system ID          4 bytes
224  * node ID                 8 bytes
225  * device                  4 bytes/8 bytes (32-bit/64-bit)
226  */
227 typedef struct {
228 	u_int32_t	mode;
229 	u_int32_t	uid;
230 	u_int32_t	gid;
231 	u_int32_t	fsid;
232 	u_int64_t	nid;
233 	u_int32_t	dev;
234 } au_attr32_t;
235 
236 typedef struct {
237 	u_int32_t	mode;
238 	u_int32_t	uid;
239 	u_int32_t	gid;
240 	u_int32_t	fsid;
241 	u_int64_t	nid;
242 	u_int64_t	dev;
243 } au_attr64_t;
244 
245 /*
246  * count                   4 bytes
247  * text                    count null-terminated string(s)
248  */
249 typedef struct {
250 	u_int32_t	 count;
251 	char		*text[AUDIT_MAX_ARGS];
252 } au_execarg_t;
253 
254 /*
255  * count                   4 bytes
256  * text                    count null-terminated string(s)
257  */
258 typedef struct {
259 	u_int32_t	 count;
260 	char		*text[AUDIT_MAX_ENV];
261 } au_execenv_t;
262 
263 /*
264  * status                  4 bytes
265  * return value            4 bytes
266  */
267 typedef struct {
268 	u_int32_t	status;
269 	u_int32_t	ret;
270 } au_exit_t;
271 
272 /*
273  * seconds of time         4 bytes
274  * milliseconds of time    4 bytes
275  * file name length        2 bytes
276  * file pathname           N bytes + 1 terminating NULL byte
277  */
278 typedef struct {
279 	u_int32_t	 s;
280 	u_int32_t	 ms;
281 	u_int16_t	 len;
282 	char		*name;
283 } au_file_t;
284 
285 
286 /*
287  * number groups           2 bytes
288  * group list              N * 4 bytes
289  */
290 typedef struct {
291 	u_int16_t	no;
292 	u_int32_t	list[AUDIT_MAX_GROUPS];
293 } au_groups_t;
294 
295 /*
296  * record byte count       4 bytes
297  * version #               1 byte    [2]
298  * event type              2 bytes
299  * event modifier          2 bytes
300  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
301  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
302  */
303 typedef struct {
304 	u_int32_t	size;
305 	u_char		version;
306 	u_int16_t	e_type;
307 	u_int16_t	e_mod;
308 	u_int32_t	s;
309 	u_int32_t	ms;
310 } au_header32_t;
311 
312 /*
313  * record byte count       4 bytes
314  * version #               1 byte     [2]
315  * event type              2 bytes
316  * event modifier          2 bytes
317  * address type/length     1 byte (XXX: actually, 4 bytes)
318  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
319  * seconds of time         4 bytes/8 bytes  (32/64-bits)
320  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
321  */
322 typedef struct {
323 	u_int32_t	size;
324 	u_char		version;
325 	u_int16_t	e_type;
326 	u_int16_t	e_mod;
327 	u_int32_t	ad_type;
328 	u_int32_t	addr[4];
329 	u_int32_t	s;
330 	u_int32_t	ms;
331 } au_header32_ex_t;
332 
333 typedef struct {
334 	u_int32_t	size;
335 	u_char		version;
336 	u_int16_t	e_type;
337 	u_int16_t	e_mod;
338 	u_int64_t	s;
339 	u_int64_t	ms;
340 } au_header64_t;
341 
342 typedef struct {
343 	u_int32_t	size;
344 	u_char		version;
345 	u_int16_t	e_type;
346 	u_int16_t	e_mod;
347 	u_int32_t	ad_type;
348 	u_int32_t	addr[4];
349 	u_int64_t	s;
350 	u_int64_t	ms;
351 } au_header64_ex_t;
352 
353 /*
354  * internet address        4 bytes
355  */
356 typedef struct {
357 	u_int32_t	addr;
358 } au_inaddr_t;
359 
360 /*
361  * type                 4 bytes
362  * internet address     16 bytes
363  */
364 typedef struct {
365 	u_int32_t	type;
366 	u_int32_t	addr[4];
367 } au_inaddr_ex_t;
368 
369 /*
370  * version and ihl         1 byte
371  * type of service         1 byte
372  * length                  2 bytes
373  * id                      2 bytes
374  * offset                  2 bytes
375  * ttl                     1 byte
376  * protocol                1 byte
377  * checksum                2 bytes
378  * source address          4 bytes
379  * destination address     4 bytes
380  */
381 typedef struct {
382 	u_char		version;
383 	u_char		tos;
384 	u_int16_t	len;
385 	u_int16_t	id;
386 	u_int16_t	offset;
387 	u_char		ttl;
388 	u_char		prot;
389 	u_int16_t	chksm;
390 	u_int32_t	src;
391 	u_int32_t	dest;
392 } au_ip_t;
393 
394 /*
395  * object ID type          1 byte
396  * object ID               4 bytes
397  */
398 typedef struct {
399 	u_char		type;
400 	u_int32_t	id;
401 } au_ipc_t;
402 
403 /*
404  * owner user ID           4 bytes
405  * owner group ID          4 bytes
406  * creator user ID         4 bytes
407  * creator group ID        4 bytes
408  * access mode             4 bytes
409  * slot sequence #         4 bytes
410  * key                     4 bytes
411  */
412 typedef struct {
413 	u_int32_t	uid;
414 	u_int32_t	gid;
415 	u_int32_t	puid;
416 	u_int32_t	pgid;
417 	u_int32_t	mode;
418 	u_int32_t	seq;
419 	u_int32_t	key;
420 } au_ipcperm_t;
421 
422 /*
423  * port IP address         2 bytes
424  */
425 typedef struct {
426 	u_int16_t	port;
427 } au_iport_t;
428 
429 /*
430  * length		2 bytes
431  * data			length bytes
432  */
433 typedef struct {
434 	u_int16_t	 size;
435 	char		*data;
436 } au_opaque_t;
437 
438 /*
439  * path length             2 bytes
440  * path                    N bytes + 1 terminating NULL byte
441  */
442 typedef struct {
443 	u_int16_t	 len;
444 	char		*path;
445 } au_path_t;
446 
447 /*
448  * audit ID                4 bytes
449  * effective user ID       4 bytes
450  * effective group ID      4 bytes
451  * real user ID            4 bytes
452  * real group ID           4 bytes
453  * process ID              4 bytes
454  * session ID              4 bytes
455  * terminal ID
456  * port ID               4 bytes/8 bytes (32-bit/64-bit value)
457  * machine address       4 bytes
458  */
459 typedef struct {
460 	u_int32_t	auid;
461 	u_int32_t	euid;
462 	u_int32_t	egid;
463 	u_int32_t	ruid;
464 	u_int32_t	rgid;
465 	u_int32_t	pid;
466 	u_int32_t	sid;
467 	au_tid32_t	tid;
468 } au_proc32_t;
469 
470 typedef struct {
471 	u_int32_t	auid;
472 	u_int32_t	euid;
473 	u_int32_t	egid;
474 	u_int32_t	ruid;
475 	u_int32_t	rgid;
476 	u_int32_t	pid;
477 	u_int32_t	sid;
478 	au_tid64_t	tid;
479 } au_proc64_t;
480 
481 /*
482  * audit ID                4 bytes
483  * effective user ID       4 bytes
484  * effective group ID      4 bytes
485  * real user ID            4 bytes
486  * real group ID           4 bytes
487  * process ID              4 bytes
488  * session ID              4 bytes
489  * terminal ID
490  * port ID               4 bytes/8 bytes (32-bit/64-bit value)
491  * type                  4 bytes
492  * machine address       16 bytes
493  */
494 typedef struct {
495 	u_int32_t	auid;
496 	u_int32_t	euid;
497 	u_int32_t	egid;
498 	u_int32_t	ruid;
499 	u_int32_t	rgid;
500 	u_int32_t	pid;
501 	u_int32_t	sid;
502 	au_tidaddr32_t	tid;
503 } au_proc32ex_t;
504 
505 typedef struct {
506 	u_int32_t	auid;
507 	u_int32_t	euid;
508 	u_int32_t	egid;
509 	u_int32_t	ruid;
510 	u_int32_t	rgid;
511 	u_int32_t	pid;
512 	u_int32_t	sid;
513 	au_tidaddr64_t	tid;
514 } au_proc64ex_t;
515 
516 /*
517  * error status            1 byte
518  * return value            4 bytes/8 bytes (32-bit/64-bit value)
519  */
520 typedef struct {
521 	u_char		status;
522 	u_int32_t	ret;
523 } au_ret32_t;
524 
525 typedef struct {
526 	u_char		err;
527 	u_int64_t	val;
528 } au_ret64_t;
529 
530 /*
531  * sequence number         4 bytes
532  */
533 typedef struct {
534 	u_int32_t	seqno;
535 } au_seq_t;
536 
537 /*
538  * socket type             2 bytes
539  * local port              2 bytes
540  * local Internet address  4 bytes
541  * remote port             2 bytes
542  * remote Internet address 4 bytes
543  */
544 typedef struct {
545 	u_int16_t	type;
546 	u_int16_t	l_port;
547 	u_int32_t	l_addr;
548 	u_int16_t	r_port;
549 	u_int32_t	r_addr;
550 } au_socket_t;
551 
552 /*
553  * socket type             2 bytes
554  * local port              2 bytes
555  * address type/length     4 bytes
556  * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
557  * remote port             4 bytes
558  * address type/length     4 bytes
559  * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
560  */
561 typedef struct {
562 	u_int16_t	domain;
563 	u_int16_t	type;
564 	u_int16_t	atype;
565 	u_int16_t	l_port;
566 	u_int32_t	l_addr[4];
567 	u_int32_t	r_port;
568 	u_int32_t	r_addr[4];
569 } au_socket_ex32_t;
570 
571 /*
572  * socket family           2 bytes
573  * local port              2 bytes
574  * socket address          4 bytes/16 bytes (IPv4/IPv6 address)
575  */
576 typedef struct {
577 	u_int16_t	family;
578 	u_int16_t	port;
579 	u_int32_t	addr[4];
580 } au_socketinet_ex32_t;
581 
582 typedef struct {
583 	u_int16_t	family;
584 	u_int16_t	port;
585 	u_int32_t	addr;
586 } au_socketinet32_t;
587 
588 /*
589  * socket family           2 bytes
590  * path                    104 bytes
591  */
592 typedef struct {
593 	u_int16_t	family;
594 	char		path[104];
595 } au_socketunix_t;
596 
597 /*
598  * audit ID                4 bytes
599  * effective user ID       4 bytes
600  * effective group ID      4 bytes
601  * real user ID            4 bytes
602  * real group ID           4 bytes
603  * process ID              4 bytes
604  * session ID              4 bytes
605  * terminal ID
606  * 	port ID               4 bytes/8 bytes (32-bit/64-bit value)
607  * 	machine address       4 bytes
608  */
609 typedef struct {
610 	u_int32_t	auid;
611 	u_int32_t	euid;
612 	u_int32_t	egid;
613 	u_int32_t	ruid;
614 	u_int32_t	rgid;
615 	u_int32_t	pid;
616 	u_int32_t	sid;
617 	au_tid32_t	tid;
618 } au_subject32_t;
619 
620 typedef struct {
621 	u_int32_t	auid;
622 	u_int32_t	euid;
623 	u_int32_t	egid;
624 	u_int32_t	ruid;
625 	u_int32_t	rgid;
626 	u_int32_t	pid;
627 	u_int32_t	sid;
628 	au_tid64_t	tid;
629 } au_subject64_t;
630 
631 /*
632  * audit ID                4 bytes
633  * effective user ID       4 bytes
634  * effective group ID      4 bytes
635  * real user ID            4 bytes
636  * real group ID           4 bytes
637  * process ID              4 bytes
638  * session ID              4 bytes
639  * terminal ID
640  * port ID               4 bytes/8 bytes (32-bit/64-bit value)
641  * type                  4 bytes
642  * machine address       16 bytes
643  */
644 typedef struct {
645 	u_int32_t	auid;
646 	u_int32_t	euid;
647 	u_int32_t	egid;
648 	u_int32_t	ruid;
649 	u_int32_t	rgid;
650 	u_int32_t	pid;
651 	u_int32_t	sid;
652 	au_tidaddr32_t	tid;
653 } au_subject32ex_t;
654 
655 typedef struct {
656 	u_int32_t	auid;
657 	u_int32_t	euid;
658 	u_int32_t	egid;
659 	u_int32_t	ruid;
660 	u_int32_t	rgid;
661 	u_int32_t	pid;
662 	u_int32_t	sid;
663 	au_tidaddr64_t	tid;
664 } au_subject64ex_t;
665 
666 /*
667  * text length             2 bytes
668  * text                    N bytes + 1 terminating NULL byte
669  */
670 typedef struct {
671 	u_int16_t	 len;
672 	char		*text;
673 } au_text_t;
674 
675 /*
676  * upriv status         1 byte
677  * privstr len          2 bytes
678  * privstr              N bytes + 1 (\0 byte)
679  */
680 typedef struct {
681 	u_int8_t	 sorf;
682 	u_int16_t	 privstrlen;
683 	char		*priv;
684 } au_priv_t;
685 
686 /*
687 * privset
688 * privtstrlen		2 bytes
689 * privtstr		N Bytes + 1
690 * privstrlen		2 bytes
691 * privstr		N Bytes + 1
692 */
693 typedef struct {
694 	u_int16_t	 privtstrlen;
695 	char		*privtstr;
696 	u_int16_t	 privstrlen;
697 	char		*privstr;
698 } au_privset_t;
699 
700 /*
701  * zonename length	2 bytes
702  * zonename text	N bytes + 1 NULL terminator
703  */
704 typedef struct {
705 	u_int16_t	 len;
706 	char		*zonename;
707 } au_zonename_t;
708 
709 typedef struct {
710 	u_int32_t	ident;
711 	u_int16_t	filter;
712 	u_int16_t	flags;
713 	u_int32_t	fflags;
714 	u_int32_t	data;
715 } au_kevent_t;
716 
717 typedef struct {
718 	u_int16_t	 length;
719 	char		*data;
720 } au_invalid_t;
721 
722 /*
723  * trailer magic number    2 bytes
724  * record byte count       4 bytes
725  */
726 typedef struct {
727 	u_int16_t	magic;
728 	u_int32_t	count;
729 } au_trailer_t;
730 
731 struct tokenstr {
732 	u_char	 id;
733 	u_char	*data;
734 	size_t	 len;
735 	union {
736 		au_arg32_t		arg32;
737 		au_arg64_t		arg64;
738 		au_arb_t		arb;
739 		au_attr32_t		attr32;
740 		au_attr64_t		attr64;
741 		au_execarg_t		execarg;
742 		au_execenv_t		execenv;
743 		au_exit_t		exit;
744 		au_file_t		file;
745 		au_groups_t		grps;
746 		au_header32_t		hdr32;
747 		au_header32_ex_t	hdr32_ex;
748 		au_header64_t		hdr64;
749 		au_header64_ex_t	hdr64_ex;
750 		au_inaddr_t		inaddr;
751 		au_inaddr_ex_t		inaddr_ex;
752 		au_ip_t			ip;
753 		au_ipc_t		ipc;
754 		au_ipcperm_t		ipcperm;
755 		au_iport_t		iport;
756 		au_opaque_t		opaque;
757 		au_path_t		path;
758 		au_proc32_t		proc32;
759 		au_proc32ex_t		proc32_ex;
760 		au_proc64_t		proc64;
761 		au_proc64ex_t		proc64_ex;
762 		au_ret32_t		ret32;
763 		au_ret64_t		ret64;
764 		au_seq_t		seq;
765 		au_socket_t		socket;
766 		au_socket_ex32_t	socket_ex32;
767 		au_socketinet_ex32_t	sockinet_ex32;
768 		au_socketunix_t		sockunix;
769 		au_subject32_t		subj32;
770 		au_subject32ex_t	subj32_ex;
771 		au_subject64_t		subj64;
772 		au_subject64ex_t	subj64_ex;
773 		au_text_t		text;
774 		au_kevent_t		kevent;
775 		au_invalid_t		invalid;
776 		au_trailer_t		trail;
777 		au_zonename_t		zonename;
778 		au_priv_t		priv;
779 		au_privset_t		privset;
780 	} tt; /* The token is one of the above types */
781 };
782 
783 typedef struct tokenstr tokenstr_t;
784 
785 int			 audit_submit(short au_event, au_id_t auid,
786 			    char status, int reterr, const char *fmt, ...);
787 
788 /*
789  * Functions relating to querying audit class information.
790  */
791 void			 setauclass(void);
792 void			 endauclass(void);
793 struct au_class_ent	*getauclassent(void);
794 struct au_class_ent	*getauclassent_r(au_class_ent_t *class_int);
795 struct au_class_ent	*getauclassnam(const char *name);
796 struct au_class_ent	*getauclassnam_r(au_class_ent_t *class_int,
797 			    const char *name);
798 struct au_class_ent	*getauclassnum(au_class_t class_number);
799 struct au_class_ent	*getauclassnum_r(au_class_ent_t *class_int,
800 			    au_class_t class_number);
801 
802 /*
803  * Functions relating to querying audit control information.
804  */
805 void			 setac(void);
806 void			 endac(void);
807 int			 getacdir(char *name, int len);
808 int			 getacdist(void);
809 int			 getacexpire(int *andflg, time_t *age, size_t *size);
810 int			 getacfilesz(size_t *size_val);
811 int			 getacqsize(int *size_val);
812 int			 getacflg(char *auditstr, int len);
813 int			 getachost(char *auditstr, size_t len);
814 int			 getacmin(int *min_val);
815 int			 getacna(char *auditstr, int len);
816 int			 getacpol(char *auditstr, size_t len);
817 int			 getauditflagsbin(char *auditstr, au_mask_t *masks);
818 int			 getauditflagschar(char *auditstr, au_mask_t *masks,
819 			    int verbose);
820 int			 au_preselect(au_event_t event, au_mask_t *mask_p,
821 			    int sorf, int flag);
822 ssize_t			 au_poltostr(int policy, size_t maxsize, char *buf);
823 int			 au_strtopol(const char *polstr, int *policy);
824 
825 /*
826  * Functions relating to querying audit event information.
827  */
828 void			 setauevent(void);
829 void			 endauevent(void);
830 struct au_event_ent	*getauevent(void);
831 struct au_event_ent	*getauevent_r(struct au_event_ent *e);
832 struct au_event_ent	*getauevnam(const char *name);
833 struct au_event_ent	*getauevnam_r(struct au_event_ent *e,
834 			    const char *name);
835 struct au_event_ent	*getauevnum(au_event_t event_number);
836 struct au_event_ent	*getauevnum_r(struct au_event_ent *e,
837 			    au_event_t event_number);
838 au_event_t		*getauevnonam(const char *event_name);
839 au_event_t		*getauevnonam_r(au_event_t *ev,
840 			    const char *event_name);
841 
842 /*
843  * Functions relating to querying audit user information.
844  */
845 void			 setauuser(void);
846 void			 endauuser(void);
847 struct au_user_ent	*getauuserent(void);
848 struct au_user_ent	*getauuserent_r(struct au_user_ent *u);
849 struct au_user_ent	*getauusernam(const char *name);
850 struct au_user_ent	*getauusernam_r(struct au_user_ent *u,
851 			    const char *name);
852 int			 au_user_mask(char *username, au_mask_t *mask_p);
853 int			 getfauditflags(au_mask_t *usremask,
854 			    au_mask_t *usrdmask, au_mask_t *lastmask);
855 
856 /*
857  * Functions for reading and printing records and tokens from audit trails.
858  */
859 int			 au_read_rec(FILE *fp, u_char **buf);
860 int			 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
861 //XXX The following interface has different prototype from BSM
862 void			 au_print_tok(FILE *outfp, tokenstr_t *tok,
863 			    char *del, char raw, char sfrm);
864 void			 au_print_flags_tok(FILE *outfp, tokenstr_t *tok,
865 			    char *del, int oflags);
866 void			 au_print_tok_xml(FILE *outfp, tokenstr_t *tok,
867 			    char *del, char raw, char sfrm);
868 
869 /*
870  * Functions relating to XML output.
871  */
872 void			 au_print_xml_header(FILE *outfp);
873 void			 au_print_xml_footer(FILE *outfp);
874 
875 const char	 *au_strerror(u_char bsm_error);
876 __END_DECLS
877 
878 /*
879  * The remaining APIs are associated with Apple's BSM implementation, in
880  * particular as relates to Mach IPC auditing and triggers passed via Mach
881  * IPC.
882  */
883 #ifdef __APPLE__
884 #include <sys/appleapiopts.h>
885 
886 /**************************************************************************
887  **************************************************************************
888  ** The following definitions, functions, etc., are NOT officially
889  ** supported: they may be changed or removed in the future.  Do not use
890  ** them unless you are prepared to cope with that eventuality.
891  **************************************************************************
892  **************************************************************************/
893 
894 #ifdef __APPLE_API_PRIVATE
895 #define	__BSM_INTERNAL_NOTIFY_KEY	"com.apple.audit.change"
896 #endif /* __APPLE_API_PRIVATE */
897 
898 /*
899  * au_get_state() return values
900  * XXX  use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
901  * AUDIT_ON are deprecated and WILL be removed.
902  */
903 #ifdef __APPLE_API_PRIVATE
904 #define	AUDIT_OFF	AUC_NOAUDIT
905 #define	AUDIT_ON	AUC_AUDITING
906 #endif /* __APPLE_API_PRIVATE */
907 #endif /* !__APPLE__ */
908 
909 /*
910  * Error return codes for audit_set_terminal_id(), audit_write() and its
911  * brethren.  We have 255 (not including kAUNoErr) to play with.
912  *
913  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
914  */
915 enum {
916 	kAUNoErr			= 0,
917 	kAUBadParamErr			= -66049,
918 	kAUStatErr,
919 	kAUSysctlErr,
920 	kAUOpenErr,
921 	kAUMakeSubjectTokErr,
922 	kAUWriteSubjectTokErr,
923 	kAUWriteCallerTokErr,
924 	kAUMakeReturnTokErr,
925 	kAUWriteReturnTokErr,
926 	kAUCloseErr,
927 	kAUMakeTextTokErr,
928 	kAULastErr
929 };
930 
931 #ifdef __APPLE__
932 /*
933  * Error return codes for au_get_state() and/or its private support
934  * functions.  These codes are designed to be compatible with the
935  * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
936  * Any changes to notify(3) may cause these values to change in future.
937  *
938  * AU_UNIMPL should never happen unless you've changed your system software
939  * without rebooting.  Shame on you.
940  */
941 #ifdef __APPLE_API_PRIVATE
942 #define	AU_UNIMPL	NOTIFY_STATUS_FAILED + 1	/* audit unimplemented */
943 #endif /* __APPLE_API_PRIVATE */
944 #endif /* !__APPLE__ */
945 
946 __BEGIN_DECLS
947 /*
948  * XXX  This prototype should be in audit_record.h
949  *
950  * au_free_token()
951  *
952  * @summary - au_free_token() deallocates a token_t created by any of
953  * the au_to_*() BSM API functions.
954  *
955  * The BSM API generally manages deallocation of token_t objects.  However,
956  * if au_write() is passed a bad audit descriptor, the token_t * parameter
957  * will be left untouched.  In that case, the caller can deallocate the
958  * token_t using au_free_token() if desired.  This is, in fact, what
959  * audit_write() does, in keeping with the existing memory management model
960  * of the BSM API.
961  *
962  * @param tok - A token_t * generated by one of the au_to_*() BSM API
963  * calls.  For convenience, tok may be NULL, in which case
964  * au_free_token() returns immediately.
965  *
966  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
967  */
968 void	au_free_token(token_t *tok);
969 
970 /*
971  * Lightweight check to determine if auditing is enabled.  If a client
972  * wants to use this to govern whether an entire series of audit calls
973  * should be made--as in the common case of a caller building a set of
974  * tokens, then writing them--it should cache the audit status in a local
975  * variable.  This call always returns the current state of auditing.
976  *
977  * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
978  * Otherwise the function can return any of the errno values defined for
979  * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
980  * the system.
981  *
982  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
983  */
984 int	au_get_state(void);
985 
986 /*
987  * Initialize the audit notification.  If it has not already been initialized
988  * it will automatically on the first call of au_get_state().
989  */
990 uint32_t	au_notify_initialize(void);
991 
992 /*
993  * Cancel audit notification and free the resources associated with it.
994  * Responsible code that no longer needs to use au_get_state() should call
995  * this.
996  */
997 int		au_notify_terminate(void);
998 __END_DECLS
999 
1000 /* OpenSSH compatibility */
1001 int	cannot_audit(int);
1002 
1003 __BEGIN_DECLS
1004 /*
1005  * audit_set_terminal_id()
1006  *
1007  * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
1008  * used in audit session initialization by processes like /usr/bin/login.
1009  *
1010  * @param tid - A pointer to an au_tid_t struct.
1011  *
1012  * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
1013  * or kAUSysctlErr if one of the underlying system calls fails (a message
1014  * is sent to the system log in those cases).
1015  *
1016  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1017  */
1018 int	audit_set_terminal_id(au_tid_t *tid);
1019 
1020 /*
1021  * BEGIN au_write() WRAPPERS
1022  *
1023  * The following calls all wrap the existing BSM API.  They use the
1024  * provided subject information, if any, to construct the subject token
1025  * required for every log message.  They use the provided return/error
1026  * value(s), if any, to construct the success/failure indication required
1027  * for every log message.  They only permit one "miscellaneous" token,
1028  * which should contain the event-specific logging information mandated by
1029  * CAPP.
1030  *
1031  * All these calls assume the caller has previously determined that
1032  * auditing is enabled by calling au_get_state().
1033  */
1034 
1035 /*
1036  * audit_write()
1037  *
1038  * @summary - audit_write() is the basis for the other audit_write_*()
1039  * calls.  Performs a basic write of an audit record (subject, additional
1040  * info, success/failure).  Note that this call only permits logging one
1041  * caller-specified token; clients needing to log more flexibly must use
1042  * the existing BSM API (au_open(), et al.) directly.
1043  *
1044  * Note on memory management: audit_write() guarantees that the token_t *s
1045  * passed to it will be deallocated whether or not the underlying write to
1046  * the audit log succeeded.  This addresses an inconsistency in the
1047  * underlying BSM API in which token_t *s are usually but not always
1048  * deallocated.
1049  *
1050  * @param event_code - The code for the event being logged.  This should
1051  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1052  *
1053  * @param subject - A token_t * generated by au_to_subject(),
1054  * au_to_subject32(), au_to_subject64(), or au_to_me().  If no subject is
1055  * required, subject should be NULL.
1056  *
1057  * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1058  * calls.  This should correspond to the additional information required by
1059  * CAPP for the event being audited.  If no additional information is
1060  * required, misctok should be NULL.
1061  *
1062  * @param retval - The return value to be logged for this event.  This
1063  * should be 0 (zero) for success, otherwise the value is event-specific.
1064  *
1065  * @param errcode - Any error code associated with the return value (e.g.,
1066  * errno or h_errno).  If there was no error, errcode should be 0 (zero).
1067  *
1068  * @return - The status of the call: 0 (zero) on success, else one of the
1069  * kAU*Err values defined above.
1070  *
1071  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1072  */
1073 int	audit_write(short event_code, token_t *subject, token_t *misctok,
1074 	    char retval, int errcode);
1075 
1076 /*
1077  * audit_write_success()
1078  *
1079  * @summary - audit_write_success() records an auditable event that did not
1080  * encounter an error.  The interface is designed to require as little
1081  * direct use of the au_to_*() API as possible.  It builds a subject token
1082  * from the information passed in and uses that to invoke audit_write().
1083  * A subject, as defined by CAPP, is a process acting on the user's behalf.
1084  *
1085  * If the subject information is the same as the current process, use
1086  * au_write_success_self().
1087  *
1088  * @param event_code - The code for the event being logged.  This should
1089  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1090  *
1091  * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1092  * calls.  This should correspond to the additional information required by
1093  * CAPP for the event being audited.  If no additional information is
1094  * required, misctok should be NULL.
1095  *
1096  * @param auid - The subject's audit ID.
1097  *
1098  * @param euid - The subject's effective user ID.
1099  *
1100  * @param egid - The subject's effective group ID.
1101  *
1102  * @param ruid - The subject's real user ID.
1103  *
1104  * @param rgid - The subject's real group ID.
1105  *
1106  * @param pid - The subject's process ID.
1107  *
1108  * @param sid - The subject's session ID.
1109  *
1110  * @param tid - The subject's terminal ID.
1111  *
1112  * @return - The status of the call: 0 (zero) on success, else one of the
1113  * kAU*Err values defined above.
1114  *
1115  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1116  */
1117 int	audit_write_success(short event_code, token_t *misctok, au_id_t auid,
1118 	    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1119 	    au_asid_t sid, au_tid_t *tid);
1120 
1121 /*
1122  * audit_write_success_self()
1123  *
1124  * @summary - Similar to audit_write_success(), but used when the subject
1125  * (process) is owned and operated by the auditable user him/herself.
1126  *
1127  * @param event_code - The code for the event being logged.  This should
1128  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1129  *
1130  * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1131  * calls.  This should correspond to the additional information required by
1132  * CAPP for the event being audited.  If no additional information is
1133  * required, misctok should be NULL.
1134  *
1135  * @return - The status of the call: 0 (zero) on success, else one of the
1136  * kAU*Err values defined above.
1137  *
1138  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1139  */
1140 int	audit_write_success_self(short event_code, token_t *misctok);
1141 
1142 /*
1143  * audit_write_failure()
1144  *
1145  * @summary - audit_write_failure() records an auditable event that
1146  * encountered an error.  The interface is designed to require as little
1147  * direct use of the au_to_*() API as possible.  It builds a subject token
1148  * from the information passed in and uses that to invoke audit_write().
1149  * A subject, as defined by CAPP, is a process acting on the user's behalf.
1150  *
1151  * If the subject information is the same as the current process, use
1152  * au_write_failure_self().
1153  *
1154  * @param event_code - The code for the event being logged.  This should
1155  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1156  *
1157  * @param errmsg - A text message providing additional information about
1158  * the event being audited.
1159  *
1160  * @param errret - A numerical value providing additional information about
1161  * the error.  This is intended to store the value of errno or h_errno if
1162  * it's relevant.  This can be 0 (zero) if no additional information is
1163  * available.
1164  *
1165  * @param auid - The subject's audit ID.
1166  *
1167  * @param euid - The subject's effective user ID.
1168  *
1169  * @param egid - The subject's effective group ID.
1170  *
1171  * @param ruid - The subject's real user ID.
1172  *
1173  * @param rgid - The subject's real group ID.
1174  *
1175  * @param pid - The subject's process ID.
1176  *
1177  * @param sid - The subject's session ID.
1178  *
1179  * @param tid - The subject's terminal ID.
1180  *
1181  * @return - The status of the call: 0 (zero) on success, else one of the
1182  * kAU*Err values defined above.
1183  *
1184  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1185  */
1186 int	audit_write_failure(short event_code, char *errmsg, int errret,
1187 	    au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1188 	    pid_t pid, au_asid_t sid, au_tid_t *tid);
1189 
1190 /*
1191  * audit_write_failure_self()
1192  *
1193  * @summary - Similar to audit_write_failure(), but used when the subject
1194  * (process) is owned and operated by the auditable user him/herself.
1195  *
1196  * @param event_code - The code for the event being logged.  This should
1197  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1198  *
1199  * @param errmsg - A text message providing additional information about
1200  * the event being audited.
1201  *
1202  * @param errret - A numerical value providing additional information about
1203  * the error.  This is intended to store the value of errno or h_errno if
1204  * it's relevant.  This can be 0 (zero) if no additional information is
1205  * available.
1206  *
1207  * @return - The status of the call: 0 (zero) on success, else one of the
1208  * kAU*Err values defined above.
1209  *
1210  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1211  */
1212 int	audit_write_failure_self(short event_code, char *errmsg, int errret);
1213 
1214 /*
1215  * audit_write_failure_na()
1216  *
1217  * @summary - audit_write_failure_na() records errors during login.  Such
1218  * errors are implicitly non-attributable (i.e., not ascribable to any user).
1219  *
1220  * @param event_code - The code for the event being logged.  This should
1221  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1222  *
1223  * @param errmsg - A text message providing additional information about
1224  * the event being audited.
1225  *
1226  * @param errret - A numerical value providing additional information about
1227  * the error.  This is intended to store the value of errno or h_errno if
1228  * it's relevant.  This can be 0 (zero) if no additional information is
1229  * available.
1230  *
1231  * @param euid - The subject's effective user ID.
1232  *
1233  * @param egid - The subject's effective group ID.
1234  *
1235  * @param pid - The subject's process ID.
1236  *
1237  * @param tid - The subject's terminal ID.
1238  *
1239  * @return - The status of the call: 0 (zero) on success, else one of the
1240  * kAU*Err values defined above.
1241  *
1242  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1243  */
1244 int	audit_write_failure_na(short event_code, char *errmsg, int errret,
1245 	    uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
1246 
1247 /* END au_write() WRAPPERS */
1248 
1249 #ifdef  __APPLE__
1250 /*
1251  * audit_token_to_au32()
1252  *
1253  * @summary - Extract information from an audit_token_t, used to identify
1254  * Mach tasks and senders of Mach messages as subjects to the audit system.
1255  * audit_tokent_to_au32() is the only method that should be used to parse
1256  * an audit_token_t, since its internal representation may change over
1257  * time.  A pointer parameter may be NULL if that information is not
1258  * needed.
1259  *
1260  * @param atoken - the audit token containing the desired information
1261  *
1262  * @param auidp - Pointer to a uid_t; on return will be set to the task or
1263  * sender's audit user ID
1264  *
1265  * @param euidp - Pointer to a uid_t; on return will be set to the task or
1266  * sender's effective user ID
1267  *
1268  * @param egidp - Pointer to a gid_t; on return will be set to the task or
1269  * sender's effective group ID
1270  *
1271  * @param ruidp - Pointer to a uid_t; on return will be set to the task or
1272  * sender's real user ID
1273  *
1274  * @param rgidp - Pointer to a gid_t; on return will be set to the task or
1275  * sender's real group ID
1276  *
1277  * @param pidp - Pointer to a pid_t; on return will be set to the task or
1278  * sender's process ID
1279  *
1280  * @param asidp - Pointer to an au_asid_t; on return will be set to the
1281  * task or sender's audit session ID
1282  *
1283  * @param tidp - Pointer to an au_tid_t; on return will be set to the task
1284  * or sender's terminal ID
1285  *
1286  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1287  */
1288 void audit_token_to_au32(
1289 	audit_token_t	 atoken,
1290 	uid_t		*auidp,
1291 	uid_t		*euidp,
1292 	gid_t		*egidp,
1293 	uid_t		*ruidp,
1294 	gid_t		*rgidp,
1295 	pid_t		*pidp,
1296 	au_asid_t	*asidp,
1297 	au_tid_t	*tidp);
1298 #endif /* !__APPLE__ */
1299 
1300 /*
1301  * Wrapper functions to auditon(2).
1302  */
1303 int audit_get_car(char *path, size_t sz);
1304 int audit_get_class(au_evclass_map_t *evc_map, size_t sz);
1305 int audit_set_class(au_evclass_map_t *evc_map, size_t sz);
1306 int audit_get_event(au_evname_map_t *evn_map, size_t sz);
1307 int audit_set_event(au_evname_map_t *evn_map, size_t sz);
1308 int audit_get_cond(int *cond);
1309 int audit_set_cond(int *cond);
1310 int audit_get_cwd(char *path, size_t sz);
1311 int audit_get_fsize(au_fstat_t *fstat, size_t sz);
1312 int audit_set_fsize(au_fstat_t *fstat, size_t sz);
1313 int audit_get_kmask(au_mask_t *kmask, size_t sz);
1314 int audit_set_kmask(au_mask_t *kmask, size_t sz);
1315 int audit_get_kaudit(auditinfo_addr_t *aia, size_t sz);
1316 int audit_set_kaudit(auditinfo_addr_t *aia, size_t sz);
1317 int audit_set_pmask(auditpinfo_t *api, size_t sz);
1318 int audit_get_pinfo(auditpinfo_t *api, size_t sz);
1319 int audit_get_pinfo_addr(auditpinfo_addr_t *apia, size_t sz);
1320 int audit_get_policy(int *policy);
1321 int audit_set_policy(int *policy);
1322 int audit_get_qctrl(au_qctrl_t *qctrl, size_t sz);
1323 int audit_set_qctrl(au_qctrl_t *qctrl, size_t sz);
1324 int audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz);
1325 int audit_get_stat(au_stat_t *stats, size_t sz);
1326 int audit_set_stat(au_stat_t *stats, size_t sz);
1327 int audit_send_trigger(int *trigger);
1328 
1329 __END_DECLS
1330 
1331 #endif /* !_LIBBSM_H_ */
1332