152267f74SRobert Watson /*- 2c0020399SRobert Watson * Copyright (c) 2005-2009 Apple Inc. 35e386598SRobert Watson * Copyright (c) 2016 Robert N. M. Watson 452267f74SRobert Watson * All rights reserved. 552267f74SRobert Watson * 65e386598SRobert Watson * Portions of this software were developed by BAE Systems, the University of 75e386598SRobert Watson * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 85e386598SRobert Watson * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 95e386598SRobert Watson * Computing (TC) research program. 105e386598SRobert Watson * 1152267f74SRobert Watson * Redistribution and use in source and binary forms, with or without 1252267f74SRobert Watson * modification, are permitted provided that the following conditions 1352267f74SRobert Watson * are met: 1452267f74SRobert Watson * 1552267f74SRobert Watson * 1. Redistributions of source code must retain the above copyright 1652267f74SRobert Watson * notice, this list of conditions and the following disclaimer. 1752267f74SRobert Watson * 2. Redistributions in binary form must reproduce the above copyright 1852267f74SRobert Watson * notice, this list of conditions and the following disclaimer in the 1952267f74SRobert Watson * documentation and/or other materials provided with the distribution. 2052267f74SRobert Watson * 3. Neither the name of Apple Inc. ("Apple") nor the names of 2152267f74SRobert Watson * its contributors may be used to endorse or promote products derived 2252267f74SRobert Watson * from this software without specific prior written permission. 2352267f74SRobert Watson * 2452267f74SRobert Watson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 2552267f74SRobert Watson * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 2652267f74SRobert Watson * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 2752267f74SRobert Watson * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 2852267f74SRobert Watson * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 2952267f74SRobert Watson * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 3052267f74SRobert Watson * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 3152267f74SRobert Watson * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 3252267f74SRobert Watson * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 3352267f74SRobert Watson * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 3452267f74SRobert Watson */ 3552267f74SRobert Watson 3652267f74SRobert Watson #ifndef _BSM_AUDIT_H 3752267f74SRobert Watson #define _BSM_AUDIT_H 3852267f74SRobert Watson 397a0a89d2SRobert Watson #include <sys/param.h> 40c0020399SRobert Watson #include <sys/types.h> 417a0a89d2SRobert Watson 4252267f74SRobert Watson #define AUDIT_RECORD_MAGIC 0x828a0f1b 4352267f74SRobert Watson #define MAX_AUDIT_RECORDS 20 4452267f74SRobert Watson #define MAXAUDITDATA (0x8000 - 1) 4552267f74SRobert Watson #define MAX_AUDIT_RECORD_SIZE MAXAUDITDATA 4652267f74SRobert Watson #define MIN_AUDIT_FILE_SIZE (512 * 1024) 4752267f74SRobert Watson 4852267f74SRobert Watson /* 49*3008333dSChristian S.J. Peron * Minimum number of free blocks on the filesystem containing the audit 507a0a89d2SRobert Watson * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0 517a0a89d2SRobert Watson * as the kernel does an unsigned compare, plus we want to leave a few blocks 527a0a89d2SRobert Watson * free so userspace can terminate the log, etc. 537a0a89d2SRobert Watson */ 547a0a89d2SRobert Watson #define AUDIT_HARD_LIMIT_FREE_BLOCKS 4 557a0a89d2SRobert Watson 567a0a89d2SRobert Watson /* 5752267f74SRobert Watson * Triggers for the audit daemon. 5852267f74SRobert Watson */ 5952267f74SRobert Watson #define AUDIT_TRIGGER_MIN 1 6052267f74SRobert Watson #define AUDIT_TRIGGER_LOW_SPACE 1 /* Below low watermark. */ 6152267f74SRobert Watson #define AUDIT_TRIGGER_ROTATE_KERNEL 2 /* Kernel requests rotate. */ 6252267f74SRobert Watson #define AUDIT_TRIGGER_READ_FILE 3 /* Re-read config file. */ 6352267f74SRobert Watson #define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */ 6452267f74SRobert Watson #define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */ 657a0a89d2SRobert Watson #define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests rotate. */ 6606edd2f1SRobert Watson #define AUDIT_TRIGGER_INITIALIZE 7 /* User initialize of auditd. */ 6706edd2f1SRobert Watson #define AUDIT_TRIGGER_EXPIRE_TRAILS 8 /* User expiration of trails. */ 6806edd2f1SRobert Watson #define AUDIT_TRIGGER_MAX 8 6952267f74SRobert Watson 7052267f74SRobert Watson /* 7152267f74SRobert Watson * The special device filename (FreeBSD). 7252267f74SRobert Watson */ 7352267f74SRobert Watson #define AUDITDEV_FILENAME "audit" 7452267f74SRobert Watson #define AUDIT_TRIGGER_FILE ("/dev/" AUDITDEV_FILENAME) 7552267f74SRobert Watson 7652267f74SRobert Watson /* 7752267f74SRobert Watson * Pre-defined audit IDs 7852267f74SRobert Watson */ 797a0a89d2SRobert Watson #define AU_DEFAUDITID (uid_t)(-1) 807a0a89d2SRobert Watson #define AU_DEFAUDITSID 0 817a0a89d2SRobert Watson #define AU_ASSIGN_ASID -1 8252267f74SRobert Watson 8352267f74SRobert Watson /* 8452267f74SRobert Watson * IPC types. 8552267f74SRobert Watson */ 8652267f74SRobert Watson #define AT_IPC_MSG ((u_char)1) /* Message IPC id. */ 8752267f74SRobert Watson #define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */ 8852267f74SRobert Watson #define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */ 8952267f74SRobert Watson 9052267f74SRobert Watson /* 9152267f74SRobert Watson * Audit conditions. 9252267f74SRobert Watson */ 9352267f74SRobert Watson #define AUC_UNSET 0 9452267f74SRobert Watson #define AUC_AUDITING 1 9552267f74SRobert Watson #define AUC_NOAUDIT 2 9652267f74SRobert Watson #define AUC_DISABLED -1 9752267f74SRobert Watson 9852267f74SRobert Watson /* 9952267f74SRobert Watson * auditon(2) commands. 10052267f74SRobert Watson */ 101c0020399SRobert Watson #define A_OLDGETPOLICY 2 102c0020399SRobert Watson #define A_OLDSETPOLICY 3 10352267f74SRobert Watson #define A_GETKMASK 4 10452267f74SRobert Watson #define A_SETKMASK 5 105c0020399SRobert Watson #define A_OLDGETQCTRL 6 106c0020399SRobert Watson #define A_OLDSETQCTRL 7 10752267f74SRobert Watson #define A_GETCWD 8 10852267f74SRobert Watson #define A_GETCAR 9 10952267f74SRobert Watson #define A_GETSTAT 12 11052267f74SRobert Watson #define A_SETSTAT 13 11152267f74SRobert Watson #define A_SETUMASK 14 11252267f74SRobert Watson #define A_SETSMASK 15 113c0020399SRobert Watson #define A_OLDGETCOND 20 114c0020399SRobert Watson #define A_OLDSETCOND 21 11552267f74SRobert Watson #define A_GETCLASS 22 11652267f74SRobert Watson #define A_SETCLASS 23 11752267f74SRobert Watson #define A_GETPINFO 24 11852267f74SRobert Watson #define A_SETPMASK 25 11952267f74SRobert Watson #define A_SETFSIZE 26 12052267f74SRobert Watson #define A_GETFSIZE 27 12152267f74SRobert Watson #define A_GETPINFO_ADDR 28 12252267f74SRobert Watson #define A_GETKAUDIT 29 12352267f74SRobert Watson #define A_SETKAUDIT 30 12452267f74SRobert Watson #define A_SENDTRIGGER 31 1257a0a89d2SRobert Watson #define A_GETSINFO_ADDR 32 126c0020399SRobert Watson #define A_GETPOLICY 33 127c0020399SRobert Watson #define A_SETPOLICY 34 128c0020399SRobert Watson #define A_GETQCTRL 35 129c0020399SRobert Watson #define A_SETQCTRL 36 130c0020399SRobert Watson #define A_GETCOND 37 131c0020399SRobert Watson #define A_SETCOND 38 1325e386598SRobert Watson #define A_GETEVENT 39 /* Get audit event-to-name mapping. */ 1335e386598SRobert Watson #define A_SETEVENT 40 /* Set audit event-to-name mapping. */ 13452267f74SRobert Watson 13552267f74SRobert Watson /* 13652267f74SRobert Watson * Audit policy controls. 13752267f74SRobert Watson */ 13852267f74SRobert Watson #define AUDIT_CNT 0x0001 13952267f74SRobert Watson #define AUDIT_AHLT 0x0002 14052267f74SRobert Watson #define AUDIT_ARGV 0x0004 14152267f74SRobert Watson #define AUDIT_ARGE 0x0008 14252267f74SRobert Watson #define AUDIT_SEQ 0x0010 14352267f74SRobert Watson #define AUDIT_WINDATA 0x0020 14452267f74SRobert Watson #define AUDIT_USER 0x0040 14552267f74SRobert Watson #define AUDIT_GROUP 0x0080 14652267f74SRobert Watson #define AUDIT_TRAIL 0x0100 14752267f74SRobert Watson #define AUDIT_PATH 0x0200 14852267f74SRobert Watson #define AUDIT_SCNT 0x0400 14952267f74SRobert Watson #define AUDIT_PUBLIC 0x0800 15052267f74SRobert Watson #define AUDIT_ZONENAME 0x1000 15152267f74SRobert Watson #define AUDIT_PERZONE 0x2000 15252267f74SRobert Watson 15352267f74SRobert Watson /* 15452267f74SRobert Watson * Default audit queue control parameters. 15552267f74SRobert Watson */ 15652267f74SRobert Watson #define AQ_HIWATER 100 15752267f74SRobert Watson #define AQ_MAXHIGH 10000 15852267f74SRobert Watson #define AQ_LOWATER 10 15952267f74SRobert Watson #define AQ_BUFSZ MAXAUDITDATA 16052267f74SRobert Watson #define AQ_MAXBUFSZ 1048576 16152267f74SRobert Watson 16252267f74SRobert Watson /* 16352267f74SRobert Watson * Default minimum percentage free space on file system. 16452267f74SRobert Watson */ 16552267f74SRobert Watson #define AU_FS_MINFREE 20 16652267f74SRobert Watson 16752267f74SRobert Watson /* 16852267f74SRobert Watson * Type definitions used indicating the length of variable length addresses 16952267f74SRobert Watson * in tokens containing addresses, such as header fields. 17052267f74SRobert Watson */ 17152267f74SRobert Watson #define AU_IPv4 4 17252267f74SRobert Watson #define AU_IPv6 16 17352267f74SRobert Watson 17452267f74SRobert Watson __BEGIN_DECLS 17552267f74SRobert Watson 17652267f74SRobert Watson typedef uid_t au_id_t; 17752267f74SRobert Watson typedef pid_t au_asid_t; 17852267f74SRobert Watson typedef u_int16_t au_event_t; 17952267f74SRobert Watson typedef u_int16_t au_emod_t; 18052267f74SRobert Watson typedef u_int32_t au_class_t; 181597df30eSRobert Watson typedef u_int64_t au_asflgs_t __attribute__ ((aligned (8))); 18252267f74SRobert Watson 18352267f74SRobert Watson struct au_tid { 18452267f74SRobert Watson dev_t port; 18552267f74SRobert Watson u_int32_t machine; 18652267f74SRobert Watson }; 18752267f74SRobert Watson typedef struct au_tid au_tid_t; 18852267f74SRobert Watson 18952267f74SRobert Watson struct au_tid_addr { 19052267f74SRobert Watson dev_t at_port; 19152267f74SRobert Watson u_int32_t at_type; 19252267f74SRobert Watson u_int32_t at_addr[4]; 19352267f74SRobert Watson }; 19452267f74SRobert Watson typedef struct au_tid_addr au_tid_addr_t; 19552267f74SRobert Watson 19652267f74SRobert Watson struct au_mask { 19752267f74SRobert Watson unsigned int am_success; /* Success bits. */ 19852267f74SRobert Watson unsigned int am_failure; /* Failure bits. */ 19952267f74SRobert Watson }; 20052267f74SRobert Watson typedef struct au_mask au_mask_t; 20152267f74SRobert Watson 20252267f74SRobert Watson struct auditinfo { 20352267f74SRobert Watson au_id_t ai_auid; /* Audit user ID. */ 20452267f74SRobert Watson au_mask_t ai_mask; /* Audit masks. */ 20552267f74SRobert Watson au_tid_t ai_termid; /* Terminal ID. */ 20652267f74SRobert Watson au_asid_t ai_asid; /* Audit session ID. */ 20752267f74SRobert Watson }; 20852267f74SRobert Watson typedef struct auditinfo auditinfo_t; 20952267f74SRobert Watson 21052267f74SRobert Watson struct auditinfo_addr { 21152267f74SRobert Watson au_id_t ai_auid; /* Audit user ID. */ 21252267f74SRobert Watson au_mask_t ai_mask; /* Audit masks. */ 21352267f74SRobert Watson au_tid_addr_t ai_termid; /* Terminal ID. */ 21452267f74SRobert Watson au_asid_t ai_asid; /* Audit session ID. */ 215597df30eSRobert Watson au_asflgs_t ai_flags; /* Audit session flags. */ 21652267f74SRobert Watson }; 21752267f74SRobert Watson typedef struct auditinfo_addr auditinfo_addr_t; 21852267f74SRobert Watson 21952267f74SRobert Watson struct auditpinfo { 22052267f74SRobert Watson pid_t ap_pid; /* ID of target process. */ 22152267f74SRobert Watson au_id_t ap_auid; /* Audit user ID. */ 22252267f74SRobert Watson au_mask_t ap_mask; /* Audit masks. */ 22352267f74SRobert Watson au_tid_t ap_termid; /* Terminal ID. */ 22452267f74SRobert Watson au_asid_t ap_asid; /* Audit session ID. */ 22552267f74SRobert Watson }; 22652267f74SRobert Watson typedef struct auditpinfo auditpinfo_t; 22752267f74SRobert Watson 22852267f74SRobert Watson struct auditpinfo_addr { 22952267f74SRobert Watson pid_t ap_pid; /* ID of target process. */ 23052267f74SRobert Watson au_id_t ap_auid; /* Audit user ID. */ 23152267f74SRobert Watson au_mask_t ap_mask; /* Audit masks. */ 23252267f74SRobert Watson au_tid_addr_t ap_termid; /* Terminal ID. */ 23352267f74SRobert Watson au_asid_t ap_asid; /* Audit session ID. */ 234597df30eSRobert Watson au_asflgs_t ap_flags; /* Audit session flags. */ 23552267f74SRobert Watson }; 23652267f74SRobert Watson typedef struct auditpinfo_addr auditpinfo_addr_t; 23752267f74SRobert Watson 2387a0a89d2SRobert Watson struct au_session { 2397a0a89d2SRobert Watson auditinfo_addr_t *as_aia_p; /* Ptr to full audit info. */ 2407a0a89d2SRobert Watson au_mask_t as_mask; /* Process Audit Masks. */ 2417a0a89d2SRobert Watson }; 2427a0a89d2SRobert Watson typedef struct au_session au_session_t; 2437a0a89d2SRobert Watson 24452267f74SRobert Watson /* 24552267f74SRobert Watson * Contents of token_t are opaque outside of libbsm. 24652267f74SRobert Watson */ 24752267f74SRobert Watson typedef struct au_token token_t; 24852267f74SRobert Watson 24952267f74SRobert Watson /* 250c0020399SRobert Watson * Kernel audit queue control parameters: 251c0020399SRobert Watson * Default: Maximum: 252c0020399SRobert Watson * aq_hiwater: AQ_HIWATER (100) AQ_MAXHIGH (10000) 253c0020399SRobert Watson * aq_lowater: AQ_LOWATER (10) <aq_hiwater 254c0020399SRobert Watson * aq_bufsz: AQ_BUFSZ (32767) AQ_MAXBUFSZ (1048576) 255c0020399SRobert Watson * aq_delay: 20 20000 (not used) 25652267f74SRobert Watson */ 25752267f74SRobert Watson struct au_qctrl { 258c0020399SRobert Watson int aq_hiwater; /* Max # of audit recs in queue when */ 259c0020399SRobert Watson /* threads with new ARs get blocked. */ 260c0020399SRobert Watson 261c0020399SRobert Watson int aq_lowater; /* # of audit recs in queue when */ 262c0020399SRobert Watson /* blocked threads get unblocked. */ 263c0020399SRobert Watson 264c0020399SRobert Watson int aq_bufsz; /* Max size of audit record for audit(2). */ 265c0020399SRobert Watson int aq_delay; /* Queue delay (not used). */ 26652267f74SRobert Watson int aq_minfree; /* Minimum filesystem percent free space. */ 26752267f74SRobert Watson }; 26852267f74SRobert Watson typedef struct au_qctrl au_qctrl_t; 26952267f74SRobert Watson 27052267f74SRobert Watson /* 27152267f74SRobert Watson * Structure for the audit statistics. 27252267f74SRobert Watson */ 27352267f74SRobert Watson struct audit_stat { 27452267f74SRobert Watson unsigned int as_version; 27552267f74SRobert Watson unsigned int as_numevent; 27652267f74SRobert Watson int as_generated; 27752267f74SRobert Watson int as_nonattrib; 27852267f74SRobert Watson int as_kernel; 27952267f74SRobert Watson int as_audit; 28052267f74SRobert Watson int as_auditctl; 28152267f74SRobert Watson int as_enqueue; 28252267f74SRobert Watson int as_written; 28352267f74SRobert Watson int as_wblocked; 28452267f74SRobert Watson int as_rblocked; 28552267f74SRobert Watson int as_dropped; 28652267f74SRobert Watson int as_totalsize; 28752267f74SRobert Watson unsigned int as_memused; 28852267f74SRobert Watson }; 28952267f74SRobert Watson typedef struct audit_stat au_stat_t; 29052267f74SRobert Watson 29152267f74SRobert Watson /* 29252267f74SRobert Watson * Structure for the audit file statistics. 29352267f74SRobert Watson */ 29452267f74SRobert Watson struct audit_fstat { 295c74c7b73SRobert Watson u_int64_t af_filesz; 296c74c7b73SRobert Watson u_int64_t af_currsz; 29752267f74SRobert Watson }; 29852267f74SRobert Watson typedef struct audit_fstat au_fstat_t; 29952267f74SRobert Watson 30052267f74SRobert Watson /* 30152267f74SRobert Watson * Audit to event class mapping. 30252267f74SRobert Watson */ 30352267f74SRobert Watson struct au_evclass_map { 30452267f74SRobert Watson au_event_t ec_number; 30552267f74SRobert Watson au_class_t ec_class; 30652267f74SRobert Watson }; 30752267f74SRobert Watson typedef struct au_evclass_map au_evclass_map_t; 30852267f74SRobert Watson 30952267f74SRobert Watson /* 3105e386598SRobert Watson * Event-to-name mapping. 3115e386598SRobert Watson */ 3125e386598SRobert Watson #define EVNAMEMAP_NAME_SIZE 64 3135e386598SRobert Watson struct au_evname_map { 3145e386598SRobert Watson au_event_t en_number; 3155e386598SRobert Watson char en_name[EVNAMEMAP_NAME_SIZE]; 3165e386598SRobert Watson }; 3175e386598SRobert Watson typedef struct au_evname_map au_evname_map_t; 3185e386598SRobert Watson 3195e386598SRobert Watson /* 32052267f74SRobert Watson * Audit system calls. 32152267f74SRobert Watson */ 32252267f74SRobert Watson #if !defined(_KERNEL) && !defined(KERNEL) 32352267f74SRobert Watson int audit(const void *, int); 32452267f74SRobert Watson int auditon(int, void *, int); 32552267f74SRobert Watson int auditctl(const char *); 32652267f74SRobert Watson int getauid(au_id_t *); 32752267f74SRobert Watson int setauid(const au_id_t *); 32852267f74SRobert Watson int getaudit(struct auditinfo *); 32952267f74SRobert Watson int setaudit(const struct auditinfo *); 33052267f74SRobert Watson int getaudit_addr(struct auditinfo_addr *, int); 33152267f74SRobert Watson int setaudit_addr(const struct auditinfo_addr *, int); 332c0020399SRobert Watson 333c0020399SRobert Watson #ifdef __APPLE_API_PRIVATE 334c0020399SRobert Watson #include <mach/port.h> 335c0020399SRobert Watson mach_port_name_t audit_session_self(void); 336c0020399SRobert Watson au_asid_t audit_session_join(mach_port_name_t port); 337c0020399SRobert Watson #endif /* __APPLE_API_PRIVATE */ 338c0020399SRobert Watson 33952267f74SRobert Watson #endif /* defined(_KERNEL) || defined(KERNEL) */ 34052267f74SRobert Watson 34152267f74SRobert Watson __END_DECLS 34252267f74SRobert Watson 34352267f74SRobert Watson #endif /* !_BSM_AUDIT_H */ 344