xref: /freebsd/sys/security/audit/audit.h (revision d3d381b2b194b4d24853e92eecef55f262688d1a)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 1999-2005 Apple Inc.
5  * Copyright (c) 2016-2017 Robert N. M. Watson
6  * All rights reserved.
7  *
8  * This software was developed by BAE Systems, the University of Cambridge
9  * Computer Laboratory, and Memorial University under DARPA/AFRL contract
10  * FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing
11  * (TC) research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1.  Redistributions of source code must retain the above copyright
17  *     notice, this list of conditions and the following disclaimer.
18  * 2.  Redistributions in binary form must reproduce the above copyright
19  *     notice, this list of conditions and the following disclaimer in the
20  *     documentation and/or other materials provided with the distribution.
21  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
22  *     its contributors may be used to endorse or promote products derived
23  *     from this software without specific prior written permission.
24  *
25  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
29  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
33  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
34  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35  * POSSIBILITY OF SUCH DAMAGE.
36  *
37  * $FreeBSD$
38  */
39 
40 /*
41  * This header includes function prototypes and type definitions that are
42  * necessary for the kernel as a whole to interact with the audit subsystem.
43  */
44 
45 #ifndef _SECURITY_AUDIT_KERNEL_H_
46 #define	_SECURITY_AUDIT_KERNEL_H_
47 
48 #ifndef _KERNEL
49 #error "no user-serviceable parts inside"
50 #endif
51 
52 #include <bsm/audit.h>
53 
54 #include <sys/file.h>
55 #include <sys/sysctl.h>
56 
57 /*
58  * Audit subsystem condition flags.  The audit_enabled flag is set and
59  * removed automatically as a result of configuring log files, and can be
60  * observed but should not be directly manipulated.  The audit suspension
61  * flag permits audit to be temporarily disabled without reconfiguring the
62  * audit target.
63  */
64 extern int	audit_enabled;
65 extern int	audit_suspended;
66 
67 void	 audit_syscall_enter(unsigned short code, struct thread *td);
68 void	 audit_syscall_exit(int error, struct thread *td);
69 
70 /*
71  * The remaining kernel functions are conditionally compiled in as they are
72  * wrapped by a macro, and the macro should be the only place in the source
73  * tree where these functions are referenced.
74  */
75 #ifdef AUDIT
76 struct ipc_perm;
77 struct sockaddr;
78 union auditon_udata;
79 void	 audit_arg_addr(void * addr);
80 void	 audit_arg_exit(int status, int retval);
81 void	 audit_arg_len(int len);
82 void	 audit_arg_atfd1(int atfd);
83 void	 audit_arg_atfd2(int atfd);
84 void	 audit_arg_fd(int fd);
85 void	 audit_arg_fflags(int fflags);
86 void	 audit_arg_gid(gid_t gid);
87 void	 audit_arg_uid(uid_t uid);
88 void	 audit_arg_egid(gid_t egid);
89 void	 audit_arg_euid(uid_t euid);
90 void	 audit_arg_rgid(gid_t rgid);
91 void	 audit_arg_ruid(uid_t ruid);
92 void	 audit_arg_sgid(gid_t sgid);
93 void	 audit_arg_suid(uid_t suid);
94 void	 audit_arg_groupset(gid_t *gidset, u_int gidset_size);
95 void	 audit_arg_login(char *login);
96 void	 audit_arg_ctlname(int *name, int namelen);
97 void	 audit_arg_mask(int mask);
98 void	 audit_arg_mode(mode_t mode);
99 void	 audit_arg_dev(int dev);
100 void	 audit_arg_value(long value);
101 void	 audit_arg_owner(uid_t uid, gid_t gid);
102 void	 audit_arg_pid(pid_t pid);
103 void	 audit_arg_process(struct proc *p);
104 void	 audit_arg_signum(u_int signum);
105 void	 audit_arg_socket(int sodomain, int sotype, int soprotocol);
106 void	 audit_arg_sockaddr(struct thread *td, int dirfd, struct sockaddr *sa);
107 void	 audit_arg_auid(uid_t auid);
108 void	 audit_arg_auditinfo(struct auditinfo *au_info);
109 void	 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info);
110 void	 audit_arg_upath1(struct thread *td, int dirfd, char *upath);
111 void	 audit_arg_upath1_canon(char *upath);
112 void	 audit_arg_upath2(struct thread *td, int dirfd, char *upath);
113 void	 audit_arg_upath2_canon(char *upath);
114 void	 audit_arg_vnode1(struct vnode *vp);
115 void	 audit_arg_vnode2(struct vnode *vp);
116 void	 audit_arg_text(char *text);
117 void	 audit_arg_cmd(int cmd);
118 void	 audit_arg_svipc_cmd(int cmd);
119 void	 audit_arg_svipc_perm(struct ipc_perm *perm);
120 void	 audit_arg_svipc_id(int id);
121 void	 audit_arg_svipc_addr(void *addr);
122 void	 audit_arg_svipc_which(int which);
123 void	 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode);
124 void	 audit_arg_auditon(union auditon_udata *udata);
125 void	 audit_arg_file(struct proc *p, struct file *fp);
126 void	 audit_arg_argv(char *argv, int argc, int length);
127 void	 audit_arg_envv(char *envv, int envc, int length);
128 void	 audit_arg_rights(cap_rights_t *rightsp);
129 void	 audit_arg_fcntl_rights(uint32_t fcntlrights);
130 void	 audit_sysclose(struct thread *td, int fd);
131 void	 audit_cred_copy(struct ucred *src, struct ucred *dest);
132 void	 audit_cred_destroy(struct ucred *cred);
133 void	 audit_cred_init(struct ucred *cred);
134 void	 audit_cred_kproc0(struct ucred *cred);
135 void	 audit_cred_proc1(struct ucred *cred);
136 void	 audit_proc_coredump(struct thread *td, char *path, int errcode);
137 void	 audit_thread_alloc(struct thread *td);
138 void	 audit_thread_free(struct thread *td);
139 
140 /*
141  * Define macros to wrap the audit_arg_* calls by checking the global
142  * audit_enabled flag before performing the actual call.
143  */
144 #define	AUDITING_TD(td)		((td)->td_pflags & TDP_AUDITREC)
145 
146 #define	AUDIT_ARG_ADDR(addr) do {					\
147 	if (AUDITING_TD(curthread))					\
148 		audit_arg_addr((addr));					\
149 } while (0)
150 
151 #define	AUDIT_ARG_ARGV(argv, argc, length) do {				\
152 	if (AUDITING_TD(curthread))					\
153 		audit_arg_argv((argv), (argc), (length));		\
154 } while (0)
155 
156 #define	AUDIT_ARG_ATFD1(atfd) do {					\
157 	if (AUDITING_TD(curthread))					\
158 		audit_arg_atfd1((atfd));				\
159 } while (0)
160 
161 #define	AUDIT_ARG_ATFD2(atfd) do {					\
162 	if (AUDITING_TD(curthread))					\
163 		audit_arg_atfd2((atfd));				\
164 } while (0)
165 
166 #define	AUDIT_ARG_AUDITON(udata) do {					\
167 	if (AUDITING_TD(curthread))					\
168 		audit_arg_auditon((udata));				\
169 } while (0)
170 
171 #define	AUDIT_ARG_CMD(cmd) do {						\
172 	if (AUDITING_TD(curthread))					\
173 		audit_arg_cmd((cmd));					\
174 } while (0)
175 
176 #define	AUDIT_ARG_DEV(dev) do {						\
177 	if (AUDITING_TD(curthread))					\
178 		audit_arg_dev((dev));					\
179 } while (0)
180 
181 #define	AUDIT_ARG_EGID(egid) do {					\
182 	if (AUDITING_TD(curthread))					\
183 		audit_arg_egid((egid));					\
184 } while (0)
185 
186 #define	AUDIT_ARG_ENVV(envv, envc, length) do {				\
187 	if (AUDITING_TD(curthread))					\
188 		audit_arg_envv((envv), (envc), (length));		\
189 } while (0)
190 
191 #define	AUDIT_ARG_EXIT(status, retval) do {				\
192 	if (AUDITING_TD(curthread))					\
193 		audit_arg_exit((status), (retval));			\
194 } while (0)
195 
196 #define	AUDIT_ARG_EUID(euid) do {					\
197 	if (AUDITING_TD(curthread))					\
198 		audit_arg_euid((euid));					\
199 } while (0)
200 
201 #define	AUDIT_ARG_FD(fd) do {						\
202 	if (AUDITING_TD(curthread))					\
203 		audit_arg_fd((fd));					\
204 } while (0)
205 
206 #define	AUDIT_ARG_FILE(p, fp) do {					\
207 	if (AUDITING_TD(curthread))					\
208 		audit_arg_file((p), (fp));				\
209 } while (0)
210 
211 #define	AUDIT_ARG_FFLAGS(fflags) do {					\
212 	if (AUDITING_TD(curthread))					\
213 		audit_arg_fflags((fflags));				\
214 } while (0)
215 
216 #define	AUDIT_ARG_GID(gid) do {						\
217 	if (AUDITING_TD(curthread))					\
218 		audit_arg_gid((gid));					\
219 } while (0)
220 
221 #define	AUDIT_ARG_GROUPSET(gidset, gidset_size) do {			\
222 	if (AUDITING_TD(curthread))					\
223 		audit_arg_groupset((gidset), (gidset_size));		\
224 } while (0)
225 
226 #define	AUDIT_ARG_LOGIN(login) do {					\
227 	if (AUDITING_TD(curthread))					\
228 		audit_arg_login((login));				\
229 } while (0)
230 
231 #define	AUDIT_ARG_MODE(mode) do {					\
232 	if (AUDITING_TD(curthread))					\
233 		audit_arg_mode((mode));					\
234 } while (0)
235 
236 #define	AUDIT_ARG_OWNER(uid, gid) do {					\
237 	if (AUDITING_TD(curthread))					\
238 		audit_arg_owner((uid), (gid));				\
239 } while (0)
240 
241 #define	AUDIT_ARG_PID(pid) do {						\
242 	if (AUDITING_TD(curthread))					\
243 		audit_arg_pid((pid));					\
244 } while (0)
245 
246 #define	AUDIT_ARG_POSIX_IPC_PERM(uid, gid, mode) do {			\
247 	if (AUDITING_TD(curthread))					\
248 		audit_arg_posix_ipc_perm((uid), (gid), (mod));		\
249 } while (0)
250 
251 #define	AUDIT_ARG_PROCESS(p) do {					\
252 	if (AUDITING_TD(curthread))					\
253 		audit_arg_process((p));					\
254 } while (0)
255 
256 #define	AUDIT_ARG_RGID(rgid) do {					\
257 	if (AUDITING_TD(curthread))					\
258 		audit_arg_rgid((rgid));					\
259 } while (0)
260 
261 #define	AUDIT_ARG_RIGHTS(rights) do {					\
262 	if (AUDITING_TD(curthread))					\
263 		audit_arg_rights((rights));				\
264 } while (0)
265 
266 #define	AUDIT_ARG_FCNTL_RIGHTS(fcntlrights) do {			\
267 	if (AUDITING_TD(curthread))					\
268 		audit_arg_fcntl_rights((fcntlrights));			\
269 } while (0)
270 
271 #define	AUDIT_ARG_RUID(ruid) do {					\
272 	if (AUDITING_TD(curthread))					\
273 		audit_arg_ruid((ruid));					\
274 } while (0)
275 
276 #define	AUDIT_ARG_SIGNUM(signum) do {					\
277 	if (AUDITING_TD(curthread))					\
278 		audit_arg_signum((signum));				\
279 } while (0)
280 
281 #define	AUDIT_ARG_SGID(sgid) do {					\
282 	if (AUDITING_TD(curthread))					\
283 		audit_arg_sgid((sgid));					\
284 } while (0)
285 
286 #define	AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol) do {		\
287 	if (AUDITING_TD(curthread))					\
288 		audit_arg_socket((sodomain), (sotype), (soprotocol));	\
289 } while (0)
290 
291 #define	AUDIT_ARG_SOCKADDR(td, dirfd, sa) do {				\
292 	if (AUDITING_TD(curthread))					\
293 		audit_arg_sockaddr((td), (dirfd), (sa));		\
294 } while (0)
295 
296 #define	AUDIT_ARG_SUID(suid) do {					\
297 	if (AUDITING_TD(curthread))					\
298 		audit_arg_suid((suid));					\
299 } while (0)
300 
301 #define	AUDIT_ARG_SVIPC_CMD(cmd) do {					\
302 	if (AUDITING_TD(curthread))					\
303 		audit_arg_svipc_cmd((cmd));				\
304 } while (0)
305 
306 #define	AUDIT_ARG_SVIPC_PERM(perm) do {					\
307 	if (AUDITING_TD(curthread))					\
308 		audit_arg_svipc_perm((perm));				\
309 } while (0)
310 
311 #define	AUDIT_ARG_SVIPC_ID(id) do {					\
312 	if (AUDITING_TD(curthread))					\
313 		audit_arg_svipc_id((id));				\
314 } while (0)
315 
316 #define	AUDIT_ARG_SVIPC_ADDR(addr) do {					\
317 	if (AUDITING_TD(curthread))					\
318 		audit_arg_svipc_addr((addr));				\
319 } while (0)
320 
321 #define	AUDIT_ARG_SVIPC_WHICH(which) do {				\
322 	if (AUDITING_TD(curthread))					\
323 		audit_arg_svipc_which((which));				\
324 } while (0)
325 
326 #define	AUDIT_ARG_TEXT(text) do {					\
327 	if (AUDITING_TD(curthread))					\
328 		audit_arg_text((text));					\
329 } while (0)
330 
331 #define	AUDIT_ARG_UID(uid) do {						\
332 	if (AUDITING_TD(curthread))					\
333 		audit_arg_uid((uid));					\
334 } while (0)
335 
336 #define	AUDIT_ARG_UPATH1(td, dirfd, upath) do {				\
337 	if (AUDITING_TD(curthread))					\
338 		audit_arg_upath1((td), (dirfd), (upath));		\
339 } while (0)
340 
341 #define	AUDIT_ARG_UPATH1_CANON(upath) do {				\
342 	if (AUDITING_TD(curthread))					\
343 		audit_arg_upath1_canon((upath));			\
344 } while (0)
345 
346 #define	AUDIT_ARG_UPATH2(td, dirfd, upath) do {				\
347 	if (AUDITING_TD(curthread))					\
348 		audit_arg_upath2((td), (dirfd), (upath));		\
349 } while (0)
350 
351 #define	AUDIT_ARG_UPATH2_CANON(upath) do {				\
352 	if (AUDITING_TD(curthread))					\
353 		audit_arg_upath2_canon((upath));			\
354 } while (0)
355 
356 #define	AUDIT_ARG_VALUE(value) do {					\
357 	if (AUDITING_TD(curthread))					\
358 		audit_arg_value((value));				\
359 } while (0)
360 
361 #define	AUDIT_ARG_VNODE1(vp) do {					\
362 	if (AUDITING_TD(curthread))					\
363 		audit_arg_vnode1((vp));					\
364 } while (0)
365 
366 #define	AUDIT_ARG_VNODE2(vp) do {					\
367 	if (AUDITING_TD(curthread))					\
368 		audit_arg_vnode2((vp));					\
369 } while (0)
370 
371 #define	AUDIT_SYSCALL_ENTER(code, td)	do {				\
372 	if (audit_enabled) {						\
373 		audit_syscall_enter(code, td);				\
374 	}								\
375 } while (0)
376 
377 /*
378  * Wrap the audit_syscall_exit() function so that it is called only when
379  * we have a audit record on the thread.  Audit records can persist after
380  * auditing is disabled, so we don't just check audit_enabled here.
381  */
382 #define	AUDIT_SYSCALL_EXIT(error, td)	do {				\
383 	if (td->td_pflags & TDP_AUDITREC)				\
384 		audit_syscall_exit(error, td);				\
385 } while (0)
386 
387 /*
388  * A Macro to wrap the audit_sysclose() function.
389  */
390 #define	AUDIT_SYSCLOSE(td, fd)	do {					\
391 	if (td->td_pflags & TDP_AUDITREC)				\
392 		audit_sysclose(td, fd);					\
393 } while (0)
394 
395 #else /* !AUDIT */
396 
397 #define	AUDIT_ARG_ADDR(addr)
398 #define	AUDIT_ARG_ARGV(argv, argc, length)
399 #define	AUDIT_ARG_ATFD1(atfd)
400 #define	AUDIT_ARG_ATFD2(atfd)
401 #define	AUDIT_ARG_AUDITON(udata)
402 #define	AUDIT_ARG_CMD(cmd)
403 #define	AUDIT_ARG_DEV(dev)
404 #define	AUDIT_ARG_EGID(egid)
405 #define	AUDIT_ARG_ENVV(envv, envc, length)
406 #define	AUDIT_ARG_EXIT(status, retval)
407 #define	AUDIT_ARG_EUID(euid)
408 #define	AUDIT_ARG_FD(fd)
409 #define	AUDIT_ARG_FILE(p, fp)
410 #define	AUDIT_ARG_FFLAGS(fflags)
411 #define	AUDIT_ARG_GID(gid)
412 #define	AUDIT_ARG_GROUPSET(gidset, gidset_size)
413 #define	AUDIT_ARG_LOGIN(login)
414 #define	AUDIT_ARG_MODE(mode)
415 #define	AUDIT_ARG_OWNER(uid, gid)
416 #define	AUDIT_ARG_PID(pid)
417 #define	AUDIT_ARG_POSIX_IPC_PERM(uid, gid, mode)
418 #define	AUDIT_ARG_PROCESS(p)
419 #define	AUDIT_ARG_RGID(rgid)
420 #define	AUDIT_ARG_RIGHTS(rights)
421 #define	AUDIT_ARG_FCNTL_RIGHTS(fcntlrights)
422 #define	AUDIT_ARG_RUID(ruid)
423 #define	AUDIT_ARG_SIGNUM(signum)
424 #define	AUDIT_ARG_SGID(sgid)
425 #define	AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol)
426 #define	AUDIT_ARG_SOCKADDR(td, dirfd, sa)
427 #define	AUDIT_ARG_SUID(suid)
428 #define	AUDIT_ARG_SVIPC_CMD(cmd)
429 #define	AUDIT_ARG_SVIPC_PERM(perm)
430 #define	AUDIT_ARG_SVIPC_ID(id)
431 #define	AUDIT_ARG_SVIPC_ADDR(addr)
432 #define	AUDIT_ARG_SVIPC_WHICH(which)
433 #define	AUDIT_ARG_TEXT(text)
434 #define	AUDIT_ARG_UID(uid)
435 #define	AUDIT_ARG_UPATH1(td, dirfd, upath)
436 #define	AUDIT_ARG_UPATH1_CANON(upath)
437 #define	AUDIT_ARG_UPATH2(td, dirfd, upath)
438 #define	AUDIT_ARG_UPATH2_CANON(upath)
439 #define	AUDIT_ARG_VALUE(value)
440 #define	AUDIT_ARG_VNODE1(vp)
441 #define	AUDIT_ARG_VNODE2(vp)
442 
443 #define	AUDIT_SYSCALL_ENTER(code, td)
444 #define	AUDIT_SYSCALL_EXIT(error, td)
445 
446 #define	AUDIT_SYSCLOSE(p, fd)
447 
448 #endif /* AUDIT */
449 
450 #endif /* !_SECURITY_AUDIT_KERNEL_H_ */
451