xref: /illumos-gate/usr/src/uts/common/c2/audit.h (revision 2aeafac3612e19716bf8164f89c3c9196342979c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 /*
26  * This file contains the declarations of the various data structures
27  * used by the auditing module(s).
28  */
29 
30 #ifndef	_BSM_AUDIT_H
31 #define	_BSM_AUDIT_H
32 
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36 
37 
38 #include <sys/shm.h>	/* for shmid_ds structure */
39 #include <sys/sem.h>	/* for semid_ds structure */
40 #include <sys/msg.h>	/* for msqid_ds structure */
41 #include <sys/atomic.h>	/* using atomics */
42 #include <sys/secflags.h>
43 
44 /*
45  * Audit conditions, statements reguarding what's to be done with
46  * audit records.  None of the "global state" is returned by an
47  * auditconfig -getcond call.  AUC_NOSPACE no longer seems used.
48  */
49 /* global state */
50 #define	AUC_UNSET	0	/* on/off hasn't been decided */
51 #define	AUC_ENABLED	1	/* loaded and enabled */
52 /* pseudo state used in libbsm */
53 #define	AUC_DISABLED	0x100	/* c2audit module is excluded */
54 /* local zone state */
55 #define	AUC_AUDITING	0x1	/* audit daemon is active */
56 #define	AUC_NOAUDIT	0x2	/* audit daemon is not active */
57 #define	AUC_INIT_AUDIT	0x4	/* audit ready but auditd has not run */
58 #define	AUC_NOSPACE	0x8	/* audit enabled, no space for audit records */
59 
60 /*
61  * The user id -2 is never audited - in fact, a setauid(AU_NOAUDITID)
62  * will turn off auditing.
63  */
64 #define	AU_NOAUDITID	((au_id_t)-2)
65 
66 /*
67  * success/failure bits for asynchronous events
68  */
69 
70 #define	AUM_SUCC	1	/* use the system success preselection mask */
71 #define	AUM_FAIL	2	/* use the system failure preselection mask */
72 
73 
74 /*
75  * Defines for event modifier field
76  */
77 #define	PAD_READ	0x0001		/* object read */
78 #define	PAD_WRITE	0x0002		/* object write */
79 #define	PAD_NONATTR	0x4000		/* non-attributable event */
80 #define	PAD_FAILURE	0x8000		/* fail audit event */
81 #define	PAD_SPRIVUSE	0x0080		/* successfully used privileged */
82 #define	PAD_FPRIVUSE	0x0100		/* failed use of privileged */
83 
84 /*
85  * Some typedefs for the fundamentals
86  */
87 typedef uint_t au_asid_t;
88 typedef uint_t  au_class_t;
89 typedef ushort_t au_event_t;
90 typedef ushort_t au_emod_t;
91 typedef uid_t au_id_t;
92 
93 /*
94  * An audit event mask.
95  */
96 #define	AU_MASK_ALL	0xFFFFFFFF	/* all bits on for unsigned int */
97 #define	AU_MASK_NONE	0x0		/* all bits off = no:invalid class */
98 
99 struct au_mask {
100 	unsigned int	am_success;	/* success bits */
101 	unsigned int	am_failure;	/* failure bits */
102 };
103 typedef struct au_mask au_mask_t;
104 #define	as_success am_success
105 #define	as_failure am_failure
106 
107 /*
108  * The structure of the terminal ID (ipv4)
109  */
110 struct au_tid {
111 	dev_t port;
112 	uint_t machine;
113 };
114 
115 #if defined(_SYSCALL32)
116 struct au_tid32 {
117 	uint_t port;
118 	uint_t machine;
119 };
120 
121 typedef struct au_tid32 au_tid32_t;
122 #endif
123 
124 typedef struct au_tid au_tid_t;
125 
126 /*
127  * The structure of the terminal ID (ipv6)
128  */
129 struct au_tid_addr {
130 	dev_t  at_port;
131 	uint_t at_type;
132 	uint_t at_addr[4];
133 };
134 
135 struct au_port_s {
136 	uint32_t at_major;	/* major # */
137 	uint32_t at_minor;	/* minor # */
138 };
139 typedef struct au_port_s au_port_t;
140 
141 struct au_tid_addr64 {
142 	au_port_t	at_port;
143 	uint_t		at_type;
144 	uint_t		at_addr[4];
145 };
146 typedef struct au_tid_addr64 au_tid64_addr_t;
147 
148 #if defined(_SYSCALL32)
149 struct au_tid_addr32 {
150 	uint_t at_port;
151 	uint_t at_type;
152 	uint_t at_addr[4];
153 };
154 
155 typedef struct au_tid_addr32 au_tid32_addr_t;
156 #endif
157 
158 typedef struct au_tid_addr au_tid_addr_t;
159 
160 struct au_ip {
161 	uint16_t	at_r_port;	/* remote port */
162 	uint16_t	at_l_port;	/* local port */
163 	uint32_t	at_type;	/* AU_IPv4,... */
164 	uint32_t	at_addr[4];	/* remote IP */
165 };
166 typedef struct au_ip au_ip_t;
167 
168 /*
169  * Generic network address structure
170  */
171 struct au_generic_tid {
172 	uchar_t	gt_type;	/* AU_IPADR, AU_DEVICE,... */
173 	union {
174 		au_ip_t		at_ip;
175 		au_port_t	at_dev;
176 	} gt_adr;
177 };
178 typedef struct au_generic_tid au_generic_tid_t;
179 
180 /*
181  * au_generic_tid_t gt_type values
182  * 0 is reserved for uninitialized data
183  */
184 #define	AU_IPADR	1
185 #define	AU_ETHER	2
186 #define	AU_DEVICE	3
187 
188 /*
189  * at_type values - address length used to identify address type
190  */
191 #define	AU_IPv4 4	/* ipv4 type IP address */
192 #define	AU_IPv6 16	/* ipv6 type IP address */
193 
194 /*
195  * Compatability with SunOS 4.x BSM module
196  *
197  * New code should not contain audit_state_t,
198  * au_state_t, nor au_termid as these types
199  * may go away in future releases.
200  *
201  * typedef new-5.x-bsm-name old-4.x-bsm-name
202  */
203 
204 typedef au_class_t au_state_t;
205 typedef au_mask_t audit_state_t;
206 typedef au_id_t auid_t;
207 #define	ai_state ai_mask;
208 
209 /*
210  * Opcodes for bsm system calls
211  */
212 
213 #define	BSM_GETAUID		19
214 #define	BSM_SETAUID		20
215 #define	BSM_GETAUDIT		21
216 #define	BSM_SETAUDIT		22
217 /*				23	OBSOLETE */
218 /*				24	OBSOLETE */
219 #define	BSM_AUDIT		25
220 /* 				26	OBSOLETE */
221 /* 				27	EOL announced for Sol 10 */
222 /*				28	OBSOLETE */
223 #define	BSM_AUDITCTL		29
224 /*				30	OBSOLETE */
225 /*				31	OBSOLETE */
226 /*				32	OBSOLETE */
227 /*				33	OBSOLETE */
228 /*				34	OBSOLETE */
229 #define	BSM_GETAUDIT_ADDR	35
230 #define	BSM_SETAUDIT_ADDR	36
231 #define	BSM_AUDITDOOR		37
232 
233 /*
234  * auditon(2) commands
235  */
236 #define	A_GETPOLICY	2	/* get audit policy */
237 #define	A_SETPOLICY	3	/* set audit policy */
238 #define	A_GETKMASK	4	/* get non-attributable event audit mask */
239 #define	A_SETKMASK	5	/* set non-attributable event audit mask */
240 #define	A_GETQCTRL	6	/* get kernel audit queue ctrl parameters */
241 #define	A_SETQCTRL	7	/* set kernel audit queue ctrl parameters */
242 #define	A_GETCWD	8	/* get process current working directory */
243 #define	A_GETCAR	9	/* get process current active root */
244 #define	A_GETSTAT	12	/* get audit statistics */
245 #define	A_SETSTAT	13	/* (re)set audit statistics */
246 #define	A_SETUMASK	14	/* set preselection mask for procs with auid */
247 #define	A_SETSMASK	15	/* set preselection mask for procs with asid */
248 #define	A_GETCOND	20	/* get audit system on/off condition */
249 #define	A_SETCOND	21	/* set audit system on/off condition */
250 #define	A_GETCLASS	22	/* get audit event to class mapping */
251 #define	A_SETCLASS	23	/* set audit event to class mapping */
252 #define	A_GETPINFO	24	/* get audit info for an arbitrary pid */
253 #define	A_SETPMASK	25	/* set preselection mask for an given pid */
254 #define	A_GETPINFO_ADDR	28	/* get audit info for an arbitrary pid */
255 #define	A_GETKAUDIT	29	/* get kernel audit characteristics */
256 #define	A_SETKAUDIT	30	/* set kernel audit characteristics */
257 #define	A_GETAMASK	31	/* set user default audit event mask */
258 #define	A_SETAMASK	32	/* get user default audit event mask */
259 
260 /*
261  * Audit Policy parameters (32 bits)
262  */
263 #define	AUDIT_CNT	0x0001	/* do NOT sleep undelivered synch events */
264 #define	AUDIT_AHLT	0x0002	/* HALT machine on undelivered async event */
265 #define	AUDIT_ARGV	0x0004	/* include argv with execv system call events */
266 #define	AUDIT_ARGE	0x0008	/* include arge with execv system call events */
267 #define	AUDIT_SEQ	0x0010	/* include sequence attribute */
268 #define	AUDIT_GROUP	0x0040	/* include group attribute with each record */
269 #define	AUDIT_TRAIL	0x0080	/* include trailer token */
270 #define	AUDIT_PATH	0x0100	/* allow multiple paths per event */
271 #define	AUDIT_SCNT	0x0200	/* sleep user events but not kernel events */
272 #define	AUDIT_PUBLIC	0x0400	/* audit even "public" files */
273 #define	AUDIT_ZONENAME	0x0800	/* emit zonename token */
274 #define	AUDIT_PERZONE	0x1000	/* auditd and audit queue for each zone */
275 #define	AUDIT_WINDATA_DOWN	0x2000	/* include paste downgraded data */
276 #define	AUDIT_WINDATA_UP	0x4000	/* include paste upgraded data */
277 
278 /*
279  * If AUDIT_GLOBAL changes, corresponding changes are required in
280  * audit_syscalls.c's setpolicy().
281  */
282 #define	AUDIT_GLOBAL	(AUDIT_AHLT | AUDIT_PERZONE)
283 #define	AUDIT_LOCAL	(AUDIT_CNT | AUDIT_ARGV | AUDIT_ARGE |\
284 			AUDIT_SEQ | AUDIT_GROUP | AUDIT_TRAIL | AUDIT_PATH |\
285 			AUDIT_PUBLIC | AUDIT_SCNT | AUDIT_ZONENAME |\
286 			AUDIT_WINDATA_DOWN | AUDIT_WINDATA_UP)
287 
288 /*
289  * Kernel audit queue control parameters
290  *
291  *	audit record recording blocks at hiwater # undelived records
292  *	audit record recording resumes at lowwater # undelivered audit records
293  *	bufsz determines how big the data xfers will be to the audit trail
294  */
295 struct au_qctrl {
296 	size_t	aq_hiwater;	/* kernel audit queue, high water mark */
297 	size_t	aq_lowater;	/* kernel audit queue, low  water mark */
298 	size_t	aq_bufsz;	/* kernel audit queue, write size to trail */
299 	clock_t	aq_delay;	/* delay before flushing audit queue */
300 };
301 
302 #if defined(_SYSCALL32)
303 struct au_qctrl32 {
304 	size32_t	aq_hiwater;
305 	size32_t	aq_lowater;
306 	size32_t	aq_bufsz;
307 	clock32_t	aq_delay;
308 };
309 #endif
310 
311 
312 /*
313  * default values of hiwater and lowater (note hi > lo)
314  */
315 #define	AQ_HIWATER  100
316 #define	AQ_MAXHIGH  100000
317 #define	AQ_LOWATER  10
318 #define	AQ_BUFSZ    8192
319 #define	AQ_MAXBUFSZ 1048576
320 #define	AQ_DELAY    20
321 #define	AQ_MAXDELAY 20000
322 
323 struct auditinfo {
324 	au_id_t		ai_auid;
325 	au_mask_t	ai_mask;
326 	au_tid_t	ai_termid;
327 	au_asid_t	ai_asid;
328 };
329 
330 #if defined(_SYSCALL32)
331 struct auditinfo32 {
332 	au_id_t		ai_auid;
333 	au_mask_t	ai_mask;
334 	au_tid32_t	ai_termid;
335 	au_asid_t	ai_asid;
336 };
337 
338 typedef struct auditinfo32 auditinfo32_t;
339 #endif
340 
341 typedef struct auditinfo auditinfo_t;
342 
343 struct k_auditinfo_addr {
344 	au_id_t		ai_auid;
345 	au_mask_t	ai_amask;	/* user default preselection mask */
346 	au_mask_t	ai_namask;	/* non-attributable mask */
347 	au_tid_addr_t	ai_termid;
348 	au_asid_t	ai_asid;
349 };
350 typedef struct k_auditinfo_addr k_auditinfo_addr_t;
351 
352 struct auditinfo_addr {
353 	au_id_t		ai_auid;
354 	au_mask_t	ai_mask;
355 	au_tid_addr_t	ai_termid;
356 	au_asid_t	ai_asid;
357 };
358 
359 struct auditinfo_addr64 {
360 	au_id_t		ai_auid;
361 	au_mask_t	ai_mask;
362 	au_tid64_addr_t	ai_termid;
363 	au_asid_t	ai_asid;
364 };
365 typedef struct auditinfo_addr64 auditinfo64_addr_t;
366 
367 #if defined(_SYSCALL32)
368 struct auditinfo_addr32 {
369 	au_id_t		ai_auid;
370 	au_mask_t	ai_mask;
371 	au_tid32_addr_t	ai_termid;
372 	au_asid_t	ai_asid;
373 };
374 
375 typedef struct auditinfo_addr32 auditinfo32_addr_t;
376 #endif
377 
378 typedef struct auditinfo_addr auditinfo_addr_t;
379 
380 struct auditpinfo {
381 	pid_t		ap_pid;
382 	au_id_t		ap_auid;
383 	au_mask_t	ap_mask;
384 	au_tid_t	ap_termid;
385 	au_asid_t	ap_asid;
386 };
387 
388 #if defined(_SYSCALL32)
389 struct auditpinfo32 {
390 	pid_t		ap_pid;
391 	au_id_t		ap_auid;
392 	au_mask_t	ap_mask;
393 	au_tid32_t	ap_termid;
394 	au_asid_t	ap_asid;
395 };
396 #endif
397 
398 
399 struct auditpinfo_addr {
400 	pid_t		ap_pid;
401 	au_id_t		ap_auid;
402 	au_mask_t	ap_mask;
403 	au_tid_addr_t	ap_termid;
404 	au_asid_t	ap_asid;
405 };
406 
407 #if defined(_SYSCALL32)
408 struct auditpinfo_addr32 {
409 	pid_t		ap_pid;
410 	au_id_t		ap_auid;
411 	au_mask_t	ap_mask;
412 	au_tid32_addr_t	ap_termid;
413 	au_asid_t	ap_asid;
414 };
415 #endif
416 
417 
418 struct au_evclass_map {
419 	au_event_t	ec_number;
420 	au_class_t	ec_class;
421 };
422 typedef struct au_evclass_map au_evclass_map_t;
423 
424 /*
425  * Audit stat structures (used to be in audit_stat.h
426  */
427 
428 struct audit_stat {
429 	unsigned int as_version;	/* version of kernel audit code */
430 	unsigned int as_numevent;	/* number of kernel audit events */
431 	uint32_t as_generated;		/* # records processed */
432 	uint32_t as_nonattrib;		/* # non-attributed records produced */
433 	uint32_t as_kernel;		/* # records produced by kernel */
434 	uint32_t as_audit;		/* # records processed by audit(2) */
435 	uint32_t as_auditctl;		/* # records processed by auditctl(2) */
436 	uint32_t as_enqueue;		/* # records put onto audit queue */
437 	uint32_t as_written;		/* # records written to audit trail */
438 	uint32_t as_wblocked;		/* # times write blked on audit queue */
439 	uint32_t as_rblocked;		/* # times read blked on audit queue */
440 	uint32_t as_dropped;		/* # of dropped audit records */
441 	uint32_t as_totalsize;		/* total number bytes of audit data */
442 	uint32_t as_memused;		/* no longer used */
443 };
444 typedef struct audit_stat au_stat_t;
445 
446 /* get kernel audit context dependent on AUDIT_PERZONE policy */
447 #define	GET_KCTX_PZ	(audit_policy & AUDIT_PERZONE) ?\
448 			    curproc->p_zone->zone_audit_kctxt :\
449 			    global_zone->zone_audit_kctxt
450 /* get kernel audit context of global zone */
451 #define	GET_KCTX_GZ	global_zone->zone_audit_kctxt
452 /* get kernel audit context of non-global zone */
453 #define	GET_KCTX_NGZ	curproc->p_zone->zone_audit_kctxt
454 
455 #define	AS_INC(a, b, c) atomic_add_32(&(c->auk_statistics.a), (b))
456 #define	AS_DEC(a, b, c) atomic_add_32(&(c->auk_statistics.a), -(b))
457 
458 /*
459  * audit token IPC types (shm, sem, msg) [for ipc attribute]
460  */
461 
462 #define	AT_IPC_MSG	((char)1)		/* message IPC id */
463 #define	AT_IPC_SEM	((char)2)		/* semaphore IPC id */
464 #define	AT_IPC_SHM	((char)3)		/* shared memory IPC id */
465 
466 #if defined(_KERNEL)
467 
468 #ifdef __cplusplus
469 }
470 #endif
471 
472 #include <sys/types.h>
473 #include <sys/model.h>
474 #include <sys/proc.h>
475 #include <sys/stream.h>
476 #include <sys/stropts.h>
477 #include <sys/file.h>
478 #include <sys/pathname.h>
479 #include <sys/vnode.h>
480 #include <sys/systm.h>
481 #include <netinet/in.h>
482 #include <c2/audit_door_infc.h>
483 #include <sys/crypto/ioctladmin.h>
484 #include <sys/netstack.h>
485 #include <sys/zone.h>
486 
487 #ifdef __cplusplus
488 extern "C" {
489 #endif
490 
491 struct fcntla;
492 struct t_audit_data;
493 struct audit_path;
494 struct priv_set;
495 struct devplcysys;
496 
497 struct auditcalls {
498 	long	code;
499 	long	a1;
500 	long	a2;
501 	long	a3;
502 	long	a4;
503 	long	a5;
504 };
505 
506 int	audit(caddr_t, int);
507 int	auditsys(struct auditcalls *, union rval *); /* fake stub */
508 void	audit_cryptoadm(int, char *, crypto_mech_name_t *,
509 	    uint_t, uint_t, uint32_t, int);
510 void	audit_init(void);
511 void	audit_init_module(void);
512 void	audit_newproc(struct proc *);
513 void	audit_pfree(struct proc *);
514 void	audit_thread_create(kthread_id_t);
515 void	audit_thread_free(kthread_id_t);
516 int	audit_savepath(struct pathname *, struct vnode *, struct vnode *,
517 		int, cred_t *);
518 void	audit_anchorpath(struct pathname *, int);
519 void	audit_symlink(struct pathname *, struct pathname *);
520 void	audit_symlink_create(struct vnode *, char *, char *, int);
521 int	object_is_public(struct vattr *);
522 void	audit_attributes(struct vnode *);
523 void	audit_falloc(struct file *);
524 void	audit_unfalloc(struct file *);
525 void	audit_exit(int, int);
526 void	audit_core_start(int);
527 void	audit_core_finish(int);
528 void	audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *,
529 		unsigned char *, int *, int);
530 void	audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *,
531 		unsigned char, int, int);
532 void	audit_closef(struct file *);
533 void	audit_setf(struct file *, int);
534 void	audit_reboot(void);
535 void	audit_vncreate_start(void);
536 void	audit_setfsat_path(int argnum);
537 void	audit_vncreate_finish(struct vnode *, int);
538 void	audit_exec(const char *, const char *, ssize_t, ssize_t, cred_t *);
539 void	audit_enterprom(int);
540 void	audit_exitprom(int);
541 void	audit_chdirec(struct vnode *, struct vnode **);
542 void	audit_sock(int, struct queue *, struct msgb *, int);
543 int	audit_start(unsigned int, unsigned int, uint32_t, int, klwp_t *);
544 void	audit_finish(unsigned int, unsigned int, int, union rval *);
545 int	audit_async_start(label_t *, au_event_t, int);
546 void	audit_async_finish(caddr_t *, au_event_t, au_emod_t, timestruc_t *);
547 void	audit_async_discard_backend(void *);
548 void	audit_async_done(caddr_t *, int);
549 void	audit_async_drop(caddr_t *, int);
550 
551 #ifndef AUK_CONTEXT_T
552 #define	AUK_CONTEXT_T
553 typedef struct au_kcontext au_kcontext_t;
554 #endif
555 
556 /* Zone audit context setup routine */
557 void au_zone_setup(void);
558 
559 /*
560  * c2audit module states
561  */
562 #define	C2AUDIT_DISABLED    0	/* c2audit module excluded in /etc/system */
563 #define	C2AUDIT_UNLOADED    1	/* c2audit module not loaded */
564 #define	C2AUDIT_LOADED	    2	/* c2audit module loaded */
565 
566 uint32_t    audit_getstate(void);
567 int	    au_zone_getstate(const au_kcontext_t *);
568 
569 /* The audit mask defining in which case is auditing enabled */
570 #define	AU_AUDIT_MASK	(AUC_AUDITING | AUC_NOSPACE)
571 
572 /*
573  * Get the given zone audit status. zcontext != NULL serves
574  * as a protection when c2audit module is not loaded.
575  */
576 #define	AU_ZONE_AUDITING(zcontext)	    \
577 	(audit_active == C2AUDIT_LOADED &&  \
578 	    ((AU_AUDIT_MASK) & au_zone_getstate((zcontext))))
579 
580 /*
581  * Get auditing status
582  */
583 #define	AU_AUDITING() (audit_getstate())
584 
585 int	audit_success(au_kcontext_t *, struct t_audit_data *, int, cred_t *);
586 int	auditme(au_kcontext_t *, struct t_audit_data *, au_state_t);
587 void	audit_fixpath(struct audit_path *, int);
588 void	audit_ipc(int, int, void *);
589 void	audit_ipcget(int, void *);
590 void	audit_fdsend(int, struct file *, int);
591 void	audit_fdrecv(int, struct file *);
592 void	audit_priv(int, const struct priv_set *, int);
593 void	audit_setppriv(int, int, const struct priv_set *, const cred_t *);
594 void	audit_psecflags(proc_t *, psecflagwhich_t,
595     const secflagdelta_t *);
596 void	audit_devpolicy(int, const struct devplcysys *);
597 void	audit_update_context(proc_t *, cred_t *);
598 void	audit_kssl(int, void *, int);
599 void	audit_pf_policy(int, cred_t *, netstack_t *, char *, boolean_t, int,
600     pid_t);
601 void	audit_sec_attributes(caddr_t *, struct vnode *);
602 
603 #endif
604 
605 #ifdef __cplusplus
606 }
607 #endif
608 
609 #endif /* _BSM_AUDIT_H */
610