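/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * This file contains the declarations of the various data structures
 * used by the auditing module(s).
 *
 * Layout: user-visible constants and structures first (audit conditions,
 * preselection masks, terminal ids, auditctl(2) commands, policy bits,
 * queue control, auditinfo/auditpinfo families, statistics), followed by
 * a _KERNEL-only section with kernel includes and the audit entry-point
 * prototypes.
 */

#ifndef _BSM_AUDIT_H
#define	_BSM_AUDIT_H

#pragma ident "%Z%%M% %I% %E% SMI"

#ifdef __cplusplus
extern "C" {
#endif


#include <sys/shm.h>		/* for shmid_ds structure */
#include <sys/sem.h>		/* for semid_ds structure */
#include <sys/msg.h>		/* for msqid_ds structure */
#include <sys/atomic.h>		/* using atomics */

/*
 * Audit conditions, statements regarding what's to be done with
 * audit records.  Neither AUC_ENABLED, AUC_DISABLED, nor AUC_UNSET
 * are returned on an auditconfig -getcond call.
 *
 * Two distinct value spaces share this name prefix: the global state
 * (AUC_DISABLED/AUC_UNSET/AUC_ENABLED) and the local zone state
 * (AUC_INIT_AUDIT/AUC_AUDITING/AUC_NOAUDIT/AUC_NOSPACE).  AUC_ENABLED and
 * AUC_AUDITING both have the value 1, so a condition value must always be
 * interpreted against the state space it came from.
 */
/* global state */
#define	AUC_DISABLED	-1	/* audit module loaded but not enabled */
#define	AUC_UNSET	0	/* on/off hasn't been decided */
#define	AUC_ENABLED	1	/* loaded and enabled */
/* local zone state */
#define	AUC_INIT_AUDIT	4	/* c2audit is ready but auditd has not run */
#define	AUC_AUDITING	1	/* auditing is being done */
#define	AUC_NOAUDIT	2	/* auditing is not being done */
#define	AUC_NOSPACE	3	/* audit enabled, no space for audit records */

/*
 * The user id -2 is never audited - in fact, a setauid(AU_NOAUDITID)
 * will turn off auditing.
 */
#define	AU_NOAUDITID	-2

/*
 * success/failure bits for asynchronous events
 */

#define	AUM_SUCC	1	/* use the system success preselection mask */
#define	AUM_FAIL	2	/* use the system failure preselection mask */


/*
 * Defines for event modifier field
 *
 * Each value is a single distinct bit, so modifiers may be OR'ed together.
 */
#define	PAD_READ	0x0001	/* object read */
#define	PAD_WRITE	0x0002	/* object write */
#define	PAD_NONATTR	0x4000	/* non-attributable event */
#define	PAD_FAILURE	0x8000	/* fail audit event */
#define	PAD_SPRIVUSE	0x0080	/* successfully used privileged */
#define	PAD_FPRIVUSE	0x0100	/* failed use of privileged */

/*
 * Some typedefs for the fundamentals
 */
typedef	pid_t	au_asid_t;	/* audit session id */
typedef	uint_t	au_class_t;	/* audit class bit set (see au_mask) */
typedef	short	au_event_t;	/* audit event number */
/*
 * au_emod_t presumably carries the PAD_* event modifier bits above.
 * NOTE(review): PAD_FAILURE (0x8000) lands in the sign bit of this signed
 * 16-bit type; test it with a bitwise AND rather than a comparison.
 */
typedef	short	au_emod_t;
typedef	uid_t	au_id_t;	/* audit user id */

/*
 * An audit event mask.
 */
#define	AU_MASK_ALL	0xFFFFFFFF	/* all bits on for unsigned int */
#define	AU_MASK_NONE	0x0		/* all bits off = no:invalid class */

/*
 * Preselection mask: one class bit set for successful events and one
 * for failed events.
 */
struct au_mask {
	unsigned int	am_success;	/* success bits */
	unsigned int	am_failure;	/* failure bits */
};
typedef struct au_mask	au_mask_t;
/* legacy field-name aliases for struct au_mask members */
#define	as_success	am_success
#define	as_failure	am_failure

/*
 * The structure of the terminal ID (ipv4)
 */
struct au_tid {
	dev_t	port;
	uint_t	machine;
};

#if defined(_SYSCALL32)
/*
 * 32-bit layout of struct au_tid: port is a fixed-width uint_t instead of
 * dev_t.  Presumably used for 32-bit system call compatibility.
 */
struct au_tid32 {
	uint_t	port;
	uint_t	machine;
};

typedef struct au_tid32 au_tid32_t;
#endif

typedef struct au_tid au_tid_t;

/*
 * The structure of the terminal ID (ipv6)
 *
 * at_type holds AU_IPv4 or AU_IPv6 (the address length); at_addr is
 * large enough for either.
 */
struct au_tid_addr {
	dev_t	at_port;
	uint_t	at_type;
	uint_t	at_addr[4];
};

/* explicit 64-bit split of a device number used by the *64 variants */
struct au_port_s {
	uint32_t	at_major;	/* major # */
	uint32_t	at_minor;	/* minor # */
};
typedef struct au_port_s au_port_t;

/* au_tid_addr with the port expressed as au_port_t (major/minor pair) */
struct au_tid_addr64 {
	au_port_t	at_port;
	uint_t		at_type;
	uint_t		at_addr[4];
};
typedef struct au_tid_addr64 au_tid64_addr_t;

#if defined(_SYSCALL32)
/* 32-bit layout of struct au_tid_addr: port is uint_t instead of dev_t */
struct au_tid_addr32 {
	uint_t	at_port;
	uint_t	at_type;
	uint_t	at_addr[4];
};

typedef struct au_tid_addr32 au_tid32_addr_t;
#endif

typedef struct au_tid_addr au_tid_addr_t;

/* IP endpoint identification (remote/local ports plus remote address) */
struct au_ip {
	uint16_t	at_r_port;	/* remote port */
	uint16_t	at_l_port;	/* local port */
	uint32_t	at_type;	/* AU_IPv4,... */
	uint32_t	at_addr[4];	/* remote IP */
};
typedef struct au_ip au_ip_t;

/*
 * Generic network address structure
 *
 * gt_type selects which union member is valid; 0 means uninitialized.
 */
struct au_generic_tid {
	uchar_t	gt_type;	/* AU_IPADR, AU_DEVICE,... */
	union {
		au_ip_t		at_ip;
		au_port_t	at_dev;
	} gt_adr;
};
typedef struct au_generic_tid au_generic_tid_t;

/*
 * au_generic_tid_t gt_type values
 * 0 is reserved for uninitialized data
 */
#define	AU_IPADR	1
#define	AU_ETHER	2
#define	AU_DEVICE	3

/*
 * at_type values - address length used to identify address type
 */
#define	AU_IPv4		4	/* ipv4 type IP address */
#define	AU_IPv6		16	/* ipv6 type IP address */

/*
 * Compatability with SunOS 4.x BSM module
 *
 * New code should not contain audit_state_t,
 * au_state_t, nor au_termid as these types
 * may go away in future releases.
 *
 * typedef	new-5.x-bsm-name	old-4.x-bsm-name
 */

typedef	au_class_t	au_state_t;
typedef	au_mask_t	audit_state_t;
typedef	au_id_t		auid_t;
/*
 * Field-name alias.  The definition carries no trailing semicolon: an
 * earlier "#define ai_state ai_mask;" expanded to "ai_mask;" and broke
 * any use such as p->ai_state.am_success.
 */
#define	ai_state	ai_mask

/*
 * Opcodes for bsm system calls
 */

#define	BSM_GETAUID		19
#define	BSM_SETAUID		20
#define	BSM_GETAUDIT		21
#define	BSM_SETAUDIT		22
#define	BSM_GETUSERAUDIT	23
#define	BSM_SETUSERAUDIT	24
#define	BSM_AUDIT		25
#define	BSM_AUDITUSER		26
#define	BSM_AUDITSVC		27	/* EOL announced for Sol 10 */
#define	BSM_AUDITON		28
#define	BSM_AUDITCTL		29
#define	BSM_GETKERNSTATE	30
#define	BSM_SETKERNSTATE	31
#define	BSM_GETPORTAUDIT	32
#define	BSM_REVOKE		33
#define	BSM_AUDITSTAT		34
#define	BSM_GETAUDIT_ADDR	35
#define	BSM_SETAUDIT_ADDR	36
#define	BSM_AUDITDOOR		37

/*
 * Auditctl(2) commands
 *
 * Values 10-11 and 16-19 are not assigned here.
 */
#define	A_GETPOLICY	2	/* get audit policy */
#define	A_SETPOLICY	3	/* set audit policy */
#define	A_GETKMASK	4	/* get kernel event preselection mask */
#define	A_SETKMASK	5	/* set kernel event preselection mask */
#define	A_GETQCTRL	6	/* get kernel audit queue ctrl parameters */
#define	A_SETQCTRL	7	/* set kernel audit queue ctrl parameters */
#define	A_GETCWD	8	/* get process current working directory */
#define	A_GETCAR	9	/* get process current active root */
#define	A_GETSTAT	12	/* get audit statistics */
#define	A_SETSTAT	13	/* (re)set audit statistics */
#define	A_SETUMASK	14	/* set preselection mask for procs with auid */
#define	A_SETSMASK	15	/* set preselection mask for procs with asid */
#define	A_GETCOND	20	/* get audit system on/off condition */
#define	A_SETCOND	21	/* set audit system on/off condition */
#define	A_GETCLASS	22	/* get audit event to class mapping */
#define	A_SETCLASS	23	/* set audit event to class mapping */
#define	A_GETPINFO	24	/* get audit info for an arbitrary pid */
#define	A_SETPMASK	25	/* set preselection mask for an given pid */
#define	A_SETFSIZE	26	/* set audit file size */
#define	A_GETFSIZE	27	/* get audit file size */
#define	A_GETPINFO_ADDR	28	/* get audit info for an arbitrary pid */
#define	A_GETKAUDIT	29	/* get kernel audit characteristics */
#define	A_SETKAUDIT	30	/* set kernel audit characteristics */

/*
 * Audit Policy parameters (32 bits)
 */
#define	AUDIT_CNT	0x0001	/* do NOT sleep undelivered synch events */
#define	AUDIT_AHLT	0x0002	/* HALT machine on undelivered async event */
#define	AUDIT_ARGV	0x0004	/* include argv with execv system call events */
#define	AUDIT_ARGE	0x0008	/* include arge with execv system call events */
#define	AUDIT_PASSWD	0x0010	/* include bad password with "login" events */
#define	AUDIT_SEQ	0x0020	/* include sequence attribute */
#define	AUDIT_WINDATA	0x0040	/* include interwindow moved data */
#define	AUDIT_USER	0x0080	/* make audituser(2) un-privileged */
#define	AUDIT_GROUP	0x0100	/* include group attribute with each record */
#define	AUDIT_TRAIL	0X0200	/* include trailer token */
#define	AUDIT_PATH	0x0400	/* allow multiple paths per event */
#define	AUDIT_SCNT	0x0800	/* sleep user events but not kernel events */
#define	AUDIT_PUBLIC	0x1000	/* audit even "public" files */
#define	AUDIT_ZONENAME	0x2000	/* emit zonename token */
#define	AUDIT_PERZONE	0x4000	/* auditd and audit queue for each zone */
/*
 * If AUDIT_GLOBAL changes, corresponding changes are required in
 * audit_syscalls.c's setpolicy().
 *
 * AUDIT_GLOBAL and AUDIT_LOCAL are disjoint and together cover every
 * policy bit defined above (0x0001 through 0x4000); a new policy bit must
 * be added to exactly one of them.
 */
#define	AUDIT_GLOBAL	(AUDIT_AHLT | AUDIT_PERZONE)
#define	AUDIT_LOCAL	(AUDIT_CNT | AUDIT_ARGV | AUDIT_ARGE |\
			AUDIT_PASSWD | AUDIT_SEQ | AUDIT_WINDATA |\
			AUDIT_USER | AUDIT_GROUP | AUDIT_TRAIL | AUDIT_PATH |\
			AUDIT_PUBLIC | AUDIT_SCNT | AUDIT_ZONENAME)

/*
 * Kernel audit queue control parameters
 *
 * audit record recording blocks at hiwater # undelived records
 * audit record recording resumes at lowwater # undelivered audit records
 * bufsz determines how big the data xfers will be to the audit trail
 *
 * Defaults and limits are the AQ_* values below.
 */
struct au_qctrl {
	size_t	aq_hiwater;	/* kernel audit queue, high water mark */
	size_t	aq_lowater;	/* kernel audit queue, low water mark */
	size_t	aq_bufsz;	/* kernel audit queue, write size to trail */
	clock_t	aq_delay;	/* delay before flushing audit queue */
};

#if defined(_SYSCALL32)
/* 32-bit layout of struct au_qctrl */
struct au_qctrl32 {
	size32_t	aq_hiwater;
	size32_t	aq_lowater;
	size32_t	aq_bufsz;
	clock32_t	aq_delay;
};
#endif


/*
 * default values of hiwater and lowater (note hi > lo)
 *
 * The AQ_MAX* values are presumably the upper bounds accepted by
 * A_SETQCTRL — confirm against the setqctrl implementation before
 * relying on them.
 */
#define	AQ_HIWATER	100
#define	AQ_MAXHIGH	100000
#define	AQ_LOWATER	10
#define	AQ_BUFSZ	8192
#define	AQ_MAXBUFSZ	1048576
#define	AQ_DELAY	20
#define	AQ_MAXDELAY	20000

/* per-process audit characteristics (ipv4 terminal id) */
struct auditinfo {
	au_id_t		ai_auid;	/* audit user id */
	au_mask_t	ai_mask;	/* preselection mask */
	au_tid_t	ai_termid;	/* terminal id */
	au_asid_t	ai_asid;	/* audit session id */
};

#if defined(_SYSCALL32)
/* 32-bit layout of struct auditinfo (uses au_tid32_t) */
struct auditinfo32 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid32_t	ai_termid;
	au_asid_t	ai_asid;
};

typedef struct auditinfo32 auditinfo32_t;
#endif

typedef struct auditinfo auditinfo_t;

/* per-process audit characteristics (ipv4/ipv6 terminal id) */
struct auditinfo_addr {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid_addr_t	ai_termid;
	au_asid_t	ai_asid;
};

/* struct auditinfo_addr with the au_port_t (major/minor) terminal id */
struct auditinfo_addr64 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid64_addr_t	ai_termid;
	au_asid_t	ai_asid;
};
typedef struct auditinfo_addr64 auditinfo64_addr_t;

#if defined(_SYSCALL32)
/* 32-bit layout of struct auditinfo_addr (uses au_tid32_addr_t) */
struct auditinfo_addr32 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid32_addr_t	ai_termid;
	au_asid_t	ai_asid;
};

typedef struct auditinfo_addr32 auditinfo32_addr_t;
#endif

typedef struct auditinfo_addr auditinfo_addr_t;

/* struct auditinfo plus the pid it describes (A_GETPINFO) */
struct auditpinfo {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid_t	ap_termid;
	au_asid_t	ap_asid;
};

#if defined(_SYSCALL32)
/* 32-bit layout of struct auditpinfo */
struct auditpinfo32 {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid32_t	ap_termid;
	au_asid_t	ap_asid;
};
#endif


/* struct auditinfo_addr plus the pid it describes (A_GETPINFO_ADDR) */
struct auditpinfo_addr {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid_addr_t	ap_termid;
	au_asid_t	ap_asid;
};

#if defined(_SYSCALL32)
/* 32-bit layout of struct auditpinfo_addr */
struct auditpinfo_addr32 {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid32_addr_t	ap_termid;
	au_asid_t	ap_asid;
};
#endif


/* one event-number to class-mask mapping entry (A_GETCLASS/A_SETCLASS) */
struct au_evclass_map {
	au_event_t	ec_number;
	au_class_t	ec_class;
};
typedef struct au_evclass_map au_evclass_map_t;

/*
 * Audit stat structures (used to be in audit_stat.h)
 */

struct audit_stat {
	unsigned int	as_version;	/* version of kernel audit code */
	unsigned int	as_numevent;	/* number of kernel audit events */
	uint32_t	as_generated;	/* # records processed */
	uint32_t	as_nonattrib;	/* # non-attributed records produced */
	uint32_t	as_kernel;	/* # records produced by kernel */
	uint32_t	as_audit;	/* # records processed by audit(2) */
	uint32_t	as_auditctl;	/* # records processed by auditctl(2) */
	uint32_t	as_enqueue;	/* # records put onto audit queue */
	uint32_t	as_written;	/* # records written to audit trail */
	uint32_t	as_wblocked;	/* # times write blked on audit queue */
	uint32_t	as_rblocked;	/* # times read blked on audit queue */
	uint32_t	as_dropped;	/* # of dropped audit records */
	uint32_t	as_totalsize;	/* total number bytes of audit data */
	uint32_t	as_memused;	/* no longer used */
};
typedef struct audit_stat au_stat_t;
/* defined elsewhere; presumably the number of kernel audit events */
extern int au_naevent;

/*
 * Secondary stat structure for file size stuff.  The stat structure was
 * not combined to preserve the semantics of the 5.1 - 5.3 A_GETSTAT call
 */
struct audit_fstat {
	unsigned int	af_filesz;
	unsigned int	af_currsz;
};
typedef struct audit_fstat au_fstat_t;

/*
 * Kernel audit context selection.  These macros are expressions, not
 * statements, and reference the kernel globals au_zone_key, audit_policy,
 * curproc and global_zone.
 */
/* set kernel audit context dependent on AUDIT_PERZONE policy */
#define	SET_KCTX_PZ	zone_getspecific(au_zone_key,\
			    (audit_policy & AUDIT_PERZONE) ?\
			    curproc->p_zone :\
			    global_zone)
/* set kernel audit context to global zone */
#define	SET_KCTX_GZ	zone_getspecific(au_zone_key,\
			    global_zone)
/* set kernel audit context to local zone */
#define	SET_KCTX_LZ	zone_getspecific(au_zone_key, curproc->p_zone)

/*
 * Atomically adjust counter `a` of context `c`'s auk_statistics by `b`.
 * `c` is parenthesised so a non-trivial context expression binds as a unit.
 */
#define	AS_INC(a, b, c)	atomic_add_32(&((c)->auk_statistics.a), (b))
#define	AS_DEC(a, b, c)	atomic_add_32(&((c)->auk_statistics.a), -(b))

/*
 * audit token IPC types (shm, sem, msg) [for ipc attribute]
 */

#define	AT_IPC_MSG	((char)1)	/* message IPC id */
#define	AT_IPC_SEM	((char)2)	/* semaphore IPC id */
#define	AT_IPC_SHM	((char)3)	/* shared memory IPC id */

#if defined(_KERNEL)

/* close the extern "C" block while kernel headers are pulled in */
#ifdef __cplusplus
}
#endif

#include <sys/types.h>
#include <sys/model.h>
#include <sys/proc.h>
#include <sys/stream.h>
#include <sys/stropts.h>
#include <sys/file.h>
#include <sys/pathname.h>
#include <sys/vnode.h>
#include <sys/systm.h>
#include <netinet/in.h>
#include <c2/audit_door_infc.h>
#include <sys/crypto/ioctladmin.h>

#ifdef __cplusplus
extern "C" {
#endif

/* opaque kernel types referenced by the prototypes below */
struct fcntla;
struct t_audit_data;
struct audit_path;
struct priv_set;
struct devplcysys;

/* argument block for auditsys()/_auditsys(): opcode plus up to 5 args */
struct auditcalls {
	long	code;
	long	a1;
	long	a2;
	long	a3;
	long	a4;
	long	a5;
};

int	audit(caddr_t, int);
int	_audit(caddr_t, int);
int	auditsys(struct auditcalls *, union rval *); /* fake stub */
int	_auditsys(struct auditcalls *, union rval *); /* real deal */
void	audit_cryptoadm(int, char *, crypto_mech_name_t *,
	    uint_t, uint_t, uint32_t, int);
void	audit_init(void);
void	audit_newproc(struct proc *);
void	audit_pfree(struct proc *);
void	audit_thread_create(kthread_id_t);
void	audit_thread_free(kthread_id_t);
int	audit_savepath(struct pathname *, struct vnode *, int, cred_t *);
void	audit_addcomponent(struct pathname *);
void	audit_anchorpath(struct pathname *, int);
void	audit_symlink(struct pathname *, struct pathname *);
void	audit_symlink_create(struct vnode *, char *, char *, int);
int	file_is_public(struct vattr *);
void	audit_attributes(struct vnode *);
void	audit_falloc(struct file *);
void	audit_unfalloc(struct file *);
void	audit_exit(int, int);
void	audit_core_start(int);
void	audit_core_finish(int);
void	audit_stropen(struct vnode *, dev_t *, int, struct cred *);
void	audit_strclose(struct vnode *, int, struct cred *);
void	audit_strioctl(struct vnode *, int, intptr_t, int, int, struct cred *,
	    int *);
void	audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *,
	    unsigned char *, int *, int);
void	audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *,
	    unsigned char, int, int);
void	audit_closef(struct file *);
int	audit_getf(int);
void	audit_setf(struct file *, int);
void	audit_copen(int, struct file *, struct vnode *);
void	audit_reboot(void);
void	audit_vncreate_start(void);
void	audit_setfsat_path(int argnum);
void	audit_vncreate_finish(struct vnode *, int);
void	audit_exec(const char *, const char *, ssize_t, ssize_t);
void	audit_enterprom(int);
void	audit_exitprom(int);
void	audit_chdirec(struct vnode *, struct vnode **);
void	audit_sock(int, struct queue *, struct msgb *, int);
void	audit_free(void);
int	audit_start(unsigned int, unsigned int, int, klwp_t *);
void	audit_finish(unsigned int, unsigned int, int, union rval *);
int	audit_async_start(label_t *, int, int);
void	audit_async_finish(caddr_t *, int, int);
void	audit_async_discard_backend(void *);
void	audit_async_done(caddr_t *, int);
void	audit_async_drop(caddr_t *, int);

/* forward declaration of the per-zone kernel audit context */
#ifndef AUK_CONTEXT_T
#define	AUK_CONTEXT_T
typedef struct au_kcontext au_kcontext_t;
#endif

int	audit_success(au_kcontext_t *, struct t_audit_data *, int);
int	auditme(au_kcontext_t *, struct t_audit_data *, au_state_t);
void	audit_fixpath(struct audit_path *, int);
void	audit_ipc(int, int, void *);
void	audit_ipcget(int, void *);
/*
 * NOTE(review): declared without a prototype, so calls are not
 * type-checked; confirm the intended signature before changing to (void).
 */
void	audit_lookupname();
int	audit_pathcomp(struct pathname *, vnode_t *, cred_t *);
void	audit_fdsend(int, struct file *, int);
void	audit_fdrecv(int, struct file *);
int	audit_c2_revoke(struct fcntla *, rval_t *);
void	audit_priv(int, const struct priv_set *, int);
void	audit_setppriv(int, int, const struct priv_set *, const cred_t *);
void	audit_devpolicy(int, const struct devplcysys *);
void	audit_update_context(proc_t *, cred_t *);
void	audit_kssl(int, void *, int);

#endif	/* _KERNEL */

#ifdef __cplusplus
}
#endif

#endif	/* _BSM_AUDIT_H */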