17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 545916cd2Sjpk * Common Development and Distribution License (the "License"). 645916cd2Sjpk * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 217c478bd9Sstevel@tonic-gate /* 2291b2cbb3Sgww * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 237c478bd9Sstevel@tonic-gate */ 247c478bd9Sstevel@tonic-gate 257c478bd9Sstevel@tonic-gate /* 267c478bd9Sstevel@tonic-gate * This file contains the declarations of the various data structures 277c478bd9Sstevel@tonic-gate * used by the auditing module(s). 287c478bd9Sstevel@tonic-gate */ 297c478bd9Sstevel@tonic-gate 307c478bd9Sstevel@tonic-gate #ifndef _BSM_AUDIT_H 317c478bd9Sstevel@tonic-gate #define _BSM_AUDIT_H 327c478bd9Sstevel@tonic-gate 337c478bd9Sstevel@tonic-gate #ifdef __cplusplus 347c478bd9Sstevel@tonic-gate extern "C" { 357c478bd9Sstevel@tonic-gate #endif 367c478bd9Sstevel@tonic-gate 377c478bd9Sstevel@tonic-gate 387c478bd9Sstevel@tonic-gate #include <sys/shm.h> /* for shmid_ds structure */ 397c478bd9Sstevel@tonic-gate #include <sys/sem.h> /* for semid_ds structure */ 407c478bd9Sstevel@tonic-gate #include <sys/msg.h> /* for msqid_ds structure */ 417c478bd9Sstevel@tonic-gate #include <sys/atomic.h> /* using atomics */ 427c478bd9Sstevel@tonic-gate 437c478bd9Sstevel@tonic-gate /* 447c478bd9Sstevel@tonic-gate * Audit conditions, statements reguarding what's to be done with 4591b2cbb3Sgww * audit records. None of the "global state" is returned by an 4691b2cbb3Sgww * auditconfig -getcond call. AUC_NOSPACE no longer seems used. 477c478bd9Sstevel@tonic-gate */ 487c478bd9Sstevel@tonic-gate /* global state */ 497c478bd9Sstevel@tonic-gate #define AUC_UNSET 0 /* on/off hasn't been decided */ 507c478bd9Sstevel@tonic-gate #define AUC_ENABLED 1 /* loaded and enabled */ 5191b2cbb3Sgww /* pseudo state used in libbsm */ 5291b2cbb3Sgww #define AUC_DISABLED 0x100 /* c2audit module is excluded */ 537c478bd9Sstevel@tonic-gate /* local zone state */ 5491b2cbb3Sgww #define AUC_AUDITING 0x1 /* audit daemon is active */ 5591b2cbb3Sgww #define AUC_NOAUDIT 0x2 /* audit daemon is not active */ 5691b2cbb3Sgww #define AUC_INIT_AUDIT 0x4 /* audit ready but auditd has not run */ 57005d3febSMarek Pospisil #define AUC_NOSPACE 0x8 /* audit enabled, no space for audit records */ 587c478bd9Sstevel@tonic-gate 597c478bd9Sstevel@tonic-gate /* 607c478bd9Sstevel@tonic-gate * The user id -2 is never audited - in fact, a setauid(AU_NOAUDITID) 617c478bd9Sstevel@tonic-gate * will turn off auditing. 627c478bd9Sstevel@tonic-gate */ 63f48205beScasper #define AU_NOAUDITID ((au_id_t)-2) 647c478bd9Sstevel@tonic-gate 657c478bd9Sstevel@tonic-gate /* 667c478bd9Sstevel@tonic-gate * success/failure bits for asynchronous events 677c478bd9Sstevel@tonic-gate */ 687c478bd9Sstevel@tonic-gate 697c478bd9Sstevel@tonic-gate #define AUM_SUCC 1 /* use the system success preselection mask */ 707c478bd9Sstevel@tonic-gate #define AUM_FAIL 2 /* use the system failure preselection mask */ 717c478bd9Sstevel@tonic-gate 727c478bd9Sstevel@tonic-gate 737c478bd9Sstevel@tonic-gate /* 747c478bd9Sstevel@tonic-gate * Defines for event modifier field 757c478bd9Sstevel@tonic-gate */ 767c478bd9Sstevel@tonic-gate #define PAD_READ 0x0001 /* object read */ 777c478bd9Sstevel@tonic-gate #define PAD_WRITE 0x0002 /* object write */ 787c478bd9Sstevel@tonic-gate #define PAD_NONATTR 0x4000 /* non-attributable event */ 797c478bd9Sstevel@tonic-gate #define PAD_FAILURE 0x8000 /* fail audit event */ 807c478bd9Sstevel@tonic-gate #define PAD_SPRIVUSE 0x0080 /* successfully used privileged */ 817c478bd9Sstevel@tonic-gate #define PAD_FPRIVUSE 0x0100 /* failed use of privileged */ 827c478bd9Sstevel@tonic-gate 837c478bd9Sstevel@tonic-gate /* 847c478bd9Sstevel@tonic-gate * Some typedefs for the fundamentals 857c478bd9Sstevel@tonic-gate */ 86d0fa49b7STony Nguyen typedef uint_t au_asid_t; 877c478bd9Sstevel@tonic-gate typedef uint_t au_class_t; 88d0fa49b7STony Nguyen typedef ushort_t au_event_t; 89d0fa49b7STony Nguyen typedef ushort_t au_emod_t; 907c478bd9Sstevel@tonic-gate typedef uid_t au_id_t; 917c478bd9Sstevel@tonic-gate 927c478bd9Sstevel@tonic-gate /* 937c478bd9Sstevel@tonic-gate * An audit event mask. 947c478bd9Sstevel@tonic-gate */ 957c478bd9Sstevel@tonic-gate #define AU_MASK_ALL 0xFFFFFFFF /* all bits on for unsigned int */ 967c478bd9Sstevel@tonic-gate #define AU_MASK_NONE 0x0 /* all bits off = no:invalid class */ 977c478bd9Sstevel@tonic-gate 987c478bd9Sstevel@tonic-gate struct au_mask { 997c478bd9Sstevel@tonic-gate unsigned int am_success; /* success bits */ 1007c478bd9Sstevel@tonic-gate unsigned int am_failure; /* failure bits */ 1017c478bd9Sstevel@tonic-gate }; 1027c478bd9Sstevel@tonic-gate typedef struct au_mask au_mask_t; 1037c478bd9Sstevel@tonic-gate #define as_success am_success 1047c478bd9Sstevel@tonic-gate #define as_failure am_failure 1057c478bd9Sstevel@tonic-gate 1067c478bd9Sstevel@tonic-gate /* 1077c478bd9Sstevel@tonic-gate * The structure of the terminal ID (ipv4) 1087c478bd9Sstevel@tonic-gate */ 1097c478bd9Sstevel@tonic-gate struct au_tid { 1107c478bd9Sstevel@tonic-gate dev_t port; 1117c478bd9Sstevel@tonic-gate uint_t machine; 1127c478bd9Sstevel@tonic-gate }; 1137c478bd9Sstevel@tonic-gate 1147c478bd9Sstevel@tonic-gate #if defined(_SYSCALL32) 1157c478bd9Sstevel@tonic-gate struct au_tid32 { 1167c478bd9Sstevel@tonic-gate uint_t port; 1177c478bd9Sstevel@tonic-gate uint_t machine; 1187c478bd9Sstevel@tonic-gate }; 1197c478bd9Sstevel@tonic-gate 1207c478bd9Sstevel@tonic-gate typedef struct au_tid32 au_tid32_t; 1217c478bd9Sstevel@tonic-gate #endif 1227c478bd9Sstevel@tonic-gate 1237c478bd9Sstevel@tonic-gate typedef struct au_tid au_tid_t; 1247c478bd9Sstevel@tonic-gate 1257c478bd9Sstevel@tonic-gate /* 1267c478bd9Sstevel@tonic-gate * The structure of the terminal ID (ipv6) 1277c478bd9Sstevel@tonic-gate */ 1287c478bd9Sstevel@tonic-gate struct au_tid_addr { 1297c478bd9Sstevel@tonic-gate dev_t at_port; 1307c478bd9Sstevel@tonic-gate uint_t at_type; 1317c478bd9Sstevel@tonic-gate uint_t at_addr[4]; 1327c478bd9Sstevel@tonic-gate }; 1337c478bd9Sstevel@tonic-gate 1347c478bd9Sstevel@tonic-gate struct au_port_s { 1357c478bd9Sstevel@tonic-gate uint32_t at_major; /* major # */ 1367c478bd9Sstevel@tonic-gate uint32_t at_minor; /* minor # */ 1377c478bd9Sstevel@tonic-gate }; 1387c478bd9Sstevel@tonic-gate typedef struct au_port_s au_port_t; 1397c478bd9Sstevel@tonic-gate 1407c478bd9Sstevel@tonic-gate struct au_tid_addr64 { 1417c478bd9Sstevel@tonic-gate au_port_t at_port; 1427c478bd9Sstevel@tonic-gate uint_t at_type; 1437c478bd9Sstevel@tonic-gate uint_t at_addr[4]; 1447c478bd9Sstevel@tonic-gate }; 1457c478bd9Sstevel@tonic-gate typedef struct au_tid_addr64 au_tid64_addr_t; 1467c478bd9Sstevel@tonic-gate 1477c478bd9Sstevel@tonic-gate #if defined(_SYSCALL32) 1487c478bd9Sstevel@tonic-gate struct au_tid_addr32 { 1497c478bd9Sstevel@tonic-gate uint_t at_port; 1507c478bd9Sstevel@tonic-gate uint_t at_type; 1517c478bd9Sstevel@tonic-gate uint_t at_addr[4]; 1527c478bd9Sstevel@tonic-gate }; 1537c478bd9Sstevel@tonic-gate 1547c478bd9Sstevel@tonic-gate typedef struct au_tid_addr32 au_tid32_addr_t; 1557c478bd9Sstevel@tonic-gate #endif 1567c478bd9Sstevel@tonic-gate 1577c478bd9Sstevel@tonic-gate typedef struct au_tid_addr au_tid_addr_t; 1587c478bd9Sstevel@tonic-gate 1597c478bd9Sstevel@tonic-gate struct au_ip { 1607c478bd9Sstevel@tonic-gate uint16_t at_r_port; /* remote port */ 1617c478bd9Sstevel@tonic-gate uint16_t at_l_port; /* local port */ 1627c478bd9Sstevel@tonic-gate uint32_t at_type; /* AU_IPv4,... */ 1637c478bd9Sstevel@tonic-gate uint32_t at_addr[4]; /* remote IP */ 1647c478bd9Sstevel@tonic-gate }; 1657c478bd9Sstevel@tonic-gate typedef struct au_ip au_ip_t; 1667c478bd9Sstevel@tonic-gate 1677c478bd9Sstevel@tonic-gate /* 1687c478bd9Sstevel@tonic-gate * Generic network address structure 1697c478bd9Sstevel@tonic-gate */ 1707c478bd9Sstevel@tonic-gate struct au_generic_tid { 1717c478bd9Sstevel@tonic-gate uchar_t gt_type; /* AU_IPADR, AU_DEVICE,... */ 1727c478bd9Sstevel@tonic-gate union { 1737c478bd9Sstevel@tonic-gate au_ip_t at_ip; 1747c478bd9Sstevel@tonic-gate au_port_t at_dev; 1757c478bd9Sstevel@tonic-gate } gt_adr; 1767c478bd9Sstevel@tonic-gate }; 1777c478bd9Sstevel@tonic-gate typedef struct au_generic_tid au_generic_tid_t; 1787c478bd9Sstevel@tonic-gate 1797c478bd9Sstevel@tonic-gate /* 1807c478bd9Sstevel@tonic-gate * au_generic_tid_t gt_type values 1817c478bd9Sstevel@tonic-gate * 0 is reserved for uninitialized data 1827c478bd9Sstevel@tonic-gate */ 1837c478bd9Sstevel@tonic-gate #define AU_IPADR 1 1847c478bd9Sstevel@tonic-gate #define AU_ETHER 2 1857c478bd9Sstevel@tonic-gate #define AU_DEVICE 3 1867c478bd9Sstevel@tonic-gate 1877c478bd9Sstevel@tonic-gate /* 1887c478bd9Sstevel@tonic-gate * at_type values - address length used to identify address type 1897c478bd9Sstevel@tonic-gate */ 1907c478bd9Sstevel@tonic-gate #define AU_IPv4 4 /* ipv4 type IP address */ 1917c478bd9Sstevel@tonic-gate #define AU_IPv6 16 /* ipv6 type IP address */ 1927c478bd9Sstevel@tonic-gate 1937c478bd9Sstevel@tonic-gate /* 1947c478bd9Sstevel@tonic-gate * Compatability with SunOS 4.x BSM module 1957c478bd9Sstevel@tonic-gate * 1967c478bd9Sstevel@tonic-gate * New code should not contain audit_state_t, 1977c478bd9Sstevel@tonic-gate * au_state_t, nor au_termid as these types 1987c478bd9Sstevel@tonic-gate * may go away in future releases. 1997c478bd9Sstevel@tonic-gate * 2007c478bd9Sstevel@tonic-gate * typedef new-5.x-bsm-name old-4.x-bsm-name 2017c478bd9Sstevel@tonic-gate */ 2027c478bd9Sstevel@tonic-gate 2037c478bd9Sstevel@tonic-gate typedef au_class_t au_state_t; 2047c478bd9Sstevel@tonic-gate typedef au_mask_t audit_state_t; 2057c478bd9Sstevel@tonic-gate typedef au_id_t auid_t; 2067c478bd9Sstevel@tonic-gate #define ai_state ai_mask; 2077c478bd9Sstevel@tonic-gate 2087c478bd9Sstevel@tonic-gate /* 2097c478bd9Sstevel@tonic-gate * Opcodes for bsm system calls 2107c478bd9Sstevel@tonic-gate */ 2117c478bd9Sstevel@tonic-gate 2127c478bd9Sstevel@tonic-gate #define BSM_GETAUID 19 2137c478bd9Sstevel@tonic-gate #define BSM_SETAUID 20 2147c478bd9Sstevel@tonic-gate #define BSM_GETAUDIT 21 2157c478bd9Sstevel@tonic-gate #define BSM_SETAUDIT 22 216469aa27fSJan Friedel /* 23 OBSOLETE */ 217469aa27fSJan Friedel /* 24 OBSOLETE */ 2187c478bd9Sstevel@tonic-gate #define BSM_AUDIT 25 219731b94c1Stz204579 /* 26 OBSOLETE */ 220787b48eaSgww /* 27 EOL announced for Sol 10 */ 221ddc42f88SMarek Pospisil /* 28 OBSOLETE */ 2227c478bd9Sstevel@tonic-gate #define BSM_AUDITCTL 29 223469aa27fSJan Friedel /* 30 OBSOLETE */ 224469aa27fSJan Friedel /* 31 OBSOLETE */ 225469aa27fSJan Friedel /* 32 OBSOLETE */ 226469aa27fSJan Friedel /* 33 OBSOLETE */ 227469aa27fSJan Friedel /* 34 OBSOLETE */ 2287c478bd9Sstevel@tonic-gate #define BSM_GETAUDIT_ADDR 35 2297c478bd9Sstevel@tonic-gate #define BSM_SETAUDIT_ADDR 36 2307c478bd9Sstevel@tonic-gate #define BSM_AUDITDOOR 37 2317c478bd9Sstevel@tonic-gate 2327c478bd9Sstevel@tonic-gate /* 2337c478bd9Sstevel@tonic-gate * Auditctl(2) commands 2347c478bd9Sstevel@tonic-gate */ 2357c478bd9Sstevel@tonic-gate #define A_GETPOLICY 2 /* get audit policy */ 2367c478bd9Sstevel@tonic-gate #define A_SETPOLICY 3 /* set audit policy */ 2377c478bd9Sstevel@tonic-gate #define A_GETKMASK 4 /* get kernel event preselection mask */ 2387c478bd9Sstevel@tonic-gate #define A_SETKMASK 5 /* set kernel event preselection mask */ 2397c478bd9Sstevel@tonic-gate #define A_GETQCTRL 6 /* get kernel audit queue ctrl parameters */ 2407c478bd9Sstevel@tonic-gate #define A_SETQCTRL 7 /* set kernel audit queue ctrl parameters */ 2417c478bd9Sstevel@tonic-gate #define A_GETCWD 8 /* get process current working directory */ 2427c478bd9Sstevel@tonic-gate #define A_GETCAR 9 /* get process current active root */ 2437c478bd9Sstevel@tonic-gate #define A_GETSTAT 12 /* get audit statistics */ 2447c478bd9Sstevel@tonic-gate #define A_SETSTAT 13 /* (re)set audit statistics */ 2457c478bd9Sstevel@tonic-gate #define A_SETUMASK 14 /* set preselection mask for procs with auid */ 2467c478bd9Sstevel@tonic-gate #define A_SETSMASK 15 /* set preselection mask for procs with asid */ 2477c478bd9Sstevel@tonic-gate #define A_GETCOND 20 /* get audit system on/off condition */ 2487c478bd9Sstevel@tonic-gate #define A_SETCOND 21 /* set audit system on/off condition */ 2497c478bd9Sstevel@tonic-gate #define A_GETCLASS 22 /* get audit event to class mapping */ 2507c478bd9Sstevel@tonic-gate #define A_SETCLASS 23 /* set audit event to class mapping */ 2517c478bd9Sstevel@tonic-gate #define A_GETPINFO 24 /* get audit info for an arbitrary pid */ 2527c478bd9Sstevel@tonic-gate #define A_SETPMASK 25 /* set preselection mask for an given pid */ 2537c478bd9Sstevel@tonic-gate #define A_GETPINFO_ADDR 28 /* get audit info for an arbitrary pid */ 2547c478bd9Sstevel@tonic-gate #define A_GETKAUDIT 29 /* get kernel audit characteristics */ 2557c478bd9Sstevel@tonic-gate #define A_SETKAUDIT 30 /* set kernel audit characteristics */ 2567c478bd9Sstevel@tonic-gate 2577c478bd9Sstevel@tonic-gate /* 2587c478bd9Sstevel@tonic-gate * Audit Policy parameters (32 bits) 2597c478bd9Sstevel@tonic-gate */ 2607c478bd9Sstevel@tonic-gate #define AUDIT_CNT 0x0001 /* do NOT sleep undelivered synch events */ 2617c478bd9Sstevel@tonic-gate #define AUDIT_AHLT 0x0002 /* HALT machine on undelivered async event */ 2627c478bd9Sstevel@tonic-gate #define AUDIT_ARGV 0x0004 /* include argv with execv system call events */ 2637c478bd9Sstevel@tonic-gate #define AUDIT_ARGE 0x0008 /* include arge with execv system call events */ 2647bce2ddcSgww #define AUDIT_SEQ 0x0010 /* include sequence attribute */ 265731b94c1Stz204579 #define AUDIT_GROUP 0x0040 /* include group attribute with each record */ 266731b94c1Stz204579 #define AUDIT_TRAIL 0x0080 /* include trailer token */ 267731b94c1Stz204579 #define AUDIT_PATH 0x0100 /* allow multiple paths per event */ 268731b94c1Stz204579 #define AUDIT_SCNT 0x0200 /* sleep user events but not kernel events */ 269731b94c1Stz204579 #define AUDIT_PUBLIC 0x0400 /* audit even "public" files */ 270731b94c1Stz204579 #define AUDIT_ZONENAME 0x0800 /* emit zonename token */ 271731b94c1Stz204579 #define AUDIT_PERZONE 0x1000 /* auditd and audit queue for each zone */ 272731b94c1Stz204579 #define AUDIT_WINDATA_DOWN 0x2000 /* include paste downgraded data */ 273731b94c1Stz204579 #define AUDIT_WINDATA_UP 0x4000 /* include paste upgraded data */ 27445916cd2Sjpk 2757c478bd9Sstevel@tonic-gate /* 2767c478bd9Sstevel@tonic-gate * If AUDIT_GLOBAL changes, corresponding changes are required in 2777c478bd9Sstevel@tonic-gate * audit_syscalls.c's setpolicy(). 2787c478bd9Sstevel@tonic-gate */ 2797c478bd9Sstevel@tonic-gate #define AUDIT_GLOBAL (AUDIT_AHLT | AUDIT_PERZONE) 2807c478bd9Sstevel@tonic-gate #define AUDIT_LOCAL (AUDIT_CNT | AUDIT_ARGV | AUDIT_ARGE |\ 2819ee9cb3dSJan Friedel AUDIT_SEQ | AUDIT_GROUP | AUDIT_TRAIL | AUDIT_PATH |\ 28245916cd2Sjpk AUDIT_PUBLIC | AUDIT_SCNT | AUDIT_ZONENAME |\ 28345916cd2Sjpk AUDIT_WINDATA_DOWN | AUDIT_WINDATA_UP) 2847c478bd9Sstevel@tonic-gate 2857c478bd9Sstevel@tonic-gate /* 2867c478bd9Sstevel@tonic-gate * Kernel audit queue control parameters 2877c478bd9Sstevel@tonic-gate * 2887c478bd9Sstevel@tonic-gate * audit record recording blocks at hiwater # undelived records 2897c478bd9Sstevel@tonic-gate * audit record recording resumes at lowwater # undelivered audit records 2907c478bd9Sstevel@tonic-gate * bufsz determines how big the data xfers will be to the audit trail 2917c478bd9Sstevel@tonic-gate */ 2927c478bd9Sstevel@tonic-gate struct au_qctrl { 2937c478bd9Sstevel@tonic-gate size_t aq_hiwater; /* kernel audit queue, high water mark */ 2947c478bd9Sstevel@tonic-gate size_t aq_lowater; /* kernel audit queue, low water mark */ 2957c478bd9Sstevel@tonic-gate size_t aq_bufsz; /* kernel audit queue, write size to trail */ 2967c478bd9Sstevel@tonic-gate clock_t aq_delay; /* delay before flushing audit queue */ 2977c478bd9Sstevel@tonic-gate }; 2987c478bd9Sstevel@tonic-gate 2997c478bd9Sstevel@tonic-gate #if defined(_SYSCALL32) 3007c478bd9Sstevel@tonic-gate struct au_qctrl32 { 3017c478bd9Sstevel@tonic-gate size32_t aq_hiwater; 3027c478bd9Sstevel@tonic-gate size32_t aq_lowater; 3037c478bd9Sstevel@tonic-gate size32_t aq_bufsz; 3047c478bd9Sstevel@tonic-gate clock32_t aq_delay; 3057c478bd9Sstevel@tonic-gate }; 3067c478bd9Sstevel@tonic-gate #endif 3077c478bd9Sstevel@tonic-gate 3087c478bd9Sstevel@tonic-gate 3097c478bd9Sstevel@tonic-gate /* 3107c478bd9Sstevel@tonic-gate * default values of hiwater and lowater (note hi > lo) 3117c478bd9Sstevel@tonic-gate */ 3127c478bd9Sstevel@tonic-gate #define AQ_HIWATER 100 3137c478bd9Sstevel@tonic-gate #define AQ_MAXHIGH 100000 3147c478bd9Sstevel@tonic-gate #define AQ_LOWATER 10 3157c478bd9Sstevel@tonic-gate #define AQ_BUFSZ 8192 3167c478bd9Sstevel@tonic-gate #define AQ_MAXBUFSZ 1048576 3177c478bd9Sstevel@tonic-gate #define AQ_DELAY 20 3187c478bd9Sstevel@tonic-gate #define AQ_MAXDELAY 20000 3197c478bd9Sstevel@tonic-gate 3207c478bd9Sstevel@tonic-gate struct auditinfo { 3217c478bd9Sstevel@tonic-gate au_id_t ai_auid; 3227c478bd9Sstevel@tonic-gate au_mask_t ai_mask; 3237c478bd9Sstevel@tonic-gate au_tid_t ai_termid; 3247c478bd9Sstevel@tonic-gate au_asid_t ai_asid; 3257c478bd9Sstevel@tonic-gate }; 3267c478bd9Sstevel@tonic-gate 3277c478bd9Sstevel@tonic-gate #if defined(_SYSCALL32) 3287c478bd9Sstevel@tonic-gate struct auditinfo32 { 3297c478bd9Sstevel@tonic-gate au_id_t ai_auid; 3307c478bd9Sstevel@tonic-gate au_mask_t ai_mask; 3317c478bd9Sstevel@tonic-gate au_tid32_t ai_termid; 3327c478bd9Sstevel@tonic-gate au_asid_t ai_asid; 3337c478bd9Sstevel@tonic-gate }; 3347c478bd9Sstevel@tonic-gate 3357c478bd9Sstevel@tonic-gate typedef struct auditinfo32 auditinfo32_t; 3367c478bd9Sstevel@tonic-gate #endif 3377c478bd9Sstevel@tonic-gate 3387c478bd9Sstevel@tonic-gate typedef struct auditinfo auditinfo_t; 3397c478bd9Sstevel@tonic-gate 3407c478bd9Sstevel@tonic-gate struct auditinfo_addr { 3417c478bd9Sstevel@tonic-gate au_id_t ai_auid; 3427c478bd9Sstevel@tonic-gate au_mask_t ai_mask; 3437c478bd9Sstevel@tonic-gate au_tid_addr_t ai_termid; 3447c478bd9Sstevel@tonic-gate au_asid_t ai_asid; 3457c478bd9Sstevel@tonic-gate }; 3467c478bd9Sstevel@tonic-gate 3477c478bd9Sstevel@tonic-gate struct auditinfo_addr64 { 3487c478bd9Sstevel@tonic-gate au_id_t ai_auid; 3497c478bd9Sstevel@tonic-gate au_mask_t ai_mask; 3507c478bd9Sstevel@tonic-gate au_tid64_addr_t ai_termid; 3517c478bd9Sstevel@tonic-gate au_asid_t ai_asid; 3527c478bd9Sstevel@tonic-gate }; 3537c478bd9Sstevel@tonic-gate typedef struct auditinfo_addr64 auditinfo64_addr_t; 3547c478bd9Sstevel@tonic-gate 3557c478bd9Sstevel@tonic-gate #if defined(_SYSCALL32) 3567c478bd9Sstevel@tonic-gate struct auditinfo_addr32 { 3577c478bd9Sstevel@tonic-gate au_id_t ai_auid; 3587c478bd9Sstevel@tonic-gate au_mask_t ai_mask; 3597c478bd9Sstevel@tonic-gate au_tid32_addr_t ai_termid; 3607c478bd9Sstevel@tonic-gate au_asid_t ai_asid; 3617c478bd9Sstevel@tonic-gate }; 3627c478bd9Sstevel@tonic-gate 3637c478bd9Sstevel@tonic-gate typedef struct auditinfo_addr32 auditinfo32_addr_t; 3647c478bd9Sstevel@tonic-gate #endif 3657c478bd9Sstevel@tonic-gate 3667c478bd9Sstevel@tonic-gate typedef struct auditinfo_addr auditinfo_addr_t; 3677c478bd9Sstevel@tonic-gate 3687c478bd9Sstevel@tonic-gate struct auditpinfo { 3697c478bd9Sstevel@tonic-gate pid_t ap_pid; 3707c478bd9Sstevel@tonic-gate au_id_t ap_auid; 3717c478bd9Sstevel@tonic-gate au_mask_t ap_mask; 3727c478bd9Sstevel@tonic-gate au_tid_t ap_termid; 3737c478bd9Sstevel@tonic-gate au_asid_t ap_asid; 3747c478bd9Sstevel@tonic-gate }; 3757c478bd9Sstevel@tonic-gate 3767c478bd9Sstevel@tonic-gate #if defined(_SYSCALL32) 3777c478bd9Sstevel@tonic-gate struct auditpinfo32 { 3787c478bd9Sstevel@tonic-gate pid_t ap_pid; 3797c478bd9Sstevel@tonic-gate au_id_t ap_auid; 3807c478bd9Sstevel@tonic-gate au_mask_t ap_mask; 3817c478bd9Sstevel@tonic-gate au_tid32_t ap_termid; 3827c478bd9Sstevel@tonic-gate au_asid_t ap_asid; 3837c478bd9Sstevel@tonic-gate }; 3847c478bd9Sstevel@tonic-gate #endif 3857c478bd9Sstevel@tonic-gate 3867c478bd9Sstevel@tonic-gate 3877c478bd9Sstevel@tonic-gate struct auditpinfo_addr { 3887c478bd9Sstevel@tonic-gate pid_t ap_pid; 3897c478bd9Sstevel@tonic-gate au_id_t ap_auid; 3907c478bd9Sstevel@tonic-gate au_mask_t ap_mask; 3917c478bd9Sstevel@tonic-gate au_tid_addr_t ap_termid; 3927c478bd9Sstevel@tonic-gate au_asid_t ap_asid; 3937c478bd9Sstevel@tonic-gate }; 3947c478bd9Sstevel@tonic-gate 3957c478bd9Sstevel@tonic-gate #if defined(_SYSCALL32) 3967c478bd9Sstevel@tonic-gate struct auditpinfo_addr32 { 3977c478bd9Sstevel@tonic-gate pid_t ap_pid; 3987c478bd9Sstevel@tonic-gate au_id_t ap_auid; 3997c478bd9Sstevel@tonic-gate au_mask_t ap_mask; 4007c478bd9Sstevel@tonic-gate au_tid32_addr_t ap_termid; 4017c478bd9Sstevel@tonic-gate au_asid_t ap_asid; 4027c478bd9Sstevel@tonic-gate }; 4037c478bd9Sstevel@tonic-gate #endif 4047c478bd9Sstevel@tonic-gate 4057c478bd9Sstevel@tonic-gate 4067c478bd9Sstevel@tonic-gate struct au_evclass_map { 4077c478bd9Sstevel@tonic-gate au_event_t ec_number; 4087c478bd9Sstevel@tonic-gate au_class_t ec_class; 4097c478bd9Sstevel@tonic-gate }; 4107c478bd9Sstevel@tonic-gate typedef struct au_evclass_map au_evclass_map_t; 4117c478bd9Sstevel@tonic-gate 4127c478bd9Sstevel@tonic-gate /* 4137c478bd9Sstevel@tonic-gate * Audit stat structures (used to be in audit_stat.h 4147c478bd9Sstevel@tonic-gate */ 4157c478bd9Sstevel@tonic-gate 4167c478bd9Sstevel@tonic-gate struct audit_stat { 4177c478bd9Sstevel@tonic-gate unsigned int as_version; /* version of kernel audit code */ 4187c478bd9Sstevel@tonic-gate unsigned int as_numevent; /* number of kernel audit events */ 4197c478bd9Sstevel@tonic-gate uint32_t as_generated; /* # records processed */ 4207c478bd9Sstevel@tonic-gate uint32_t as_nonattrib; /* # non-attributed records produced */ 4217c478bd9Sstevel@tonic-gate uint32_t as_kernel; /* # records produced by kernel */ 4227c478bd9Sstevel@tonic-gate uint32_t as_audit; /* # records processed by audit(2) */ 4237c478bd9Sstevel@tonic-gate uint32_t as_auditctl; /* # records processed by auditctl(2) */ 4247c478bd9Sstevel@tonic-gate uint32_t as_enqueue; /* # records put onto audit queue */ 4257c478bd9Sstevel@tonic-gate uint32_t as_written; /* # records written to audit trail */ 4267c478bd9Sstevel@tonic-gate uint32_t as_wblocked; /* # times write blked on audit queue */ 4277c478bd9Sstevel@tonic-gate uint32_t as_rblocked; /* # times read blked on audit queue */ 4287c478bd9Sstevel@tonic-gate uint32_t as_dropped; /* # of dropped audit records */ 4297c478bd9Sstevel@tonic-gate uint32_t as_totalsize; /* total number bytes of audit data */ 4307c478bd9Sstevel@tonic-gate uint32_t as_memused; /* no longer used */ 4317c478bd9Sstevel@tonic-gate }; 4327c478bd9Sstevel@tonic-gate typedef struct audit_stat au_stat_t; 4337c478bd9Sstevel@tonic-gate 4349e9e6ab8Spaulson /* get kernel audit context dependent on AUDIT_PERZONE policy */ 4359e9e6ab8Spaulson #define GET_KCTX_PZ (audit_policy & AUDIT_PERZONE) ?\ 4369e9e6ab8Spaulson curproc->p_zone->zone_audit_kctxt :\ 4379e9e6ab8Spaulson global_zone->zone_audit_kctxt 4389e9e6ab8Spaulson /* get kernel audit context of global zone */ 4399e9e6ab8Spaulson #define GET_KCTX_GZ global_zone->zone_audit_kctxt 4409e9e6ab8Spaulson /* get kernel audit context of non-global zone */ 4419e9e6ab8Spaulson #define GET_KCTX_NGZ curproc->p_zone->zone_audit_kctxt 4427c478bd9Sstevel@tonic-gate 4437c478bd9Sstevel@tonic-gate #define AS_INC(a, b, c) atomic_add_32(&(c->auk_statistics.a), (b)) 4447c478bd9Sstevel@tonic-gate #define AS_DEC(a, b, c) atomic_add_32(&(c->auk_statistics.a), -(b)) 4457c478bd9Sstevel@tonic-gate 4467c478bd9Sstevel@tonic-gate /* 4477c478bd9Sstevel@tonic-gate * audit token IPC types (shm, sem, msg) [for ipc attribute] 4487c478bd9Sstevel@tonic-gate */ 4497c478bd9Sstevel@tonic-gate 4507c478bd9Sstevel@tonic-gate #define AT_IPC_MSG ((char)1) /* message IPC id */ 4517c478bd9Sstevel@tonic-gate #define AT_IPC_SEM ((char)2) /* semaphore IPC id */ 4527c478bd9Sstevel@tonic-gate #define AT_IPC_SHM ((char)3) /* shared memory IPC id */ 4537c478bd9Sstevel@tonic-gate 4547c478bd9Sstevel@tonic-gate #if defined(_KERNEL) 4557c478bd9Sstevel@tonic-gate 4567c478bd9Sstevel@tonic-gate #ifdef __cplusplus 4577c478bd9Sstevel@tonic-gate } 4587c478bd9Sstevel@tonic-gate #endif 4597c478bd9Sstevel@tonic-gate 4607c478bd9Sstevel@tonic-gate #include <sys/types.h> 4617c478bd9Sstevel@tonic-gate #include <sys/model.h> 4627c478bd9Sstevel@tonic-gate #include <sys/proc.h> 4637c478bd9Sstevel@tonic-gate #include <sys/stream.h> 4647c478bd9Sstevel@tonic-gate #include <sys/stropts.h> 4657c478bd9Sstevel@tonic-gate #include <sys/file.h> 4667c478bd9Sstevel@tonic-gate #include <sys/pathname.h> 4677c478bd9Sstevel@tonic-gate #include <sys/vnode.h> 4687c478bd9Sstevel@tonic-gate #include <sys/systm.h> 4697c478bd9Sstevel@tonic-gate #include <netinet/in.h> 4707c478bd9Sstevel@tonic-gate #include <c2/audit_door_infc.h> 4717c478bd9Sstevel@tonic-gate #include <sys/crypto/ioctladmin.h> 472799bd290Spwernau #include <sys/netstack.h> 473005d3febSMarek Pospisil #include <sys/zone.h> 4747c478bd9Sstevel@tonic-gate 4757c478bd9Sstevel@tonic-gate #ifdef __cplusplus 4767c478bd9Sstevel@tonic-gate extern "C" { 4777c478bd9Sstevel@tonic-gate #endif 4787c478bd9Sstevel@tonic-gate 4797c478bd9Sstevel@tonic-gate struct fcntla; 4807c478bd9Sstevel@tonic-gate struct t_audit_data; 4817c478bd9Sstevel@tonic-gate struct audit_path; 4827c478bd9Sstevel@tonic-gate struct priv_set; 4837c478bd9Sstevel@tonic-gate struct devplcysys; 4847c478bd9Sstevel@tonic-gate 4857c478bd9Sstevel@tonic-gate struct auditcalls { 4867c478bd9Sstevel@tonic-gate long code; 4877c478bd9Sstevel@tonic-gate long a1; 4887c478bd9Sstevel@tonic-gate long a2; 4897c478bd9Sstevel@tonic-gate long a3; 4907c478bd9Sstevel@tonic-gate long a4; 4917c478bd9Sstevel@tonic-gate long a5; 4927c478bd9Sstevel@tonic-gate }; 4937c478bd9Sstevel@tonic-gate 4947c478bd9Sstevel@tonic-gate int audit(caddr_t, int); 4957c478bd9Sstevel@tonic-gate int auditsys(struct auditcalls *, union rval *); /* fake stub */ 4967c478bd9Sstevel@tonic-gate void audit_cryptoadm(int, char *, crypto_mech_name_t *, 4977c478bd9Sstevel@tonic-gate uint_t, uint_t, uint32_t, int); 4987c478bd9Sstevel@tonic-gate void audit_init(void); 499005d3febSMarek Pospisil void audit_init_module(void); 5007c478bd9Sstevel@tonic-gate void audit_newproc(struct proc *); 5017c478bd9Sstevel@tonic-gate void audit_pfree(struct proc *); 5027c478bd9Sstevel@tonic-gate void audit_thread_create(kthread_id_t); 5037c478bd9Sstevel@tonic-gate void audit_thread_free(kthread_id_t); 5047c478bd9Sstevel@tonic-gate int audit_savepath(struct pathname *, struct vnode *, int, cred_t *); 5057c478bd9Sstevel@tonic-gate void audit_addcomponent(struct pathname *); 5067c478bd9Sstevel@tonic-gate void audit_anchorpath(struct pathname *, int); 5077c478bd9Sstevel@tonic-gate void audit_symlink(struct pathname *, struct pathname *); 5087c478bd9Sstevel@tonic-gate void audit_symlink_create(struct vnode *, char *, char *, int); 5097c478bd9Sstevel@tonic-gate int file_is_public(struct vattr *); 5107c478bd9Sstevel@tonic-gate void audit_attributes(struct vnode *); 5117c478bd9Sstevel@tonic-gate void audit_falloc(struct file *); 5127c478bd9Sstevel@tonic-gate void audit_unfalloc(struct file *); 5137c478bd9Sstevel@tonic-gate void audit_exit(int, int); 5147c478bd9Sstevel@tonic-gate void audit_core_start(int); 5157c478bd9Sstevel@tonic-gate void audit_core_finish(int); 5167c478bd9Sstevel@tonic-gate void audit_stropen(struct vnode *, dev_t *, int, struct cred *); 5177c478bd9Sstevel@tonic-gate void audit_strclose(struct vnode *, int, struct cred *); 5187c478bd9Sstevel@tonic-gate void audit_strioctl(struct vnode *, int, intptr_t, int, int, struct cred *, 5197c478bd9Sstevel@tonic-gate int *); 5207c478bd9Sstevel@tonic-gate void audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *, 5217c478bd9Sstevel@tonic-gate unsigned char *, int *, int); 5227c478bd9Sstevel@tonic-gate void audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *, 5237c478bd9Sstevel@tonic-gate unsigned char, int, int); 5247c478bd9Sstevel@tonic-gate void audit_closef(struct file *); 5257c478bd9Sstevel@tonic-gate int audit_getf(int); 5267c478bd9Sstevel@tonic-gate void audit_setf(struct file *, int); 5277c478bd9Sstevel@tonic-gate void audit_copen(int, struct file *, struct vnode *); 5287c478bd9Sstevel@tonic-gate void audit_reboot(void); 5297c478bd9Sstevel@tonic-gate void audit_vncreate_start(void); 5307c478bd9Sstevel@tonic-gate void audit_setfsat_path(int argnum); 5317c478bd9Sstevel@tonic-gate void audit_vncreate_finish(struct vnode *, int); 532*134a1f4eSCasper H.S. Dik void audit_exec(const char *, const char *, ssize_t, ssize_t, cred_t *); 5337c478bd9Sstevel@tonic-gate void audit_enterprom(int); 5347c478bd9Sstevel@tonic-gate void audit_exitprom(int); 5357c478bd9Sstevel@tonic-gate void audit_chdirec(struct vnode *, struct vnode **); 5367c478bd9Sstevel@tonic-gate void audit_sock(int, struct queue *, struct msgb *, int); 537005d3febSMarek Pospisil int audit_start(unsigned int, unsigned int, uint32_t, int, klwp_t *); 5387c478bd9Sstevel@tonic-gate void audit_finish(unsigned int, unsigned int, int, union rval *); 539d0fa49b7STony Nguyen int audit_async_start(label_t *, au_event_t, int); 540005d3febSMarek Pospisil void audit_async_finish(caddr_t *, au_event_t, au_emod_t, timestruc_t *); 5417c478bd9Sstevel@tonic-gate void audit_async_discard_backend(void *); 5427c478bd9Sstevel@tonic-gate void audit_async_done(caddr_t *, int); 5437c478bd9Sstevel@tonic-gate void audit_async_drop(caddr_t *, int); 5447c478bd9Sstevel@tonic-gate 5457c478bd9Sstevel@tonic-gate #ifndef AUK_CONTEXT_T 5467c478bd9Sstevel@tonic-gate #define AUK_CONTEXT_T 5477c478bd9Sstevel@tonic-gate typedef struct au_kcontext au_kcontext_t; 5487c478bd9Sstevel@tonic-gate #endif 5497c478bd9Sstevel@tonic-gate 550005d3febSMarek Pospisil /* Zone audit context setup routine */ 551005d3febSMarek Pospisil void au_zone_setup(void); 552005d3febSMarek Pospisil 553005d3febSMarek Pospisil /* 554005d3febSMarek Pospisil * c2audit module states 555005d3febSMarek Pospisil */ 556005d3febSMarek Pospisil #define C2AUDIT_DISABLED 0 /* c2audit module excluded in /etc/system */ 557005d3febSMarek Pospisil #define C2AUDIT_UNLOADED 1 /* c2audit module not loaded */ 558005d3febSMarek Pospisil #define C2AUDIT_LOADED 2 /* c2audit module loaded */ 559005d3febSMarek Pospisil 560005d3febSMarek Pospisil uint32_t audit_getstate(void); 561005d3febSMarek Pospisil int au_zone_getstate(const au_kcontext_t *); 562005d3febSMarek Pospisil 563005d3febSMarek Pospisil /* The audit mask defining in which case is auditing enabled */ 564005d3febSMarek Pospisil #define AU_AUDIT_MASK (AUC_AUDITING | AUC_NOSPACE) 565005d3febSMarek Pospisil 566005d3febSMarek Pospisil /* 567005d3febSMarek Pospisil * Get the given zone audit status. zcontext != NULL serves 568005d3febSMarek Pospisil * as a protection when c2audit module is not loaded. 569005d3febSMarek Pospisil */ 570005d3febSMarek Pospisil #define AU_ZONE_AUDITING(zcontext) \ 571005d3febSMarek Pospisil (audit_active == C2AUDIT_LOADED && \ 572005d3febSMarek Pospisil ((AU_AUDIT_MASK) & au_zone_getstate((zcontext)))) 573005d3febSMarek Pospisil 574005d3febSMarek Pospisil /* 575005d3febSMarek Pospisil * Get auditing status 576005d3febSMarek Pospisil */ 577005d3febSMarek Pospisil #define AU_AUDITING() (audit_getstate()) 578005d3febSMarek Pospisil 579799bd290Spwernau int audit_success(au_kcontext_t *, struct t_audit_data *, int, cred_t *); 5807c478bd9Sstevel@tonic-gate int auditme(au_kcontext_t *, struct t_audit_data *, au_state_t); 5817c478bd9Sstevel@tonic-gate void audit_fixpath(struct audit_path *, int); 5827c478bd9Sstevel@tonic-gate void audit_ipc(int, int, void *); 5837c478bd9Sstevel@tonic-gate void audit_ipcget(int, void *); 5847c478bd9Sstevel@tonic-gate void audit_lookupname(); 5857c478bd9Sstevel@tonic-gate int audit_pathcomp(struct pathname *, vnode_t *, cred_t *); 5867c478bd9Sstevel@tonic-gate void audit_fdsend(int, struct file *, int); 5877c478bd9Sstevel@tonic-gate void audit_fdrecv(int, struct file *); 5887c478bd9Sstevel@tonic-gate int audit_c2_revoke(struct fcntla *, rval_t *); 5897c478bd9Sstevel@tonic-gate void audit_priv(int, const struct priv_set *, int); 5907c478bd9Sstevel@tonic-gate void audit_setppriv(int, int, const struct priv_set *, const cred_t *); 5917c478bd9Sstevel@tonic-gate void audit_devpolicy(int, const struct devplcysys *); 5927c478bd9Sstevel@tonic-gate void audit_update_context(proc_t *, cred_t *); 593c28749e9Skais void audit_kssl(int, void *, int); 594799bd290Spwernau void audit_pf_policy(int, cred_t *, netstack_t *, char *, boolean_t, int, 595799bd290Spwernau pid_t); 59645916cd2Sjpk void audit_sec_attributes(caddr_t *, struct vnode *); 5977c478bd9Sstevel@tonic-gate 5987c478bd9Sstevel@tonic-gate #endif 5997c478bd9Sstevel@tonic-gate 6007c478bd9Sstevel@tonic-gate #ifdef __cplusplus 6017c478bd9Sstevel@tonic-gate } 6027c478bd9Sstevel@tonic-gate #endif 6037c478bd9Sstevel@tonic-gate 6047c478bd9Sstevel@tonic-gate #endif /* _BSM_AUDIT_H */ 605