xref: /titanic_51/usr/src/uts/common/c2/audit.h (revision 355b4669e025ff377602b6fc7caaf30dbc218371)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file contains the declarations of the various data structures
28  * used by the auditing module(s).
29  */
30 
31 #ifndef	_BSM_AUDIT_H
32 #define	_BSM_AUDIT_H
33 
34 #pragma ident	"%Z%%M%	%I%	%E% SMI"
35 
36 #ifdef __cplusplus
37 extern "C" {
38 #endif
39 
40 
41 #include <sys/shm.h>	/* for shmid_ds structure */
42 #include <sys/sem.h>	/* for semid_ds structure */
43 #include <sys/msg.h>	/* for msqid_ds structure */
44 #include <sys/atomic.h>	/* using atomics */
45 
46 /*
47  * Audit conditions, statements reguarding what's to be done with
48  * audit records.  Neither AUC_ENABLED, AUC_DISABLED, nor AUC_UNSET
49  * are returned on an auditconfig -getcond call.
50  */
51 /* global state */
52 #define	AUC_DISABLED	-1	/* audit module loaded but not enabled */
53 #define	AUC_UNSET	0	/* on/off hasn't been decided */
54 #define	AUC_ENABLED	1	/* loaded and enabled */
55 /* local zone state */
56 #define	AUC_INIT_AUDIT	4	/* c2audit is ready but auditd has not run */
57 #define	AUC_AUDITING	1	/* auditing is being done */
58 #define	AUC_NOAUDIT	2	/* auditing is not being done */
59 #define	AUC_NOSPACE	3	/* audit enabled, no space for audit records */
60 
61 /*
62  * The user id -2 is never audited - in fact, a setauid(AU_NOAUDITID)
63  * will turn off auditing.
64  */
65 #define	AU_NOAUDITID	-2
66 
67 /*
68  * success/failure bits for asynchronous events
69  */
70 
71 #define	AUM_SUCC	1	/* use the system success preselection mask */
72 #define	AUM_FAIL	2	/* use the system failure preselection mask */
73 
74 
75 /*
76  * Defines for event modifier field
77  */
78 #define	PAD_READ	0x0001		/* object read */
79 #define	PAD_WRITE	0x0002		/* object write */
80 #define	PAD_NONATTR	0x4000		/* non-attributable event */
81 #define	PAD_FAILURE	0x8000		/* fail audit event */
82 #define	PAD_SPRIVUSE	0x0080		/* successfully used privileged */
83 #define	PAD_FPRIVUSE	0x0100		/* failed use of privileged */
84 
85 /*
86  * Some typedefs for the fundamentals
87  */
88 typedef pid_t au_asid_t;
89 typedef uint_t  au_class_t;
90 typedef short au_event_t;
91 typedef short au_emod_t;
92 typedef uid_t au_id_t;
93 
94 /*
95  * An audit event mask.
96  */
97 #define	AU_MASK_ALL	0xFFFFFFFF	/* all bits on for unsigned int */
98 #define	AU_MASK_NONE	0x0		/* all bits off = no:invalid class */
99 
100 struct au_mask {
101 	unsigned int	am_success;	/* success bits */
102 	unsigned int	am_failure;	/* failure bits */
103 };
104 typedef struct au_mask au_mask_t;
105 #define	as_success am_success
106 #define	as_failure am_failure
107 
108 /*
109  * The structure of the terminal ID (ipv4)
110  */
111 struct au_tid {
112 	dev_t port;
113 	uint_t machine;
114 };
115 
116 #if defined(_SYSCALL32)
117 struct au_tid32 {
118 	uint_t port;
119 	uint_t machine;
120 };
121 
122 typedef struct au_tid32 au_tid32_t;
123 #endif
124 
125 typedef struct au_tid au_tid_t;
126 
127 /*
128  * The structure of the terminal ID (ipv6)
129  */
130 struct au_tid_addr {
131 	dev_t  at_port;
132 	uint_t at_type;
133 	uint_t at_addr[4];
134 };
135 
136 struct au_port_s {
137 	uint32_t at_major;	/* major # */
138 	uint32_t at_minor;	/* minor # */
139 };
140 typedef struct au_port_s au_port_t;
141 
142 struct au_tid_addr64 {
143 	au_port_t	at_port;
144 	uint_t		at_type;
145 	uint_t		at_addr[4];
146 };
147 typedef struct au_tid_addr64 au_tid64_addr_t;
148 
149 #if defined(_SYSCALL32)
150 struct au_tid_addr32 {
151 	uint_t at_port;
152 	uint_t at_type;
153 	uint_t at_addr[4];
154 };
155 
156 typedef struct au_tid_addr32 au_tid32_addr_t;
157 #endif
158 
159 typedef struct au_tid_addr au_tid_addr_t;
160 
161 struct au_ip {
162 	uint16_t	at_r_port;	/* remote port */
163 	uint16_t	at_l_port;	/* local port */
164 	uint32_t	at_type;	/* AU_IPv4,... */
165 	uint32_t	at_addr[4];	/* remote IP */
166 };
167 typedef struct au_ip au_ip_t;
168 
169 /*
170  * Generic network address structure
171  */
172 struct au_generic_tid {
173 	uchar_t	gt_type;	/* AU_IPADR, AU_DEVICE,... */
174 	union {
175 		au_ip_t		at_ip;
176 		au_port_t	at_dev;
177 	} gt_adr;
178 };
179 typedef struct au_generic_tid au_generic_tid_t;
180 
181 /*
182  * au_generic_tid_t gt_type values
183  * 0 is reserved for uninitialized data
184  */
185 #define	AU_IPADR	1
186 #define	AU_ETHER	2
187 #define	AU_DEVICE	3
188 
189 /*
190  * at_type values - address length used to identify address type
191  */
192 #define	AU_IPv4 4	/* ipv4 type IP address */
193 #define	AU_IPv6 16	/* ipv6 type IP address */
194 
195 /*
196  * Compatability with SunOS 4.x BSM module
197  *
198  * New code should not contain audit_state_t,
199  * au_state_t, nor au_termid as these types
200  * may go away in future releases.
201  *
202  * typedef new-5.x-bsm-name old-4.x-bsm-name
203  */
204 
205 typedef au_class_t au_state_t;
206 typedef au_mask_t audit_state_t;
207 typedef au_id_t auid_t;
208 #define	ai_state ai_mask;
209 
210 /*
211  * Opcodes for bsm system calls
212  */
213 
214 #define	BSM_GETAUID		19
215 #define	BSM_SETAUID		20
216 #define	BSM_GETAUDIT		21
217 #define	BSM_SETAUDIT		22
218 #define	BSM_GETUSERAUDIT	23
219 #define	BSM_SETUSERAUDIT	24
220 #define	BSM_AUDIT		25
221 #define	BSM_AUDITUSER		26
222 #define	BSM_AUDITSVC		27	/* EOL announced for Sol 10 */
223 #define	BSM_AUDITON		28
224 #define	BSM_AUDITCTL		29
225 #define	BSM_GETKERNSTATE	30
226 #define	BSM_SETKERNSTATE	31
227 #define	BSM_GETPORTAUDIT	32
228 #define	BSM_REVOKE		33
229 #define	BSM_AUDITSTAT		34
230 #define	BSM_GETAUDIT_ADDR	35
231 #define	BSM_SETAUDIT_ADDR	36
232 #define	BSM_AUDITDOOR		37
233 
234 /*
235  * Auditctl(2) commands
236  */
237 #define	A_GETPOLICY	2	/* get audit policy */
238 #define	A_SETPOLICY	3	/* set audit policy */
239 #define	A_GETKMASK	4	/* get kernel event preselection mask */
240 #define	A_SETKMASK	5	/* set kernel event preselection mask */
241 #define	A_GETQCTRL	6	/* get kernel audit queue ctrl parameters */
242 #define	A_SETQCTRL	7	/* set kernel audit queue ctrl parameters */
243 #define	A_GETCWD	8	/* get process current working directory */
244 #define	A_GETCAR	9	/* get process current active root */
245 #define	A_GETSTAT	12	/* get audit statistics */
246 #define	A_SETSTAT	13	/* (re)set audit statistics */
247 #define	A_SETUMASK	14	/* set preselection mask for procs with auid */
248 #define	A_SETSMASK	15	/* set preselection mask for procs with asid */
249 #define	A_GETCOND	20	/* get audit system on/off condition */
250 #define	A_SETCOND	21	/* set audit system on/off condition */
251 #define	A_GETCLASS	22	/* get audit event to class mapping */
252 #define	A_SETCLASS	23	/* set audit event to class mapping */
253 #define	A_GETPINFO	24	/* get audit info for an arbitrary pid */
254 #define	A_SETPMASK	25	/* set preselection mask for an given pid */
255 #define	A_SETFSIZE	26	/* set audit file size */
256 #define	A_GETFSIZE	27	/* get audit file size */
257 #define	A_GETPINFO_ADDR	28	/* get audit info for an arbitrary pid */
258 #define	A_GETKAUDIT	29	/* get kernel audit characteristics */
259 #define	A_SETKAUDIT	30	/* set kernel audit characteristics */
260 
261 /*
262  * Audit Policy parameters (32 bits)
263  */
264 #define	AUDIT_CNT	0x0001	/* do NOT sleep undelivered synch events */
265 #define	AUDIT_AHLT	0x0002	/* HALT machine on undelivered async event */
266 #define	AUDIT_ARGV	0x0004	/* include argv with execv system call events */
267 #define	AUDIT_ARGE	0x0008	/* include arge with execv system call events */
268 #define	AUDIT_SEQ	0x0010	/* include sequence attribute */
269 #define	AUDIT_WINDATA	0x0020	/* include interwindow moved data */
270 #define	AUDIT_USER	0x0040	/* make audituser(2) un-privileged */
271 #define	AUDIT_GROUP	0x0080	/* include group attribute with each record */
272 #define	AUDIT_TRAIL	0x0100	/* include trailer token */
273 #define	AUDIT_PATH	0x0200	/* allow multiple paths per event */
274 #define	AUDIT_SCNT	0x0400	/* sleep user events but not kernel events */
275 #define	AUDIT_PUBLIC	0x0800	/* audit even "public" files */
276 #define	AUDIT_ZONENAME	0x1000	/* emit zonename token */
277 #define	AUDIT_PERZONE	0x2000	/* auditd and audit queue for each zone */
278 
279 /*
280  * These next (WINDATA*) are used by TSOL. Although per-zone audit is not
281  * used with TSOL, these policies still make sense to be categorized as
282  * "local".
283  */
284 #define	AUDIT_WINDATA_DOWN	0x00010000	/* include downgraded data */
285 #define	AUDIT_WINDATA_UP	0x00020000	/* include upgraded data */
286 
287 /*
288  * If AUDIT_GLOBAL changes, corresponding changes are required in
289  * audit_syscalls.c's setpolicy().
290  */
291 #define	AUDIT_GLOBAL	(AUDIT_AHLT | AUDIT_PERZONE)
292 #define	AUDIT_LOCAL	(AUDIT_CNT | AUDIT_ARGV | AUDIT_ARGE |\
293 			AUDIT_SEQ | AUDIT_WINDATA | AUDIT_USER |\
294 			AUDIT_GROUP | AUDIT_TRAIL | AUDIT_PATH |\
295 			AUDIT_PUBLIC | AUDIT_SCNT | AUDIT_ZONENAME |\
296 			AUDIT_WINDATA_DOWN | AUDIT_WINDATA_UP)
297 
298 /*
299  * Kernel audit queue control parameters
300  *
301  *	audit record recording blocks at hiwater # undelived records
302  *	audit record recording resumes at lowwater # undelivered audit records
303  *	bufsz determines how big the data xfers will be to the audit trail
304  */
305 struct au_qctrl {
306 	size_t	aq_hiwater;	/* kernel audit queue, high water mark */
307 	size_t	aq_lowater;	/* kernel audit queue, low  water mark */
308 	size_t	aq_bufsz;	/* kernel audit queue, write size to trail */
309 	clock_t	aq_delay;	/* delay before flushing audit queue */
310 };
311 
312 #if defined(_SYSCALL32)
313 struct au_qctrl32 {
314 	size32_t	aq_hiwater;
315 	size32_t	aq_lowater;
316 	size32_t	aq_bufsz;
317 	clock32_t	aq_delay;
318 };
319 #endif
320 
321 
322 /*
323  * default values of hiwater and lowater (note hi > lo)
324  */
325 #define	AQ_HIWATER  100
326 #define	AQ_MAXHIGH  100000
327 #define	AQ_LOWATER  10
328 #define	AQ_BUFSZ    8192
329 #define	AQ_MAXBUFSZ 1048576
330 #define	AQ_DELAY    20
331 #define	AQ_MAXDELAY 20000
332 
333 struct auditinfo {
334 	au_id_t		ai_auid;
335 	au_mask_t	ai_mask;
336 	au_tid_t	ai_termid;
337 	au_asid_t	ai_asid;
338 };
339 
340 #if defined(_SYSCALL32)
341 struct auditinfo32 {
342 	au_id_t		ai_auid;
343 	au_mask_t	ai_mask;
344 	au_tid32_t	ai_termid;
345 	au_asid_t	ai_asid;
346 };
347 
348 typedef struct auditinfo32 auditinfo32_t;
349 #endif
350 
351 typedef struct auditinfo auditinfo_t;
352 
353 struct auditinfo_addr {
354 	au_id_t		ai_auid;
355 	au_mask_t	ai_mask;
356 	au_tid_addr_t	ai_termid;
357 	au_asid_t	ai_asid;
358 };
359 
360 struct auditinfo_addr64 {
361 	au_id_t		ai_auid;
362 	au_mask_t	ai_mask;
363 	au_tid64_addr_t	ai_termid;
364 	au_asid_t	ai_asid;
365 };
366 typedef struct auditinfo_addr64 auditinfo64_addr_t;
367 
368 #if defined(_SYSCALL32)
369 struct auditinfo_addr32 {
370 	au_id_t		ai_auid;
371 	au_mask_t	ai_mask;
372 	au_tid32_addr_t	ai_termid;
373 	au_asid_t	ai_asid;
374 };
375 
376 typedef struct auditinfo_addr32 auditinfo32_addr_t;
377 #endif
378 
379 typedef struct auditinfo_addr auditinfo_addr_t;
380 
381 struct auditpinfo {
382 	pid_t		ap_pid;
383 	au_id_t		ap_auid;
384 	au_mask_t	ap_mask;
385 	au_tid_t	ap_termid;
386 	au_asid_t	ap_asid;
387 };
388 
389 #if defined(_SYSCALL32)
390 struct auditpinfo32 {
391 	pid_t		ap_pid;
392 	au_id_t		ap_auid;
393 	au_mask_t	ap_mask;
394 	au_tid32_t	ap_termid;
395 	au_asid_t	ap_asid;
396 };
397 #endif
398 
399 
400 struct auditpinfo_addr {
401 	pid_t		ap_pid;
402 	au_id_t		ap_auid;
403 	au_mask_t	ap_mask;
404 	au_tid_addr_t	ap_termid;
405 	au_asid_t	ap_asid;
406 };
407 
408 #if defined(_SYSCALL32)
409 struct auditpinfo_addr32 {
410 	pid_t		ap_pid;
411 	au_id_t		ap_auid;
412 	au_mask_t	ap_mask;
413 	au_tid32_addr_t	ap_termid;
414 	au_asid_t	ap_asid;
415 };
416 #endif
417 
418 
419 struct au_evclass_map {
420 	au_event_t	ec_number;
421 	au_class_t	ec_class;
422 };
423 typedef struct au_evclass_map au_evclass_map_t;
424 
425 /*
426  * Audit stat structures (used to be in audit_stat.h
427  */
428 
429 struct audit_stat {
430 	unsigned int as_version;	/* version of kernel audit code */
431 	unsigned int as_numevent;	/* number of kernel audit events */
432 	uint32_t as_generated;		/* # records processed */
433 	uint32_t as_nonattrib;		/* # non-attributed records produced */
434 	uint32_t as_kernel;		/* # records produced by kernel */
435 	uint32_t as_audit;		/* # records processed by audit(2) */
436 	uint32_t as_auditctl;		/* # records processed by auditctl(2) */
437 	uint32_t as_enqueue;		/* # records put onto audit queue */
438 	uint32_t as_written;		/* # records written to audit trail */
439 	uint32_t as_wblocked;		/* # times write blked on audit queue */
440 	uint32_t as_rblocked;		/* # times read blked on audit queue */
441 	uint32_t as_dropped;		/* # of dropped audit records */
442 	uint32_t as_totalsize;		/* total number bytes of audit data */
443 	uint32_t as_memused;		/* no longer used */
444 };
445 typedef struct audit_stat au_stat_t;
446 extern int au_naevent;
447 
448 /*
449  * Secondary stat structure for file size stuff.  The stat structure was
450  * not combined to preserve the semantics of the 5.1 - 5.3 A_GETSTAT call
451  */
452 struct audit_fstat {
453 	unsigned int af_filesz;
454 	unsigned int af_currsz;
455 };
456 typedef struct audit_fstat au_fstat_t;
457 
458 /* set kernel audit context dependent on AUDIT_PERZONE policy */
459 #define	SET_KCTX_PZ	zone_getspecific(au_zone_key,\
460 			    (audit_policy & AUDIT_PERZONE) ?\
461 			    curproc->p_zone :\
462 			    global_zone)
463 /* set kernel audit context to global zone */
464 #define	SET_KCTX_GZ	zone_getspecific(au_zone_key,\
465 			    global_zone)
466 /* set kernel audit context to local zone */
467 #define	SET_KCTX_LZ	zone_getspecific(au_zone_key, curproc->p_zone)
468 
469 #define	AS_INC(a, b, c) atomic_add_32(&(c->auk_statistics.a), (b))
470 #define	AS_DEC(a, b, c) atomic_add_32(&(c->auk_statistics.a), -(b))
471 
472 /*
473  * audit token IPC types (shm, sem, msg) [for ipc attribute]
474  */
475 
476 #define	AT_IPC_MSG	((char)1)		/* message IPC id */
477 #define	AT_IPC_SEM	((char)2)		/* semaphore IPC id */
478 #define	AT_IPC_SHM	((char)3)		/* shared memory IPC id */
479 
480 #if defined(_KERNEL)
481 
482 #ifdef __cplusplus
483 }
484 #endif
485 
486 #include <sys/types.h>
487 #include <sys/model.h>
488 #include <sys/proc.h>
489 #include <sys/stream.h>
490 #include <sys/stropts.h>
491 #include <sys/file.h>
492 #include <sys/pathname.h>
493 #include <sys/vnode.h>
494 #include <sys/systm.h>
495 #include <netinet/in.h>
496 #include <c2/audit_door_infc.h>
497 #include <sys/crypto/ioctladmin.h>
498 
499 #ifdef __cplusplus
500 extern "C" {
501 #endif
502 
503 struct fcntla;
504 struct t_audit_data;
505 struct audit_path;
506 struct priv_set;
507 struct devplcysys;
508 
509 struct auditcalls {
510 	long	code;
511 	long	a1;
512 	long	a2;
513 	long	a3;
514 	long	a4;
515 	long	a5;
516 };
517 
518 int	audit(caddr_t, int);
519 int	_audit(caddr_t, int);
520 int	auditsys(struct auditcalls *, union rval *); /* fake stub */
521 int	_auditsys(struct auditcalls *, union rval *); /* real deal */
522 void	audit_cryptoadm(int, char *, crypto_mech_name_t *,
523 	    uint_t, uint_t, uint32_t, int);
524 void	audit_init(void);
525 void	audit_newproc(struct proc *);
526 void	audit_pfree(struct proc *);
527 void	audit_thread_create(kthread_id_t);
528 void	audit_thread_free(kthread_id_t);
529 int	audit_savepath(struct pathname *, struct vnode *, int, cred_t *);
530 void	audit_addcomponent(struct pathname *);
531 void	audit_anchorpath(struct pathname *, int);
532 void	audit_symlink(struct pathname *, struct pathname *);
533 void	audit_symlink_create(struct vnode *, char *, char *, int);
534 int	file_is_public(struct vattr *);
535 void	audit_attributes(struct vnode *);
536 void	audit_falloc(struct file *);
537 void	audit_unfalloc(struct file *);
538 void	audit_exit(int, int);
539 void	audit_core_start(int);
540 void	audit_core_finish(int);
541 void	audit_stropen(struct vnode *, dev_t *, int, struct cred *);
542 void	audit_strclose(struct vnode *, int, struct cred *);
543 void	audit_strioctl(struct vnode *, int, intptr_t, int, int, struct cred *,
544 		int *);
545 void	audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *,
546 		unsigned char *, int *, int);
547 void	audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *,
548 		unsigned char, int, int);
549 void	audit_closef(struct file *);
550 int	audit_getf(int);
551 void	audit_setf(struct file *, int);
552 void	audit_copen(int, struct file *, struct vnode *);
553 void	audit_reboot(void);
554 void	audit_vncreate_start(void);
555 void	audit_setfsat_path(int argnum);
556 void	audit_vncreate_finish(struct vnode *, int);
557 void	audit_exec(const char *, const char *, ssize_t, ssize_t);
558 void	audit_enterprom(int);
559 void	audit_exitprom(int);
560 void	audit_chdirec(struct vnode *, struct vnode **);
561 void	audit_sock(int, struct queue *, struct msgb *, int);
562 void	audit_free(void);
563 int	audit_start(unsigned int, unsigned int, int, klwp_t *);
564 void	audit_finish(unsigned int, unsigned int, int, union rval *);
565 int	audit_async_start(label_t *, int, int);
566 void	audit_async_finish(caddr_t *, int, int);
567 void	audit_async_discard_backend(void *);
568 void	audit_async_done(caddr_t *, int);
569 void	audit_async_drop(caddr_t *, int);
570 
571 #ifndef AUK_CONTEXT_T
572 #define	AUK_CONTEXT_T
573 typedef struct au_kcontext au_kcontext_t;
574 #endif
575 
576 int	audit_success(au_kcontext_t *, struct t_audit_data *, int);
577 int	auditme(au_kcontext_t *, struct t_audit_data *, au_state_t);
578 void	audit_fixpath(struct audit_path *, int);
579 void	audit_ipc(int, int, void *);
580 void	audit_ipcget(int, void *);
581 void	audit_lookupname();
582 int	audit_pathcomp(struct pathname *, vnode_t *, cred_t *);
583 void	audit_fdsend(int, struct file *, int);
584 void	audit_fdrecv(int, struct file *);
585 int	audit_c2_revoke(struct fcntla *, rval_t *);
586 void	audit_priv(int, const struct priv_set *, int);
587 void	audit_setppriv(int, int, const struct priv_set *, const cred_t *);
588 void	audit_devpolicy(int, const struct devplcysys *);
589 void	audit_update_context(proc_t *, cred_t *);
590 void	audit_kssl(int, void *, int);
591 void	audit_sec_attributes(caddr_t *, struct vnode *);
592 
593 #endif
594 
595 #ifdef __cplusplus
596 }
597 #endif
598 
599 #endif /* _BSM_AUDIT_H */
600