LXR darwin-xnu/bsd/bsm/audit

   1/*
   2 * @APPLE_LICENSE_HEADER_START@
   3 * 
   4 * Copyright (c) 1999-2004 Apple Computer, Inc.  All Rights Reserved.
   5 * 
   6 * This file contains Original Code and/or Modifications of Original Code
   7 * as defined in and that are subject to the Apple Public Source License
   8 * Version 2.0 (the 'License'). You may not use this file except in
   9 * compliance with the License. Please obtain a copy of the License at
  10 * http://www.opensource.apple.com/apsl/ and read it before using this
  11 * file.
  12 * 
  13 * The Original Code and all software distributed under the License are
  14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18 * Please see the License for the specific language governing rights and
  19 * limitations under the License.
  20 * 
  21 * @APPLE_LICENSE_HEADER_END@
  22 */
  23
  24#ifndef _BSM_AUDIT_KERNEL_H
  25#define _BSM_AUDIT_KERNEL_H
  26
  27#ifdef KERNEL
  28
  29#include <bsm/audit.h>
  30
  31#include <sys/sysctl.h>
  32#include <sys/user.h>
  33#include <sys/ipc.h>
  34
  35/*
  36 * Audit subsystem condition flags.  The audit_enabled flag is set and
  37 * removed automatically as a result of configuring log files, and
  38 * can be observed but should not be directly manipulated.  The audit
  39 * suspension flag permits audit to be temporarily disabled without
  40 * reconfiguring the audit target.
  41 */
  42extern int      audit_enabled;
  43extern int      audit_suspended;
  44
  45#define BSM_SUCCESS             0
  46#define BSM_FAILURE             1
  47#define BSM_NOAUDIT             2
  48
  49/*
  50 * Define the masks for the audited arguments.
  51 */
  52#define ARG_EUID                0x0000000000000001ULL
  53#define ARG_RUID                0x0000000000000002ULL
  54#define ARG_SUID                0x0000000000000004ULL
  55#define ARG_EGID                0x0000000000000008ULL
  56#define ARG_RGID                0x0000000000000010ULL
  57#define ARG_SGID                0x0000000000000020ULL
  58#define ARG_PID                 0x0000000000000040ULL
  59#define ARG_UID                 0x0000000000000080ULL
  60#define ARG_AUID                0x0000000000000100ULL
  61#define ARG_GID                 0x0000000000000200ULL
  62#define ARG_FD                  0x0000000000000400ULL
  63#define ARG_POSIX_IPC_PERM      0x0000000000000800ULL
  64#define ARG_FFLAGS              0x0000000000001000ULL
  65#define ARG_MODE                0x0000000000002000ULL
  66#define ARG_DEV                 0x0000000000004000ULL
  67#define ARG_ADDR                0x0000000000008000ULL
  68#define ARG_LEN                 0x0000000000010000ULL
  69#define ARG_MASK                0x0000000000020000ULL
  70#define ARG_SIGNUM              0x0000000000040000ULL
  71#define ARG_LOGIN               0x0000000000080000ULL
  72#define ARG_SADDRINET           0x0000000000100000ULL
  73#define ARG_SADDRINET6          0x0000000000200000ULL
  74#define ARG_SADDRUNIX           0x0000000000400000ULL
  75#define ARG_KPATH1              0x0000000000800000ULL
  76#define ARG_KPATH2              0x0000000001000000ULL
  77#define ARG_UPATH1              0x0000000002000000ULL
  78#define ARG_UPATH2              0x0000000004000000ULL
  79#define ARG_TEXT                0x0000000008000000ULL
  80#define ARG_VNODE1              0x0000000010000000ULL
  81#define ARG_VNODE2              0x0000000020000000ULL
  82#define ARG_SVIPC_CMD           0x0000000040000000ULL
  83#define ARG_SVIPC_PERM          0x0000000080000000ULL
  84#define ARG_SVIPC_ID            0x0000000100000000ULL
  85#define ARG_SVIPC_ADDR          0x0000000200000000ULL
  86#define ARG_GROUPSET            0x0000000400000000ULL
  87#define ARG_CMD                 0x0000000800000000ULL
  88#define ARG_SOCKINFO            0x0000001000000000ULL
  89#define ARG_ASID                0x0000002000000000ULL
  90#define ARG_TERMID              0x0000004000000000ULL
  91#define ARG_AUDITON             0x0000008000000000ULL
  92#define ARG_VALUE               0x0000010000000000ULL
  93#define ARG_AMASK               0x0000020000000000ULL
  94#define ARG_CTLNAME             0x0000040000000000ULL
  95#define ARG_PROCESS             0x0000080000000000ULL
  96#define ARG_MACHPORT1           0x0000100000000000ULL
  97#define ARG_MACHPORT2           0x0000200000000000ULL
  98#define ARG_NONE                0x0000000000000000ULL
  99#define ARG_ALL                 0xFFFFFFFFFFFFFFFFULL
 100
 101/* Defines for the kernel audit record k_ar_commit field */
 102#define AR_COMMIT_KERNEL        0x00000001U
 103#define AR_COMMIT_USER          0x00000010U
 104
 105struct vnode_au_info {
 106        mode_t          vn_mode;
 107        uid_t           vn_uid;
 108        gid_t           vn_gid;
 109        dev_t           vn_dev;
 110        long            vn_fsid;
 111        long            vn_fileid;
 112        long            vn_gen;
 113};
 114
 115struct groupset {
 116        gid_t   gidset[NGROUPS];
 117        u_int   gidset_size;
 118};
 119
 120struct socket_au_info {
 121        int             so_domain;
 122        int             so_type;
 123        int             so_protocol;
 124        in_addr_t       so_raddr;       /* remote address if INET socket */
 125        in_addr_t       so_laddr;       /* local address if INET socket */
 126        u_short         so_rport;       /* remote port */
 127        u_short         so_lport;       /* local port */
 128};
 129
 130union auditon_udata {
 131        char                    au_path[MAXPATHLEN];
 132        long                    au_cond;
 133        long                    au_flags;
 134        long                    au_policy;
 135        au_evclass_map_t        au_evclass;
 136        au_mask_t               au_mask;
 137        auditinfo_t             au_auinfo;
 138        auditpinfo_t            au_aupinfo;
 139        auditpinfo_addr_t       au_aupinfo_addr;
 140        au_qctrl_t              au_qctrl;
 141        au_stat_t               au_stat;
 142        au_fstat_t              au_fstat;
 143};
 144
 145struct posix_ipc_perm {
 146        uid_t                   pipc_uid;
 147        gid_t                   pipc_gid;
 148        mode_t                  pipc_mode;
 149};
 150
 151struct audit_record {
 152        /* Audit record header. */
 153        u_int32_t               ar_magic;
 154        int                     ar_event;
 155        int                     ar_retval; /* value returned to the process */
 156        int                     ar_errno;  /* return status of system call */
 157        struct timespec         ar_starttime;
 158        struct timespec         ar_endtime;
 159        u_int64_t               ar_valid_arg;  /* Bitmask of valid arguments */
 160
 161        /* Audit subject information. */
 162        struct xucred                   ar_subj_cred;
 163        uid_t                           ar_subj_ruid;
 164        gid_t                           ar_subj_rgid;
 165        gid_t                           ar_subj_egid;
 166        uid_t                           ar_subj_auid; /* Audit user ID */
 167        pid_t                           ar_subj_asid; /* Audit session ID */
 168        pid_t                           ar_subj_pid;
 169        struct au_tid                   ar_subj_term;   
 170        char                            ar_subj_comm[MAXCOMLEN + 1];
 171        struct au_mask                  ar_subj_amask;
 172
 173        /* Operation arguments. */
 174        uid_t                           ar_arg_euid;
 175        uid_t                           ar_arg_ruid;
 176        uid_t                           ar_arg_suid;
 177        gid_t                           ar_arg_egid;
 178        gid_t                           ar_arg_rgid;
 179        gid_t                           ar_arg_sgid;
 180        pid_t                           ar_arg_pid;
 181        pid_t                           ar_arg_asid;
 182        struct au_tid                   ar_arg_termid;  
 183        uid_t                           ar_arg_uid;
 184        uid_t                           ar_arg_auid;
 185        gid_t                           ar_arg_gid;
 186        struct groupset                 ar_arg_groups;
 187        int                             ar_arg_fd;
 188        int                             ar_arg_fflags;
 189        mode_t                          ar_arg_mode;
 190        int                             ar_arg_dev;
 191        long                            ar_arg_value;
 192        void *                          ar_arg_addr;
 193        int                             ar_arg_len;
 194        int                             ar_arg_mask;
 195        u_int                           ar_arg_signum;
 196        char                            ar_arg_login[MAXLOGNAME];
 197        int                             ar_arg_ctlname[CTL_MAXNAME];
 198        struct sockaddr                 ar_arg_sockaddr;
 199        struct socket_au_info           ar_arg_sockinfo;
 200        char                            *ar_arg_upath1;
 201        char                            *ar_arg_upath2;
 202        char                            *ar_arg_kpath1;
 203        char                            *ar_arg_kpath2;
 204        char                            *ar_arg_text;
 205        struct au_mask                  ar_arg_amask;
 206        struct vnode_au_info            ar_arg_vnode1;
 207        struct vnode_au_info            ar_arg_vnode2;
 208        int                             ar_arg_cmd;
 209        int                             ar_arg_svipc_cmd;
 210        struct ipc_perm                 ar_arg_svipc_perm;
 211        int                             ar_arg_svipc_id;
 212        void *                          ar_arg_svipc_addr;
 213        struct posix_ipc_perm           ar_arg_pipc_perm;
 214        mach_port_name_t                ar_arg_mach_port1;
 215        mach_port_name_t                ar_arg_mach_port2;
 216        union auditon_udata             ar_arg_auditon;
 217};
 218
 219/*
 220 * In-kernel version of audit record; the basic record plus queue meta-data.
 221 * This record can also have a pointer set to some opaque data that will
 222 * be passed through to the audit writing mechanism.
 223 */
 224struct kaudit_record {
 225        struct audit_record             k_ar;
 226        u_int32_t                       k_ar_commit; 
 227        void                            *k_udata;    /* user data */    
 228        u_int                           k_ulen;     /* user data length */      
 229        struct uthread                  *k_uthread; /* thread we are auditing */
 230        TAILQ_ENTRY(kaudit_record)      k_q;
 231};
 232
 233struct proc;
 234struct vnode;
 235struct componentname;
 236
 237void                     audit_abort(struct kaudit_record *ar);
 238void                     audit_commit(struct kaudit_record *ar, int error, 
 239                                        int retval);
 240void                     audit_init(void);
 241void                     audit_shutdown(void);
 242
 243struct kaudit_record    *audit_new(int event, struct proc *p,
 244                            struct uthread *uthread);
 245
 246void                     audit_syscall_enter(unsigned short code,
 247                                struct proc *proc, struct uthread *uthread);
 248void                     audit_syscall_exit(int error, struct proc *proc,
 249                                struct uthread *uthread);
 250void                     audit_mach_syscall_enter(unsigned short audit_event);
 251void                     audit_mach_syscall_exit(int retval,
 252                                struct uthread *uthread);
 253
 254int                     kaudit_to_bsm(struct kaudit_record *kar,
 255                                        struct au_record **pau);
 256
 257int                     bsm_rec_verify(void *rec);
 258
 259/*
 260 * Kernel versions of the BSM audit record functions.
 261 */
 262struct au_record        *kau_open(void);
 263int                     kau_write(struct au_record *rec, token_t *m);
 264int                     kau_close(struct au_record *rec, 
 265                                 struct timespec *endtime, short event);
 266void                    kau_free(struct au_record *rec);
 267void                    kau_init(void);
 268token_t                 *kau_to_file(const char *file, const struct timeval *tv);
 269token_t                 *kau_to_header(const struct timespec *ctime, int rec_size, 
 270                                        au_event_t e_type, au_emod_t e_mod);
 271token_t                 *kau_to_header32(const struct timespec *ctime, int rec_size, 
 272                                        au_event_t e_type, au_emod_t e_mod);
 273token_t                 *kau_to_header64(const struct timespec *ctime, int rec_size,
 274                                         au_event_t e_type, au_emod_t e_mod);
 275/*
 276 * The remaining kernel functions are conditionally compiled in as they
 277 * are wrapped by a macro, and the macro should be the only place in 
 278 * the source tree where these functions are referenced.
 279 */
 280#ifdef AUDIT
 281void                     audit_arg_addr(user_addr_t addr);
 282void                     audit_arg_len(user_size_t len);
 283void                     audit_arg_fd(int fd);
 284void                     audit_arg_fflags(int fflags);
 285void                     audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid, 
 286                                        gid_t sgid);
 287void                     audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid, 
 288                                        uid_t suid);
 289void                     audit_arg_groupset(const gid_t *gidset, u_int gidset_size);
 290void                     audit_arg_login(const char *login);
 291void                     audit_arg_ctlname(const int *name, int namelen);
 292void                     audit_arg_mask(int mask);
 293void                     audit_arg_mode(mode_t mode);
 294void                     audit_arg_dev(int dev);
 295void                     audit_arg_value(long value);
 296void                     audit_arg_owner(uid_t uid, gid_t gid);
 297void                     audit_arg_pid(pid_t pid);
 298void                     audit_arg_process(struct proc *p);
 299void                     audit_arg_signum(u_int signum);
 300void                     audit_arg_socket(int sodomain, int sotype, 
 301                                                int soprotocol);
 302void                     audit_arg_sockaddr(struct proc *p, 
 303                                                struct sockaddr *so);
 304void                     audit_arg_auid(uid_t auid);
 305void                     audit_arg_auditinfo(const struct auditinfo *au_info);
 306void                     audit_arg_upath(struct proc *p, char *upath, 
 307                                         u_int64_t flags);
 308void                     audit_arg_vnpath(struct vnode *vp, u_int64_t flags);
 309void                     audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags);
 310void                     audit_arg_text(const char *text);
 311void                     audit_arg_cmd(int cmd);
 312void                     audit_arg_svipc_cmd(int cmd);
 313void                     audit_arg_svipc_perm(const struct ipc_perm *perm);
 314void                     audit_arg_svipc_id(int id);
 315void                     audit_arg_svipc_addr(void *addr);
 316void                     audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, 
 317                                                 mode_t mode);
 318void                     audit_arg_auditon(const union auditon_udata *udata);
 319void                     audit_arg_file(struct proc *p, const struct fileproc *fp);
 320void                     audit_arg_mach_port1(mach_port_name_t port);
 321void                     audit_arg_mach_port2(mach_port_name_t port);
 322
 323void                     audit_sysclose(struct proc *p, int fd);
 324
 325void                     audit_proc_init(struct proc *p);
 326void                     audit_proc_fork(struct proc *parent, 
 327                                         struct proc *child);
 328void                     audit_proc_free(struct proc *p);
 329
 330/*
 331 * Define a macro to wrap the audit_arg_* calls by checking the global
 332 * audit_enabled flag before performing the actual call.
 333 */
 334#define AUDIT_ARG(op, args...)  do {                                    \
 335        if (audit_enabled)                                              \
 336                audit_arg_ ## op (args);                                \
 337        } while (0)
 338
 339#define AUDIT_SYSCALL_ENTER(args...)    do {                            \
 340        if (audit_enabled) {                                            \
 341                audit_syscall_enter(args);                              \
 342        }                                                               \
 343        } while (0)
 344
 345/*
 346 * Wrap the audit_syscall_exit() function so that it is called only when
 347 * auditing is enabled, or we have a audit record on the thread. It is 
 348 * possible that an audit record was begun before auditing was turned off.
 349 */
 350#define AUDIT_SYSCALL_EXIT(error, proc, uthread)        do {            \
 351        if (audit_enabled || (uthread->uu_ar != NULL)) {                        \
 352                audit_syscall_exit(error, proc, uthread);               \
 353        }                                                               \
 354        } while (0)
 355
 356/*
 357 * Wrap the audit_mach_syscall_enter() and audit_mach_syscall_exit()
 358 * functions in a manner similar to other system call enter/exit functions.
 359 */
 360#define AUDIT_MACH_SYSCALL_ENTER(args...)       do {                    \
 361        if (audit_enabled) {                                            \
 362                audit_mach_syscall_enter(args);                         \
 363        }                                                               \
 364        } while (0)
 365
 366#define AUDIT_MACH_SYSCALL_EXIT(retval)         do {                    \
 367        struct uthread *__uthread = get_bsdthread_info(current_thread());       \
 368        if (audit_enabled || (__uthread->uu_ar != NULL)) {                      \
 369                audit_mach_syscall_exit(retval, __uthread);             \
 370        }                                                               \
 371        } while (0)
 372
 373/*
 374 * A Macro to wrap the audit_sysclose() function.
 375 */
 376#define AUDIT_SYSCLOSE(args...) do {                                    \
 377        if (audit_enabled)                                              \
 378                audit_sysclose(args);                                   \
 379        } while (0)
 380
 381#else /* !AUDIT */
 382#define AUDIT_SYSCALL_ENTER(args...)    do {                            \
 383        } while (0)
 384
 385#define AUDIT_SYSCALL_EXIT(error, proc, uthread)        do {            \
 386        } while (0)
 387
 388#define AUDIT_MACH_SYSCALL_ENTER(args...)       do {                    \
 389        } while (0)
 390
 391#define AUDIT_MACH_SYSCALL_EXIT(retval)         do {                    \
 392        } while (0)
 393
 394#define AUDIT_SYSCLOSE(op, args...)     do {                            \
 395        } while (0)
 396
 397#endif /* AUDIT */
 398
 399#endif /* KERNEL */
 400
 401#endif /* !_BSM_AUDIT_KERNEL_H */
 402