audit_private.h (161813) audit_private.h (162380)
1/*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 *
1/*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 *
29 * $FreeBSD: head/sys/security/audit/audit_private.h 161813 2006-09-01 11:45:40Z wsalamon $
29 * $FreeBSD: head/sys/security/audit/audit_private.h 162380 2006-09-17 17:52:57Z csjp $
30 */
31
32/*
33 * This include file contains function prototypes and type definitions used
34 * within the audit implementation.
35 */
36
37#ifndef _SECURITY_AUDIT_PRIVATE_H_
38#define _SECURITY_AUDIT_PRIVATE_H_
39
40#ifndef _KERNEL
41#error "no user-serviceable parts inside"
42#endif
43
44#include <sys/ipc.h>
45#include <sys/socket.h>
46#include <sys/ucred.h>
47
48#ifdef MALLOC_DECLARE
49MALLOC_DECLARE(M_AUDITBSM);
50MALLOC_DECLARE(M_AUDITDATA);
51MALLOC_DECLARE(M_AUDITPATH);
52MALLOC_DECLARE(M_AUDITTEXT);
53#endif
54
55/*
56 * The AUDIT_EXCESSIVELY_VERBOSE define enables a number of gratuitously
57 * noisy printf's to the console. Due to the volume, it should be left off
58 * unless you want your system to churn a lot whenever the audit record flow
59 * gets high.
60 */
61//#define AUDIT_EXCESSIVELY_VERBOSE
62#ifdef AUDIT_EXCESSIVELY_VERBOSE
63#define AUDIT_PRINTF(x) printf x
64#else
65#define AUDIT_PRINTF(x)
66#endif
67
68/*
69 * Audit control variables that are usually set/read via system calls and
70 * used to control various aspects of auditing.
71 */
72extern struct au_qctrl audit_qctrl;
73extern struct audit_fstat audit_fstat;
74extern struct au_mask audit_nae_mask;
75extern int audit_panic_on_write_fail;
76extern int audit_fail_stop;
77extern int audit_argv;
78extern int audit_arge;
79
80/*
81 * Success/failure conditions for the conversion of a kernel audit record to
82 * BSM format.
83 */
84#define BSM_SUCCESS 0
85#define BSM_FAILURE 1
86#define BSM_NOAUDIT 2
87
88/*
89 * Defines for the kernel audit record k_ar_commit field. Flags are set to
90 * indicate what sort of record it is, and which preselection mechanism
91 * selected it.
92 */
93#define AR_COMMIT_KERNEL 0x00000001U
94#define AR_COMMIT_USER 0x00000010U
95
96#define AR_PRESELECT_TRAIL 0x00001000U
97#define AR_PRESELECT_PIPE 0x00002000U
98
30 */
31
32/*
33 * This include file contains function prototypes and type definitions used
34 * within the audit implementation.
35 */
36
37#ifndef _SECURITY_AUDIT_PRIVATE_H_
38#define _SECURITY_AUDIT_PRIVATE_H_
39
40#ifndef _KERNEL
41#error "no user-serviceable parts inside"
42#endif
43
44#include <sys/ipc.h>
45#include <sys/socket.h>
46#include <sys/ucred.h>
47
48#ifdef MALLOC_DECLARE
49MALLOC_DECLARE(M_AUDITBSM);
50MALLOC_DECLARE(M_AUDITDATA);
51MALLOC_DECLARE(M_AUDITPATH);
52MALLOC_DECLARE(M_AUDITTEXT);
53#endif
54
55/*
56 * The AUDIT_EXCESSIVELY_VERBOSE define enables a number of gratuitously
57 * noisy printf's to the console. Due to the volume, it should be left off
58 * unless you want your system to churn a lot whenever the audit record flow
59 * gets high.
60 */
61//#define AUDIT_EXCESSIVELY_VERBOSE
62#ifdef AUDIT_EXCESSIVELY_VERBOSE
63#define AUDIT_PRINTF(x) printf x
64#else
65#define AUDIT_PRINTF(x)
66#endif
67
68/*
69 * Audit control variables that are usually set/read via system calls and
70 * used to control various aspects of auditing.
71 */
72extern struct au_qctrl audit_qctrl;
73extern struct audit_fstat audit_fstat;
74extern struct au_mask audit_nae_mask;
75extern int audit_panic_on_write_fail;
76extern int audit_fail_stop;
77extern int audit_argv;
78extern int audit_arge;
79
80/*
81 * Success/failure conditions for the conversion of a kernel audit record to
82 * BSM format.
83 */
84#define BSM_SUCCESS 0
85#define BSM_FAILURE 1
86#define BSM_NOAUDIT 2
87
88/*
89 * Defines for the kernel audit record k_ar_commit field. Flags are set to
90 * indicate what sort of record it is, and which preselection mechanism
91 * selected it.
92 */
93#define AR_COMMIT_KERNEL 0x00000001U
94#define AR_COMMIT_USER 0x00000010U
95
96#define AR_PRESELECT_TRAIL 0x00001000U
97#define AR_PRESELECT_PIPE 0x00002000U
98
99#define AR_PRESELECT_USER_TRAIL 0x00004000U
100#define AR_PRESELECT_USER_PIPE 0x00008000U
101
99/*
100 * Audit data is generated as a stream of struct audit_record structures,
101 * linked by struct kaudit_record, and contain storage for possible audit so
102 * that it will not need to be allocated during the processing of a system
103 * call, both improving efficiency and avoiding sleeping at untimely moments.
104 * This structure is converted to BSM format before being written to disk.
105 */
106struct vnode_au_info {
107 mode_t vn_mode;
108 uid_t vn_uid;
109 gid_t vn_gid;
110 dev_t vn_dev;
111 long vn_fsid;
112 long vn_fileid;
113 long vn_gen;
114};
115
116struct groupset {
117 gid_t gidset[NGROUPS];
118 u_int gidset_size;
119};
120
121struct socket_au_info {
122 int so_domain;
123 int so_type;
124 int so_protocol;
125 in_addr_t so_raddr; /* Remote address if INET socket. */
126 in_addr_t so_laddr; /* Local address if INET socket. */
127 u_short so_rport; /* Remote port. */
128 u_short so_lport; /* Local port. */
129};
130
131union auditon_udata {
132 char *au_path;
133 long au_cond;
134 long au_flags;
135 long au_policy;
136 int au_trigger;
137 au_evclass_map_t au_evclass;
138 au_mask_t au_mask;
139 auditinfo_t au_auinfo;
140 auditpinfo_t au_aupinfo;
141 auditpinfo_addr_t au_aupinfo_addr;
142 au_qctrl_t au_qctrl;
143 au_stat_t au_stat;
144 au_fstat_t au_fstat;
145};
146
147struct posix_ipc_perm {
148 uid_t pipc_uid;
149 gid_t pipc_gid;
150 mode_t pipc_mode;
151};
152
153struct audit_record {
154 /* Audit record header. */
155 u_int32_t ar_magic;
156 int ar_event;
157 int ar_retval; /* value returned to the process */
158 int ar_errno; /* return status of system call */
159 struct timespec ar_starttime;
160 struct timespec ar_endtime;
161 u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
162
163 /* Audit subject information. */
164 struct xucred ar_subj_cred;
165 uid_t ar_subj_ruid;
166 gid_t ar_subj_rgid;
167 gid_t ar_subj_egid;
168 uid_t ar_subj_auid; /* Audit user ID */
169 pid_t ar_subj_asid; /* Audit session ID */
170 pid_t ar_subj_pid;
171 struct au_tid ar_subj_term;
172 char ar_subj_comm[MAXCOMLEN + 1];
173 struct au_mask ar_subj_amask;
174
175 /* Operation arguments. */
176 uid_t ar_arg_euid;
177 uid_t ar_arg_ruid;
178 uid_t ar_arg_suid;
179 gid_t ar_arg_egid;
180 gid_t ar_arg_rgid;
181 gid_t ar_arg_sgid;
182 pid_t ar_arg_pid;
183 pid_t ar_arg_asid;
184 struct au_tid ar_arg_termid;
185 uid_t ar_arg_uid;
186 uid_t ar_arg_auid;
187 gid_t ar_arg_gid;
188 struct groupset ar_arg_groups;
189 int ar_arg_fd;
190 int ar_arg_fflags;
191 mode_t ar_arg_mode;
192 int ar_arg_dev;
193 long ar_arg_value;
194 void * ar_arg_addr;
195 int ar_arg_len;
196 int ar_arg_mask;
197 u_int ar_arg_signum;
198 char ar_arg_login[MAXLOGNAME];
199 int ar_arg_ctlname[CTL_MAXNAME];
200 struct sockaddr ar_arg_sockaddr;
201 struct socket_au_info ar_arg_sockinfo;
202 char *ar_arg_upath1;
203 char *ar_arg_upath2;
204 char *ar_arg_text;
205 struct au_mask ar_arg_amask;
206 struct vnode_au_info ar_arg_vnode1;
207 struct vnode_au_info ar_arg_vnode2;
208 int ar_arg_cmd;
209 int ar_arg_svipc_cmd;
210 struct ipc_perm ar_arg_svipc_perm;
211 int ar_arg_svipc_id;
212 void * ar_arg_svipc_addr;
213 struct posix_ipc_perm ar_arg_pipc_perm;
214 union auditon_udata ar_arg_auditon;
215 char *ar_arg_argv;
216 int ar_arg_argc;
217 char *ar_arg_envv;
218 int ar_arg_envc;
219 int ar_arg_exitstatus;
220 int ar_arg_exitretval;
221};
222
223/*
224 * Arguments in the audit record are initially not defined; flags are set to
225 * indicate if they are present so they can be included in the audit log
226 * stream only if defined.
227 */
228#define ARG_IS_VALID(kar, arg) ((kar)->k_ar.ar_valid_arg & (arg))
229#define ARG_SET_VALID(kar, arg) do { \
230 (kar)->k_ar.ar_valid_arg |= (arg); \
231} while (0)
232
233/*
234 * In-kernel version of audit record; the basic record plus queue meta-data.
235 * This record can also have a pointer set to some opaque data that will be
236 * passed through to the audit writing mechanism.
237 */
238struct kaudit_record {
239 struct audit_record k_ar;
240 u_int32_t k_ar_commit;
241 void *k_udata; /* User data. */
242 u_int k_ulen; /* User data length. */
243 struct uthread *k_uthread; /* Audited thread. */
244 TAILQ_ENTRY(kaudit_record) k_q;
245};
246TAILQ_HEAD(kaudit_queue, kaudit_record);
247
248/*
249 * Functions to manage the allocation, release, and commit of kernel audit
250 * records.
251 */
252void audit_abort(struct kaudit_record *ar);
253void audit_commit(struct kaudit_record *ar, int error,
254 int retval);
255struct kaudit_record *audit_new(int event, struct thread *td);
256
257/*
258 * Functions relating to the conversion of internal kernel audit records to
259 * the BSM file format.
260 */
261struct au_record;
262int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau);
263int bsm_rec_verify(void *rec);
264
265/*
266 * Kernel versions of the libbsm audit record functions.
267 */
268void kau_free(struct au_record *rec);
269void kau_init(void);
270
271/*
272 * Return values for pre-selection and post-selection decisions.
273 */
274#define AU_PRS_SUCCESS 1
275#define AU_PRS_FAILURE 2
276#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
277
278/*
279 * Data structures relating to the kernel audit queue. Ideally, these might
280 * be abstracted so that only accessor methods are exposed.
281 */
282extern struct mtx audit_mtx;
283extern struct cv audit_watermark_cv;
284extern struct cv audit_worker_cv;
285extern struct kaudit_queue audit_q;
286extern int audit_q_len;
287extern int audit_pre_q_len;
288extern int audit_in_failure;
289
290/*
291 * Flags to use on audit files when opening and closing.
292 */
293#define AUDIT_OPEN_FLAGS (FWRITE | O_APPEND)
294#define AUDIT_CLOSE_FLAGS (FWRITE | O_APPEND)
295
296#include <sys/fcntl.h>
297#include <sys/kernel.h>
298#include <sys/malloc.h>
299
300/*
301 * Some of the BSM tokenizer functions take different parameters in the
302 * kernel implementations in order to save the copying of large kernel data
303 * structures. The prototypes of these functions are declared here.
304 */
305token_t *kau_to_socket(struct socket_au_info *soi);
306
307/*
308 * audit_klib prototypes
309 */
310int au_preselect(au_event_t event, au_class_t class,
311 au_mask_t *mask_p, int sorf);
312au_event_t flags_and_error_to_openevent(int oflags, int error);
313void au_evclassmap_init(void);
314void au_evclassmap_insert(au_event_t event, au_class_t class);
315au_class_t au_event_class(au_event_t event);
316au_event_t ctlname_to_sysctlevent(int name[], uint64_t valid_arg);
317int auditon_command_event(int cmd);
318int msgctl_to_event(int cmd);
319int semctl_to_event(int cmr);
320void canon_path(struct thread *td, char *path, char *cpath);
321
322/*
323 * Audit trigger events notify user space of kernel audit conditions
324 * asynchronously.
325 */
326void audit_trigger_init(void);
327int send_trigger(unsigned int trigger);
328
329/*
330 * General audit related functions.
331 */
332struct kaudit_record *currecord(void);
333void audit_free(struct kaudit_record *ar);
334void audit_shutdown(void *arg, int howto);
335void audit_rotate_vnode(struct ucred *cred,
336 struct vnode *vp);
337void audit_worker_init(void);
338
339/*
340 * Audit pipe functions.
341 */
342int audit_pipe_preselect(au_id_t auid, au_event_t event,
343 au_class_t class, int sorf, int trail_select);
344void audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class,
345 int sorf, int trail_select, void *record, u_int record_len);
346void audit_pipe_submit_user(void *record, u_int record_len);
347
348#endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */
102/*
103 * Audit data is generated as a stream of struct audit_record structures,
104 * linked by struct kaudit_record, and contain storage for possible audit so
105 * that it will not need to be allocated during the processing of a system
106 * call, both improving efficiency and avoiding sleeping at untimely moments.
107 * This structure is converted to BSM format before being written to disk.
108 */
109struct vnode_au_info {
110 mode_t vn_mode;
111 uid_t vn_uid;
112 gid_t vn_gid;
113 dev_t vn_dev;
114 long vn_fsid;
115 long vn_fileid;
116 long vn_gen;
117};
118
119struct groupset {
120 gid_t gidset[NGROUPS];
121 u_int gidset_size;
122};
123
124struct socket_au_info {
125 int so_domain;
126 int so_type;
127 int so_protocol;
128 in_addr_t so_raddr; /* Remote address if INET socket. */
129 in_addr_t so_laddr; /* Local address if INET socket. */
130 u_short so_rport; /* Remote port. */
131 u_short so_lport; /* Local port. */
132};
133
134union auditon_udata {
135 char *au_path;
136 long au_cond;
137 long au_flags;
138 long au_policy;
139 int au_trigger;
140 au_evclass_map_t au_evclass;
141 au_mask_t au_mask;
142 auditinfo_t au_auinfo;
143 auditpinfo_t au_aupinfo;
144 auditpinfo_addr_t au_aupinfo_addr;
145 au_qctrl_t au_qctrl;
146 au_stat_t au_stat;
147 au_fstat_t au_fstat;
148};
149
150struct posix_ipc_perm {
151 uid_t pipc_uid;
152 gid_t pipc_gid;
153 mode_t pipc_mode;
154};
155
156struct audit_record {
157 /* Audit record header. */
158 u_int32_t ar_magic;
159 int ar_event;
160 int ar_retval; /* value returned to the process */
161 int ar_errno; /* return status of system call */
162 struct timespec ar_starttime;
163 struct timespec ar_endtime;
164 u_int64_t ar_valid_arg; /* Bitmask of valid arguments */
165
166 /* Audit subject information. */
167 struct xucred ar_subj_cred;
168 uid_t ar_subj_ruid;
169 gid_t ar_subj_rgid;
170 gid_t ar_subj_egid;
171 uid_t ar_subj_auid; /* Audit user ID */
172 pid_t ar_subj_asid; /* Audit session ID */
173 pid_t ar_subj_pid;
174 struct au_tid ar_subj_term;
175 char ar_subj_comm[MAXCOMLEN + 1];
176 struct au_mask ar_subj_amask;
177
178 /* Operation arguments. */
179 uid_t ar_arg_euid;
180 uid_t ar_arg_ruid;
181 uid_t ar_arg_suid;
182 gid_t ar_arg_egid;
183 gid_t ar_arg_rgid;
184 gid_t ar_arg_sgid;
185 pid_t ar_arg_pid;
186 pid_t ar_arg_asid;
187 struct au_tid ar_arg_termid;
188 uid_t ar_arg_uid;
189 uid_t ar_arg_auid;
190 gid_t ar_arg_gid;
191 struct groupset ar_arg_groups;
192 int ar_arg_fd;
193 int ar_arg_fflags;
194 mode_t ar_arg_mode;
195 int ar_arg_dev;
196 long ar_arg_value;
197 void * ar_arg_addr;
198 int ar_arg_len;
199 int ar_arg_mask;
200 u_int ar_arg_signum;
201 char ar_arg_login[MAXLOGNAME];
202 int ar_arg_ctlname[CTL_MAXNAME];
203 struct sockaddr ar_arg_sockaddr;
204 struct socket_au_info ar_arg_sockinfo;
205 char *ar_arg_upath1;
206 char *ar_arg_upath2;
207 char *ar_arg_text;
208 struct au_mask ar_arg_amask;
209 struct vnode_au_info ar_arg_vnode1;
210 struct vnode_au_info ar_arg_vnode2;
211 int ar_arg_cmd;
212 int ar_arg_svipc_cmd;
213 struct ipc_perm ar_arg_svipc_perm;
214 int ar_arg_svipc_id;
215 void * ar_arg_svipc_addr;
216 struct posix_ipc_perm ar_arg_pipc_perm;
217 union auditon_udata ar_arg_auditon;
218 char *ar_arg_argv;
219 int ar_arg_argc;
220 char *ar_arg_envv;
221 int ar_arg_envc;
222 int ar_arg_exitstatus;
223 int ar_arg_exitretval;
224};
225
226/*
227 * Arguments in the audit record are initially not defined; flags are set to
228 * indicate if they are present so they can be included in the audit log
229 * stream only if defined.
230 */
231#define ARG_IS_VALID(kar, arg) ((kar)->k_ar.ar_valid_arg & (arg))
232#define ARG_SET_VALID(kar, arg) do { \
233 (kar)->k_ar.ar_valid_arg |= (arg); \
234} while (0)
235
236/*
237 * In-kernel version of audit record; the basic record plus queue meta-data.
238 * This record can also have a pointer set to some opaque data that will be
239 * passed through to the audit writing mechanism.
240 */
241struct kaudit_record {
242 struct audit_record k_ar;
243 u_int32_t k_ar_commit;
244 void *k_udata; /* User data. */
245 u_int k_ulen; /* User data length. */
246 struct uthread *k_uthread; /* Audited thread. */
247 TAILQ_ENTRY(kaudit_record) k_q;
248};
249TAILQ_HEAD(kaudit_queue, kaudit_record);
250
251/*
252 * Functions to manage the allocation, release, and commit of kernel audit
253 * records.
254 */
255void audit_abort(struct kaudit_record *ar);
256void audit_commit(struct kaudit_record *ar, int error,
257 int retval);
258struct kaudit_record *audit_new(int event, struct thread *td);
259
260/*
261 * Functions relating to the conversion of internal kernel audit records to
262 * the BSM file format.
263 */
264struct au_record;
265int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau);
266int bsm_rec_verify(void *rec);
267
268/*
269 * Kernel versions of the libbsm audit record functions.
270 */
271void kau_free(struct au_record *rec);
272void kau_init(void);
273
274/*
275 * Return values for pre-selection and post-selection decisions.
276 */
277#define AU_PRS_SUCCESS 1
278#define AU_PRS_FAILURE 2
279#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
280
281/*
282 * Data structures relating to the kernel audit queue. Ideally, these might
283 * be abstracted so that only accessor methods are exposed.
284 */
285extern struct mtx audit_mtx;
286extern struct cv audit_watermark_cv;
287extern struct cv audit_worker_cv;
288extern struct kaudit_queue audit_q;
289extern int audit_q_len;
290extern int audit_pre_q_len;
291extern int audit_in_failure;
292
293/*
294 * Flags to use on audit files when opening and closing.
295 */
296#define AUDIT_OPEN_FLAGS (FWRITE | O_APPEND)
297#define AUDIT_CLOSE_FLAGS (FWRITE | O_APPEND)
298
299#include <sys/fcntl.h>
300#include <sys/kernel.h>
301#include <sys/malloc.h>
302
303/*
304 * Some of the BSM tokenizer functions take different parameters in the
305 * kernel implementations in order to save the copying of large kernel data
306 * structures. The prototypes of these functions are declared here.
307 */
308token_t *kau_to_socket(struct socket_au_info *soi);
309
310/*
311 * audit_klib prototypes
312 */
313int au_preselect(au_event_t event, au_class_t class,
314 au_mask_t *mask_p, int sorf);
315au_event_t flags_and_error_to_openevent(int oflags, int error);
316void au_evclassmap_init(void);
317void au_evclassmap_insert(au_event_t event, au_class_t class);
318au_class_t au_event_class(au_event_t event);
319au_event_t ctlname_to_sysctlevent(int name[], uint64_t valid_arg);
320int auditon_command_event(int cmd);
321int msgctl_to_event(int cmd);
322int semctl_to_event(int cmr);
323void canon_path(struct thread *td, char *path, char *cpath);
324
325/*
326 * Audit trigger events notify user space of kernel audit conditions
327 * asynchronously.
328 */
329void audit_trigger_init(void);
330int send_trigger(unsigned int trigger);
331
332/*
333 * General audit related functions.
334 */
335struct kaudit_record *currecord(void);
336void audit_free(struct kaudit_record *ar);
337void audit_shutdown(void *arg, int howto);
338void audit_rotate_vnode(struct ucred *cred,
339 struct vnode *vp);
340void audit_worker_init(void);
341
342/*
343 * Audit pipe functions.
344 */
345int audit_pipe_preselect(au_id_t auid, au_event_t event,
346 au_class_t class, int sorf, int trail_select);
347void audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class,
348 int sorf, int trail_select, void *record, u_int record_len);
349void audit_pipe_submit_user(void *record, u_int record_len);
350
351#endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */
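Review bot: The two defines that appear only on the 162380 side, `AR_PRESELECT_USER_TRAIL` (0x00004000U) and `AR_PRESELECT_USER_PIPE` (0x00008000U) at lines 99-100, carry no comment. The block comment above the `k_ar_commit` defines was also not extended to say how they differ from `AR_PRESELECT_TRAIL` and `AR_PRESELECT_PIPE`. Judging only by the names and by the `k_udata`/`k_ulen` fields of `struct kaudit_record`, they presumably record that the user-supplied record, rather than the kernel-generated one, was selected for the trail or a pipe. That should be confirmed against the commit path, which this header does not show, and then stated here, because anyone checking which records reach the audit trail needs to know the two selections are tracked in separate bits. I would add above line 99 something like `/* Preselection results for the user-supplied record in k_udata, kept separate from the kernel record's AR_PRESELECT_* bits. */`.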