1/*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 */ 30/* 31 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce 32 * support for mandatory and extensible security protections. This notice 33 * is included in support of clause 2.2 (b) of the Apple Public License, 34 * Version 2.0. 35 */ 36 37/* 38 * This header includes function prototypes and type definitions that are 39 * necessary for the kernel as a whole to interact with the audit subsystem. 40 */ 41 42#ifndef _SECURITY_AUDIT_AUDIT_H 43#define _SECURITY_AUDIT_AUDIT_H 44 45#if defined(_KERNEL) || defined(KERNEL) 46 47#if CONFIG_MACF 48#include <sys/queue.h> 49#include <security/mac_framework.h> 50#endif 51 52#include <bsm/audit.h> 53 54#include <sys/sysctl.h> 55#include <sys/user.h> 56#include <sys/ipc.h> 57 58/* 59 * Audit subsystem condition flags. The audit_enabled flag is set and 60 * removed automatically as a result of configuring log files, and can be 61 * observed but should not be directly manipulated. The audit suspension 62 * flag permits audit to be temporarily disabled without reconfiguring the 63 * audit target. The audit syscalls flag is set at the first hint that kernel 64 * events (system and mach calls) need to be audited. It is used for 65 * performance so an event class map table lookup doesn't have be done for 66 * every system call if only user events are being audited. 67 */ 68extern int audit_enabled; 69extern int audit_suspended; 70extern int audit_syscalls; 71 72/* 73 * Define the masks for the audited arguments. 74 * 75 * XXXRW: These need to remain in audit.h for now because our vnode and name 76 * lookup audit calls rely on passing in flags to indicate which name or 77 * vnode is being logged. These should move to audit_private.h when that is 78 * fixed. 79 */ 80#define ARG_EUID 0x0000000000000001ULL 81#define ARG_RUID 0x0000000000000002ULL 82#define ARG_SUID 0x0000000000000004ULL 83#define ARG_EGID 0x0000000000000008ULL 84#define ARG_RGID 0x0000000000000010ULL 85#define ARG_SGID 0x0000000000000020ULL 86#define ARG_PID 0x0000000000000040ULL 87#define ARG_UID 0x0000000000000080ULL 88#define ARG_AUID 0x0000000000000100ULL 89#define ARG_GID 0x0000000000000200ULL 90#define ARG_FD 0x0000000000000400ULL 91#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL 92#define ARG_FFLAGS 0x0000000000001000ULL 93#define ARG_MODE 0x0000000000002000ULL 94#define ARG_VALUE32 0x0000000000004000ULL 95#define ARG_ADDR32 0x0000000000008000ULL 96#define ARG_ADDR ARG_ADDR32 97#define ARG_LEN 0x0000000000010000ULL 98#define ARG_MASK 0x0000000000020000ULL 99#define ARG_SIGNUM 0x0000000000040000ULL 100#define ARG_LOGIN 0x0000000000080000ULL 101#define ARG_SADDRINET 0x0000000000100000ULL 102#define ARG_SADDRINET6 0x0000000000200000ULL 103#define ARG_SADDRUNIX 0x0000000000400000ULL 104#define ARG_TERMID_ADDR ARG_SADDRUNIX 105#define ARG_KPATH1 0x0000000000800000ULL /* darwin-only */ 106#define ARG_KPATH2 0x0000000001000000ULL /* darwin-only */ 107#define ARG_UPATH1 0x0000000002000000ULL 108#define ARG_UPATH2 0x0000000004000000ULL 109#define ARG_TEXT 0x0000000008000000ULL 110#define ARG_VNODE1 0x0000000010000000ULL 111#define ARG_VNODE2 0x0000000020000000ULL 112#define ARG_SVIPC_CMD 0x0000000040000000ULL 113#define ARG_SVIPC_PERM 0x0000000080000000ULL 114#define ARG_SVIPC_ID 0x0000000100000000ULL 115#define ARG_SVIPC_ADDR 0x0000000200000000ULL 116#define ARG_GROUPSET 0x0000000400000000ULL 117#define ARG_CMD 0x0000000800000000ULL 118#define ARG_SOCKINFO 0x0000001000000000ULL 119#define ARG_ASID 0x0000002000000000ULL 120#define ARG_TERMID 0x0000004000000000ULL 121#define ARG_AUDITON 0x0000008000000000ULL 122#define ARG_VALUE64 0x0000010000000000ULL /* darwin-only */ 123#define ARG_AMASK 0x0000020000000000ULL 124#define ARG_CTLNAME 0x0000040000000000ULL 125#define ARG_PROCESS 0x0000080000000000ULL 126#define ARG_MACHPORT1 0x0000100000000000ULL 127#define ARG_MACHPORT2 0x0000200000000000ULL 128#define ARG_MAC_STRING 0x0000400000000000ULL 129#define ARG_EXIT 0x0000800000000000ULL 130#define ARG_IOVECSTR 0x0001000000000000ULL 131#define ARG_ARGV 0x0002000000000000ULL 132#define ARG_ENVV 0x0004000000000000ULL 133#define ARG_OPAQUE 0x0008000000000000ULL /* darwin-only */ 134#define ARG_DATA 0x0010000000000000ULL /* darwin-only */ 135#define ARG_ADDR64 0x0020000000000000ULL /* darwin-only */ 136#define ARG_NONE 0x0000000000000000ULL 137#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL 138 139#if CONFIG_MACF 140 141#define MAC_AUDIT_LABEL_LEN 1024 142#define MAC_AUDIT_DATA_TYPE 0 143#define MAC_AUDIT_TEXT_TYPE 1 144 145struct mac_audit_record { 146 int type; /* one of the types defined above */ 147 int length; /* byte length of the data field */ 148 u_char *data; /* the payload */ 149 LIST_ENTRY(mac_audit_record) records; 150}; 151 152#endif 153 154struct proc; 155struct vnode; 156struct componentname; 157 158int kau_will_audit(void); 159void audit_init(void); 160void audit_shutdown(void); 161void audit_syscall_enter(unsigned int code, 162 struct proc *proc, struct uthread *uthread); 163#if CONFIG_MACF 164/* 165 * The parameter list of audit_syscall_exit() was modified to also take the 166 * Darwin syscall number, which is required by mac_audit_check_postselect(). 167 */ 168void audit_syscall_exit(unsigned int code, int error, 169 struct proc *proc, struct uthread *uthread); 170#else 171void audit_syscall_exit(int error, struct proc *proc, 172 struct uthread *uthread); 173#endif 174void audit_mach_syscall_enter(unsigned short audit_event); 175void audit_mach_syscall_exit(int retval, struct uthread *uthread); 176 177extern struct auditinfo_addr *audit_default_aia_p; 178 179/* 180 * The remaining kernel functions are conditionally compiled in as they are 181 * wrapped by a macro, and the macro should be the only place in the source 182 * tree where these functions are referenced. 183 */ 184#if CONFIG_AUDIT 185struct ipc_perm; 186struct sockaddr; 187union auditon_udata; 188void audit_arg_addr(struct kaudit_record *ar, user_addr_t addr); 189void audit_arg_exit(struct kaudit_record *ar, int status, int retval); 190void audit_arg_len(struct kaudit_record *ar, user_size_t len); 191void audit_arg_fd(struct kaudit_record *ar, int fd); 192void audit_arg_fflags(struct kaudit_record *ar, int fflags); 193void audit_arg_gid(struct kaudit_record *ar, gid_t gid); 194void audit_arg_uid(struct kaudit_record *ar, uid_t uid); 195void audit_arg_egid(struct kaudit_record *ar, gid_t egid); 196void audit_arg_euid(struct kaudit_record *ar, uid_t euid); 197void audit_arg_rgid(struct kaudit_record *ar, gid_t rgid); 198void audit_arg_ruid(struct kaudit_record *ar, uid_t ruid); 199void audit_arg_sgid(struct kaudit_record *ar, gid_t sgid); 200void audit_arg_suid(struct kaudit_record *ar, uid_t suid); 201void audit_arg_groupset(struct kaudit_record *ar, gid_t *gidset, 202 u_int gidset_size); 203void audit_arg_login(struct kaudit_record *ar, char *login); 204void audit_arg_ctlname(struct kaudit_record *ar, int *name, int namelen); 205void audit_arg_mask(struct kaudit_record *ar, int mask); 206void audit_arg_mode(struct kaudit_record *ar, mode_t mode); 207void audit_arg_value32(struct kaudit_record *ar, uint32_t value32); 208void audit_arg_value64(struct kaudit_record *ar, uint64_t value64); 209void audit_arg_owner(struct kaudit_record *ar, uid_t uid, gid_t gid); 210void audit_arg_pid(struct kaudit_record *ar, pid_t pid); 211void audit_arg_process(struct kaudit_record *ar, proc_t p); 212void audit_arg_signum(struct kaudit_record *ar, u_int signum); 213void audit_arg_socket(struct kaudit_record *ar, int sodomain, int sotype, 214 int soprotocol); 215void audit_arg_sockaddr(struct kaudit_record *ar, struct vnode *cwd_vp, 216 struct sockaddr *so); 217void audit_arg_auid(struct kaudit_record *ar, uid_t auid); 218void audit_arg_auditinfo(struct kaudit_record *ar, 219 struct auditinfo *au_info); 220void audit_arg_auditinfo_addr(struct kaudit_record *ar, 221 struct auditinfo_addr *au_info); 222void audit_arg_upath(struct kaudit_record *ar, struct vnode *cwd_vp, 223 char *upath, u_int64_t flags); 224void audit_arg_vnpath(struct kaudit_record *ar, struct vnode *vp, 225 u_int64_t flags); 226void audit_arg_vnpath_withref(struct kaudit_record *ar, struct vnode *vp, 227 u_int64_t flags); 228void audit_arg_text(struct kaudit_record *ar, char *text); 229void audit_arg_opaque(struct kaudit_record *ar, void *data, size_t size); 230void audit_arg_data(struct kaudit_record *ar, void *data, size_t size, 231 size_t number); 232void audit_arg_cmd(struct kaudit_record *ar, int cmd); 233void audit_arg_svipc_cmd(struct kaudit_record *ar, int cmd); 234void audit_arg_svipc_perm(struct kaudit_record *ar, struct ipc_perm *perm); 235void audit_arg_svipc_id(struct kaudit_record *ar, int id); 236void audit_arg_svipc_addr(struct kaudit_record *ar, user_addr_t addr); 237void audit_arg_posix_ipc_perm(struct kaudit_record *ar, uid_t uid, 238 gid_t gid, mode_t mode); 239void audit_arg_auditon(struct kaudit_record *ar, 240 union auditon_udata *udata); 241void audit_arg_file(struct kaudit_record *ar, struct proc *p, 242 struct fileproc *fp); 243void audit_arg_argv(struct kaudit_record *ar, char *argv, int argc, 244 int length); 245void audit_arg_envv(struct kaudit_record *ar, char *envv, int envc, 246 int length); 247 248void audit_arg_mach_port1(struct kaudit_record *ar, mach_port_name_t port); 249void audit_arg_mach_port2(struct kaudit_record *ar, mach_port_name_t port); 250void audit_sysclose(struct kaudit_record *ar, struct proc *p, int fd); 251 252void audit_proc_coredump(proc_t proc, char *path, int errcode); 253void audit_proc_init(struct proc *p); 254void audit_proc_fork(struct proc *parent, struct proc *child); 255void audit_proc_free(struct proc *p); 256 257#ifndef _KAUTH_CRED_T 258#define _KAUTH_CRED_T 259struct ucred; 260typedef struct ucred *kauth_cred_t; 261#endif /* !_KAUTH_CRED_T */ 262 263void audit_session_ref(kauth_cred_t cred); 264void audit_session_unref(kauth_cred_t cred); 265void audit_session_procnew(proc_t p); 266void audit_session_procexit(proc_t p); 267int audit_session_spawnjoin(proc_t p, ipc_port_t port); 268 269void audit_sdev_submit(au_id_t auid, au_asid_t asid, void *record, 270 u_int record_len); 271 272/* 273 * Audit session macros. 274 */ 275#define IS_VALID_SESSION(a) ((a) != NULL && (a) != audit_default_aia_p) 276 277#define AUDIT_SESSION_REF(cred) audit_session_ref(cred) 278#define AUDIT_SESSION_UNREF(cred) audit_session_unref(cred) 279 280#define AUDIT_SESSION_PROCNEW(p) audit_session_procnew(p) 281#define AUDIT_SESSION_PROCEXIT(p) audit_session_procexit(p) 282 283#if CONFIG_MACF 284/* 285 * audit_mac_data() is the MAC Framework's entry point to the audit subsystem. 286 * It currently creates only text and data audit tokens. 287 */ 288int audit_mac_data(int type, int len, u_char *data); 289void audit_arg_mac_string(struct kaudit_record *ar, char *string); 290 291#endif 292 293extern au_event_t sys_au_event[]; 294 295#define AUDIT_RECORD() \ 296 ((struct uthread*)get_bsdthread_info(current_thread()))->uu_ar 297 298#ifndef AUDIT_USE_BUILTIN_EXPECT 299#define AUDIT_USE_BUILTIN_EXPECT 300#endif 301 302#ifdef AUDIT_USE_BUILTIN_EXPECT 303/* 304 * Use branch prediction for the case of auditing enabled but not 305 * auditing system calls. 306 */ 307#define AUDIT_SYSCALLS() __builtin_expect(audit_syscalls, 0) 308#define AUDIT_ENABLED() __builtin_expect(audit_syscalls && \ 309 audit_enabled, 0) 310#define AUDIT_AUDITING(x) __builtin_expect(NULL != (x), 0) 311 312#else 313 314#define AUDIT_SYSCALLS() (audit_syscalls) 315#define AUDIT_ENABLED() (audit_syscalls && audit_enabled) 316#define AUDIT_AUDITING(x) (NULL != (x)) 317 318#endif /* AUDIT_USE_BUILTIN_EXPECT */ 319 320/* 321 * Define a macro to wrap the audit_arg_* calls by checking the global 322 * audit_enabled flag before performing the actual call. 323 */ 324#define AUDIT_ARG(op, args...) do { \ 325 if (AUDIT_SYSCALLS()) { \ 326 struct kaudit_record *__ar = AUDIT_RECORD(); \ 327 if (AUDIT_AUDITING(__ar)) \ 328 audit_arg_ ## op (__ar, args); \ 329 } \ 330} while (0) 331 332#define AUDIT_SYSCALL_ENTER(args...) do { \ 333 if (AUDIT_ENABLED()) { \ 334 audit_syscall_enter(args); \ 335 } \ 336} while (0) 337 338/* 339 * Wrap the audit_syscall_exit() function so that it is called only when 340 * we have a audit record on the thread. Audit records can persist after 341 * auditing is disabled, so we don't just check audit_enabled here. 342 */ 343#define AUDIT_SYSCALL_EXIT(code, proc, uthread, error) do { \ 344 if (AUDIT_AUDITING(uthread->uu_ar)) \ 345 audit_syscall_exit(code, error, proc, uthread); \ 346} while (0) 347 348/* 349 * Wrap the audit_mach_syscall_enter() and audit_mach_syscall_exit() 350 * functions in a manner similar to other system call enter/exit functions. 351 */ 352#define AUDIT_MACH_SYSCALL_ENTER(args...) do { \ 353 if (AUDIT_ENABLED()) { \ 354 audit_mach_syscall_enter(args); \ 355 } \ 356} while (0) 357 358#define AUDIT_MACH_SYSCALL_EXIT(retval) do { \ 359 if (AUDIT_SYSCALLS()) { \ 360 struct uthread *__uthread = \ 361 get_bsdthread_info(current_thread()); \ 362 if (AUDIT_AUDITING(__uthread->uu_ar)) \ 363 audit_mach_syscall_exit(retval, __uthread); \ 364 } \ 365} while (0) 366 367/* 368 * A Macro to wrap the audit_sysclose() function. 369 */ 370#define AUDIT_SYSCLOSE(args...) do { \ 371 if (AUDIT_SYSCALLS()) { \ 372 struct kaudit_record *__ar = AUDIT_RECORD(); \ 373 if (AUDIT_AUDITING(__ar)) \ 374 audit_sysclose(__ar, args); \ 375 } \ 376} while (0) 377 378#else /* !CONFIG_AUDIT */ 379 380#define AUDIT_ARG(op, args...) do { \ 381} while (0) 382 383#define AUDIT_SYSCALL_ENTER(args...) do { \ 384} while (0) 385 386#define AUDIT_SYSCALL_EXIT(code, proc, uthread, error) do { \ 387} while (0) 388 389#define AUDIT_MACH_SYSCALL_ENTER(args...) do { \ 390} while (0) 391 392#define AUDIT_MACH_SYSCALL_EXIT(retval) do { \ 393} while (0) 394 395#define AUDIT_SYSCLOSE(op, args...) do { \ 396} while (0) 397 398#define AUDIT_SESSION_REF(cred) do { \ 399} while (0) 400 401#define AUDIT_SESSION_UNREF(cred) do { \ 402} while (0) 403 404#define AUDIT_SESSION_PROCNEW(cred) do { \ 405} while (0) 406 407#define AUDIT_SESSION_PROCEXIT(cred) do { \ 408} while (0) 409 410#define AUDIT_SESSION_REF(cred) do { \ 411} while (0) 412 413#define AUDIT_SESSION_UNREF(cred) do { \ 414} while (0) 415 416#define AUDIT_SESSION_PROCNEW(cred) do { \ 417} while (0) 418 419#define AUDIT_SESSION_PROCEXIT(cred) do { \ 420} while (0) 421 422#endif /* CONFIG_AUDIT */ 423 424#endif /* KERNEL */ 425 426#endif /* !_SECURITY_AUDIT_ADUIT_H */ 427