audit.h revision 180701
1138593Ssam/* 2138593Ssam * Copyright (c) 1999-2005 Apple Inc. 3138593Ssam * All rights reserved. 4138593Ssam * 5138593Ssam * Redistribution and use in source and binary forms, with or without 6138593Ssam * modification, are permitted provided that the following conditions 7138593Ssam * are met: 8138593Ssam * 1. Redistributions of source code must retain the above copyright 9138593Ssam * notice, this list of conditions and the following disclaimer. 10138593Ssam * 2. Redistributions in binary form must reproduce the above copyright 11138593Ssam * notice, this list of conditions and the following disclaimer in the 12138593Ssam * documentation and/or other materials provided with the distribution. 13138593Ssam * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14138593Ssam * its contributors may be used to endorse or promote products derived 15138593Ssam * from this software without specific prior written permission. 16138593Ssam * 17138593Ssam * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18138593Ssam * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19138593Ssam * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20138593Ssam * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21138593Ssam * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22138593Ssam * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23138593Ssam * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24138593Ssam * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25138593Ssam * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26138593Ssam * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27138593Ssam * POSSIBILITY OF SUCH DAMAGE. 
28138593Ssam * 29138593Ssam * $FreeBSD: head/sys/security/audit/audit.h 180701 2008-07-22 15:29:48Z rwatson $ 30138593Ssam */ 31138593Ssam 32138593Ssam/* 33138593Ssam * This header includes function prototypes and type definitions that are 34138593Ssam * necessary for the kernel as a whole to interact with the audit subsystem. 35138593Ssam */ 36138593Ssam 37138593Ssam#ifndef _SECURITY_AUDIT_KERNEL_H_ 38138593Ssam#define _SECURITY_AUDIT_KERNEL_H_ 39138593Ssam 40138593Ssam#ifndef _KERNEL 41138593Ssam#error "no user-serviceable parts inside" 42138593Ssam#endif 43138593Ssam 44138593Ssam#include <bsm/audit.h> 45138593Ssam 46138593Ssam#include <sys/file.h> 47138593Ssam#include <sys/sysctl.h> 48138593Ssam 49138593Ssam/* 50138593Ssam * Audit subsystem condition flags. The audit_enabled flag is set and 51138593Ssam * removed automatically as a result of configuring log files, and can be 52138593Ssam * observed but should not be directly manipulated. The audit suspension 53138593Ssam * flag permits audit to be temporarily disabled without reconfiguring the 54138593Ssam * audit target. 55138593Ssam */ 56138593Ssamextern int audit_enabled; 57138593Ssamextern int audit_suspended; 58138593Ssam 59138593Ssam/* 60138593Ssam * Define the masks for the audited arguments. 61138593Ssam * 62138593Ssam * XXXRW: These need to remain in audit.h for now because our vnode and name 63138593Ssam * lookup audit calls rely on passing in flags to indicate which name or 64138593Ssam * vnode is being logged. These should move to audit_private.h when that is 65138593Ssam * fixed. 
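*/
/*
 * Each ARG_* value is one distinct bit.  They are combined as a bitmask
 * (compare ARG_NONE / ARG_ALL at the end of the table, and the u_int64_t
 * 'flags' argument of audit_arg_upath()/audit_arg_vnode()) to mark which
 * arguments of the current system call have been recorded, so no two flags
 * may share a bit: recording one argument would silently mark another one
 * as present as well.
 *
 * ARG_TERMID_ADDR used to be defined with the same value as ARG_SADDRUNIX
 * (0x0000000000400000ULL).  It now takes the bit that was left unassigned
 * between ARG_SADDRUNIX and ARG_UNUSED2.  These constants are kernel-internal
 * and referenced only by name, so renumbering does not affect callers.
 */
#define	ARG_EUID		0x0000000000000001ULL
#define	ARG_RUID		0x0000000000000002ULL
#define	ARG_SUID		0x0000000000000004ULL
#define	ARG_EGID		0x0000000000000008ULL
#define	ARG_RGID		0x0000000000000010ULL
#define	ARG_SGID		0x0000000000000020ULL
#define	ARG_PID			0x0000000000000040ULL
#define	ARG_UID			0x0000000000000080ULL
#define	ARG_AUID		0x0000000000000100ULL
#define	ARG_GID			0x0000000000000200ULL
#define	ARG_FD			0x0000000000000400ULL
#define	ARG_POSIX_IPC_PERM	0x0000000000000800ULL
#define	ARG_FFLAGS		0x0000000000001000ULL
#define	ARG_MODE		0x0000000000002000ULL
#define	ARG_DEV			0x0000000000004000ULL
#define	ARG_ADDR		0x0000000000008000ULL
#define	ARG_LEN			0x0000000000010000ULL
#define	ARG_MASK		0x0000000000020000ULL
#define	ARG_SIGNUM		0x0000000000040000ULL
#define	ARG_LOGIN		0x0000000000080000ULL
#define	ARG_SADDRINET		0x0000000000100000ULL
#define	ARG_SADDRINET6		0x0000000000200000ULL
#define	ARG_SADDRUNIX		0x0000000000400000ULL
#define	ARG_TERMID_ADDR		0x0000000000800000ULL	/* was 0x...400000 */
#define	ARG_UNUSED2		0x0000000001000000ULL
#define	ARG_UPATH1		0x0000000002000000ULL
#define	ARG_UPATH2		0x0000000004000000ULL
#define	ARG_TEXT		0x0000000008000000ULL
#define	ARG_VNODE1		0x0000000010000000ULL
#define	ARG_VNODE2		0x0000000020000000ULL
#define	ARG_SVIPC_CMD		0x0000000040000000ULL
#define	ARG_SVIPC_PERM		0x0000000080000000ULL
#define	ARG_SVIPC_ID		0x0000000100000000ULL
#define	ARG_SVIPC_ADDR		0x0000000200000000ULL
#define	ARG_GROUPSET		0x0000000400000000ULL
#define	ARG_CMD			0x0000000800000000ULL
#define	ARG_SOCKINFO		0x0000001000000000ULL
#define	ARG_ASID		0x0000002000000000ULL
#define	ARG_TERMID		0x0000004000000000ULL
#define	ARG_AUDITON		0x0000008000000000ULL
#define	ARG_VALUE		0x0000010000000000ULL
#define	ARG_AMASK		0x0000020000000000ULL
#define	ARG_CTLNAME		0x0000040000000000ULL
#define	ARG_PROCESS		0x0000080000000000ULL
#define	ARG_MACHPORT1		0x0000100000000000ULL
#define	ARG_MACHPORT2		0x0000200000000000ULL
#define	ARG_EXIT		0x0000400000000000ULL
#define	ARG_IOVECSTR		0x0000800000000000ULL
#define	ARG_ARGV		0x0001000000000000ULL
#define	ARG_ENVV		0x0002000000000000ULL
#define	ARG_NONE		0x0000000000000000ULL
#define	ARG_ALL			0xFFFFFFFFFFFFFFFFULL

/*
 * System call entry and exit hooks.  These are not conditional on AUDIT;
 * the AUDIT_SYSCALL_ENTER()/AUDIT_SYSCALL_EXIT() macros later in this header
 * decide whether to call them.  'code' is the system call number and 'error'
 * the value the call is returning.
 */
void	 audit_syscall_enter(unsigned short code, struct thread *td);
void	 audit_syscall_exit(int error, struct thread *td);

/*
 * The remaining kernel functions are conditionally compiled in as they are
 * wrapped by a macro, and the macro should be the only place in the source
 * tree where these functions are referenced.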
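*/
#ifdef AUDIT
struct ipc_perm;
struct sockaddr;
union auditon_udata;

/*
 * Argument-recording hooks.  Each audit_arg_*() call stores one system-call
 * argument in the calling thread's in-progress audit record (td->td_ar).
 * Callers should reach them through AUDIT_ARG() below, which skips the call
 * when no record is in progress, rather than invoking them directly.
 */
void	 audit_arg_addr(void * addr);
void	 audit_arg_exit(int status, int retval);
void	 audit_arg_len(int len);
void	 audit_arg_fd(int fd);
void	 audit_arg_fflags(int fflags);
void	 audit_arg_gid(gid_t gid);
void	 audit_arg_uid(uid_t uid);
void	 audit_arg_egid(gid_t egid);
void	 audit_arg_euid(uid_t euid);
void	 audit_arg_rgid(gid_t rgid);
void	 audit_arg_ruid(uid_t ruid);
void	 audit_arg_sgid(gid_t sgid);
void	 audit_arg_suid(uid_t suid);
void	 audit_arg_groupset(gid_t *gidset, u_int gidset_size);
void	 audit_arg_login(char *login);
void	 audit_arg_ctlname(int *name, int namelen);
void	 audit_arg_mask(int mask);
void	 audit_arg_mode(mode_t mode);
void	 audit_arg_dev(int dev);
void	 audit_arg_value(long value);
void	 audit_arg_owner(uid_t uid, gid_t gid);
void	 audit_arg_pid(pid_t pid);
void	 audit_arg_process(struct proc *p);
void	 audit_arg_signum(u_int signum);
void	 audit_arg_socket(int sodomain, int sotype, int soprotocol);
void	 audit_arg_sockaddr(struct thread *td, struct sockaddr *sa);
void	 audit_arg_auid(uid_t auid);
void	 audit_arg_auditinfo(struct auditinfo *au_info);
void	 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info);
/*
 * For the path and vnode hooks, 'flags' is the ARG_UPATH1/ARG_UPATH2
 * (respectively ARG_VNODE1/ARG_VNODE2) bit naming which of the call's
 * names or vnodes is being recorded; see the XXXRW note above the ARG_*
 * table.
 */
void	 audit_arg_upath(struct thread *td, char *upath, u_int64_t flags);
void	 audit_arg_vnode(struct vnode *vp, u_int64_t flags);
void	 audit_arg_text(char *text);
void	 audit_arg_cmd(int cmd);
void	 audit_arg_svipc_cmd(int cmd);
void	 audit_arg_svipc_perm(struct ipc_perm *perm);
void	 audit_arg_svipc_id(int id);
void	 audit_arg_svipc_addr(void *addr);
void	 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode);
void	 audit_arg_auditon(union auditon_udata *udata);
void	 audit_arg_file(struct proc *p, struct file *fp);
void	 audit_arg_argv(char *argv, int argc, int length);
void	 audit_arg_envv(char *envv, int envc, int length);

/* close(2) hook; reached through AUDIT_SYSCLOSE() below. */
void	 audit_sysclose(struct thread *td, int fd);

/*
 * Credential, coredump and thread lifecycle hooks.  Unlike the audit_arg_*()
 * family these have no wrapper macro in this header and are called directly.
 */
void	 audit_cred_copy(struct ucred *src, struct ucred *dest);
void	 audit_cred_destroy(struct ucred *cred);
void	 audit_cred_init(struct ucred *cred);
void	 audit_cred_kproc0(struct ucred *cred);
void	 audit_cred_proc1(struct ucred *cred);
void	 audit_proc_coredump(struct thread *td, char *path, int errcode);
void	 audit_thread_alloc(struct thread *td);
void	 audit_thread_free(struct thread *td);

/*
 * Wrap the audit_arg_*() calls.  The guard is td->td_ar -- "does this thread
 * have an audit record in progress" -- and NOT the global audit_enabled
 * flag: a record may have been started before auditing was turned off and
 * its arguments must still be captured.  The macro relies on a
 * 'struct thread *td' being in scope at the call site.  When AUDIT is not
 * defined the arguments are discarded unevaluated, so they must be free of
 * side effects.
 */
#define	AUDIT_ARG(op, args...) do {					\
	if (td->td_ar != NULL)						\
		audit_arg_ ## op (args);				\
} while (0)

/*
 * Start a record for system call 'code' only when auditing is globally
 * enabled.  audit_suspended (declared above) is not consulted here; whether
 * suspension is honoured inside audit_syscall_enter() is not visible from
 * this header -- verify before relying on it.
 */
#define	AUDIT_SYSCALL_ENTER(code, td) do {				\
	if (audit_enabled) {						\
		audit_syscall_enter(code, td);				\
	}								\
} while (0)

/*
 * Wrap the audit_syscall_exit() function so that it is called only when
 * auditing is enabled, or we have an audit record on the thread.  It is
 * possible that an audit record was begun before auditing was turned off,
 * and such a record still has to be completed.
 */
#define	AUDIT_SYSCALL_EXIT(error, td) do {				\
	if (audit_enabled || (td->td_ar != NULL))			\
		audit_syscall_exit(error, td);				\
} while (0)

/*
 * A macro to wrap the audit_sysclose() function.  Like AUDIT_SYSCALL_ENTER()
 * it tests only the global audit_enabled flag.
 */
#define	AUDIT_SYSCLOSE(td, fd) do {					\
	if (audit_enabled)						\
		audit_sysclose(td, fd);					\
} while (0)

#else /* !AUDIT */

/*
 * Stubs for kernels built without AUDIT.  They expand to empty statements
 * and never evaluate their arguments.  Parameter names match the AUDIT
 * variants above so the two sets of definitions read the same.
 */
#define	AUDIT_ARG(op, args...) do {					\
} while (0)

#define	AUDIT_SYSCALL_ENTER(code, td) do {				\
} while (0)

#define	AUDIT_SYSCALL_EXIT(error, td) do {				\
} while (0)

#define	AUDIT_SYSCLOSE(td, fd) do {					\
} while (0)

#endif /* AUDIT */

#endif /* !_SECURITY_AUDIT_KERNEL_H_ */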