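/*-
 * Copyright (c) 2004-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#50 $
 */

#ifndef _LIBBSM_H_
#define	_LIBBSM_H_

/*
 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
 */

#include <sys/types.h>
#include <sys/cdefs.h>

#include <inttypes.h>		/* Required for audit.h. */
#include <time.h>		/* Required for clock_t on Linux. */

#include <bsm/audit.h>
#include <bsm/audit_record.h>

#include <stdio.h>

#ifdef __APPLE__
#include <mach/mach.h>		/* audit_token_t */
#endif

/*
 * Size parsed token vectors for execve(2) arguments and environmental
 * variables.  Note: changing these sizes affects the ABI of the token
 * structure, and as the token structure is often placed in the caller stack,
 * this is undesirable.
 */
#define	AUDIT_MAX_ARGS	128
#define	AUDIT_MAX_ENV	128

/*
 * Arguments to au_preselect(3).
 */
#define	AU_PRS_USECACHE	0
#define	AU_PRS_REREAD	1

#define	AU_PRS_SUCCESS	1
#define	AU_PRS_FAILURE	2
#define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)

/* Locations of the audit configuration databases. */
#define	AUDIT_EVENT_FILE	"/etc/security/audit_event"
#define	AUDIT_CLASS_FILE	"/etc/security/audit_class"
#define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
#define	AUDIT_USER_FILE		"/etc/security/audit_user"

/* Entry keywords, named *_CONTROL_ENTRY after the audit_control file. */
#define	DIR_CONTROL_ENTRY		"dir"
#define	DIST_CONTROL_ENTRY		"dist"
#define	FILESZ_CONTROL_ENTRY		"filesz"
#define	FLAGS_CONTROL_ENTRY		"flags"
#define	HOST_CONTROL_ENTRY		"host"
#define	MINFREE_CONTROL_ENTRY		"minfree"
#define	NA_CONTROL_ENTRY		"naflags"
#define	POLICY_CONTROL_ENTRY		"policy"
#define	EXPIRE_AFTER_CONTROL_ENTRY	"expire-after"

/* Size limits for names, descriptions, lines and audit strings. */
#define	AU_CLASS_NAME_MAX	8
#define	AU_CLASS_DESC_MAX	72
#define	AU_EVENT_NAME_MAX	30
#define	AU_EVENT_DESC_MAX	50
#define	AU_USER_NAME_MAX	50
#define	AU_LINE_MAX		256
#define	MAX_AUDITSTRING_LEN	256
#define	BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN	/* OpenSSH compatibility */

/*
 * Arguments to au_close(3).
 */
#define	AU_TO_NO_WRITE	0	/* Abandon audit record. */
#define	AU_TO_WRITE	1	/* Commit audit record. */

/*
 * Output format flags for au_print_flags_tok().
 */
#define	AU_OFLAG_NONE		0x0000	/* Default form. */
#define	AU_OFLAG_RAW		0x0001	/* Raw, numeric form. */
#define	AU_OFLAG_SHORT		0x0002	/* Short form. */
#define	AU_OFLAG_XML		0x0004	/* XML form. */
#define	AU_OFLAG_NORESOLVE	0x0008	/* No user/group name resolution. */

__BEGIN_DECLS
/* One audit event entry: number, name, description and class mask. */
struct au_event_ent {
	au_event_t	 ae_number;
	char		*ae_name;
	char		*ae_desc;
	au_class_t	 ae_class;
};
typedef struct au_event_ent au_event_ent_t;

/* One audit class entry: name, class bit(s) and description. */
struct au_class_ent {
	char		*ac_name;
	au_class_t	 ac_class;
	char		*ac_desc;
};
typedef struct au_class_ent au_class_ent_t;

/* One audit user entry: user name plus "always" and "never" masks. */
struct au_user_ent {
	char		*au_name;
	au_mask_t	 au_always;
	au_mask_t	 au_never;
};
typedef struct au_user_ent au_user_ent_t;
__END_DECLS

/*
 * Preselection-mask helpers.  'm' points at a mask structure with
 * am_success and am_failure members, 'c' is a class bit mask and 'sel' is a
 * combination of AU_PRS_SUCCESS / AU_PRS_FAILURE choosing which half of the
 * mask is updated.
 *
 * 'c' and 'sel' are parenthesized in the expansion so that a compound
 * argument (for example a | b) cannot regroup against the ^ and & operators
 * and set or clear the wrong audit classes.  Arguments may be evaluated
 * more than once; pass expressions without side effects.
 */

/* Set the bits of 'c' in the selected half/halves of '*m'. */
#define	ADD_TO_MASK(m, c, sel)	do {					\
	if ((sel) & AU_PRS_SUCCESS)					\
		(m)->am_success |= (c);					\
	if ((sel) & AU_PRS_FAILURE)					\
		(m)->am_failure |= (c);					\
} while (0)

/*
 * Clear the bits of 'c' in the selected half/halves of '*m'.
 * x & (x ^ c) keeps exactly the bits of x that are not in c.
 */
#define	SUB_FROM_MASK(m, c, sel)	do {				\
	if ((sel) & AU_PRS_SUCCESS)					\
		(m)->am_success &= ((m)->am_success ^ (c));		\
	if ((sel) & AU_PRS_FAILURE)					\
		(m)->am_failure &= ((m)->am_failure ^ (c));		\
} while (0)

/* Merge both halves of mask '*v' into mask '*m'. */
#define	ADDMASK(m, v)	do {						\
	(m)->am_success |= (v)->am_success;				\
	(m)->am_failure |= (v)->am_failure;				\
} while (0)

/* Remove every bit set in mask '*v' from mask '*m', half by half. */
#define	SUBMASK(m, v)	do {						\
	(m)->am_success &= ((m)->am_success ^ (v)->am_success);		\
	(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure);		\
} while (0)

__BEGIN_DECLS

/* Terminal ID with a 32-bit port and a 4-byte machine address. */
typedef struct au_tid32 {
	u_int32_t	port;
	u_int32_t	addr;
} au_tid32_t;

/* Terminal ID with a 64-bit port and a 4-byte machine address. */
typedef struct au_tid64 {
	u_int64_t	port;
	u_int32_t	addr;
} au_tid64_t;

/* Extended terminal ID: 32-bit port, address type, 16-byte address. */
typedef struct au_tidaddr32 {
	u_int32_t	port;
	u_int32_t	type;
	u_int32_t	addr[4];
} au_tidaddr32_t;

/* Extended terminal ID: 64-bit port, address type, 16-byte address. */
typedef struct au_tidaddr64 {
	u_int64_t	port;
	u_int32_t	type;
	u_int32_t	addr[4];
} au_tidaddr64_t;

/*
 * argument #              1 byte
 * argument value          4 bytes/8 bytes (32-bit/64-bit value)
 * text length             2 bytes
 * text                    N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_char		 no;
	u_int32_t	 val;
	u_int16_t	 len;
	char		*text;
} au_arg32_t;

typedef struct {
	u_char		 no;
	u_int64_t	 val;
	u_int16_t	 len;
	char		*text;
} au_arg64_t;

/*
 * how to print            1 byte
 * basic unit              1 byte
 * unit count              1 byte
 * data items              (depends on basic unit)
 */
typedef struct {
	u_char		 howtopr;
	u_char		 bu;
	u_char		 uc;
	u_char		*data;
} au_arb_t;
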
/*
 * Attribute token.
 *
 * file access mode        4 bytes
 * owner user ID           4 bytes
 * owner group ID          4 bytes
 * file system ID          4 bytes
 * node ID                 8 bytes
 * device                  4 bytes/8 bytes (32-bit/64-bit)
 */
typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int32_t	dev;	/* 32-bit device */
} au_attr32_t;

typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int64_t	dev;	/* 64-bit device */
} au_attr64_t;

/*
 * Exec-argument token.
 *
 * count                   4 bytes
 * text                    count null-terminated string(s)
 *
 * text[] has room for AUDIT_MAX_ARGS pointers only, while count is a full
 * 32-bit value.  NOTE(review): the parser is not visible in this header;
 * confirm it caps count, and bound any loop over text[] by AUDIT_MAX_ARGS
 * as well as by count.
 */
typedef struct {
	u_int32_t	 count;
	char		*text[AUDIT_MAX_ARGS];
} au_execarg_t;

/*
 * Exec-environment token.
 *
 * count                   4 bytes
 * text                    count null-terminated string(s)
 *
 * Same shape as au_execarg_t, with AUDIT_MAX_ENV slots; the same bounding
 * of count applies when walking text[].
 */
typedef struct {
	u_int32_t	 count;
	char		*text[AUDIT_MAX_ENV];
} au_execenv_t;

/*
 * Exit token.
 *
 * status                  4 bytes
 * return value            4 bytes
 */
typedef struct {
	u_int32_t	status;
	u_int32_t	ret;
} au_exit_t;

/*
 * seconds of time         4 bytes
 * milliseconds of time    4 bytes
 * file name length        2 bytes
 * file pathname           N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int32_t	 s;	/* seconds of time */
	u_int32_t	 ms;	/* milliseconds of time */
	u_int16_t	 len;	/* file name length */
	char		*name;	/* file pathname */
} au_file_t;


/*
 * Groups token.
 *
 * number groups           2 bytes
 * group list              N * 4 bytes
 *
 * list[] holds AUDIT_MAX_GROUPS entries; 'no' is a 16-bit count.
 * NOTE(review): confirm the parser caps 'no', and bound any loop over
 * list[] by AUDIT_MAX_GROUPS as well.
 */
typedef struct {
	u_int16_t	no;
	u_int32_t	list[AUDIT_MAX_GROUPS];
} au_groups_t;

/*
 * Record header, 32-bit time fields.
 *
 * record byte count       4 bytes
 * version #               1 byte    [2]
 * event type              2 bytes
 * event modifier          2 bytes
 * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
 * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_t;

/*
 * Extended record header (carries a machine address).
 *
 * record byte count       4 bytes
 * version #               1 byte     [2]
 * event type              2 bytes
 * event modifier          2 bytes
 * address type/length     1 byte (XXX: actually, 4 bytes)
 * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
 * seconds of time         4 bytes/8 bytes  (32/64-bits)
 * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
 *
 * NOTE(review): this layout says "nanoseconds" while the field is named
 * 'ms' and the non-extended header says "milliseconds"; confirm the unit
 * before relying on sub-second timestamps.
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_ex_t;

/* Record header, 64-bit time fields. */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_t;

/* Extended record header, 64-bit time fields. */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_ex_t;

/*
 * internet address        4 bytes
 */
typedef struct {
	u_int32_t	addr;
} au_inaddr_t;

/*
 * type                 4 bytes
 * internet address     16 bytes
 */
typedef struct {
	u_int32_t	type;
	u_int32_t	addr[4];
} au_inaddr_ex_t;

/*
 * IP header token.
 *
 * version and ihl         1 byte
 * type of service         1 byte
 * length                  2 bytes
 * id                      2 bytes
 * offset                  2 bytes
 * ttl                     1 byte
 * protocol                1 byte
 * checksum                2 bytes
 * source address          4 bytes
 * destination address     4 bytes
 */
typedef struct {
	u_char		version;
	u_char		tos;
	u_int16_t	len;
	u_int16_t	id;
	u_int16_t	offset;
	u_char		ttl;
	u_char		prot;
	u_int16_t	chksm;
	u_int32_t	src;
	u_int32_t	dest;
} au_ip_t;

/*
 * IPC token.
 *
 * object ID type          1 byte
 * object ID               4 bytes
 */
typedef struct {
	u_char		type;
	u_int32_t	id;
} au_ipc_t;

/*
 * IPC permission token.
 *
 * owner user ID           4 bytes
 * owner group ID          4 bytes
 * creator user ID         4 bytes
 * creator group ID        4 bytes
 * access mode             4 bytes
 * slot sequence #         4 bytes
 * key                     4 bytes
 */
typedef struct {
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	puid;
	u_int32_t	pgid;
	u_int32_t	mode;
	u_int32_t	seq;
	u_int32_t	key;
} au_ipcperm_t;

/*
 * port IP address         2 bytes
 */
typedef struct {
	u_int16_t	port;
} au_iport_t;

/*
 * Opaque token.
 *
 * length                  2 bytes
 * data                    length bytes
 *
 * The layout lists no terminating byte for data; use 'size', not a string
 * function, to delimit it.
 */
typedef struct {
	u_int16_t	 size;
	char		*data;
} au_opaque_t;

/*
 * Path token.
 *
 * path length             2 bytes
 * path                    N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	 len;
	char		*path;
} au_path_t;

/*
 * Process token.
 *
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *     port ID             4 bytes/8 bytes (32-bit/64-bit value)
 *     machine address     4 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_proc32_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_proc64_t;

/*
 * Extended process token.
 *
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *     port ID             4 bytes/8 bytes (32-bit/64-bit value)
 *     type                4 bytes
 *     machine address     16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_proc32ex_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr64_t	tid;
} au_proc64ex_t;

/*
 * Return token.
 *
 * error status            1 byte
 * return value            4 bytes/8 bytes (32-bit/64-bit value)
 */
typedef struct {
	u_char		status;
	u_int32_t	ret;
} au_ret32_t;

/* 64-bit form; note the members are err/val here, not status/ret. */
typedef struct {
	u_char		err;
	u_int64_t	val;
} au_ret64_t;

/*
 * sequence number         4 bytes
 */
typedef struct {
	u_int32_t	seqno;
} au_seq_t;

/*
 * Socket token.
 *
 * socket type             2 bytes
 * local port              2 bytes
 * local Internet address  4 bytes
 * remote port             2 bytes
 * remote Internet address 4 bytes
 */
typedef struct {
	u_int16_t	type;
	u_int16_t	l_port;
	u_int32_t	l_addr;
	u_int16_t	r_port;
	u_int32_t	r_addr;
} au_socket_t;

/*
 * Extended socket token.
 *
 * socket type             2 bytes
 * local port              2 bytes
 * address type/length     4 bytes
 * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
 * remote port             4 bytes
 * address type/length     4 bytes
 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
 *
 * NOTE(review): the layout above does not match the members below: it
 * lists two 4-byte address type/length fields and no domain, while the
 * struct has a 16-bit domain and a single 16-bit atype.  Confirm against
 * the token parser before decoding by hand.
 */
typedef struct {
	u_int16_t	domain;
	u_int16_t	type;
	u_int16_t	atype;
	u_int16_t	l_port;
	u_int32_t	l_addr[4];
	u_int32_t	r_port;
	u_int32_t	r_addr[4];
} au_socket_ex32_t;

/*
 * Inet socket token.
 *
 * socket family           2 bytes
 * local port              2 bytes
 * socket address          4 bytes/16 bytes (IPv4/IPv6 address)
 */
typedef struct {
	u_int16_t	family;
	u_int16_t	port;
	u_int32_t	addr[4];
} au_socketinet_ex32_t;

typedef struct {
	u_int16_t	family;
	u_int16_t	port;
	u_int32_t	addr;
} au_socketinet32_t;

/*
 * Unix-domain socket token.
 *
 * socket family           2 bytes
 * path                    104 bytes
 *
 * NOTE(review): nothing here says path[] is NUL-terminated when all 104
 * bytes are used; bound reads by sizeof(path) — confirm with the parser.
 */
typedef struct {
	u_int16_t	family;
	char		path[104];
} au_socketunix_t;

/*
 * Subject token.
 *
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *     port ID             4 bytes/8 bytes (32-bit/64-bit value)
 *     machine address     4 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_subject32_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_subject64_t;

/*
 * Extended subject token.
 *
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *     port ID             4 bytes/8 bytes (32-bit/64-bit value)
 *     type                4 bytes
 *     machine address     16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_subject32ex_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr64_t	tid;
} au_subject64ex_t;

/*
 * Text token.
 *
 * text length             2 bytes
 * text                    N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	 len;
	char		*text;
} au_text_t;

/*
 * Privilege token.
 *
 * upriv status            1 byte
 * privstr len             2 bytes
 * privstr                 N bytes + 1 (\0 byte)
 */
typedef struct {
	u_int8_t	 sorf;
	u_int16_t	 privstrlen;
	char		*priv;
} au_priv_t;

685244390Srwatson/* 686244390Srwatson* privset 687244390Srwatson* privtstrlen 2 bytes 688244390Srwatson* privtstr N Bytes + 1 689244390Srwatson* privstrlen 2 bytes 690244390Srwatson* privstr N Bytes + 1 691244390Srwatson*/ 692244390Srwatsontypedef struct { 693244390Srwatson u_int16_t privtstrlen; 694244390Srwatson char *privtstr; 695244390Srwatson u_int16_t privstrlen; 696244390Srwatson char *privstr; 697244390Srwatson} au_privset_t; 698244390Srwatson 699244390Srwatson/* 700168777Srwatson * zonename length 2 bytes 701168777Srwatson * zonename text N bytes + 1 NULL terminator 702168777Srwatson */ 703155131Srwatsontypedef struct { 704168777Srwatson u_int16_t len; 705168777Srwatson char *zonename; 706168777Srwatson} au_zonename_t; 707168777Srwatson 708168777Srwatsontypedef struct { 709155131Srwatson u_int32_t ident; 710155131Srwatson u_int16_t filter; 711155131Srwatson u_int16_t flags; 712155131Srwatson u_int32_t fflags; 713155131Srwatson u_int32_t data; 714155131Srwatson} au_kevent_t; 715155131Srwatson 716155131Srwatsontypedef struct { 717155131Srwatson u_int16_t length; 718155131Srwatson char *data; 719155131Srwatson} au_invalid_t; 720155131Srwatson 721155131Srwatson/* 722155131Srwatson * trailer magic number 2 bytes 723155131Srwatson * record byte count 4 bytes 724155131Srwatson */ 725155131Srwatsontypedef struct { 726155131Srwatson u_int16_t magic; 727155131Srwatson u_int32_t count; 728155131Srwatson} au_trailer_t; 729155131Srwatson 730155131Srwatsonstruct tokenstr { 731155131Srwatson u_char id; 732155131Srwatson u_char *data; 733155131Srwatson size_t len; 734155131Srwatson union { 735155131Srwatson au_arg32_t arg32; 736155131Srwatson au_arg64_t arg64; 737155131Srwatson au_arb_t arb; 738155131Srwatson au_attr32_t attr32; 739155131Srwatson au_attr64_t attr64; 740155131Srwatson au_execarg_t execarg; 741155131Srwatson au_execenv_t execenv; 742155131Srwatson au_exit_t exit; 743155131Srwatson au_file_t file; 744155131Srwatson au_groups_t grps; 745155131Srwatson 
au_header32_t hdr32; 746155131Srwatson au_header32_ex_t hdr32_ex; 747155131Srwatson au_header64_t hdr64; 748155131Srwatson au_header64_ex_t hdr64_ex; 749155131Srwatson au_inaddr_t inaddr; 750155131Srwatson au_inaddr_ex_t inaddr_ex; 751155131Srwatson au_ip_t ip; 752155131Srwatson au_ipc_t ipc; 753155131Srwatson au_ipcperm_t ipcperm; 754155131Srwatson au_iport_t iport; 755155131Srwatson au_opaque_t opaque; 756155131Srwatson au_path_t path; 757155131Srwatson au_proc32_t proc32; 758168777Srwatson au_proc32ex_t proc32_ex; 759155131Srwatson au_proc64_t proc64; 760168777Srwatson au_proc64ex_t proc64_ex; 761155131Srwatson au_ret32_t ret32; 762155131Srwatson au_ret64_t ret64; 763155131Srwatson au_seq_t seq; 764155131Srwatson au_socket_t socket; 765155131Srwatson au_socket_ex32_t socket_ex32; 766191273Srwatson au_socketinet_ex32_t sockinet_ex32; 767155131Srwatson au_socketunix_t sockunix; 768155131Srwatson au_subject32_t subj32; 769168777Srwatson au_subject32ex_t subj32_ex; 770155131Srwatson au_subject64_t subj64; 771168777Srwatson au_subject64ex_t subj64_ex; 772155131Srwatson au_text_t text; 773155131Srwatson au_kevent_t kevent; 774155131Srwatson au_invalid_t invalid; 775155131Srwatson au_trailer_t trail; 776168777Srwatson au_zonename_t zonename; 777244390Srwatson au_priv_t priv; 778244390Srwatson au_privset_t privset; 779155131Srwatson } tt; /* The token is one of the above types */ 780155131Srwatson}; 781155131Srwatson 782155131Srwatsontypedef struct tokenstr tokenstr_t; 783155131Srwatson 784159248Srwatsonint audit_submit(short au_event, au_id_t auid, 785159248Srwatson char status, int reterr, const char *fmt, ...); 786159248Srwatson 787155131Srwatson/* 788155131Srwatson * Functions relating to querying audit class information. 
789155131Srwatson */ 790155131Srwatsonvoid setauclass(void); 791155131Srwatsonvoid endauclass(void); 792155131Srwatsonstruct au_class_ent *getauclassent(void); 793155131Srwatsonstruct au_class_ent *getauclassent_r(au_class_ent_t *class_int); 794155131Srwatsonstruct au_class_ent *getauclassnam(const char *name); 795155131Srwatsonstruct au_class_ent *getauclassnam_r(au_class_ent_t *class_int, 796155131Srwatson const char *name); 797155131Srwatsonstruct au_class_ent *getauclassnum(au_class_t class_number); 798155131Srwatsonstruct au_class_ent *getauclassnum_r(au_class_ent_t *class_int, 799155131Srwatson au_class_t class_number); 800155131Srwatson 801155131Srwatson/* 802155131Srwatson * Functions relating to querying audit control information. 803155131Srwatson */ 804155131Srwatsonvoid setac(void); 805155131Srwatsonvoid endac(void); 806155131Srwatsonint getacdir(char *name, int len); 807244390Srwatsonint getacdist(void); 808244390Srwatsonint getacexpire(int *andflg, time_t *age, size_t *size); 809162621Srwatsonint getacfilesz(size_t *size_val); 810155131Srwatsonint getacflg(char *auditstr, int len); 811244390Srwatsonint getachost(char *auditstr, size_t len); 812244390Srwatsonint getacmin(int *min_val); 813155131Srwatsonint getacna(char *auditstr, int len); 814162503Srwatsonint getacpol(char *auditstr, size_t len); 815155131Srwatsonint getauditflagsbin(char *auditstr, au_mask_t *masks); 816155131Srwatsonint getauditflagschar(char *auditstr, au_mask_t *masks, 817155131Srwatson int verbose); 818155131Srwatsonint au_preselect(au_event_t event, au_mask_t *mask_p, 819155131Srwatson int sorf, int flag); 820191273Srwatsonssize_t au_poltostr(int policy, size_t maxsize, char *buf); 821191273Srwatsonint au_strtopol(const char *polstr, int *policy); 822155131Srwatson 823155131Srwatson/* 824155131Srwatson * Functions relating to querying audit event information. 
825155131Srwatson */ 826155131Srwatsonvoid setauevent(void); 827155131Srwatsonvoid endauevent(void); 828155131Srwatsonstruct au_event_ent *getauevent(void); 829155131Srwatsonstruct au_event_ent *getauevent_r(struct au_event_ent *e); 830155131Srwatsonstruct au_event_ent *getauevnam(const char *name); 831155131Srwatsonstruct au_event_ent *getauevnam_r(struct au_event_ent *e, 832155131Srwatson const char *name); 833155131Srwatsonstruct au_event_ent *getauevnum(au_event_t event_number); 834155131Srwatsonstruct au_event_ent *getauevnum_r(struct au_event_ent *e, 835155131Srwatson au_event_t event_number); 836155131Srwatsonau_event_t *getauevnonam(const char *event_name); 837155131Srwatsonau_event_t *getauevnonam_r(au_event_t *ev, 838155131Srwatson const char *event_name); 839155131Srwatson 840155131Srwatson/* 841155131Srwatson * Functions relating to querying audit user information. 842155131Srwatson */ 843155131Srwatsonvoid setauuser(void); 844155131Srwatsonvoid endauuser(void); 845155131Srwatsonstruct au_user_ent *getauuserent(void); 846155131Srwatsonstruct au_user_ent *getauuserent_r(struct au_user_ent *u); 847155131Srwatsonstruct au_user_ent *getauusernam(const char *name); 848155131Srwatsonstruct au_user_ent *getauusernam_r(struct au_user_ent *u, 849155131Srwatson const char *name); 850155131Srwatsonint au_user_mask(char *username, au_mask_t *mask_p); 851155131Srwatsonint getfauditflags(au_mask_t *usremask, 852155131Srwatson au_mask_t *usrdmask, au_mask_t *lastmask); 853155131Srwatson 854155131Srwatson/* 855155131Srwatson * Functions for reading and printing records and tokens from audit trails. 
 */
/*
 * NOTE(review): au_read_rec() returns the record through *buf; presumably
 * the buffer is allocated by the library and owned by the caller afterwards
 * -- confirm who frees it. au_fetch_tok() takes the buffer length as an int;
 * when the trail comes from an untrusted source, pass only the number of
 * bytes that really remain in the record and check the return value before
 * using tok.
 */
int au_read_rec(FILE *fp, u_char **buf);
int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
/* XXX The following interface has different prototype from BSM */
void au_print_tok(FILE *outfp, tokenstr_t *tok,
    char *del, char raw, char sfrm);
void au_print_flags_tok(FILE *outfp, tokenstr_t *tok,
    char *del, int oflags);
void au_print_tok_xml(FILE *outfp, tokenstr_t *tok,
    char *del, char raw, char sfrm);

/*
 * Functions relating to XML output.
 */
void au_print_xml_header(FILE *outfp);
void au_print_xml_footer(FILE *outfp);

/*
 * BSM library routines for converting between local and BSM constant spaces.
 * (Note: some of these are replicated in audit_record.h for the benefit of
 * the FreeBSD and Mac OS X kernels)
 *
 * The au_bsm_to_*() functions return an int status and deliver the
 * converted value through the pointer argument; the *_to_bsm() functions
 * return the converted value directly.
 */
int au_bsm_to_domain(u_short bsm_domain, int *local_domainp);
int au_bsm_to_errno(u_char bsm_error, int *errorp);
int au_bsm_to_fcntl_cmd(u_short bsm_fcntl_cmd, int *local_fcntl_cmdp);
int au_bsm_to_socket_type(u_short bsm_socket_type,
    int *local_socket_typep);
u_short au_domain_to_bsm(int local_domain);
u_char au_errno_to_bsm(int local_errno);
u_short au_fcntl_cmd_to_bsm(int local_fcntl_command);
u_short au_socket_type_to_bsm(int local_socket_type);

const char *au_strerror(u_char bsm_error);
__END_DECLS

/*
 * The remaining APIs are associated with Apple's BSM implementation, in
 * particular as relates to Mach IPC auditing and triggers passed via Mach
 * IPC.
 */
#ifdef __APPLE__
#include <sys/appleapiopts.h>

/**************************************************************************
 **************************************************************************
 ** The following definitions, functions, etc., are NOT officially
 ** supported: they may be changed or removed in the future. Do not use
 ** them unless you are prepared to cope with that eventuality.
 **************************************************************************
 **************************************************************************/

#ifdef __APPLE_API_PRIVATE
#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
#endif /* __APPLE_API_PRIVATE */

/*
 * au_get_state() return values
 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
 * AUDIT_ON are deprecated and WILL be removed.
 */
#ifdef __APPLE_API_PRIVATE
#define AUDIT_OFF AUC_NOAUDIT
#define AUDIT_ON AUC_AUDITING
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

/*
 * Error return codes for audit_set_terminal_id(), audit_write() and its
 * brethren. We have 255 (not including kAUNoErr) to play with.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
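 */
enum {
	kAUNoErr = 0,
	/* The enumerators below count upwards from this value. */
	kAUBadParamErr = -66049,
	kAUStatErr,
	kAUSysctlErr,
	kAUOpenErr,
	kAUMakeSubjectTokErr,
	kAUWriteSubjectTokErr,
	kAUWriteCallerTokErr,
	kAUMakeReturnTokErr,
	kAUWriteReturnTokErr,
	kAUCloseErr,
	kAUMakeTextTokErr,
	kAULastErr
};

#ifdef __APPLE__
/*
 * Error return codes for au_get_state() and/or its private support
 * functions. These codes are designed to be compatible with the
 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
 * Any changes to notify(3) may cause these values to change in future.
 *
 * AU_UNIMPL should never happen unless you've changed your system software
 * without rebooting. Shame on you.
 *
 * The expansion is parenthesized so that AU_UNIMPL behaves as a single
 * value in any expression (for example "x * AU_UNIMPL" or "-AU_UNIMPL");
 * without the parentheses, operator precedence would split the "+ 1" off.
 *
 * NOTE(review): NOTIFY_STATUS_FAILED comes from <notify.h>; whether this
 * header includes it is not visible here, so the includer may have to.
 */
#ifdef __APPLE_API_PRIVATE
#define AU_UNIMPL (NOTIFY_STATUS_FAILED + 1) /* audit unimplemented */
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

__BEGIN_DECLS
/*
 * XXX This prototype should be in audit_record.h
 *
 * au_free_token()
 *
 * @summary - au_free_token() deallocates a token_t created by any of
 * the au_to_*() BSM API functions.
 *
 * The BSM API generally manages deallocation of token_t objects. However,
 * if au_write() is passed a bad audit descriptor, the token_t * parameter
 * will be left untouched. In that case, the caller can deallocate the
 * token_t using au_free_token() if desired. This is, in fact, what
 * audit_write() does, in keeping with the existing memory management model
 * of the BSM API.
 *
 * Do not call this on a token that has been handed to audit_write(): the
 * audit_write() documentation later in this header states that it always
 * deallocates the tokens passed to it, so freeing one again here would be
 * a double free.
 *
 * @param tok - A token_t * generated by one of the au_to_*() BSM API
 * calls. For convenience, tok may be NULL, in which case
 * au_free_token() returns immediately.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
void au_free_token(token_t *tok);

/*
 * Lightweight check to determine if auditing is enabled. If a client
 * wants to use this to govern whether an entire series of audit calls
 * should be made--as in the common case of a caller building a set of
 * tokens, then writing them--it should cache the audit status in a local
 * variable. This call always returns the current state of auditing.
 *
 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
 * Otherwise the function can return any of the errno values defined for
 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
 * the system.
 *
 * Because state constants, errno values and AU_UNIMPL share the one int
 * return value, callers should compare the result explicitly against
 * AUC_AUDITING and AUC_NOAUDIT instead of testing it for zero/non-zero,
 * and decide deliberately what an error return means for them.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int au_get_state(void);

/*
 * Initialize the audit notification. If it has not already been initialized
 * it will automatically on the first call of au_get_state().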
 */
uint32_t au_notify_initialize(void);

/*
 * Cancel audit notification and free the resources associated with it.
 * Responsible code that no longer needs to use au_get_state() should call
 * this.
 */
int au_notify_terminate(void);
__END_DECLS

/*
 * OpenSSH compatibility
 *
 * NOTE(review): this prototype sits between an __END_DECLS and the next
 * __BEGIN_DECLS, so a C++ includer would presumably not get C linkage for
 * it -- confirm that this is intended.
 */
int cannot_audit(int);

__BEGIN_DECLS
/*
 * audit_set_terminal_id()
 *
 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
 * used in audit session initialization by processes like /usr/bin/login.
 *
 * @param tid - A pointer to an au_tid_t struct.
 *
 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
 * or kAUSysctlErr if one of the underlying system calls fails (a message
 * is sent to the system log in those cases).
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_set_terminal_id(au_tid_t *tid);

/*
 * BEGIN au_write() WRAPPERS
 *
 * The following calls all wrap the existing BSM API. They use the
 * provided subject information, if any, to construct the subject token
 * required for every log message. They use the provided return/error
 * value(s), if any, to construct the success/failure indication required
 * for every log message. They only permit one "miscellaneous" token,
 * which should contain the event-specific logging information mandated by
 * CAPP.
 *
 * All these calls assume the caller has previously determined that
 * auditing is enabled by calling au_get_state().
 */

/*
 * audit_write()
 *
 * @summary - audit_write() is the basis for the other audit_write_*()
 * calls. Performs a basic write of an audit record (subject, additional
 * info, success/failure). Note that this call only permits logging one
 * caller-specified token; clients needing to log more flexibly must use
 * the existing BSM API (au_open(), et al.) directly.
 *
 * Note on memory management: audit_write() guarantees that the token_t *s
 * passed to it will be deallocated whether or not the underlying write to
 * the audit log succeeded. This addresses an inconsistency in the
 * underlying BSM API in which token_t *s are usually but not always
 * deallocated. Callers must therefore neither reuse nor free subject and
 * misctok once audit_write() has been called, whatever it returns.
 *
 * @param event_code - The code for the event being logged. This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param subject - A token_t * generated by au_to_subject(),
 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is
 * required, subject should be NULL.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls. This should correspond to the additional information required by
 * CAPP for the event being audited. If no additional information is
 * required, misctok should be NULL.
 *
 * @param retval - The return value to be logged for this event. This
 * should be 0 (zero) for success, otherwise the value is event-specific.
 * NOTE(review): the parameter is a char, so only values that fit in a char
 * reach the record; check that callers do not pass wider values.
 *
 * @param errcode - Any error code associated with the return value (e.g.,
 * errno or h_errno). If there was no error, errcode should be 0 (zero).
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above. A non-zero status means the event may not
 * have been recorded, so security-relevant callers should not ignore it.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write(short event_code, token_t *subject, token_t *misctok,
    char retval, int errcode);

/*
 * audit_write_success()
 *
 * @summary - audit_write_success() records an auditable event that did not
 * encounter an error. The interface is designed to require as little
 * direct use of the au_to_*() API as possible. It builds a subject token
 * from the information passed in and uses that to invoke audit_write().
 * A subject, as defined by CAPP, is a process acting on the user's behalf.
 *
 * If the subject information is the same as the current process, use
 * audit_write_success_self().
 *
 * @param event_code - The code for the event being logged. This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls. This should correspond to the additional information required by
 * CAPP for the event being audited. If no additional information is
 * required, misctok should be NULL.
 *
 * @param auid - The subject's audit ID.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param ruid - The subject's real user ID.
 *
 * @param rgid - The subject's real group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param sid - The subject's session ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * The subject fields are recorded as the caller supplies them; nothing in
 * this interface shows them being verified, so they should come from a
 * source the caller trusts.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_success(short event_code, token_t *misctok, au_id_t auid,
    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
    au_asid_t sid, au_tid_t *tid);

/*
 * audit_write_success_self()
 *
 * @summary - Similar to audit_write_success(), but used when the subject
 * (process) is owned and operated by the auditable user him/herself.
 *
 * @param event_code - The code for the event being logged. This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls. This should correspond to the additional information required by
 * CAPP for the event being audited. If no additional information is
 * required, misctok should be NULL.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_success_self(short event_code, token_t *misctok);

/*
 * audit_write_failure()
 *
 * @summary - audit_write_failure() records an auditable event that
 * encountered an error. The interface is designed to require as little
 * direct use of the au_to_*() API as possible. It builds a subject token
 * from the information passed in and uses that to invoke audit_write().
 * A subject, as defined by CAPP, is a process acting on the user's behalf.
 *
 * If the subject information is the same as the current process, use
 * audit_write_failure_self().
 *
 * @param event_code - The code for the event being logged. This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.
 *
 * @param errret - A numerical value providing additional information about
 * the error. This is intended to store the value of errno or h_errno if
 * it's relevant. This can be 0 (zero) if no additional information is
 * available.
 *
 * @param auid - The subject's audit ID.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param ruid - The subject's real user ID.
 *
 * @param rgid - The subject's real group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param sid - The subject's session ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * NOTE(review): errmsg is presumably stored in the record as text. When it
 * is built from externally supplied data (such as a rejected user name),
 * tools that read the trail should treat it as untrusted -- confirm how the
 * implementation encodes it.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_failure(short event_code, char *errmsg, int errret,
    au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
    pid_t pid, au_asid_t sid, au_tid_t *tid);

/*
 * audit_write_failure_self()
 *
 * @summary - Similar to audit_write_failure(), but used when the subject
 * (process) is owned and operated by the auditable user him/herself.
 *
 * @param event_code - The code for the event being logged. This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.
 *
 * @param errret - A numerical value providing additional information about
 * the error. This is intended to store the value of errno or h_errno if
 * it's relevant. This can be 0 (zero) if no additional information is
 * available.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_failure_self(short event_code, char *errmsg, int errret);

/*
 * audit_write_failure_na()
 *
 * @summary - audit_write_failure_na() records errors during login. Such
 * errors are implicitly non-attributable (i.e., not ascribable to any user).
 *
 * @param event_code - The code for the event being logged. This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.
 *
 * @param errret - A numerical value providing additional information about
 * the error. This is intended to store the value of errno or h_errno if
 * it's relevant. This can be 0 (zero) if no additional information is
 * available.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * Unlike audit_write_failure(), this call takes no audit ID, real IDs or
 * session ID, in line with the event being non-attributable.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_failure_na(short event_code, char *errmsg, int errret,
    uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);

/* END au_write() WRAPPERS */

#ifdef __APPLE__
/*
 * audit_token_to_au32()
 *
 * @summary - Extract information from an audit_token_t, used to identify
 * Mach tasks and senders of Mach messages as subjects to the audit system.
 * audit_token_to_au32() is the only method that should be used to parse
 * an audit_token_t, since its internal representation may change over
 * time. A pointer parameter may be NULL if that information is not
 * needed.
 *
 * @param atoken - the audit token containing the desired information
 *
 * @param auidp - Pointer to a uid_t; on return will be set to the task or
 * sender's audit user ID
 *
 * @param euidp - Pointer to a uid_t; on return will be set to the task or
 * sender's effective user ID
 *
 * @param egidp - Pointer to a gid_t; on return will be set to the task or
 * sender's effective group ID
 *
 * @param ruidp - Pointer to a uid_t; on return will be set to the task or
 * sender's real user ID
 *
 * @param rgidp - Pointer to a gid_t; on return will be set to the task or
 * sender's real group ID
 *
 * @param pidp - Pointer to a pid_t; on return will be set to the task or
 * sender's process ID
 *
 * @param asidp - Pointer to an au_asid_t; on return will be set to the
 * task or sender's audit session ID
 *
 * @param tidp - Pointer to an au_tid_t; on return will be set to the task
 * or sender's terminal ID
 *
 * The function returns void, so it reports no failure; the caller learns
 * nothing from it about whether atoken was valid.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
void audit_token_to_au32(
    audit_token_t atoken,
    uid_t *auidp,
    uid_t *euidp,
    gid_t *egidp,
    uid_t *ruidp,
    gid_t *rgidp,
    pid_t *pidp,
    au_asid_t *asidp,
    au_tid_t *tidp);
#endif /* __APPLE__ */

/*
 * Wrapper functions to auditon(2).
 *
 * NOTE(review): the sz arguments presumably give the size of the object the
 * pointer refers to (for example sizeof(*kmask)) -- confirm against the
 * implementation. The audit_set_*() wrappers and audit_send_trigger()
 * presumably change kernel audit state; callers should check every return
 * value so that a failed configuration change is not taken for a success.
 */
int audit_get_car(char *path, size_t sz);
int audit_get_class(au_evclass_map_t *evc_map, size_t sz);
int audit_set_class(au_evclass_map_t *evc_map, size_t sz);
int audit_get_cond(int *cond);
int audit_set_cond(int *cond);
int audit_get_cwd(char *path, size_t sz);
int audit_get_fsize(au_fstat_t *fstat, size_t sz);
int audit_set_fsize(au_fstat_t *fstat, size_t sz);
int audit_get_kmask(au_mask_t *kmask, size_t sz);
int audit_set_kmask(au_mask_t *kmask, size_t sz);
int audit_get_kaudit(auditinfo_addr_t *aia, size_t sz);
int audit_set_kaudit(auditinfo_addr_t *aia, size_t sz);
int audit_set_pmask(auditpinfo_t *api, size_t sz);
int audit_get_pinfo(auditpinfo_t *api, size_t sz);
int audit_get_pinfo_addr(auditpinfo_addr_t *apia, size_t sz);
int audit_get_policy(int *policy);
int audit_set_policy(int *policy);
int audit_get_qctrl(au_qctrl_t *qctrl, size_t sz);
int audit_set_qctrl(au_qctrl_t *qctrl, size_t sz);
int audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz);
int audit_get_stat(au_stat_t *stats, size_t sz);
int audit_set_stat(au_stat_t *stats, size_t sz);
int audit_send_trigger(int *trigger);

__END_DECLS

#endif /* !_LIBBSM_H_ */