audit_internal.h revision 161635
1155191Srwatson/* 2155191Srwatson * Copyright (c) 2005 Apple Computer, Inc. 3155191Srwatson * Copyright (c) 2005 SPARTA, Inc. 4155191Srwatson * All rights reserved. 5155191Srwatson * 6155191Srwatson * This code was developed in part by Robert N. M. Watson, Senior Principal 7155191Srwatson * Scientist, SPARTA, Inc. 8155191Srwatson * 9155191Srwatson * @APPLE_BSD_LICENSE_HEADER_START@ 10155191Srwatson * 11155191Srwatson * Redistribution and use in source and binary forms, with or without 12155191Srwatson * modification, are permitted provided that the following conditions 13155191Srwatson * are met: 14155191Srwatson * 15155191Srwatson * 1. Redistributions of source code must retain the above copyright 16155191Srwatson * notice, this list of conditions and the following disclaimer. 17155191Srwatson * 2. Redistributions in binary form must reproduce the above copyright 18155191Srwatson * notice, this list of conditions and the following disclaimer in the 19155191Srwatson * documentation and/or other materials provided with the distribution. 20155191Srwatson * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 21155191Srwatson * its contributors may be used to endorse or promote products derived 22155191Srwatson * from this software without specific prior written permission. 23155191Srwatson * 24155191Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 25155191Srwatson * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 26155191Srwatson * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 27155191Srwatson * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 28155191Srwatson * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 29155191Srwatson * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 30155191Srwatson * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 31155191Srwatson * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 32155191Srwatson * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33155191Srwatson * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34155191Srwatson * 35155191Srwatson * @APPLE_BSD_LICENSE_HEADER_END@ 36155191Srwatson * 37161635Srwatson * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit_internal.h#11 $ 38155191Srwatson * $FreeBSD: head/sys/bsm/audit_internal.h 161635 2006-08-26 08:17:58Z rwatson $ 39155191Srwatson */ 40155191Srwatson 41156289Srwatson#ifndef _AUDIT_INTERNAL_H 42156289Srwatson#define _AUDIT_INTERNAL_H 43155191Srwatson 44156289Srwatson#if defined(__linux__) && !defined(__unused) 45156289Srwatson#define __unused 46156289Srwatson#endif 47156289Srwatson 48155191Srwatson/* 49155191Srwatson * audit_internal.h contains private interfaces that are shared by user space 50155191Srwatson * and the kernel for the purposes of assembling audit records. Applications 51155191Srwatson * should not include this file or use the APIs found within, or it may be 52155191Srwatson * broken with future releases of OpenBSM, which may delete, modify, or 53155191Srwatson * otherwise break these interfaces or the assumptions they rely on. 54155191Srwatson */ 55156289Srwatsonstruct au_token { 56156289Srwatson u_char *t_data; 57156289Srwatson size_t len; 58156289Srwatson TAILQ_ENTRY(au_token) tokens; 59156289Srwatson}; 60155191Srwatson 61156289Srwatsonstruct au_record { 62156289Srwatson char used; /* Record currently in use? */ 63156289Srwatson int desc; /* Descriptor for record. */ 64156289Srwatson TAILQ_HEAD(, au_token) token_q; /* Queue of BSM tokens. */ 65156289Srwatson u_char *data; 66156289Srwatson size_t len; 67156289Srwatson LIST_ENTRY(au_record) au_rec_q; 68156289Srwatson}; 69156289Srwatsontypedef struct au_record au_record_t; 70156289Srwatson 71156289Srwatson 72161635Srwatson/* 73161635Srwatson * We could determined the header and trailer sizes by defining appropriate 74161635Srwatson * structures. We hold off that approach until we have a consistant way of 75161635Srwatson * using structures for all tokens. This is not straightforward since these 76161635Srwatson * token structures may contain pointers of whose contents we dont know the 77161635Srwatson * size (e.g text tokens). 78155191Srwatson */ 79161635Srwatson#define AUDIT_HEADER_SIZE 18 80161635Srwatson#define AUDIT_TRAILER_SIZE 7 81155191Srwatson 82155191Srwatson/* 83155191Srwatson * BSM token streams store fields in big endian byte order, so as to be 84155191Srwatson * portable; when encoding and decoding, we must convert byte orders for 85155191Srwatson * typed values. 86155191Srwatson */ 87155191Srwatson#define ADD_U_CHAR(loc, val) \ 88155191Srwatson do { \ 89155191Srwatson *(loc) = (val); \ 90155191Srwatson (loc) += sizeof(u_char); \ 91155191Srwatson } while(0) 92155191Srwatson 93155191Srwatson 94155191Srwatson#define ADD_U_INT16(loc, val) \ 95155191Srwatson do { \ 96155191Srwatson be16enc((loc), (val)); \ 97155191Srwatson (loc) += sizeof(u_int16_t); \ 98155191Srwatson } while(0) 99155191Srwatson 100155191Srwatson#define ADD_U_INT32(loc, val) \ 101155191Srwatson do { \ 102155191Srwatson be32enc((loc), (val)); \ 103155191Srwatson (loc) += sizeof(u_int32_t); \ 104155191Srwatson } while(0) 105155191Srwatson 106155191Srwatson#define ADD_U_INT64(loc, val) \ 107155191Srwatson do { \ 108155191Srwatson be64enc((loc), (val)); \ 109155191Srwatson (loc) += sizeof(u_int64_t); \ 110155191Srwatson } while(0) 111155191Srwatson 112155191Srwatson#define ADD_MEM(loc, data, size) \ 113155191Srwatson do { \ 114155191Srwatson memcpy((loc), (data), (size)); \ 115155191Srwatson (loc) += size; \ 116155191Srwatson } while(0) 117155191Srwatson 118155191Srwatson#define ADD_STRING(loc, data, size) ADD_MEM(loc, data, size) 119155191Srwatson 120156289Srwatson#endif /* !_AUDIT_INTERNAL_H_ */ 121