audit_internal.h revision 161635 
1155191Srwatson/*
2155191Srwatson * Copyright (c) 2005 Apple Computer, Inc.
3155191Srwatson * Copyright (c) 2005 SPARTA, Inc.
4155191Srwatson * All rights reserved.
5155191Srwatson *
6155191Srwatson * This code was developed in part by Robert N. M. Watson, Senior Principal
7155191Srwatson * Scientist, SPARTA, Inc.
8155191Srwatson *
9155191Srwatson * @APPLE_BSD_LICENSE_HEADER_START@
10155191Srwatson *
11155191Srwatson * Redistribution and use in source and binary forms, with or without
12155191Srwatson * modification, are permitted provided that the following conditions
13155191Srwatson * are met:
14155191Srwatson *
15155191Srwatson * 1.  Redistributions of source code must retain the above copyright
16155191Srwatson *     notice, this list of conditions and the following disclaimer.
17155191Srwatson * 2.  Redistributions in binary form must reproduce the above copyright
18155191Srwatson *     notice, this list of conditions and the following disclaimer in the
19155191Srwatson *     documentation and/or other materials provided with the distribution.
20155191Srwatson * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
21155191Srwatson *     its contributors may be used to endorse or promote products derived
22155191Srwatson *     from this software without specific prior written permission.
23155191Srwatson *
24155191Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
25155191Srwatson * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
26155191Srwatson * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
27155191Srwatson * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
28155191Srwatson * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
29155191Srwatson * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
30155191Srwatson * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
31155191Srwatson * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
32155191Srwatson * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
33155191Srwatson * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34155191Srwatson *
35155191Srwatson * @APPLE_BSD_LICENSE_HEADER_END@
36155191Srwatson *
37161635Srwatson * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit_internal.h#11 $
38155191Srwatson * $FreeBSD: head/sys/bsm/audit_internal.h 161635 2006-08-26 08:17:58Z rwatson $
39155191Srwatson */
40155191Srwatson
41156289Srwatson#ifndef _AUDIT_INTERNAL_H
42156289Srwatson#define	_AUDIT_INTERNAL_H
43155191Srwatson
44156289Srwatson#if defined(__linux__) && !defined(__unused)
45156289Srwatson#define	__unused
46156289Srwatson#endif
47156289Srwatson
48155191Srwatson/*
49155191Srwatson * audit_internal.h contains private interfaces that are shared by user space
50155191Srwatson * and the kernel for the purposes of assembling audit records.  Applications
51155191Srwatson * should not include this file or use the APIs found within, or it may be
52155191Srwatson * broken with future releases of OpenBSM, which may delete, modify, or
53155191Srwatson * otherwise break these interfaces or the assumptions they rely on.
54155191Srwatson */
55156289Srwatsonstruct au_token {
56156289Srwatson	u_char			*t_data;
57156289Srwatson	size_t			 len;
58156289Srwatson	TAILQ_ENTRY(au_token)	 tokens;
59156289Srwatson};
60155191Srwatson
61156289Srwatsonstruct au_record {
62156289Srwatson	char			 used;		/* Record currently in use? */
63156289Srwatson	int			 desc;		/* Descriptor for record. */
64156289Srwatson	TAILQ_HEAD(, au_token)	 token_q;	/* Queue of BSM tokens. */
65156289Srwatson	u_char			*data;
66156289Srwatson	size_t			 len;
67156289Srwatson	LIST_ENTRY(au_record)	 au_rec_q;
68156289Srwatson};
69156289Srwatsontypedef	struct au_record	au_record_t;
70156289Srwatson
71156289Srwatson
72161635Srwatson/*
73161635Srwatson * We could determined the header and trailer sizes by defining appropriate
74161635Srwatson * structures.  We hold off that approach until we have a consistant way of
75161635Srwatson * using structures for all tokens.  This is not straightforward since these
76161635Srwatson * token structures may contain pointers of whose contents we dont know the
77161635Srwatson * size (e.g text tokens).
78155191Srwatson */
79161635Srwatson#define	AUDIT_HEADER_SIZE	18
80161635Srwatson#define	AUDIT_TRAILER_SIZE	7
81155191Srwatson
82155191Srwatson/*
83155191Srwatson * BSM token streams store fields in big endian byte order, so as to be
84155191Srwatson * portable; when encoding and decoding, we must convert byte orders for
85155191Srwatson * typed values.
86155191Srwatson */
87155191Srwatson#define	ADD_U_CHAR(loc, val)						\
88155191Srwatson	do {								\
89155191Srwatson		*(loc) = (val);						\
90155191Srwatson		(loc) += sizeof(u_char);				\
91155191Srwatson	} while(0)
92155191Srwatson
93155191Srwatson
94155191Srwatson#define	ADD_U_INT16(loc, val)						\
95155191Srwatson	do {								\
96155191Srwatson		be16enc((loc), (val));					\
97155191Srwatson		(loc) += sizeof(u_int16_t);				\
98155191Srwatson	} while(0)
99155191Srwatson
100155191Srwatson#define	ADD_U_INT32(loc, val)						\
101155191Srwatson	do {								\
102155191Srwatson		be32enc((loc), (val));					\
103155191Srwatson		(loc) += sizeof(u_int32_t);				\
104155191Srwatson	} while(0)
105155191Srwatson
106155191Srwatson#define	ADD_U_INT64(loc, val)						\
107155191Srwatson	do {								\
108155191Srwatson		be64enc((loc), (val));					\
109155191Srwatson		(loc) += sizeof(u_int64_t); 				\
110155191Srwatson	} while(0)
111155191Srwatson
112155191Srwatson#define	ADD_MEM(loc, data, size)					\
113155191Srwatson	do {								\
114155191Srwatson		memcpy((loc), (data), (size));				\
115155191Srwatson		(loc) += size;						\
116155191Srwatson	} while(0)
117155191Srwatson
118155191Srwatson#define	ADD_STRING(loc, data, size)	ADD_MEM(loc, data, size)
119155191Srwatson
120156289Srwatson#endif /* !_AUDIT_INTERNAL_H_ */
121