audit.h revision 155195 
1/*
2 * Copyright (c) 1999-2005 Apple Computer, Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1.  Redistributions of source code must retain the above copyright
9 *     notice, this list of conditions and the following disclaimer.
10 * 2.  Redistributions in binary form must reproduce the above copyright
11 *     notice, this list of conditions and the following disclaimer in the
12 *     documentation and/or other materials provided with the distribution.
13 * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 *     its contributors may be used to endorse or promote products derived
15 *     from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 *
29 * $FreeBSD: head/sys/security/audit/audit.h 155195 2006-02-02 00:37:05Z rwatson $
30 */
31
32/*
33 * This header includes function prototypes and type definitions that are
34 * necessary for the kernel as a whole to interact with the audit subsystem.
35 */
36
37#ifndef _BSM_AUDIT_KERNEL_H
38#define	_BSM_AUDIT_KERNEL_H
39
40#ifndef _KERNEL
41#error "no user-serviceable parts inside"
42#endif
43
44#include <bsm/audit.h>
45
46#include <sys/file.h>
47#include <sys/sysctl.h>
48#include <sys/user.h>
49
50/*
51 * Audit subsystem condition flags.  The audit_enabled flag is set and
52 * removed automatically as a result of configuring log files, and
53 * can be observed but should not be directly manipulated.  The audit
54 * suspension flag permits audit to be temporarily disabled without
55 * reconfiguring the audit target.
56 */
57extern int	audit_enabled;
58extern int	audit_suspended;
59
60/*
61 * Define the masks for the audited arguments.
62 *
63 * XXXRW: These need to remain in audit.h for now because our vnode and name
64 * lookup audit calls rely on passing in flags to indicate which name or
65 * vnode is being logged.  These should move to audit_private.h when that is
66 * fixed.
67 */
68#define ARG_EUID		0x0000000000000001ULL
69#define ARG_RUID		0x0000000000000002ULL
70#define ARG_SUID		0x0000000000000004ULL
71#define ARG_EGID		0x0000000000000008ULL
72#define ARG_RGID		0x0000000000000010ULL
73#define ARG_SGID		0x0000000000000020ULL
74#define ARG_PID			0x0000000000000040ULL
75#define ARG_UID			0x0000000000000080ULL
76#define ARG_AUID		0x0000000000000100ULL
77#define ARG_GID			0x0000000000000200ULL
78#define ARG_FD			0x0000000000000400ULL
79#define ARG_POSIX_IPC_PERM 	0x0000000000000800ULL
80#define ARG_FFLAGS		0x0000000000001000ULL
81#define ARG_MODE		0x0000000000002000ULL
82#define ARG_DEV			0x0000000000004000ULL
83#define ARG_ADDR		0x0000000000008000ULL
84#define ARG_LEN			0x0000000000010000ULL
85#define ARG_MASK		0x0000000000020000ULL
86#define ARG_SIGNUM		0x0000000000040000ULL
87#define ARG_LOGIN		0x0000000000080000ULL
88#define ARG_SADDRINET		0x0000000000100000ULL
89#define ARG_SADDRINET6		0x0000000000200000ULL
90#define ARG_SADDRUNIX		0x0000000000400000ULL
91#define ARG_UNUSED1		0x0000000000800000ULL
92#define ARG_UNUSED2		0x0000000001000000ULL
93#define ARG_UPATH1		0x0000000002000000ULL
94#define ARG_UPATH2		0x0000000004000000ULL
95#define ARG_TEXT		0x0000000008000000ULL
96#define ARG_VNODE1		0x0000000010000000ULL
97#define ARG_VNODE2		0x0000000020000000ULL
98#define ARG_SVIPC_CMD		0x0000000040000000ULL
99#define ARG_SVIPC_PERM		0x0000000080000000ULL
100#define ARG_SVIPC_ID		0x0000000100000000ULL
101#define ARG_SVIPC_ADDR		0x0000000200000000ULL
102#define ARG_GROUPSET		0x0000000400000000ULL
103#define ARG_CMD			0x0000000800000000ULL
104#define ARG_SOCKINFO		0x0000001000000000ULL
105#define ARG_ASID		0x0000002000000000ULL
106#define ARG_TERMID		0x0000004000000000ULL
107#define ARG_AUDITON		0x0000008000000000ULL
108#define ARG_VALUE		0x0000010000000000ULL
109#define ARG_AMASK		0x0000020000000000ULL
110#define ARG_CTLNAME		0x0000040000000000ULL
111#define ARG_PROCESS		0x0000080000000000ULL
112#define ARG_MACHPORT1		0x0000100000000000ULL
113#define ARG_MACHPORT2		0x0000200000000000ULL
114#define	ARG_EXIT		0x0000400000000000ULL
115#define ARG_NONE		0x0000000000000000ULL
116#define ARG_ALL			0xFFFFFFFFFFFFFFFFULL
117
118void			 audit_syscall_enter(unsigned short code,
119				struct thread *td);
120void			 audit_syscall_exit(int error, struct thread *td);
121
122/*
123 * The remaining kernel functions are conditionally compiled in as they
124 * are wrapped by a macro, and the macro should be the only place in
125 * the source tree where these functions are referenced.
126 */
127#ifdef AUDIT
128struct ipc_perm;
129struct sockaddr;
130union auditon_udata;
131void			 audit_arg_addr(void * addr);
132void			 audit_arg_exit(int status, int retval);
133void			 audit_arg_len(int len);
134void			 audit_arg_fd(int fd);
135void			 audit_arg_fflags(int fflags);
136void			 audit_arg_gid(gid_t gid);
137void			 audit_arg_uid(uid_t uid);
138void			 audit_arg_egid(gid_t egid);
139void			 audit_arg_euid(uid_t euid);
140void			 audit_arg_rgid(gid_t rgid);
141void			 audit_arg_ruid(uid_t ruid);
142void			 audit_arg_sgid(gid_t sgid);
143void			 audit_arg_suid(uid_t suid);
144void			 audit_arg_groupset(gid_t *gidset, u_int gidset_size);
145void			 audit_arg_login(char *login);
146void			 audit_arg_ctlname(int *name, int namelen);
147void			 audit_arg_mask(int mask);
148void			 audit_arg_mode(mode_t mode);
149void			 audit_arg_dev(int dev);
150void			 audit_arg_value(long value);
151void			 audit_arg_owner(uid_t uid, gid_t gid);
152void			 audit_arg_pid(pid_t pid);
153void			 audit_arg_process(struct proc *p);
154void			 audit_arg_signum(u_int signum);
155void			 audit_arg_socket(int sodomain, int sotype,
156						int soprotocol);
157void			 audit_arg_sockaddr(struct thread *td,
158						struct sockaddr *so);
159void			 audit_arg_auid(uid_t auid);
160void			 audit_arg_auditinfo(struct auditinfo *au_info);
161void			 audit_arg_upath(struct thread *td, char *upath,
162					 u_int64_t flags);
163void			 audit_arg_vnode(struct vnode *vp, u_int64_t flags);
164void			 audit_arg_text(char *text);
165void			 audit_arg_cmd(int cmd);
166void			 audit_arg_svipc_cmd(int cmd);
167void			 audit_arg_svipc_perm(struct ipc_perm *perm);
168void			 audit_arg_svipc_id(int id);
169void			 audit_arg_svipc_addr(void *addr);
170void			 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid,
171						 mode_t mode);
172void			 audit_arg_auditon(union auditon_udata *udata);
173void			 audit_arg_file(struct proc *p, struct file *fp);
174
175void			 audit_sysclose(struct thread *td, int fd);
176
177void			 audit_proc_alloc(struct proc *p);
178void			 audit_proc_kproc0(struct proc *p);
179void			 audit_proc_init(struct proc *p);
180void			 audit_proc_fork(struct proc *parent,
181					 struct proc *child);
182void			 audit_proc_free(struct proc *p);
183void			 audit_thread_alloc(struct thread *td);
184
185/*
186 * Define a macro to wrap the audit_arg_* calls by checking the global
187 * audit_enabled flag before performing the actual call.
188 */
189#define	AUDIT_ARG(op, args...)	do {					\
190	if (audit_enabled)						\
191		audit_arg_ ## op (args);				\
192	} while (0)
193
194#define AUDIT_SYSCALL_ENTER(code, td)	do {				\
195	if (audit_enabled) {						\
196		audit_syscall_enter(code, td);				\
197	}								\
198	} while (0)
199
200/*
201 * Wrap the audit_syscall_exit() function so that it is called only when
202 * auditing is enabled, or we have a audit record on the thread. It is
203 * possible that an audit record was begun before auditing was turned off.
204 */
205#define AUDIT_SYSCALL_EXIT(error, td)	do {				\
206	if (audit_enabled | (td->td_ar != NULL))			\
207		audit_syscall_exit(error, td);				\
208	} while (0)
209
210/*
211 * A Macro to wrap the audit_sysclose() function.
212 */
213#define	AUDIT_SYSCLOSE(td, fd)	do {					\
214	if (audit_enabled)						\
215		audit_sysclose(td, fd);					\
216	} while (0)
217
218#else /* !AUDIT */
219
220void			 audit_proc_init(struct proc *p);
221void			 audit_proc_fork(struct proc *parent,
222					 struct proc *child);
223void			 audit_proc_free(struct proc *p);
224
225#define AUDIT_ARG(op, args...)	do {					\
226	} while (0)
227
228#define AUDIT_SYSCALL_ENTER(code, td)	do {				\
229	} while (0)
230
231#define AUDIT_SYSCALL_EXIT(error, td)	do {				\
232	} while (0)
233
234#define	AUDIT_SYSCLOSE(p, fd)	do {					\
235	} while (0)
236
237#endif /* AUDIT */
238
239#endif /* !_BSM_AUDIT_KERNEL_H */
240