1/*
2 * Copyright (c) 2004,2011,2014 Apple Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19#ifndef _H_CCAUDIT
20#define _H_CCAUDIT
21
22#include <security_utilities/utilities.h>
23#include <mach/message.h>       // audit_token_t
24#include <bsm/audit.h>          // au_tid_t, etc.
25#include <bsm/audit_kevents.h>	// AUE_NULL
26
27namespace Security {
28namespace CommonCriteria {
29
30class AuditToken;
31
32
33/*
34 * For the most part, we won't have a machine ID to initialize the
35 * au_tid_t's machine field.  There's no machine ID in the audit token,
36 * for example, since MIG is localhost-only.
37 */
class TerminalId: public PodWrapper<TerminalId, au_tid_t>
{
  public:
    // Defined out of line; the initial values of port/machine are not
    // visible from this header.
    TerminalId();
    // Copying goes through set(); the TerminalId argument binds to a
    // const au_tid_t& (presumably via the PodWrapper base).
    TerminalId(const TerminalId &t)     { set(t); }
    // Not explicit: a raw au_tid_t converts implicitly to a TerminalId.
    TerminalId(const au_tid_t &tid)     { set(tid); }
    ~TerminalId()                       { }

    // Field-by-field copy of the two au_tid_t members into this object
    // (not a whole-struct assignment).
    void set(const au_tid_t &tid)       { port = tid.port; machine = tid.machine; }
};
48
49/*
50 * audit_token_t provides all the info required for Common Criteria-mandated
51 * auditing.  It's defined in <mach/mach_types.defs>.  Its values are filled
52 * in by the kernel during a Mach RPC and it should be treated as read-only
53 * thereafter.
54 */
class AuditToken {
  public:
    // Unpacks the kernel-supplied token into the cached fields below;
    // defined out of line.  Not explicit, so AuditRecord can construct one
    // directly from an audit_token_t.
    AuditToken(const audit_token_t &token);
    ~AuditToken()					{ }

    // Copy of the raw token as received.
    audit_token_t auditToken() const { return mAuditToken;		}
    // Caller identity fields cached at construction.  Per the note above,
    // the kernel fills the token in during the Mach RPC, so these reflect
    // the actual caller rather than anything the client claims in the
    // message body.
    uid_t auditId() const           { return mAuditId;          }
    uid_t euid() const              { return mEuid;             }
    gid_t egid() const              { return mEgid;             }
    uid_t ruid() const              { return mRuid;             }
    gid_t rgid() const              { return mRgid;             }
    pid_t pid() const               { return mPid;              }
    au_asid_t sessionId() const		{ return mSessionId;		}
    // Reference into this object (TerminalId seen as its au_tid_t base);
    // valid only as long as the AuditToken lives.
    const au_tid_t &terminalId() const { return mTerminalId;	}

  private:
    audit_token_t	mAuditToken;	// raw token, kept verbatim
    uid_t mAuditId;
    uid_t mEuid;
    gid_t mEgid;
    uid_t mRuid;
    gid_t mRgid;
    pid_t mPid;						// of client
    au_asid_t mSessionId;
    TerminalId mTerminalId;			// exposed as au_tid_t via terminalId()
};
81
82
83/*
84 * The (new) audit information structure
85 */
class AuditInfo : public PodWrapper<AuditInfo, auditinfo_addr_t> {
public:
	// Fill this object for the current process (get()), a given audit
	// session (get(session)) or a given process (getPid()).  All three are
	// defined out of line; presumably they query the kernel, and their
	// failure behavior is not visible here.
	void get();
	void get(au_asid_t session);
	void getPid(pid_t pid);
	// Apply this object's contents (out of line; presumably to the kernel).
	void set();
	// Create a new audit session with the given flags and audit user id
	// (out of line).  auid defaults to AU_DEFAUDITID.
	void create(uint64_t flags, uid_t auid = AU_DEFAUDITID);

	// Direct readers of the underlying auditinfo_addr_t fields.
	uid_t uid() const { return this->ai_auid; }
	uint64_t flags() const { return this->ai_flags; }
	au_asid_t sessionId() const { return this->ai_asid; }

	// Default-constructs an AuditInfo and fills it via get().
	static AuditInfo current() { AuditInfo info; info.get(); return info; }
};
100
101
102// XXX/gh  3926739
103//
104// NB: Qualify all uses of these names with the namespace (CommonCriteria).
105// Existing source code already follows this convention.
// Unscoped enum: the enumerators land directly in the CommonCriteria
// namespace, hence the qualification note above.  Values after
// errInvalidCredential are consecutive.
enum ExternalErrors
{
	errNone = 0,
	errInvalidCredential = 1111,	// try to make easier to find in log
	errUserCanceled,				// 1112
	errTooManyTries,				// 1113
    errAuthDenied,                  // 1114; "Auth" --> authorization; named to
                                    // avoid conflict with the C symbol
                                    // errAuthorizationDenied already in
                                    // use
	errEndOfExternalErrors			// 1115; sentry/placeholder, not a real error
};
118
119
120
class AuditMask
{
  public:
    // s and f are the success and failure event masks.  Both default to
    // AUE_NULL (from <bsm/audit_kevents.h>, see the include above),
    // presumably an empty selection.  Not explicit, so a single unsigned int
    // converts implicitly to a success-only mask.
    AuditMask(unsigned int s = AUE_NULL, unsigned int f = AUE_NULL)
    {
        mMask.am_success = s; mMask.am_failure = f;
    }
    ~AuditMask()                        { }
    // Reference into this object; valid only while the AuditMask lives.
    const au_mask_t &get(void) const    { return mMask; }

  private:
    au_mask_t mMask;
};
134
135
136// audit session state for the current process; only used by Server
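class AuditSession
{
  public:
    // mEventMask starts as AuditMask's default (AUE_NULL/AUE_NULL) and
    // mTerminalId as TerminalId's out-of-line default.
    AuditSession(au_id_t auid, au_asid_t sid)
        : mAuditId(auid), mSessionId(sid) { }
    ~AuditSession() { }

    // set audit info for this process in kernel (defined out of line;
    // failure behavior is not visible here)
    void registerSession(void);

    // Setters.  The mask and terminal-id setters take const references so
    // that const objects and temporaries can be passed; the values are
    // copied into this object.
    void auditId(au_id_t auid)                  { mAuditId = auid; }
    void eventMask(const AuditMask &mask)       { mEventMask = mask; }
    void terminalId(const TerminalId &tid)      { mTerminalId = tid; }
    void sessionId(au_asid_t sid)               { mSessionId = sid; }

    // Getters.  The by-value getters are const; the reference getters keep
    // their mutable form for existing callers and gain const overloads.
    // Returned references are valid only while the AuditSession lives.
    au_id_t auditId(void) const                 { return mAuditId; }
    AuditMask &eventMask(void)                  { return mEventMask; }
    const AuditMask &eventMask(void) const      { return mEventMask; }
    TerminalId &terminalId(void)                { return mTerminalId; }
    const TerminalId &terminalId(void) const    { return mTerminalId; }
    au_asid_t sessionId(void) const             { return mSessionId; }

  private:
    au_id_t mAuditId;
    AuditMask mEventMask;
    TerminalId mTerminalId;
    au_asid_t mSessionId;
};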
163
164//
165// For submitting audit records.  Not general-purpose: no ability to
166// submit arbitrary BSM tokens, for example.  However, the SecurityServer
167// has only limited auditing requirements under Common Criteria.
168//
class AuditRecord
{
  public:
    // Record for a client identified by an already-unpacked AuditToken ...
    AuditRecord(const AuditToken &auditToken)
		: mAuditToken(auditToken)	{ }
	// ... or by the raw kernel-supplied audit_token_t, which is unpacked
	// into an AuditToken here.
	AuditRecord(const audit_token_t &auditToken)
		: mAuditToken(auditToken)	{ }
    ~AuditRecord()					{ }

    // Submit one record for event_code (defined out of line).
    // returnCode == 0 --> success; nonzero returnCode --> failure
    // msg is optional; presumably attached to the record when non-null.
    // NOTE(review): event_code is a signed short while BSM's au_event_t is
    // an unsigned 16-bit type, so event numbers above SHRT_MAX arrive here
    // sign-converted; the definition is expected to convert back -- confirm.
    void submit(const short event_code, const int returnCode,
		const char *msg = NULL);

  private:
    AuditToken mAuditToken;			// identity of the audited client
};
185
186} // end namespace CommonCriteria
187} // end namespace Security
188
189#endif	// _H_CCAUDIT
190