1/* 2 * Copyright (c) 1999-2007 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28/* 29 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce 30 * support for mandatory and extensible security protections. This notice 31 * is included in support of clause 2.2 (b) of the Apple Public License, 32 * Version 2.0. 33 */ 34 35#ifndef _BSM_AUDIT_KERNEL_H 36#define _BSM_AUDIT_KERNEL_H 37 38#if CONFIG_MACF 39#include <sys/queue.h> 40#include <security/mac_framework.h> 41#endif 42 43#ifdef KERNEL 44 45#include <bsm/audit.h> 46 47#include <sys/sysctl.h> 48#include <sys/user.h> 49#include <sys/ipc.h> 50 51/* 52 * Audit subsystem condition flags. The audit_enabled flag is set and 53 * removed automatically as a result of configuring log files, and 54 * can be observed but should not be directly manipulated. The audit 55 * suspension flag permits audit to be temporarily disabled without 56 * reconfiguring the audit target. 57 */ 58extern int audit_enabled; 59extern int audit_suspended; 60 61#define BSM_SUCCESS 0 62#define BSM_FAILURE 1 63#define BSM_NOAUDIT 2 64 65/* 66 * Define the masks for the audited arguments. 67 */ 68#define ARG_EUID 0x0000000000000001ULL 69#define ARG_RUID 0x0000000000000002ULL 70#define ARG_SUID 0x0000000000000004ULL 71#define ARG_EGID 0x0000000000000008ULL 72#define ARG_RGID 0x0000000000000010ULL 73#define ARG_SGID 0x0000000000000020ULL 74#define ARG_PID 0x0000000000000040ULL 75#define ARG_UID 0x0000000000000080ULL 76#define ARG_AUID 0x0000000000000100ULL 77#define ARG_GID 0x0000000000000200ULL 78#define ARG_FD 0x0000000000000400ULL 79#define ARG_POSIX_IPC_PERM 0x0000000000000800ULL 80#define ARG_FFLAGS 0x0000000000001000ULL 81#define ARG_MODE 0x0000000000002000ULL 82#define ARG_DEV 0x0000000000004000ULL 83#define ARG_ADDR 0x0000000000008000ULL 84#define ARG_LEN 0x0000000000010000ULL 85#define ARG_MASK 0x0000000000020000ULL 86#define ARG_SIGNUM 0x0000000000040000ULL 87#define ARG_LOGIN 0x0000000000080000ULL 88#define ARG_SADDRINET 0x0000000000100000ULL 89#define ARG_SADDRINET6 0x0000000000200000ULL 90#define ARG_SADDRUNIX 0x0000000000400000ULL 91#define ARG_KPATH1 0x0000000000800000ULL 92#define ARG_KPATH2 0x0000000001000000ULL 93#define ARG_UPATH1 0x0000000002000000ULL 94#define ARG_UPATH2 0x0000000004000000ULL 95#define ARG_TEXT 0x0000000008000000ULL 96#define ARG_VNODE1 0x0000000010000000ULL 97#define ARG_VNODE2 0x0000000020000000ULL 98#define ARG_SVIPC_CMD 0x0000000040000000ULL 99#define ARG_SVIPC_PERM 0x0000000080000000ULL 100#define ARG_SVIPC_ID 0x0000000100000000ULL 101#define ARG_SVIPC_ADDR 0x0000000200000000ULL 102#define ARG_GROUPSET 0x0000000400000000ULL 103#define ARG_CMD 0x0000000800000000ULL 104#define ARG_SOCKINFO 0x0000001000000000ULL 105#define ARG_ASID 0x0000002000000000ULL 106#define ARG_TERMID 0x0000004000000000ULL 107#define ARG_AUDITON 0x0000008000000000ULL 108#define ARG_VALUE 0x0000010000000000ULL 109#define ARG_AMASK 0x0000020000000000ULL 110#define ARG_CTLNAME 0x0000040000000000ULL 111#define ARG_PROCESS 0x0000080000000000ULL 112#define ARG_MACHPORT1 0x0000100000000000ULL 113#define ARG_MACHPORT2 0x0000200000000000ULL 114#define ARG_MAC_STRING 0x0000400000000000ULL 115#define ARG_NONE 0x0000000000000000ULL 116#define ARG_ALL 0xFFFFFFFFFFFFFFFFULL 117 118/* Defines for the kernel audit record k_ar_commit field */ 119#define AR_COMMIT_KERNEL 0x00000001U 120#define AR_COMMIT_USER 0x00000010U 121 122struct vnode_au_info { 123 mode_t vn_mode; 124 uid_t vn_uid; 125 gid_t vn_gid; 126 dev_t vn_dev; 127 long vn_fsid; 128 long vn_fileid; 129 long vn_gen; 130}; 131 132struct groupset { 133 gid_t gidset[NGROUPS]; 134 u_int gidset_size; 135}; 136 137struct socket_au_info { 138 int so_domain; 139 int so_type; 140 int so_protocol; 141 in_addr_t so_raddr; /* remote address if INET socket */ 142 in_addr_t so_laddr; /* local address if INET socket */ 143 u_short so_rport; /* remote port */ 144 u_short so_lport; /* local port */ 145}; 146 147union auditon_udata { 148 char au_path[MAXPATHLEN]; 149 long au_cond; 150 long au_flags; 151 long au_policy; 152 au_evclass_map_t au_evclass; 153 au_mask_t au_mask; 154 auditinfo_t au_auinfo; 155 auditpinfo_t au_aupinfo; 156 auditpinfo_addr_t au_aupinfo_addr; 157 au_qctrl_t au_qctrl; 158 au_stat_t au_stat; 159 au_fstat_t au_fstat; 160}; 161 162struct posix_ipc_perm { 163 uid_t pipc_uid; 164 gid_t pipc_gid; 165 mode_t pipc_mode; 166}; 167 168#if CONFIG_MACF 169 170#define MAC_AUDIT_LABEL_LEN 1024 171#define MAC_AUDIT_DATA_TYPE 0 172#define MAC_AUDIT_TEXT_TYPE 1 173 174struct mac_audit_record { 175 int type; // one of the types defined above 176 int length; // byte length of the data field 177 u_char *data; // the payload 178 LIST_ENTRY(mac_audit_record) records; 179}; 180 181#endif 182 183struct audit_record { 184 /* Audit record header. */ 185 u_int32_t ar_magic; 186 int ar_event; 187 int ar_retval; /* value returned to the process */ 188 int ar_errno; /* return status of system call */ 189 struct timespec ar_starttime; 190 struct timespec ar_endtime; 191 u_int64_t ar_valid_arg; /* Bitmask of valid arguments */ 192 193 /* Audit subject information. */ 194 struct xucred ar_subj_cred; 195 uid_t ar_subj_ruid; 196 gid_t ar_subj_rgid; 197 gid_t ar_subj_egid; 198 uid_t ar_subj_auid; /* Audit user ID */ 199 pid_t ar_subj_asid; /* Audit session ID */ 200 pid_t ar_subj_pid; 201 struct au_tid ar_subj_term; 202 char ar_subj_comm[MAXCOMLEN + 1]; 203 struct au_mask ar_subj_amask; 204 205 /* Operation arguments. */ 206 uid_t ar_arg_euid; 207 uid_t ar_arg_ruid; 208 uid_t ar_arg_suid; 209 gid_t ar_arg_egid; 210 gid_t ar_arg_rgid; 211 gid_t ar_arg_sgid; 212 pid_t ar_arg_pid; 213 pid_t ar_arg_asid; 214 struct au_tid ar_arg_termid; 215 uid_t ar_arg_uid; 216 uid_t ar_arg_auid; 217 gid_t ar_arg_gid; 218 struct groupset ar_arg_groups; 219 int ar_arg_fd; 220 int ar_arg_fflags; 221 mode_t ar_arg_mode; 222 int ar_arg_dev; 223 long ar_arg_value; 224 void * ar_arg_addr; 225 int ar_arg_len; 226 int ar_arg_mask; 227 u_int ar_arg_signum; 228 char ar_arg_login[MAXLOGNAME]; 229 int ar_arg_ctlname[CTL_MAXNAME]; 230 struct sockaddr ar_arg_sockaddr; 231 struct socket_au_info ar_arg_sockinfo; 232 char *ar_arg_upath1; 233 char *ar_arg_upath2; 234 char *ar_arg_kpath1; 235 char *ar_arg_kpath2; 236#if CONFIG_MACF 237 char *ar_vnode1_mac_labels; 238 char *ar_vnode2_mac_labels; 239 char *ar_cred_mac_labels; 240 char *ar_arg_mac_string; 241#endif 242 char *ar_arg_text; 243 struct au_mask ar_arg_amask; 244 struct vnode_au_info ar_arg_vnode1; 245 struct vnode_au_info ar_arg_vnode2; 246 int ar_arg_cmd; 247 int ar_arg_svipc_cmd; 248 struct ipc_perm ar_arg_svipc_perm; 249 int ar_arg_svipc_id; 250 user_addr_t ar_arg_svipc_addr; 251 struct posix_ipc_perm ar_arg_pipc_perm; 252 mach_port_name_t ar_arg_mach_port1; 253 mach_port_name_t ar_arg_mach_port2; 254 union auditon_udata ar_arg_auditon; 255 256#if CONFIG_MACF 257 /* MAC security related fields added by MAC policies 258 * ar_forced_by_mac is 1 if mac_audit_check_preselect() forced this 259 * call to be audited, 0 otherwise. 260 */ 261 LIST_HEAD(mac_audit_record_list_t, mac_audit_record) *ar_mac_records; 262 int ar_forced_by_mac; 263#endif 264 265}; 266 267/* 268 * In-kernel version of audit record; the basic record plus queue meta-data. 269 * This record can also have a pointer set to some opaque data that will 270 * be passed through to the audit writing mechanism. 271 */ 272struct kaudit_record { 273 struct audit_record k_ar; 274 u_int32_t k_ar_commit; 275 void *k_udata; /* user data */ 276 u_int k_ulen; /* user data length */ 277 struct uthread *k_uthread; /* thread we are auditing */ 278 TAILQ_ENTRY(kaudit_record) k_q; 279}; 280 281struct proc; 282struct vnode; 283struct componentname; 284 285int kau_will_audit(void); 286 287void audit_abort(struct kaudit_record *ar); 288void audit_commit(struct kaudit_record *ar, int error, 289 int retval); 290void audit_init(void); 291void audit_shutdown(void); 292 293struct kaudit_record *audit_new(int event, struct proc *p, 294 struct uthread *uthread); 295 296void audit_syscall_enter(unsigned short code, 297 struct proc *proc, struct uthread *uthread); 298#if CONFIG_MACF 299/* 300 * The parameter list of audit_syscall_exit() was modified to also take the 301 * Darwin syscall number, which is required by mac_audit_check_postselect(). 302 */ 303void audit_syscall_exit(unsigned short code, int error, 304 struct proc *proc, struct uthread *uthread); 305#else 306void audit_syscall_exit(int error, struct proc *proc, 307 struct uthread *uthread); 308#endif 309void audit_mach_syscall_enter(unsigned short audit_event); 310void audit_mach_syscall_exit(int retval, 311 struct uthread *uthread); 312 313int kaudit_to_bsm(struct kaudit_record *kar, 314 struct au_record **pau); 315 316int bsm_rec_verify(void *rec); 317 318/* 319 * Kernel versions of the BSM audit record functions. 320 */ 321struct au_record *kau_open(void); 322int kau_write(struct au_record *rec, token_t *m); 323int kau_close(struct au_record *rec, 324 struct timespec *endtime, short event); 325void kau_free(struct au_record *rec); 326void kau_init(void); 327token_t *kau_to_file(const char *file, const struct timeval *tv); 328token_t *kau_to_header(const struct timespec *ctime, int rec_size, 329 au_event_t e_type, au_emod_t e_mod); 330token_t *kau_to_header32(const struct timespec *ctime, int rec_size, 331 au_event_t e_type, au_emod_t e_mod); 332token_t *kau_to_header64(const struct timespec *ctime, int rec_size, 333 au_event_t e_type, au_emod_t e_mod); 334/* 335 * The remaining kernel functions are conditionally compiled in as they 336 * are wrapped by a macro, and the macro should be the only place in 337 * the source tree where these functions are referenced. 338 */ 339#if AUDIT 340void audit_arg_addr(user_addr_t addr); 341void audit_arg_len(user_size_t len); 342void audit_arg_fd(int fd); 343void audit_arg_fflags(int fflags); 344void audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid, 345 gid_t sgid); 346void audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid, 347 uid_t suid); 348void audit_arg_groupset(const gid_t *gidset, u_int gidset_size); 349void audit_arg_login(const char *login); 350void audit_arg_ctlname(const int *name, int namelen); 351void audit_arg_mask(int mask); 352void audit_arg_mode(mode_t mode); 353void audit_arg_dev(int dev); 354void audit_arg_value(long value); 355void audit_arg_owner(uid_t uid, gid_t gid); 356void audit_arg_pid(pid_t pid); 357void audit_arg_process(struct proc *p); 358void audit_arg_signum(u_int signum); 359void audit_arg_socket(int sodomain, int sotype, 360 int soprotocol); 361void audit_arg_sockaddr(struct vnode *cwd_vp, 362 struct sockaddr *so); 363void audit_arg_auid(uid_t auid); 364void audit_arg_auditinfo(const struct auditinfo *au_info); 365void audit_arg_upath(struct vnode *cwd_vp, char *upath, 366 u_int64_t flags); 367void audit_arg_vnpath(struct vnode *vp, u_int64_t flags); 368void audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags); 369void audit_arg_text(const char *text); 370void audit_arg_cmd(int cmd); 371void audit_arg_svipc_cmd(int cmd); 372void audit_arg_svipc_perm(const struct ipc_perm *perm); 373void audit_arg_svipc_id(int id); 374void audit_arg_svipc_addr(user_addr_t addr); 375void audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, 376 mode_t mode); 377void audit_arg_auditon(const union auditon_udata *udata); 378void audit_arg_file(struct proc *p, const struct fileproc *fp); 379void audit_arg_mach_port1(mach_port_name_t port); 380void audit_arg_mach_port2(mach_port_name_t port); 381 382void audit_sysclose(struct proc *p, int fd); 383 384void audit_proc_init(struct proc *p); 385void audit_proc_fork(struct proc *parent, 386 struct proc *child); 387void audit_proc_free(struct proc *p); 388 389#if CONFIG_MACF 390/* 391 * audit_mac_data() is the MAC Framework's entry point to the audit subsystem. 392 * It currently creates only text and data audit tokens. 393 */ 394int audit_mac_data(int type, int len, u_char *data); 395void audit_arg_mac_string(const char *string); 396 397#endif 398 399/* 400 * Define a macro to wrap the audit_arg_* calls by checking the global 401 * audit_enabled flag before performing the actual call. 402 */ 403#define AUDIT_ARG(op, args...) do { \ 404 if (audit_enabled) \ 405 audit_arg_ ## op (args); \ 406 } while (0) 407 408#define AUDIT_SYSCALL_ENTER(args...) do { \ 409 if (audit_enabled) { \ 410 audit_syscall_enter(args); \ 411 } \ 412 } while (0) 413 414/* 415 * Wrap the audit_syscall_exit() function so that it is called only when 416 * auditing is enabled, or we have a audit record on the thread. It is 417 * possible that an audit record was begun before auditing was turned off. 418 */ 419#define AUDIT_SYSCALL_EXIT(code, proc, uthread, error) do { \ 420 if (audit_enabled || (uthread->uu_ar != NULL)) { \ 421 audit_syscall_exit(code, error, proc, uthread); \ 422 } \ 423 } while (0) 424 425/* 426 * Wrap the audit_mach_syscall_enter() and audit_mach_syscall_exit() 427 * functions in a manner similar to other system call enter/exit functions. 428 */ 429#define AUDIT_MACH_SYSCALL_ENTER(args...) do { \ 430 if (audit_enabled) { \ 431 audit_mach_syscall_enter(args); \ 432 } \ 433 } while (0) 434 435#define AUDIT_MACH_SYSCALL_EXIT(retval) do { \ 436 struct uthread *__uthread = get_bsdthread_info(current_thread()); \ 437 if (audit_enabled || (__uthread->uu_ar != NULL)) { \ 438 audit_mach_syscall_exit(retval, __uthread); \ 439 } \ 440 } while (0) 441 442/* 443 * A Macro to wrap the audit_sysclose() function. 444 */ 445#define AUDIT_SYSCLOSE(args...) do { \ 446 if (audit_enabled) \ 447 audit_sysclose(args); \ 448 } while (0) 449 450#else /* !AUDIT */ 451 452#define AUDIT_ARG(op, args...) do { \ 453 } while (0) 454 455#define AUDIT_SYSCALL_ENTER(args...) do { \ 456 } while (0) 457 458#define AUDIT_SYSCALL_EXIT(code, proc, uthread, error) do { \ 459 } while (0) 460 461#define AUDIT_MACH_SYSCALL_ENTER(args...) do { \ 462 } while (0) 463 464#define AUDIT_MACH_SYSCALL_EXIT(retval) do { \ 465 } while (0) 466 467#define AUDIT_SYSCLOSE(op, args...) do { \ 468 } while (0) 469 470#endif /* AUDIT */ 471 472#endif /* KERNEL */ 473 474#endif /* !_BSM_AUDIT_KERNEL_H */ 475