1/*
2 * Copyright (c) 1999-2007 Apple Inc.  All Rights Reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*
29 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
30 * support for mandatory and extensible security protections.  This notice
31 * is included in support of clause 2.2 (b) of the Apple Public License,
32 * Version 2.0.
33 */
34
35#ifndef _BSM_AUDIT_KERNEL_H
36#define	_BSM_AUDIT_KERNEL_H
37
38#if CONFIG_MACF
39#include <sys/queue.h>
40#include <security/mac_framework.h>
41#endif
42
43#ifdef KERNEL
44
45#include <bsm/audit.h>
46
47#include <sys/sysctl.h>
48#include <sys/user.h>
49#include <sys/ipc.h>
50
51/*
52 * Audit subsystem condition flags.  The audit_enabled flag is set and
53 * removed automatically as a result of configuring log files, and
54 * can be observed but should not be directly manipulated.  The audit
55 * suspension flag permits audit to be temporarily disabled without
56 * reconfiguring the audit target.
57 */
58extern int	audit_enabled;
59extern int	audit_suspended;
60
61#define BSM_SUCCESS		0
62#define BSM_FAILURE		1
63#define BSM_NOAUDIT		2
64
65/*
66 * Define the masks for the audited arguments.
67 */
68#define ARG_EUID		0x0000000000000001ULL
69#define ARG_RUID		0x0000000000000002ULL
70#define ARG_SUID		0x0000000000000004ULL
71#define ARG_EGID		0x0000000000000008ULL
72#define ARG_RGID		0x0000000000000010ULL
73#define ARG_SGID		0x0000000000000020ULL
74#define ARG_PID			0x0000000000000040ULL
75#define ARG_UID			0x0000000000000080ULL
76#define ARG_AUID		0x0000000000000100ULL
77#define ARG_GID			0x0000000000000200ULL
78#define ARG_FD			0x0000000000000400ULL
79#define ARG_POSIX_IPC_PERM 	0x0000000000000800ULL
80#define ARG_FFLAGS		0x0000000000001000ULL
81#define ARG_MODE		0x0000000000002000ULL
82#define ARG_DEV			0x0000000000004000ULL
83#define ARG_ADDR		0x0000000000008000ULL
84#define ARG_LEN			0x0000000000010000ULL
85#define ARG_MASK		0x0000000000020000ULL
86#define ARG_SIGNUM		0x0000000000040000ULL
87#define ARG_LOGIN		0x0000000000080000ULL
88#define ARG_SADDRINET		0x0000000000100000ULL
89#define ARG_SADDRINET6		0x0000000000200000ULL
90#define ARG_SADDRUNIX		0x0000000000400000ULL
91#define ARG_KPATH1		0x0000000000800000ULL
92#define ARG_KPATH2		0x0000000001000000ULL
93#define ARG_UPATH1		0x0000000002000000ULL
94#define ARG_UPATH2		0x0000000004000000ULL
95#define ARG_TEXT		0x0000000008000000ULL
96#define ARG_VNODE1		0x0000000010000000ULL
97#define ARG_VNODE2		0x0000000020000000ULL
98#define ARG_SVIPC_CMD		0x0000000040000000ULL
99#define ARG_SVIPC_PERM		0x0000000080000000ULL
100#define ARG_SVIPC_ID		0x0000000100000000ULL
101#define ARG_SVIPC_ADDR		0x0000000200000000ULL
102#define ARG_GROUPSET		0x0000000400000000ULL
103#define ARG_CMD			0x0000000800000000ULL
104#define ARG_SOCKINFO		0x0000001000000000ULL
105#define ARG_ASID		0x0000002000000000ULL
106#define ARG_TERMID		0x0000004000000000ULL
107#define ARG_AUDITON		0x0000008000000000ULL
108#define ARG_VALUE		0x0000010000000000ULL
109#define ARG_AMASK		0x0000020000000000ULL
110#define ARG_CTLNAME		0x0000040000000000ULL
111#define ARG_PROCESS		0x0000080000000000ULL
112#define ARG_MACHPORT1		0x0000100000000000ULL
113#define ARG_MACHPORT2		0x0000200000000000ULL
114#define ARG_MAC_STRING		0x0000400000000000ULL
115#define ARG_NONE		0x0000000000000000ULL
116#define ARG_ALL			0xFFFFFFFFFFFFFFFFULL
117
118/* Defines for the kernel audit record k_ar_commit field */
119#define AR_COMMIT_KERNEL	0x00000001U
120#define AR_COMMIT_USER		0x00000010U
121
122struct vnode_au_info {
123	mode_t		vn_mode;
124	uid_t		vn_uid;
125	gid_t		vn_gid;
126	dev_t		vn_dev;
127	long		vn_fsid;
128	long		vn_fileid;
129	long		vn_gen;
130};
131
132struct groupset {
133	gid_t	gidset[NGROUPS];
134	u_int	gidset_size;
135};
136
137struct socket_au_info {
138	int 		so_domain;
139	int		so_type;
140	int		so_protocol;
141	in_addr_t	so_raddr;	/* remote address if INET socket */
142	in_addr_t	so_laddr;	/* local address if INET socket */
143	u_short		so_rport;	/* remote port */
144	u_short		so_lport;	/* local port */
145};
146
147union auditon_udata {
148	char			au_path[MAXPATHLEN];
149	long			au_cond;
150	long			au_flags;
151	long			au_policy;
152	au_evclass_map_t	au_evclass;
153	au_mask_t		au_mask;
154	auditinfo_t		au_auinfo;
155	auditpinfo_t		au_aupinfo;
156	auditpinfo_addr_t	au_aupinfo_addr;
157	au_qctrl_t		au_qctrl;
158	au_stat_t		au_stat;
159	au_fstat_t		au_fstat;
160};
161
162struct posix_ipc_perm {
163	uid_t			pipc_uid;
164	gid_t			pipc_gid;
165	mode_t			pipc_mode;
166};
167
168#if CONFIG_MACF
169
170#define MAC_AUDIT_LABEL_LEN 1024
171#define MAC_AUDIT_DATA_TYPE 0
172#define MAC_AUDIT_TEXT_TYPE 1
173
174struct mac_audit_record {
175	int type;		// one of the types defined above
176	int length;		// byte length of the data field
177	u_char *data;	// the payload
178	LIST_ENTRY(mac_audit_record) records;
179};
180
181#endif
182
183struct audit_record {
184	/* Audit record header. */
185	u_int32_t		ar_magic;
186	int			ar_event;
187	int			ar_retval; /* value returned to the process */
188	int			ar_errno;  /* return status of system call */
189	struct timespec		ar_starttime;
190	struct timespec		ar_endtime;
191	u_int64_t		ar_valid_arg;  /* Bitmask of valid arguments */
192
193	/* Audit subject information. */
194	struct xucred			ar_subj_cred;
195	uid_t				ar_subj_ruid;
196	gid_t				ar_subj_rgid;
197	gid_t				ar_subj_egid;
198	uid_t				ar_subj_auid; /* Audit user ID */
199	pid_t				ar_subj_asid; /* Audit session ID */
200	pid_t				ar_subj_pid;
201	struct au_tid			ar_subj_term;
202	char				ar_subj_comm[MAXCOMLEN + 1];
203	struct au_mask			ar_subj_amask;
204
205	/* Operation arguments. */
206	uid_t				ar_arg_euid;
207	uid_t				ar_arg_ruid;
208	uid_t				ar_arg_suid;
209	gid_t				ar_arg_egid;
210	gid_t				ar_arg_rgid;
211	gid_t				ar_arg_sgid;
212	pid_t				ar_arg_pid;
213	pid_t				ar_arg_asid;
214	struct au_tid			ar_arg_termid;
215	uid_t				ar_arg_uid;
216	uid_t				ar_arg_auid;
217	gid_t				ar_arg_gid;
218	struct groupset			ar_arg_groups;
219	int				ar_arg_fd;
220	int				ar_arg_fflags;
221	mode_t				ar_arg_mode;
222	int				ar_arg_dev;
223	long				ar_arg_value;
224	void *				ar_arg_addr;
225	int				ar_arg_len;
226	int				ar_arg_mask;
227	u_int				ar_arg_signum;
228	char				ar_arg_login[MAXLOGNAME];
229	int				ar_arg_ctlname[CTL_MAXNAME];
230	struct sockaddr			ar_arg_sockaddr;
231	struct socket_au_info		ar_arg_sockinfo;
232	char				*ar_arg_upath1;
233	char				*ar_arg_upath2;
234	char				*ar_arg_kpath1;
235	char				*ar_arg_kpath2;
236#if CONFIG_MACF
237	char				*ar_vnode1_mac_labels;
238	char				*ar_vnode2_mac_labels;
239	char				*ar_cred_mac_labels;
240	char				*ar_arg_mac_string;
241#endif
242	char				*ar_arg_text;
243	struct au_mask			ar_arg_amask;
244	struct vnode_au_info		ar_arg_vnode1;
245	struct vnode_au_info		ar_arg_vnode2;
246	int				ar_arg_cmd;
247	int				ar_arg_svipc_cmd;
248	struct ipc_perm			ar_arg_svipc_perm;
249	int				ar_arg_svipc_id;
250	user_addr_t			ar_arg_svipc_addr;
251	struct posix_ipc_perm		ar_arg_pipc_perm;
252	mach_port_name_t		ar_arg_mach_port1;
253	mach_port_name_t		ar_arg_mach_port2;
254	union auditon_udata		ar_arg_auditon;
255
256#if CONFIG_MACF
257	/* MAC security related fields added by MAC policies
258	 * ar_forced_by_mac is 1 if mac_audit_check_preselect() forced this
259	 * call to be audited, 0 otherwise.
260	 */
261	LIST_HEAD(mac_audit_record_list_t, mac_audit_record)   *ar_mac_records;
262	int                             ar_forced_by_mac;
263#endif
264
265};
266
267/*
268 * In-kernel version of audit record; the basic record plus queue meta-data.
269 * This record can also have a pointer set to some opaque data that will
270 * be passed through to the audit writing mechanism.
271 */
272struct kaudit_record {
273	struct audit_record		k_ar;
274	u_int32_t			k_ar_commit;
275	void 				*k_udata;    /* user data */
276	u_int				k_ulen;     /* user data length */
277	struct uthread			*k_uthread; /* thread we are auditing */
278	TAILQ_ENTRY(kaudit_record)	k_q;
279};
280
281struct proc;
282struct vnode;
283struct componentname;
284
285int			 kau_will_audit(void);
286
287void			 audit_abort(struct kaudit_record *ar);
288void			 audit_commit(struct kaudit_record *ar, int error,
289					int retval);
290void			 audit_init(void);
291void			 audit_shutdown(void);
292
293struct kaudit_record	*audit_new(int event, struct proc *p,
294			    struct uthread *uthread);
295
296void			 audit_syscall_enter(unsigned short code,
297				struct proc *proc, struct uthread *uthread);
298#if CONFIG_MACF
299/*
300 * The parameter list of audit_syscall_exit() was modified to also take the
301 * Darwin syscall number, which is required by mac_audit_check_postselect().
302 */
303void			 audit_syscall_exit(unsigned short code, int error,
304				struct proc *proc, struct uthread *uthread);
305#else
306void			 audit_syscall_exit(int error, struct proc *proc,
307				struct uthread *uthread);
308#endif
309void			 audit_mach_syscall_enter(unsigned short audit_event);
310void			 audit_mach_syscall_exit(int retval,
311				struct uthread *uthread);
312
313int			kaudit_to_bsm(struct kaudit_record *kar,
314					struct au_record **pau);
315
316int			bsm_rec_verify(void *rec);
317
318/*
319 * Kernel versions of the BSM audit record functions.
320 */
321struct au_record 	*kau_open(void);
322int			kau_write(struct au_record *rec, token_t *m);
323int			kau_close(struct au_record *rec,
324				 struct timespec *endtime, short event);
325void			kau_free(struct au_record *rec);
326void			kau_init(void);
327token_t			*kau_to_file(const char *file, const struct timeval *tv);
328token_t			*kau_to_header(const struct timespec *ctime, int rec_size,
329					au_event_t e_type, au_emod_t e_mod);
330token_t			*kau_to_header32(const struct timespec *ctime, int rec_size,
331					au_event_t e_type, au_emod_t e_mod);
332token_t			*kau_to_header64(const struct timespec *ctime, int rec_size,
333					 au_event_t e_type, au_emod_t e_mod);
334/*
335 * The remaining kernel functions are conditionally compiled in as they
336 * are wrapped by a macro, and the macro should be the only place in
337 * the source tree where these functions are referenced.
338 */
339#if AUDIT
340void			 audit_arg_addr(user_addr_t addr);
341void			 audit_arg_len(user_size_t len);
342void			 audit_arg_fd(int fd);
343void			 audit_arg_fflags(int fflags);
344void			 audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid,
345					gid_t sgid);
346void			 audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid,
347					uid_t suid);
348void			 audit_arg_groupset(const gid_t *gidset, u_int gidset_size);
349void			 audit_arg_login(const char *login);
350void			 audit_arg_ctlname(const int *name, int namelen);
351void			 audit_arg_mask(int mask);
352void			 audit_arg_mode(mode_t mode);
353void			 audit_arg_dev(int dev);
354void			 audit_arg_value(long value);
355void			 audit_arg_owner(uid_t uid, gid_t gid);
356void			 audit_arg_pid(pid_t pid);
357void			 audit_arg_process(struct proc *p);
358void			 audit_arg_signum(u_int signum);
359void			 audit_arg_socket(int sodomain, int sotype,
360						int soprotocol);
361void			 audit_arg_sockaddr(struct vnode *cwd_vp,
362						struct sockaddr *so);
363void			 audit_arg_auid(uid_t auid);
364void			 audit_arg_auditinfo(const struct auditinfo *au_info);
365void			 audit_arg_upath(struct vnode *cwd_vp, char *upath,
366					 u_int64_t flags);
367void			 audit_arg_vnpath(struct vnode *vp, u_int64_t flags);
368void			 audit_arg_vnpath_withref(struct vnode *vp, u_int64_t flags);
369void			 audit_arg_text(const char *text);
370void			 audit_arg_cmd(int cmd);
371void			 audit_arg_svipc_cmd(int cmd);
372void			 audit_arg_svipc_perm(const struct ipc_perm *perm);
373void			 audit_arg_svipc_id(int id);
374void			 audit_arg_svipc_addr(user_addr_t addr);
375void			 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid,
376						 mode_t mode);
377void			 audit_arg_auditon(const union auditon_udata *udata);
378void			 audit_arg_file(struct proc *p, const struct fileproc *fp);
379void			 audit_arg_mach_port1(mach_port_name_t port);
380void			 audit_arg_mach_port2(mach_port_name_t port);
381
382void			 audit_sysclose(struct proc *p, int fd);
383
384void			 audit_proc_init(struct proc *p);
385void			 audit_proc_fork(struct proc *parent,
386					 struct proc *child);
387void			 audit_proc_free(struct proc *p);
388
389#if CONFIG_MACF
390/*
391 * audit_mac_data() is the MAC Framework's entry point to the audit subsystem.
392 * It currently creates only text and data audit tokens.
393 */
394int			 audit_mac_data(int type, int len, u_char *data);
395void			 audit_arg_mac_string(const char *string);
396
397#endif
398
399/*
400 * Define a macro to wrap the audit_arg_* calls by checking the global
401 * audit_enabled flag before performing the actual call.
402 */
403#define	AUDIT_ARG(op, args...)	do {					\
404	if (audit_enabled)						\
405		audit_arg_ ## op (args);				\
406	} while (0)
407
408#define AUDIT_SYSCALL_ENTER(args...)	do {				\
409	if (audit_enabled) {						\
410		audit_syscall_enter(args);				\
411	}								\
412	} while (0)
413
414/*
415 * Wrap the audit_syscall_exit() function so that it is called only when
416 * auditing is enabled, or we have a audit record on the thread. It is
417 * possible that an audit record was begun before auditing was turned off.
418 */
419#define AUDIT_SYSCALL_EXIT(code, proc, uthread, error)	do {		\
420	if (audit_enabled || (uthread->uu_ar != NULL)) {		\
421		audit_syscall_exit(code, error, proc, uthread);		\
422	}								\
423	} while (0)
424
425/*
426 * Wrap the audit_mach_syscall_enter() and audit_mach_syscall_exit()
427 * functions in a manner similar to other system call enter/exit functions.
428 */
429#define AUDIT_MACH_SYSCALL_ENTER(args...)       do {			\
430	if (audit_enabled) {						\
431		audit_mach_syscall_enter(args);				\
432	}								\
433	} while (0)
434
435#define AUDIT_MACH_SYSCALL_EXIT(retval) 	do {			\
436	struct uthread *__uthread = get_bsdthread_info(current_thread());	\
437	if (audit_enabled || (__uthread->uu_ar != NULL)) {			\
438		audit_mach_syscall_exit(retval, __uthread);		\
439	}								\
440	} while (0)
441
442/*
443 * A Macro to wrap the audit_sysclose() function.
444 */
445#define	AUDIT_SYSCLOSE(args...)	do {					\
446	if (audit_enabled)						\
447		audit_sysclose(args);					\
448	} while (0)
449
450#else /* !AUDIT */
451
452#define	AUDIT_ARG(op, args...)	do {					\
453	} while (0)
454
455#define AUDIT_SYSCALL_ENTER(args...)	do {				\
456	} while (0)
457
458#define AUDIT_SYSCALL_EXIT(code, proc, uthread, error)	do {	\
459	} while (0)
460
461#define AUDIT_MACH_SYSCALL_ENTER(args...)       do {			\
462	} while (0)
463
464#define AUDIT_MACH_SYSCALL_EXIT(retval) 	do {			\
465	} while (0)
466
467#define	AUDIT_SYSCLOSE(op, args...)	do {				\
468	} while (0)
469
470#endif /* AUDIT */
471
472#endif /* KERNEL */
473
474#endif /* !_BSM_AUDIT_KERNEL_H */
475