1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 */
25
26/*
27 * This file contains the declarations of the various data structures
28 * used by the auditing module(s).
29 */
30
31#ifndef	_BSM_AUDIT_H
32#define	_BSM_AUDIT_H
33
34#pragma ident	"%Z%%M%	%I%	%E% SMI"
35
36#ifdef __cplusplus
37extern "C" {
38#endif
39
40
41#include <sys/shm.h>	/* for shmid_ds structure */
42#include <sys/sem.h>	/* for semid_ds structure */
43#include <sys/msg.h>	/* for msqid_ds structure */
44#include <sys/atomic.h>	/* using atomics */
45
46/*
 * Audit conditions, statements regarding what's to be done with
48 * audit records.  Neither AUC_ENABLED, AUC_DISABLED, nor AUC_UNSET
49 * are returned on an auditconfig -getcond call.
50 */
51/* global state */
/* global state (whole-system on/off decision) */
#define	AUC_DISABLED	-1	/* audit module loaded but not enabled */
#define	AUC_UNSET	0	/* on/off hasn't been decided */
#define	AUC_ENABLED	1	/* loaded and enabled */
/*
 * local zone state
 *
 * NOTE: the local-zone values reuse numbers from the global set
 * (AUC_AUDITING == AUC_ENABLED == 1), so a condition value is only
 * meaningful together with the state it was read from.  Never compare a
 * global-state value against a local-zone constant or vice versa.
 * AUC_INIT_AUDIT is numbered 4 although it is logically the first state.
 */
#define	AUC_INIT_AUDIT	4	/* c2audit is ready but auditd has not run */
#define	AUC_AUDITING	1	/* auditing is being done */
#define	AUC_NOAUDIT	2	/* auditing is not being done */
#define	AUC_NOSPACE	3	/* audit enabled, no space for audit records */
60
61/*
62 * The user id -2 is never audited - in fact, a setauid(AU_NOAUDITID)
63 * will turn off auditing.
64 */
/*
 * au_id_t is a uid_t (see below); -2 is cast to that type, so the value
 * compares as a large unsigned number wherever uid_t is unsigned.
 * Always compare with the macro, never with a literal -2.
 */
#define	AU_NOAUDITID	((au_id_t)-2)
66
67/*
68 * success/failure bits for asynchronous events
69 */
70
/* Selects which half of the system au_mask applies to an async event. */
#define	AUM_SUCC	1	/* use the system success preselection mask */
#define	AUM_FAIL	2	/* use the system failure preselection mask */
73
74
75/*
76 * Defines for event modifier field
77 */
/*
 * Event modifier bits.  They are stored in an au_emod_t, which is a
 * signed short (see the typedefs below): PAD_FAILURE (0x8000) therefore
 * lands in the sign bit, so always test these with a bitwise AND and never
 * by comparing or ordering the modifier value.  The bit positions are
 * deliberately non-contiguous; do not renumber.
 */
#define	PAD_READ	0x0001		/* object read */
#define	PAD_WRITE	0x0002		/* object write */
#define	PAD_NONATTR	0x4000		/* non-attributable event */
#define	PAD_FAILURE	0x8000		/* fail audit event */
#define	PAD_SPRIVUSE	0x0080		/* successfully used privileged */
#define	PAD_FPRIVUSE	0x0100		/* failed use of privileged */
84
85/*
86 * Some typedefs for the fundamentals
87 */
typedef pid_t au_asid_t;	/* audit session id; same width as a pid_t */
typedef uint_t  au_class_t;	/* audit class bits; compare with au_mask_t */
typedef short au_event_t;	/* audit event number; signed short */
typedef short au_emod_t;	/* event modifier; carries the PAD_* bits */
typedef uid_t au_id_t;		/* audit user id; AU_NOAUDITID means "none" */
93
94/*
95 * An audit event mask.
96 */
/*
 * AU_MASK_ALL is written for the 32-bit unsigned int fields of
 * struct au_mask; it is not "all bits" of any wider type.
 */
#define	AU_MASK_ALL	0xFFFFFFFF	/* all bits on for unsigned int */
#define	AU_MASK_NONE	0x0		/* all bits off = no:invalid class */
99
/*
 * Preselection mask: the class bits to audit, kept separately for
 * events that succeed and events that fail.  AU_MASK_ALL and
 * AU_MASK_NONE above are the two extreme values for either word.
 */
typedef struct au_mask {
	unsigned int	am_success;	/* class bits audited on success */
	unsigned int	am_failure;	/* class bits audited on failure */
} au_mask_t;

/* 4.x-era member names; see the compatibility notes further down. */
#define	as_success am_success
#define	as_failure am_failure
107
108/*
109 * The structure of the terminal ID (ipv4)
110 */
/*
 * Terminal id, IPv4 form: the terminal device plus one 32-bit word of
 * host address.  au_tid_addr below is the address-family-aware form.
 */
typedef struct au_tid {
	dev_t	port;		/* terminal device */
	uint_t	machine;	/* host address, one 32-bit word */
} au_tid_t;

#if defined(_SYSCALL32)
/*
 * Same layout as seen by a 32-bit caller: port is a 32-bit word instead
 * of a dev_t.  Presumably used by the 64-bit kernel to copy in/out
 * ILP32 arguments — confirm against the syscall code.
 */
typedef struct au_tid32 {
	uint_t	port;
	uint_t	machine;
} au_tid32_t;
#endif
126
127/*
128 * The structure of the terminal ID (ipv6)
129 */
/*
 * Terminal id with an address family: at_type is the address length
 * (AU_IPv4 or AU_IPv6, see below) and at_addr holds up to 16 bytes of
 * address.  Presumably an IPv4 address occupies at_addr[0] only — verify
 * against the producers before relying on it.
 */
typedef struct au_tid_addr {
	dev_t	at_port;	/* terminal device */
	uint_t	at_type;	/* AU_IPv4 / AU_IPv6 */
	uint_t	at_addr[4];	/* address, at_type bytes used */
} au_tid_addr_t;

/* A dev_t split into two explicit 32-bit halves, for fixed-layout forms. */
typedef struct au_port_s {
	uint32_t	at_major;	/* major # */
	uint32_t	at_minor;	/* minor # */
} au_port_t;

/* Fixed-layout (64-bit dev) variant of au_tid_addr. */
typedef struct au_tid_addr64 {
	au_port_t	at_port;
	uint_t		at_type;
	uint_t		at_addr[4];
} au_tid64_addr_t;

#if defined(_SYSCALL32)
/* au_tid_addr as a 32-bit caller lays it out: at_port is one 32-bit word. */
typedef struct au_tid_addr32 {
	uint_t	at_port;
	uint_t	at_type;
	uint_t	at_addr[4];
} au_tid32_addr_t;
#endif
160
/*
 * Socket endpoint description: both port numbers, the address family
 * (as an AU_IPv4 / AU_IPv6 length) and the remote address.  All fields
 * are fixed-width, so the layout is 24 bytes on every platform.
 */
typedef struct au_ip {
	uint16_t	at_r_port;	/* remote port */
	uint16_t	at_l_port;	/* local port */
	uint32_t	at_type;	/* AU_IPv4,... */
	uint32_t	at_addr[4];	/* remote IP */
} au_ip_t;
168
169/*
170 * Generic network address structure
171 */
/*
 * Tagged union of terminal id forms.  gt_type says which gt_adr member
 * is valid; 0 is reserved for uninitialized data (see the AU_* values
 * below).  Note that AU_ETHER is defined there but no union member is
 * declared for it here.
 */
typedef struct au_generic_tid {
	uchar_t	gt_type;	/* AU_IPADR, AU_DEVICE,... */
	union {
		au_ip_t		at_ip;	/* valid when gt_type == AU_IPADR */
		au_port_t	at_dev;	/* valid when gt_type == AU_DEVICE */
	} gt_adr;
} au_generic_tid_t;
180
181/*
182 * au_generic_tid_t gt_type values
183 * 0 is reserved for uninitialized data
184 */
/* gt_type tags; only AU_IPADR and AU_DEVICE have a gt_adr member above. */
#define	AU_IPADR	1
#define	AU_ETHER	2
#define	AU_DEVICE	3

/*
 * at_type values - address length used to identify address type
 * (the value is the number of address bytes in use, not an enum)
 */
#define	AU_IPv4 4	/* ipv4 type IP address */
#define	AU_IPv6 16	/* ipv6 type IP address */
194
195/*
 * Compatibility with SunOS 4.x BSM module
197 *
198 * New code should not contain audit_state_t,
199 * au_state_t, nor au_termid as these types
200 * may go away in future releases.
201 *
202 * typedef new-5.x-bsm-name old-4.x-bsm-name
203 */
204
typedef au_class_t au_state_t;	/* 4.x name for a class value */
typedef au_mask_t audit_state_t;	/* 4.x name for a preselection mask */
typedef au_id_t auid_t;		/* 4.x name for an audit user id */
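/*
 * 4.x member name for auditinfo.ai_mask.  The replacement must be a bare
 * identifier: with a trailing semicolon any use such as `info.ai_state`
 * inside an expression expands to `info.ai_mask;` and fails to compile.
 */
#define	ai_state ai_mask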
209
210/*
211 * Opcodes for bsm system calls
212 */
213
/*
 * Presumably carried in struct auditcalls.code (kernel section below) and
 * dispatched by auditsys().  Value 26 is retired; leave it unassigned.
 */
#define	BSM_GETAUID		19
#define	BSM_SETAUID		20
#define	BSM_GETAUDIT		21
#define	BSM_SETAUDIT		22
#define	BSM_GETUSERAUDIT	23
#define	BSM_SETUSERAUDIT	24
#define	BSM_AUDIT		25
/* 				26	OBSOLETE */
#define	BSM_AUDITSVC		27	/* EOL announced for Sol 10 */
#define	BSM_AUDITON		28
#define	BSM_AUDITCTL		29
#define	BSM_GETKERNSTATE	30
#define	BSM_SETKERNSTATE	31
#define	BSM_GETPORTAUDIT	32
#define	BSM_REVOKE		33
#define	BSM_AUDITSTAT		34
#define	BSM_GETAUDIT_ADDR	35	/* auditinfo_addr form of GETAUDIT */
#define	BSM_SETAUDIT_ADDR	36	/* auditinfo_addr form of SETAUDIT */
#define	BSM_AUDITDOOR		37
233
234/*
235 * Auditctl(2) commands
236 */
/*
 * No command is defined here for 1, 10, 11 or 16..19; a dispatcher should
 * reject those rather than fall through.  The *_ADDR / *PINFO_ADDR forms
 * use the au_tid_addr-based structures declared below.
 */
#define	A_GETPOLICY	2	/* get audit policy */
#define	A_SETPOLICY	3	/* set audit policy */
#define	A_GETKMASK	4	/* get kernel event preselection mask */
#define	A_SETKMASK	5	/* set kernel event preselection mask */
#define	A_GETQCTRL	6	/* get kernel audit queue ctrl parameters */
#define	A_SETQCTRL	7	/* set kernel audit queue ctrl parameters */
#define	A_GETCWD	8	/* get process current working directory */
#define	A_GETCAR	9	/* get process current active root */
#define	A_GETSTAT	12	/* get audit statistics */
#define	A_SETSTAT	13	/* (re)set audit statistics */
#define	A_SETUMASK	14	/* set preselection mask for procs with auid */
#define	A_SETSMASK	15	/* set preselection mask for procs with asid */
#define	A_GETCOND	20	/* get audit system on/off condition */
#define	A_SETCOND	21	/* set audit system on/off condition */
#define	A_GETCLASS	22	/* get audit event to class mapping */
#define	A_SETCLASS	23	/* set audit event to class mapping */
#define	A_GETPINFO	24	/* get audit info for an arbitrary pid */
#define	A_SETPMASK	25	/* set preselection mask for an given pid */
#define	A_SETFSIZE	26	/* set audit file size */
#define	A_GETFSIZE	27	/* get audit file size */
#define	A_GETPINFO_ADDR	28	/* get audit info for an arbitrary pid */
#define	A_GETKAUDIT	29	/* get kernel audit characteristics */
#define	A_SETKAUDIT	30	/* set kernel audit characteristics */
260
261/*
262 * Audit Policy parameters (32 bits)
263 */
#define	AUDIT_CNT	0x0001	/* do NOT sleep undelivered synch events */
#define	AUDIT_AHLT	0x0002	/* HALT machine on undelivered async event */
#define	AUDIT_ARGV	0x0004	/* include argv with execv system call events */
#define	AUDIT_ARGE	0x0008	/* include arge with execv system call events */
#define	AUDIT_SEQ	0x0010	/* include sequence attribute */
#define	AUDIT_WINDATA	0x0020	/* include interwindow moved data */
#define	AUDIT_GROUP	0x0040	/* include group attribute with each record */
#define	AUDIT_TRAIL	0x0080	/* include trailer token */
#define	AUDIT_PATH	0x0100	/* allow multiple paths per event */
#define	AUDIT_SCNT	0x0200	/* sleep user events but not kernel events */
#define	AUDIT_PUBLIC	0x0400	/* audit even "public" files */
#define	AUDIT_ZONENAME	0x0800	/* emit zonename token */
#define	AUDIT_PERZONE	0x1000	/* auditd and audit queue for each zone */
#define	AUDIT_WINDATA_DOWN	0x2000	/* include paste downgraded data */
#define	AUDIT_WINDATA_UP	0x4000	/* include paste upgraded data */

/*
 * Split of the policy bits into the system-wide set (AUDIT_GLOBAL) and
 * the set a zone may hold locally (AUDIT_LOCAL).  The two sets are
 * disjoint and together cover every AUDIT_* bit defined above
 * (0x0001..0x4000, i.e. 0x7fff); bits 15..31 carry no defined policy,
 * so a setter validating its input should mask against the union.
 * If AUDIT_GLOBAL changes, corresponding changes are required in
 * audit_syscalls.c's setpolicy().
 */
#define	AUDIT_GLOBAL	(AUDIT_AHLT | AUDIT_PERZONE)
#define	AUDIT_LOCAL	(AUDIT_CNT | AUDIT_ARGV | AUDIT_ARGE |\
			AUDIT_SEQ | AUDIT_WINDATA |\
			AUDIT_GROUP | AUDIT_TRAIL | AUDIT_PATH |\
			AUDIT_PUBLIC | AUDIT_SCNT | AUDIT_ZONENAME |\
			AUDIT_WINDATA_DOWN | AUDIT_WINDATA_UP)
290
291/*
292 * Kernel audit queue control parameters
293 *
 *	audit record recording blocks at hiwater # undelivered records
295 *	audit record recording resumes at lowwater # undelivered audit records
296 *	bufsz determines how big the data xfers will be to the audit trail
297 */
/*
 * Queue control parameters as exchanged with A_GETQCTRL / A_SETQCTRL.
 * There is no typedef for this structure; use the struct tag.
 * Defaults and upper bounds are the AQ_* values below.
 */
struct au_qctrl {
	size_t	aq_hiwater;	/* kernel audit queue, high water mark */
	size_t	aq_lowater;	/* kernel audit queue, low  water mark */
	size_t	aq_bufsz;	/* kernel audit queue, write size to trail */
	clock_t	aq_delay;	/* delay before flushing audit queue */
};

#if defined(_SYSCALL32)
/* au_qctrl as laid out by a 32-bit caller (size_t/clock_t narrowed). */
struct au_qctrl32 {
	size32_t	aq_hiwater;
	size32_t	aq_lowater;
	size32_t	aq_bufsz;
	clock32_t	aq_delay;
};
#endif
313
314
315/*
316 * default values of hiwater and lowater (note hi > lo)
317 */
/*
 * Defaults and, for the AQ_MAX* names, ceilings for au_qctrl.  The values
 * satisfy AQ_LOWATER < AQ_HIWATER <= AQ_MAXHIGH, AQ_BUFSZ <= AQ_MAXBUFSZ
 * and AQ_DELAY <= AQ_MAXDELAY; keep those relations if any are changed.
 * Presumably A_SETQCTRL rejects values above the AQ_MAX* bounds — confirm
 * in the syscall code.
 */
#define	AQ_HIWATER  100
#define	AQ_MAXHIGH  100000
#define	AQ_LOWATER  10
#define	AQ_BUFSZ    8192
#define	AQ_MAXBUFSZ 1048576
#define	AQ_DELAY    20
#define	AQ_MAXDELAY 20000
325
/*
 * Per-process audit characteristics, IPv4 terminal-id form: audit user
 * id, preselection mask, terminal and session.  This is what
 * BSM_GETAUDIT / BSM_SETAUDIT carry; the *_ADDR variants below use the
 * address-family-aware terminal id instead.
 */
typedef struct auditinfo {
	au_id_t		ai_auid;	/* audit user id */
	au_mask_t	ai_mask;	/* preselection mask */
	au_tid_t	ai_termid;	/* terminal id (IPv4 form) */
	au_asid_t	ai_asid;	/* audit session id */
} auditinfo_t;

#if defined(_SYSCALL32)
/* auditinfo as a 32-bit caller lays it out (au_tid32_t terminal id). */
typedef struct auditinfo32 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid32_t	ai_termid;
	au_asid_t	ai_asid;
} auditinfo32_t;
#endif
345
/*
 * Per-process audit characteristics with an address-family-aware
 * terminal id (au_tid_addr_t).  Carried by BSM_GETAUDIT_ADDR /
 * BSM_SETAUDIT_ADDR.
 */
typedef struct auditinfo_addr {
	au_id_t		ai_auid;	/* audit user id */
	au_mask_t	ai_mask;	/* preselection mask */
	au_tid_addr_t	ai_termid;	/* terminal id, IPv4 or IPv6 */
	au_asid_t	ai_asid;	/* audit session id */
} auditinfo_addr_t;

/* Fixed-layout variant using the 64-bit (major/minor) terminal id. */
typedef struct auditinfo_addr64 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid64_addr_t	ai_termid;
	au_asid_t	ai_asid;
} auditinfo64_addr_t;

#if defined(_SYSCALL32)
/* auditinfo_addr as a 32-bit caller lays it out. */
typedef struct auditinfo_addr32 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid32_addr_t	ai_termid;
	au_asid_t	ai_asid;
} auditinfo32_addr_t;
#endif
373
/*
 * auditinfo for an arbitrary process, prefixed with its pid (A_GETPINFO).
 * Unlike auditinfo there is no typedef; use the struct tag.
 */
struct auditpinfo {
	pid_t		ap_pid;		/* process being queried */
	au_id_t		ap_auid;	/* audit user id */
	au_mask_t	ap_mask;	/* preselection mask */
	au_tid_t	ap_termid;	/* terminal id (IPv4 form) */
	au_asid_t	ap_asid;	/* audit session id */
};

#if defined(_SYSCALL32)
/* auditpinfo as a 32-bit caller lays it out. */
struct auditpinfo32 {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid32_t	ap_termid;
	au_asid_t	ap_asid;
};
#endif
391
392
/*
 * auditpinfo with an address-family-aware terminal id (A_GETPINFO_ADDR).
 * No typedef; use the struct tag.
 */
struct auditpinfo_addr {
	pid_t		ap_pid;		/* process being queried */
	au_id_t		ap_auid;	/* audit user id */
	au_mask_t	ap_mask;	/* preselection mask */
	au_tid_addr_t	ap_termid;	/* terminal id, IPv4 or IPv6 */
	au_asid_t	ap_asid;	/* audit session id */
};

#if defined(_SYSCALL32)
/* auditpinfo_addr as a 32-bit caller lays it out. */
struct auditpinfo_addr32 {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid32_addr_t	ap_termid;
	au_asid_t	ap_asid;
};
#endif
410
411
/*
 * One event-number to class-bits mapping entry, as exchanged with
 * A_GETCLASS / A_SETCLASS.
 */
typedef struct au_evclass_map {
	au_event_t	ec_number;	/* event number */
	au_class_t	ec_class;	/* class bits the event belongs to */
} au_evclass_map_t;
417
418/*
 * Audit stat structures (used to be in audit_stat.h)
420 */
421
/*
 * Kernel audit counters, returned by A_GETSTAT and cleared by A_SETSTAT.
 * Every member is a 32-bit unsigned counter (56 bytes, no padding); the
 * counters wrap silently, so consumers should diff successive samples
 * rather than trust absolute values on a long-running system.
 */
typedef struct audit_stat {
	unsigned int as_version;	/* version of kernel audit code */
	unsigned int as_numevent;	/* number of kernel audit events */
	uint32_t as_generated;		/* # records processed */
	uint32_t as_nonattrib;		/* # non-attributed records produced */
	uint32_t as_kernel;		/* # records produced by kernel */
	uint32_t as_audit;		/* # records processed by audit(2) */
	uint32_t as_auditctl;		/* # records processed by auditctl(2) */
	uint32_t as_enqueue;		/* # records put onto audit queue */
	uint32_t as_written;		/* # records written to audit trail */
	uint32_t as_wblocked;		/* # times write blked on audit queue */
	uint32_t as_rblocked;		/* # times read blked on audit queue */
	uint32_t as_dropped;		/* # of dropped audit records */
	uint32_t as_totalsize;		/* total number bytes of audit data */
	uint32_t as_memused;		/* no longer used */
} au_stat_t;

/* Number of kernel audit events; defined in the audit module. */
extern int au_naevent;
440
441/*
442 * Secondary stat structure for file size stuff.  The stat structure was
443 * not combined to preserve the semantics of the 5.1 - 5.3 A_GETSTAT call
444 */
/*
 * Audit trail file-size limit and current size, as exchanged with
 * A_GETFSIZE / A_SETFSIZE.  Kept apart from au_stat_t so the older
 * A_GETSTAT layout is unchanged.
 */
typedef struct audit_fstat {
	unsigned int af_filesz;	/* configured maximum file size */
	unsigned int af_currsz;	/* current file size */
} au_fstat_t;
450
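/*
 * Kernel audit context selectors.  Each expansion is fully parenthesized
 * so the macros are safe as sub-expressions: the previous unparenthesized
 * form `cond ? a : b` let a following operator bind to `b` alone, e.g.
 * `GET_KCTX_PZ == x` silently became `cond ? a : (b == x)`.
 *
 * GET_KCTX_PZ: per-zone context when AUDIT_PERZONE is set in
 *              audit_policy, otherwise the global zone's context.
 * GET_KCTX_GZ: always the global zone's context.
 * GET_KCTX_NGZ: always the current process's zone's context.
 */
#define	GET_KCTX_PZ	((audit_policy & AUDIT_PERZONE) ?\
			    curproc->p_zone->zone_audit_kctxt :\
			    global_zone->zone_audit_kctxt)
/* get kernel audit context of global zone */
#define	GET_KCTX_GZ	(global_zone->zone_audit_kctxt)
/* get kernel audit context of non-global zone */
#define	GET_KCTX_NGZ	(curproc->p_zone->zone_audit_kctxt)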
459
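/*
 * Atomically add (AS_INC) or subtract (AS_DEC) `b` from counter field `a`
 * of the statistics block embedded in kernel audit context `c`
 * (presumably an au_stat_t).  `a` is a member name, not an expression;
 * `c` is parenthesized so a non-trivial pointer expression binds
 * correctly before `->`.  AS_DEC negates `b`, so pass a small delta.
 */
#define	AS_INC(a, b, c) atomic_add_32(&((c)->auk_statistics.a), (b))
#define	AS_DEC(a, b, c) atomic_add_32(&((c)->auk_statistics.a), -(b))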
462
463/*
464 * audit token IPC types (shm, sem, msg) [for ipc attribute]
465 */
466
/*
 * Single-byte tags (hence the char casts) naming which System V IPC
 * object an ipc attribute refers to; presumably the first argument of
 * audit_ipc()/audit_ipcget() below.
 */
#define	AT_IPC_MSG	((char)1)		/* message IPC id */
#define	AT_IPC_SEM	((char)2)		/* semaphore IPC id */
#define	AT_IPC_SHM	((char)3)		/* shared memory IPC id */
470
471#if defined(_KERNEL)
472
473#ifdef __cplusplus
474}
475#endif
476
477#include <sys/types.h>
478#include <sys/model.h>
479#include <sys/proc.h>
480#include <sys/stream.h>
481#include <sys/stropts.h>
482#include <sys/file.h>
483#include <sys/pathname.h>
484#include <sys/vnode.h>
485#include <sys/systm.h>
486#include <netinet/in.h>
487#include <c2/audit_door_infc.h>
488#include <sys/crypto/ioctladmin.h>
489#include <sys/netstack.h>
490
491#ifdef __cplusplus
492extern "C" {
493#endif
494
/* Opaque kernel types only ever passed by pointer from the hooks below. */
struct fcntla;
struct t_audit_data;
struct audit_path;
struct priv_set;
struct devplcysys;
500
/*
 * Raw argument block handed to auditsys()/_auditsys().  code presumably
 * carries one of the BSM_* opcodes above; a1..a5 are the untyped
 * user-supplied arguments and must be validated by the handler.
 */
struct auditcalls {
	long	code;
	long	a1;
	long	a2;
	long	a3;
	long	a4;
	long	a5;
};
509
/*
 * Kernel-internal audit hooks.  These appear to be the entry points the
 * rest of the kernel calls to record events; they take kernel objects
 * (proc, vnode, file, stream, cred, ...) directly and are not part of the
 * user-visible interface.  Only the declarations are given here; argument
 * meanings must be taken from the corresponding definitions.
 */
int	audit(caddr_t, int);
int	_audit(caddr_t, int);
int	auditsys(struct auditcalls *, union rval *); /* fake stub */
int	_auditsys(struct auditcalls *, union rval *); /* real deal */
void	audit_cryptoadm(int, char *, crypto_mech_name_t *,
	    uint_t, uint_t, uint32_t, int);
void	audit_init(void);
void	audit_newproc(struct proc *);
void	audit_pfree(struct proc *);
void	audit_thread_create(kthread_id_t);
void	audit_thread_free(kthread_id_t);
int	audit_savepath(struct pathname *, struct vnode *, int, cred_t *);
void	audit_addcomponent(struct pathname *);
void	audit_anchorpath(struct pathname *, int);
void	audit_symlink(struct pathname *, struct pathname *);
void	audit_symlink_create(struct vnode *, char *, char *, int);
int	file_is_public(struct vattr *);
void	audit_attributes(struct vnode *);
void	audit_falloc(struct file *);
void	audit_unfalloc(struct file *);
void	audit_exit(int, int);
void	audit_core_start(int);
void	audit_core_finish(int);
void	audit_stropen(struct vnode *, dev_t *, int, struct cred *);
void	audit_strclose(struct vnode *, int, struct cred *);
void	audit_strioctl(struct vnode *, int, intptr_t, int, int, struct cred *,
		int *);
void	audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *,
		unsigned char *, int *, int);
void	audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *,
		unsigned char, int, int);
void	audit_closef(struct file *);
int	audit_getf(int);
void	audit_setf(struct file *, int);
void	audit_copen(int, struct file *, struct vnode *);
void	audit_reboot(void);
void	audit_vncreate_start(void);
void	audit_setfsat_path(int argnum);
void	audit_vncreate_finish(struct vnode *, int);
void	audit_exec(const char *, const char *, ssize_t, ssize_t);
void	audit_enterprom(int);
void	audit_exitprom(int);
void	audit_chdirec(struct vnode *, struct vnode **);
void	audit_sock(int, struct queue *, struct msgb *, int);
void	audit_free(void);
/* syscall entry/exit and asynchronous-event bracketing */
int	audit_start(unsigned int, unsigned int, int, klwp_t *);
void	audit_finish(unsigned int, unsigned int, int, union rval *);
int	audit_async_start(label_t *, int, int);
void	audit_async_finish(caddr_t *, int, int);
void	audit_async_discard_backend(void *);
void	audit_async_done(caddr_t *, int);
void	audit_async_drop(caddr_t *, int);
562
/*
 * Forward typedef for the per-zone kernel audit context; guarded so the
 * header that defines struct au_kcontext can declare the same name.
 */
#ifndef AUK_CONTEXT_T
#define	AUK_CONTEXT_T
typedef struct au_kcontext au_kcontext_t;
#endif
567
/* Further kernel-internal hooks; see the note above the first group. */
int	audit_success(au_kcontext_t *, struct t_audit_data *, int, cred_t *);
int	auditme(au_kcontext_t *, struct t_audit_data *, au_state_t);
void	audit_fixpath(struct audit_path *, int);
/* presumably the first int is an AT_IPC_* tag selecting what void * is */
void	audit_ipc(int, int, void *);
void	audit_ipcget(int, void *);
/*
 * NOTE(review): declared with empty parentheses, so the compiler checks
 * no arguments at call sites.  Should be `(void)` if the definition takes
 * none, or the real parameter list otherwise — confirm against the
 * definition before changing.
 */
void	audit_lookupname();
int	audit_pathcomp(struct pathname *, vnode_t *, cred_t *);
void	audit_fdsend(int, struct file *, int);
void	audit_fdrecv(int, struct file *);
int	audit_c2_revoke(struct fcntla *, rval_t *);
void	audit_priv(int, const struct priv_set *, int);
void	audit_setppriv(int, int, const struct priv_set *, const cred_t *);
void	audit_devpolicy(int, const struct devplcysys *);
void	audit_update_context(proc_t *, cred_t *);
void	audit_kssl(int, void *, int);
void	audit_pf_policy(int, cred_t *, netstack_t *, char *, boolean_t, int,
    pid_t);
void	audit_sec_attributes(caddr_t *, struct vnode *);
586
587#endif
588
589#ifdef __cplusplus
590}
591#endif
592
593#endif /* _BSM_AUDIT_H */
594