audit.h revision 4321:a8930ec16e52
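/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * This file contains the declarations of the various data structures
 * used by the auditing module(s): audit conditions and policy bits,
 * preselection masks, terminal ids, per-process audit info, kernel
 * queue control parameters, statistics, and (under _KERNEL only) the
 * prototypes of the c2audit entry points.
 */

#ifndef _BSM_AUDIT_H
#define _BSM_AUDIT_H

#pragma ident "%Z%%M% %I% %E% SMI"

#ifdef __cplusplus
extern "C" {
#endif


#include <sys/shm.h>    /* for shmid_ds structure */
#include <sys/sem.h>    /* for semid_ds structure */
#include <sys/msg.h>    /* for msqid_ds structure */
#include <sys/atomic.h> /* using atomics */

/*
 * Audit conditions, statements regarding what's to be done with
 * audit records.  Neither AUC_ENABLED, AUC_DISABLED, nor AUC_UNSET
 * are returned on an auditconfig -getcond call.
 *
 * The "global state" and "local zone state" values below are two
 * separate value spaces that overlap numerically (AUC_ENABLED and
 * AUC_AUDITING are both 1); never compare a value from one space
 * against a constant from the other.
 */
/* global state */
#define AUC_DISABLED -1 /* audit module loaded but not enabled */
#define AUC_UNSET 0 /* on/off hasn't been decided */
#define AUC_ENABLED 1 /* loaded and enabled */
/* local zone state */
#define AUC_INIT_AUDIT 4 /* c2audit is ready but auditd has not run */
#define AUC_AUDITING 1 /* auditing is being done */
#define AUC_NOAUDIT 2 /* auditing is not being done */
#define AUC_NOSPACE 3 /* audit enabled, no space for audit records */

/*
 * The user id -2 is never audited - in fact, a setauid(AU_NOAUDITID)
 * will turn off auditing.
 *
 * au_id_t is uid_t (see below), so the stored value is -2 converted to
 * whatever uid_t is on this platform; always compare through au_id_t.
 */
#define AU_NOAUDITID ((au_id_t)-2)

/*
 * success/failure bits for asynchronous events
 */

#define AUM_SUCC 1 /* use the system success preselection mask */
#define AUM_FAIL 2 /* use the system failure preselection mask */


/*
 * Defines for event modifier field
 *
 * NOTE(review): au_emod_t below is a signed short.  If the modifier
 * field is carried in that type, PAD_FAILURE (0x8000) occupies its
 * sign bit, so test these flags with a masked comparison and never
 * with an ordering or sign test.
 */
#define PAD_READ 0x0001 /* object read */
#define PAD_WRITE 0x0002 /* object write */
#define PAD_NONATTR 0x4000 /* non-attributable event */
#define PAD_FAILURE 0x8000 /* fail audit event */
#define PAD_SPRIVUSE 0x0080 /* successfully used privileged */
#define PAD_FPRIVUSE 0x0100 /* failed use of privileged */

/*
 * Some typedefs for the fundamentals
 */
typedef pid_t au_asid_t;   /* audit session id (carried as ai_asid/ap_asid) */
typedef uint_t au_class_t; /* audit class, used as a bit mask by au_mask */
typedef short au_event_t;  /* audit event number (see au_evclass_map) */
typedef short au_emod_t;   /* event modifier, see PAD_* above */
typedef uid_t au_id_t;     /* audit user id (auid) */

/*
 * An audit event mask.
 *
 * am_success / am_failure are au_class_t bit masks selecting which
 * classes are audited on success and on failure respectively.
 */
#define AU_MASK_ALL 0xFFFFFFFF /* all bits on for unsigned int */
#define AU_MASK_NONE 0x0 /* all bits off = no:invalid class */

struct au_mask {
    unsigned int am_success; /* success bits */
    unsigned int am_failure; /* failure bits */
};
typedef struct au_mask au_mask_t;
/*
 * Legacy member-name aliases.  These are bare identifier macros with no
 * parameters: any identifier spelled as_success / as_failure in a
 * translation unit that includes this header is rewritten, not just
 * member accesses on au_mask.
 */
#define as_success am_success
#define as_failure am_failure

/*
 * The structure of the terminal ID (ipv4)
 */
struct au_tid {
    dev_t port;
    uint_t machine;
};

#if defined(_SYSCALL32)
/* ILP32 layout of au_tid for 32-bit callers of the 64-bit kernel */
struct au_tid32 {
    uint_t port;
    uint_t machine;
};

typedef struct au_tid32 au_tid32_t;
#endif

typedef struct au_tid au_tid_t;

/*
 * The structure of the terminal ID (ipv6)
 *
 * at_addr holds 4 words; at_type (AU_IPv4 / AU_IPv6 below) says how
 * many of them are meaningful.
 */
struct au_tid_addr {
    dev_t at_port;
    uint_t at_type;
    uint_t at_addr[4];
};

/* device number split into its two halves (used by au_tid_addr64) */
struct au_port_s {
    uint32_t at_major; /* major # */
    uint32_t at_minor; /* minor # */
};
typedef struct au_port_s au_port_t;

struct au_tid_addr64 {
    au_port_t at_port;
    uint_t at_type;
    uint_t at_addr[4];
};
typedef struct au_tid_addr64 au_tid64_addr_t;

#if defined(_SYSCALL32)
/* ILP32 layout of au_tid_addr for 32-bit callers of the 64-bit kernel */
struct au_tid_addr32 {
    uint_t at_port;
    uint_t at_type;
    uint_t at_addr[4];
};

typedef struct au_tid_addr32 au_tid32_addr_t;
#endif

typedef struct au_tid_addr au_tid_addr_t;

struct au_ip {
    uint16_t at_r_port; /* remote port */
    uint16_t at_l_port; /* local port */
    uint32_t at_type; /* AU_IPv4,... */
    uint32_t at_addr[4]; /* remote IP */
};
typedef struct au_ip au_ip_t;

/*
 * Generic network address structure
 *
 * gt_type selects which member of gt_adr is valid; 0 is reserved for
 * uninitialized data (see the AU_IPADR/AU_ETHER/AU_DEVICE values).
 */
struct au_generic_tid {
    uchar_t gt_type; /* AU_IPADR, AU_DEVICE,... */
    union {
        au_ip_t at_ip;
        au_port_t at_dev;
    } gt_adr;
};
typedef struct au_generic_tid au_generic_tid_t;

/*
 * au_generic_tid_t gt_type values
 * 0 is reserved for uninitialized data
 */
#define AU_IPADR 1
#define AU_ETHER 2
#define AU_DEVICE 3

/*
 * at_type values - address length used to identify address type
 */
#define AU_IPv4 4 /* ipv4 type IP address */
#define AU_IPv6 16 /* ipv6 type IP address */

/*
 * Compatibility with SunOS 4.x BSM module
 *
 * New code should not contain audit_state_t,
 * au_state_t, nor au_termid as these types
 * may go away in future releases.
 *
 * typedef new-5.x-bsm-name old-4.x-bsm-name
 */

typedef au_class_t au_state_t;
typedef au_mask_t audit_state_t;
typedef au_id_t auid_t;
/*
 * 4.x member name ai_state for the 5.x ai_mask field of auditinfo.
 * This is a bare identifier alias like as_success above and must not
 * carry a trailing ';', otherwise an expression such as
 * p->ai_state.am_success expands to a syntax error.
 */
#define ai_state ai_mask

/*
 * Opcodes for bsm system calls
 */

#define BSM_GETAUID 19
#define BSM_SETAUID 20
#define BSM_GETAUDIT 21
#define BSM_SETAUDIT 22
#define BSM_GETUSERAUDIT 23
#define BSM_SETUSERAUDIT 24
#define BSM_AUDIT 25
/* 26 OBSOLETE */
#define BSM_AUDITSVC 27 /* EOL announced for Sol 10 */
#define BSM_AUDITON 28
#define BSM_AUDITCTL 29
#define BSM_GETKERNSTATE 30
#define BSM_SETKERNSTATE 31
#define BSM_GETPORTAUDIT 32
#define BSM_REVOKE 33
#define BSM_AUDITSTAT 34
#define BSM_GETAUDIT_ADDR 35
#define BSM_SETAUDIT_ADDR 36
#define BSM_AUDITDOOR 37

/*
 * Auditctl(2) commands
 *
 * The numbering has gaps (10-11, 16-19); do not assume the values are
 * contiguous when building tables indexed by command.
 */
#define A_GETPOLICY 2 /* get audit policy */
#define A_SETPOLICY 3 /* set audit policy */
#define A_GETKMASK 4 /* get kernel event preselection mask */
#define A_SETKMASK 5 /* set kernel event preselection mask */
#define A_GETQCTRL 6 /* get kernel audit queue ctrl parameters */
#define A_SETQCTRL 7 /* set kernel audit queue ctrl parameters */
#define A_GETCWD 8 /* get process current working directory */
#define A_GETCAR 9 /* get process current active root */
#define A_GETSTAT 12 /* get audit statistics */
#define A_SETSTAT 13 /* (re)set audit statistics */
#define A_SETUMASK 14 /* set preselection mask for procs with auid */
#define A_SETSMASK 15 /* set preselection mask for procs with asid */
#define A_GETCOND 20 /* get audit system on/off condition */
#define A_SETCOND 21 /* set audit system on/off condition */
#define A_GETCLASS 22 /* get audit event to class mapping */
#define A_SETCLASS 23 /* set audit event to class mapping */
#define A_GETPINFO 24 /* get audit info for an arbitrary pid */
#define A_SETPMASK 25 /* set preselection mask for an given pid */
#define A_SETFSIZE 26 /* set audit file size */
#define A_GETFSIZE 27 /* get audit file size */
#define A_GETPINFO_ADDR 28 /* get audit info for an arbitrary pid */
#define A_GETKAUDIT 29 /* get kernel audit characteristics */
#define A_SETKAUDIT 30 /* set kernel audit characteristics */

/*
 * Audit Policy parameters (32 bits)
 *
 * AUDIT_CNT and AUDIT_SCNT trade completeness for availability: with
 * them set, undeliverable records are not waited for.  AUDIT_AHLT is
 * the opposite choice for async events (halt rather than lose a record).
 */
#define AUDIT_CNT 0x0001 /* do NOT sleep undelivered synch events */
#define AUDIT_AHLT 0x0002 /* HALT machine on undelivered async event */
#define AUDIT_ARGV 0x0004 /* include argv with execv system call events */
#define AUDIT_ARGE 0x0008 /* include arge with execv system call events */
#define AUDIT_SEQ 0x0010 /* include sequence attribute */
#define AUDIT_WINDATA 0x0020 /* include interwindow moved data */
#define AUDIT_GROUP 0x0040 /* include group attribute with each record */
#define AUDIT_TRAIL 0x0080 /* include trailer token */
#define AUDIT_PATH 0x0100 /* allow multiple paths per event */
#define AUDIT_SCNT 0x0200 /* sleep user events but not kernel events */
#define AUDIT_PUBLIC 0x0400 /* audit even "public" files */
#define AUDIT_ZONENAME 0x0800 /* emit zonename token */
#define AUDIT_PERZONE 0x1000 /* auditd and audit queue for each zone */
#define AUDIT_WINDATA_DOWN 0x2000 /* include paste downgraded data */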
#define AUDIT_WINDATA_UP 0x4000 /* include paste upgraded data */

/*
 * If AUDIT_GLOBAL changes, corresponding changes are required in
 * audit_syscalls.c's setpolicy().
 *
 * AUDIT_GLOBAL is the set of policy bits that apply system-wide;
 * AUDIT_LOCAL is every other policy bit defined above.  The two masks
 * are disjoint and together cover all defined AUDIT_* bits.
 */
#define AUDIT_GLOBAL (AUDIT_AHLT | AUDIT_PERZONE)
#define AUDIT_LOCAL (AUDIT_CNT | AUDIT_ARGV | AUDIT_ARGE |\
    AUDIT_SEQ | AUDIT_WINDATA |\
    AUDIT_GROUP | AUDIT_TRAIL | AUDIT_PATH |\
    AUDIT_PUBLIC | AUDIT_SCNT | AUDIT_ZONENAME |\
    AUDIT_WINDATA_DOWN | AUDIT_WINDATA_UP)

/*
 * Kernel audit queue control parameters
 *
 * audit record recording blocks at hiwater # undelived records
 * audit record recording resumes at lowwater # undelivered audit records
 * bufsz determines how big the data xfers will be to the audit trail
 *
 * Set via A_SETQCTRL, read via A_GETQCTRL.  The AQ_* constants below
 * give the defaults and the AQ_MAX* ceilings.
 */
struct au_qctrl {
    size_t aq_hiwater; /* kernel audit queue, high water mark */
    size_t aq_lowater; /* kernel audit queue, low water mark */
    size_t aq_bufsz; /* kernel audit queue, write size to trail */
    clock_t aq_delay; /* delay before flushing audit queue */
};

#if defined(_SYSCALL32)
/* ILP32 layout of au_qctrl for 32-bit callers of the 64-bit kernel */
struct au_qctrl32 {
    size32_t aq_hiwater;
    size32_t aq_lowater;
    size32_t aq_bufsz;
    clock32_t aq_delay;
};
#endif


/*
 * default values of hiwater and lowater (note hi > lo)
 *
 * NOTE(review): AQ_MAXHIGH / AQ_MAXBUFSZ / AQ_MAXDELAY read as the
 * ceilings a caller-supplied au_qctrl should be checked against; the
 * check itself lives with the A_SETQCTRL handler, not here -- confirm.
 */
#define AQ_HIWATER 100
#define AQ_MAXHIGH 100000
#define AQ_LOWATER 10
#define AQ_BUFSZ 8192
#define AQ_MAXBUFSZ 1048576
#define AQ_DELAY 20
#define AQ_MAXDELAY 20000

/*
 * Per-process audit characteristics with an ipv4 terminal id
 * (BSM_GETAUDIT/BSM_SETAUDIT).  The 4.x name ai_state aliases ai_mask.
 */
struct auditinfo {
    au_id_t ai_auid;     /* audit user id */
    au_mask_t ai_mask;   /* preselection mask */
    au_tid_t ai_termid;  /* terminal id */
    au_asid_t ai_asid;   /* audit session id */
};

#if defined(_SYSCALL32)
/* ILP32 layout of auditinfo for 32-bit callers of the 64-bit kernel */
struct auditinfo32 {
    au_id_t ai_auid;
    au_mask_t ai_mask;
    au_tid32_t ai_termid;
    au_asid_t ai_asid;
};

typedef struct auditinfo32 auditinfo32_t;
#endif

typedef struct auditinfo auditinfo_t;

/*
 * As auditinfo, but with the address-carrying (ipv4/ipv6) terminal id
 * (BSM_GETAUDIT_ADDR/BSM_SETAUDIT_ADDR).
 */
struct auditinfo_addr {
    au_id_t ai_auid;
    au_mask_t ai_mask;
    au_tid_addr_t ai_termid;
    au_asid_t ai_asid;
};
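
/* auditinfo_addr with the split major/minor port representation */
struct auditinfo_addr64 {
    au_id_t ai_auid;
    au_mask_t ai_mask;
    au_tid64_addr_t ai_termid;
    au_asid_t ai_asid;
};
typedef struct auditinfo_addr64 auditinfo64_addr_t;

#if defined(_SYSCALL32)
/* ILP32 layout of auditinfo_addr for 32-bit callers of the 64-bit kernel */
struct auditinfo_addr32 {
    au_id_t ai_auid;
    au_mask_t ai_mask;
    au_tid32_addr_t ai_termid;
    au_asid_t ai_asid;
};

typedef struct auditinfo_addr32 auditinfo32_addr_t;
#endif

typedef struct auditinfo_addr auditinfo_addr_t;

/*
 * auditinfo of an arbitrary process, keyed by pid (A_GETPINFO /
 * A_SETPMASK).
 */
struct auditpinfo {
    pid_t ap_pid;
    au_id_t ap_auid;
    au_mask_t ap_mask;
    au_tid_t ap_termid;
    au_asid_t ap_asid;
};

#if defined(_SYSCALL32)
struct auditpinfo32 {
    pid_t ap_pid;
    au_id_t ap_auid;
    au_mask_t ap_mask;
    au_tid32_t ap_termid;
    au_asid_t ap_asid;
};
#endif


/* auditpinfo with the address-carrying terminal id (A_GETPINFO_ADDR) */
struct auditpinfo_addr {
    pid_t ap_pid;
    au_id_t ap_auid;
    au_mask_t ap_mask;
    au_tid_addr_t ap_termid;
    au_asid_t ap_asid;
};

#if defined(_SYSCALL32)
struct auditpinfo_addr32 {
    pid_t ap_pid;
    au_id_t ap_auid;
    au_mask_t ap_mask;
    au_tid32_addr_t ap_termid;
    au_asid_t ap_asid;
};
#endif


/* one event-number -> class entry (A_GETCLASS / A_SETCLASS) */
struct au_evclass_map {
    au_event_t ec_number;
    au_class_t ec_class;
};
typedef struct au_evclass_map au_evclass_map_t;

/*
 * Audit stat structures (used to be in audit_stat.h)
 *
 * Counters are 32-bit and may wrap; readers should diff successive
 * samples rather than rely on absolute values.  A growing as_dropped
 * means audit records were lost (presumably under the AUDIT_CNT /
 * AUDIT_SCNT don't-sleep policies -- confirm in the queue code).
 */

struct audit_stat {
    unsigned int as_version; /* version of kernel audit code */
    unsigned int as_numevent; /* number of kernel audit events */
    uint32_t as_generated; /* # records processed */
    uint32_t as_nonattrib; /* # non-attributed records produced */
    uint32_t as_kernel; /* # records produced by kernel */
    uint32_t as_audit; /* # records processed by audit(2) */
    uint32_t as_auditctl; /* # records processed by auditctl(2) */
    uint32_t as_enqueue; /* # records put onto audit queue */
    uint32_t as_written; /* # records written to audit trail */
    uint32_t as_wblocked; /* # times write blked on audit queue */
    uint32_t as_rblocked; /* # times read blked on audit queue */
    uint32_t as_dropped; /* # of dropped audit records */
    uint32_t as_totalsize; /* total number bytes of audit data */
    uint32_t as_memused; /* no longer used */
};
typedef struct audit_stat au_stat_t;
extern int au_naevent; /* defined in the audit module; by name, the event count */

/*
 * Secondary stat structure for file size stuff. The stat structure was
 * not combined to preserve the semantics of the 5.1 - 5.3 A_GETSTAT call
 * (A_GETFSIZE / A_SETFSIZE operate on this one).
 */
struct audit_fstat {
    unsigned int af_filesz;
    unsigned int af_currsz;
};
typedef struct audit_fstat au_fstat_t;

/*
 * get kernel audit context dependent on AUDIT_PERZONE policy
 *
 * Reads the global audit_policy: with AUDIT_PERZONE set the current
 * process's zone context is used, otherwise the global zone's.  The
 * whole conditional is parenthesized so that a use such as
 * GET_KCTX_PZ->auk_statistics applies to the selected context rather
 * than binding only to the else arm.
 */
#define GET_KCTX_PZ ((audit_policy & AUDIT_PERZONE) ?\
    curproc->p_zone->zone_audit_kctxt :\
    global_zone->zone_audit_kctxt)
/* get kernel audit context of global zone */
#define GET_KCTX_GZ global_zone->zone_audit_kctxt
/* get kernel audit context of non-global zone */
#define GET_KCTX_NGZ curproc->p_zone->zone_audit_kctxt

/*
 * Atomically adjust counter `a` of context `c`'s auk_statistics by `b`.
 * `a` is a member name of the statistics struct (not an expression);
 * `c` is parenthesized so any context-yielding expression can be passed.
 */
#define AS_INC(a, b, c) atomic_add_32(&((c)->auk_statistics.a), (b))
#define AS_DEC(a, b, c) atomic_add_32(&((c)->auk_statistics.a), -(b))

/*
 * audit token IPC types (shm, sem, msg) [for ipc attribute]
 */

#define AT_IPC_MSG ((char)1) /* message IPC id */
#define AT_IPC_SEM ((char)2) /* semaphore IPC id */
#define AT_IPC_SHM ((char)3) /* shared memory IPC id */

#if defined(_KERNEL)

#ifdef __cplusplus
}
#endif

#include <sys/types.h>
#include <sys/model.h>
#include <sys/proc.h>
#include <sys/stream.h>
#include <sys/stropts.h>
#include <sys/file.h>
#include <sys/pathname.h>
#include <sys/vnode.h>
#include <sys/systm.h>
#include <netinet/in.h>
#include <c2/audit_door_infc.h>
#include <sys/crypto/ioctladmin.h>
#include <sys/netstack.h>

#ifdef __cplusplus
extern "C" {
#endif

/* opaque to this header; only pointers to them are passed below */
struct fcntla;
struct t_audit_data;
struct audit_path;
struct priv_set;
struct devplcysys;

/* argument block handed to auditsys()/_auditsys(): opcode plus 5 args */
struct auditcalls {
    long code; /* BSM_* opcode */
    long a1;
    long a2;
    long a3;
    long a4;
    long a5;
};

/*
 * c2audit entry points called from the rest of the kernel.  Return-type
 * int functions report a status; the void ones record or discard audit
 * data as a side effect.
 */
int audit(caddr_t, int);
int _audit(caddr_t, int);
int auditsys(struct auditcalls *, union rval *); /* fake stub */
int _auditsys(struct auditcalls *, union rval *); /* real deal */
void audit_cryptoadm(int, char *, crypto_mech_name_t *,
    uint_t, uint_t, uint32_t, int);
void audit_init(void);
void audit_newproc(struct proc *);
void audit_pfree(struct proc *);
void audit_thread_create(kthread_id_t);
void audit_thread_free(kthread_id_t);
int audit_savepath(struct pathname *, struct vnode *, int, cred_t *);
void audit_addcomponent(struct pathname *);
void audit_anchorpath(struct pathname *, int);
void audit_symlink(struct pathname *, struct pathname *);
void audit_symlink_create(struct vnode *, char *, char *, int);
int file_is_public(struct vattr *); /* presumably the AUDIT_PUBLIC predicate -- confirm */
void audit_attributes(struct vnode *);
void audit_falloc(struct file *);
void audit_unfalloc(struct file *);
void audit_exit(int, int);
void audit_core_start(int);
void audit_core_finish(int);
void audit_stropen(struct vnode *, dev_t *, int, struct cred *);
void audit_strclose(struct vnode *, int, struct cred *);
void audit_strioctl(struct vnode *, int, intptr_t, int, int, struct cred *,
    int *);
void audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *,
    unsigned char *, int *, int);
void audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *,
    unsigned char, int, int);
void audit_closef(struct file *);
int audit_getf(int);
void audit_setf(struct file *, int);
void audit_copen(int, struct file *, struct vnode *);
void audit_reboot(void);
void audit_vncreate_start(void);
void audit_setfsat_path(int argnum);
void audit_vncreate_finish(struct vnode *, int);
void audit_exec(const char *, const char *, ssize_t, ssize_t);
void audit_enterprom(int);
void audit_exitprom(int);
void audit_chdirec(struct vnode *, struct vnode **);
void audit_sock(int, struct queue *, struct msgb *, int);
void audit_free(void);
int audit_start(unsigned int, unsigned int, int, klwp_t *);
void audit_finish(unsigned int, unsigned int, int, union rval *);
int audit_async_start(label_t *, int, int);
void audit_async_finish(caddr_t *, int, int);
void audit_async_discard_backend(void *);
void audit_async_done(caddr_t *, int);
void audit_async_drop(caddr_t *, int);

#ifndef AUK_CONTEXT_T
#define AUK_CONTEXT_T
typedef struct au_kcontext au_kcontext_t;
#endif

int audit_success(au_kcontext_t *, struct t_audit_data *, int, cred_t *);
int auditme(au_kcontext_t *, struct t_audit_data *, au_state_t);
void audit_fixpath(struct audit_path *, int);
void audit_ipc(int, int, void *);
void audit_ipcget(int, void *);
/*
 * NOTE(review): "()" is an unprototyped declaration, so the compiler
 * cannot check calls; it should be "(void)" if the definition takes no
 * arguments -- left unchanged here because callers are not visible.
 */
void audit_lookupname();
int audit_pathcomp(struct pathname *, vnode_t *, cred_t *);
void audit_fdsend(int, struct file *, int);
void audit_fdrecv(int, struct file *);
int audit_c2_revoke(struct fcntla *, rval_t *);
void audit_priv(int, const struct priv_set *, int);
void audit_setppriv(int, int, const struct priv_set *, const cred_t *);
void audit_devpolicy(int, const struct devplcysys *);
void audit_update_context(proc_t *, cred_t *);
void audit_kssl(int, void *, int);
void audit_pf_policy(int, cred_t *, netstack_t *, char *, boolean_t, int,
    pid_t);
void audit_sec_attributes(caddr_t *, struct vnode *);

#endif /* _KERNEL */

#ifdef __cplusplus
}
#endif

#endif /* _BSM_AUDIT_H */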