/*-
 * Copyright (c) 2005-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
 *    its contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $FreeBSD: stable/10/sys/bsm/audit_record.h 293163 2016-01-04 16:51:56Z brueffer $
 */

/*
 * BSM audit record definitions: token type identifiers, constants carried
 * in the record header, and the prototypes of the token constructors and
 * constant-space conversion routines.
 *
 * NOTE(review): token_t, au_event_t, au_emod_t, au_id_t, au_asid_t,
 * au_tid_t, au_tid_addr_t and struct auditinfo_addr are used below but are
 * neither defined here nor provided by the two includes directly below;
 * includers presumably pull in <bsm/audit.h> first -- confirm.
 */

#ifndef _BSM_AUDIT_RECORD_H_
#define	_BSM_AUDIT_RECORD_H_

#include <sys/time.h>			/* struct timeval */
#include <sys/caprights.h>		/* cap_rights_t */

/*
 * Token type identifiers.
 *
 * Each constant tags one kind of token in a record.  The 32/64 suffixes pair
 * with the au_to_*32()/au_to_*64() constructors declared below; the _EX
 * variants are the extended forms whose constructors take an au_tid_addr_t
 * or an in6_addr instead of the narrower type (compare au_to_subject() with
 * au_to_subject_ex(), and au_to_in_addr() with au_to_in_addr_ex()).
 */
#define	AUT_INVALID		0x00
#define	AUT_OTHER_FILE32	0x11
#define	AUT_OHEADER		0x12
#define	AUT_TRAILER		0x13
#define	AUT_HEADER32		0x14
#define	AUT_HEADER32_EX		0x15
#define	AUT_DATA		0x21
#define	AUT_IPC			0x22
#define	AUT_PATH		0x23
#define	AUT_SUBJECT32		0x24
#define	AUT_XATPATH		0x25
#define	AUT_PROCESS32		0x26
#define	AUT_RETURN32		0x27
#define	AUT_TEXT		0x28
#define	AUT_OPAQUE		0x29
#define	AUT_IN_ADDR		0x2a
#define	AUT_IP			0x2b
#define	AUT_IPORT		0x2c
#define	AUT_ARG32		0x2d
#define	AUT_SOCKET		0x2e
#define	AUT_SEQ			0x2f
#define	AUT_ACL			0x30
#define	AUT_ATTR		0x31
#define	AUT_IPC_PERM		0x32
#define	AUT_LABEL		0x33
#define	AUT_GROUPS		0x34
#define	AUT_ACE			0x35
#define	AUT_PRIV		0x38
#define	AUT_UPRIV		0x39
#define	AUT_LIAISON		0x3a
#define	AUT_NEWGROUPS		0x3b
#define	AUT_EXEC_ARGS		0x3c
#define	AUT_EXEC_ENV		0x3d
#define	AUT_ATTR32		0x3e
#define	AUT_UNAUTH		0x3f
#define	AUT_XATOM		0x40
#define	AUT_XOBJ		0x41
#define	AUT_XPROTO		0x42
#define	AUT_XSELECT		0x43
#define	AUT_XCOLORMAP		0x44
#define	AUT_XCURSOR		0x45
#define	AUT_XFONT		0x46
#define	AUT_XGC			0x47
#define	AUT_XPIXMAP		0x48
#define	AUT_XPROPERTY		0x49
#define	AUT_XWINDOW		0x4a
#define	AUT_XCLIENT		0x4b
#define	AUT_CMD			0x51
#define	AUT_EXIT		0x52
#define	AUT_ZONENAME		0x60
#define	AUT_HOST		0x70
#define	AUT_ARG64		0x71
#define	AUT_RETURN64		0x72
#define	AUT_ATTR64		0x73
#define	AUT_HEADER64		0x74
#define	AUT_SUBJECT64		0x75
#define	AUT_PROCESS64		0x77
#define	AUT_OTHER_FILE64	0x78
#define	AUT_HEADER64_EX		0x79
#define	AUT_SUBJECT32_EX	0x7a
#define	AUT_PROCESS32_EX	0x7b
#define	AUT_SUBJECT64_EX	0x7c
#define	AUT_PROCESS64_EX	0x7d
#define	AUT_IN_ADDR_EX		0x7e
#define	AUT_SOCKET_EX		0x7f

/*
 * Pre-64-bit BSM, 32-bit tokens weren't explicitly named as '32'.  We have
 * compatibility defines.
 *
 * The unsuffixed names alias the 32-bit token types, so code using them
 * keeps producing the same token ids as before the rename.
 */
#define	AUT_HEADER		AUT_HEADER32
#define	AUT_ARG			AUT_ARG32
#define	AUT_RETURN		AUT_RETURN32
#define	AUT_SUBJECT		AUT_SUBJECT32
#define	AUT_PROCESS		AUT_PROCESS32
#define	AUT_OTHER_FILE		AUT_OTHER_FILE32

/*
 * The values for the following token ids are not defined by BSM.
 *
 * XXXRW: Not sure how to handle these in OpenBSM yet, but I'll give them
 * names more consistent with Sun's BSM.  These originally came from Apple's
 * BSM.
 *
 * Because these ids are local to this implementation, records containing
 * them may not be understood by other BSM consumers.
 */
#define	AUT_SOCKINET32		0x80		/* XXX */
#define	AUT_SOCKINET128		0x81		/* XXX */
#define	AUT_SOCKUNIX		0x82		/* XXX */

/* Capability-rights token; built by au_to_rights() below. */
#define	AUT_RIGHTS		0x83

/*
 * print values for the arbitrary token
 *
 * Presumably the values accepted by au_to_data()'s unit_print argument --
 * confirm against the implementation.
 */
#define	AUP_BINARY		0
#define	AUP_OCTAL		1
#define	AUP_DECIMAL		2
#define	AUP_HEX			3
#define	AUP_STRING		4

/*
 * data-types for the arbitrary token
 *
 * Presumably the values accepted by au_to_data()'s unit_type argument --
 * confirm against the implementation.  AUR_CHAR and AUR_INT are aliases of
 * AUR_BYTE and AUR_INT32 respectively, not distinct encodings.
 */
#define	AUR_BYTE		0
#define	AUR_CHAR		AUR_BYTE
#define	AUR_SHORT		1
#define	AUR_INT32		2
#define	AUR_INT			AUR_INT32
#define	AUR_INT64		3

/*
 * ... and their sizes
 *
 * Byte width of each AUR_* unit type.  u_char and the uintN_t types are not
 * provided by this header's own includes; presumably they arrive via
 * <sys/time.h> -- confirm.
 */
#define	AUR_BYTE_SIZE		sizeof(u_char)
#define	AUR_CHAR_SIZE		AUR_BYTE_SIZE
#define	AUR_SHORT_SIZE		sizeof(uint16_t)
#define	AUR_INT32_SIZE		sizeof(uint32_t)
#define	AUR_INT_SIZE		AUR_INT32_SIZE
#define	AUR_INT64_SIZE		sizeof(uint64_t)

/* Modifiers for the header token */
#define	PAD_NOTATTR	0x4000		/* nonattributable event */
#define	PAD_FAILURE	0x8000		/* fail audit event */

/*
 * NOTE(review): au_to_groups() below takes a gid array with no explicit
 * count, so this is presumably the number of entries it reads from its
 * argument -- confirm against the implementation before passing a smaller
 * array.  au_to_newgroups() takes an explicit count instead.
 */
#define	AUDIT_MAX_GROUPS	16

/*
 * A number of BSM versions are floating around and defined.  Here are
 * constants for them.  OpenBSM uses the same token types, etc, used in the
 * Solaris BSM version, but has a separate version number in order to
 * identify a potentially different event identifier name space.
 *
 * AUDIT_HEADER_VERSION_OPENBSM is the current default and aliases the
 * OPENBSM11 value.
 */
#define	AUDIT_HEADER_VERSION_OLDDARWIN	1	/* In retrospect, a mistake. */
#define	AUDIT_HEADER_VERSION_SOLARIS	2
#define	AUDIT_HEADER_VERSION_TSOL25	3
#define	AUDIT_HEADER_VERSION_TSOL	4
#define	AUDIT_HEADER_VERSION_OPENBSM10	10
#define	AUDIT_HEADER_VERSION_OPENBSM11	11
#define	AUDIT_HEADER_VERSION_OPENBSM	AUDIT_HEADER_VERSION_OPENBSM11

/*
 * Magic value associated with the trailer token (see au_to_trailer()).
 * Where it is written or checked is not visible in this header.
 */
#define	AUT_TRAILER_MAGIC	0xb105

/* BSM library calls */

/*
 * NOTE(review): __BEGIN_DECLS/__END_DECLS come from <sys/cdefs.h>, which
 * this header does not include directly; presumably reached through
 * <sys/time.h> -- confirm.
 */
__BEGIN_DECLS

/*
 * Opaque forward declarations: the constructors below only take pointers to
 * these, so the full definitions are not needed here.
 */
struct in_addr;
struct in6_addr;
struct ip;
struct ipc_perm;
struct kevent;
struct sockaddr;
struct sockaddr_in;
struct sockaddr_in6;
struct sockaddr_un;
#if defined(_KERNEL) || defined(KERNEL)
struct vnode_au_info;
#endif

/*
 * Record assembly.  au_open() presumably returns the descriptor 'd' that
 * au_write() and au_close*() take; au_write() appends one token and the
 * au_close*() variants finish the record.  All return int; the error
 * convention (e.g. -1 with errno set) is not visible here -- check the
 * implementation before testing the result.
 *
 * au_close_buffer()/au_close_token(): buflen is passed by pointer, so it is
 * presumably in/out (capacity on entry, bytes produced on return) -- confirm.
 */
int	 au_open(void);
int	 au_write(int d, token_t *m);
int	 au_close(int d, int keep, short event);
int	 au_close_buffer(int d, short event, u_char *buffer, size_t *buflen);
int	 au_close_token(token_t *tok, u_char *buffer, size_t *buflen);

/*
 * Token constructors.  Each returns a newly built token_t; the ownership
 * and failure convention (NULL on error?) is not visible here -- check the
 * implementation.  'tm' is passed by value.
 */
token_t	*au_to_file(const char *file, struct timeval tm);

/*
 * Header constructors.  The _tm forms take an explicit timestamp and are
 * available in both kernel and userland; the forms without _tm are declared
 * only outside the kernel.  The _ex forms additionally take the extended
 * audit info (struct auditinfo_addr) in the _tm variant.
 */
token_t	*au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
	    struct timeval tm);
token_t	*au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
	    struct timeval tm, struct auditinfo_addr *aia);
token_t	*au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
	    struct timeval tm);
#if !defined(KERNEL) && !defined(_KERNEL)
token_t	*au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
token_t	*au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod);
token_t	*au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
token_t	*au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod);
token_t	*au_to_header32_ex(int rec_size, au_event_t e_type, au_emod_t e_mod);
#endif

token_t	*au_to_me(void);
/*
 * Argument tokens: 'n' is the argument number (a plain char), 'text' a
 * descriptive label, 'v' the value; au_to_arg() takes the 32-bit width.
 */
token_t	*au_to_arg(char n, const char *text, uint32_t v);
token_t	*au_to_arg32(char n, const char *text, uint32_t v);
token_t	*au_to_arg64(char n, const char *text, uint64_t v);

/* Attribute tokens are kernel-only; they consume a vnode_au_info. */
#if defined(_KERNEL) || defined(KERNEL)
token_t	*au_to_attr(struct vnode_au_info *vni);
token_t	*au_to_attr32(struct vnode_au_info *vni);
token_t	*au_to_attr64(struct vnode_au_info *vni);
#endif

/*
 * Arbitrary data token.  unit_print/unit_type presumably take AUP_*/AUR_*
 * values (see above).  unit_count is a plain char, whose signedness is
 * implementation-defined; callers should not assume it is unsigned.
 */
token_t	*au_to_data(char unit_print, char unit_type, char unit_count,
	    const char *p);
token_t	*au_to_exit(int retval, int err);
/*
 * au_to_groups() takes no length (see AUDIT_MAX_GROUPS above);
 * au_to_newgroups() takes an explicit 16-bit count 'n'.
 */
token_t	*au_to_groups(int *groups);
token_t	*au_to_newgroups(uint16_t n, gid_t *groups);
token_t	*au_to_in_addr(struct in_addr *internet_addr);
token_t	*au_to_in_addr_ex(struct in6_addr *internet_addr);
token_t	*au_to_ip(struct ip *ip);
token_t	*au_to_ipc(char type, int id);
token_t	*au_to_ipc_perm(struct ipc_perm *perm);
token_t	*au_to_iport(uint16_t iport);
/* 'bytes' is uint16_t, so one opaque token carries at most 65535 bytes. */
token_t	*au_to_opaque(const char *data, uint16_t bytes);
token_t	*au_to_path(const char *path);
/*
 * NOTE(review): privtypestr/privstr are non-const char *; callers holding
 * const strings need a cast or a copy.
 */
token_t	*au_to_privset(char *privtypestr, char *privstr);
/*
 * Process/subject tokens.  The 'tid' argument distinguishes the plain forms
 * (au_tid_t *) from the _ex forms (au_tid_addr_t *); the unsuffixed
 * constructors take the same argument list as the 32-bit ones.
 */
token_t	*au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t	*au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t	*au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t	*au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
token_t	*au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
	    uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
	    au_tid_addr_t *tid);
token_t	*au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
token_t	*au_to_rights(cap_rights_t *rightsp);
/* 'status' is a plain char; the 64-bit form widens only 'ret'. */
token_t	*au_to_return(char status, uint32_t ret);
token_t	*au_to_return32(char status, uint32_t ret);
token_t	*au_to_return64(char status, uint64_t ret);
token_t	*au_to_seq(long audit_count);
/*
 * Socket tokens.  au_to_socket_ex() takes generic sockaddr pointers for
 * both endpoints; the au_to_sock_*() forms take the concrete family
 * structure and map to the implementation-local AUT_SOCKINET32/128 and
 * AUT_SOCKUNIX ids by name.
 */
token_t	*au_to_socket_ex(u_short so_domain, u_short so_type,
	    struct sockaddr *sa_local, struct sockaddr *sa_remote);
token_t	*au_to_sock_inet(struct sockaddr_in *so);
token_t	*au_to_sock_inet32(struct sockaddr_in *so);
token_t	*au_to_sock_inet128(struct sockaddr_in6 *so);
token_t	*au_to_sock_unix(struct sockaddr_un *so);
token_t	*au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t	*au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t	*au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
token_t	*au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
token_t	*au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
token_t	*au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
/*
 * exec argument/environment tokens have different signatures in the kernel
 * (flat buffer plus count) and in userland (pointer vector).  How the
 * userland vector is terminated is not visible here -- presumably a NULL
 * sentinel, confirm.  Both variants take non-const pointers.
 */
#if defined(_KERNEL) || defined(KERNEL)
token_t	*au_to_exec_args(char *args, int argc);
token_t	*au_to_exec_env(char *envs, int envc);
#else
token_t	*au_to_exec_args(char **argv);
token_t	*au_to_exec_env(char **envp);
#endif
token_t	*au_to_text(const char *text);
token_t	*au_to_kevent(struct kevent *kev);
token_t	*au_to_trailer(int rec_size);
/* NOTE(review): 'priv' is a non-const char *, like au_to_privset() above. */
token_t	*au_to_upriv(char sorf, char *priv);
token_t	*au_to_zonename(const char *zonename);

/*
 * BSM library routines for converting between local and BSM constant spaces.
 *
 * The au_bsm_to_*() routines return int and deliver the local value through
 * the out-pointer; the *_to_bsm() routines return the BSM value directly.
 * What the int return signals (0 on success?) is not visible here -- check
 * the implementation rather than assuming.
 */
int	 au_bsm_to_domain(u_short bsm_domain, int *local_domainp);
int	 au_bsm_to_errno(u_char bsm_error, int *errorp);
int	 au_bsm_to_fcntl_cmd(u_short bsm_fcntl_cmd, int *local_fcntl_cmdp);
int	 au_bsm_to_socket_type(u_short bsm_socket_type,
	    int *local_socket_typep);
u_short	 au_domain_to_bsm(int local_domain);
u_char	 au_errno_to_bsm(int local_errno);
u_short	 au_fcntl_cmd_to_bsm(int local_fcntl_command);
u_short	 au_socket_type_to_bsm(int local_socket_type);

__END_DECLS

#endif /* ! _BSM_AUDIT_RECORD_H_ */