audit.h revision 195104 
162473Sphk/*-
262473Sphk * Copyright (c) 1999-2005 Apple Inc.
362473Sphk * All rights reserved.
462473Sphk *
562473Sphk * Redistribution and use in source and binary forms, with or without
662473Sphk * modification, are permitted provided that the following conditions
762473Sphk * are met:
862473Sphk * 1.  Redistributions of source code must retain the above copyright
962473Sphk *     notice, this list of conditions and the following disclaimer.
1062473Sphk * 2.  Redistributions in binary form must reproduce the above copyright
1162473Sphk *     notice, this list of conditions and the following disclaimer in the
1262473Sphk *     documentation and/or other materials provided with the distribution.
1362473Sphk * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
1462473Sphk *     its contributors may be used to endorse or promote products derived
1562473Sphk *     from this software without specific prior written permission.
1662473Sphk *
1762473Sphk * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
1862473Sphk * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1962473Sphk * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2062473Sphk * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
2162473Sphk * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2262473Sphk * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2362473Sphk * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2462473Sphk * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
2562473Sphk * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
2662473Sphk * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
2762473Sphk * POSSIBILITY OF SUCH DAMAGE.
2862473Sphk *
2962473Sphk * $FreeBSD: head/sys/security/audit/audit.h 195104 2009-06-27 13:58:44Z rwatson $
3062473Sphk */
3162473Sphk
3262473Sphk/*
3362473Sphk * This header includes function prototypes and type definitions that are
3462473Sphk * necessary for the kernel as a whole to interact with the audit subsystem.
3562473Sphk */
3662473Sphk
3762473Sphk#ifndef _SECURITY_AUDIT_KERNEL_H_
3862473Sphk#define	_SECURITY_AUDIT_KERNEL_H_
3962473Sphk
4062473Sphk#ifndef _KERNEL
4162473Sphk#error "no user-serviceable parts inside"
4262473Sphk#endif
4362473Sphk
4462473Sphk#include <bsm/audit.h>
4562473Sphk
4662473Sphk#include <sys/file.h>
4762473Sphk#include <sys/sysctl.h>
4862473Sphk
4962473Sphk/*
5062473Sphk * Audit subsystem condition flags.  The audit_enabled flag is set and
5162473Sphk * removed automatically as a result of configuring log files, and can be
5262473Sphk * observed but should not be directly manipulated.  The audit suspension
5362473Sphk * flag permits audit to be temporarily disabled without reconfiguring the
5462473Sphk * audit target.
5562473Sphk */
5662473Sphkextern int	audit_enabled;
5762473Sphkextern int	audit_suspended;
5862473Sphk
5962473Sphk/*
6063673Sarchie * Define the masks for the audited arguments.
6162473Sphk *
6262473Sphk * XXXRW: These need to remain in audit.h for now because our vnode and name
6362473Sphk * lookup audit calls rely on passing in flags to indicate which name or
6462473Sphk * vnode is being logged.  These should move to audit_private.h when that is
6562473Sphk * fixed.
6662473Sphk */
6762473Sphk#define	ARG_EUID		0x0000000000000001ULL
6862473Sphk#define	ARG_RUID		0x0000000000000002ULL
6962473Sphk#define	ARG_SUID		0x0000000000000004ULL
7062473Sphk#define	ARG_EGID		0x0000000000000008ULL
7162473Sphk#define	ARG_RGID		0x0000000000000010ULL
7262473Sphk#define	ARG_SGID		0x0000000000000020ULL
7362473Sphk#define	ARG_PID			0x0000000000000040ULL
7462473Sphk#define	ARG_UID			0x0000000000000080ULL
7562473Sphk#define	ARG_AUID		0x0000000000000100ULL
7662473Sphk#define	ARG_GID			0x0000000000000200ULL
7762473Sphk#define	ARG_FD			0x0000000000000400ULL
7862473Sphk#define	ARG_POSIX_IPC_PERM	0x0000000000000800ULL
7962473Sphk#define	ARG_FFLAGS		0x0000000000001000ULL
8062473Sphk#define	ARG_MODE		0x0000000000002000ULL
8162473Sphk#define	ARG_DEV			0x0000000000004000ULL
8262473Sphk#define	ARG_ADDR		0x0000000000008000ULL
8362473Sphk#define	ARG_LEN			0x0000000000010000ULL
8462473Sphk#define	ARG_MASK		0x0000000000020000ULL
8562473Sphk#define	ARG_SIGNUM		0x0000000000040000ULL
8662473Sphk#define	ARG_LOGIN		0x0000000000080000ULL
8762473Sphk#define	ARG_SADDRINET		0x0000000000100000ULL
8862473Sphk#define	ARG_SADDRINET6		0x0000000000200000ULL
8962473Sphk#define	ARG_SADDRUNIX		0x0000000000400000ULL
9062473Sphk#define	ARG_TERMID_ADDR		0x0000000000400000ULL
9162473Sphk#define	ARG_UNUSED2		0x0000000001000000ULL
9262473Sphk#define	ARG_UPATH1		0x0000000002000000ULL
9362473Sphk#define	ARG_UPATH2		0x0000000004000000ULL
9462473Sphk#define	ARG_TEXT		0x0000000008000000ULL
9562473Sphk#define	ARG_VNODE1		0x0000000010000000ULL
9662473Sphk#define	ARG_VNODE2		0x0000000020000000ULL
9762473Sphk#define	ARG_SVIPC_CMD		0x0000000040000000ULL
9862473Sphk#define	ARG_SVIPC_PERM		0x0000000080000000ULL
9962473Sphk#define	ARG_SVIPC_ID		0x0000000100000000ULL
10062473Sphk#define	ARG_SVIPC_ADDR		0x0000000200000000ULL
10162473Sphk#define	ARG_GROUPSET		0x0000000400000000ULL
10262473Sphk#define	ARG_CMD			0x0000000800000000ULL
10362473Sphk#define	ARG_SOCKINFO		0x0000001000000000ULL
104#define	ARG_ASID		0x0000002000000000ULL
105#define	ARG_TERMID		0x0000004000000000ULL
106#define	ARG_AUDITON		0x0000008000000000ULL
107#define	ARG_VALUE		0x0000010000000000ULL
108#define	ARG_AMASK		0x0000020000000000ULL
109#define	ARG_CTLNAME		0x0000040000000000ULL
110#define	ARG_PROCESS		0x0000080000000000ULL
111#define	ARG_MACHPORT1		0x0000100000000000ULL
112#define	ARG_MACHPORT2		0x0000200000000000ULL
113#define	ARG_EXIT		0x0000400000000000ULL
114#define	ARG_IOVECSTR		0x0000800000000000ULL
115#define	ARG_ARGV		0x0001000000000000ULL
116#define	ARG_ENVV		0x0002000000000000ULL
117#define	ARG_NONE		0x0000000000000000ULL
118#define	ARG_ALL			0xFFFFFFFFFFFFFFFFULL
119
120void	 audit_syscall_enter(unsigned short code, struct thread *td);
121void	 audit_syscall_exit(int error, struct thread *td);
122
123/*
124 * The remaining kernel functions are conditionally compiled in as they are
125 * wrapped by a macro, and the macro should be the only place in the source
126 * tree where these functions are referenced.
127 */
128#ifdef AUDIT
129struct ipc_perm;
130struct sockaddr;
131union auditon_udata;
132void	 audit_arg_addr(void * addr);
133void	 audit_arg_exit(int status, int retval);
134void	 audit_arg_len(int len);
135void	 audit_arg_fd(int fd);
136void	 audit_arg_fflags(int fflags);
137void	 audit_arg_gid(gid_t gid);
138void	 audit_arg_uid(uid_t uid);
139void	 audit_arg_egid(gid_t egid);
140void	 audit_arg_euid(uid_t euid);
141void	 audit_arg_rgid(gid_t rgid);
142void	 audit_arg_ruid(uid_t ruid);
143void	 audit_arg_sgid(gid_t sgid);
144void	 audit_arg_suid(uid_t suid);
145void	 audit_arg_groupset(gid_t *gidset, u_int gidset_size);
146void	 audit_arg_login(char *login);
147void	 audit_arg_ctlname(int *name, int namelen);
148void	 audit_arg_mask(int mask);
149void	 audit_arg_mode(mode_t mode);
150void	 audit_arg_dev(int dev);
151void	 audit_arg_value(long value);
152void	 audit_arg_owner(uid_t uid, gid_t gid);
153void	 audit_arg_pid(pid_t pid);
154void	 audit_arg_process(struct proc *p);
155void	 audit_arg_signum(u_int signum);
156void	 audit_arg_socket(int sodomain, int sotype, int soprotocol);
157void	 audit_arg_sockaddr(struct thread *td, struct sockaddr *sa);
158void	 audit_arg_auid(uid_t auid);
159void	 audit_arg_auditinfo(struct auditinfo *au_info);
160void	 audit_arg_auditinfo_addr(struct auditinfo_addr *au_info);
161void	 audit_arg_upath(struct thread *td, char *upath, u_int64_t flags);
162void	 audit_arg_vnode(struct vnode *vp, u_int64_t flags);
163void	 audit_arg_text(char *text);
164void	 audit_arg_cmd(int cmd);
165void	 audit_arg_svipc_cmd(int cmd);
166void	 audit_arg_svipc_perm(struct ipc_perm *perm);
167void	 audit_arg_svipc_id(int id);
168void	 audit_arg_svipc_addr(void *addr);
169void	 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode);
170void	 audit_arg_auditon(union auditon_udata *udata);
171void	 audit_arg_file(struct proc *p, struct file *fp);
172void	 audit_arg_argv(char *argv, int argc, int length);
173void	 audit_arg_envv(char *envv, int envc, int length);
174void	 audit_sysclose(struct thread *td, int fd);
175void	 audit_cred_copy(struct ucred *src, struct ucred *dest);
176void	 audit_cred_destroy(struct ucred *cred);
177void	 audit_cred_init(struct ucred *cred);
178void	 audit_cred_kproc0(struct ucred *cred);
179void	 audit_cred_proc1(struct ucred *cred);
180void	 audit_proc_coredump(struct thread *td, char *path, int errcode);
181void	 audit_thread_alloc(struct thread *td);
182void	 audit_thread_free(struct thread *td);
183
184/*
185 * Define macros to wrap the audit_arg_* calls by checking the global
186 * audit_enabled flag before performing the actual call.
187 */
188#define	AUDITING_TD(td)		((td)->td_pflags & TDP_AUDITREC)
189
190#define	AUDIT_ARG_ADDR(addr) do {					\
191	if (AUDITING_TD(curthread))					\
192		audit_arg_addr((addr));					\
193} while (0)
194
195#define	AUDIT_ARG_ARGV(argv, argc, length) do {				\
196	if (AUDITING_TD(curthread))					\
197		audit_arg_argv((argv), (argc), (length));		\
198} while (0)
199
200#define	AUDIT_ARG_AUDITON(udata) do {					\
201	if (AUDITING_TD(curthread))					\
202		audit_arg_auditon((udata));				\
203} while (0)
204
205#define	AUDIT_ARG_CMD(cmd) do {						\
206	if (AUDITING_TD(curthread))					\
207		audit_arg_cmd((cmd));					\
208} while (0)
209
210#define	AUDIT_ARG_DEV(dev) do {						\
211	if (AUDITING_TD(curthread))					\
212		audit_arg_dev((dev));					\
213} while (0)
214
215#define	AUDIT_ARG_EGID(egid) do {					\
216	if (AUDITING_TD(curthread))					\
217		audit_arg_egid((egid));					\
218} while (0)
219
220#define	AUDIT_ARG_ENVV(envv, envc, length) do {				\
221	if (AUDITING_TD(curthread))					\
222		audit_arg_envv((envv), (envc), (length));		\
223} while (0)
224
225#define	AUDIT_ARG_EXIT(status, retval) do {				\
226	if (AUDITING_TD(curthread))					\
227		audit_arg_exit((status), (retval));			\
228} while (0)
229
230#define	AUDIT_ARG_EUID(euid) do {					\
231	if (AUDITING_TD(curthread))					\
232		audit_arg_euid((euid));					\
233} while (0)
234
235#define	AUDIT_ARG_FD(fd) do {						\
236	if (AUDITING_TD(curthread))					\
237		audit_arg_fd((fd));					\
238} while (0)
239
240#define	AUDIT_ARG_FILE(p, fp) do {					\
241	if (AUDITING_TD(curthread))					\
242		audit_arg_file((p), (fp));				\
243} while (0)
244
245#define	AUDIT_ARG_FFLAGS(fflags) do {					\
246	if (AUDITING_TD(curthread))					\
247		audit_arg_fflags((fflags));				\
248} while (0)
249
250#define	AUDIT_ARG_GID(gid) do {						\
251	if (AUDITING_TD(curthread))					\
252		audit_arg_gid((gid));					\
253} while (0)
254
255#define	AUDIT_ARG_GROUPSET(gidset, gidset_size) do {			\
256	if (AUDITING_TD(curthread))					\
257		audit_arg_groupset((gidset), (gidset_size));		\
258} while (0)
259
260#define	AUDIT_ARG_MODE(mode) do {					\
261	if (AUDITING_TD(curthread))					\
262		audit_arg_mode((mode));					\
263} while (0)
264
265#define	AUDIT_ARG_OWNER(uid, gid) do {					\
266	if (AUDITING_TD(curthread))					\
267		audit_arg_owner((uid), (gid));				\
268} while (0)
269
270#define	AUDIT_ARG_PID(pid) do {						\
271	if (AUDITING_TD(curthread))					\
272		audit_arg_pid((pid));					\
273} while (0)
274
275#define	AUDIT_ARG_PROCESS(p) do {					\
276	if (AUDITING_TD(curthread))					\
277		audit_arg_process((p));					\
278} while (0)
279
280#define	AUDIT_ARG_RGID(rgid) do {					\
281	if (AUDITING_TD(curthread))					\
282		audit_arg_gid((rgid));					\
283} while (0)
284
285#define	AUDIT_ARG_RUID(ruid) do {					\
286	if (AUDITING_TD(curthread))					\
287		audit_arg_ruid((ruid));					\
288} while (0)
289
290#define	AUDIT_ARG_SIGNUM(signum) do {					\
291	if (AUDITING_TD(curthread))					\
292		audit_arg_signum((signum));				\
293} while (0)
294
295#define	AUDIT_ARG_SGID(sgid) do {					\
296	if (AUDITING_TD(curthread))					\
297		audit_arg_sgid((sgid));					\
298} while (0)
299
300#define	AUDIT_ARG_SUID(suid) do {					\
301	if (AUDITING_TD(curthread))					\
302		audit_arg_suid((suid));					\
303} while (0)
304
305#define	AUDIT_ARG_TEXT(text) do {					\
306	if (AUDITING_TD(curthread))					\
307		audit_arg_text((text));					\
308} while (0)
309
310#define	AUDIT_ARG_UID(uid) do {						\
311	if (AUDITING_TD(curthread))					\
312		audit_arg_uid((uid));					\
313} while (0)
314
315#define	AUDIT_ARG_UPATH(td, upath, flags) do {				\
316	if (AUDITING_TD(curthread))					\
317		audit_arg_upath((td), (upath), (flags));		\
318} while (0)
319
320#define	AUDIT_ARG_VALUE(value) do {					\
321	if (AUDITING_TD(curthread))					\
322		audit_arg_value((value));				\
323} while (0)
324
325#define	AUDIT_ARG_VNODE(vp, flags) do {					\
326	if (AUDITING_TD(curthread))					\
327		audit_arg_vnode((vp), (flags));				\
328} while (0)
329
330#define	AUDIT_SYSCALL_ENTER(code, td)	do {				\
331	if (audit_enabled) {						\
332		audit_syscall_enter(code, td);				\
333	}								\
334} while (0)
335
336/*
337 * Wrap the audit_syscall_exit() function so that it is called only when
338 * we have a audit record on the thread.  Audit records can persist after
339 * auditing is disabled, so we don't just check audit_enabled here.
340 */
341#define	AUDIT_SYSCALL_EXIT(error, td)	do {				\
342	if (td->td_pflags & TDP_AUDITREC)				\
343		audit_syscall_exit(error, td);				\
344} while (0)
345
346/*
347 * A Macro to wrap the audit_sysclose() function.
348 */
349#define	AUDIT_SYSCLOSE(td, fd)	do {					\
350	if (td->td_pflags & TDP_AUDITREC)				\
351		audit_sysclose(td, fd);					\
352} while (0)
353
354#else /* !AUDIT */
355
356#define	AUDIT_ARG_ADDR(addr)
357#define	AUDIT_ARG_ARGV(argv, argc, length)
358#define	AUDIT_ARG_AUDITON(udata)
359#define	AUDIT_ARG_CMD(cmd)
360#define	AUDIT_ARG_DEV(dev)
361#define	AUDIT_ARG_EGID(egid)
362#define	AUDIT_ARG_ENVV(envv, envc, length)
363#define	AUDIT_ARG_EXIT(status, retval)
364#define	AUDIT_ARG_EUID(euid)
365#define	AUDIT_ARG_FD(fd)
366#define	AUDIT_ARG_FILE(p, fp)
367#define	AUDIT_ARG_FFLAGS(fflags)
368#define	AUDIT_ARG_GID(gid)
369#define	AUDIT_ARG_GROUPSET(gidset, gidset_size)
370#define	AUDIT_ARG_MODE(mode)
371#define	AUDIT_ARG_OWNER(uid, gid)
372#define	AUDIT_ARG_PID(pid)
373#define	AUDIT_ARG_PROCESS(p)
374#define	AUDIT_ARG_RGID(rgid)
375#define	AUDIT_ARG_RUID(ruid)
376#define	AUDIT_ARG_SIGNUM(signum)
377#define	AUDIT_ARG_SGID(sgid)
378#define	AUDIT_ARG_SUID(suid)
379#define	AUDIT_ARG_TEXT(text)
380#define	AUDIT_ARG_UID(uid)
381#define	AUDIT_ARG_UPATH(td, upath, flags)
382#define	AUDIT_ARG_VALUE(value)
383#define	AUDIT_ARG_VNODE(vp, flags)
384
385#define	AUDIT_SYSCALL_ENTER(code, td)
386#define	AUDIT_SYSCALL_EXIT(error, td)
387
388#define	AUDIT_SYSCLOSE(p, fd)
389
390#endif /* AUDIT */
391
392#endif /* !_SECURITY_AUDIT_KERNEL_H_ */
393