audit.h revision f48205be61a214698b763ff550ab9e657525104c
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* This file contains the declarations of the various data structures
* used by the auditing module(s).
*/
#ifndef _BSM_AUDIT_H
#define _BSM_AUDIT_H
#pragma ident "%Z%%M% %I% %E% SMI"
#ifdef __cplusplus
extern "C" {
#endif
#include <sys/shm.h> /* for shmid_ds structure */
#include <sys/sem.h> /* for semid_ds structure */
#include <sys/msg.h> /* for msqid_ds structure */
#include <sys/atomic.h> /* using atomics */
/*
* Audit conditions, statements regarding what's to be done with
* audit records. Neither AUC_ENABLED, AUC_DISABLED, nor AUC_UNSET
* are returned on an auditconfig -getcond call.
*/
/*
 * global state -- per the note above, none of these three values is
 * what auditconfig -getcond reports.
 */
#define AUC_DISABLED -1 /* audit module loaded but not enabled */
#define AUC_UNSET 0 /* on/off hasn't been decided */
#define AUC_ENABLED 1 /* loaded and enabled */
/*
 * local zone state.  These overlap numerically with the global-state
 * values (AUC_AUDITING == AUC_ENABLED == 1) but describe a different
 * variable; never compare a zone condition against a global-state
 * constant or vice versa.
 */
#define AUC_INIT_AUDIT 4 /* c2audit is ready but auditd has not run */
#define AUC_AUDITING 1 /* auditing is being done */
#define AUC_NOAUDIT 2 /* auditing is not being done */
#define AUC_NOSPACE 3 /* audit enabled, no space for audit records */
/*
 * The user id -2 is never audited - in fact, a setauid(AU_NOAUDITID)
 * will turn off auditing.
 * au_id_t is uid_t (see the typedefs below); the -2 is cast to that type.
 */
#define AU_NOAUDITID ((au_id_t)-2)
/*
 * success/failure bits for asynchronous events
 * They select which half of the system au_mask (am_success / am_failure)
 * an asynchronous event is preselected against.
 */
#define AUM_SUCC 1 /* use the system success preselection mask */
#define AUM_FAIL 2 /* use the system failure preselection mask */
/*
 * Defines for event modifier field (presumably carried in an au_emod_t,
 * a short -- note PAD_FAILURE occupies the sign bit of a signed short)
 */
#define PAD_READ 0x0001 /* object read */
#define PAD_WRITE 0x0002 /* object write */
#define PAD_NONATTR 0x4000 /* non-attributable event */
#define PAD_FAILURE 0x8000 /* fail audit event */
#define PAD_SPRIVUSE 0x0080 /* successfully used privileged */
#define PAD_FPRIVUSE 0x0100 /* failed use of privileged */
/*
* Some typedefs for the fundamentals
*/
typedef pid_t au_asid_t; /* audit session id (the "asid" of A_SETSMASK) */
typedef uint_t au_class_t; /* audit class bit-set (cf. au_evclass_map.ec_class) */
typedef short au_event_t; /* audit event number (cf. au_evclass_map.ec_number) */
typedef short au_emod_t; /* event modifier (cf. the PAD_* bits above) */
typedef uid_t au_id_t; /* audit user id (the "auid" of BSM_GETAUID/SETAUID) */
/*
* An audit event mask.
*/
#define AU_MASK_ALL 0xFFFFFFFF /* all bits on for unsigned int */
#define AU_MASK_NONE 0x0 /* all bits off = no:invalid class */
/*
 * Preselection mask: one class bit-set for successful events and one
 * for failed events (cf. AUM_SUCC / AUM_FAIL above).
 */
struct au_mask {
unsigned int am_success; /* success bits */
unsigned int am_failure; /* failure bits */
};
typedef struct au_mask au_mask_t;
/*
 * Legacy member aliases.  These are bare token replacements, not struct
 * members: every identifier as_success / as_failure seen after this
 * header is included is rewritten to the am_* name.
 */
#define as_success am_success
#define as_failure am_failure
/*
* The structure of the terminal ID (ipv4)
*/
struct au_tid {
dev_t port; /* terminal device */
uint_t machine; /* presumably the IPv4 host address (4 bytes, cf. AU_IPv4) */
};
#if defined(_SYSCALL32)
/* _SYSCALL32 (32-bit caller) layout of au_tid: port is uint_t, not dev_t */
struct au_tid32 {
uint_t port;
uint_t machine;
};
typedef struct au_tid32 au_tid32_t;
#endif
typedef struct au_tid au_tid_t;
/*
* The structure of the terminal ID (ipv6)
*/
struct au_tid_addr {
dev_t at_port; /* terminal device */
uint_t at_type; /* address length: AU_IPv4 or AU_IPv6 (see below) */
uint_t at_addr[4]; /* 16 bytes of address; an IPv4 address presumably uses at_addr[0] only */
};
/* A device number split into its major/minor halves (used by au_tid_addr64) */
struct au_port_s {
uint32_t at_major; /* major # */
uint32_t at_minor; /* minor # */
};
typedef struct au_port_s au_port_t;
/*
 * Fixed-layout variant of au_tid_addr: the terminal device is an explicit
 * 32+32-bit major/minor pair (au_port_t) instead of a dev_t.
 */
struct au_tid_addr64 {
au_port_t at_port;
uint_t at_type; /* AU_IPv4 or AU_IPv6 */
uint_t at_addr[4];
};
typedef struct au_tid_addr64 au_tid64_addr_t;
#if defined(_SYSCALL32)
/* _SYSCALL32 layout of au_tid_addr: at_port narrowed to uint_t */
struct au_tid_addr32 {
uint_t at_port;
uint_t at_type; /* AU_IPv4 or AU_IPv6 */
uint_t at_addr[4];
};
typedef struct au_tid_addr32 au_tid32_addr_t;
#endif
typedef struct au_tid_addr au_tid_addr_t;
/* IP endpoint form of a terminal id; carried inside au_generic_tid below */
struct au_ip {
uint16_t at_r_port; /* remote port */
uint16_t at_l_port; /* local port */
uint32_t at_type; /* AU_IPv4,... */
uint32_t at_addr[4]; /* remote IP */
};
typedef struct au_ip au_ip_t;
/*
* Generic network address structure
*/
/*
 * gt_type selects the valid union member (values below): AU_IPADR -> at_ip,
 * AU_DEVICE -> at_dev; 0 means uninitialized.  AU_ETHER has no member here.
 */
struct au_generic_tid {
uchar_t gt_type; /* AU_IPADR, AU_DEVICE,... */
union {
au_ip_t at_ip;
au_port_t at_dev;
} gt_adr;
};
typedef struct au_generic_tid au_generic_tid_t;
/*
* au_generic_tid_t gt_type values
* 0 is reserved for uninitialized data
*/
#define AU_IPADR 1 /* gt_adr.at_ip is valid */
#define AU_ETHER 2
#define AU_DEVICE 3 /* gt_adr.at_dev is valid */
/*
 * at_type values - address length used to identify address type
 * (the length in bytes; at_addr[4] holds up to 16)
 */
#define AU_IPv4 4 /* ipv4 type IP address */
#define AU_IPv6 16 /* ipv6 type IP address */
/*
* Compatibility with SunOS 4.x BSM module
*
* New code should not contain audit_state_t,
* au_state_t, nor au_termid as these types
* may go away in future releases.
*
* typedef new-5.x-bsm-name old-4.x-bsm-name
*/
typedef au_class_t au_state_t; /* 4.x name for au_class_t */
typedef au_mask_t audit_state_t; /* 4.x name for au_mask_t */
typedef au_id_t auid_t; /* 4.x name for au_id_t */
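/*
 * 4.x name for the ai_mask member of the auditinfo structures below.
 * This is a plain token alias, not a typedef: every later occurrence of
 * ai_state is rewritten to ai_mask.  The expansion must not carry a
 * trailing semicolon, otherwise any use other than at the very end of a
 * statement (e.g. "foo(x.ai_state)") fails to compile.
 */
#define ai_state ai_mask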
/*
 * Opcodes for bsm system calls
 * (presumably the value carried in auditcalls.code, see the _KERNEL
 * section).  The *_ADDR opcodes use the auditinfo_addr forms below,
 * whose terminal id is the ipv6-capable au_tid_addr_t rather than au_tid_t.
 */
#define BSM_GETAUID 19
#define BSM_SETAUID 20
#define BSM_GETAUDIT 21
#define BSM_SETAUDIT 22
#define BSM_GETUSERAUDIT 23
#define BSM_SETUSERAUDIT 24
#define BSM_AUDIT 25
/* 26 OBSOLETE */
#define BSM_AUDITSVC 27 /* EOL announced for Sol 10 */
#define BSM_AUDITON 28
#define BSM_AUDITCTL 29
#define BSM_GETKERNSTATE 30
#define BSM_SETKERNSTATE 31
#define BSM_GETPORTAUDIT 32
#define BSM_REVOKE 33
#define BSM_AUDITSTAT 34
#define BSM_GETAUDIT_ADDR 35
#define BSM_SETAUDIT_ADDR 36
#define BSM_AUDITDOOR 37
/*
 * Auditctl(2) commands
 */
#define A_GETPOLICY 2 /* get audit policy (cf. the AUDIT_* bits below) */
#define A_SETPOLICY 3 /* set audit policy (cf. the AUDIT_* bits below) */
#define A_GETKMASK 4 /* get kernel event preselection mask (cf. au_mask_t) */
#define A_SETKMASK 5 /* set kernel event preselection mask (cf. au_mask_t) */
#define A_GETQCTRL 6 /* get kernel audit queue ctrl parameters (cf. au_qctrl) */
#define A_SETQCTRL 7 /* set kernel audit queue ctrl parameters (cf. au_qctrl) */
#define A_GETCWD 8 /* get process current working directory */
#define A_GETCAR 9 /* get process current active root */
#define A_GETSTAT 12 /* get audit statistics (cf. audit_stat and the note there) */
#define A_SETSTAT 13 /* (re)set audit statistics */
#define A_SETUMASK 14 /* set preselection mask for procs with auid */
#define A_SETSMASK 15 /* set preselection mask for procs with asid */
#define A_GETCOND 20 /* get audit system on/off condition (cf. the AUC_* note: the global-state values are never returned) */
#define A_SETCOND 21 /* set audit system on/off condition */
#define A_GETCLASS 22 /* get audit event to class mapping (cf. au_evclass_map) */
#define A_SETCLASS 23 /* set audit event to class mapping (cf. au_evclass_map) */
#define A_GETPINFO 24 /* get audit info for an arbitrary pid (cf. auditpinfo) */
#define A_SETPMASK 25 /* set preselection mask for a given pid */
#define A_SETFSIZE 26 /* set audit file size */
#define A_GETFSIZE 27 /* get audit file size */
#define A_GETPINFO_ADDR 28 /* get audit info for an arbitrary pid (cf. auditpinfo_addr) */
#define A_GETKAUDIT 29 /* get kernel audit characteristics */
#define A_SETKAUDIT 30 /* set kernel audit characteristics */
/*
* Audit Policy parameters (32 bits)
*/
#define AUDIT_CNT 0x0001 /* do NOT sleep undelivered synch events */
#define AUDIT_AHLT 0x0002 /* HALT machine on undelivered async event */
#define AUDIT_ARGV 0x0004 /* include argv with execv system call events */
#define AUDIT_ARGE 0x0008 /* include arge with execv system call events */
#define AUDIT_SEQ 0x0010 /* include sequence attribute */
#define AUDIT_WINDATA 0x0020 /* include interwindow moved data */
#define AUDIT_GROUP 0x0040 /* include group attribute with each record */
#define AUDIT_TRAIL 0x0080 /* include trailer token */
#define AUDIT_PATH 0x0100 /* allow multiple paths per event */
#define AUDIT_SCNT 0x0200 /* sleep user events but not kernel events */
#define AUDIT_PUBLIC 0x0400 /* audit even "public" files */
#define AUDIT_ZONENAME 0x0800 /* emit zonename token */
#define AUDIT_PERZONE 0x1000 /* auditd and audit queue for each zone */
#define AUDIT_WINDATA_DOWN 0x2000 /* include paste downgraded data */
#define AUDIT_WINDATA_UP 0x4000 /* include paste upgraded data */
/*
 * If AUDIT_GLOBAL changes, corresponding changes are required in
 * audit_syscalls.c's setpolicy().
 *
 * AUDIT_GLOBAL and AUDIT_LOCAL are disjoint and together cover every
 * AUDIT_* bit defined above (2 + 13 = 15 bits); a new policy bit must be
 * added to exactly one of them.  AUDIT_CNT/AUDIT_SCNT trade audit
 * completeness for availability (records may be dropped rather than
 * blocking); AUDIT_AHLT trades the other way.
 */
#define AUDIT_GLOBAL (AUDIT_AHLT | AUDIT_PERZONE)
#define AUDIT_LOCAL (AUDIT_CNT | AUDIT_ARGV | AUDIT_ARGE |\
AUDIT_SEQ | AUDIT_WINDATA |\
AUDIT_GROUP | AUDIT_TRAIL | AUDIT_PATH |\
AUDIT_PUBLIC | AUDIT_SCNT | AUDIT_ZONENAME |\
AUDIT_WINDATA_DOWN | AUDIT_WINDATA_UP)
/*
* Kernel audit queue control parameters
*
* audit record recording blocks at hiwater # undelivered records
* audit record recording resumes at lowwater # undelivered audit records
* bufsz determines how big the data xfers will be to the audit trail
*/
/*
 * Queue control parameters (defaults and limits: AQ_* below).  Per the
 * note above, recording blocks once aq_hiwater records are undelivered,
 * resumes at aq_lowater, and aq_bufsz sizes the writes to the trail.
 */
struct au_qctrl {
size_t aq_hiwater; /* kernel audit queue, high water mark */
size_t aq_lowater; /* kernel audit queue, low water mark */
size_t aq_bufsz; /* kernel audit queue, write size to trail */
clock_t aq_delay; /* delay before flushing audit queue */
};
#if defined(_SYSCALL32)
/* _SYSCALL32 layout: size_t / clock_t narrowed to their 32-bit forms */
struct au_qctrl32 {
size32_t aq_hiwater;
size32_t aq_lowater;
size32_t aq_bufsz;
clock32_t aq_delay;
};
#endif
/*
 * default values of hiwater and lowater (note hi > lo)
 *
 * AQ_MAX* presumably bound what may be set for the matching au_qctrl
 * field; the defaults here satisfy them (100 <= 100000, 8192 <= 1048576,
 * 20 <= 20000) and AQ_HIWATER > AQ_LOWATER as required.
 */
#define AQ_HIWATER 100 /* default aq_hiwater */
#define AQ_MAXHIGH 100000 /* largest aq_hiwater */
#define AQ_LOWATER 10 /* default aq_lowater */
#define AQ_BUFSZ 8192 /* default aq_bufsz */
#define AQ_MAXBUFSZ 1048576 /* largest aq_bufsz */
#define AQ_DELAY 20 /* default aq_delay */
#define AQ_MAXDELAY 20000 /* largest aq_delay */
/*
 * Audit attributes (auid, mask, terminal, session) in the ipv4
 * terminal-id form; auditinfo_addr below is the ipv6-capable form.
 */
struct auditinfo {
au_id_t ai_auid; /* audit user id */
au_mask_t ai_mask; /* preselection mask */
au_tid_t ai_termid; /* terminal id (ipv4 form) */
au_asid_t ai_asid; /* audit session id */
};
#if defined(_SYSCALL32)
/* _SYSCALL32 layout: terminal id is au_tid32_t */
struct auditinfo32 {
au_id_t ai_auid;
au_mask_t ai_mask;
au_tid32_t ai_termid;
au_asid_t ai_asid;
};
typedef struct auditinfo32 auditinfo32_t;
#endif
typedef struct auditinfo auditinfo_t;
/* auditinfo with the ipv6-capable terminal id (au_tid_addr_t) */
struct auditinfo_addr {
au_id_t ai_auid; /* audit user id */
au_mask_t ai_mask; /* preselection mask */
au_tid_addr_t ai_termid; /* terminal id (ipv4 or ipv6, per at_type) */
au_asid_t ai_asid; /* audit session id */
};
/* auditinfo_addr with the fixed-layout au_tid64_addr_t terminal id */
struct auditinfo_addr64 {
au_id_t ai_auid;
au_mask_t ai_mask;
au_tid64_addr_t ai_termid;
au_asid_t ai_asid;
};
typedef struct auditinfo_addr64 auditinfo64_addr_t;
#if defined(_SYSCALL32)
/* _SYSCALL32 layout of auditinfo_addr: terminal id is au_tid32_addr_t */
struct auditinfo_addr32 {
au_id_t ai_auid;
au_mask_t ai_mask;
au_tid32_addr_t ai_termid;
au_asid_t ai_asid;
};
typedef struct auditinfo_addr32 auditinfo32_addr_t;
#endif
typedef struct auditinfo_addr auditinfo_addr_t;
/*
 * auditinfo prefixed with the pid it describes (cf. A_GETPINFO,
 * "get audit info for an arbitrary pid").
 */
struct auditpinfo {
pid_t ap_pid; /* process the remaining fields belong to */
au_id_t ap_auid; /* audit user id */
au_mask_t ap_mask; /* preselection mask */
au_tid_t ap_termid; /* terminal id (ipv4 form) */
au_asid_t ap_asid; /* audit session id */
};
#if defined(_SYSCALL32)
/* _SYSCALL32 layout: terminal id is au_tid32_t */
struct auditpinfo32 {
pid_t ap_pid;
au_id_t ap_auid;
au_mask_t ap_mask;
au_tid32_t ap_termid;
au_asid_t ap_asid;
};
#endif
/*
 * auditpinfo with the ipv6-capable terminal id (cf. A_GETPINFO_ADDR).
 */
struct auditpinfo_addr {
pid_t ap_pid; /* process the remaining fields belong to */
au_id_t ap_auid; /* audit user id */
au_mask_t ap_mask; /* preselection mask */
au_tid_addr_t ap_termid; /* terminal id (ipv4 or ipv6, per at_type) */
au_asid_t ap_asid; /* audit session id */
};
#if defined(_SYSCALL32)
/* _SYSCALL32 layout: terminal id is au_tid32_addr_t */
struct auditpinfo_addr32 {
pid_t ap_pid;
au_id_t ap_auid;
au_mask_t ap_mask;
au_tid32_addr_t ap_termid;
au_asid_t ap_asid;
};
#endif
/*
 * One event-to-class mapping entry (cf. A_GETCLASS / A_SETCLASS).
 * Note ec_number is a signed short (au_event_t) while ec_class is an
 * unsigned class bit-set (au_class_t).
 */
struct au_evclass_map {
au_event_t ec_number; /* audit event number */
au_class_t ec_class; /* classes the event belongs to */
};
typedef struct au_evclass_map au_evclass_map_t;
/*
* Audit stat structures (used to be in audit_stat.h)
*/
/*
 * Kernel audit counters.  The uint32_t fields are presumably the targets
 * of AS_INC/AS_DEC (atomic_add_32) below; they are never widened here and
 * wrap at 2^32.  as_dropped is the one to watch: any non-zero value means
 * records were lost, i.e. the audit trail has gaps.
 */
struct audit_stat {
unsigned int as_version; /* version of kernel audit code */
unsigned int as_numevent; /* number of kernel audit events */
uint32_t as_generated; /* # records processed */
uint32_t as_nonattrib; /* # non-attributed records produced */
uint32_t as_kernel; /* # records produced by kernel */
uint32_t as_audit; /* # records processed by audit(2) */
uint32_t as_auditctl; /* # records processed by auditctl(2) */
uint32_t as_enqueue; /* # records put onto audit queue */
uint32_t as_written; /* # records written to audit trail */
uint32_t as_wblocked; /* # times write blked on audit queue */
uint32_t as_rblocked; /* # times read blked on audit queue */
uint32_t as_dropped; /* # of dropped audit records */
uint32_t as_totalsize; /* total number bytes of audit data */
uint32_t as_memused; /* no longer used */
};
typedef struct audit_stat au_stat_t;
extern int au_naevent; /* defined elsewhere; presumably the number of audit events (cf. as_numevent) */
/*
* Secondary stat structure for file size stuff. The stat structure was
* not combined to preserve the semantics of the 5.1 - 5.3 A_GETSTAT call
*/
/* Audit file size limit and current size (cf. A_GETFSIZE / A_SETFSIZE) */
struct audit_fstat {
unsigned int af_filesz; /* configured file size limit */
unsigned int af_currsz; /* current size */
};
typedef struct audit_fstat au_fstat_t;
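/*
 * Kernel audit context selectors.
 *
 * GET_KCTX_PZ yields the current process's zone context when the
 * AUDIT_PERZONE policy bit is set in audit_policy, otherwise the global
 * zone's.  The whole expansion is parenthesized so that the conditional
 * binds correctly when the macro is used as an operand -- without the
 * parentheses "GET_KCTX_PZ->field" or "x - GET_KCTX_PZ" would apply the
 * neighbouring operator to only one branch of the ?: expression.
 * audit_policy, curproc and global_zone are supplied by the including
 * kernel code.
 */
#define GET_KCTX_PZ ((audit_policy & AUDIT_PERZONE) ?\
curproc->p_zone->zone_audit_kctxt :\
global_zone->zone_audit_kctxt)
/* get kernel audit context of global zone */
#define GET_KCTX_GZ (global_zone->zone_audit_kctxt)
/* get kernel audit context of non-global zone */
#define GET_KCTX_NGZ (curproc->p_zone->zone_audit_kctxt)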
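/*
 * Atomically adjust statistic field "a" of audit context "c" by "b".
 * "a" is pasted as a member name of c->auk_statistics (presumably an
 * au_stat_t, whose counters are uint32_t), so it must be a plain field
 * name, not an expression.  The context argument is parenthesized so
 * that an arbitrary expression (e.g. a conditional) may be passed as
 * "c".  AS_DEC negates "b" before the atomic add; pass a non-negative
 * count.
 */
#define AS_INC(a, b, c) atomic_add_32(&((c)->auk_statistics.a), (b))
#define AS_DEC(a, b, c) atomic_add_32(&((c)->auk_statistics.a), -(b))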
/*
* audit token IPC types (shm, sem, msg) [for ipc attribute]
*/
#define AT_IPC_MSG ((char)1) /* message IPC id (cf. msqid_ds) */
#define AT_IPC_SEM ((char)2) /* semaphore IPC id (cf. semid_ds) */
#define AT_IPC_SHM ((char)3) /* shared memory IPC id (cf. shmid_ds) */
#if defined(_KERNEL)
#ifdef __cplusplus
}
#endif
#include <sys/types.h>
#include <sys/model.h>
#include <sys/proc.h>
#include <sys/stream.h>
#include <sys/stropts.h>
#include <sys/file.h>
#include <sys/pathname.h>
#include <sys/vnode.h>
#include <sys/systm.h>
#include <netinet/in.h>
#include <c2/audit_door_infc.h>
#include <sys/crypto/ioctladmin.h>
#include <sys/netstack.h>
#ifdef __cplusplus
extern "C" {
#endif
/* Incomplete types referenced only through pointers in the prototypes below */
struct fcntla;
struct t_audit_data;
struct audit_path;
struct priv_set;
struct devplcysys;
/*
 * Argument block of auditsys()/_auditsys(): code selects the operation
 * (presumably one of the BSM_* opcodes above) and a1..a5 carry the raw,
 * untyped user arguments, which the callee must interpret and validate
 * according to code.
 */
struct auditcalls {
long code;
long a1;
long a2;
long a3;
long a4;
long a5;
};
/*
 * Kernel-only audit entry points (this section is compiled under _KERNEL).
 * Only names and signatures are given here; parameter semantics are not
 * documented in this header and must be taken from the defining .c files.
 */
int audit(caddr_t, int); /* presumably the stub/implementation split of auditsys/_auditsys below */
int _audit(caddr_t, int);
int auditsys(struct auditcalls *, union rval *); /* fake stub */
int _auditsys(struct auditcalls *, union rval *); /* real deal */
void audit_cryptoadm(int, char *, crypto_mech_name_t *,
uint_t, uint_t, uint32_t, int);
void audit_init(void);
void audit_newproc(struct proc *);
void audit_pfree(struct proc *);
void audit_thread_create(kthread_id_t);
void audit_thread_free(kthread_id_t);
int audit_savepath(struct pathname *, struct vnode *, int, cred_t *);
void audit_addcomponent(struct pathname *);
void audit_anchorpath(struct pathname *, int);
void audit_symlink(struct pathname *, struct pathname *);
void audit_symlink_create(struct vnode *, char *, char *, int);
int file_is_public(struct vattr *); /* cf. AUDIT_PUBLIC ("audit even public files") */
void audit_attributes(struct vnode *);
void audit_falloc(struct file *);
void audit_unfalloc(struct file *);
void audit_exit(int, int);
void audit_core_start(int);
void audit_core_finish(int);
void audit_stropen(struct vnode *, dev_t *, int, struct cred *);
void audit_strclose(struct vnode *, int, struct cred *);
void audit_strioctl(struct vnode *, int, intptr_t, int, int, struct cred *,
int *);
void audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *,
unsigned char *, int *, int);
void audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *,
unsigned char, int, int);
void audit_closef(struct file *);
int audit_getf(int);
void audit_setf(struct file *, int);
void audit_copen(int, struct file *, struct vnode *);
void audit_reboot(void);
void audit_vncreate_start(void);
void audit_setfsat_path(int argnum);
void audit_vncreate_finish(struct vnode *, int);
void audit_exec(const char *, const char *, ssize_t, ssize_t); /* presumably the argv/arge data selected by AUDIT_ARGV / AUDIT_ARGE */
void audit_enterprom(int);
void audit_exitprom(int);
void audit_chdirec(struct vnode *, struct vnode **);
void audit_sock(int, struct queue *, struct msgb *, int);
void audit_free(void);
int audit_start(unsigned int, unsigned int, int, klwp_t *);
void audit_finish(unsigned int, unsigned int, int, union rval *);
/* asynchronous-event path (cf. AUM_SUCC / AUM_FAIL and the AUDIT_AHLT policy) */
int audit_async_start(label_t *, int, int);
void audit_async_finish(caddr_t *, int, int);
void audit_async_discard_backend(void *);
void audit_async_done(caddr_t *, int);
void audit_async_drop(caddr_t *, int);
/*
 * Opaque handle for the kernel audit context.  struct au_kcontext is
 * defined elsewhere; the guard lets another header introduce the same
 * typedef without a redefinition error.
 */
#ifndef AUK_CONTEXT_T
#define AUK_CONTEXT_T
typedef struct au_kcontext au_kcontext_t;
#endif
int audit_success(au_kcontext_t *, struct t_audit_data *, int, cred_t *);
/* au_state_t is the 4.x alias of au_class_t (see the compatibility note above) */
int auditme(au_kcontext_t *, struct t_audit_data *, au_state_t);
void audit_fixpath(struct audit_path *, int);
void audit_ipc(int, int, void *); /* presumably the AT_IPC_* kind plus the id structure */
void audit_ipcget(int, void *);
/*
 * NOTE(review): non-prototype declaration -- the compiler cannot check
 * arguments at call sites.  Give it a prototype matching its definition
 * (e.g. "void audit_lookupname(void);" if it takes no arguments).
 */
void audit_lookupname();
int audit_pathcomp(struct pathname *, vnode_t *, cred_t *);
void audit_fdsend(int, struct file *, int);
void audit_fdrecv(int, struct file *);
int audit_c2_revoke(struct fcntla *, rval_t *); /* cf. BSM_REVOKE */
/* privilege and device-policy events; priv_set / devplcysys are incomplete types here */
void audit_priv(int, const struct priv_set *, int);
void audit_setppriv(int, int, const struct priv_set *, const cred_t *);
void audit_devpolicy(int, const struct devplcysys *);
void audit_update_context(proc_t *, cred_t *);
void audit_kssl(int, void *, int);
void audit_pf_policy(int, cred_t *, netstack_t *, char *, boolean_t, int,
pid_t);
void audit_sec_attributes(caddr_t *, struct vnode *);
#endif
#ifdef __cplusplus
}
#endif
#endif /* _BSM_AUDIT_H */