audit_kernel.h revision f89940742f5d14dde79b69b98a414dd7b7f585c7
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
*/
#ifndef _BSM_AUDIT_KERNEL_H
#define _BSM_AUDIT_KERNEL_H
/*
* This file contains the basic auditing control structure definitions.
*/
#include <c2/audit_kevents.h>
#include <sys/priv_impl.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
* This table contains the mapping from the system call ID to a corresponding
* audit event.
*
* au_init() is a function called at the beginning of the system call that
* performs any necessary setup/processing. It maps the call into the
* appropriate event, depending on the system call arguments. It is called
* by audit_start() from trap.c .
*
* au_event is the audit event associated with the system call. Most of the
* time it will map directly from the system call i.e. There is one system
* call associated with the event. In some cases, such as shmsys, or open,
* the au_start() function will map the system call to more than one event,
* depending on the system call arguments.
*
* au_start() is a function that provides per system call processing at the
* beginning of a system call. It is mainly concerned with preseving the
* audit record components that may be altered so that we can determine
* what the original paramater was before as well as after the system call.
* It is possible that au_start() may be taken away. It might be cleaner to
* define flags in au_ctrl to save a designated argument. For the moment we
* support both mechanisms, however the use of au_start() will be reviewed
* for 4.1.1 and CMW and ZEUS to see if such a general method is justified.
*
* au_finish() is a function that provides per system call processing at the
* completion of a system call. In certain circumstances, the type of audit
* event depends on intermidiate results during the processing of the system
* call. It is called in audit_finish() from trap.c .
*
* au_ctrl is a control vector that indicates what processing might have to
* be performed, even if there is no auditing for this system call. At
* present this is mostly for path processing for chmod, chroot. We need to
* process the path information in vfs_lookup, even when we are not auditing
* the system call in the case of chdir and chroot.
*/
/*
* Defines for au_ctrl
*/
/*
* At present, we are using the audit classes imbedded with in the kernel. Each
* event has a bit mask determining which classes the event is associated.
* The table audit_e2s maps the audit event ID to the audit state.
*
* Note that this may change radically. If we use a bit vector for the audit
* class, we can allow granularity at the event ID for each user. In this
* case, the vector would be determined at user level and passed to the kernel
* via the setaudit system call.
*/
/*
* The audit_pad structure holds paths for the current root and directory
* for the process, as well as for open files and directly manipulated objects.
* The reference count minimizes data copies since the process's current
* directory changes very seldom.
*/
struct audit_path {
/* audp_sect[0] is the path name */
/* audp_sect[1+] are attribute paths */
};
/*
* The structure of the terminal ID within the kernel is different from the
* terminal ID in user space. It is a combination of port and IP address.
*/
struct au_termid {
};
typedef struct au_termid au_termid_t;
/*
* Attributes for deferring the queuing of an event.
*/
typedef struct au_defer_info {
void *audi_ad; /* audit record */
int audi_flag; /* au_close*() flags */
/*
* The structure p_audit_data hangs off of the process structure. It contains
* all of the audit information necessary to manage the audit record generation
* for each process.
*
* The pad_lock is constructed in the kmem_cache; the rest is combined
*
* The members have been reordered for maximum packing on 64 bit Solaris.
*/
struct p_audit_data {
struct _pad_data {
int pad_flags;
} pad_data;
};
typedef struct p_audit_data p_audit_data_t;
/*
* Defines for process audit flags (pad_flags)
*/
extern kmem_cache_t *au_pad_cache;
/*
*/
/*
* The structure t_audit_data hangs off of the thread structure. It contains
* all of the audit information necessary to manage the audit record generation
* for each thread.
*
*/
struct t_audit_data {
unsigned int tad_scid; /* system call ID for finish */
void *tad_errjmp; /* error longjmp (audit record aborted) */
int tad_flag; /* to audit or not to audit */
/* until syscall end: */
};
typedef struct t_audit_data t_audit_data_t;
/*
* The f_audit_data structure hangs off of the file structure. It contains
* three fields of data. The audit ID, the audit state, and a path name.
*/
struct f_audit_data {
int fad_flags; /* audit control flags */
};
typedef struct f_audit_data f_audit_data_t;
#define P2A(p) (p->p_audit_data)
#define T2A(t) (t->t_audit_data)
#define F2A(f) (f->f_audit_data)
struct au_buff {
char buf[AU_BUFSIZE];
};
/*
* Kernel audit queue structure.
*/
struct audit_queue {
int wt_block; /* writer is blocked (1) */
int rd_block; /* reader is blocked (1) */
};
union rval;
struct audit_s2e {
/* convert au_event to real audit event ID */
int au_event; /* default audit event for this system call */
void (*au_start)(struct t_audit_data *);
/* pre-system call audit processing */
/* post-system call audit processing */
int au_ctrl; /* control flags for auditing actions */
};
#define AUK_VALID 0x5A5A5A5A
#define AUK_INVALID 0
/*
* per zone audit context
*/
struct au_kcontext {
int auk_sequence;
int auk_auditstate;
int auk_output_active;
struct vnode *auk_current_vp;
struct audit_queue auk_queue;
/* Only one audit svc per zone at a time */
/* With the elimination of auditsvc, can this also go? see 6648414 */
};
#ifndef AUK_CONTEXT_T
#define AUK_CONTEXT_T
typedef struct au_kcontext au_kcontext_t;
#endif
extern zone_key_t au_zone_key;
/*
* Kernel auditing external variables
*/
extern uint32_t audit_policy;
extern int audit_active;
extern struct audit_queue au_queue;
extern struct p_audit_data *pad0;
extern struct t_audit_data *tad0;
/*
* audit_path support routines
*/
void au_pathhold(struct audit_path *);
void au_pathrele(struct audit_path *);
void au_pad_init(void);
int getaudit_addr(caddr_t, int);
int setaudit_addr(caddr_t, int);
/*
* Macros to hide asynchronous, non-blocking audit record start and finish
* processing.
*
* NOTE: must be used in (void) funcction () { ... }
*/
{ \
/* cleanup any residual audit data */ \
return; \
} \
/* auditing enabled and we're preselected for this event? */ \
return; \
} \
}
#ifdef _KERNEL
#endif
/*
* Macro for uniform "subject" token(s) generation
*/
#define AUDIT_SETSUBJ_GENERIC(u, c, a, k, p) \
&((a)->ai_termid)))); \
((is_system_labeled()) ? au_write((u), \
au_to_label(CR_SL((c)))) : (void) 0); \
au_to_groups(crgetgroups(c), \
crgetngroups(c))) : (void) 0)
#define AUDIT_SETSUBJ(u, c, a, k) \
#define AUDIT_SETPROC_GENERIC(u, c, a, p) \
&((a)->ai_termid))));
#define AUDIT_SETPROC(u, c, a) \
/*
* Macros for type conversion
*/
/* au_membuf head, to typed data */
/* au_membuf types */
#define MT_FREE 0 /* should be on free list */
/* flags to au_memget */
#define DONTWAIT 0
#define WAIT 1
#define AU_LINK 0 /* link data in au_append_rec() */
/* flags to async routines */
#ifdef __cplusplus
}
#endif
#endif /* _BSM_AUDIT_KERNEL_H */