1 | /*- |
2 | * Copyright (c) 2005-2009 Apple Inc. |
3 | * All rights reserved. |
4 | * |
5 | * Redistribution and use in source and binary forms, with or without |
6 | * modification, are permitted provided that the following conditions |
7 | * are met: |
8 | * |
9 | * 1. Redistributions of source code must retain the above copyright |
10 | * notice, this list of conditions and the following disclaimer. |
11 | * 2. Redistributions in binary form must reproduce the above copyright |
12 | * notice, this list of conditions and the following disclaimer in the |
13 | * documentation and/or other materials provided with the distribution. |
14 | * 3. Neither the name of Apple Inc. ("Apple") nor the names of |
15 | * its contributors may be used to endorse or promote products derived |
16 | * from this software without specific prior written permission. |
17 | * |
18 | * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY |
19 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
20 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
21 | * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY |
22 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
25 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
27 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
28 | * |
29 | * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#10 $ |
30 | */ |
31 | |
32 | #ifndef _BSM_AUDIT_H |
33 | #define _BSM_AUDIT_H |
34 | |
35 | #include <sys/param.h> |
36 | #include <sys/types.h> |
37 | |
38 | #define AUDIT_RECORD_MAGIC 0x828a0f1b |
39 | #define MAX_AUDIT_RECORDS 20 |
40 | #define MAXAUDITDATA (0x8000 - 1) |
41 | #define MAX_AUDIT_RECORD_SIZE MAXAUDITDATA |
42 | #define MIN_AUDIT_FILE_SIZE (512 * 1024) |
43 | |
44 | /* |
45 | * Minimum noumber of free blocks on the filesystem containing the audit |
46 | * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0 |
47 | * as the kernel does an unsigned compare, plus we want to leave a few blocks |
48 | * free so userspace can terminate the log, etc. |
49 | */ |
50 | #define AUDIT_HARD_LIMIT_FREE_BLOCKS 4 |
51 | |
52 | /* |
53 | * Triggers for the audit daemon. |
54 | */ |
55 | #define AUDIT_TRIGGER_MIN 1 |
56 | #define AUDIT_TRIGGER_LOW_SPACE 1 /* Below low watermark. */ |
57 | #define AUDIT_TRIGGER_ROTATE_KERNEL 2 /* Kernel requests rotate. */ |
58 | #define AUDIT_TRIGGER_READ_FILE 3 /* Re-read config file. */ |
59 | #define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */ |
60 | #define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */ |
61 | #define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests rotate. */ |
62 | #define AUDIT_TRIGGER_INITIALIZE 7 /* User initialize of auditd. */ |
63 | #define AUDIT_TRIGGER_EXPIRE_TRAILS 8 /* User expiration of trails. */ |
64 | #define AUDIT_TRIGGER_MAX 8 |
65 | |
66 | /* |
67 | * The special device filename (FreeBSD). |
68 | */ |
69 | #define AUDITDEV_FILENAME "audit" |
70 | #define AUDIT_TRIGGER_FILE ("/dev/" AUDITDEV_FILENAME) |
71 | |
72 | /* |
73 | * Pre-defined audit IDs |
74 | */ |
75 | #define AU_DEFAUDITID (uid_t)(-1) |
76 | #define AU_DEFAUDITSID 0 |
77 | #define AU_ASSIGN_ASID -1 |
78 | |
79 | /* |
80 | * IPC types. |
81 | */ |
82 | #define AT_IPC_MSG ((unsigned char)1) /* Message IPC id. */ |
83 | #define AT_IPC_SEM ((unsigned char)2) /* Semaphore IPC id. */ |
84 | #define AT_IPC_SHM ((unsigned char)3) /* Shared mem IPC id. */ |
85 | |
86 | /* |
87 | * Audit conditions. |
88 | */ |
89 | #define AUC_UNSET 0 |
90 | #define AUC_AUDITING 1 |
91 | #define AUC_NOAUDIT 2 |
92 | #define AUC_DISABLED -1 |
93 | |
94 | /* |
95 | * auditon(2) commands. |
96 | */ |
97 | #define A_OLDGETPOLICY 2 |
98 | #define A_OLDSETPOLICY 3 |
99 | #define A_GETKMASK 4 |
100 | #define A_SETKMASK 5 |
101 | #define A_OLDGETQCTRL 6 |
102 | #define A_OLDSETQCTRL 7 |
103 | #define A_GETCWD 8 |
104 | #define A_GETCAR 9 |
105 | #define A_GETSTAT 12 |
106 | #define A_SETSTAT 13 |
107 | #define A_SETUMASK 14 |
108 | #define A_SETSMASK 15 |
109 | #define A_OLDGETCOND 20 |
110 | #define A_OLDSETCOND 21 |
111 | #define A_GETCLASS 22 |
112 | #define A_SETCLASS 23 |
113 | #define A_GETPINFO 24 |
114 | #define A_SETPMASK 25 |
115 | #define A_SETFSIZE 26 |
116 | #define A_GETFSIZE 27 |
117 | #define A_GETPINFO_ADDR 28 |
118 | #define A_GETKAUDIT 29 |
119 | #define A_SETKAUDIT 30 |
120 | #define A_SENDTRIGGER 31 |
121 | #define A_GETSINFO_ADDR 32 |
122 | #define A_GETPOLICY 33 |
123 | #define A_SETPOLICY 34 |
124 | #define A_GETQCTRL 35 |
125 | #define A_SETQCTRL 36 |
126 | #define A_GETCOND 37 |
127 | #define A_SETCOND 38 |
128 | #define A_GETSFLAGS 39 |
129 | #define A_SETSFLAGS 40 |
130 | #define A_GETCTLMODE 41 |
131 | #define A_SETCTLMODE 42 |
132 | #define A_GETEXPAFTER 43 |
133 | #define A_SETEXPAFTER 44 |
134 | |
135 | /* |
136 | * Audit policy controls. |
137 | */ |
138 | #define AUDIT_CNT 0x0001 |
139 | #define AUDIT_AHLT 0x0002 |
140 | #define AUDIT_ARGV 0x0004 |
141 | #define AUDIT_ARGE 0x0008 |
142 | #define AUDIT_SEQ 0x0010 |
143 | #define AUDIT_WINDATA 0x0020 |
144 | #define AUDIT_USER 0x0040 |
145 | #define AUDIT_GROUP 0x0080 |
146 | #define AUDIT_TRAIL 0x0100 |
147 | #define AUDIT_PATH 0x0200 |
148 | #define AUDIT_SCNT 0x0400 |
149 | #define AUDIT_PUBLIC 0x0800 |
150 | #define AUDIT_ZONENAME 0x1000 |
151 | #define AUDIT_PERZONE 0x2000 |
152 | |
153 | /* |
154 | * Default audit queue control parameters. |
155 | */ |
156 | #define AQ_HIWATER 100 |
157 | #define AQ_MAXHIGH 10000 |
158 | #define AQ_LOWATER 10 |
159 | #define AQ_BUFSZ MAXAUDITDATA |
160 | #define AQ_MAXBUFSZ 1048576 |
161 | |
162 | /* |
163 | * Default minimum percentage free space on file system. |
164 | */ |
165 | #define AU_FS_MINFREE 20 |
166 | |
167 | /* |
168 | * Type definitions used indicating the length of variable length addresses |
169 | * in tokens containing addresses, such as header fields. |
170 | */ |
171 | #define AU_IPv4 4 |
172 | #define AU_IPv6 16 |
173 | |
174 | /* |
175 | * Reserved audit class mask indicating which classes are unable to have |
176 | * events added or removed by unentitled processes. |
177 | */ |
178 | #define AU_CLASS_MASK_RESERVED 0x10000000 |
179 | |
180 | /* |
181 | * Audit control modes |
182 | */ |
183 | #define AUDIT_CTLMODE_NORMAL ((unsigned char)1) |
184 | #define AUDIT_CTLMODE_EXTERNAL ((unsigned char)2) |
185 | |
186 | /* |
187 | * Audit file expire_after op modes |
188 | */ |
189 | #define AUDIT_EXPIRE_OP_AND ((unsigned char)0) |
190 | #define AUDIT_EXPIRE_OP_OR ((unsigned char)1) |
191 | |
192 | __BEGIN_DECLS |
193 | |
194 | typedef uid_t au_id_t; |
195 | typedef pid_t au_asid_t; |
196 | typedef u_int16_t au_event_t; |
197 | typedef u_int16_t au_emod_t; |
198 | typedef u_int32_t au_class_t; |
199 | typedef u_int64_t au_asflgs_t __attribute__ ((aligned(8))); |
200 | typedef unsigned char au_ctlmode_t; |
201 | |
202 | struct au_tid { |
203 | dev_t port; |
204 | u_int32_t machine; |
205 | }; |
206 | typedef struct au_tid au_tid_t; |
207 | |
208 | struct au_tid_addr { |
209 | dev_t at_port; |
210 | u_int32_t at_type; |
211 | u_int32_t at_addr[4]; |
212 | }; |
213 | typedef struct au_tid_addr au_tid_addr_t; |
214 | |
215 | struct au_mask { |
216 | unsigned int am_success; /* Success bits. */ |
217 | unsigned int am_failure; /* Failure bits. */ |
218 | }; |
219 | typedef struct au_mask au_mask_t; |
220 | |
221 | struct auditinfo { |
222 | au_id_t ai_auid; /* Audit user ID. */ |
223 | au_mask_t ai_mask; /* Audit masks. */ |
224 | au_tid_t ai_termid; /* Terminal ID. */ |
225 | au_asid_t ai_asid; /* Audit session ID. */ |
226 | }; |
227 | typedef struct auditinfo auditinfo_t; |
228 | |
229 | struct auditinfo_addr { |
230 | au_id_t ai_auid; /* Audit user ID. */ |
231 | au_mask_t ai_mask; /* Audit masks. */ |
232 | au_tid_addr_t ai_termid; /* Terminal ID. */ |
233 | au_asid_t ai_asid; /* Audit session ID. */ |
234 | au_asflgs_t ai_flags; /* Audit session flags. */ |
235 | }; |
236 | typedef struct auditinfo_addr auditinfo_addr_t; |
237 | |
238 | struct auditpinfo { |
239 | pid_t ap_pid; /* ID of target process. */ |
240 | au_id_t ap_auid; /* Audit user ID. */ |
241 | au_mask_t ap_mask; /* Audit masks. */ |
242 | au_tid_t ap_termid; /* Terminal ID. */ |
243 | au_asid_t ap_asid; /* Audit session ID. */ |
244 | }; |
245 | typedef struct auditpinfo auditpinfo_t; |
246 | |
247 | struct auditpinfo_addr { |
248 | pid_t ap_pid; /* ID of target process. */ |
249 | au_id_t ap_auid; /* Audit user ID. */ |
250 | au_mask_t ap_mask; /* Audit masks. */ |
251 | au_tid_addr_t ap_termid; /* Terminal ID. */ |
252 | au_asid_t ap_asid; /* Audit session ID. */ |
253 | au_asflgs_t ap_flags; /* Audit session flags. */ |
254 | }; |
255 | typedef struct auditpinfo_addr auditpinfo_addr_t; |
256 | |
257 | struct au_session { |
258 | auditinfo_addr_t *as_aia_p; /* Ptr to full audit info. */ |
259 | au_mask_t as_mask; /* Process Audit Masks. */ |
260 | }; |
261 | typedef struct au_session au_session_t; |
262 | |
263 | struct au_expire_after { |
264 | time_t age; /* Age after which trail files should be expired */ |
265 | size_t size; /* Aggregate trail size when files should be expired */ |
266 | unsigned char op_type; /* Operator used with the above values to determine when files should be expired */ |
267 | }; |
268 | typedef struct au_expire_after au_expire_after_t; |
269 | |
270 | /* |
271 | * Contents of token_t are opaque outside of libbsm. |
272 | */ |
273 | typedef struct au_token token_t; |
274 | |
275 | /* |
276 | * Kernel audit queue control parameters: |
277 | * Default: Maximum: |
278 | * aq_hiwater: AQ_HIWATER (100) AQ_MAXHIGH (10000) |
279 | * aq_lowater: AQ_LOWATER (10) <aq_hiwater |
280 | * aq_bufsz: AQ_BUFSZ (32767) AQ_MAXBUFSZ (1048576) |
281 | * aq_delay: 20 20000 (not used) |
282 | */ |
283 | struct au_qctrl { |
284 | int aq_hiwater; /* Max # of audit recs in queue when */ |
285 | /* threads with new ARs get blocked. */ |
286 | |
287 | int aq_lowater; /* # of audit recs in queue when */ |
288 | /* blocked threads get unblocked. */ |
289 | |
290 | int aq_bufsz; /* Max size of audit record for audit(2). */ |
291 | int aq_delay; /* Queue delay (not used). */ |
292 | int aq_minfree; /* Minimum filesystem percent free space. */ |
293 | }; |
294 | typedef struct au_qctrl au_qctrl_t; |
295 | |
296 | /* |
297 | * Structure for the audit statistics. |
298 | */ |
299 | struct audit_stat { |
300 | unsigned int as_version; |
301 | unsigned int as_numevent; |
302 | int as_generated; |
303 | int as_nonattrib; |
304 | int as_kernel; |
305 | int as_audit; |
306 | int as_auditctl; |
307 | int as_enqueue; |
308 | int as_written; |
309 | int as_wblocked; |
310 | int as_rblocked; |
311 | int as_dropped; |
312 | int as_totalsize; |
313 | unsigned int as_memused; |
314 | }; |
315 | typedef struct audit_stat au_stat_t; |
316 | |
317 | /* |
318 | * Structure for the audit file statistics. |
319 | */ |
320 | struct audit_fstat { |
321 | u_int64_t af_filesz; |
322 | u_int64_t af_currsz; |
323 | }; |
324 | typedef struct audit_fstat au_fstat_t; |
325 | |
326 | /* |
327 | * Audit to event class mapping. |
328 | */ |
329 | struct au_evclass_map { |
330 | au_event_t ec_number; |
331 | au_class_t ec_class; |
332 | }; |
333 | typedef struct au_evclass_map au_evclass_map_t; |
334 | |
335 | /* |
336 | * Audit session flags for the ai_flags member of auditinfo_addr. |
337 | */ |
338 | enum audit_session_flags { |
339 | /* The initial session created by PID 1. */ |
340 | AU_SESSION_FLAG_IS_INITIAL = 0x0001, |
341 | |
342 | /* The graphics subsystem (CoreGraphics, etc.) is available. */ |
343 | AU_SESSION_FLAG_HAS_GRAPHIC_ACCESS = 0x0010, |
344 | |
345 | /* /dev/tty is available. */ |
346 | AU_SESSION_FLAG_HAS_TTY = 0x0020, |
347 | |
348 | /* The session was created for a remote connection. */ |
349 | AU_SESSION_FLAG_IS_REMOTE = 0x1000, |
350 | |
351 | /* The console and associated devices are available. */ |
352 | AU_SESSION_FLAG_HAS_CONSOLE_ACCESS = 0x2000, |
353 | |
354 | /* An active, authenticated user is associated with the session. */ |
355 | AU_SESSION_FLAG_HAS_AUTHENTICATED = 0x4000, |
356 | }; |
357 | |
358 | __END_DECLS |
359 | |
360 | #if !defined(_KERNEL) && !defined(KERNEL) |
361 | #include <Availability.h> |
362 | #define __AUDIT_API_DEPRECATED __API_DEPRECATED("audit is deprecated", macos(10.4, 10.16)) |
363 | #else |
364 | #define __AUDIT_API_DEPRECATED |
365 | #endif |
366 | |
367 | /* |
368 | * Audit system calls. |
369 | */ |
370 | #if !defined(_KERNEL) && !defined(KERNEL) |
371 | |
372 | __BEGIN_DECLS |
373 | |
374 | int audit(const void *, int) |
375 | __AUDIT_API_DEPRECATED; |
376 | int auditon(int, void *, int) |
377 | __AUDIT_API_DEPRECATED; |
378 | int auditctl(const char *) |
379 | __AUDIT_API_DEPRECATED; |
380 | int getauid(au_id_t *); |
381 | int setauid(const au_id_t *); |
382 | int getaudit_addr(struct auditinfo_addr *, int); |
383 | int setaudit_addr(const struct auditinfo_addr *, int); |
384 | |
385 | __END_DECLS |
386 | |
387 | #if defined(__APPLE__) |
388 | #include <Availability.h> |
389 | |
390 | __BEGIN_DECLS |
391 | |
392 | /* |
393 | * getaudit()/setaudit() are deprecated and have been replaced with |
394 | * wrappers to the getaudit_addr()/setaudit_addr() syscalls above. |
395 | */ |
396 | |
397 | int getaudit(struct auditinfo *) |
398 | __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_8, |
399 | __IPHONE_2_0, __IPHONE_6_0); |
400 | int setaudit(const struct auditinfo *) |
401 | __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_8, |
402 | __IPHONE_2_0, __IPHONE_6_0); |
403 | |
404 | __END_DECLS |
405 | |
406 | #else |
407 | |
408 | __BEGIN_DECLS |
409 | |
410 | int getaudit(struct auditinfo *) |
411 | __AUDIT_API_DEPRECATED; |
412 | int setaudit(const struct auditinfo *) |
413 | __AUDIT_API_DEPRECATED; |
414 | |
415 | __END_DECLS |
416 | |
417 | #endif /* !__APPLE__ */ |
418 | |
419 | #ifdef __APPLE_API_PRIVATE |
420 | #include <mach/port.h> |
421 | |
422 | __BEGIN_DECLS |
423 | |
424 | mach_port_name_t audit_session_self(void); |
425 | au_asid_t audit_session_join(mach_port_name_t port); |
426 | int audit_session_port(au_asid_t asid, mach_port_name_t *portname); |
427 | |
428 | __END_DECLS |
429 | |
430 | #endif /* __APPLE_API_PRIVATE */ |
431 | |
432 | #endif /* defined(_KERNEL) || defined(KERNEL) */ |
433 | |
434 | #endif /* !_BSM_AUDIT_H */ |
435 | |