| 1 | /*- |
| 2 | * Copyright (c) 2005-2009 Apple Inc. |
| 3 | * All rights reserved. |
| 4 | * |
| 5 | * Redistribution and use in source and binary forms, with or without |
| 6 | * modification, are permitted provided that the following conditions |
| 7 | * are met: |
| 8 | * |
| 9 | * 1. Redistributions of source code must retain the above copyright |
| 10 | * notice, this list of conditions and the following disclaimer. |
| 11 | * 2. Redistributions in binary form must reproduce the above copyright |
| 12 | * notice, this list of conditions and the following disclaimer in the |
| 13 | * documentation and/or other materials provided with the distribution. |
| 14 | * 3. Neither the name of Apple Inc. ("Apple") nor the names of |
| 15 | * its contributors may be used to endorse or promote products derived |
| 16 | * from this software without specific prior written permission. |
| 17 | * |
| 18 | * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY |
| 19 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
| 20 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| 21 | * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY |
| 22 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
| 23 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 24 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
| 25 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 27 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 28 | * |
| 29 | * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#10 $ |
| 30 | */ |
| 31 | |
| 32 | #ifndef _BSM_AUDIT_H |
| 33 | #define _BSM_AUDIT_H |
| 34 | |
| 35 | #include <sys/param.h> |
| 36 | #include <sys/types.h> |
| 37 | |
/*
 * Audit record framing and size limits.
 *
 * MAXAUDITDATA evaluates to 32767 (0x8000 - 1) and MAX_AUDIT_RECORD_SIZE is
 * an alias for it; MIN_AUDIT_FILE_SIZE evaluates to 524288 (512 * 1024).
 * NOTE(review): this header only names the limits.  Code that builds or
 * parses records is presumably expected to bounds-check lengths against
 * them -- confirm at each consumer.
 */
#define AUDIT_RECORD_MAGIC      0x828a0f1b
#define MAX_AUDIT_RECORDS       20
#define MAXAUDITDATA            (0x8000 - 1)
#define MAX_AUDIT_RECORD_SIZE   MAXAUDITDATA
#define MIN_AUDIT_FILE_SIZE     (512 * 1024)
| 43 | |
/*
 * Minimum number of free blocks on the filesystem containing the audit
 * log necessary to avoid a hard log rotation.  DO NOT SET THIS VALUE TO 0
 * as the kernel does an unsigned compare, plus we want to leave a few blocks
 * free so userspace can terminate the log, etc.
 *
 * NOTE(review): with a limit of 0 an unsigned "free blocks below limit"
 * test could presumably never fire, which would silently disable the hard
 * rotation -- confirm against the kernel code that uses this constant.
 */
#define AUDIT_HARD_LIMIT_FREE_BLOCKS    4
| 51 | |
/*
 * Triggers for the audit daemon.
 *
 * AUDIT_TRIGGER_MIN and AUDIT_TRIGGER_MAX bracket the defined values
 * (1 through 8), so a receiver can range-check a trigger before acting on
 * it.  AUDIT_TRIGGER_MAX has to be raised whenever a trigger is appended.
 */
#define AUDIT_TRIGGER_MIN           1
#define AUDIT_TRIGGER_LOW_SPACE     1   /* Below low watermark. */
#define AUDIT_TRIGGER_ROTATE_KERNEL 2   /* Kernel requests rotate. */
#define AUDIT_TRIGGER_READ_FILE     3   /* Re-read config file. */
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4   /* Terminate audit. */
#define AUDIT_TRIGGER_NO_SPACE      5   /* Below min free space. */
#define AUDIT_TRIGGER_ROTATE_USER   6   /* User requests rotate. */
#define AUDIT_TRIGGER_INITIALIZE    7   /* User initialize of auditd. */
#define AUDIT_TRIGGER_EXPIRE_TRAILS 8   /* User expiration of trails. */
#define AUDIT_TRIGGER_MAX           8
| 65 | |
/*
 * The special device filename (FreeBSD).
 *
 * AUDIT_TRIGGER_FILE is built by string-literal concatenation and expands
 * to "/dev/audit".
 */
#define AUDITDEV_FILENAME   "audit"
#define AUDIT_TRIGGER_FILE  ("/dev/" AUDITDEV_FILENAME)
| 71 | |
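/*
 * Pre-defined audit IDs.
 *
 * AU_DEFAUDITID is the all-ones uid_t value, AU_DEFAUDITSID is 0 and
 * AU_ASSIGN_ASID is -1.  The two non-trivial expansions are fully
 * parenthesized so that they stay a single operand wherever they are
 * substituted (for example `sizeof AU_DEFAUDITID`, which does not parse
 * with a bare cast expression).
 * NOTE(review): presumably AU_DEFAUDITID marks "no audit user ID set" and
 * AU_ASSIGN_ASID asks the kernel to pick a session ID -- confirm against
 * the setaudit_addr(2) documentation.
 */
#define AU_DEFAUDITID   ((uid_t)(-1))
#define AU_DEFAUDITSID  0
#define AU_ASSIGN_ASID  (-1)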
| 78 | |
/*
 * IPC types.
 *
 * Each value is cast to unsigned char, so the constants are single-byte
 * quantities with the values 1, 2 and 3.
 */
#define AT_IPC_MSG  ((unsigned char)1)  /* Message IPC id. */
#define AT_IPC_SEM  ((unsigned char)2)  /* Semaphore IPC id. */
#define AT_IPC_SHM  ((unsigned char)3)  /* Shared mem IPC id. */
| 85 | |
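/*
 * Audit conditions.
 *
 * AUC_DISABLED is the only negative value; it is parenthesized so the
 * unary minus cannot combine with neighbouring tokens at the point of
 * substitution.
 * NOTE(review): presumably these are the values exchanged through the
 * A_GETCOND/A_SETCOND auditon(2) commands -- confirm.  A monitoring check
 * that reads the condition should treat anything other than AUC_AUDITING
 * as "records are not being produced".
 */
#define AUC_UNSET       0
#define AUC_AUDITING    1
#define AUC_NOAUDIT     2
#define AUC_DISABLED    (-1)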
| 93 | |
/*
 * auditon(2) commands.
 *
 * The numbering is not contiguous: 0, 1, 10, 11 and 16-19 are not defined
 * here.  The A_OLD* names (2, 3, 6, 7, 20, 21) sit next to newer commands
 * with the same base name (33-38).
 * NOTE(review): the A_SET* commands and A_SENDTRIGGER change audit state;
 * presumably the kernel restricts them to privileged callers -- confirm,
 * and consider alerting on their use when monitoring for audit tampering.
 */
#define A_OLDGETPOLICY  2
#define A_OLDSETPOLICY  3
#define A_GETKMASK      4
#define A_SETKMASK      5
#define A_OLDGETQCTRL   6
#define A_OLDSETQCTRL   7
#define A_GETCWD        8
#define A_GETCAR        9
#define A_GETSTAT       12
#define A_SETSTAT       13
#define A_SETUMASK      14
#define A_SETSMASK      15
#define A_OLDGETCOND    20
#define A_OLDSETCOND    21
#define A_GETCLASS      22
#define A_SETCLASS      23
#define A_GETPINFO      24
#define A_SETPMASK      25
#define A_SETFSIZE      26
#define A_GETFSIZE      27
#define A_GETPINFO_ADDR 28
#define A_GETKAUDIT     29
#define A_SETKAUDIT     30
#define A_SENDTRIGGER   31
#define A_GETSINFO_ADDR 32
#define A_GETPOLICY     33
#define A_SETPOLICY     34
#define A_GETQCTRL      35
#define A_SETQCTRL      36
#define A_GETCOND       37
#define A_SETCOND       38
#define A_GETSFLAGS     39
#define A_SETSFLAGS     40
#define A_GETCTLMODE    41
#define A_SETCTLMODE    42
#define A_GETEXPAFTER   43
#define A_SETEXPAFTER   44
| 134 | |
/*
 * Audit policy controls.
 *
 * Each value is a distinct single bit (0x0001 through 0x2000), so the
 * flags can be OR-ed together; presumably the combined word is what
 * A_GETPOLICY/A_SETPOLICY exchange -- confirm against auditon(2).
 * NOTE(review): per the auditon(2)/audit_control(5) documentation,
 * AUDIT_CNT lets processes continue when events cannot be audited and
 * AUDIT_AHLT halts the system instead.  Together they decide whether
 * auditing fails open or fails closed, so the chosen combination should be
 * a deliberate deployment decision -- confirm the semantics on the target
 * platform.
 */
#define AUDIT_CNT       0x0001
#define AUDIT_AHLT      0x0002
#define AUDIT_ARGV      0x0004
#define AUDIT_ARGE      0x0008
#define AUDIT_SEQ       0x0010
#define AUDIT_WINDATA   0x0020
#define AUDIT_USER      0x0040
#define AUDIT_GROUP     0x0080
#define AUDIT_TRAIL     0x0100
#define AUDIT_PATH      0x0200
#define AUDIT_SCNT      0x0400
#define AUDIT_PUBLIC    0x0800
#define AUDIT_ZONENAME  0x1000
#define AUDIT_PERZONE   0x2000
| 152 | |
/*
 * Default audit queue control parameters.
 *
 * AQ_BUFSZ is the same value as MAXAUDITDATA (32767); AQ_MAXBUFSZ is
 * 1048576 (1 MiB).  These are the defaults and ceilings listed next to
 * struct au_qctrl.
 */
#define AQ_HIWATER  100
#define AQ_MAXHIGH  10000
#define AQ_LOWATER  10
#define AQ_BUFSZ    MAXAUDITDATA
#define AQ_MAXBUFSZ 1048576
| 161 | |
/*
 * Default minimum percentage free space on file system.
 * The value is a percentage (20), not a block or byte count.
 */
#define AU_FS_MINFREE   20
| 166 | |
/*
 * Type definitions used indicating the length of variable length addresses
 * in tokens containing addresses, such as header fields.
 *
 * The values are the address lengths in bytes: 4 for IPv4, 16 for IPv6
 * (16 bytes is also the size of the at_addr[4] array of u_int32_t in
 * struct au_tid_addr).
 * NOTE(review): a parser reading such a token should presumably reject
 * any length other than these two before copying address bytes -- confirm
 * at each consumer.
 */
#define AU_IPv4 4
#define AU_IPv6 16
| 173 | |
/*
 * Reserved audit class mask indicating which classes are unable to have
 * events added or removed by unentitled processes.
 *
 * The mask is the single bit 0x10000000 of the 32-bit au_class_t space.
 * NOTE(review): the entitlement check itself is not part of this header;
 * presumably it is enforced where class mappings are changed -- confirm.
 */
#define AU_CLASS_MASK_RESERVED  0x10000000
| 179 | |
/*
 * Audit control modes.
 *
 * Both values are cast to unsigned char, which is also the underlying
 * type of au_ctlmode_t.
 * NOTE(review): presumably these are the values used with
 * A_GETCTLMODE/A_SETCTLMODE -- confirm.
 */
#define AUDIT_CTLMODE_NORMAL    ((unsigned char)1)
#define AUDIT_CTLMODE_EXTERNAL  ((unsigned char)2)
| 185 | |
/*
 * Audit file expire_after op modes.
 *
 * Both values are cast to unsigned char, the type of the op_type member
 * of struct au_expire_after.
 * NOTE(review): presumably AND expires a trail only when both the age and
 * the size condition hold, and OR when either holds -- confirm.
 */
#define AUDIT_EXPIRE_OP_AND ((unsigned char)0)
#define AUDIT_EXPIRE_OP_OR  ((unsigned char)1)
| 191 | |
| 192 | __BEGIN_DECLS |
| 193 | |
/*
 * Scalar audit types.
 *
 * au_event_t and au_emod_t are 16 bits wide, au_class_t is 32 bits wide,
 * and au_asflgs_t is a 64-bit value forced to 8-byte alignment, which
 * affects the layout of every structure that embeds it.
 */
typedef uid_t           au_id_t;        /* Audit user ID. */
typedef pid_t           au_asid_t;      /* Audit session ID. */
typedef u_int16_t       au_event_t;
typedef u_int16_t       au_emod_t;
typedef u_int32_t       au_class_t;
typedef u_int64_t       au_asflgs_t __attribute__ ((aligned(8)));
typedef unsigned char   au_ctlmode_t;
| 201 | |
/*
 * Terminal ID with a single 32-bit machine field.
 * NOTE(review): machine presumably holds an IPv4 address -- confirm.
 */
struct au_tid {
    dev_t       port;
    u_int32_t   machine;
};
typedef struct au_tid   au_tid_t;
| 207 | |
/*
 * Terminal ID with a 16-byte address field (four u_int32_t words).
 * NOTE(review): at_type presumably carries AU_IPv4 or AU_IPv6 and tells
 * how much of at_addr is meaningful; consumers should check it before
 * reading the address words -- confirm.
 */
struct au_tid_addr {
    dev_t       at_port;
    u_int32_t   at_type;
    u_int32_t   at_addr[4];
};
typedef struct au_tid_addr  au_tid_addr_t;
| 214 | |
/*
 * Pair of audit masks, one applied to successful and one to failed events.
 * Both members are declared unsigned int rather than au_class_t.
 */
struct au_mask {
    unsigned int    am_success;     /* Success bits. */
    unsigned int    am_failure;     /* Failure bits. */
};
typedef struct au_mask  au_mask_t;
| 220 | |
/*
 * Audit information using the short terminal ID (au_tid_t).  This is the
 * structure taken by the deprecated getaudit()/setaudit() prototypes.
 */
struct auditinfo {
    au_id_t     ai_auid;        /* Audit user ID. */
    au_mask_t   ai_mask;        /* Audit masks. */
    au_tid_t    ai_termid;      /* Terminal ID. */
    au_asid_t   ai_asid;        /* Audit session ID. */
};
typedef struct auditinfo    auditinfo_t;
| 228 | |
/*
 * Audit information using the extended terminal ID (au_tid_addr_t) plus
 * session flags.  This is the structure taken by the
 * getaudit_addr()/setaudit_addr() prototypes; ai_flags is 8-byte aligned
 * through its au_asflgs_t type.
 */
struct auditinfo_addr {
    au_id_t         ai_auid;        /* Audit user ID. */
    au_mask_t       ai_mask;        /* Audit masks. */
    au_tid_addr_t   ai_termid;      /* Terminal ID. */
    au_asid_t       ai_asid;        /* Audit session ID. */
    au_asflgs_t     ai_flags;       /* Audit session flags. */
};
typedef struct auditinfo_addr   auditinfo_addr_t;
| 237 | |
/*
 * Audit information for a target process, short terminal ID form.
 * NOTE(review): presumably the payload of the A_GETPINFO/A_SETPMASK
 * auditon(2) commands, with ap_pid selecting the process -- confirm.
 */
struct auditpinfo {
    pid_t       ap_pid;         /* ID of target process. */
    au_id_t     ap_auid;        /* Audit user ID. */
    au_mask_t   ap_mask;        /* Audit masks. */
    au_tid_t    ap_termid;      /* Terminal ID. */
    au_asid_t   ap_asid;        /* Audit session ID. */
};
typedef struct auditpinfo   auditpinfo_t;
| 246 | |
/*
 * Audit information for a target process, extended terminal ID form with
 * session flags.
 * NOTE(review): presumably the payload of the A_GETPINFO_ADDR auditon(2)
 * command -- confirm.
 */
struct auditpinfo_addr {
    pid_t           ap_pid;         /* ID of target process. */
    au_id_t         ap_auid;        /* Audit user ID. */
    au_mask_t       ap_mask;        /* Audit masks. */
    au_tid_addr_t   ap_termid;      /* Terminal ID. */
    au_asid_t       ap_asid;        /* Audit session ID. */
    au_asflgs_t     ap_flags;       /* Audit session flags. */
};
typedef struct auditpinfo_addr  auditpinfo_addr_t;
| 256 | |
/*
 * Audit session: a pointer to the full audit info plus the process masks.
 * NOTE(review): ownership and lifetime of the object behind as_aia_p are
 * not visible in this header -- confirm before dereferencing or freeing.
 */
struct au_session {
    auditinfo_addr_t    *as_aia_p;      /* Ptr to full audit info. */
    au_mask_t           as_mask;        /* Process Audit Masks. */
};
typedef struct au_session   au_session_t;
| 262 | |
/*
 * Trail expiration settings.
 * NOTE(review): op_type presumably takes AUDIT_EXPIRE_OP_AND or
 * AUDIT_EXPIRE_OP_OR, and the units of age and size are not stated in this
 * header -- confirm.  Expiration deletes evidence, so the configured
 * values should match the retention requirement.
 */
struct au_expire_after {
    time_t          age;        /* Age after which trail files should be
                                   expired. */
    size_t          size;       /* Aggregate trail size when files should
                                   be expired. */
    unsigned char   op_type;    /* Operator used with the above values to
                                   determine when files should be
                                   expired. */
};
typedef struct au_expire_after  au_expire_after_t;
| 269 | |
/*
 * Contents of token_t are opaque outside of libbsm.
 * struct au_token is only forward-declared here, so code including this
 * header can hold token_t pointers but cannot access members or take
 * sizeof(token_t).
 */
typedef struct au_token token_t;
| 274 | |
/*
 * Kernel audit queue control parameters:
 *
 *                  Default:            Maximum:
 *   aq_hiwater:    AQ_HIWATER (100)    AQ_MAXHIGH (10000)
 *   aq_lowater:    AQ_LOWATER (10)     <aq_hiwater
 *   aq_bufsz:      AQ_BUFSZ (32767)    AQ_MAXBUFSZ (1048576)
 *   aq_delay:      20                  20000 (not used)
 *
 * All members are signed int.  The header does not enforce the limits
 * above.
 * NOTE(review): whoever accepts this structure from a caller presumably
 * has to reject negative or out-of-range values -- confirm.
 */
struct au_qctrl {
    int aq_hiwater;     /* Max # of audit recs in queue when */
                        /* threads with new ARs get blocked. */

    int aq_lowater;     /* # of audit recs in queue when */
                        /* blocked threads get unblocked. */

    int aq_bufsz;       /* Max size of audit record for audit(2). */
    int aq_delay;       /* Queue delay (not used). */
    int aq_minfree;     /* Minimum filesystem percent free space. */
};
typedef struct au_qctrl au_qctrl_t;
| 295 | |
/*
 * Structure for the audit statistics.
 *
 * The members carry no documentation in this header; most counters are
 * signed int, while as_version, as_numevent and as_memused are unsigned.
 * NOTE(review): as_dropped presumably counts records that were discarded,
 * in which case a non-zero or growing value means gaps in the trail and is
 * worth monitoring -- confirm the meaning of each counter against the
 * kernel before relying on it.
 */
struct audit_stat {
    unsigned int    as_version;
    unsigned int    as_numevent;
    int             as_generated;
    int             as_nonattrib;
    int             as_kernel;
    int             as_audit;
    int             as_auditctl;
    int             as_enqueue;
    int             as_written;
    int             as_wblocked;
    int             as_rblocked;
    int             as_dropped;
    int             as_totalsize;
    unsigned int    as_memused;
};
typedef struct audit_stat   au_stat_t;
| 316 | |
/*
 * Structure for the audit file statistics.
 * Both members are 64-bit unsigned sizes.
 * NOTE(review): presumably af_filesz is the configured maximum trail size
 * and af_currsz the current size, as used with A_SETFSIZE/A_GETFSIZE --
 * confirm.
 */
struct audit_fstat {
    u_int64_t   af_filesz;
    u_int64_t   af_currsz;
};
typedef struct audit_fstat  au_fstat_t;
| 325 | |
/*
 * Audit to event class mapping.
 * Pairs a 16-bit event number with a 32-bit class value.
 * NOTE(review): presumably the payload of A_GETCLASS/A_SETCLASS, and
 * ec_class may be subject to AU_CLASS_MASK_RESERVED -- confirm.
 */
struct au_evclass_map {
    au_event_t  ec_number;
    au_class_t  ec_class;
};
typedef struct au_evclass_map   au_evclass_map_t;
| 334 | |
/*
 * Audit session flags for the ai_flags member of auditinfo_addr.
 *
 * Each enumerator is a distinct single bit, so the flags can be combined
 * and tested with bitwise operators.  The values in use are sparse
 * (0x0001, 0x0010, 0x0020, 0x1000, 0x2000, 0x4000); the remaining bits of
 * the 64-bit au_asflgs_t are not named here.
 */
enum audit_session_flags {
    /* The initial session created by PID 1. */
    AU_SESSION_FLAG_IS_INITIAL          = 0x0001,

    /* The graphics subsystem (CoreGraphics, etc.) is available. */
    AU_SESSION_FLAG_HAS_GRAPHIC_ACCESS  = 0x0010,

    /* /dev/tty is available. */
    AU_SESSION_FLAG_HAS_TTY             = 0x0020,

    /* The session was created for a remote connection. */
    AU_SESSION_FLAG_IS_REMOTE           = 0x1000,

    /* The console and associated devices are available. */
    AU_SESSION_FLAG_HAS_CONSOLE_ACCESS  = 0x2000,

    /* An active, authenticated user is associated with the session. */
    AU_SESSION_FLAG_HAS_AUTHENTICATED   = 0x4000,
};
| 357 | |
| 358 | __END_DECLS |
| 359 | |
/*
 * Deprecation marker for the audit system-call prototypes.  Outside the
 * kernel (neither _KERNEL nor KERNEL defined) it expands to an
 * __API_DEPRECATED annotation with the message "audit is deprecated";
 * in kernel builds it expands to nothing.
 */
#if !defined(_KERNEL) && !defined(KERNEL)
#include <Availability.h>
#define __AUDIT_API_DEPRECATED __API_DEPRECATED("audit is deprecated", macos(10.4, 10.16))
#else
#define __AUDIT_API_DEPRECATED
#endif
| 366 | |
/*
 * Audit system calls (userland prototypes only; compiled out when _KERNEL
 * or KERNEL is defined).
 *
 * audit(), auditon() and auditctl() carry __AUDIT_API_DEPRECATED; the
 * getauid()/setauid() and getaudit_addr()/setaudit_addr() prototypes are
 * not annotated here.  Parameters are unnamed in this header; see the
 * corresponding section 2 manual pages for their meaning.
 * NOTE(review): auditon()'s first argument is presumably one of the A_*
 * command values defined earlier in this header -- confirm against
 * auditon(2).
 */
#if !defined(_KERNEL) && !defined(KERNEL)

__BEGIN_DECLS

int audit(const void *, int)
    __AUDIT_API_DEPRECATED;
int auditon(int, void *, int)
    __AUDIT_API_DEPRECATED;
int auditctl(const char *)
    __AUDIT_API_DEPRECATED;
int getauid(au_id_t *);
int setauid(const au_id_t *);
int getaudit_addr(struct auditinfo_addr *, int);
int setaudit_addr(const struct auditinfo_addr *, int);

__END_DECLS
| 386 | |
/*
 * getaudit()/setaudit() prototypes.  On Apple platforms they are marked
 * deprecated through the availability macro (introduced __MAC_10_0 /
 * __IPHONE_2_0, deprecated __MAC_10_8 / __IPHONE_6_0); elsewhere they use
 * __AUDIT_API_DEPRECATED.  <Availability.h> is included a second time in
 * the Apple branch; this is presumably harmless because of its own
 * include guard -- confirm.
 */
#if defined(__APPLE__)
#include <Availability.h>

__BEGIN_DECLS

/*
 * getaudit()/setaudit() are deprecated and have been replaced with
 * wrappers to the getaudit_addr()/setaudit_addr() syscalls above.
 */

int getaudit(struct auditinfo *)
    __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_8,
    __IPHONE_2_0, __IPHONE_6_0);
int setaudit(const struct auditinfo *)
    __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_8,
    __IPHONE_2_0, __IPHONE_6_0);

__END_DECLS

#else

__BEGIN_DECLS

int getaudit(struct auditinfo *)
    __AUDIT_API_DEPRECATED;
int setaudit(const struct auditinfo *)
    __AUDIT_API_DEPRECATED;

__END_DECLS

#endif /* !__APPLE__ */
| 418 | |
/*
 * Audit-session / Mach-port helpers, declared only when
 * __APPLE_API_PRIVATE is defined.
 * NOTE(review): the names suggest a mapping between an audit session ID
 * and a Mach port name; the semantics, and who releases a returned port,
 * are not visible in this header -- confirm before use.
 */
#ifdef __APPLE_API_PRIVATE
#include <mach/port.h>

__BEGIN_DECLS

mach_port_name_t audit_session_self(void);
au_asid_t audit_session_join(mach_port_name_t port);
int audit_session_port(au_asid_t asid, mach_port_name_t *portname);

__END_DECLS

#endif /* __APPLE_API_PRIVATE */

#endif /* !defined(_KERNEL) && !defined(KERNEL) */
| 433 | |
| 434 | #endif /* !_BSM_AUDIT_H */ |
| 435 | |