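/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * This file contains the declarations of the various data structures
 * used by the auditing module(s).
 *
 * Layout:
 *   - audit condition / preselection constants shared with user space
 *   - terminal-id and auditinfo structures (with _SYSCALL32 variants
 *     that mirror the 32-bit ABI layout for the 64-bit kernel)
 *   - auditon(2) commands and audit policy bits
 *   - kernel-only prototypes and helper macros (under _KERNEL)
 */

#ifndef _BSM_AUDIT_H
#define	_BSM_AUDIT_H

#ifdef __cplusplus
extern "C" {
#endif


#include <sys/shm.h>		/* for shmid_ds structure */
#include <sys/sem.h>		/* for semid_ds structure */
#include <sys/msg.h>		/* for msqid_ds structure */
#include <sys/atomic.h>		/* using atomics */
#include <sys/secflags.h>

/*
 * Audit conditions, statements regarding what's to be done with
 * audit records.  None of the "global state" is returned by an
 * auditconfig -getcond call.  AUC_NOSPACE no longer seems used.
 */
/* global state */
#define	AUC_UNSET	0	/* on/off hasn't been decided */
#define	AUC_ENABLED	1	/* loaded and enabled */
/* pseudo state used in libbsm */
#define	AUC_DISABLED	0x100	/* c2audit module is excluded */
/* local zone state */
#define	AUC_AUDITING	0x1	/* audit daemon is active */
#define	AUC_NOAUDIT	0x2	/* audit daemon is not active */
#define	AUC_INIT_AUDIT	0x4	/* audit ready but auditd has not run */
#define	AUC_NOSPACE	0x8	/* audit enabled, no space for audit records */

/*
 * The user id -2 is never audited - in fact, a setauid(AU_NOAUDITID)
 * will turn off auditing.
 */
#define	AU_NOAUDITID	((au_id_t)-2)

/*
 * success/failure bits for asynchronous events
 */

#define	AUM_SUCC	1	/* use the system success preselection mask */
#define	AUM_FAIL	2	/* use the system failure preselection mask */


/*
 * Defines for event modifier field
 */
#define	PAD_READ	0x0001	/* object read */
#define	PAD_WRITE	0x0002	/* object write */
#define	PAD_NONATTR	0x4000	/* non-attributable event */
#define	PAD_FAILURE	0x8000	/* fail audit event */
#define	PAD_SPRIVUSE	0x0080	/* successful use of privilege */
#define	PAD_FPRIVUSE	0x0100	/* failed use of privilege */

/*
 * Some typedefs for the fundamentals
 */
typedef uint_t au_asid_t;
typedef uint_t au_class_t;
typedef ushort_t au_event_t;
typedef ushort_t au_emod_t;
typedef uid_t au_id_t;

/*
 * An audit event mask.
 *
 * am_success / am_failure are class bitmasks (one bit per audit class);
 * an event is preselected when its class bit is set in the mask that
 * matches the event's outcome.
 */
#define	AU_MASK_ALL	0xFFFFFFFF	/* all bits on for unsigned int */
#define	AU_MASK_NONE	0x0		/* all bits off = no:invalid class */

struct au_mask {
	unsigned int	am_success;	/* success bits */
	unsigned int	am_failure;	/* failure bits */
};
typedef struct au_mask au_mask_t;
#define	as_success am_success
#define	as_failure am_failure

/*
 * The structure of the terminal ID (ipv4)
 */
struct au_tid {
	dev_t	port;
	uint_t	machine;
};

#if defined(_SYSCALL32)
/* 32-bit ABI image of struct au_tid: dev_t is 32 bits there. */
struct au_tid32 {
	uint_t	port;
	uint_t	machine;
};

typedef struct au_tid32 au_tid32_t;
#endif

typedef struct au_tid au_tid_t;

/*
 * The structure of the terminal ID (ipv6)
 */
struct au_tid_addr {
	dev_t	at_port;
	uint_t	at_type;
	uint_t	at_addr[4];
};

struct au_port_s {
	uint32_t	at_major;	/* major # */
	uint32_t	at_minor;	/* minor # */
};
typedef struct au_port_s au_port_t;

struct au_tid_addr64 {
	au_port_t	at_port;
	uint_t		at_type;
	uint_t		at_addr[4];
};
typedef struct au_tid_addr64 au_tid64_addr_t;

#if defined(_SYSCALL32)
/* 32-bit ABI image of struct au_tid_addr. */
struct au_tid_addr32 {
	uint_t	at_port;
	uint_t	at_type;
	uint_t	at_addr[4];
};

typedef struct au_tid_addr32 au_tid32_addr_t;
#endif

typedef struct au_tid_addr au_tid_addr_t;

struct au_ip {
	uint16_t	at_r_port;	/* remote port */
	uint16_t	at_l_port;	/* local port */
	uint32_t	at_type;	/* AU_IPv4,... */
	uint32_t	at_addr[4];	/* remote IP */
};
typedef struct au_ip au_ip_t;

/*
 * Generic network address structure
 */
struct au_generic_tid {
	uchar_t	gt_type;	/* AU_IPADR, AU_DEVICE,... */
	union {
		au_ip_t		at_ip;
		au_port_t	at_dev;
	} gt_adr;
};
typedef struct au_generic_tid au_generic_tid_t;

/*
 * au_generic_tid_t gt_type values
 * 0 is reserved for uninitialized data
 */
#define	AU_IPADR	1
#define	AU_ETHER	2
#define	AU_DEVICE	3

/*
 * at_type values - address length used to identify address type
 */
#define	AU_IPv4 4	/* ipv4 type IP address */
#define	AU_IPv6 16	/* ipv6 type IP address */

/*
 * Compatibility with SunOS 4.x BSM module
 *
 * New code should not contain audit_state_t,
 * au_state_t, nor au_termid as these types
 * may go away in future releases.
 *
 * typedef new-5.x-bsm-name old-4.x-bsm-name
 */

typedef au_class_t au_state_t;
typedef au_mask_t audit_state_t;
typedef au_id_t auid_t;
/*
 * Member-name alias.  Defined without a trailing semicolon so that
 * "x.ai_state.am_success" expands to a usable expression.
 */
#define	ai_state ai_mask

/*
 * Opcodes for bsm system calls
 */

#define	BSM_GETAUID		19
#define	BSM_SETAUID		20
#define	BSM_GETAUDIT		21
#define	BSM_SETAUDIT		22
				/* 23 OBSOLETE */
				/* 24 OBSOLETE */
#define	BSM_AUDIT		25
				/* 26 OBSOLETE */
				/* 27 EOL announced for Sol 10 */
				/* 28 OBSOLETE */
#define	BSM_AUDITCTL		29
				/* 30 OBSOLETE */
				/* 31 OBSOLETE */
				/* 32 OBSOLETE */
				/* 33 OBSOLETE */
				/* 34 OBSOLETE */
#define	BSM_GETAUDIT_ADDR	35
#define	BSM_SETAUDIT_ADDR	36
#define	BSM_AUDITDOOR		37

/*
 * auditon(2) commands
 */
#define	A_GETPOLICY	2	/* get audit policy */
#define	A_SETPOLICY	3	/* set audit policy */
#define	A_GETKMASK	4	/* get non-attributable event audit mask */
#define	A_SETKMASK	5	/* set non-attributable event audit mask */
#define	A_GETQCTRL	6	/* get kernel audit queue ctrl parameters */
#define	A_SETQCTRL	7	/* set kernel audit queue ctrl parameters */
#define	A_GETCWD	8	/* get process current working directory */
#define	A_GETCAR	9	/* get process current active root */
#define	A_GETSTAT	12	/* get audit statistics */
#define	A_SETSTAT	13	/* (re)set audit statistics */
#define	A_SETUMASK	14	/* set preselection mask for procs with auid */
#define	A_SETSMASK	15	/* set preselection mask for procs with asid */
#define	A_GETCOND	20	/* get audit system on/off condition */
#define	A_SETCOND	21	/* set audit system on/off condition */
#define	A_GETCLASS	22	/* get audit event to class mapping */
#define	A_SETCLASS	23	/* set audit event to class mapping */
#define	A_GETPINFO	24	/* get audit info for an arbitrary pid */
#define	A_SETPMASK	25	/* set preselection mask for a given pid */
#define	A_GETPINFO_ADDR	28	/* get audit info for an arbitrary pid */
#define	A_GETKAUDIT	29	/* get kernel audit characteristics */
#define	A_SETKAUDIT	30	/* set kernel audit characteristics */
#define	A_GETAMASK	31	/* get user default audit event mask */
#define	A_SETAMASK	32	/* set user default audit event mask */

/*
 * Audit Policy parameters (32 bits)
 */
#define	AUDIT_CNT	0x0001	/* do NOT sleep undelivered synch events */
#define	AUDIT_AHLT	0x0002	/* HALT machine on undelivered async event */
#define	AUDIT_ARGV	0x0004	/* include argv with execv system call events */
#define	AUDIT_ARGE	0x0008	/* include arge with execv system call events */
#define	AUDIT_SEQ	0x0010	/* include sequence attribute */
#define	AUDIT_GROUP	0x0040	/* include group attribute with each record */
#define	AUDIT_TRAIL	0x0080	/* include trailer token */
#define	AUDIT_PATH	0x0100	/* allow multiple paths per event */
#define	AUDIT_SCNT	0x0200	/* sleep user events but not kernel events */
#define	AUDIT_PUBLIC	0x0400	/* audit even "public" files */
#define	AUDIT_ZONENAME	0x0800	/* emit zonename token */
#define	AUDIT_PERZONE	0x1000	/* auditd and audit queue for each zone */
#define	AUDIT_WINDATA_DOWN 0x2000 /* include paste downgraded data */
#define	AUDIT_WINDATA_UP 0x4000	/* include paste upgraded data */

/*
 * If AUDIT_GLOBAL changes, corresponding changes are required in
 * audit_syscalls.c's setpolicy().
 *
 * AUDIT_GLOBAL and AUDIT_LOCAL partition the policy bits above:
 * the two sets are disjoint, and only the global set may be changed
 * from the global zone.
 */
#define	AUDIT_GLOBAL	(AUDIT_AHLT | AUDIT_PERZONE)
#define	AUDIT_LOCAL	(AUDIT_CNT | AUDIT_ARGV | AUDIT_ARGE |\
			AUDIT_SEQ | AUDIT_GROUP | AUDIT_TRAIL | AUDIT_PATH |\
			AUDIT_PUBLIC | AUDIT_SCNT | AUDIT_ZONENAME |\
			AUDIT_WINDATA_DOWN | AUDIT_WINDATA_UP)

/*
 * Kernel audit queue control parameters
 *
 * audit record recording blocks at hiwater # undelivered records
 * audit record recording resumes at lowwater # undelivered audit records
 * bufsz determines how big the data xfers will be to the audit trail
 */
struct au_qctrl {
	size_t	aq_hiwater;	/* kernel audit queue, high water mark */
	size_t	aq_lowater;	/* kernel audit queue, low water mark */
	size_t	aq_bufsz;	/* kernel audit queue, write size to trail */
	clock_t	aq_delay;	/* delay before flushing audit queue */
};

#if defined(_SYSCALL32)
/* 32-bit ABI image of struct au_qctrl. */
struct au_qctrl32 {
	size32_t	aq_hiwater;
	size32_t	aq_lowater;
	size32_t	aq_bufsz;
	clock32_t	aq_delay;
};
#endif


/*
 * default values of hiwater and lowater (note hi > lo)
 *
 * The AQ_MAX* values bound what A_SETQCTRL will accept; the defaults
 * are what the queue starts with.
 */
#define	AQ_HIWATER	100
#define	AQ_MAXHIGH	100000
#define	AQ_LOWATER	10
#define	AQ_BUFSZ	8192
#define	AQ_MAXBUFSZ	1048576
#define	AQ_DELAY	20
#define	AQ_MAXDELAY	20000

struct auditinfo {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid_t	ai_termid;
	au_asid_t	ai_asid;
};

#if defined(_SYSCALL32)
/* 32-bit ABI image of struct auditinfo. */
struct auditinfo32 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid32_t	ai_termid;
	au_asid_t	ai_asid;
};

typedef struct auditinfo32 auditinfo32_t;
#endif

typedef struct auditinfo auditinfo_t;

/*
 * Kernel-internal form of auditinfo_addr: carries both the user
 * default mask and the non-attributable mask.
 */
struct k_auditinfo_addr {
	au_id_t		ai_auid;
	au_mask_t	ai_amask;	/* user default preselection mask */
	au_mask_t	ai_namask;	/* non-attributable mask */
	au_tid_addr_t	ai_termid;
	au_asid_t	ai_asid;
};
typedef struct k_auditinfo_addr k_auditinfo_addr_t;

struct auditinfo_addr {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid_addr_t	ai_termid;
	au_asid_t	ai_asid;
};

struct auditinfo_addr64 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid64_addr_t	ai_termid;
	au_asid_t	ai_asid;
};
typedef struct auditinfo_addr64 auditinfo64_addr_t;

#if defined(_SYSCALL32)
/* 32-bit ABI image of struct auditinfo_addr. */
struct auditinfo_addr32 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid32_addr_t	ai_termid;
	au_asid_t	ai_asid;
};

typedef struct auditinfo_addr32 auditinfo32_addr_t;
#endif

typedef struct auditinfo_addr auditinfo_addr_t;

struct auditpinfo {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid_t	ap_termid;
	au_asid_t	ap_asid;
};

#if defined(_SYSCALL32)
/* 32-bit ABI image of struct auditpinfo. */
struct auditpinfo32 {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid32_t	ap_termid;
	au_asid_t	ap_asid;
};
#endif


struct auditpinfo_addr {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid_addr_t	ap_termid;
	au_asid_t	ap_asid;
};

#if defined(_SYSCALL32)
/* 32-bit ABI image of struct auditpinfo_addr. */
struct auditpinfo_addr32 {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid32_addr_t	ap_termid;
	au_asid_t	ap_asid;
};
#endif


struct au_evclass_map {
	au_event_t	ec_number;
	au_class_t	ec_class;
};
typedef struct au_evclass_map au_evclass_map_t;

/*
 * Audit stat structures (used to be in audit_stat.h)
 */

struct audit_stat {
	unsigned int	as_version;	/* version of kernel audit code */
	unsigned int	as_numevent;	/* number of kernel audit events */
	uint32_t	as_generated;	/* # records processed */
	uint32_t	as_nonattrib;	/* # non-attributed records produced */
	uint32_t	as_kernel;	/* # records produced by kernel */
	uint32_t	as_audit;	/* # records processed by audit(2) */
	uint32_t	as_auditctl;	/* # records processed by auditctl(2) */
	uint32_t	as_enqueue;	/* # records put onto audit queue */
	uint32_t	as_written;	/* # records written to audit trail */
	uint32_t	as_wblocked;	/* # times write blked on audit queue */
	uint32_t	as_rblocked;	/* # times read blked on audit queue */
	uint32_t	as_dropped;	/* # of dropped audit records */
	uint32_t	as_totalsize;	/* total number bytes of audit data */
	uint32_t	as_memused;	/* no longer used */
};
typedef struct audit_stat au_stat_t;

/*
 * Kernel audit context selectors.  These dereference curproc and
 * global_zone and are therefore only meaningful in kernel code.
 * GET_KCTX_PZ is fully parenthesized so it can be used as a
 * sub-expression (e.g. as an operand of "->") without re-binding.
 */
/* get kernel audit context dependent on AUDIT_PERZONE policy */
#define	GET_KCTX_PZ	((audit_policy & AUDIT_PERZONE) ?\
			curproc->p_zone->zone_audit_kctxt :\
			global_zone->zone_audit_kctxt)
/* get kernel audit context of global zone */
#define	GET_KCTX_GZ	global_zone->zone_audit_kctxt
/* get kernel audit context of non-global zone */
#define	GET_KCTX_NGZ	curproc->p_zone->zone_audit_kctxt

/*
 * Atomically adjust counter "a" of the au_stat_t held in kernel audit
 * context "c" by "b".  The context argument is parenthesized so an
 * expression such as GET_KCTX_PZ can be passed directly.
 */
#define	AS_INC(a, b, c)	atomic_add_32(&((c)->auk_statistics.a), (b))
#define	AS_DEC(a, b, c)	atomic_add_32(&((c)->auk_statistics.a), -(b))

/*
 * audit token IPC types (shm, sem, msg) [for ipc attribute]
 */

#define	AT_IPC_MSG	((char)1)		/* message IPC id */
#define	AT_IPC_SEM	((char)2)		/* semaphore IPC id */
#define	AT_IPC_SHM	((char)3)		/* shared memory IPC id */

#if defined(_KERNEL)

#ifdef __cplusplus
}
#endif

#include <sys/types.h>
#include <sys/model.h>
#include <sys/proc.h>
#include <sys/stream.h>
#include <sys/stropts.h>
#include <sys/file.h>
#include <sys/pathname.h>
#include <sys/vnode.h>
#include <sys/systm.h>
#include <netinet/in.h>
#include <c2/audit_door_infc.h>
#include <sys/crypto/ioctladmin.h>
#include <sys/netstack.h>
#include <sys/zone.h>

#ifdef __cplusplus
extern "C" {
#endif

struct fcntla;
struct t_audit_data;
struct audit_path;
struct priv_set;
struct devplcysys;

/* Argument block for the auditsys() system-call multiplexor. */
struct auditcalls {
	long	code;
	long	a1;
	long	a2;
	long	a3;
	long	a4;
	long	a5;
};

int	audit(caddr_t, int);
int	auditsys(struct auditcalls *, union rval *); /* fake stub */
void	audit_cryptoadm(int, char *, crypto_mech_name_t *,
	    uint_t, uint_t, uint32_t, int);
void	audit_init(void);
void	audit_init_module(void);
void	audit_newproc(struct proc *);
void	audit_pfree(struct proc *);
void	audit_thread_create(kthread_id_t);
void	audit_thread_free(kthread_id_t);
int	audit_savepath(struct pathname *, struct vnode *, struct vnode *,
	    int, cred_t *);
void	audit_anchorpath(struct pathname *, int);
void	audit_symlink(struct pathname *, struct pathname *);
void	audit_symlink_create(struct vnode *, char *, char *, int);
int	object_is_public(struct vattr *);
void	audit_attributes(struct vnode *);
void	audit_falloc(struct file *);
void	audit_unfalloc(struct file *);
void	audit_exit(int, int);
void	audit_core_start(int);
void	audit_core_finish(int);
void	audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *,
	    unsigned char *, int *, int);
void	audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *,
	    unsigned char, int, int);
void	audit_closef(struct file *);
void	audit_setf(struct file *, int);
void	audit_reboot(void);
void	audit_vncreate_start(void);
void	audit_setfsat_path(int argnum);
void	audit_vncreate_finish(struct vnode *, int);
void	audit_exec(const char *, const char *, ssize_t, ssize_t, cred_t *);
void	audit_enterprom(int);
void	audit_exitprom(int);
void	audit_chdirec(struct vnode *, struct vnode **);
void	audit_sock(int, struct queue *, struct msgb *, int);
int	audit_start(unsigned int, unsigned int, uint32_t, int, klwp_t *);
void	audit_finish(unsigned int, unsigned int, int, union rval *);
int	audit_async_start(label_t *, au_event_t, int);
void	audit_async_finish(caddr_t *, au_event_t, au_emod_t, timestruc_t *);
void	audit_async_discard_backend(void *);
void	audit_async_done(caddr_t *, int);
void	audit_async_drop(caddr_t *, int);

#ifndef AUK_CONTEXT_T
#define	AUK_CONTEXT_T
typedef struct au_kcontext au_kcontext_t;
#endif

/* Zone audit context setup routine */
void	au_zone_setup(void);

/*
 * c2audit module states
 */
#define	C2AUDIT_DISABLED	0	/* c2audit module excluded in /etc/system */
#define	C2AUDIT_UNLOADED	1	/* c2audit module not loaded */
#define	C2AUDIT_LOADED		2	/* c2audit module loaded */

uint32_t	audit_getstate(void);
int		au_zone_getstate(const au_kcontext_t *);

/* The audit mask defining in which case is auditing enabled */
#define	AU_AUDIT_MASK	(AUC_AUDITING | AUC_NOSPACE)

/*
 * Get the given zone audit status.  zcontext != NULL serves
 * as a protection when c2audit module is not loaded.
 *
 * Note: audit_active is not declared in this header; the including
 * kernel code is expected to have it in scope.
 */
#define	AU_ZONE_AUDITING(zcontext)	\
	(audit_active == C2AUDIT_LOADED && \
	((AU_AUDIT_MASK) & au_zone_getstate((zcontext))))

/*
 * Get auditing status
 */
#define	AU_AUDITING()	(audit_getstate())

int	audit_success(au_kcontext_t *, struct t_audit_data *, int, cred_t *);
int	auditme(au_kcontext_t *, struct t_audit_data *, au_state_t);
void	audit_fixpath(struct audit_path *, int);
void	audit_ipc(int, int, void *);
void	audit_ipcget(int, void *);
void	audit_fdsend(int, struct file *, int);
void	audit_fdrecv(int, struct file *);
void	audit_priv(int, const struct priv_set *, int);
void	audit_setppriv(int, int, const struct priv_set *, const cred_t *);
void	audit_psecflags(proc_t *, psecflagwhich_t,
    const secflagdelta_t *);
void	audit_devpolicy(int, const struct devplcysys *);
void	audit_update_context(proc_t *, cred_t *);
void	audit_kssl(int, void *, int);
void	audit_pf_policy(int, cred_t *, netstack_t *, char *, boolean_t, int,
    pid_t);
void	audit_sec_attributes(caddr_t *, struct vnode *);

#endif

#ifdef __cplusplus
}
#endif

#endif /* _BSM_AUDIT_H */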