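/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef _BSM_AUDIT_KERNEL_H
#define	_BSM_AUDIT_KERNEL_H

#pragma ident	"%Z%%M% %I% %E% SMI"

/*
 * This file contains the basic auditing control structure definitions.
 */

#include <c2/audit_kevents.h>
#include <sys/priv_impl.h>
#include <sys/taskq.h>
#include <sys/zone.h>

#ifdef	__cplusplus
extern "C" {
#endif

/*
 * This table contains the mapping from the system call ID to a corresponding
 * audit event.
 *
 * au_init() is a function called at the beginning of the system call that
 * performs any necessary setup/processing.  It maps the call into the
 * appropriate event, depending on the system call arguments.  It is called
 * by audit_start() from trap.c .
 *
 * au_event is the audit event associated with the system call.  Most of the
 * time it will map directly from the system call i.e. There is one system
 * call associated with the event.  In some cases, such as shmsys, or open,
 * the au_start() function will map the system call to more than one event,
 * depending on the system call arguments.
 *
 * au_start() is a function that provides per system call processing at the
 * beginning of a system call.  It is mainly concerned with preserving the
 * audit record components that may be altered so that we can determine
 * what the original parameter was before as well as after the system call.
 * It is possible that au_start() may be taken away.  It might be cleaner to
 * define flags in au_ctrl to save a designated argument.  For the moment we
 * support both mechanisms, however the use of au_start() will be reviewed
 * for 4.1.1 and CMW and ZEUS to see if such a general method is justified.
 *
 * au_finish() is a function that provides per system call processing at the
 * completion of a system call.  In certain circumstances, the type of audit
 * event depends on intermediate results during the processing of the system
 * call.  It is called in audit_finish() from trap.c .
 *
 * au_ctrl is a control vector that indicates what processing might have to
 * be performed, even if there is no auditing for this system call.  At
 * present this is mostly for path processing for chmod, chroot.  We need to
 * process the path information in vfs_lookup, even when we are not auditing
 * the system call in the case of chdir and chroot.
 *
 * The struct audit_s2e definition itself appears at the end of this group
 * of declarations, after struct t_audit_data which its callbacks take.
 */
/*
 * Defines for au_ctrl.
 *
 * These alias the PAD_* bits declared further down in this header.  The
 * forward reference is harmless because macro expansion happens at the
 * point of use, by which time PAD_* are defined.
 */
#define	S2E_SP		PAD_SAVPATH	/* save path for later use */
#define	S2E_MLD		PAD_MLD		/* only one lookup per system call */
#define	S2E_NPT		PAD_NOPATH	/* force no path in audit record */
#define	S2E_PUB		PAD_PUBLIC_EV	/* syscall is defined as a public op */

/*
 * At present, we are using the audit classes embedded within the kernel.  Each
 * event has a bit mask determining which classes the event is associated.
 * The table audit_e2s maps the audit event ID to the audit state.
 *
 * Note that this may change radically.  If we use a bit vector for the audit
 * class, we can allow granularity at the event ID for each user.  In this
 * case, the vector would be determined at user level and passed to the kernel
 * via the setaudit system call.
 */

/*
 * The audit_path structure holds paths for the current root and directory
 * for the process, as well as for open files and directly manipulated objects.
 * The reference count minimizes data copies since the process's current
 * directory changes very seldom.
 *
 * audp_sect is deliberately declared with a single element: the structure
 * is presumably allocated with room for audp_cnt pointers, with audp_size
 * recording the size actually allocated.  Do not convert it to a C99
 * flexible array member without auditing every allocation site, because
 * that changes sizeof (struct audit_path) and any arithmetic built on it.
 */
struct audit_path {
	uint_t		audp_ref;	/* reference count */
	uint_t		audp_size;	/* allocated size of this structure */
	uint_t		audp_cnt;	/* number of path sections */
	char		*audp_sect[1];	/* path section pointers */
					/* audp_sect[0] is the path name */
					/* audp_sect[1+] are attribute paths */
};

/*
 * The structure of the terminal ID within the kernel is different from the
 * terminal ID in user space.  It is a combination of port and IP address.
 */

struct au_termid {
	dev_t	at_port;	/* terminal device */
	uint_t	at_type;	/* address type; selects how much of at_addr is used */
	uint_t	at_addr[4];	/* address, 16 bytes so an IPv6 address fits */
};
typedef struct au_termid au_termid_t;

/*
 * Attributes for deferring the queuing of an event.
 *
 * Records are held on a singly linked list (audi_next) hanging off
 * t_audit_data.tad_defer_head/tad_defer_tail until the system call ends.
 */
typedef struct au_defer_info {
	struct au_defer_info	*audi_next;	/* next on linked list */
	void			*audi_ad;	/* audit record */
	int			audi_e_type;	/* audit event id */
	int			audi_e_mod;	/* audit event modifier */
	int			audi_flag;	/* au_close*() flags */
	timestruc_t		audi_atime;	/* audit event timestamp */
} au_defer_info_t;

/*
 * The structure p_audit_data hangs off of the process structure.  It contains
 * all of the audit information necessary to manage the audit record generation
 * for each process.
 *
 * The pad_lock is constructed in the kmem_cache; the rest is combined
 * in a sub structure so it can be copied/zeroed in one statement.
 *
 * The members have been reordered for maximum packing on 64 bit Solaris.
 */
struct p_audit_data {
	kmutex_t	pad_lock;	/* lock pad data during changes */
	struct _pad_data {
		struct audit_path	*pad_root;	/* process root path */
		struct audit_path	*pad_cwd;	/* process cwd path */
		au_mask_t		pad_newmask;	/* pending new mask */
		int			pad_flags;
	} pad_data;
};
typedef struct p_audit_data p_audit_data_t;

/*
 * Convenience accessors for the packed sub structure.  These are
 * object-like macros, so every identifier spelled pad_root, pad_cwd,
 * pad_newmask or pad_flags in any file that includes this header is
 * rewritten; do not reuse those names for locals.
 */
#define	pad_root	pad_data.pad_root
#define	pad_cwd		pad_data.pad_cwd
#define	pad_newmask	pad_data.pad_newmask
#define	pad_flags	pad_data.pad_flags

/*
 * Defines for pad_flags
 */
#define	PAD_SETMASK	0x00000001	/* need to complete pending setmask */

extern kmem_cache_t *au_pad_cache;

/*
 * Defines for pad_ctrl
 *
 * NOTE(review): no field named pad_ctrl exists in this header; these bits
 * presumably live in t_audit_data.tad_ctrl ("audit control/status flags")
 * and are also the values aliased by S2E_* above -- confirm against audit.c.
 * PAD_NOAUDIT and PAD_ERRJMP both cause a record to be dropped, so any
 * code path that sets them silences the audit trail for that call.
 */
#define	PAD_SAVPATH	0x00000001	/* save path for further processing */
#define	PAD_MLD		0x00000002	/* system call involves MLD */
#define	PAD_NOPATH	0x00000004	/* force no paths in audit record */
#define	PAD_ABSPATH	0x00000008	/* path from lookup is absolute */
#define	PAD_NOATTRB	0x00000010	/* do not automatically add attribute */
					/* 0x20, 0x40 unused */
#define	PAD_LFLOAT	0x00000080	/* Label float */
#define	PAD_NOAUDIT	0x00000100	/* discard audit record */
#define	PAD_PATHFND	0x00000200	/* found path, don't retry lookup */
#define	PAD_SPRIV	0x00000400	/* succ priv use. extra audit_finish */
#define	PAD_FPRIV	0x00000800	/* fail priv use. extra audit_finish */
#define	PAD_SMAC	0x00001000	/* succ mac use. extra audit_finish */
#define	PAD_FMAC	0x00002000	/* fail mac use. extra audit_finish */
#define	PAD_AUDITME	0x00004000	/* audit me because of NFS operation */
#define	PAD_ATPATH	0x00008000	/* attribute file lookup */
#define	PAD_TRUE_CREATE	0x00010000	/* true create, file not found */
#define	PAD_CORE	0x00020000	/* save attribute during core dump */
#define	PAD_ERRJMP	0x00040000	/* abort record generation on error */
#define	PAD_PUBLIC_EV	0x00080000	/* syscall is defined as a public op */

/*
 * The structure t_audit_data hangs off of the thread structure.  It contains
 * all of the audit information necessary to manage the audit record generation
 * for each thread.
 *
 * tad_errjmp is the jump buffer used when PAD_ERRJMP is set and record
 * generation has to be abandoned part way through a system call.
 */

struct t_audit_data {
	kthread_id_t	tad_thread;	/* DEBUG pointer to parent thread */
	unsigned int	tad_scid;	/* system call ID for finish */
	short		tad_event;	/* event for audit record */
	short		tad_evmod;	/* event modifier for audit record */
	int		tad_ctrl;	/* audit control/status flags */
	void		*tad_errjmp;	/* error longjmp (audit record aborted) */
	int		tad_flag;	/* to audit or not to audit */
	struct audit_path	*tad_aupath;	/* captured at vfs_lookup */
	struct audit_path	*tad_atpath;	/* openat prefix, path of fd */
	struct vnode	*tad_vn;	/* saved inode from vfs_lookup */
	caddr_t		tad_ad;		/* base of accumulated audit data */
	au_defer_info_t	*tad_defer_head;	/* queue of records to defer */
						/* until syscall end: */
	au_defer_info_t	*tad_defer_tail;	/* tail of defer queue */
	priv_set_t	tad_sprivs;	/* saved (success) used privs */
	priv_set_t	tad_fprivs;	/* saved (failed) used privs */
};
typedef struct t_audit_data t_audit_data_t;

/*
 * The f_audit_data structure hangs off of the file structure.  It contains
 * three fields of data.  The audit ID, the audit state, and a path name.
 */

struct f_audit_data {
	kthread_id_t	fad_thread;	/* DEBUG creating thread */
	int		fad_flags;	/* audit control flags */
	struct audit_path	*fad_aupath;	/* path from vfs_lookup */
};
typedef struct f_audit_data f_audit_data_t;

/* Values for fad_flags */
#define	FAD_READ	0x0001		/* read system call seen */
#define	FAD_WRITE	0x0002		/* write system call seen */

/*
 * Accessors from a proc, thread or file to its audit data.  The argument
 * is parenthesized so that an expression argument such as P2A(&p) or
 * T2A(cond ? a : b) expands correctly.  U2A() ignores its argument and
 * always yields the audit data of the running thread.
 */
#define	P2A(p)	((p)->p_audit_data)
#define	T2A(t)	((t)->t_audit_data)
#define	U2A(u)	(curthread->t_audit_data)
#define	F2A(f)	((f)->f_audit_data)

/* Shorthands for the current thread's record base and flags. */
#define	u_ad	((U2A(u))->tad_ad)
#define	ad_ctrl	((U2A(u))->tad_ctrl)
#define	ad_flag	((U2A(u))->tad_flag)

#define	AU_BUFSIZE	128	/* buffer size for the buffer pool */

/*
 * One fixed-size buffer from the pool.  au_buff_t is also the element
 * type of struct audit_queue below.  Field meanings beyond the names are
 * not established here; presumably next_buf chains buffers of one record
 * and next_rec chains records on the queue -- confirm in the au_membuf code.
 * len is a uchar_t, which can hold any count up to AU_BUFSIZE.
 */
struct au_buff {
	char		buf[AU_BUFSIZE];
	struct au_buff	*next_buf;
	struct au_buff	*next_rec;
	ushort_t	rec_len;
	uchar_t		len;
	uchar_t		flag;
};

typedef struct au_buff au_buff_t;

/*
 * Kernel audit queue structure.
 *
 * cnt is signed (ssize_t) while the water marks are size_t; comparisons
 * between them are subject to the usual signed/unsigned promotion rules.
 */
struct audit_queue {
	au_buff_t	*head;		/* head of queue */
	au_buff_t	*tail;		/* tail of queue */
	ssize_t		cnt;		/* number elements on queue */
	size_t		hiwater;	/* high water mark to block */
	size_t		lowater;	/* low water mark to restart */
	size_t		bufsz;		/* audit trail write buffer size */
	size_t		buflen;		/* audit trail buffer length in use */
	clock_t		delay;		/* delay before flushing queue */
	int		wt_block;	/* writer is blocked (1) */
	int		rd_block;	/* reader is blocked (1) */
	kmutex_t	lock;		/* mutex lock for queue modification */
	kcondvar_t	write_cv;	/* sleep structure for write block */
	kcondvar_t	read_cv;	/* sleep structure for read block */
};


union rval;
/*
 * One entry of the system-call-to-event table described at the top of
 * this header; see that comment for the role of each member.
 */
struct audit_s2e {
	au_event_t	(*au_init)(au_event_t);
			/* convert au_event to real audit event ID */

	int		au_event;	/* default audit event for this system call */
	void		(*au_start)(struct t_audit_data *);
			/* pre-system call audit processing */
	void		(*au_finish)(struct t_audit_data *, int, union rval *);
			/* post-system call audit processing */
	int		au_ctrl;	/* control flags for auditing actions */
};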
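extern struct audit_s2e audit_s2e[];

/*
 * Values for au_kcontext.auk_valid.  AUK_VALID marks an initialized
 * per-zone context; AUK_INVALID is zero, so freshly zeroed memory reads
 * as invalid.  Presumably checked before a zone's context is used --
 * confirm in the audit code that looks the context up via au_zone_key.
 */
#define	AUK_VALID	0x5A5A5A5A
#define	AUK_INVALID	0
/*
 * per zone audit context
 */
struct au_kcontext {
	uint32_t		auk_valid;	/* AUK_VALID / AUK_INVALID */
	zoneid_t		auk_zid;

	boolean_t		auk_hostaddr_valid;
	int			auk_sequence;
	int			auk_auditstate;
	int			auk_output_active;
	struct vnode		*auk_current_vp;
	int			auk_policy;	/* AUDIT_* policy bits, see AUDIT_SETGROUP */

	struct audit_queue	auk_queue;

	char			*auk_buffer;	/* auditsvc output */
	au_dbuf_t		*auk_dbuffer;	/* auditdoor output */

	au_stat_t		auk_statistics;

	struct auditinfo_addr	auk_info;
	kmutex_t		auk_eagain_mutex;	/* door call retry */
	kcondvar_t		auk_eagain_cv;
	kmutex_t		auk_fstat_lock;	/* audit file statistics lock */
	au_fstat_t		auk_file_stat;	/* file statistics */

	taskq_t			*auk_taskq;	/* output thread */

	/* Only one audit svc per zone at a time */
	kmutex_t		auk_svc_lock;
	/* 1 during auditsvc, 2 during auditdoor */
	int			auk_svc_busy;
	/* per-event audit state, indexed by event id; presumably the */
	/* per-zone instance of the event-to-state table described above */
	au_state_t		auk_ets[MAX_KEVENTS];
};
#ifndef AUK_CONTEXT_T
#define	AUK_CONTEXT_T
typedef struct au_kcontext au_kcontext_t;
#endif

extern zone_key_t au_zone_key;

/*
 * Kernel auditing external variables
 */
extern int audit_policy;
extern int audit_active;
extern int audit_load;
extern int au_auditstate;

extern struct audit_queue au_queue;
extern struct p_audit_data *pad0;
extern struct t_audit_data *tad0;

/*
 * audit_path support routines
 *
 * au_pathhold()/au_pathrele() adjust the reference count; au_pathdup()
 * returns a new path (ownership passes to the caller, release it with
 * au_pathrele()).
 */
void au_pathhold(struct audit_path *);
void au_pathrele(struct audit_path *);
struct audit_path *au_pathdup(const struct audit_path *, int, int);

/*
 * Macros to hide asynchronous, non-blocking audit record start and finish
 * processing.
 *
 * NOTE: must be used in (void) function () { ... }
 *
 * AUDIT_ASYNC_START expands to a bare block containing "return;", which is
 * why it is restricted to void functions.  AUDIT_ASYNC_FINISH's expansion
 * already ends in ';', so a trailing ';' at the use site yields an empty
 * statement (harmless).
 */

#define	AUDIT_ASYNC_START(rp, audit_event, sorf) \
{ \
	label_t jb; \
	if (setjmp(&jb)) { \
		/* cleanup any residual audit data */ \
		audit_async_drop((caddr_t *)&(rp), 0); \
		return; \
	} \
	/* auditing enabled and we're preselected for this event? */ \
	if (audit_async_start(&jb, audit_event, sorf)) { \
		return; \
	} \
}

#define	AUDIT_ASYNC_FINISH(rp, audit_event, event_modifier) \
	audit_async_finish((caddr_t *)&(rp), audit_event, event_modifier);


#ifdef _KERNEL
au_buff_t *au_get_buff(void);
au_buff_t *au_free_buff(au_buff_t *);
#endif

/*
 * Macros for repeated token generation operations
 *
 * AUDIT_SETSUBJ always writes a subject token; AUDIT_SETGROUP writes a
 * groups token only when the zone policy has AUDIT_GROUP set.  Both are
 * statement macros, to be followed by ';' at the use site.  AUDIT_SETGROUP
 * is wrapped in do { } while (0) so that its internal "if" cannot capture
 * an "else" belonging to the caller.
 */
#define	AUDIT_SETSUBJ(u, c, a) \
	au_write(u, au_to_subject( \
		crgetuid(c), \
		crgetgid(c), \
		crgetruid(c), \
		crgetrgid(c), \
		curproc->p_pid, \
		(a)->ai_auid, \
		(a)->ai_asid, \
		&((a)->ai_termid)))

#define	AUDIT_SETGROUP(u, c, k) \
	do { \
		if ((k)->auk_policy & AUDIT_GROUP) \
			au_write(u, au_to_groups( \
				crgetgroups(c), \
				crgetngroups(c))); \
	} while (0)

/*
 * Macros for type conversion
 */

/* au_membuf head, to typed data; x is parenthesized so &buf style args work */
#define	memtod(x, t)	((t)(x)->buf)

/* au_membuf types */
#define	MT_FREE		0	/* should be on free list */
#define	MT_DATA		1	/* dynamic (data) allocation */

/* flags to au_memget */
#define	DONTWAIT	0
#define	WAIT		1

#define	AU_PACK		1	/* pack data in au_append_rec() */
#define	AU_LINK		0	/* link data in au_append_rec() */

/* flags to async routines */
#define	AU_BACKEND	1	/* called from softcall backend */

#ifdef	__cplusplus
}
#endif

#endif /* _BSM_AUDIT_KERNEL_H */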