17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 581490fd2Sgww * Common Development and Distribution License (the "License"). 681490fd2Sgww * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 217c478bd9Sstevel@tonic-gate /* 228fd04b83SRoger A. Faulkner * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 237c478bd9Sstevel@tonic-gate * Use is subject to license terms. 247c478bd9Sstevel@tonic-gate */ 257c478bd9Sstevel@tonic-gate 267c478bd9Sstevel@tonic-gate #ifndef _BSM_AUDIT_KERNEL_H 277c478bd9Sstevel@tonic-gate #define _BSM_AUDIT_KERNEL_H 287c478bd9Sstevel@tonic-gate 297c478bd9Sstevel@tonic-gate 307c478bd9Sstevel@tonic-gate /* 317c478bd9Sstevel@tonic-gate * This file contains the basic auditing control structure definitions. 327c478bd9Sstevel@tonic-gate */ 337c478bd9Sstevel@tonic-gate 347c478bd9Sstevel@tonic-gate #include <c2/audit_kevents.h> 357c478bd9Sstevel@tonic-gate #include <sys/priv_impl.h> 367c478bd9Sstevel@tonic-gate #include <sys/taskq.h> 377c478bd9Sstevel@tonic-gate #include <sys/zone.h> 387c478bd9Sstevel@tonic-gate 3981490fd2Sgww #include <sys/tsol/label.h> 4081490fd2Sgww 417c478bd9Sstevel@tonic-gate #ifdef __cplusplus 427c478bd9Sstevel@tonic-gate extern "C" { 437c478bd9Sstevel@tonic-gate #endif 447c478bd9Sstevel@tonic-gate 457c478bd9Sstevel@tonic-gate /* 467c478bd9Sstevel@tonic-gate * This table contains the mapping from the system call ID to a corresponding 477c478bd9Sstevel@tonic-gate * audit event. 487c478bd9Sstevel@tonic-gate * 497c478bd9Sstevel@tonic-gate * au_init() is a function called at the beginning of the system call that 507c478bd9Sstevel@tonic-gate * performs any necessary setup/processing. It maps the call into the 517c478bd9Sstevel@tonic-gate * appropriate event, depending on the system call arguments. It is called 527c478bd9Sstevel@tonic-gate * by audit_start() from trap.c . 537c478bd9Sstevel@tonic-gate * 547c478bd9Sstevel@tonic-gate * au_event is the audit event associated with the system call. Most of the 557c478bd9Sstevel@tonic-gate * time it will map directly from the system call i.e. There is one system 567c478bd9Sstevel@tonic-gate * call associated with the event. In some cases, such as shmsys, or open, 577c478bd9Sstevel@tonic-gate * the au_start() function will map the system call to more than one event, 587c478bd9Sstevel@tonic-gate * depending on the system call arguments. 597c478bd9Sstevel@tonic-gate * 607c478bd9Sstevel@tonic-gate * au_start() is a function that provides per system call processing at the 617c478bd9Sstevel@tonic-gate * beginning of a system call. It is mainly concerned with preseving the 627c478bd9Sstevel@tonic-gate * audit record components that may be altered so that we can determine 637c478bd9Sstevel@tonic-gate * what the original paramater was before as well as after the system call. 647c478bd9Sstevel@tonic-gate * It is possible that au_start() may be taken away. It might be cleaner to 657c478bd9Sstevel@tonic-gate * define flags in au_ctrl to save a designated argument. For the moment we 667c478bd9Sstevel@tonic-gate * support both mechanisms, however the use of au_start() will be reviewed 677c478bd9Sstevel@tonic-gate * for 4.1.1 and CMW and ZEUS to see if such a general method is justified. 687c478bd9Sstevel@tonic-gate * 697c478bd9Sstevel@tonic-gate * au_finish() is a function that provides per system call processing at the 707c478bd9Sstevel@tonic-gate * completion of a system call. In certain circumstances, the type of audit 717c478bd9Sstevel@tonic-gate * event depends on intermidiate results during the processing of the system 727c478bd9Sstevel@tonic-gate * call. It is called in audit_finish() from trap.c . 737c478bd9Sstevel@tonic-gate * 747c478bd9Sstevel@tonic-gate * au_ctrl is a control vector that indicates what processing might have to 757c478bd9Sstevel@tonic-gate * be performed, even if there is no auditing for this system call. At 767c478bd9Sstevel@tonic-gate * present this is mostly for path processing for chmod, chroot. We need to 777c478bd9Sstevel@tonic-gate * process the path information in vfs_lookup, even when we are not auditing 787c478bd9Sstevel@tonic-gate * the system call in the case of chdir and chroot. 797c478bd9Sstevel@tonic-gate */ 807c478bd9Sstevel@tonic-gate /* 817c478bd9Sstevel@tonic-gate * Defines for au_ctrl 827c478bd9Sstevel@tonic-gate */ 837c478bd9Sstevel@tonic-gate #define S2E_SP PAD_SAVPATH /* save path for later use */ 847c478bd9Sstevel@tonic-gate #define S2E_MLD PAD_MLD /* only one lookup per system call */ 857c478bd9Sstevel@tonic-gate #define S2E_NPT PAD_NOPATH /* force no path in audit record */ 867c478bd9Sstevel@tonic-gate #define S2E_PUB PAD_PUBLIC_EV /* syscall is defined as a public op */ 878fd04b83SRoger A. Faulkner #define S2E_ATC PAD_ATCALL /* syscall is one of the *at() family */ 887c478bd9Sstevel@tonic-gate 897c478bd9Sstevel@tonic-gate /* 907c478bd9Sstevel@tonic-gate * At present, we are using the audit classes imbedded with in the kernel. Each 917c478bd9Sstevel@tonic-gate * event has a bit mask determining which classes the event is associated. 927c478bd9Sstevel@tonic-gate * The table audit_e2s maps the audit event ID to the audit state. 937c478bd9Sstevel@tonic-gate * 947c478bd9Sstevel@tonic-gate * Note that this may change radically. If we use a bit vector for the audit 957c478bd9Sstevel@tonic-gate * class, we can allow granularity at the event ID for each user. In this 967c478bd9Sstevel@tonic-gate * case, the vector would be determined at user level and passed to the kernel 977c478bd9Sstevel@tonic-gate * via the setaudit system call. 987c478bd9Sstevel@tonic-gate */ 997c478bd9Sstevel@tonic-gate 1007c478bd9Sstevel@tonic-gate /* 1017c478bd9Sstevel@tonic-gate * The audit_pad structure holds paths for the current root and directory 1027c478bd9Sstevel@tonic-gate * for the process, as well as for open files and directly manipulated objects. 1037c478bd9Sstevel@tonic-gate * The reference count minimizes data copies since the process's current 1047c478bd9Sstevel@tonic-gate * directory changes very seldom. 1057c478bd9Sstevel@tonic-gate */ 1067c478bd9Sstevel@tonic-gate struct audit_path { 1077c478bd9Sstevel@tonic-gate uint_t audp_ref; /* reference count */ 1087c478bd9Sstevel@tonic-gate uint_t audp_size; /* allocated size of this structure */ 1097c478bd9Sstevel@tonic-gate uint_t audp_cnt; /* number of path sections */ 1107c478bd9Sstevel@tonic-gate char *audp_sect[1]; /* path section pointers */ 1117c478bd9Sstevel@tonic-gate /* audp_sect[0] is the path name */ 1127c478bd9Sstevel@tonic-gate /* audp_sect[1+] are attribute paths */ 1137c478bd9Sstevel@tonic-gate }; 1147c478bd9Sstevel@tonic-gate 1157c478bd9Sstevel@tonic-gate /* 1167c478bd9Sstevel@tonic-gate * The structure of the terminal ID within the kernel is different from the 1177c478bd9Sstevel@tonic-gate * terminal ID in user space. It is a combination of port and IP address. 1187c478bd9Sstevel@tonic-gate */ 1197c478bd9Sstevel@tonic-gate 1207c478bd9Sstevel@tonic-gate struct au_termid { 1217c478bd9Sstevel@tonic-gate dev_t at_port; 1227c478bd9Sstevel@tonic-gate uint_t at_type; 1237c478bd9Sstevel@tonic-gate uint_t at_addr[4]; 1247c478bd9Sstevel@tonic-gate }; 1257c478bd9Sstevel@tonic-gate typedef struct au_termid au_termid_t; 1267c478bd9Sstevel@tonic-gate 1277c478bd9Sstevel@tonic-gate /* 1287c478bd9Sstevel@tonic-gate * Attributes for deferring the queuing of an event. 1297c478bd9Sstevel@tonic-gate */ 1307c478bd9Sstevel@tonic-gate typedef struct au_defer_info { 1317c478bd9Sstevel@tonic-gate struct au_defer_info *audi_next; /* next on linked list */ 1327c478bd9Sstevel@tonic-gate void *audi_ad; /* audit record */ 133d0fa49b7STony Nguyen au_event_t audi_e_type; /* audit event id */ 134d0fa49b7STony Nguyen au_emod_t audi_e_mod; /* audit event modifier */ 1357c478bd9Sstevel@tonic-gate int audi_flag; /* au_close*() flags */ 1367c478bd9Sstevel@tonic-gate timestruc_t audi_atime; /* audit event timestamp */ 1377c478bd9Sstevel@tonic-gate } au_defer_info_t; 1387c478bd9Sstevel@tonic-gate 1397c478bd9Sstevel@tonic-gate /* 1407c478bd9Sstevel@tonic-gate * The structure p_audit_data hangs off of the process structure. It contains 1417c478bd9Sstevel@tonic-gate * all of the audit information necessary to manage the audit record generation 1427c478bd9Sstevel@tonic-gate * for each process. 1437c478bd9Sstevel@tonic-gate * 1447c478bd9Sstevel@tonic-gate * The pad_lock is constructed in the kmem_cache; the rest is combined 1457c478bd9Sstevel@tonic-gate * in a sub structure so it can be copied/zeroed in one statement. 1467c478bd9Sstevel@tonic-gate * 1477c478bd9Sstevel@tonic-gate * The members have been reordered for maximum packing on 64 bit Solaris. 1487c478bd9Sstevel@tonic-gate */ 1497c478bd9Sstevel@tonic-gate struct p_audit_data { 1507c478bd9Sstevel@tonic-gate kmutex_t pad_lock; /* lock pad data during changes */ 1517c478bd9Sstevel@tonic-gate struct _pad_data { 1527c478bd9Sstevel@tonic-gate struct audit_path *pad_root; /* process root path */ 1537c478bd9Sstevel@tonic-gate struct audit_path *pad_cwd; /* process cwd path */ 1547c478bd9Sstevel@tonic-gate au_mask_t pad_newmask; /* pending new mask */ 1557c478bd9Sstevel@tonic-gate int pad_flags; 1567c478bd9Sstevel@tonic-gate } pad_data; 1577c478bd9Sstevel@tonic-gate }; 1587c478bd9Sstevel@tonic-gate typedef struct p_audit_data p_audit_data_t; 1597c478bd9Sstevel@tonic-gate 1607c478bd9Sstevel@tonic-gate #define pad_root pad_data.pad_root 1617c478bd9Sstevel@tonic-gate #define pad_cwd pad_data.pad_cwd 1627c478bd9Sstevel@tonic-gate #define pad_newmask pad_data.pad_newmask 1637c478bd9Sstevel@tonic-gate #define pad_flags pad_data.pad_flags 1647c478bd9Sstevel@tonic-gate 1657c478bd9Sstevel@tonic-gate /* 1667c478bd9Sstevel@tonic-gate * Defines for pad_flags 1677c478bd9Sstevel@tonic-gate */ 1687c478bd9Sstevel@tonic-gate #define PAD_SETMASK 0x00000001 /* need to complete pending setmask */ 1697c478bd9Sstevel@tonic-gate 1707c478bd9Sstevel@tonic-gate extern kmem_cache_t *au_pad_cache; 1717c478bd9Sstevel@tonic-gate 1727c478bd9Sstevel@tonic-gate /* 1738fd04b83SRoger A. Faulkner * Defines for tad_ctrl 1747c478bd9Sstevel@tonic-gate */ 1757c478bd9Sstevel@tonic-gate #define PAD_SAVPATH 0x00000001 /* save path for further processing */ 1767c478bd9Sstevel@tonic-gate #define PAD_MLD 0x00000002 /* system call involves MLD */ 1777c478bd9Sstevel@tonic-gate #define PAD_NOPATH 0x00000004 /* force no paths in audit record */ 1787c478bd9Sstevel@tonic-gate #define PAD_ABSPATH 0x00000008 /* path from lookup is absolute */ 1797c478bd9Sstevel@tonic-gate #define PAD_NOATTRB 0x00000010 /* do not automatically add attribute */ 1808fd04b83SRoger A. Faulkner /* 0x20 unused */ 1818fd04b83SRoger A. Faulkner #define PAD_ATCALL 0x00000040 /* *at() syscall, like openat() */ 1827c478bd9Sstevel@tonic-gate #define PAD_LFLOAT 0x00000080 /* Label float */ 1837c478bd9Sstevel@tonic-gate #define PAD_NOAUDIT 0x00000100 /* discard audit record */ 1847c478bd9Sstevel@tonic-gate #define PAD_PATHFND 0x00000200 /* found path, don't retry lookup */ 1857c478bd9Sstevel@tonic-gate #define PAD_SPRIV 0x00000400 /* succ priv use. extra audit_finish */ 1867c478bd9Sstevel@tonic-gate #define PAD_FPRIV 0x00000800 /* fail priv use. extra audit_finish */ 1877c478bd9Sstevel@tonic-gate #define PAD_SMAC 0x00001000 /* succ mac use. extra audit_finish */ 1887c478bd9Sstevel@tonic-gate #define PAD_FMAC 0x00002000 /* fail mac use. extra audit_finish */ 1897c478bd9Sstevel@tonic-gate #define PAD_AUDITME 0x00004000 /* audit me because of NFS operation */ 1908fd04b83SRoger A. Faulkner #define PAD_ATTPATH 0x00008000 /* attribute file lookup */ 1917c478bd9Sstevel@tonic-gate #define PAD_TRUE_CREATE 0x00010000 /* true create, file not found */ 1927c478bd9Sstevel@tonic-gate #define PAD_CORE 0x00020000 /* save attribute during core dump */ 1937c478bd9Sstevel@tonic-gate #define PAD_ERRJMP 0x00040000 /* abort record generation on error */ 1947c478bd9Sstevel@tonic-gate #define PAD_PUBLIC_EV 0x00080000 /* syscall is defined as a public op */ 1957c478bd9Sstevel@tonic-gate 1967c478bd9Sstevel@tonic-gate /* 1977c478bd9Sstevel@tonic-gate * The structure t_audit_data hangs off of the thread structure. It contains 1987c478bd9Sstevel@tonic-gate * all of the audit information necessary to manage the audit record generation 1997c478bd9Sstevel@tonic-gate * for each thread. 2007c478bd9Sstevel@tonic-gate * 2017c478bd9Sstevel@tonic-gate */ 2027c478bd9Sstevel@tonic-gate 2037c478bd9Sstevel@tonic-gate struct t_audit_data { 2047c478bd9Sstevel@tonic-gate kthread_id_t tad_thread; /* DEBUG pointer to parent thread */ 2057c478bd9Sstevel@tonic-gate unsigned int tad_scid; /* system call ID for finish */ 206d0fa49b7STony Nguyen au_event_t tad_event; /* event for audit record */ 207d0fa49b7STony Nguyen au_emod_t tad_evmod; /* event modifier for audit record */ 2087c478bd9Sstevel@tonic-gate int tad_ctrl; /* audit control/status flags */ 2097c478bd9Sstevel@tonic-gate void *tad_errjmp; /* error longjmp (audit record aborted) */ 2107c478bd9Sstevel@tonic-gate int tad_flag; /* to audit or not to audit */ 211005d3febSMarek Pospisil uint32_t tad_audit; /* auditing enabled/disabled */ 2127c478bd9Sstevel@tonic-gate struct audit_path *tad_aupath; /* captured at vfs_lookup */ 2137c478bd9Sstevel@tonic-gate struct audit_path *tad_atpath; /* openat prefix, path of fd */ 2147c478bd9Sstevel@tonic-gate struct vnode *tad_vn; /* saved inode from vfs_lookup */ 2157c478bd9Sstevel@tonic-gate caddr_t tad_ad; /* base of accumulated audit data */ 2167c478bd9Sstevel@tonic-gate au_defer_info_t *tad_defer_head; /* queue of records to defer */ 2177c478bd9Sstevel@tonic-gate /* until syscall end: */ 2187c478bd9Sstevel@tonic-gate au_defer_info_t *tad_defer_tail; /* tail of defer queue */ 2197c478bd9Sstevel@tonic-gate priv_set_t tad_sprivs; /* saved (success) used privs */ 2207c478bd9Sstevel@tonic-gate priv_set_t tad_fprivs; /* saved (failed) used privs */ 2217c478bd9Sstevel@tonic-gate }; 2227c478bd9Sstevel@tonic-gate typedef struct t_audit_data t_audit_data_t; 2237c478bd9Sstevel@tonic-gate 2247c478bd9Sstevel@tonic-gate /* 2257c478bd9Sstevel@tonic-gate * The f_audit_data structure hangs off of the file structure. It contains 2267c478bd9Sstevel@tonic-gate * three fields of data. The audit ID, the audit state, and a path name. 2277c478bd9Sstevel@tonic-gate */ 2287c478bd9Sstevel@tonic-gate 2297c478bd9Sstevel@tonic-gate struct f_audit_data { 2307c478bd9Sstevel@tonic-gate kthread_id_t fad_thread; /* DEBUG creating thread */ 2317c478bd9Sstevel@tonic-gate int fad_flags; /* audit control flags */ 2327c478bd9Sstevel@tonic-gate struct audit_path *fad_aupath; /* path from vfs_lookup */ 2337c478bd9Sstevel@tonic-gate }; 2347c478bd9Sstevel@tonic-gate typedef struct f_audit_data f_audit_data_t; 2357c478bd9Sstevel@tonic-gate 2367c478bd9Sstevel@tonic-gate #define FAD_READ 0x0001 /* read system call seen */ 2377c478bd9Sstevel@tonic-gate #define FAD_WRITE 0x0002 /* write system call seen */ 2387c478bd9Sstevel@tonic-gate 2397c478bd9Sstevel@tonic-gate #define P2A(p) (p->p_audit_data) 2407c478bd9Sstevel@tonic-gate #define T2A(t) (t->t_audit_data) 2417c478bd9Sstevel@tonic-gate #define U2A(u) (curthread->t_audit_data) 2427c478bd9Sstevel@tonic-gate #define F2A(f) (f->f_audit_data) 2437c478bd9Sstevel@tonic-gate 2447c478bd9Sstevel@tonic-gate #define u_ad ((U2A(u))->tad_ad) 2457c478bd9Sstevel@tonic-gate #define ad_ctrl ((U2A(u))->tad_ctrl) 2467c478bd9Sstevel@tonic-gate #define ad_flag ((U2A(u))->tad_flag) 2477c478bd9Sstevel@tonic-gate 2487c478bd9Sstevel@tonic-gate #define AU_BUFSIZE 128 /* buffer size for the buffer pool */ 2497c478bd9Sstevel@tonic-gate 2507c478bd9Sstevel@tonic-gate struct au_buff { 2517c478bd9Sstevel@tonic-gate char buf[AU_BUFSIZE]; 2527c478bd9Sstevel@tonic-gate struct au_buff *next_buf; 2537c478bd9Sstevel@tonic-gate struct au_buff *next_rec; 2547c478bd9Sstevel@tonic-gate ushort_t rec_len; 2557c478bd9Sstevel@tonic-gate uchar_t len; 2567c478bd9Sstevel@tonic-gate uchar_t flag; 2577c478bd9Sstevel@tonic-gate }; 2587c478bd9Sstevel@tonic-gate 2597c478bd9Sstevel@tonic-gate typedef struct au_buff au_buff_t; 2607c478bd9Sstevel@tonic-gate 2617c478bd9Sstevel@tonic-gate /* 2627c478bd9Sstevel@tonic-gate * Kernel audit queue structure. 2637c478bd9Sstevel@tonic-gate */ 2647c478bd9Sstevel@tonic-gate struct audit_queue { 2657c478bd9Sstevel@tonic-gate au_buff_t *head; /* head of queue */ 2667c478bd9Sstevel@tonic-gate au_buff_t *tail; /* tail of queue */ 2677c478bd9Sstevel@tonic-gate ssize_t cnt; /* number elements on queue */ 2687c478bd9Sstevel@tonic-gate size_t hiwater; /* high water mark to block */ 2697c478bd9Sstevel@tonic-gate size_t lowater; /* low water mark to restart */ 2707c478bd9Sstevel@tonic-gate size_t bufsz; /* audit trail write buffer size */ 2717c478bd9Sstevel@tonic-gate size_t buflen; /* audit trail buffer length in use */ 2727c478bd9Sstevel@tonic-gate clock_t delay; /* delay before flushing queue */ 2737c478bd9Sstevel@tonic-gate int wt_block; /* writer is blocked (1) */ 2747c478bd9Sstevel@tonic-gate int rd_block; /* reader is blocked (1) */ 2757c478bd9Sstevel@tonic-gate kmutex_t lock; /* mutex lock for queue modification */ 2767c478bd9Sstevel@tonic-gate kcondvar_t write_cv; /* sleep structure for write block */ 2777c478bd9Sstevel@tonic-gate kcondvar_t read_cv; /* sleep structure for read block */ 2787c478bd9Sstevel@tonic-gate }; 2797c478bd9Sstevel@tonic-gate 2807c478bd9Sstevel@tonic-gate 2817c478bd9Sstevel@tonic-gate union rval; 2827c478bd9Sstevel@tonic-gate struct audit_s2e { 2837c478bd9Sstevel@tonic-gate au_event_t (*au_init)(au_event_t); 2847c478bd9Sstevel@tonic-gate /* convert au_event to real audit event ID */ 2857c478bd9Sstevel@tonic-gate 2867c478bd9Sstevel@tonic-gate int au_event; /* default audit event for this system call */ 2877c478bd9Sstevel@tonic-gate void (*au_start)(struct t_audit_data *); 2887c478bd9Sstevel@tonic-gate /* pre-system call audit processing */ 2897c478bd9Sstevel@tonic-gate void (*au_finish)(struct t_audit_data *, int, union rval *); 2907c478bd9Sstevel@tonic-gate /* post-system call audit processing */ 2917c478bd9Sstevel@tonic-gate int au_ctrl; /* control flags for auditing actions */ 2927c478bd9Sstevel@tonic-gate }; 2937c478bd9Sstevel@tonic-gate 2947c478bd9Sstevel@tonic-gate extern struct audit_s2e audit_s2e[]; 2957c478bd9Sstevel@tonic-gate 2967c478bd9Sstevel@tonic-gate #define AUK_VALID 0x5A5A5A5A 2977c478bd9Sstevel@tonic-gate #define AUK_INVALID 0 2987c478bd9Sstevel@tonic-gate /* 2997c478bd9Sstevel@tonic-gate * per zone audit context 3007c478bd9Sstevel@tonic-gate */ 3017c478bd9Sstevel@tonic-gate struct au_kcontext { 3027c478bd9Sstevel@tonic-gate uint32_t auk_valid; 3037c478bd9Sstevel@tonic-gate zoneid_t auk_zid; 3047c478bd9Sstevel@tonic-gate 3057c478bd9Sstevel@tonic-gate boolean_t auk_hostaddr_valid; 3067c478bd9Sstevel@tonic-gate int auk_sequence; 3077c478bd9Sstevel@tonic-gate int auk_auditstate; 3087c478bd9Sstevel@tonic-gate int auk_output_active; 3097c478bd9Sstevel@tonic-gate struct vnode *auk_current_vp; 310*96093503SMarek Pospisil uint32_t auk_policy; 3117c478bd9Sstevel@tonic-gate 3127c478bd9Sstevel@tonic-gate struct audit_queue auk_queue; 3137c478bd9Sstevel@tonic-gate 3147c478bd9Sstevel@tonic-gate au_dbuf_t *auk_dbuffer; /* auditdoor output */ 3157c478bd9Sstevel@tonic-gate 3167c478bd9Sstevel@tonic-gate au_stat_t auk_statistics; 3177c478bd9Sstevel@tonic-gate 3187c478bd9Sstevel@tonic-gate struct auditinfo_addr auk_info; 3197c478bd9Sstevel@tonic-gate kmutex_t auk_eagain_mutex; /* door call retry */ 3207c478bd9Sstevel@tonic-gate kcondvar_t auk_eagain_cv; 3217c478bd9Sstevel@tonic-gate 3227c478bd9Sstevel@tonic-gate taskq_t *auk_taskq; /* output thread */ 3237c478bd9Sstevel@tonic-gate 3247c478bd9Sstevel@tonic-gate /* Only one audit svc per zone at a time */ 325787b48eaSgww /* With the elimination of auditsvc, can this also go? see 6648414 */ 3267c478bd9Sstevel@tonic-gate kmutex_t auk_svc_lock; 327787b48eaSgww 328d31ffe99Srica au_state_t auk_ets[MAX_KEVENTS + 1]; 3297c478bd9Sstevel@tonic-gate }; 3307c478bd9Sstevel@tonic-gate #ifndef AUK_CONTEXT_T 3317c478bd9Sstevel@tonic-gate #define AUK_CONTEXT_T 3327c478bd9Sstevel@tonic-gate typedef struct au_kcontext au_kcontext_t; 3337c478bd9Sstevel@tonic-gate #endif 3347c478bd9Sstevel@tonic-gate 3357c478bd9Sstevel@tonic-gate extern zone_key_t au_zone_key; 3367c478bd9Sstevel@tonic-gate 3377c478bd9Sstevel@tonic-gate /* 3387c478bd9Sstevel@tonic-gate * Kernel auditing external variables 3397c478bd9Sstevel@tonic-gate */ 340*96093503SMarek Pospisil extern uint32_t audit_policy; 3417c478bd9Sstevel@tonic-gate extern int audit_active; 3427c478bd9Sstevel@tonic-gate 3437c478bd9Sstevel@tonic-gate extern struct audit_queue au_queue; 3447c478bd9Sstevel@tonic-gate extern struct p_audit_data *pad0; 3457c478bd9Sstevel@tonic-gate extern struct t_audit_data *tad0; 3467c478bd9Sstevel@tonic-gate 3477c478bd9Sstevel@tonic-gate /* 3487c478bd9Sstevel@tonic-gate * audit_path support routines 3497c478bd9Sstevel@tonic-gate */ 3507c478bd9Sstevel@tonic-gate void au_pathhold(struct audit_path *); 3517c478bd9Sstevel@tonic-gate void au_pathrele(struct audit_path *); 3527c478bd9Sstevel@tonic-gate struct audit_path *au_pathdup(const struct audit_path *, int, int); 3537c478bd9Sstevel@tonic-gate 354005d3febSMarek Pospisil void au_pad_init(void); 355005d3febSMarek Pospisil 356005d3febSMarek Pospisil int auditctl(int cmd, caddr_t data, int length); 357005d3febSMarek Pospisil int auditdoor(int fd); 358005d3febSMarek Pospisil int getauid(caddr_t); 359005d3febSMarek Pospisil int setauid(caddr_t); 360005d3febSMarek Pospisil int getaudit(caddr_t); 361005d3febSMarek Pospisil int getaudit_addr(caddr_t, int); 362005d3febSMarek Pospisil int setaudit(caddr_t); 363005d3febSMarek Pospisil int setaudit_addr(caddr_t, int); 364005d3febSMarek Pospisil 3657c478bd9Sstevel@tonic-gate /* 3667c478bd9Sstevel@tonic-gate * Macros to hide asynchronous, non-blocking audit record start and finish 3677c478bd9Sstevel@tonic-gate * processing. 3687c478bd9Sstevel@tonic-gate * 3697c478bd9Sstevel@tonic-gate * NOTE: must be used in (void) funcction () { ... } 3707c478bd9Sstevel@tonic-gate */ 3717c478bd9Sstevel@tonic-gate 3727c478bd9Sstevel@tonic-gate #define AUDIT_ASYNC_START(rp, audit_event, sorf) \ 3737c478bd9Sstevel@tonic-gate { \ 3747c478bd9Sstevel@tonic-gate label_t jb; \ 3757c478bd9Sstevel@tonic-gate if (setjmp(&jb)) { \ 3767c478bd9Sstevel@tonic-gate /* cleanup any residual audit data */ \ 3777c478bd9Sstevel@tonic-gate audit_async_drop((caddr_t *)&(rp), 0); \ 3787c478bd9Sstevel@tonic-gate return; \ 3797c478bd9Sstevel@tonic-gate } \ 3807c478bd9Sstevel@tonic-gate /* auditing enabled and we're preselected for this event? */ \ 3817c478bd9Sstevel@tonic-gate if (audit_async_start(&jb, audit_event, sorf)) { \ 3827c478bd9Sstevel@tonic-gate return; \ 3837c478bd9Sstevel@tonic-gate } \ 3847c478bd9Sstevel@tonic-gate } 3857c478bd9Sstevel@tonic-gate 386005d3febSMarek Pospisil #define AUDIT_ASYNC_FINISH(rp, audit_event, event_modifier, event_time) \ 387005d3febSMarek Pospisil audit_async_finish((caddr_t *)&(rp), audit_event, event_modifier, \ 388005d3febSMarek Pospisil event_time); 3897c478bd9Sstevel@tonic-gate 3907c478bd9Sstevel@tonic-gate 3917c478bd9Sstevel@tonic-gate #ifdef _KERNEL 3927c478bd9Sstevel@tonic-gate au_buff_t *au_get_buff(void), *au_free_buff(au_buff_t *); 3937c478bd9Sstevel@tonic-gate #endif 3947c478bd9Sstevel@tonic-gate 3957c478bd9Sstevel@tonic-gate /* 39681490fd2Sgww * Macro for uniform "subject" token(s) generation 3977c478bd9Sstevel@tonic-gate */ 39889581a11Sjf #define AUDIT_SETSUBJ_GENERIC(u, c, a, k, p) \ 39989581a11Sjf (au_write((u), au_to_subject(crgetuid(c), \ 40089581a11Sjf crgetgid(c), crgetruid(c), crgetrgid(c), \ 40189581a11Sjf p, (a)->ai_auid, (a)->ai_asid, \ 40289581a11Sjf &((a)->ai_termid)))); \ 40389581a11Sjf ((is_system_labeled()) ? au_write((u), \ 40489581a11Sjf au_to_label(CR_SL((c)))) : (void) 0); \ 40589581a11Sjf (((k)->auk_policy & AUDIT_GROUP) ? au_write((u),\ 40689581a11Sjf au_to_groups(crgetgroups(c), \ 40789581a11Sjf crgetngroups(c))) : (void) 0) 4087c478bd9Sstevel@tonic-gate 4091d7bfecdStz #define AUDIT_SETSUBJ(u, c, a, k) \ 4101d7bfecdStz AUDIT_SETSUBJ_GENERIC(u, c, a, k, curproc->p_pid) 4111d7bfecdStz 4127c478bd9Sstevel@tonic-gate /* 4137c478bd9Sstevel@tonic-gate * Macros for type conversion 4147c478bd9Sstevel@tonic-gate */ 4157c478bd9Sstevel@tonic-gate 4167c478bd9Sstevel@tonic-gate /* au_membuf head, to typed data */ 4177c478bd9Sstevel@tonic-gate #define memtod(x, t) ((t)x->buf) 4187c478bd9Sstevel@tonic-gate 4197c478bd9Sstevel@tonic-gate /* au_membuf types */ 4207c478bd9Sstevel@tonic-gate #define MT_FREE 0 /* should be on free list */ 4217c478bd9Sstevel@tonic-gate #define MT_DATA 1 /* dynamic (data) allocation */ 4227c478bd9Sstevel@tonic-gate 4237c478bd9Sstevel@tonic-gate /* flags to au_memget */ 4247c478bd9Sstevel@tonic-gate #define DONTWAIT 0 4257c478bd9Sstevel@tonic-gate #define WAIT 1 4267c478bd9Sstevel@tonic-gate 4277c478bd9Sstevel@tonic-gate #define AU_PACK 1 /* pack data in au_append_rec() */ 4287c478bd9Sstevel@tonic-gate #define AU_LINK 0 /* link data in au_append_rec() */ 4297c478bd9Sstevel@tonic-gate 4307c478bd9Sstevel@tonic-gate /* flags to async routines */ 4317c478bd9Sstevel@tonic-gate #define AU_BACKEND 1 /* called from softcall backend */ 4327c478bd9Sstevel@tonic-gate 4337c478bd9Sstevel@tonic-gate #ifdef __cplusplus 4347c478bd9Sstevel@tonic-gate } 4357c478bd9Sstevel@tonic-gate #endif 4367c478bd9Sstevel@tonic-gate 4377c478bd9Sstevel@tonic-gate #endif /* _BSM_AUDIT_KERNEL_H */ 438