/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright 2022 Garrett D'Amore */ /* * This file contains the declarations of the various data structures * used by the auditing module(s). */ #ifndef _BSM_AUDIT_H #define _BSM_AUDIT_H #ifdef __cplusplus extern "C" { #endif #include /* for shmid_ds structure */ #include /* for semid_ds structure */ #include /* for msqid_ds structure */ #include /* using atomics */ #include /* * Audit conditions, statements reguarding what's to be done with * audit records. None of the "global state" is returned by an * auditconfig -getcond call. AUC_NOSPACE no longer seems used. */ /* global state */ #define AUC_UNSET 0 /* on/off hasn't been decided */ #define AUC_ENABLED 1 /* loaded and enabled */ /* pseudo state used in libbsm */ #define AUC_DISABLED 0x100 /* c2audit module is excluded */ /* local zone state */ #define AUC_AUDITING 0x1 /* audit daemon is active */ #define AUC_NOAUDIT 0x2 /* audit daemon is not active */ #define AUC_INIT_AUDIT 0x4 /* audit ready but auditd has not run */ #define AUC_NOSPACE 0x8 /* audit enabled, no space for audit records */ /* * The user id -2 is never audited - in fact, a setauid(AU_NOAUDITID) * will turn off auditing. */ #define AU_NOAUDITID ((au_id_t)-2) /* * success/failure bits for asynchronous events */ #define AUM_SUCC 1 /* use the system success preselection mask */ #define AUM_FAIL 2 /* use the system failure preselection mask */ /* * Defines for event modifier field */ #define PAD_READ 0x0001 /* object read */ #define PAD_WRITE 0x0002 /* object write */ #define PAD_NONATTR 0x4000 /* non-attributable event */ #define PAD_FAILURE 0x8000 /* fail audit event */ #define PAD_SPRIVUSE 0x0080 /* successfully used privileged */ #define PAD_FPRIVUSE 0x0100 /* failed use of privileged */ /* * Some typedefs for the fundamentals */ typedef uint_t au_asid_t; typedef uint_t au_class_t; typedef ushort_t au_event_t; typedef ushort_t au_emod_t; typedef uid_t au_id_t; /* * An audit event mask. */ #define AU_MASK_ALL 0xFFFFFFFF /* all bits on for unsigned int */ #define AU_MASK_NONE 0x0 /* all bits off = no:invalid class */ struct au_mask { unsigned int am_success; /* success bits */ unsigned int am_failure; /* failure bits */ }; typedef struct au_mask au_mask_t; #define as_success am_success #define as_failure am_failure /* * The structure of the terminal ID (ipv4) */ struct au_tid { dev_t port; uint_t machine; }; #if defined(_SYSCALL32) struct au_tid32 { uint_t port; uint_t machine; }; typedef struct au_tid32 au_tid32_t; #endif typedef struct au_tid au_tid_t; /* * The structure of the terminal ID (ipv6) */ struct au_tid_addr { dev_t at_port; uint_t at_type; uint_t at_addr[4]; }; struct au_port_s { uint32_t at_major; /* major # */ uint32_t at_minor; /* minor # */ }; typedef struct au_port_s au_port_t; struct au_tid_addr64 { au_port_t at_port; uint_t at_type; uint_t at_addr[4]; }; typedef struct au_tid_addr64 au_tid64_addr_t; #if defined(_SYSCALL32) struct au_tid_addr32 { uint_t at_port; uint_t at_type; uint_t at_addr[4]; }; typedef struct au_tid_addr32 au_tid32_addr_t; #endif typedef struct au_tid_addr au_tid_addr_t; struct au_ip { uint16_t at_r_port; /* remote port */ uint16_t at_l_port; /* local port */ uint32_t at_type; /* AU_IPv4,... */ uint32_t at_addr[4]; /* remote IP */ }; typedef struct au_ip au_ip_t; /* * Generic network address structure */ struct au_generic_tid { uchar_t gt_type; /* AU_IPADR, AU_DEVICE,... */ union { au_ip_t at_ip; au_port_t at_dev; } gt_adr; }; typedef struct au_generic_tid au_generic_tid_t; /* * au_generic_tid_t gt_type values * 0 is reserved for uninitialized data */ #define AU_IPADR 1 #define AU_ETHER 2 #define AU_DEVICE 3 /* * at_type values - address length used to identify address type */ #define AU_IPv4 4 /* ipv4 type IP address */ #define AU_IPv6 16 /* ipv6 type IP address */ /* * Compatability with SunOS 4.x BSM module * * New code should not contain audit_state_t, * au_state_t, nor au_termid as these types * may go away in future releases. * * typedef new-5.x-bsm-name old-4.x-bsm-name */ typedef au_class_t au_state_t; typedef au_mask_t audit_state_t; typedef au_id_t auid_t; #define ai_state ai_mask; /* * Opcodes for bsm system calls */ #define BSM_GETAUID 19 #define BSM_SETAUID 20 #define BSM_GETAUDIT 21 #define BSM_SETAUDIT 22 /* 23 OBSOLETE */ /* 24 OBSOLETE */ #define BSM_AUDIT 25 /* 26 OBSOLETE */ /* 27 EOL announced for Sol 10 */ /* 28 OBSOLETE */ #define BSM_AUDITCTL 29 /* 30 OBSOLETE */ /* 31 OBSOLETE */ /* 32 OBSOLETE */ /* 33 OBSOLETE */ /* 34 OBSOLETE */ #define BSM_GETAUDIT_ADDR 35 #define BSM_SETAUDIT_ADDR 36 #define BSM_AUDITDOOR 37 /* * auditon(2) commands */ #define A_GETPOLICY 2 /* get audit policy */ #define A_SETPOLICY 3 /* set audit policy */ #define A_GETKMASK 4 /* get non-attributable event audit mask */ #define A_SETKMASK 5 /* set non-attributable event audit mask */ #define A_GETQCTRL 6 /* get kernel audit queue ctrl parameters */ #define A_SETQCTRL 7 /* set kernel audit queue ctrl parameters */ #define A_GETCWD 8 /* get process current working directory */ #define A_GETCAR 9 /* get process current active root */ #define A_GETSTAT 12 /* get audit statistics */ #define A_SETSTAT 13 /* (re)set audit statistics */ #define A_SETUMASK 14 /* set preselection mask for procs with auid */ #define A_SETSMASK 15 /* set preselection mask for procs with asid */ #define A_GETCOND 20 /* get audit system on/off condition */ #define A_SETCOND 21 /* set audit system on/off condition */ #define A_GETCLASS 22 /* get audit event to class mapping */ #define A_SETCLASS 23 /* set audit event to class mapping */ #define A_GETPINFO 24 /* get audit info for an arbitrary pid */ #define A_SETPMASK 25 /* set preselection mask for an given pid */ #define A_GETPINFO_ADDR 28 /* get audit info for an arbitrary pid */ #define A_GETKAUDIT 29 /* get kernel audit characteristics */ #define A_SETKAUDIT 30 /* set kernel audit characteristics */ #define A_GETAMASK 31 /* set user default audit event mask */ #define A_SETAMASK 32 /* get user default audit event mask */ /* * Audit Policy parameters (32 bits) */ #define AUDIT_CNT 0x0001 /* do NOT sleep undelivered synch events */ #define AUDIT_AHLT 0x0002 /* HALT machine on undelivered async event */ #define AUDIT_ARGV 0x0004 /* include argv with execv system call events */ #define AUDIT_ARGE 0x0008 /* include arge with execv system call events */ #define AUDIT_SEQ 0x0010 /* include sequence attribute */ #define AUDIT_GROUP 0x0040 /* include group attribute with each record */ #define AUDIT_TRAIL 0x0080 /* include trailer token */ #define AUDIT_PATH 0x0100 /* allow multiple paths per event */ #define AUDIT_SCNT 0x0200 /* sleep user events but not kernel events */ #define AUDIT_PUBLIC 0x0400 /* audit even "public" files */ #define AUDIT_ZONENAME 0x0800 /* emit zonename token */ #define AUDIT_PERZONE 0x1000 /* auditd and audit queue for each zone */ #define AUDIT_WINDATA_DOWN 0x2000 /* include paste downgraded data */ #define AUDIT_WINDATA_UP 0x4000 /* include paste upgraded data */ /* * If AUDIT_GLOBAL changes, corresponding changes are required in * audit_syscalls.c's setpolicy(). */ #define AUDIT_GLOBAL (AUDIT_AHLT | AUDIT_PERZONE) #define AUDIT_LOCAL (AUDIT_CNT | AUDIT_ARGV | AUDIT_ARGE |\ AUDIT_SEQ | AUDIT_GROUP | AUDIT_TRAIL | AUDIT_PATH |\ AUDIT_PUBLIC | AUDIT_SCNT | AUDIT_ZONENAME |\ AUDIT_WINDATA_DOWN | AUDIT_WINDATA_UP) /* * Kernel audit queue control parameters * * audit record recording blocks at hiwater # undelived records * audit record recording resumes at lowwater # undelivered audit records * bufsz determines how big the data xfers will be to the audit trail */ struct au_qctrl { size_t aq_hiwater; /* kernel audit queue, high water mark */ size_t aq_lowater; /* kernel audit queue, low water mark */ size_t aq_bufsz; /* kernel audit queue, write size to trail */ clock_t aq_delay; /* delay before flushing audit queue */ }; #if defined(_SYSCALL32) struct au_qctrl32 { size32_t aq_hiwater; size32_t aq_lowater; size32_t aq_bufsz; clock32_t aq_delay; }; #endif /* * default values of hiwater and lowater (note hi > lo) */ #define AQ_HIWATER 100 #define AQ_MAXHIGH 100000 #define AQ_LOWATER 10 #define AQ_BUFSZ 8192 #define AQ_MAXBUFSZ 1048576 #define AQ_DELAY 20 #define AQ_MAXDELAY 20000 struct auditinfo { au_id_t ai_auid; au_mask_t ai_mask; au_tid_t ai_termid; au_asid_t ai_asid; }; #if defined(_SYSCALL32) struct auditinfo32 { au_id_t ai_auid; au_mask_t ai_mask; au_tid32_t ai_termid; au_asid_t ai_asid; }; typedef struct auditinfo32 auditinfo32_t; #endif typedef struct auditinfo auditinfo_t; struct k_auditinfo_addr { au_id_t ai_auid; au_mask_t ai_amask; /* user default preselection mask */ au_mask_t ai_namask; /* non-attributable mask */ au_tid_addr_t ai_termid; au_asid_t ai_asid; }; typedef struct k_auditinfo_addr k_auditinfo_addr_t; struct auditinfo_addr { au_id_t ai_auid; au_mask_t ai_mask; au_tid_addr_t ai_termid; au_asid_t ai_asid; }; struct auditinfo_addr64 { au_id_t ai_auid; au_mask_t ai_mask; au_tid64_addr_t ai_termid; au_asid_t ai_asid; }; typedef struct auditinfo_addr64 auditinfo64_addr_t; #if defined(_SYSCALL32) struct auditinfo_addr32 { au_id_t ai_auid; au_mask_t ai_mask; au_tid32_addr_t ai_termid; au_asid_t ai_asid; }; typedef struct auditinfo_addr32 auditinfo32_addr_t; #endif typedef struct auditinfo_addr auditinfo_addr_t; struct auditpinfo { pid_t ap_pid; au_id_t ap_auid; au_mask_t ap_mask; au_tid_t ap_termid; au_asid_t ap_asid; }; #if defined(_SYSCALL32) struct auditpinfo32 { pid_t ap_pid; au_id_t ap_auid; au_mask_t ap_mask; au_tid32_t ap_termid; au_asid_t ap_asid; }; #endif struct auditpinfo_addr { pid_t ap_pid; au_id_t ap_auid; au_mask_t ap_mask; au_tid_addr_t ap_termid; au_asid_t ap_asid; }; #if defined(_SYSCALL32) struct auditpinfo_addr32 { pid_t ap_pid; au_id_t ap_auid; au_mask_t ap_mask; au_tid32_addr_t ap_termid; au_asid_t ap_asid; }; #endif struct au_evclass_map { au_event_t ec_number; au_class_t ec_class; }; typedef struct au_evclass_map au_evclass_map_t; /* * Audit stat structures (used to be in audit_stat.h */ struct audit_stat { unsigned int as_version; /* version of kernel audit code */ unsigned int as_numevent; /* number of kernel audit events */ uint32_t as_generated; /* # records processed */ uint32_t as_nonattrib; /* # non-attributed records produced */ uint32_t as_kernel; /* # records produced by kernel */ uint32_t as_audit; /* # records processed by audit(2) */ uint32_t as_auditctl; /* # records processed by auditctl(2) */ uint32_t as_enqueue; /* # records put onto audit queue */ uint32_t as_written; /* # records written to audit trail */ uint32_t as_wblocked; /* # times write blked on audit queue */ uint32_t as_rblocked; /* # times read blked on audit queue */ uint32_t as_dropped; /* # of dropped audit records */ uint32_t as_totalsize; /* total number bytes of audit data */ uint32_t as_memused; /* no longer used */ }; typedef struct audit_stat au_stat_t; /* get kernel audit context dependent on AUDIT_PERZONE policy */ #define GET_KCTX_PZ (audit_policy & AUDIT_PERZONE) ?\ curproc->p_zone->zone_audit_kctxt :\ global_zone->zone_audit_kctxt /* get kernel audit context of global zone */ #define GET_KCTX_GZ global_zone->zone_audit_kctxt /* get kernel audit context of non-global zone */ #define GET_KCTX_NGZ curproc->p_zone->zone_audit_kctxt #define AS_INC(a, b, c) atomic_add_32(&(c->auk_statistics.a), (b)) #define AS_DEC(a, b, c) atomic_add_32(&(c->auk_statistics.a), -(b)) /* * audit token IPC types (shm, sem, msg) [for ipc attribute] */ #define AT_IPC_MSG ((char)1) /* message IPC id */ #define AT_IPC_SEM ((char)2) /* semaphore IPC id */ #define AT_IPC_SHM ((char)3) /* shared memory IPC id */ #if defined(_KERNEL) #ifdef __cplusplus } #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef __cplusplus extern "C" { #endif struct fcntla; struct t_audit_data; struct audit_path; struct priv_set; struct devplcysys; struct auditcalls { long code; long a1; long a2; long a3; long a4; long a5; }; int audit(caddr_t, int); int auditsys(struct auditcalls *, union rval *); /* fake stub */ void audit_cryptoadm(int, char *, crypto_mech_name_t *, uint_t, uint_t, uint32_t, int); void audit_init(void); void audit_init_module(void); void audit_newproc(struct proc *); void audit_pfree(struct proc *); void audit_thread_create(kthread_id_t); void audit_thread_free(kthread_id_t); int audit_savepath(struct pathname *, struct vnode *, struct vnode *, int, cred_t *); void audit_anchorpath(struct pathname *, int); void audit_symlink(struct pathname *, struct pathname *); void audit_symlink_create(struct vnode *, char *, char *, int); int object_is_public(struct vattr *); void audit_attributes(struct vnode *); void audit_falloc(struct file *); void audit_unfalloc(struct file *); void audit_exit(int, int); void audit_core_start(int); void audit_core_finish(int); void audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *, unsigned char *, int *, int); void audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *, unsigned char, int, int); void audit_closef(struct file *); void audit_setf(struct file *, int); void audit_reboot(void); void audit_vncreate_start(void); void audit_setfsat_path(int argnum); void audit_vncreate_finish(struct vnode *, int); void audit_exec(const char *, const char *, ssize_t, ssize_t, cred_t *); void audit_enterprom(int); void audit_exitprom(int); void audit_chdirec(struct vnode *, struct vnode **); void audit_sock(int, struct queue *, struct msgb *, int); int audit_start(unsigned int, unsigned int, uint32_t, int, klwp_t *); void audit_finish(unsigned int, unsigned int, int, union rval *); int audit_async_start(label_t *, au_event_t, int); void audit_async_finish(caddr_t *, au_event_t, au_emod_t, timestruc_t *); void audit_async_discard_backend(void *); void audit_async_done(caddr_t *, int); void audit_async_drop(caddr_t *, int); #ifndef AUK_CONTEXT_T #define AUK_CONTEXT_T typedef struct au_kcontext au_kcontext_t; #endif /* Zone audit context setup routine */ void au_zone_setup(void); /* * c2audit module states */ #define C2AUDIT_DISABLED 0 /* c2audit module excluded in /etc/system */ #define C2AUDIT_UNLOADED 1 /* c2audit module not loaded */ #define C2AUDIT_LOADED 2 /* c2audit module loaded */ uint32_t audit_getstate(void); int au_zone_getstate(const au_kcontext_t *); /* The audit mask defining in which case is auditing enabled */ #define AU_AUDIT_MASK (AUC_AUDITING | AUC_NOSPACE) /* * Get the given zone audit status. zcontext != NULL serves * as a protection when c2audit module is not loaded. */ #define AU_ZONE_AUDITING(zcontext) \ (audit_active == C2AUDIT_LOADED && \ ((AU_AUDIT_MASK) & au_zone_getstate((zcontext)))) /* * Get auditing status */ #define AU_AUDITING() (audit_getstate()) int audit_success(au_kcontext_t *, struct t_audit_data *, int, cred_t *); int auditme(au_kcontext_t *, struct t_audit_data *, au_state_t); void audit_fixpath(struct audit_path *, int); void audit_ipc(int, int, void *); void audit_ipcget(int, void *); void audit_fdsend(int, struct file *, int); void audit_fdrecv(int, struct file *); void audit_priv(int, const struct priv_set *, int); void audit_setppriv(int, int, const struct priv_set *, const cred_t *); void audit_psecflags(proc_t *, psecflagwhich_t, const secflagdelta_t *); void audit_devpolicy(int, const struct devplcysys *); void audit_update_context(proc_t *, cred_t *); void audit_pf_policy(int, cred_t *, netstack_t *, char *, boolean_t, int, pid_t); void audit_sec_attributes(caddr_t *, struct vnode *); #endif #ifdef __cplusplus } #endif #endif /* _BSM_AUDIT_H */