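/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * This file contains the declarations of the various data structures
 * used by the auditing module(s).
 */

#ifndef	_BSM_AUDIT_H
#define	_BSM_AUDIT_H

#ifdef	__cplusplus
extern "C" {
#endif


#include <sys/shm.h>		/* for shmid_ds structure */
#include <sys/sem.h>		/* for semid_ds structure */
#include <sys/msg.h>		/* for msqid_ds structure */
#include <sys/atomic.h>		/* using atomics */
#include <sys/secflags.h>

/*
 * Audit conditions, statements regarding what's to be done with
 * audit records.  None of the "global state" is returned by an
 * auditconfig -getcond call.  AUC_NOSPACE no longer seems used.
 *
 * NOTE(review): AU_AUDIT_MASK, defined later in this header, still ORs
 * AUC_NOSPACE into the "auditing enabled" test, so the remark above may
 * be stale -- confirm before removing the value.
 */
/* global state */
#define	AUC_UNSET	0	/* on/off hasn't been decided */
#define	AUC_ENABLED	1	/* loaded and enabled */
/* pseudo state used in libbsm */
#define	AUC_DISABLED	0x100	/* c2audit module is excluded */
/* local zone state */
#define	AUC_AUDITING	0x1	/* audit daemon is active */
#define	AUC_NOAUDIT	0x2	/* audit daemon is not active */
#define	AUC_INIT_AUDIT	0x4	/* audit ready but auditd has not run */
#define	AUC_NOSPACE	0x8	/* audit enabled, no space for audit records */

/*
 * The user id -2 is never audited - in fact, a setauid(AU_NOAUDITID)
 * will turn off auditing.
 *
 * NOTE(review): since this id suppresses audit records, the privilege
 * check that guards setauid() matters; it lives outside this header.
 */
#define	AU_NOAUDITID	((au_id_t)-2)

/*
 * success/failure bits for asynchronous events
 */

#define	AUM_SUCC	1	/* use the system success preselection mask */
#define	AUM_FAIL	2	/* use the system failure preselection mask */


/*
 * Defines for event modifier field
 */
#define	PAD_READ	0x0001	/* object read */
#define	PAD_WRITE	0x0002	/* object write */
#define	PAD_NONATTR	0x4000	/* non-attributable event */
#define	PAD_FAILURE	0x8000	/* fail audit event */
#define	PAD_SPRIVUSE	0x0080	/* successfully used privileged */
#define	PAD_FPRIVUSE	0x0100	/* failed use of privileged */

/*
 * Some typedefs for the fundamentals
 */
typedef uint_t au_asid_t;
typedef uint_t au_class_t;
typedef ushort_t au_event_t;
typedef ushort_t au_emod_t;
typedef uid_t au_id_t;

/*
 * An audit event mask.
 */
#define	AU_MASK_ALL	0xFFFFFFFF	/* all bits on for unsigned int */
#define	AU_MASK_NONE	0x0		/* all bits off = no:invalid class */

struct au_mask {
	unsigned int	am_success;	/* success bits */
	unsigned int	am_failure;	/* failure bits */
};
typedef struct au_mask au_mask_t;
#define	as_success am_success
#define	as_failure am_failure

/*
 * The structure of the terminal ID (ipv4)
 */
struct au_tid {
	dev_t port;
	uint_t machine;
};

/* Same fields as au_tid, with port held in a uint_t instead of a dev_t. */
#if defined(_SYSCALL32)
struct au_tid32 {
	uint_t port;
	uint_t machine;
};

typedef struct au_tid32 au_tid32_t;
#endif

typedef struct au_tid au_tid_t;

/*
 * The structure of the terminal ID (ipv6)
 */
struct au_tid_addr {
	dev_t at_port;
	uint_t at_type;
	uint_t at_addr[4];
};

struct au_port_s {
	uint32_t at_major;	/* major # */
	uint32_t at_minor;	/* minor # */
};
typedef struct au_port_s au_port_t;

/* Variant of au_tid_addr whose port is split into major/minor numbers. */
struct au_tid_addr64 {
	au_port_t	at_port;
	uint_t		at_type;
	uint_t		at_addr[4];
};
typedef struct au_tid_addr64 au_tid64_addr_t;

/* Variant of au_tid_addr whose port is a plain uint_t. */
#if defined(_SYSCALL32)
struct au_tid_addr32 {
	uint_t at_port;
	uint_t at_type;
	uint_t at_addr[4];
};

typedef struct au_tid_addr32 au_tid32_addr_t;
#endif

typedef struct au_tid_addr au_tid_addr_t;

struct au_ip {
	uint16_t	at_r_port;	/* remote port */
	uint16_t	at_l_port;	/* local port */
	uint32_t	at_type;	/* AU_IPv4,... */
	uint32_t	at_addr[4];	/* remote IP */
};
typedef struct au_ip au_ip_t;

/*
 * Generic network address structure
 *
 * gt_type selects which member of gt_adr is meaningful; readers should
 * check it before touching the union.
 */
struct au_generic_tid {
	uchar_t	gt_type;	/* AU_IPADR, AU_DEVICE,... */
	union {
		au_ip_t		at_ip;
		au_port_t	at_dev;
	} gt_adr;
};
typedef struct au_generic_tid au_generic_tid_t;

/*
 * au_generic_tid_t gt_type values
 * 0 is reserved for uninitialized data
 */
#define	AU_IPADR	1
#define	AU_ETHER	2
#define	AU_DEVICE	3

/*
 * at_type values - address length used to identify address type
 */
#define	AU_IPv4 4	/* ipv4 type IP address */
#define	AU_IPv6 16	/* ipv6 type IP address */

/*
 * Compatibility with SunOS 4.x BSM module
 *
 * New code should not contain audit_state_t,
 * au_state_t, nor au_termid as these types
 * may go away in future releases.
 *
 * typedef new-5.x-bsm-name old-4.x-bsm-name
 */

typedef au_class_t au_state_t;
typedef au_mask_t audit_state_t;
typedef au_id_t auid_t;
/*
 * Field-name alias, like as_success/as_failure above.  The expansion must
 * not carry a trailing ';': with one, "x.ai_state = m;" would expand to
 * "x.ai_mask; = m;" and fail to compile.
 */
#define	ai_state ai_mask

/*
 * Opcodes for bsm system calls
 */

#define	BSM_GETAUID		19
#define	BSM_SETAUID		20
#define	BSM_GETAUDIT		21
#define	BSM_SETAUDIT		22
/*				23	OBSOLETE */
/*				24	OBSOLETE */
#define	BSM_AUDIT		25
/*				26	OBSOLETE */
/*				27	EOL announced for Sol 10 */
/*				28	OBSOLETE */
#define	BSM_AUDITCTL		29
/*				30	OBSOLETE */
/*				31	OBSOLETE */
/*				32	OBSOLETE */
/*				33	OBSOLETE */
/*				34	OBSOLETE */
#define	BSM_GETAUDIT_ADDR	35
#define	BSM_SETAUDIT_ADDR	36
#define	BSM_AUDITDOOR		37

/*
 * auditon(2) commands
 */
#define	A_GETPOLICY	2	/* get audit policy */
#define	A_SETPOLICY	3	/* set audit policy */
#define	A_GETKMASK	4	/* get non-attributable event audit mask */
#define	A_SETKMASK	5	/* set non-attributable event audit mask */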
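#define	A_GETQCTRL	6	/* get kernel audit queue ctrl parameters */
#define	A_SETQCTRL	7	/* set kernel audit queue ctrl parameters */
#define	A_GETCWD	8	/* get process current working directory */
#define	A_GETCAR	9	/* get process current active root */
#define	A_GETSTAT	12	/* get audit statistics */
#define	A_SETSTAT	13	/* (re)set audit statistics */
#define	A_SETUMASK	14	/* set preselection mask for procs with auid */
#define	A_SETSMASK	15	/* set preselection mask for procs with asid */
#define	A_GETCOND	20	/* get audit system on/off condition */
#define	A_SETCOND	21	/* set audit system on/off condition */
#define	A_GETCLASS	22	/* get audit event to class mapping */
#define	A_SETCLASS	23	/* set audit event to class mapping */
#define	A_GETPINFO	24	/* get audit info for an arbitrary pid */
#define	A_SETPMASK	25	/* set preselection mask for a given pid */
#define	A_GETPINFO_ADDR	28	/* get audit info for an arbitrary pid */
#define	A_GETKAUDIT	29	/* get kernel audit characteristics */
#define	A_SETKAUDIT	30	/* set kernel audit characteristics */
/* The get/set descriptions on the next two lines were previously swapped. */
#define	A_GETAMASK	31	/* get user default audit event mask */
#define	A_SETAMASK	32	/* set user default audit event mask */

/*
 * Audit Policy parameters (32 bits)
 *
 * Bit 0x0020 is not assigned in this header.
 *
 * NOTE(review): AUDIT_CNT and AUDIT_SCNT choose not to sleep callers on
 * undelivered events, which presumably means records can be lost instead;
 * as_dropped in struct audit_stat below looks like the counter to watch
 * when either is set -- confirm against the queueing code.
 */
#define	AUDIT_CNT	0x0001 /* do NOT sleep undelivered synch events */
#define	AUDIT_AHLT	0x0002 /* HALT machine on undelivered async event */
#define	AUDIT_ARGV	0x0004 /* include argv with execv system call events */
#define	AUDIT_ARGE	0x0008 /* include arge with execv system call events */
#define	AUDIT_SEQ	0x0010 /* include sequence attribute */
#define	AUDIT_GROUP	0x0040 /* include group attribute with each record */
#define	AUDIT_TRAIL	0x0080 /* include trailer token */
#define	AUDIT_PATH	0x0100 /* allow multiple paths per event */
#define	AUDIT_SCNT	0x0200 /* sleep user events but not kernel events */
#define	AUDIT_PUBLIC	0x0400 /* audit even "public" files */
#define	AUDIT_ZONENAME	0x0800 /* emit zonename token */
#define	AUDIT_PERZONE	0x1000 /* auditd and audit queue for each zone */
#define	AUDIT_WINDATA_DOWN	0x2000 /* include paste downgraded data */
#define	AUDIT_WINDATA_UP	0x4000 /* include paste upgraded data */

/*
 * If AUDIT_GLOBAL changes, corresponding changes are required in
 * audit_syscalls.c's setpolicy().
 */
#define	AUDIT_GLOBAL	(AUDIT_AHLT | AUDIT_PERZONE)
#define	AUDIT_LOCAL	(AUDIT_CNT | AUDIT_ARGV | AUDIT_ARGE |\
			AUDIT_SEQ | AUDIT_GROUP | AUDIT_TRAIL | AUDIT_PATH |\
			AUDIT_PUBLIC | AUDIT_SCNT | AUDIT_ZONENAME |\
			AUDIT_WINDATA_DOWN | AUDIT_WINDATA_UP)

/*
 * Kernel audit queue control parameters
 *
 *	audit record recording blocks at hiwater # undelivered records
 *	audit record recording resumes at lowwater # undelivered audit records
 *	bufsz determines how big the data xfers will be to the audit trail
 */
struct au_qctrl {
	size_t	aq_hiwater;	/* kernel audit queue, high water mark */
	size_t	aq_lowater;	/* kernel audit queue, low water mark */
	size_t	aq_bufsz;	/* kernel audit queue, write size to trail */
	clock_t	aq_delay;	/* delay before flushing audit queue */
};

/* Same fields as au_qctrl, using the 32-bit size and clock types. */
#if defined(_SYSCALL32)
struct au_qctrl32 {
	size32_t	aq_hiwater;
	size32_t	aq_lowater;
	size32_t	aq_bufsz;
	clock32_t	aq_delay;
};
#endif


/*
 * default values of hiwater and lowater (note hi > lo)
 */
#define	AQ_HIWATER	100
#define	AQ_MAXHIGH	100000
#define	AQ_LOWATER	10
#define	AQ_BUFSZ	8192
#define	AQ_MAXBUFSZ	1048576
#define	AQ_DELAY	20
#define	AQ_MAXDELAY	20000

/*
 * The auditinfo family below shares one shape (audit id, preselection
 * mask, terminal id, asid) and differs only in the terminal id type.
 */
struct auditinfo {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid_t	ai_termid;
	au_asid_t	ai_asid;
};

#if defined(_SYSCALL32)
struct auditinfo32 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid32_t	ai_termid;
	au_asid_t	ai_asid;
};

typedef struct auditinfo32 auditinfo32_t;
#endif

typedef struct auditinfo auditinfo_t;

struct k_auditinfo_addr {
	au_id_t		ai_auid;
	au_mask_t	ai_amask;	/* user default preselection mask */
	au_mask_t	ai_namask;	/* non-attributable mask */
	au_tid_addr_t	ai_termid;
	au_asid_t	ai_asid;
};
typedef struct k_auditinfo_addr k_auditinfo_addr_t;

struct auditinfo_addr {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid_addr_t	ai_termid;
	au_asid_t	ai_asid;
};

struct auditinfo_addr64 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid64_addr_t	ai_termid;
	au_asid_t	ai_asid;
};
typedef struct auditinfo_addr64 auditinfo64_addr_t;

#if defined(_SYSCALL32)
struct auditinfo_addr32 {
	au_id_t		ai_auid;
	au_mask_t	ai_mask;
	au_tid32_addr_t	ai_termid;
	au_asid_t	ai_asid;
};

typedef struct auditinfo_addr32 auditinfo32_addr_t;
#endif

typedef struct auditinfo_addr auditinfo_addr_t;

/* The auditpinfo family adds the pid the information belongs to. */
struct auditpinfo {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid_t	ap_termid;
	au_asid_t	ap_asid;
};

#if defined(_SYSCALL32)
struct auditpinfo32 {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid32_t	ap_termid;
	au_asid_t	ap_asid;
};
#endif


struct auditpinfo_addr {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid_addr_t	ap_termid;
	au_asid_t	ap_asid;
};

#if defined(_SYSCALL32)
struct auditpinfo_addr32 {
	pid_t		ap_pid;
	au_id_t		ap_auid;
	au_mask_t	ap_mask;
	au_tid32_addr_t	ap_termid;
	au_asid_t	ap_asid;
};
#endif


/* One event-number to class-mask mapping entry. */
struct au_evclass_map {
	au_event_t	ec_number;
	au_class_t	ec_class;
};
typedef struct au_evclass_map au_evclass_map_t;

/*
 * Audit stat structures (used to be in audit_stat.h)
 */

struct audit_stat {
	unsigned int as_version;	/* version of kernel audit code */
	unsigned int as_numevent;	/* number of kernel audit events */
	uint32_t as_generated;		/* # records processed */
	uint32_t as_nonattrib;		/* # non-attributed records produced */
	uint32_t as_kernel;		/* # records produced by kernel */
	uint32_t as_audit;		/* # records processed by audit(2) */
	uint32_t as_auditctl;		/* # records processed by auditctl(2) */
	uint32_t as_enqueue;		/* # records put onto audit queue */
	uint32_t as_written;		/* # records written to audit trail */
	uint32_t as_wblocked;		/* # times write blked on audit queue */
	uint32_t as_rblocked;		/* # times read blked on audit queue */
	uint32_t as_dropped;		/* # of dropped audit records */
	uint32_t as_totalsize;		/* total number bytes of audit data */
	uint32_t as_memused;		/* no longer used */
};
typedef struct audit_stat au_stat_t;

/*
 * The three context macros are wrapped in parentheses so that they can be
 * used inside a larger expression.  Unwrapped, "GET_KCTX_PZ->member" would
 * bind "->member" to the global-zone arm of the conditional only.
 */
/* get kernel audit context dependent on AUDIT_PERZONE policy */
#define	GET_KCTX_PZ	((audit_policy & AUDIT_PERZONE) ?\
			    curproc->p_zone->zone_audit_kctxt :\
			    global_zone->zone_audit_kctxt)
/* get kernel audit context of global zone */
#define	GET_KCTX_GZ	(global_zone->zone_audit_kctxt)
/* get kernel audit context of non-global zone */
#define	GET_KCTX_NGZ	(curproc->p_zone->zone_audit_kctxt)

/*
 * Atomically adjust statistic field `a' of kernel context `c' by `b'.
 * `c' is parenthesized so that a non-trivial context expression (for
 * example one of the GET_KCTX_* macros) is dereferenced as a whole.
 */
#define	AS_INC(a, b, c) atomic_add_32(&((c)->auk_statistics.a), (b))
#define	AS_DEC(a, b, c) atomic_add_32(&((c)->auk_statistics.a), -(b))

/*
 * audit token IPC types (shm, sem, msg) [for ipc attribute]
 */

#define	AT_IPC_MSG	((char)1)		/* message IPC id */
#define	AT_IPC_SEM	((char)2)		/* semaphore IPC id */
#define	AT_IPC_SHM	((char)3)		/* shared memory IPC id */

#if	defined(_KERNEL)

/* Leave the extern "C" region while pulling in the kernel headers. */
#ifdef __cplusplus
}
#endif

#include <sys/types.h>
#include <sys/model.h>
#include <sys/proc.h>
#include <sys/stream.h>
#include <sys/stropts.h>
#include <sys/file.h>
#include <sys/pathname.h>
#include <sys/vnode.h>
#include <sys/systm.h>
#include <netinet/in.h>
#include <c2/audit_door_infc.h>
#include <sys/crypto/ioctladmin.h>
#include <sys/netstack.h>
#include <sys/zone.h>

#ifdef __cplusplus
extern "C" {
#endif

/* Forward declarations for types used only through pointers below. */
struct fcntla;
struct t_audit_data;
struct audit_path;
struct priv_set;
struct devplcysys;

/* Argument block handed to auditsys(): an opcode plus up to five args. */
struct auditcalls {
	long	code;
	long	a1;
	long	a2;
	long	a3;
	long	a4;
	long	a5;
};

int	audit(caddr_t, int);
int	auditsys(struct auditcalls *, union rval *); /* fake stub */
void	audit_cryptoadm(int, char *, crypto_mech_name_t *,
	    uint_t, uint_t, uint32_t, int);
void	audit_init(void);
void	audit_init_module(void);
void	audit_newproc(struct proc *);
void	audit_pfree(struct proc *);
void	audit_thread_create(kthread_id_t);
void	audit_thread_free(kthread_id_t);
int	audit_savepath(struct pathname *, struct vnode *, struct vnode *,
	    int, cred_t *);
void	audit_anchorpath(struct pathname *, int);
void	audit_symlink(struct pathname *, struct pathname *);
void	audit_symlink_create(struct vnode *, char *, char *, int);
int	object_is_public(struct vattr *);
void	audit_attributes(struct vnode *);
void	audit_falloc(struct file *);
void	audit_unfalloc(struct file *);
void	audit_exit(int, int);
void	audit_core_start(int);
void	audit_core_finish(int);
void	audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *,
	    unsigned char *, int *, int);
void	audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *,
	    unsigned char, int, int);
void	audit_closef(struct file *);
void	audit_setf(struct file *, int);
void	audit_reboot(void);
void	audit_vncreate_start(void);
void	audit_setfsat_path(int argnum);
void	audit_vncreate_finish(struct vnode *, int);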
void	audit_exec(const char *, const char *, ssize_t, ssize_t, cred_t *);
void	audit_enterprom(int);
void	audit_exitprom(int);
void	audit_chdirec(struct vnode *, struct vnode **);
void	audit_sock(int, struct queue *, struct msgb *, int);
int	audit_start(unsigned int, unsigned int, uint32_t, int, klwp_t *);
void	audit_finish(unsigned int, unsigned int, int, union rval *);
int	audit_async_start(label_t *, au_event_t, int);
void	audit_async_finish(caddr_t *, au_event_t, au_emod_t, timestruc_t *);
void	audit_async_discard_backend(void *);
void	audit_async_done(caddr_t *, int);
void	audit_async_drop(caddr_t *, int);

/* Declare the opaque kernel audit context type once per translation unit. */
#ifndef AUK_CONTEXT_T
#define	AUK_CONTEXT_T
typedef struct au_kcontext au_kcontext_t;
#endif

/* Zone audit context setup routine */
void	au_zone_setup(void);

/*
 * c2audit module states
 */
#define	C2AUDIT_DISABLED    0	/* c2audit module excluded in /etc/system */
#define	C2AUDIT_UNLOADED    1	/* c2audit module not loaded */
#define	C2AUDIT_LOADED	    2	/* c2audit module loaded */

uint32_t	audit_getstate(void);
int		au_zone_getstate(const au_kcontext_t *);

/* Zone states in which auditing counts as enabled. */
#define	AU_AUDIT_MASK	(AUC_AUDITING | AUC_NOSPACE)

/*
 * Get the given zone audit status.
 *
 * The test short-circuits on audit_active, so au_zone_getstate() is only
 * called while the c2audit module is loaded.  The macro itself does not
 * compare zcontext with NULL.
 * NOTE(review): whether au_zone_getstate() tolerates a NULL context is
 * not visible from this header -- confirm at the definition.
 */
#define	AU_ZONE_AUDITING(zcontext)	    \
	(audit_active == C2AUDIT_LOADED &&  \
	    ((AU_AUDIT_MASK) & au_zone_getstate((zcontext))))

/*
 * Get auditing status
 */
#define	AU_AUDITING() (audit_getstate())

int	audit_success(au_kcontext_t *, struct t_audit_data *, int, cred_t *);
int	auditme(au_kcontext_t *, struct t_audit_data *, au_state_t);
void	audit_fixpath(struct audit_path *, int);
void	audit_ipc(int, int, void *);
void	audit_ipcget(int, void *);
void	audit_fdsend(int, struct file *, int);
void	audit_fdrecv(int, struct file *);
void	audit_priv(int, const struct priv_set *, int);
void	audit_setppriv(int, int, const struct priv_set *, const cred_t *);
void	audit_psecflags(proc_t *, psecflagwhich_t, const secflagdelta_t *);
void	audit_devpolicy(int, const struct devplcysys *);
void	audit_update_context(proc_t *, cred_t *);
void	audit_kssl(int, void *, int);
void	audit_pf_policy(int, cred_t *, netstack_t *, char *, boolean_t,
	    int, pid_t);
void	audit_sec_attributes(caddr_t *, struct vnode *);

#endif	/* _KERNEL */

#ifdef __cplusplus
}
#endif

#endif /* _BSM_AUDIT_H */