sys/bsd/sys/kern_audit.h


    1 /*
    2  * Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
    3  *
    4  * @APPLE_LICENSE_HEADER_START@
    5  * 
    6  * Copyright (c) 1999-2003 Apple Computer, Inc.  All Rights Reserved.
    7  * 
    8  * This file contains Original Code and/or Modifications of Original Code
    9  * as defined in and that are subject to the Apple Public Source License
   10  * Version 2.0 (the 'License'). You may not use this file except in
   11  * compliance with the License. Please obtain a copy of the License at
   12  * http://www.opensource.apple.com/apsl/ and read it before using this
   13  * file.
   14  * 
   15  * The Original Code and all software distributed under the License are
   16  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
   17  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
   18  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
   19  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
   20  * Please see the License for the specific language governing rights and
   21  * limitations under the License.
   22  * 
   23  * @APPLE_LICENSE_HEADER_END@
   24  */
   25 
   26 #ifndef _SYS_KERN_AUDIT_H
   27 #define _SYS_KERN_AUDIT_H
   28 
   29 #ifdef KERNEL
   30 
/*
 * Audit subsystem condition flags.  The audit_enabled flag is set and
 * removed automatically as a result of configuring log files, and
 * can be observed but should not be directly manipulated.  The audit
 * suspension flag permits audit to be temporarily disabled without
 * reconfiguring the audit target.
 *
 * NOTE(review): only audit_enabled is consulted by the AUDIT_ARG() and
 * AUDIT_CMD() wrappers at the end of this header; audit_suspended is not
 * tested there, so argument capture keeps running while audit is
 * suspended -- confirm where suspension is actually honoured (presumably
 * at commit/write time) before relying on it to stop record collection.
 */
extern int      audit_enabled;
extern int      audit_suspended;

/*
 * Outcome classification for a record.  Presumably the value chosen when
 * a record is converted to BSM form (kaudit_to_bsm) -- the header does not
 * define the mapping from ar_errno/ar_retval to these, verify there.
 */
#define BSM_SUCCESS             0
#define BSM_FAILURE             1
#define BSM_NOAUDIT             2
   44 
/*
 * Define the masks for the audited arguments.
 *
 * Each bit marks one ar_arg_* member of struct audit_record (below) as
 * holding a valid value; the set of valid members is kept in the 64-bit
 * ar_valid_arg field, which is why these are ULL constants.  Consumers
 * must test the corresponding bit before reading the member, since the
 * members themselves are not otherwise initialised to a sentinel.
 *
 * NOTE(review): bit 11 is a hole in the sequence and is named UNUSED, a
 * name generic enough to collide with other headers' macros; if it is
 * ever reused it should get an ARG_ prefix like its neighbours.  Note
 * also that ARG_ALL sets every bit, including the bits above
 * ARG_SOCKINFO that have no ARG_ name yet.
 */
#define ARG_EUID        0x0000000000000001ULL
#define ARG_RUID        0x0000000000000002ULL
#define ARG_SUID        0x0000000000000004ULL
#define ARG_EGID        0x0000000000000008ULL
#define ARG_RGID        0x0000000000000010ULL
#define ARG_SGID        0x0000000000000020ULL
#define ARG_PID         0x0000000000000040ULL
#define ARG_UID         0x0000000000000080ULL
#define ARG_AUID        0x0000000000000100ULL
#define ARG_GID         0x0000000000000200ULL
#define ARG_FD          0x0000000000000400ULL
#define UNUSED          0x0000000000000800ULL
#define ARG_FFLAGS      0x0000000000001000ULL
#define ARG_MODE        0x0000000000002000ULL
#define ARG_DEV         0x0000000000004000ULL
#define ARG_ACCMODE     0x0000000000008000ULL
#define ARG_CMODE       0x0000000000010000ULL
#define ARG_MASK        0x0000000000020000ULL
#define ARG_SIGNUM      0x0000000000040000ULL
#define ARG_LOGIN       0x0000000000080000ULL
#define ARG_SADDRINET   0x0000000000100000ULL
#define ARG_SADDRINET6  0x0000000000200000ULL
#define ARG_SADDRUNIX   0x0000000000400000ULL
#define ARG_KPATH1      0x0000000000800000ULL
#define ARG_KPATH2      0x0000000001000000ULL
#define ARG_UPATH1      0x0000000002000000ULL
#define ARG_UPATH2      0x0000000004000000ULL
#define ARG_TEXT        0x0000000008000000ULL
#define ARG_VNODE1      0x0000000010000000ULL
#define ARG_VNODE2      0x0000000020000000ULL
#define ARG_SVIPC_CMD   0x0000000040000000ULL
#define ARG_SVIPC_PERM  0x0000000080000000ULL
#define ARG_SVIPC_ID    0x0000000100000000ULL
#define ARG_SVIPC_ADDR  0x0000000200000000ULL
#define ARG_GROUPSET    0x0000000400000000ULL
#define ARG_CMD         0x0000000800000000ULL
#define ARG_SOCKINFO    0x0000001000000000ULL
#define ARG_NONE        0x0000000000000000ULL
#define ARG_ALL         0xFFFFFFFFFFFFFFFFULL
   87 
/*
 * Snapshot of the attributes of a vnode involved in an audited operation;
 * stored in audit_record.ar_arg_vnode1/2 and flagged by ARG_VNODE1/2.
 * Filled in by audit_arg_vnpath() (presumably from the vnode's attributes
 * -- the copy is not in this header, confirm there).
 *
 * NOTE(review): vn_dev is a dev_t here but the separately audited
 * audit_record.ar_arg_dev is a plain int; consumers that compare the two
 * should be aware of the differing width/signedness.
 */
struct vnode_au_info {
        mode_t          vn_mode;        /* file type and permission bits */
        uid_t           vn_uid;         /* owner */
        gid_t           vn_gid;         /* group */
        dev_t           vn_dev;         /* device the file lives on */
        long            vn_fsid;        /* filesystem id; width is platform dependent */
        long            vn_fileid;      /* file id within the filesystem */
        long            vn_gen;         /* generation number */
};
   97 
/*
 * Copy of a supplementary group list, recorded by audit_arg_groupset()
 * and flagged by ARG_GROUPSET.  gidset_size is the number of valid
 * entries in gidset.
 *
 * NOTE(review): gidset is a fixed NGROUPS-entry array while the
 * audit_arg_groupset() prototype below accepts an unbounded
 * (gid_t *, u_int) pair; the implementation must clamp gidset_size to
 * NGROUPS before copying -- confirm, as this header does not show it.
 */
struct groupset {
        gid_t   gidset[NGROUPS];        /* group ids; only the first gidset_size are valid */
        u_int   gidset_size;            /* count of valid entries, expected <= NGROUPS */
};
  102 
/*
 * The (domain, type, protocol) triple of a socket creation, as recorded
 * by audit_arg_socket() into audit_record.ar_arg_sockinfo and flagged by
 * ARG_SOCKINFO.  Values are the raw socket(2) arguments; no validation
 * of them is implied by this header.
 */
struct socket_info {
        int     sodomain;       /* address family / protocol domain */
        int     sotype;         /* socket type */
        int     soprotocol;     /* protocol within the domain */
};
  108 
/*
 * Audit record accumulated for one audited operation.  The header part
 * describes the event and its outcome, the subject part identifies who
 * performed it, and the argument part holds whichever ar_arg_* values the
 * audit_arg_*() functions captured.  Which argument members are valid is
 * recorded in ar_valid_arg with the ARG_* masks; every other member is
 * to be treated as undefined.
 */
struct audit_record {
        /* Audit record header. */
        u_int32_t               ar_magic;       /* record signature; value not defined here */
        int                     ar_event;       /* audit event number */
        int                     ar_retval; /* value returned to the process */
        int                     ar_errno;  /* return status of system call */
        struct timespec         ar_starttime;   /* presumably set by audit_new() */
        struct timespec         ar_endtime;     /* presumably set at commit -- see kau_close() */
        u_int64_t               ar_valid_arg;  /* Bitmask of valid arguments */

        /*
         * Audit subject information.
         *
         * The credential is copied by value (struct xucred), so the record
         * does not hold a reference to the live ucred.
         */
        struct xucred                   ar_subj_cred;
        uid_t                           ar_subj_ruid;
        gid_t                           ar_subj_rgid;
        gid_t                           ar_subj_egid;
        uid_t                           ar_subj_auid; /* Audit user ID */
        pid_t                           ar_subj_asid; /* Audit session ID */
        pid_t                           ar_subj_pid;
        struct au_tid                   ar_subj_term;   /* terminal id */
        char                            ar_subj_comm[MAXCOMLEN + 1]; /* command name, NUL terminated */
        struct au_mask                  ar_subj_amask;  /* subject's preselection mask */

        /*
         * Operation arguments.  Each member is valid only when its ARG_*
         * bit is set in ar_valid_arg.
         */
        uid_t                           ar_arg_euid;
        uid_t                           ar_arg_ruid;
        uid_t                           ar_arg_suid;
        gid_t                           ar_arg_egid;
        gid_t                           ar_arg_rgid;
        gid_t                           ar_arg_sgid;
        pid_t                           ar_arg_pid;
        uid_t                           ar_arg_uid;
        uid_t                           ar_arg_auid;
        gid_t                           ar_arg_gid;
        struct groupset                 ar_arg_groups;
        int                             ar_arg_fd;
        int                             ar_arg_fflags;
        mode_t                          ar_arg_mode;
        int                             ar_arg_dev;     /* int, unlike vnode_au_info.vn_dev (dev_t) */
        int                             ar_arg_accmode;
        int                             ar_arg_cmode;
        int                             ar_arg_mask;
        u_int                           ar_arg_signum;
        /* Fixed-size; MAXLOGNAME includes room for the terminator only if the filler ensures it. */
        char                            ar_arg_login[MAXLOGNAME];
        /*
         * NOTE(review): this is the generic struct sockaddr, yet the
         * ARG_SADDRINET6 and ARG_SADDRUNIX masks imply larger address
         * families are recorded; audit_arg_sockaddr() must bound its copy
         * to sizeof(ar_arg_sockaddr) -- confirm in the implementation.
         */
        struct sockaddr                 ar_arg_sockaddr;
        struct socket_info              ar_arg_sockinfo;
        /*
         * NOTE(review): the path and text members are bare pointers; this
         * header does not state who allocates or frees the strings or
         * whether they may reference user memory.  Confirm ownership in
         * audit_arg_upath()/audit_arg_vnpath()/audit_arg_text() and the
         * release path (audit_abort()/audit_commit()) before adding a
         * consumer.
         */
        char                            *ar_arg_upath1;
        char                            *ar_arg_upath2;
        char                            *ar_arg_kpath1;
        char                            *ar_arg_kpath2;
        char                            *ar_arg_text;
        struct au_mask                  ar_arg_amask;
        struct vnode_au_info            ar_arg_vnode1;
        struct vnode_au_info            ar_arg_vnode2;
        int                             ar_arg_cmd;
        int                             ar_arg_svipc_cmd;
        struct ipc_perm                 ar_arg_svipc_perm;
        int                             ar_arg_svipc_id;
        void *                          ar_arg_svipc_addr;      /* opaque; recorded as-is by audit_arg_svipc_addr() */
};
  168 
/*
 * In-kernel version of audit record; the basic record plus queue meta-data.
 * This record can also have a pointer set to some opaque data that will
 * be passed through to the audit writing mechanism.
 *
 * Ownership: the record is obtained from audit_new() and released through
 * audit_commit() or audit_abort(); the header does not say whether
 * k_udata is freed with the record -- confirm before attaching memory.
 */
struct kaudit_record {
        struct audit_record             k_ar;       /* the record proper */
        caddr_t                         k_udata;    /* user data */
        u_int                           k_ulen;     /* user data length */
        struct uthread                  *k_uthread; /* thread we are auditing */
        TAILQ_ENTRY(kaudit_record)      k_q;        /* linkage on the audit queue */
};
  181 
/* Opaque to this header; only pointers to these are passed around. */
struct proc;
struct vnode;
struct componentname;

/*
 * Record lifecycle.  audit_new() produces a record for the given event,
 * process and thread; exactly one of audit_commit() (which takes the
 * syscall's error and return value -- presumably stored in ar_errno and
 * ar_retval, confirm) or audit_abort() should then consume it.
 */
void                     audit_abort(struct kaudit_record *ar);
void                     audit_commit(struct kaudit_record *ar, int error,
                                        int retval);
void                     audit_init(void);
void                     audit_shutdown(void);

struct kaudit_record    *audit_new(int event, struct proc *p,
                            struct uthread *uthread);

/*
 * System call entry/exit hooks; the syscall number is passed on entry and
 * the error on exit.  The record being built between the two is reached
 * through the uthread, not returned.
 */
void                     audit_syscall_enter(unsigned short code,
                            struct proc *proc, struct uthread *uthread);
void                     audit_syscall_exit(int error, struct proc *proc,
                            struct uthread *uthread);

/* Convert an in-kernel record to BSM form; *pau receives the new record. */
int                     kaudit_to_bsm(struct kaudit_record *kar,
                                        struct au_record **pau);

/*
 * NOTE(review): bsm_rec_verify() receives only a pointer and no length,
 * so it can bound its reads solely by what the record's own header
 * claims.  Any caller handing it a buffer that originated outside the
 * kernel must have validated the buffer length against that header
 * beforehand -- confirm the implementation does this.
 */
int                     bsm_rec_verify(caddr_t rec);

/*
 * Kernel versions of the BSM audit record functions.
 *
 * kau_open() returns a record that is finalised by kau_close() (which
 * stamps the end time and event) and released by kau_free(); kau_write()
 * appends a token.  The kau_to_*() helpers build individual tokens; the
 * three header variants differ in the timestamp width they emit
 * (presumably 32- vs 64-bit, confirm).  None of the char * parameters are
 * const-qualified, so callers cannot assume the strings are left intact.
 */
struct au_record        *kau_open(void);
int                     kau_write(struct au_record *rec, token_t *m);
int                     kau_close(struct au_record *rec,
                                 struct timespec *endtime, short event);
void                    kau_free(struct au_record *rec);
void                    kau_init(void);
token_t                 *kau_to_file(char *file, struct timeval *tv);
token_t                 *kau_to_header(struct timespec *ctime, int rec_size,
                                        au_event_t e_type, au_emod_t e_mod);
token_t                 *kau_to_header32(struct timespec *ctime, int rec_size,
                                        au_event_t e_type, au_emod_t e_mod);
token_t                 *kau_to_header64(struct timespec *ctime, int rec_size,
                                         au_event_t e_type, au_emod_t e_mod);
/*
 * The remaining kernel functions are conditionally compiled in as they
 * are wrapped by a macro, and the macro should be the only place in
 * the source tree where these functions are referenced.
 *
 * Each audit_arg_*() stores its arguments into the current record's
 * matching ar_arg_* member(s) and is expected to set the corresponding
 * ARG_* bit in ar_valid_arg (the header implies this pairing; confirm in
 * the implementation).  Call them only through AUDIT_ARG() so that the
 * audit_enabled check is applied uniformly.
 */
#ifdef AUDIT
void                     audit_arg_accmode(int mode);
void                     audit_arg_cmode(int cmode);
void                     audit_arg_fd(int fd);
void                     audit_arg_fflags(int fflags);
void                     audit_arg_gid(gid_t gid, gid_t egid, gid_t rgid,
                                        gid_t sgid);
void                     audit_arg_uid(uid_t uid, uid_t euid, uid_t ruid,
                                        uid_t suid);
/* NOTE(review): gidset_size is unbounded here; the callee must clamp to NGROUPS. */
void                     audit_arg_groupset(gid_t *gidset, u_int gidset_size);
/*
 * The array parameter decays to char *, so the MAXLOGNAME in the
 * prototype is documentation only; callers must pass a buffer of at least
 * MAXLOGNAME bytes.
 */
void                     audit_arg_login(char[MAXLOGNAME]);
void                     audit_arg_mask(int mask);
void                     audit_arg_mode(mode_t mode);
void                     audit_arg_dev(int dev);
void                     audit_arg_owner(uid_t uid, gid_t gid);
void                     audit_arg_pid(pid_t pid);
void                     audit_arg_signum(u_int signum);
void                     audit_arg_socket(int sodomain, int sotype,
                                                int soprotocol);
/* See the ar_arg_sockaddr note: the copy must be bounded by the record's field. */
void                     audit_arg_sockaddr(struct proc *p,
                                                struct sockaddr *so);
void                     audit_arg_auid(uid_t auid);
/*
 * upath/text are non-const and their ownership is not stated here; the
 * flags argument selects which ARG_ bit (e.g. ARG_UPATH1/ARG_UPATH2 or
 * ARG_KPATH1/ARG_KPATH2) the value is recorded under -- confirm.
 */
void                     audit_arg_upath(struct proc *p, char *upath,
                                         u_int64_t flags);
void                     audit_arg_vnpath(struct vnode *vp, u_int64_t flags);
void                     audit_arg_text(char *text);
void                     audit_arg_cmd(int cmd);
void                     audit_arg_svipc_cmd(int cmd);
void                     audit_arg_svipc_perm(struct ipc_perm *perm);
void                     audit_arg_svipc_id(int id);
void                     audit_arg_svipc_addr(void *addr);

/* Per-process audit state: set up, inherited across fork, torn down. */
void                     audit_proc_init(struct proc *p);
void                     audit_proc_fork(struct proc *parent,
                                         struct proc *child);
void                     audit_proc_free(struct proc *p);

/*
 * Define a macro to wrap the audit_arg_* calls by checking the global
 * audit_enabled flag before performing the actual call.
 *
 * AUDIT_ARG(op, args...) expands to audit_arg_<op>(args); `args...` is the
 * GNU named-variadic form, so this header requires a GCC-compatible
 * preprocessor.  Only audit_enabled is tested, not audit_suspended.
 * Because the argument expressions are evaluated only when audit is
 * enabled (and never at all when AUDIT is not defined, see below), they
 * must be free of side effects the caller depends on.
 */
#define AUDIT_ARG(op, args...)  do {                                    \
        if (audit_enabled)                                              \
                audit_arg_ ## op (args);                                \
        } while (0)

/* Run an arbitrary statement only when audit is enabled; same caveats as AUDIT_ARG(). */
#define AUDIT_CMD(audit_cmd)    do {                                    \
        if (audit_enabled) {                                            \
                audit_cmd;                                              \
        }                                                               \
        } while (0)

#else /* !AUDIT */
/*
 * Without AUDIT the wrappers expand to an empty statement: the arguments
 * are never evaluated and the audit_arg_*() functions are not declared,
 * so a direct call to one of them will fail to compile in this
 * configuration -- which is the intent of routing all calls through the
 * macros.
 */
#define AUDIT_ARG(op, args...)  do {                                    \
        } while (0)

#define AUDIT_CMD(audit_cmd)    do {                                    \
        } while (0)

#endif /* AUDIT */
  285 
  286 #endif /* KERNEL */
  287 
  288 #endif /* !_SYS_KERN_AUDIT_H */
