2 * Copyright (c) 2004 Apple Computer, Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
29 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#24 $
33 #define _SYS_AUDIT_H /* Prevent include of sys/audit.h. */
36 #include <sys/param.h>
40 #include <sys/queue.h> /* Our bsm/audit.h doesn't include queue.h. */
43 #include <sys/sysctl.h>
45 #include <bsm/libbsm.h>
53 /* These are not advertised in libbsm.h */
54 int audit_set_terminal_port(dev_t *p);
55 int audit_set_terminal_host(uint32_t *m);
58 * General purpose audit submission mechanism for userspace.
61 audit_submit(short au_event, au_id_t auid, char status,
62 int reterr, const char *fmt, ...)
64 char text[MAX_AUDITSTRING_LEN];
69 int error, afd, subj_ex;
71 struct auditinfo_addr aia;
73 if (auditon(A_GETCOND, &acond, sizeof(acond)) < 0) {
75 * If auditon(2) returns ENOSYS, then audit has not been
76 * compiled into the kernel, so just return.
81 syslog(LOG_AUTH | LOG_ERR, "audit: auditon failed: %s",
86 if (acond == AUC_NOAUDIT)
88 /* XXXCSJP we should be doing a pre-select here */
92 syslog(LOG_AUTH | LOG_ERR, "audit: au_open failed: %s",
98 * Some operating systems do not have getaudit_addr(2) implemented
99 * yet. So we try to use getaudit(2) first, if the subject is
100 * using IPv6, then we will have to try getaudit_addr(2). Failing
101 * this, we return error.
104 error = getaudit(&ai);
105 if (error < 0 && errno == E2BIG) {
106 error = getaudit_addr(&aia, sizeof(aia));
112 syslog(LOG_AUTH | LOG_ERR, "audit: getaudit failed: %s",
119 token = au_to_subject32(auid, geteuid(), getegid(),
120 getuid(), getgid(), pid, pid, &ai.ai_termid);
122 token = au_to_subject_ex(auid, geteuid(), getegid(),
123 getuid(), getgid(), pid, pid, &aia.ai_termid);
125 syslog(LOG_AUTH | LOG_ERR,
126 "audit: unable to build subject token");
127 (void) au_close(afd, AU_TO_NO_WRITE, au_event);
131 if (au_write(afd, token) < 0) {
133 syslog(LOG_AUTH | LOG_ERR,
134 "audit: au_write failed: %s", strerror(errno));
135 (void) au_close(afd, AU_TO_NO_WRITE, au_event);
141 (void) vsnprintf(text, MAX_AUDITSTRING_LEN, fmt, ap);
143 token = au_to_text(text);
145 syslog(LOG_AUTH | LOG_ERR,
146 "audit: failed to generate text token");
147 (void) au_close(afd, AU_TO_NO_WRITE, au_event);
151 if (au_write(afd, token) < 0) {
153 syslog(LOG_AUTH | LOG_ERR,
154 "audit: au_write failed: %s", strerror(errno));
155 (void) au_close(afd, AU_TO_NO_WRITE, au_event);
160 token = au_to_return32(status, reterr);
162 syslog(LOG_AUTH | LOG_ERR,
163 "audit: enable to build return token");
164 (void) au_close(afd, AU_TO_NO_WRITE, au_event);
168 if (au_write(afd, token) < 0) {
170 syslog(LOG_AUTH | LOG_ERR,
171 "audit: au_write failed: %s", strerror(errno));
172 (void) au_close(afd, AU_TO_NO_WRITE, au_event);
176 if (au_close(afd, AU_TO_WRITE, au_event) < 0) {
178 syslog(LOG_AUTH | LOG_ERR, "audit: record not committed");
186 audit_set_terminal_port(dev_t *p)
191 return (kAUBadParamErr);
199 /* for /usr/bin/login, try fstat() first */
200 if (fstat(STDIN_FILENO, &st) != 0) {
201 if (errno != EBADF) {
202 syslog(LOG_ERR, "fstat() failed (%s)",
206 if (stat("/dev/console", &st) != 0) {
207 syslog(LOG_ERR, "stat() failed (%s)",
217 audit_set_terminal_host(uint32_t *m)
221 int name[2] = { CTL_KERN, KERN_HOSTID };
225 return (kAUBadParamErr);
228 if (sysctl(name, 2, m, &len, NULL, 0) != 0) {
229 syslog(LOG_ERR, "sysctl() failed (%s)", strerror(errno));
230 return (kAUSysctlErr);
240 audit_set_terminal_id(au_tid_t *tid)
245 return (kAUBadParamErr);
246 if ((ret = audit_set_terminal_port(&tid->port)) != kAUNoErr)
248 return (audit_set_terminal_host(&tid->machine));
252 * This is OK for those callers who have only one token to write. If you have
253 * multiple tokens that logically form part of the same audit record, you need
254 * to use the existing au_open()/au_write()/au_close() API:
257 * tok = au_to_random_token_1(...);
258 * au_write(aufd, tok);
259 * tok = au_to_random_token_2(...);
260 * au_write(aufd, tok);
262 * au_close(aufd, AU_TO_WRITE, AUE_your_event_type);
264 * Assumes, like all wrapper calls, that the caller has previously checked
265 * that auditing is enabled via the audit_get_state() call.
267 * XXX: Should be more robust against bad arguments.
270 audit_write(short event_code, token_t *subject, token_t *misctok, char retval,
274 char *func = "audit_write()";
277 if ((aufd = au_open()) == -1) {
278 au_free_token(subject);
279 au_free_token(misctok);
280 syslog(LOG_ERR, "%s: au_open() failed", func);
285 if (subject && au_write(aufd, subject) == -1) {
286 au_free_token(subject);
287 au_free_token(misctok);
288 (void)au_close(aufd, AU_TO_WRITE, event_code);
289 syslog(LOG_ERR, "%s: write of subject failed", func);
290 return (kAUWriteSubjectTokErr);
293 /* Save the event-specific token. */
294 if (misctok && au_write(aufd, misctok) == -1) {
295 au_free_token(misctok);
296 (void)au_close(aufd, AU_TO_NO_WRITE, event_code);
297 syslog(LOG_ERR, "%s: write of caller token failed", func);
298 return (kAUWriteCallerTokErr);
301 /* Tokenize and save the return value. */
302 if ((rettok = au_to_return32(retval, errcode)) == NULL) {
303 (void)au_close(aufd, AU_TO_NO_WRITE, event_code);
304 syslog(LOG_ERR, "%s: au_to_return32() failed", func);
305 return (kAUMakeReturnTokErr);
308 if (au_write(aufd, rettok) == -1) {
309 au_free_token(rettok);
310 (void)au_close(aufd, AU_TO_NO_WRITE, event_code);
311 syslog(LOG_ERR, "%s: write of return code failed", func);
312 return (kAUWriteReturnTokErr);
316 * We assume the caller wouldn't have bothered with this
317 * function if it hadn't already decided to keep the record.
319 if (au_close(aufd, AU_TO_WRITE, event_code) < 0) {
320 syslog(LOG_ERR, "%s: au_close() failed", func);
321 return (kAUCloseErr);
328 * Same caveats as audit_write(). In addition, this function explicitly
329 * assumes success; use audit_write_failure() on error.
332 audit_write_success(short event_code, token_t *tok, au_id_t auid, uid_t euid,
333 gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
336 char *func = "audit_write_success()";
337 token_t *subject = NULL;
339 /* Tokenize and save subject. */
340 subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
342 if (subject == NULL) {
343 syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
344 return kAUMakeSubjectTokErr;
347 return (audit_write(event_code, subject, tok, 0, 0));
351 * Same caveats as audit_write(). In addition, this function explicitly
352 * assumes success; use audit_write_failure_self() on error.
355 audit_write_success_self(short event_code, token_t *tok)
358 char *func = "audit_write_success_self()";
360 if ((subject = au_to_me()) == NULL) {
361 syslog(LOG_ERR, "%s: au_to_me() failed", func);
362 return (kAUMakeSubjectTokErr);
365 return (audit_write(event_code, subject, tok, 0, 0));
369 * Same caveats as audit_write(). In addition, this function explicitly
370 * assumes failure; use audit_write_success() otherwise.
372 * XXX This should let the caller pass an error return value rather than
376 audit_write_failure(short event_code, char *errmsg, int errcode, au_id_t auid,
377 uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
380 char *func = "audit_write_failure()";
381 token_t *subject, *errtok;
383 subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, tid);
384 if (subject == NULL) {
385 syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
386 return (kAUMakeSubjectTokErr);
389 /* tokenize and save the error message */
390 if ((errtok = au_to_text(errmsg)) == NULL) {
391 au_free_token(subject);
392 syslog(LOG_ERR, "%s: au_to_text() failed", func);
393 return (kAUMakeTextTokErr);
396 return (audit_write(event_code, subject, errtok, -1, errcode));
400 * Same caveats as audit_write(). In addition, this function explicitly
401 * assumes failure; use audit_write_success_self() otherwise.
403 * XXX This should let the caller pass an error return value rather than
407 audit_write_failure_self(short event_code, char *errmsg, int errret)
409 char *func = "audit_write_failure_self()";
410 token_t *subject, *errtok;
412 if ((subject = au_to_me()) == NULL) {
413 syslog(LOG_ERR, "%s: au_to_me() failed", func);
414 return (kAUMakeSubjectTokErr);
416 /* tokenize and save the error message */
417 if ((errtok = au_to_text(errmsg)) == NULL) {
418 au_free_token(subject);
419 syslog(LOG_ERR, "%s: au_to_text() failed", func);
420 return (kAUMakeTextTokErr);
422 return (audit_write(event_code, subject, errtok, -1, errret));
426 * For auditing errors during login. Such errors are implicitly
427 * non-attributable (i.e., not ascribable to any user).
429 * Assumes, like all wrapper calls, that the caller has previously checked
430 * that auditing is enabled via the audit_get_state() call.
433 audit_write_failure_na(short event_code, char *errmsg, int errret, uid_t euid,
434 uid_t egid, pid_t pid, au_tid_t *tid)
437 return (audit_write_failure(event_code, errmsg, errret, -1, euid,
438 egid, -1, -1, pid, -1, tid));
441 /* END OF au_write() WRAPPERS */
445 audit_token_to_au32(audit_token_t atoken, uid_t *auidp, uid_t *euidp,
446 gid_t *egidp, uid_t *ruidp, gid_t *rgidp, pid_t *pidp, au_asid_t *asidp,
451 *auidp = (uid_t)atoken.val[0];
453 *euidp = (uid_t)atoken.val[1];
455 *egidp = (gid_t)atoken.val[2];
457 *ruidp = (uid_t)atoken.val[3];
459 *rgidp = (gid_t)atoken.val[4];
461 *pidp = (pid_t)atoken.val[5];
463 *asidp = (au_asid_t)atoken.val[6];
465 audit_set_terminal_host(&tidp->machine);
466 tidp->port = (dev_t)atoken.val[7];
469 #endif /* !__APPLE__ */