2 * Copyright (c) 2004 Apple Computer, Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
29 * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#27 $
36 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
37 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
40 #define AUDIT_MAX_ARGS 10
41 #define AUDIT_MAX_ENV 10
43 #include <sys/types.h>
44 #include <sys/cdefs.h>
46 #include <inttypes.h> /* Required for audit.h. */
47 #include <time.h> /* Required for clock_t on Linux. */
49 #include <bsm/audit.h>
50 #include <bsm/audit_record.h>
55 #include <mach/mach.h> /* audit_token_t */
58 #define AU_PRS_SUCCESS 1
59 #define AU_PRS_FAILURE 2
60 #define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
62 #define AU_PRS_USECACHE 0
63 #define AU_PRS_REREAD 1
65 #define AUDIT_EVENT_FILE "/etc/security/audit_event"
66 #define AUDIT_CLASS_FILE "/etc/security/audit_class"
67 #define AUDIT_CONTROL_FILE "/etc/security/audit_control"
68 #define AUDIT_USER_FILE "/etc/security/audit_user"
70 #define DIR_CONTROL_ENTRY "dir"
71 #define MINFREE_CONTROL_ENTRY "minfree"
72 #define FLAGS_CONTROL_ENTRY "flags"
73 #define NA_CONTROL_ENTRY "naflags"
75 #define AU_CLASS_NAME_MAX 8
76 #define AU_CLASS_DESC_MAX 72
77 #define AU_EVENT_NAME_MAX 30
78 #define AU_EVENT_DESC_MAX 50
79 #define AU_USER_NAME_MAX 50
80 #define AU_LINE_MAX 256
81 #define MAX_AUDITSTRING_LEN 256
82 #define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */
85 * Arguments to au_close(3).
87 #define AU_TO_NO_WRITE 0 /* Abandon audit record. */
88 #define AU_TO_WRITE 1 /* Commit audit record. */
97 typedef struct au_event_ent au_event_ent_t;
104 typedef struct au_class_ent au_class_ent_t;
111 typedef struct au_user_ent au_user_ent_t;
114 #define ADD_TO_MASK(m, c, sel) do { \
115 if (sel & AU_PRS_SUCCESS) \
116 (m)->am_success |= c; \
117 if (sel & AU_PRS_FAILURE) \
118 (m)->am_failure |= c; \
121 #define SUB_FROM_MASK(m, c, sel) do { \
122 if (sel & AU_PRS_SUCCESS) \
123 (m)->am_success &= ((m)->am_success ^ c); \
124 if (sel & AU_PRS_FAILURE) \
125 (m)->am_failure &= ((m)->am_failure ^ c); \
128 #define ADDMASK(m, v) do { \
129 (m)->am_success |= (v)->am_success; \
130 (m)->am_failure |= (v)->am_failure; \
133 #define SUBMASK(m, v) do { \
134 (m)->am_success &= ((m)->am_success ^ (v)->am_success); \
135 (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \
140 typedef struct au_tid32 {
145 typedef struct au_tid64 {
150 typedef struct au_tidaddr32 {
158 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
159 * text length 2 bytes
160 * text N bytes + 1 terminating NULL byte
177 * how to print 1 byte
180 * data items (depends on basic unit)
190 * file access mode 4 bytes
191 * owner user ID 4 bytes
192 * owner group ID 4 bytes
193 * file system ID 4 bytes
195 * device 4 bytes/8 bytes (32-bit/64-bit)
217 * text count null-terminated string(s)
221 char *text[AUDIT_MAX_ARGS];
226 * text count null-terminated string(s)
230 char *text[AUDIT_MAX_ENV];
235 * return value 4 bytes
243 * seconds of time 4 bytes
244 * milliseconds of time 4 bytes
245 * file name length 2 bytes
246 * file pathname N bytes + 1 terminating NULL byte
257 * number groups 2 bytes
258 * group list N * 4 bytes
262 u_int32_t list[AUDIT_MAX_GROUPS];
266 * record byte count 4 bytes
267 * version # 1 byte [2]
269 * event modifier 2 bytes
270 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
271 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
283 * record byte count 4 bytes
284 * version # 1 byte [2]
286 * event modifier 2 bytes
287 * address type/length 1 byte (XXX: actually, 4 bytes)
288 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
289 * seconds of time 4 bytes/8 bytes (32/64-bits)
290 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
324 * internet address 4 bytes
332 * internet address 16 bytes
340 * version and ihl 1 byte
341 * type of service 1 byte
348 * source address 4 bytes
349 * destination address 4 bytes
365 * object ID type 1 byte
374 * owner user ID 4 bytes
375 * owner group ID 4 bytes
376 * creator user ID 4 bytes
377 * creator group ID 4 bytes
378 * access mode 4 bytes
379 * slot sequence # 4 bytes
393 * port IP address 2 bytes
409 * path length 2 bytes
410 * path N bytes + 1 terminating NULL byte
419 * effective user ID 4 bytes
420 * effective group ID 4 bytes
421 * real user ID 4 bytes
422 * real group ID 4 bytes
426 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
427 * machine address 4 bytes
453 * effective user ID 4 bytes
454 * effective group ID 4 bytes
455 * real user ID 4 bytes
456 * real group ID 4 bytes
460 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
462 * machine address 16 bytes
476 * error status 1 byte
477 * return value 4 bytes/8 bytes (32-bit/64-bit value)
490 * sequence number 4 bytes
497 * socket type 2 bytes
499 * local Internet address 4 bytes
500 * remote port 2 bytes
501 * remote Internet address 4 bytes
512 * socket type 2 bytes
514 * address type/length 4 bytes
515 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
516 * remote port 4 bytes
517 * address type/length 4 bytes
518 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
531 * socket family 2 bytes
533 * socket address 4 bytes/16 bytes (IPv4/IPv6 address)
542 * socket family 2 bytes
552 * effective user ID 4 bytes
553 * effective group ID 4 bytes
554 * real user ID 4 bytes
555 * real group ID 4 bytes
559 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
560 * machine address 4 bytes
586 * effective user ID 4 bytes
587 * effective group ID 4 bytes
588 * real user ID 4 bytes
589 * real group ID 4 bytes
593 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
595 * machine address 16 bytes
609 * text length 2 bytes
610 * text N bytes + 1 terminating NULL byte
631 * trailer magic number 2 bytes
632 * record byte count 4 bytes
649 au_execarg_t execarg;
650 au_execenv_t execenv;
655 au_header32_ex_t hdr32_ex;
657 au_header64_ex_t hdr64_ex;
659 au_inaddr_ex_t inaddr_ex;
662 au_ipcperm_t ipcperm;
668 au_proc32ex_t proc32_ex;
673 au_socket_ex32_t socket_ex32;
674 au_socketinet32_t sockinet32;
675 au_socketunix_t sockunix;
676 au_subject32_t subj32;
677 au_subject64_t subj64;
678 au_subject32ex_t subj32_ex;
681 au_invalid_t invalid;
683 } tt; /* The token is one of the above types */
686 typedef struct tokenstr tokenstr_t;
688 int audit_submit(short au_event, au_id_t auid,
689 char status, int reterr, const char *fmt, ...);
692 * Functions relating to querying audit class information.
694 void setauclass(void);
695 void endauclass(void);
696 struct au_class_ent *getauclassent(void);
697 struct au_class_ent *getauclassent_r(au_class_ent_t *class_int);
698 struct au_class_ent *getauclassnam(const char *name);
699 struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int,
701 struct au_class_ent *getauclassnum(au_class_t class_number);
702 struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int,
703 au_class_t class_number);
706 * Functions relating to querying audit control information.
710 int getacdir(char *name, int len);
711 int getacmin(int *min_val);
712 int getacflg(char *auditstr, int len);
713 int getacna(char *auditstr, int len);
714 int getauditflagsbin(char *auditstr, au_mask_t *masks);
715 int getauditflagschar(char *auditstr, au_mask_t *masks,
717 int au_preselect(au_event_t event, au_mask_t *mask_p,
721 * Functions relating to querying audit event information.
723 void setauevent(void);
724 void endauevent(void);
725 struct au_event_ent *getauevent(void);
726 struct au_event_ent *getauevent_r(struct au_event_ent *e);
727 struct au_event_ent *getauevnam(const char *name);
728 struct au_event_ent *getauevnam_r(struct au_event_ent *e,
730 struct au_event_ent *getauevnum(au_event_t event_number);
731 struct au_event_ent *getauevnum_r(struct au_event_ent *e,
732 au_event_t event_number);
733 au_event_t *getauevnonam(const char *event_name);
734 au_event_t *getauevnonam_r(au_event_t *ev,
735 const char *event_name);
738 * Functions relating to querying audit user information.
740 void setauuser(void);
741 void endauuser(void);
742 struct au_user_ent *getauuserent(void);
743 struct au_user_ent *getauuserent_r(struct au_user_ent *u);
744 struct au_user_ent *getauusernam(const char *name);
745 struct au_user_ent *getauusernam_r(struct au_user_ent *u,
747 int au_user_mask(char *username, au_mask_t *mask_p);
748 int getfauditflags(au_mask_t *usremask,
749 au_mask_t *usrdmask, au_mask_t *lastmask);
752 * Functions for reading and printing records and tokens from audit trails.
754 int au_read_rec(FILE *fp, u_char **buf);
755 int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
756 //XXX The following interface has different prototype from BSM
757 void au_print_tok(FILE *outfp, tokenstr_t *tok,
758 char *del, char raw, char sfrm);
762 * The remaining APIs are associated with Apple's BSM implementation, in
763 * particular as relates to Mach IPC auditing and triggers passed via Mach
767 #include <sys/appleapiopts.h>
769 /**************************************************************************
770 **************************************************************************
771 ** The following definitions, functions, etc., are NOT officially
772 ** supported: they may be changed or removed in the future. Do not use
773 ** them unless you are prepared to cope with that eventuality.
774 **************************************************************************
775 **************************************************************************/
777 #ifdef __APPLE_API_PRIVATE
778 #define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
779 #endif /* __APPLE_API_PRIVATE */
782 * au_get_state() return values
783 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
784 * AUDIT_ON are deprecated and WILL be removed.
786 #ifdef __APPLE_API_PRIVATE
787 #define AUDIT_OFF AUC_NOAUDIT
788 #define AUDIT_ON AUC_AUDITING
789 #endif /* __APPLE_API_PRIVATE */
790 #endif /* !__APPLE__ */
793 * Error return codes for audit_set_terminal_id(), audit_write() and its
794 * brethren. We have 255 (not including kAUNoErr) to play with.
796 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
800 kAUBadParamErr = -66049,
804 kAUMakeSubjectTokErr,
805 kAUWriteSubjectTokErr,
806 kAUWriteCallerTokErr,
808 kAUWriteReturnTokErr,
816 * Error return codes for au_get_state() and/or its private support
817 * functions. These codes are designed to be compatible with the
818 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
819 * Any changes to notify(3) may cause these values to change in future.
821 * AU_UNIMPL should never happen unless you've changed your system software
822 * without rebooting. Shame on you.
824 #ifdef __APPLE_API_PRIVATE
825 #define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */
826 #endif /* __APPLE_API_PRIVATE */
827 #endif /* !__APPLE__ */
831 * XXX This prototype should be in audit_record.h
835 * @summary - au_free_token() deallocates a token_t created by any of
836 * the au_to_*() BSM API functions.
838 * The BSM API generally manages deallocation of token_t objects. However,
839 * if au_write() is passed a bad audit descriptor, the token_t * parameter
840 * will be left untouched. In that case, the caller can deallocate the
841 * token_t using au_free_token() if desired. This is, in fact, what
842 * audit_write() does, in keeping with the existing memory management model
845 * @param tok - A token_t * generated by one of the au_to_*() BSM API
846 * calls. For convenience, tok may be NULL, in which case
847 * au_free_token() returns immediately.
849 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
851 void au_free_token(token_t *tok);
854 * Lightweight check to determine if auditing is enabled. If a client
855 * wants to use this to govern whether an entire series of audit calls
856 * should be made--as in the common case of a caller building a set of
857 * tokens, then writing them--it should cache the audit status in a local
858 * variable. This call always returns the current state of auditing.
860 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
861 * Otherwise the function can return any of the errno values defined for
862 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
865 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
867 int au_get_state(void);
870 /* OpenSSH compatibility */
871 int cannot_audit(int);
875 * audit_set_terminal_id()
877 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
878 * used in audit session initialization by processes like /usr/bin/login.
880 * @param tid - A pointer to an au_tid_t struct.
882 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
883 * or kAUSysctlErr if one of the underlying system calls fails (a message
884 * is sent to the system log in those cases).
886 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
888 int audit_set_terminal_id(au_tid_t *tid);
891 * BEGIN au_write() WRAPPERS
893 * The following calls all wrap the existing BSM API. They use the
894 * provided subject information, if any, to construct the subject token
895 * required for every log message. They use the provided return/error
896 * value(s), if any, to construct the success/failure indication required
897 * for every log message. They only permit one "miscellaneous" token,
898 * which should contain the event-specific logging information mandated by
901 * All these calls assume the caller has previously determined that
902 * auditing is enabled by calling au_get_state().
908 * @summary - audit_write() is the basis for the other audit_write_*()
909 * calls. Performs a basic write of an audit record (subject, additional
910 * info, success/failure). Note that this call only permits logging one
911 * caller-specified token; clients needing to log more flexibly must use
912 * the existing BSM API (au_open(), et al.) directly.
914 * Note on memory management: audit_write() guarantees that the token_t *s
915 * passed to it will be deallocated whether or not the underlying write to
916 * the audit log succeeded. This addresses an inconsistency in the
917 * underlying BSM API in which token_t *s are usually but not always
920 * @param event_code - The code for the event being logged. This should
921 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
923 * @param subject - A token_t * generated by au_to_subject(),
924 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is
925 * required, subject should be NULL.
927 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
928 * calls. This should correspond to the additional information required by
929 * CAPP for the event being audited. If no additional information is
930 * required, misctok should be NULL.
932 * @param retval - The return value to be logged for this event. This
933 * should be 0 (zero) for success, otherwise the value is event-specific.
935 * @param errcode - Any error code associated with the return value (e.g.,
936 * errno or h_errno). If there was no error, errcode should be 0 (zero).
938 * @return - The status of the call: 0 (zero) on success, else one of the
939 * kAU*Err values defined above.
941 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
943 int audit_write(short event_code, token_t *subject, token_t *misctok,
944 char retval, int errcode);
947 * audit_write_success()
949 * @summary - audit_write_success() records an auditable event that did not
950 * encounter an error. The interface is designed to require as little
951 * direct use of the au_to_*() API as possible. It builds a subject token
952 * from the information passed in and uses that to invoke audit_write().
953 * A subject, as defined by CAPP, is a process acting on the user's behalf.
955 * If the subject information is the same as the current process, use
956 * au_write_success_self().
958 * @param event_code - The code for the event being logged. This should
959 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
961 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
962 * calls. This should correspond to the additional information required by
963 * CAPP for the event being audited. If no additional information is
964 * required, misctok should be NULL.
966 * @param auid - The subject's audit ID.
968 * @param euid - The subject's effective user ID.
970 * @param egid - The subject's effective group ID.
972 * @param ruid - The subject's real user ID.
974 * @param rgid - The subject's real group ID.
976 * @param pid - The subject's process ID.
978 * @param sid - The subject's session ID.
980 * @param tid - The subject's terminal ID.
982 * @return - The status of the call: 0 (zero) on success, else one of the
983 * kAU*Err values defined above.
985 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
987 int audit_write_success(short event_code, token_t *misctok, au_id_t auid,
988 uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
989 au_asid_t sid, au_tid_t *tid);
992 * audit_write_success_self()
994 * @summary - Similar to audit_write_success(), but used when the subject
995 * (process) is owned and operated by the auditable user him/herself.
997 * @param event_code - The code for the event being logged. This should
998 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1000 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1001 * calls. This should correspond to the additional information required by
1002 * CAPP for the event being audited. If no additional information is
1003 * required, misctok should be NULL.
1005 * @return - The status of the call: 0 (zero) on success, else one of the
1006 * kAU*Err values defined above.
1008 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1010 int audit_write_success_self(short event_code, token_t *misctok);
1013 * audit_write_failure()
1015 * @summary - audit_write_failure() records an auditable event that
1016 * encountered an error. The interface is designed to require as little
1017 * direct use of the au_to_*() API as possible. It builds a subject token
1018 * from the information passed in and uses that to invoke audit_write().
1019 * A subject, as defined by CAPP, is a process acting on the user's behalf.
1021 * If the subject information is the same as the current process, use
1022 * au_write_failure_self().
1024 * @param event_code - The code for the event being logged. This should
1025 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1027 * @param errmsg - A text message providing additional information about
1028 * the event being audited.
1030 * @param errret - A numerical value providing additional information about
1031 * the error. This is intended to store the value of errno or h_errno if
1032 * it's relevant. This can be 0 (zero) if no additional information is
1035 * @param auid - The subject's audit ID.
1037 * @param euid - The subject's effective user ID.
1039 * @param egid - The subject's effective group ID.
1041 * @param ruid - The subject's real user ID.
1043 * @param rgid - The subject's real group ID.
1045 * @param pid - The subject's process ID.
1047 * @param sid - The subject's session ID.
1049 * @param tid - The subject's terminal ID.
1051 * @return - The status of the call: 0 (zero) on success, else one of the
1052 * kAU*Err values defined above.
1054 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1056 int audit_write_failure(short event_code, char *errmsg, int errret,
1057 au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1058 pid_t pid, au_asid_t sid, au_tid_t *tid);
1061 * audit_write_failure_self()
1063 * @summary - Similar to audit_write_failure(), but used when the subject
1064 * (process) is owned and operated by the auditable user him/herself.
1066 * @param event_code - The code for the event being logged. This should
1067 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1069 * @param errmsg - A text message providing additional information about
1070 * the event being audited.
1072 * @param errret - A numerical value providing additional information about
1073 * the error. This is intended to store the value of errno or h_errno if
1074 * it's relevant. This can be 0 (zero) if no additional information is
1077 * @return - The status of the call: 0 (zero) on success, else one of the
1078 * kAU*Err values defined above.
1080 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1082 int audit_write_failure_self(short event_code, char *errmsg, int errret);
1085 * audit_write_failure_na()
1087 * @summary - audit_write_failure_na() records errors during login. Such
1088 * errors are implicitly non-attributable (i.e., not ascribable to any user).
1090 * @param event_code - The code for the event being logged. This should
1091 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1093 * @param errmsg - A text message providing additional information about
1094 * the event being audited.
1096 * @param errret - A numerical value providing additional information about
1097 * the error. This is intended to store the value of errno or h_errno if
1098 * it's relevant. This can be 0 (zero) if no additional information is
1101 * @param euid - The subject's effective user ID.
1103 * @param egid - The subject's effective group ID.
1105 * @param pid - The subject's process ID.
1107 * @param tid - The subject's terminal ID.
1109 * @return - The status of the call: 0 (zero) on success, else one of the
1110 * kAU*Err values defined above.
1112 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1114 int audit_write_failure_na(short event_code, char *errmsg, int errret,
1115 uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
1117 /* END au_write() WRAPPERS */
1121 * audit_token_to_au32()
1123 * @summary - Extract information from an audit_token_t, used to identify
1124 * Mach tasks and senders of Mach messages as subjects to the audit system.
1125 * audit_tokent_to_au32() is the only method that should be used to parse
1126 * an audit_token_t, since its internal representation may change over
1127 * time. A pointer parameter may be NULL if that information is not
1130 * @param atoken - the audit token containing the desired information
1132 * @param auidp - Pointer to a uid_t; on return will be set to the task or
1133 * sender's audit user ID
1135 * @param euidp - Pointer to a uid_t; on return will be set to the task or
1136 * sender's effective user ID
1138 * @param egidp - Pointer to a gid_t; on return will be set to the task or
1139 * sender's effective group ID
1141 * @param ruidp - Pointer to a uid_t; on return will be set to the task or
1142 * sender's real user ID
1144 * @param rgidp - Pointer to a gid_t; on return will be set to the task or
1145 * sender's real group ID
1147 * @param pidp - Pointer to a pid_t; on return will be set to the task or
1148 * sender's process ID
1150 * @param asidp - Pointer to an au_asid_t; on return will be set to the
1151 * task or sender's audit session ID
1153 * @param tidp - Pointer to an au_tid_t; on return will be set to the task
1154 * or sender's terminal ID
1156 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1158 void audit_token_to_au32(
1159 audit_token_t atoken,
1168 #endif /* !__APPLE__ */
1172 #endif /* !_LIBBSM_H_ */