sys/security/audit/audit.h

   1 /*-
   2  * SPDX-License-Identifier: BSD-3-Clause
   3  *
   4  * Copyright (c) 1999-2005 Apple Inc.
   5  * Copyright (c) 2016-2017 Robert N. M. Watson
   6  * All rights reserved.
   7  *
   8  * This software was developed by BAE Systems, the University of Cambridge
   9  * Computer Laboratory, and Memorial University under DARPA/AFRL contract
  10  * FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing
  11  * (TC) research program.
  12  *
  13  * Redistribution and use in source and binary forms, with or without
  14  * modification, are permitted provided that the following conditions
  15  * are met:
  16  * 1.  Redistributions of source code must retain the above copyright
  17  *     notice, this list of conditions and the following disclaimer.
  18  * 2.  Redistributions in binary form must reproduce the above copyright
  19  *     notice, this list of conditions and the following disclaimer in the
  20  *     documentation and/or other materials provided with the distribution.
  21  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
  22  *     its contributors may be used to endorse or promote products derived
  23  *     from this software without specific prior written permission.
  24  *
  25  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
  26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  28  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
  29  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  33  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  34  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  35  * POSSIBILITY OF SUCH DAMAGE.
  36  *
  37  * $FreeBSD$
  38  */
  39
  40 /*
  41  * This header includes function prototypes and type definitions that are
  42  * necessary for the kernel as a whole to interact with the audit subsystem.
  43  */
  44
  45 #ifndef _SECURITY_AUDIT_KERNEL_H_
  46 #define _SECURITY_AUDIT_KERNEL_H_
  47
  48 #ifndef _KERNEL
  49 #error "no user-serviceable parts inside"
  50 #endif
  51
  52 #include <bsm/audit.h>
  53
  54 #include <sys/file.h>
  55 #include <sys/sysctl.h>
  56
  57 /*
  58  * Audit subsystem condition flags.  The audit_enabled flag is set and
  59  * removed automatically as a result of configuring log files, and can be
  60  * observed but should not be directly manipulated.  The audit suspension
  61  * flag permits audit to be temporarily disabled without reconfiguring the
  62  * audit target.
  63  */
  64 extern int      audit_enabled;
  65 extern int      audit_suspended;
  66
  67 void     audit_syscall_enter(unsigned short code, struct thread *td);
  68 void     audit_syscall_exit(int error, struct thread *td);
  69
  70 /*
  71  * The remaining kernel functions are conditionally compiled in as they are
  72  * wrapped by a macro, and the macro should be the only place in the source
  73  * tree where these functions are referenced.
  74  */
  75 #ifdef AUDIT
  76 struct ipc_perm;
  77 struct sockaddr;
  78 union auditon_udata;
  79 void     audit_arg_addr(void * addr);
  80 void     audit_arg_exit(int status, int retval);
  81 void     audit_arg_len(int len);
  82 void     audit_arg_atfd1(int atfd);
  83 void     audit_arg_atfd2(int atfd);
  84 void     audit_arg_fd(int fd);
  85 void     audit_arg_fflags(int fflags);
  86 void     audit_arg_gid(gid_t gid);
  87 void     audit_arg_uid(uid_t uid);
  88 void     audit_arg_egid(gid_t egid);
  89 void     audit_arg_euid(uid_t euid);
  90 void     audit_arg_rgid(gid_t rgid);
  91 void     audit_arg_ruid(uid_t ruid);
  92 void     audit_arg_sgid(gid_t sgid);
  93 void     audit_arg_suid(uid_t suid);
  94 void     audit_arg_groupset(gid_t *gidset, u_int gidset_size);
  95 void     audit_arg_login(char *login);
  96 void     audit_arg_ctlname(int *name, int namelen);
  97 void     audit_arg_mask(int mask);
  98 void     audit_arg_mode(mode_t mode);
  99 void     audit_arg_dev(int dev);
 100 void     audit_arg_value(long value);
 101 void     audit_arg_owner(uid_t uid, gid_t gid);
 102 void     audit_arg_pid(pid_t pid);
 103 void     audit_arg_process(struct proc *p);
 104 void     audit_arg_signum(u_int signum);
 105 void     audit_arg_socket(int sodomain, int sotype, int soprotocol);
 106 void     audit_arg_sockaddr(struct thread *td, int dirfd, struct sockaddr *sa);
 107 void     audit_arg_auid(uid_t auid);
 108 void     audit_arg_auditinfo(struct auditinfo *au_info);
 109 void     audit_arg_auditinfo_addr(struct auditinfo_addr *au_info);
 110 void     audit_arg_upath1(struct thread *td, int dirfd, char *upath);
 111 void     audit_arg_upath1_canon(char *upath);
 112 void     audit_arg_upath2(struct thread *td, int dirfd, char *upath);
 113 void     audit_arg_upath2_canon(char *upath);
 114 void     audit_arg_vnode1(struct vnode *vp);
 115 void     audit_arg_vnode2(struct vnode *vp);
 116 void     audit_arg_text(char *text);
 117 void     audit_arg_cmd(int cmd);
 118 void     audit_arg_svipc_cmd(int cmd);
 119 void     audit_arg_svipc_perm(struct ipc_perm *perm);
 120 void     audit_arg_svipc_id(int id);
 121 void     audit_arg_svipc_addr(void *addr);
 122 void     audit_arg_svipc_which(int which);
 123 void     audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode);
 124 void     audit_arg_auditon(union auditon_udata *udata);
 125 void     audit_arg_file(struct proc *p, struct file *fp);
 126 void     audit_arg_argv(char *argv, int argc, int length);
 127 void     audit_arg_envv(char *envv, int envc, int length);
 128 void     audit_arg_rights(cap_rights_t *rightsp);
 129 void     audit_arg_fcntl_rights(uint32_t fcntlrights);
 130 void     audit_sysclose(struct thread *td, int fd);
 131 void     audit_cred_copy(struct ucred *src, struct ucred *dest);
 132 void     audit_cred_destroy(struct ucred *cred);
 133 void     audit_cred_init(struct ucred *cred);
 134 void     audit_cred_kproc0(struct ucred *cred);
 135 void     audit_cred_proc1(struct ucred *cred);
 136 void     audit_proc_coredump(struct thread *td, char *path, int errcode);
 137 void     audit_thread_alloc(struct thread *td);
 138 void     audit_thread_free(struct thread *td);
 139
 140 /*
 141  * Define macros to wrap the audit_arg_* calls by checking the global
 142  * audit_enabled flag before performing the actual call.
 143  */
 144 #define AUDITING_TD(td)         ((td)->td_pflags & TDP_AUDITREC)
 145
 146 #define AUDIT_ARG_ADDR(addr) do {                                       \
 147         if (AUDITING_TD(curthread))                                     \
 148                 audit_arg_addr((addr));                                 \
 149 } while (0)
 150
 151 #define AUDIT_ARG_ARGV(argv, argc, length) do {                         \
 152         if (AUDITING_TD(curthread))                                     \
 153                 audit_arg_argv((argv), (argc), (length));               \
 154 } while (0)
 155
 156 #define AUDIT_ARG_ATFD1(atfd) do {                                      \
 157         if (AUDITING_TD(curthread))                                     \
 158                 audit_arg_atfd1((atfd));                                \
 159 } while (0)
 160
 161 #define AUDIT_ARG_ATFD2(atfd) do {                                      \
 162         if (AUDITING_TD(curthread))                                     \
 163                 audit_arg_atfd2((atfd));                                \
 164 } while (0)
 165
 166 #define AUDIT_ARG_AUDITON(udata) do {                                   \
 167         if (AUDITING_TD(curthread))                                     \
 168                 audit_arg_auditon((udata));                             \
 169 } while (0)
 170
 171 #define AUDIT_ARG_CMD(cmd) do {                                         \
 172         if (AUDITING_TD(curthread))                                     \
 173                 audit_arg_cmd((cmd));                                   \
 174 } while (0)
 175
 176 #define AUDIT_ARG_DEV(dev) do {                                         \
 177         if (AUDITING_TD(curthread))                                     \
 178                 audit_arg_dev((dev));                                   \
 179 } while (0)
 180
 181 #define AUDIT_ARG_EGID(egid) do {                                       \
 182         if (AUDITING_TD(curthread))                                     \
 183                 audit_arg_egid((egid));                                 \
 184 } while (0)
 185
 186 #define AUDIT_ARG_ENVV(envv, envc, length) do {                         \
 187         if (AUDITING_TD(curthread))                                     \
 188                 audit_arg_envv((envv), (envc), (length));               \
 189 } while (0)
 190
 191 #define AUDIT_ARG_EXIT(status, retval) do {                             \
 192         if (AUDITING_TD(curthread))                                     \
 193                 audit_arg_exit((status), (retval));                     \
 194 } while (0)
 195
 196 #define AUDIT_ARG_EUID(euid) do {                                       \
 197         if (AUDITING_TD(curthread))                                     \
 198                 audit_arg_euid((euid));                                 \
 199 } while (0)
 200
 201 #define AUDIT_ARG_FD(fd) do {                                           \
 202         if (AUDITING_TD(curthread))                                     \
 203                 audit_arg_fd((fd));                                     \
 204 } while (0)
 205
 206 #define AUDIT_ARG_FILE(p, fp) do {                                      \
 207         if (AUDITING_TD(curthread))                                     \
 208                 audit_arg_file((p), (fp));                              \
 209 } while (0)
 210
 211 #define AUDIT_ARG_FFLAGS(fflags) do {                                   \
 212         if (AUDITING_TD(curthread))                                     \
 213                 audit_arg_fflags((fflags));                             \
 214 } while (0)
 215
 216 #define AUDIT_ARG_GID(gid) do {                                         \
 217         if (AUDITING_TD(curthread))                                     \
 218                 audit_arg_gid((gid));                                   \
 219 } while (0)
 220
 221 #define AUDIT_ARG_GROUPSET(gidset, gidset_size) do {                    \
 222         if (AUDITING_TD(curthread))                                     \
 223                 audit_arg_groupset((gidset), (gidset_size));            \
 224 } while (0)
 225
 226 #define AUDIT_ARG_LOGIN(login) do {                                     \
 227         if (AUDITING_TD(curthread))                                     \
 228                 audit_arg_login((login));                               \
 229 } while (0)
 230
 231 #define AUDIT_ARG_MODE(mode) do {                                       \
 232         if (AUDITING_TD(curthread))                                     \
 233                 audit_arg_mode((mode));                                 \
 234 } while (0)
 235
 236 #define AUDIT_ARG_OWNER(uid, gid) do {                                  \
 237         if (AUDITING_TD(curthread))                                     \
 238                 audit_arg_owner((uid), (gid));                          \
 239 } while (0)
 240
 241 #define AUDIT_ARG_PID(pid) do {                                         \
 242         if (AUDITING_TD(curthread))                                     \
 243                 audit_arg_pid((pid));                                   \
 244 } while (0)
 245
 246 #define AUDIT_ARG_POSIX_IPC_PERM(uid, gid, mode) do {                   \
 247         if (AUDITING_TD(curthread))                                     \
 248                 audit_arg_posix_ipc_perm((uid), (gid), (mod));          \
 249 } while (0)
 250
 251 #define AUDIT_ARG_PROCESS(p) do {                                       \
 252         if (AUDITING_TD(curthread))                                     \
 253                 audit_arg_process((p));                                 \
 254 } while (0)
 255
 256 #define AUDIT_ARG_RGID(rgid) do {                                       \
 257         if (AUDITING_TD(curthread))                                     \
 258                 audit_arg_rgid((rgid));                                 \
 259 } while (0)
 260
 261 #define AUDIT_ARG_RIGHTS(rights) do {                                   \
 262         if (AUDITING_TD(curthread))                                     \
 263                 audit_arg_rights((rights));                             \
 264 } while (0)
 265
 266 #define AUDIT_ARG_FCNTL_RIGHTS(fcntlrights) do {                        \
 267         if (AUDITING_TD(curthread))                                     \
 268                 audit_arg_fcntl_rights((fcntlrights));                  \
 269 } while (0)
 270
 271 #define AUDIT_ARG_RUID(ruid) do {                                       \
 272         if (AUDITING_TD(curthread))                                     \
 273                 audit_arg_ruid((ruid));                                 \
 274 } while (0)
 275
 276 #define AUDIT_ARG_SIGNUM(signum) do {                                   \
 277         if (AUDITING_TD(curthread))                                     \
 278                 audit_arg_signum((signum));                             \
 279 } while (0)
 280
 281 #define AUDIT_ARG_SGID(sgid) do {                                       \
 282         if (AUDITING_TD(curthread))                                     \
 283                 audit_arg_sgid((sgid));                                 \
 284 } while (0)
 285
 286 #define AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol) do {             \
 287         if (AUDITING_TD(curthread))                                     \
 288                 audit_arg_socket((sodomain), (sotype), (soprotocol));   \
 289 } while (0)
 290
 291 #define AUDIT_ARG_SOCKADDR(td, dirfd, sa) do {                          \
 292         if (AUDITING_TD(curthread))                                     \
 293                 audit_arg_sockaddr((td), (dirfd), (sa));                \
 294 } while (0)
 295
 296 #define AUDIT_ARG_SUID(suid) do {                                       \
 297         if (AUDITING_TD(curthread))                                     \
 298                 audit_arg_suid((suid));                                 \
 299 } while (0)
 300
 301 #define AUDIT_ARG_SVIPC_CMD(cmd) do {                                   \
 302         if (AUDITING_TD(curthread))                                     \
 303                 audit_arg_svipc_cmd((cmd));                             \
 304 } while (0)
 305
 306 #define AUDIT_ARG_SVIPC_PERM(perm) do {                                 \
 307         if (AUDITING_TD(curthread))                                     \
 308                 audit_arg_svipc_perm((perm));                           \
 309 } while (0)
 310
 311 #define AUDIT_ARG_SVIPC_ID(id) do {                                     \
 312         if (AUDITING_TD(curthread))                                     \
 313                 audit_arg_svipc_id((id));                               \
 314 } while (0)
 315
 316 #define AUDIT_ARG_SVIPC_ADDR(addr) do {                                 \
 317         if (AUDITING_TD(curthread))                                     \
 318                 audit_arg_svipc_addr((addr));                           \
 319 } while (0)
 320
 321 #define AUDIT_ARG_SVIPC_WHICH(which) do {                               \
 322         if (AUDITING_TD(curthread))                                     \
 323                 audit_arg_svipc_which((which));                         \
 324 } while (0)
 325
 326 #define AUDIT_ARG_TEXT(text) do {                                       \
 327         if (AUDITING_TD(curthread))                                     \
 328                 audit_arg_text((text));                                 \
 329 } while (0)
 330
 331 #define AUDIT_ARG_UID(uid) do {                                         \
 332         if (AUDITING_TD(curthread))                                     \
 333                 audit_arg_uid((uid));                                   \
 334 } while (0)
 335
 336 #define AUDIT_ARG_UPATH1(td, dirfd, upath) do {                         \
 337         if (AUDITING_TD(curthread))                                     \
 338                 audit_arg_upath1((td), (dirfd), (upath));               \
 339 } while (0)
 340
 341 #define AUDIT_ARG_UPATH1_CANON(upath) do {                              \
 342         if (AUDITING_TD(curthread))                                     \
 343                 audit_arg_upath1_canon((upath));                        \
 344 } while (0)
 345
 346 #define AUDIT_ARG_UPATH2(td, dirfd, upath) do {                         \
 347         if (AUDITING_TD(curthread))                                     \
 348                 audit_arg_upath2((td), (dirfd), (upath));               \
 349 } while (0)
 350
 351 #define AUDIT_ARG_UPATH2_CANON(upath) do {                              \
 352         if (AUDITING_TD(curthread))                                     \
 353                 audit_arg_upath2_canon((upath));                        \
 354 } while (0)
 355
 356 #define AUDIT_ARG_VALUE(value) do {                                     \
 357         if (AUDITING_TD(curthread))                                     \
 358                 audit_arg_value((value));                               \
 359 } while (0)
 360
 361 #define AUDIT_ARG_VNODE1(vp) do {                                       \
 362         if (AUDITING_TD(curthread))                                     \
 363                 audit_arg_vnode1((vp));                                 \
 364 } while (0)
 365
 366 #define AUDIT_ARG_VNODE2(vp) do {                                       \
 367         if (AUDITING_TD(curthread))                                     \
 368                 audit_arg_vnode2((vp));                                 \
 369 } while (0)
 370
 371 #define AUDIT_SYSCALL_ENTER(code, td)   do {                            \
 372         if (audit_enabled) {                                            \
 373                 audit_syscall_enter(code, td);                          \
 374         }                                                               \
 375 } while (0)
 376
 377 /*
 378  * Wrap the audit_syscall_exit() function so that it is called only when
 379  * we have a audit record on the thread.  Audit records can persist after
 380  * auditing is disabled, so we don't just check audit_enabled here.
 381  */
 382 #define AUDIT_SYSCALL_EXIT(error, td)   do {                            \
 383         if (td->td_pflags & TDP_AUDITREC)                               \
 384                 audit_syscall_exit(error, td);                          \
 385 } while (0)
 386
 387 /*
 388  * A Macro to wrap the audit_sysclose() function.
 389  */
 390 #define AUDIT_SYSCLOSE(td, fd)  do {                                    \
 391         if (td->td_pflags & TDP_AUDITREC)                               \
 392                 audit_sysclose(td, fd);                                 \
 393 } while (0)
 394
 395 #else /* !AUDIT */
 396
 397 #define AUDIT_ARG_ADDR(addr)
 398 #define AUDIT_ARG_ARGV(argv, argc, length)
 399 #define AUDIT_ARG_ATFD1(atfd)
 400 #define AUDIT_ARG_ATFD2(atfd)
 401 #define AUDIT_ARG_AUDITON(udata)
 402 #define AUDIT_ARG_CMD(cmd)
 403 #define AUDIT_ARG_DEV(dev)
 404 #define AUDIT_ARG_EGID(egid)
 405 #define AUDIT_ARG_ENVV(envv, envc, length)
 406 #define AUDIT_ARG_EXIT(status, retval)
 407 #define AUDIT_ARG_EUID(euid)
 408 #define AUDIT_ARG_FD(fd)
 409 #define AUDIT_ARG_FILE(p, fp)
 410 #define AUDIT_ARG_FFLAGS(fflags)
 411 #define AUDIT_ARG_GID(gid)
 412 #define AUDIT_ARG_GROUPSET(gidset, gidset_size)
 413 #define AUDIT_ARG_LOGIN(login)
 414 #define AUDIT_ARG_MODE(mode)
 415 #define AUDIT_ARG_OWNER(uid, gid)
 416 #define AUDIT_ARG_PID(pid)
 417 #define AUDIT_ARG_POSIX_IPC_PERM(uid, gid, mode)
 418 #define AUDIT_ARG_PROCESS(p)
 419 #define AUDIT_ARG_RGID(rgid)
 420 #define AUDIT_ARG_RIGHTS(rights)
 421 #define AUDIT_ARG_FCNTL_RIGHTS(fcntlrights)
 422 #define AUDIT_ARG_RUID(ruid)
 423 #define AUDIT_ARG_SIGNUM(signum)
 424 #define AUDIT_ARG_SGID(sgid)
 425 #define AUDIT_ARG_SOCKET(sodomain, sotype, soprotocol)
 426 #define AUDIT_ARG_SOCKADDR(td, dirfd, sa)
 427 #define AUDIT_ARG_SUID(suid)
 428 #define AUDIT_ARG_SVIPC_CMD(cmd)
 429 #define AUDIT_ARG_SVIPC_PERM(perm)
 430 #define AUDIT_ARG_SVIPC_ID(id)
 431 #define AUDIT_ARG_SVIPC_ADDR(addr)
 432 #define AUDIT_ARG_SVIPC_WHICH(which)
 433 #define AUDIT_ARG_TEXT(text)
 434 #define AUDIT_ARG_UID(uid)
 435 #define AUDIT_ARG_UPATH1(td, dirfd, upath)
 436 #define AUDIT_ARG_UPATH1_CANON(upath)
 437 #define AUDIT_ARG_UPATH2(td, dirfd, upath)
 438 #define AUDIT_ARG_UPATH2_CANON(upath)
 439 #define AUDIT_ARG_VALUE(value)
 440 #define AUDIT_ARG_VNODE1(vp)
 441 #define AUDIT_ARG_VNODE2(vp)
 442
 443 #define AUDIT_SYSCALL_ENTER(code, td)
 444 #define AUDIT_SYSCALL_EXIT(error, td)
 445
 446 #define AUDIT_SYSCLOSE(p, fd)
 447
 448 #endif /* AUDIT */
 449
 450 #endif /* !_SECURITY_AUDIT_KERNEL_H_ */