1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
24 */
25
26 /*
27 * This file contains the declarations of the various data structures
28 * used by the auditing module(s).
29 */
30
31 #ifndef _BSM_AUDIT_H
32 #define _BSM_AUDIT_H
33
34 #ifdef __cplusplus
35 extern "C" {
36 #endif
37
38
39 #include <sys/shm.h> /* for shmid_ds structure */
40 #include <sys/sem.h> /* for semid_ds structure */
41 #include <sys/msg.h> /* for msqid_ds structure */
42 #include <sys/atomic.h> /* using atomics */
43 #include <sys/secflags.h>
44
45 /*
46 * Audit conditions, statements reguarding what's to be done with
47 * audit records. None of the "global state" is returned by an
48 * auditconfig -getcond call. AUC_NOSPACE no longer seems used.
49 */
50 /* global state */
51 #define AUC_UNSET 0 /* on/off hasn't been decided */
52 #define AUC_ENABLED 1 /* loaded and enabled */
53 /* pseudo state used in libbsm */
54 #define AUC_DISABLED 0x100 /* c2audit module is excluded */
55 /* local zone state */
56 #define AUC_AUDITING 0x1 /* audit daemon is active */
57 #define AUC_NOAUDIT 0x2 /* audit daemon is not active */
58 #define AUC_INIT_AUDIT 0x4 /* audit ready but auditd has not run */
59 #define AUC_NOSPACE 0x8 /* audit enabled, no space for audit records */
60
61 /*
62 * The user id -2 is never audited - in fact, a setauid(AU_NOAUDITID)
63 * will turn off auditing.
64 */
65 #define AU_NOAUDITID ((au_id_t)-2)
66
67 /*
68 * success/failure bits for asynchronous events
69 */
70
71 #define AUM_SUCC 1 /* use the system success preselection mask */
72 #define AUM_FAIL 2 /* use the system failure preselection mask */
73
74
75 /*
76 * Defines for event modifier field
77 */
78 #define PAD_READ 0x0001 /* object read */
79 #define PAD_WRITE 0x0002 /* object write */
80 #define PAD_NONATTR 0x4000 /* non-attributable event */
81 #define PAD_FAILURE 0x8000 /* fail audit event */
82 #define PAD_SPRIVUSE 0x0080 /* successfully used privileged */
83 #define PAD_FPRIVUSE 0x0100 /* failed use of privileged */
84
85 /*
86 * Some typedefs for the fundamentals
87 */
88 typedef uint_t au_asid_t;
89 typedef uint_t au_class_t;
90 typedef ushort_t au_event_t;
91 typedef ushort_t au_emod_t;
92 typedef uid_t au_id_t;
93
94 /*
95 * An audit event mask.
96 */
97 #define AU_MASK_ALL 0xFFFFFFFF /* all bits on for unsigned int */
98 #define AU_MASK_NONE 0x0 /* all bits off = no:invalid class */
99
100 struct au_mask {
101 unsigned int am_success; /* success bits */
102 unsigned int am_failure; /* failure bits */
103 };
104 typedef struct au_mask au_mask_t;
105 #define as_success am_success
106 #define as_failure am_failure
107
108 /*
109 * The structure of the terminal ID (ipv4)
110 */
111 struct au_tid {
112 dev_t port;
113 uint_t machine;
114 };
115
116 #if defined(_SYSCALL32)
117 struct au_tid32 {
118 uint_t port;
119 uint_t machine;
120 };
121
122 typedef struct au_tid32 au_tid32_t;
123 #endif
124
125 typedef struct au_tid au_tid_t;
126
127 /*
128 * The structure of the terminal ID (ipv6)
129 */
130 struct au_tid_addr {
131 dev_t at_port;
132 uint_t at_type;
133 uint_t at_addr[4];
134 };
135
136 struct au_port_s {
137 uint32_t at_major; /* major # */
138 uint32_t at_minor; /* minor # */
139 };
140 typedef struct au_port_s au_port_t;
141
142 struct au_tid_addr64 {
143 au_port_t at_port;
144 uint_t at_type;
145 uint_t at_addr[4];
146 };
147 typedef struct au_tid_addr64 au_tid64_addr_t;
148
149 #if defined(_SYSCALL32)
150 struct au_tid_addr32 {
151 uint_t at_port;
152 uint_t at_type;
153 uint_t at_addr[4];
154 };
155
156 typedef struct au_tid_addr32 au_tid32_addr_t;
157 #endif
158
159 typedef struct au_tid_addr au_tid_addr_t;
160
161 struct au_ip {
162 uint16_t at_r_port; /* remote port */
163 uint16_t at_l_port; /* local port */
164 uint32_t at_type; /* AU_IPv4,... */
165 uint32_t at_addr[4]; /* remote IP */
166 };
167 typedef struct au_ip au_ip_t;
168
169 /*
170 * Generic network address structure
171 */
172 struct au_generic_tid {
173 uchar_t gt_type; /* AU_IPADR, AU_DEVICE,... */
174 union {
175 au_ip_t at_ip;
176 au_port_t at_dev;
177 } gt_adr;
178 };
179 typedef struct au_generic_tid au_generic_tid_t;
180
181 /*
182 * au_generic_tid_t gt_type values
183 * 0 is reserved for uninitialized data
184 */
185 #define AU_IPADR 1
186 #define AU_ETHER 2
187 #define AU_DEVICE 3
188
189 /*
190 * at_type values - address length used to identify address type
191 */
192 #define AU_IPv4 4 /* ipv4 type IP address */
193 #define AU_IPv6 16 /* ipv6 type IP address */
194
195 /*
196 * Compatability with SunOS 4.x BSM module
197 *
198 * New code should not contain audit_state_t,
199 * au_state_t, nor au_termid as these types
200 * may go away in future releases.
201 *
202 * typedef new-5.x-bsm-name old-4.x-bsm-name
203 */
204
205 typedef au_class_t au_state_t;
206 typedef au_mask_t audit_state_t;
207 typedef au_id_t auid_t;
208 #define ai_state ai_mask;
209
210 /*
211 * Opcodes for bsm system calls
212 */
213
214 #define BSM_GETAUID 19
215 #define BSM_SETAUID 20
216 #define BSM_GETAUDIT 21
217 #define BSM_SETAUDIT 22
218 /* 23 OBSOLETE */
219 /* 24 OBSOLETE */
220 #define BSM_AUDIT 25
221 /* 26 OBSOLETE */
222 /* 27 EOL announced for Sol 10 */
223 /* 28 OBSOLETE */
224 #define BSM_AUDITCTL 29
225 /* 30 OBSOLETE */
226 /* 31 OBSOLETE */
227 /* 32 OBSOLETE */
228 /* 33 OBSOLETE */
229 /* 34 OBSOLETE */
230 #define BSM_GETAUDIT_ADDR 35
231 #define BSM_SETAUDIT_ADDR 36
232 #define BSM_AUDITDOOR 37
233
234 /*
235 * auditon(2) commands
236 */
237 #define A_GETPOLICY 2 /* get audit policy */
238 #define A_SETPOLICY 3 /* set audit policy */
239 #define A_GETKMASK 4 /* get non-attributable event audit mask */
240 #define A_SETKMASK 5 /* set non-attributable event audit mask */
241 #define A_GETQCTRL 6 /* get kernel audit queue ctrl parameters */
242 #define A_SETQCTRL 7 /* set kernel audit queue ctrl parameters */
243 #define A_GETCWD 8 /* get process current working directory */
244 #define A_GETCAR 9 /* get process current active root */
245 #define A_GETSTAT 12 /* get audit statistics */
246 #define A_SETSTAT 13 /* (re)set audit statistics */
247 #define A_SETUMASK 14 /* set preselection mask for procs with auid */
248 #define A_SETSMASK 15 /* set preselection mask for procs with asid */
249 #define A_GETCOND 20 /* get audit system on/off condition */
250 #define A_SETCOND 21 /* set audit system on/off condition */
251 #define A_GETCLASS 22 /* get audit event to class mapping */
252 #define A_SETCLASS 23 /* set audit event to class mapping */
253 #define A_GETPINFO 24 /* get audit info for an arbitrary pid */
254 #define A_SETPMASK 25 /* set preselection mask for an given pid */
255 #define A_GETPINFO_ADDR 28 /* get audit info for an arbitrary pid */
256 #define A_GETKAUDIT 29 /* get kernel audit characteristics */
257 #define A_SETKAUDIT 30 /* set kernel audit characteristics */
258 #define A_GETAMASK 31 /* set user default audit event mask */
259 #define A_SETAMASK 32 /* get user default audit event mask */
260
261 /*
262 * Audit Policy parameters (32 bits)
263 */
264 #define AUDIT_CNT 0x0001 /* do NOT sleep undelivered synch events */
265 #define AUDIT_AHLT 0x0002 /* HALT machine on undelivered async event */
266 #define AUDIT_ARGV 0x0004 /* include argv with execv system call events */
267 #define AUDIT_ARGE 0x0008 /* include arge with execv system call events */
268 #define AUDIT_SEQ 0x0010 /* include sequence attribute */
269 #define AUDIT_GROUP 0x0040 /* include group attribute with each record */
270 #define AUDIT_TRAIL 0x0080 /* include trailer token */
271 #define AUDIT_PATH 0x0100 /* allow multiple paths per event */
272 #define AUDIT_SCNT 0x0200 /* sleep user events but not kernel events */
273 #define AUDIT_PUBLIC 0x0400 /* audit even "public" files */
274 #define AUDIT_ZONENAME 0x0800 /* emit zonename token */
275 #define AUDIT_PERZONE 0x1000 /* auditd and audit queue for each zone */
276 #define AUDIT_WINDATA_DOWN 0x2000 /* include paste downgraded data */
277 #define AUDIT_WINDATA_UP 0x4000 /* include paste upgraded data */
278
279 /*
280 * If AUDIT_GLOBAL changes, corresponding changes are required in
281 * audit_syscalls.c's setpolicy().
282 */
283 #define AUDIT_GLOBAL (AUDIT_AHLT | AUDIT_PERZONE)
284 #define AUDIT_LOCAL (AUDIT_CNT | AUDIT_ARGV | AUDIT_ARGE |\
285 AUDIT_SEQ | AUDIT_GROUP | AUDIT_TRAIL | AUDIT_PATH |\
286 AUDIT_PUBLIC | AUDIT_SCNT | AUDIT_ZONENAME |\
287 AUDIT_WINDATA_DOWN | AUDIT_WINDATA_UP)
288
289 /*
290 * Kernel audit queue control parameters
291 *
292 * audit record recording blocks at hiwater # undelived records
293 * audit record recording resumes at lowwater # undelivered audit records
294 * bufsz determines how big the data xfers will be to the audit trail
295 */
296 struct au_qctrl {
297 size_t aq_hiwater; /* kernel audit queue, high water mark */
298 size_t aq_lowater; /* kernel audit queue, low water mark */
299 size_t aq_bufsz; /* kernel audit queue, write size to trail */
300 clock_t aq_delay; /* delay before flushing audit queue */
301 };
302
303 #if defined(_SYSCALL32)
304 struct au_qctrl32 {
305 size32_t aq_hiwater;
306 size32_t aq_lowater;
307 size32_t aq_bufsz;
308 clock32_t aq_delay;
309 };
310 #endif
311
312
313 /*
314 * default values of hiwater and lowater (note hi > lo)
315 */
316 #define AQ_HIWATER 100
317 #define AQ_MAXHIGH 100000
318 #define AQ_LOWATER 10
319 #define AQ_BUFSZ 8192
320 #define AQ_MAXBUFSZ 1048576
321 #define AQ_DELAY 20
322 #define AQ_MAXDELAY 20000
323
324 struct auditinfo {
325 au_id_t ai_auid;
326 au_mask_t ai_mask;
327 au_tid_t ai_termid;
328 au_asid_t ai_asid;
329 };
330
331 #if defined(_SYSCALL32)
332 struct auditinfo32 {
333 au_id_t ai_auid;
334 au_mask_t ai_mask;
335 au_tid32_t ai_termid;
336 au_asid_t ai_asid;
337 };
338
339 typedef struct auditinfo32 auditinfo32_t;
340 #endif
341
342 typedef struct auditinfo auditinfo_t;
343
344 struct k_auditinfo_addr {
345 au_id_t ai_auid;
346 au_mask_t ai_amask; /* user default preselection mask */
347 au_mask_t ai_namask; /* non-attributable mask */
348 au_tid_addr_t ai_termid;
349 au_asid_t ai_asid;
350 };
351 typedef struct k_auditinfo_addr k_auditinfo_addr_t;
352
353 struct auditinfo_addr {
354 au_id_t ai_auid;
355 au_mask_t ai_mask;
356 au_tid_addr_t ai_termid;
357 au_asid_t ai_asid;
358 };
359
360 struct auditinfo_addr64 {
361 au_id_t ai_auid;
362 au_mask_t ai_mask;
363 au_tid64_addr_t ai_termid;
364 au_asid_t ai_asid;
365 };
366 typedef struct auditinfo_addr64 auditinfo64_addr_t;
367
368 #if defined(_SYSCALL32)
369 struct auditinfo_addr32 {
370 au_id_t ai_auid;
371 au_mask_t ai_mask;
372 au_tid32_addr_t ai_termid;
373 au_asid_t ai_asid;
374 };
375
376 typedef struct auditinfo_addr32 auditinfo32_addr_t;
377 #endif
378
379 typedef struct auditinfo_addr auditinfo_addr_t;
380
381 struct auditpinfo {
382 pid_t ap_pid;
383 au_id_t ap_auid;
384 au_mask_t ap_mask;
385 au_tid_t ap_termid;
386 au_asid_t ap_asid;
387 };
388
389 #if defined(_SYSCALL32)
390 struct auditpinfo32 {
391 pid_t ap_pid;
392 au_id_t ap_auid;
393 au_mask_t ap_mask;
394 au_tid32_t ap_termid;
395 au_asid_t ap_asid;
396 };
397 #endif
398
399
400 struct auditpinfo_addr {
401 pid_t ap_pid;
402 au_id_t ap_auid;
403 au_mask_t ap_mask;
404 au_tid_addr_t ap_termid;
405 au_asid_t ap_asid;
406 };
407
408 #if defined(_SYSCALL32)
409 struct auditpinfo_addr32 {
410 pid_t ap_pid;
411 au_id_t ap_auid;
412 au_mask_t ap_mask;
413 au_tid32_addr_t ap_termid;
414 au_asid_t ap_asid;
415 };
416 #endif
417
418
419 struct au_evclass_map {
420 au_event_t ec_number;
421 au_class_t ec_class;
422 };
423 typedef struct au_evclass_map au_evclass_map_t;
424
425 /*
426 * Audit stat structures (used to be in audit_stat.h
427 */
428
429 struct audit_stat {
430 unsigned int as_version; /* version of kernel audit code */
431 unsigned int as_numevent; /* number of kernel audit events */
432 uint32_t as_generated; /* # records processed */
433 uint32_t as_nonattrib; /* # non-attributed records produced */
434 uint32_t as_kernel; /* # records produced by kernel */
435 uint32_t as_audit; /* # records processed by audit(2) */
436 uint32_t as_auditctl; /* # records processed by auditctl(2) */
437 uint32_t as_enqueue; /* # records put onto audit queue */
438 uint32_t as_written; /* # records written to audit trail */
439 uint32_t as_wblocked; /* # times write blked on audit queue */
440 uint32_t as_rblocked; /* # times read blked on audit queue */
441 uint32_t as_dropped; /* # of dropped audit records */
442 uint32_t as_totalsize; /* total number bytes of audit data */
443 uint32_t as_memused; /* no longer used */
444 };
445 typedef struct audit_stat au_stat_t;
446
447 /* get kernel audit context dependent on AUDIT_PERZONE policy */
448 #define GET_KCTX_PZ (audit_policy & AUDIT_PERZONE) ?\
449 curproc->p_zone->zone_audit_kctxt :\
450 global_zone->zone_audit_kctxt
451 /* get kernel audit context of global zone */
452 #define GET_KCTX_GZ global_zone->zone_audit_kctxt
453 /* get kernel audit context of non-global zone */
454 #define GET_KCTX_NGZ curproc->p_zone->zone_audit_kctxt
455
456 #define AS_INC(a, b, c) atomic_add_32(&(c->auk_statistics.a), (b))
457 #define AS_DEC(a, b, c) atomic_add_32(&(c->auk_statistics.a), -(b))
458
459 /*
460 * audit token IPC types (shm, sem, msg) [for ipc attribute]
461 */
462
463 #define AT_IPC_MSG ((char)1) /* message IPC id */
464 #define AT_IPC_SEM ((char)2) /* semaphore IPC id */
465 #define AT_IPC_SHM ((char)3) /* shared memory IPC id */
466
467 #if defined(_KERNEL)
468
469 #ifdef __cplusplus
470 }
471 #endif
472
473 #include <sys/types.h>
474 #include <sys/model.h>
475 #include <sys/proc.h>
476 #include <sys/stream.h>
477 #include <sys/stropts.h>
478 #include <sys/file.h>
479 #include <sys/pathname.h>
480 #include <sys/vnode.h>
481 #include <sys/systm.h>
482 #include <netinet/in.h>
483 #include <c2/audit_door_infc.h>
484 #include <sys/crypto/ioctladmin.h>
485 #include <sys/netstack.h>
486 #include <sys/zone.h>
487
488 #ifdef __cplusplus
489 extern "C" {
490 #endif
491
492 struct fcntla;
493 struct t_audit_data;
494 struct t_audit_sacl;
495 struct audit_path;
496 struct priv_set;
497 struct devplcysys;
498
499 struct auditcalls {
500 long code;
501 long a1;
502 long a2;
503 long a3;
504 long a4;
505 long a5;
506 };
507
508 int audit(caddr_t, int);
509 int auditsys(struct auditcalls *, union rval *); /* fake stub */
510 void audit_cryptoadm(int, char *, crypto_mech_name_t *,
511 uint_t, uint_t, uint32_t, int);
512 void audit_init(void);
513 void audit_init_module(void);
514 void audit_newproc(struct proc *);
515 void audit_pfree(struct proc *);
516 void audit_thread_create(kthread_id_t);
517 void audit_thread_free(kthread_id_t);
518 int audit_savepath(struct pathname *, struct vnode *, struct vnode *,
519 int, cred_t *);
520 void audit_anchorpath(struct pathname *, int);
521 void audit_symlink(struct pathname *, struct pathname *);
522 void audit_symlink_create(struct vnode *, char *, char *, int);
523 int object_is_public(struct vattr *);
524 void audit_attributes(struct vnode *);
525 void audit_falloc(struct file *);
526 void audit_unfalloc(struct file *);
527 void audit_exit(int, int);
528 void audit_core_start(int);
529 void audit_core_finish(int);
530 void audit_strgetmsg(struct vnode *, struct strbuf *, struct strbuf *,
531 unsigned char *, int *, int);
532 void audit_strputmsg(struct vnode *, struct strbuf *, struct strbuf *,
533 unsigned char, int, int);
534 void audit_closef(struct file *);
535 void audit_setf(struct file *, int);
536 void audit_reboot(void);
537 void audit_vncreate_start(void);
538 void audit_setfsat_path(int argnum);
539 void audit_vncreate_finish(struct vnode *, int);
540 void audit_exec(const char *, const char *, ssize_t, ssize_t, cred_t *);
541 void audit_enterprom(int);
542 void audit_exitprom(int);
543 void audit_chdirec(struct vnode *, struct vnode **);
544 void audit_sock(int, struct queue *, struct msgb *, int);
545 int audit_start(unsigned int, unsigned int, uint32_t, int, klwp_t *);
546 void audit_finish(unsigned int, unsigned int, int, union rval *);
547 int audit_async_start(label_t *, au_event_t, int);
548 void audit_async_finish(caddr_t *, au_event_t, au_emod_t, timestruc_t *);
549 void audit_async_discard_backend(void *);
550 void audit_async_done(caddr_t *, int);
551 void audit_async_drop(caddr_t *, int);
552 void audit_sacl(char *, cred_t *, uint32_t, boolean_t,
553 struct t_audit_sacl *);
554
555 #ifndef AUK_CONTEXT_T
556 #define AUK_CONTEXT_T
557 typedef struct au_kcontext au_kcontext_t;
558 #endif
559
560 /* Zone audit context setup routine */
561 void au_zone_setup(void);
562
563 /*
564 * c2audit module states
565 */
566 #define C2AUDIT_DISABLED 0 /* c2audit module excluded in /etc/system */
567 #define C2AUDIT_UNLOADED 1 /* c2audit module not loaded */
568 #define C2AUDIT_LOADED 2 /* c2audit module loaded */
569
570 uint32_t audit_getstate(void);
571 int au_zone_getstate(const au_kcontext_t *);
572
573 /* The audit mask defining in which case is auditing enabled */
574 #define AU_AUDIT_MASK (AUC_AUDITING | AUC_NOSPACE)
575
576 /*
577 * Get the given zone audit status. zcontext != NULL serves
578 * as a protection when c2audit module is not loaded.
579 */
580 #define AU_ZONE_AUDITING(zcontext) \
581 (audit_active == C2AUDIT_LOADED && \
582 ((AU_AUDIT_MASK) & au_zone_getstate((zcontext))))
583
584 #define AU_AUDIT_PERZONE() \
585 ((audit_policy & AUDIT_PERZONE) != 0)
586
587 /*
588 * Get auditing status
589 */
590 #define AU_AUDITING() (audit_getstate())
591
592 int audit_success(au_kcontext_t *, struct t_audit_data *, int, cred_t *);
593 int auditme(au_kcontext_t *, struct t_audit_data *, au_state_t);
594 int auditev(au_event_t, cred_t *);
595 void audit_fixpath(struct audit_path *, int);
596 void audit_ipc(int, int, void *);
597 void audit_ipcget(int, void *);
598 void audit_fdsend(int, struct file *, int);
599 void audit_fdrecv(int, struct file *);
600 void audit_priv(int, const struct priv_set *, int);
601 void audit_setppriv(int, int, const struct priv_set *, const cred_t *);
602 void audit_psecflags(proc_t *, psecflagwhich_t,
603 const secflagdelta_t *);
604 void audit_devpolicy(int, const struct devplcysys *);
605 void audit_update_context(proc_t *, cred_t *);
606 void audit_kssl(int, void *, int);
607 void audit_pf_policy(int, cred_t *, netstack_t *, char *, boolean_t, int,
608 pid_t);
609 void audit_sec_attributes(caddr_t *, struct vnode *);
610
611 #endif
612
613 #ifdef __cplusplus
614 }
615 #endif
616
617 #endif /* _BSM_AUDIT_H */