3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #ifndef _BSM_AUDIT_KERNEL_H
26 #define _BSM_AUDIT_KERNEL_H
27
28
29 /*
30 * This file contains the basic auditing control structure definitions.
31 */
32
33 #include <c2/audit_kevents.h>
34 #include <sys/priv_impl.h>
35 #include <sys/taskq.h>
36 #include <sys/zone.h>
37
38 #include <sys/tsol/label.h>
39
40 #ifdef __cplusplus
41 extern "C" {
42 #endif
43
44 /*
45 * This table contains the mapping from the system call ID to a corresponding
46 * audit event.
47 *
48 * au_init() is a function called at the beginning of the system call that
49 * performs any necessary setup/processing. It maps the call into the
50 * appropriate event, depending on the system call arguments. It is called
51 * by audit_start() from trap.c .
52 *
168 extern kmem_cache_t *au_pad_cache;
169
170 /*
171 * Defines for thread audit control/status flags (tad_ctrl)
172 */
173 #define TAD_ABSPATH 0x00000001 /* path from lookup is absolute */
174 #define TAD_ATCALL 0x00000002 /* *at() syscall, like openat() */
175 #define TAD_ATTPATH 0x00000004 /* attribute file lookup */
176 #define TAD_CORE 0x00000008 /* save attribute during core dump */
177 #define TAD_ERRJMP 0x00000010 /* abort record generation on error */
178 #define TAD_MLD 0x00000020 /* system call involves MLD */
179 #define TAD_NOATTRB 0x00000040 /* do not automatically add attribute */
180 #define TAD_NOAUDIT 0x00000080 /* discard audit record */
181 #define TAD_NOPATH 0x00000100 /* force no paths in audit record */
182 #define TAD_PATHFND 0x00000200 /* found path, don't retry lookup */
183 #define TAD_PUBLIC_EV 0x00000400 /* syscall is defined as a public op */
184 #define TAD_SAVPATH 0x00000800 /* save path for further processing */
185 #define TAD_TRUE_CREATE 0x00001000 /* true create, file not found */
186
187 /*
188 * The structure t_audit_data hangs off of the thread structure. It contains
189 * all of the audit information necessary to manage the audit record generation
190 * for each thread.
191 *
192 */
193
194 struct t_audit_data {
195 kthread_id_t tad_thread; /* DEBUG pointer to parent thread */
196 unsigned int tad_scid; /* system call ID for finish */
197 au_event_t tad_event; /* event for audit record */
198 au_emod_t tad_evmod; /* event modifier for audit record */
199 int tad_ctrl; /* audit control/status flags */
200 void *tad_errjmp; /* error longjmp (audit record aborted) */
201 int tad_flag; /* to audit or not to audit */
202 uint32_t tad_audit; /* auditing enabled/disabled */
203 struct audit_path *tad_aupath; /* captured at vfs_lookup */
204 struct audit_path *tad_atpath; /* openat prefix, path of fd */
205 caddr_t tad_ad; /* base of accumulated audit data */
206 au_defer_info_t *tad_defer_head; /* queue of records to defer */
207 /* until syscall end: */
208 au_defer_info_t *tad_defer_tail; /* tail of defer queue */
209 priv_set_t tad_sprivs; /* saved (success) used privs */
210 priv_set_t tad_fprivs; /* saved (failed) used privs */
211 };
212 typedef struct t_audit_data t_audit_data_t;
213
214 /*
215 * The f_audit_data structure hangs off of the file structure. It contains
216 * three fields of data. The audit ID, the audit state, and a path name.
217 */
218
219 struct f_audit_data {
220 kthread_id_t fad_thread; /* DEBUG creating thread */
221 int fad_flags; /* audit control flags */
222 struct audit_path *fad_aupath; /* path from vfs_lookup */
223 };
224 typedef struct f_audit_data f_audit_data_t;
225
226 #define FAD_READ 0x0001 /* read system call seen */
227 #define FAD_WRITE 0x0002 /* write system call seen */
228
229 #define P2A(p) (p->p_audit_data)
230 #define T2A(t) (t->t_audit_data)
|
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
24 */
25
26 #ifndef _BSM_AUDIT_KERNEL_H
27 #define _BSM_AUDIT_KERNEL_H
28
29
30 /*
31 * This file contains the basic auditing control structure definitions.
32 */
33
34 #include <c2/audit.h>
35 #include <c2/audit_kevents.h>
36 #include <sys/priv_impl.h>
37 #include <sys/taskq.h>
38 #include <sys/zone.h>
39
40 #include <sys/tsol/label.h>
41
42 #ifdef __cplusplus
43 extern "C" {
44 #endif
45
46 /*
47 * This table contains the mapping from the system call ID to a corresponding
48 * audit event.
49 *
50 * au_init() is a function called at the beginning of the system call that
51 * performs any necessary setup/processing. It maps the call into the
52 * appropriate event, depending on the system call arguments. It is called
53 * by audit_start() from trap.c .
54 *
170 extern kmem_cache_t *au_pad_cache;
171
172 /*
173 * Defines for thread audit control/status flags (tad_ctrl)
174 */
175 #define TAD_ABSPATH 0x00000001 /* path from lookup is absolute */
176 #define TAD_ATCALL 0x00000002 /* *at() syscall, like openat() */
177 #define TAD_ATTPATH 0x00000004 /* attribute file lookup */
178 #define TAD_CORE 0x00000008 /* save attribute during core dump */
179 #define TAD_ERRJMP 0x00000010 /* abort record generation on error */
180 #define TAD_MLD 0x00000020 /* system call involves MLD */
181 #define TAD_NOATTRB 0x00000040 /* do not automatically add attribute */
182 #define TAD_NOAUDIT 0x00000080 /* discard audit record */
183 #define TAD_NOPATH 0x00000100 /* force no paths in audit record */
184 #define TAD_PATHFND 0x00000200 /* found path, don't retry lookup */
185 #define TAD_PUBLIC_EV 0x00000400 /* syscall is defined as a public op */
186 #define TAD_SAVPATH 0x00000800 /* save path for further processing */
187 #define TAD_TRUE_CREATE 0x00001000 /* true create, file not found */
188
189 /*
190 * These types implement the interface between a consumer and FS for handling
191 * SACL-based File Access Auditing. A consumer zeroes out the appropriate
192 * t_audit_sacl_t in T2A(curthread), then sets tad_sacl_ctrl to one of
193 * sacl_audit_ctrl_t. The FS, when auditing of SACLs is enabled, checks to see
194 * if tad_sacl_ctrl is not NONE. If so, it collects information from the
195 * object's SACL (such as NFSv4 Audit and Alarm type ACEs), and stores
196 * representative Success and Failure masks in the t_audit_sacl_t structure.
197 * The consumer then compares the requested access to the appropriate mask in
198 * order to determine whether an audit record should be generated.
199 */
200 typedef struct t_audit_sacl {
201 uint32_t tas_smask;
202 uint32_t tas_fmask;
203 } t_audit_sacl_t;
204
205 typedef enum sacl_audit_ctrl {
206 SACL_AUDIT_NONE = 0,
207 SACL_AUDIT_ON,
208 SACL_AUDIT_ALL,
209 SACL_AUDIT_NO_SRC
210 } sacl_audit_ctrl_t;
211
212 /*
213 * The structure t_audit_data hangs off of the thread structure. It contains
214 * all of the audit information necessary to manage the audit record generation
215 * for each thread.
216 *
217 */
218
219 struct t_audit_data {
220 kthread_id_t tad_thread; /* DEBUG pointer to parent thread */
221 unsigned int tad_scid; /* system call ID for finish */
222 au_event_t tad_event; /* event for audit record */
223 au_emod_t tad_evmod; /* event modifier for audit record */
224 int tad_ctrl; /* audit control/status flags */
225 void *tad_errjmp; /* error longjmp (audit record aborted) */
226 int tad_flag; /* to audit or not to audit */
227 uint32_t tad_audit; /* auditing enabled/disabled */
228 struct audit_path *tad_aupath; /* captured at vfs_lookup */
229 struct audit_path *tad_atpath; /* openat prefix, path of fd */
230 caddr_t tad_ad; /* base of accumulated audit data */
231 au_defer_info_t *tad_defer_head; /* queue of records to defer */
232 /* until syscall end: */
233 au_defer_info_t *tad_defer_tail; /* tail of defer queue */
234 priv_set_t tad_sprivs; /* saved (success) used privs */
235 priv_set_t tad_fprivs; /* saved (failed) used privs */
236 sacl_audit_ctrl_t tad_sacl_ctrl;
237 sacl_audit_ctrl_t tad_sacl_backup;
238 t_audit_sacl_t tad_sacl_mask;
239 t_audit_sacl_t tad_sacl_mask_src;
240 t_audit_sacl_t tad_sacl_mask_dest;
241 };
242 typedef struct t_audit_data t_audit_data_t;
243
244 /*
245 * The f_audit_data structure hangs off of the file structure. It contains
246 * three fields of data. The audit ID, the audit state, and a path name.
247 */
248
249 struct f_audit_data {
250 kthread_id_t fad_thread; /* DEBUG creating thread */
251 int fad_flags; /* audit control flags */
252 struct audit_path *fad_aupath; /* path from vfs_lookup */
253 };
254 typedef struct f_audit_data f_audit_data_t;
255
256 #define FAD_READ 0x0001 /* read system call seen */
257 #define FAD_WRITE 0x0002 /* write system call seen */
258
259 #define P2A(p) (p->p_audit_data)
260 #define T2A(t) (t->t_audit_data)
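Review bot: The five `tad_sacl_*` fields added to `struct t_audit_data` and the members of `sacl_audit_ctrl_t` carry no comments, although every other field in the struct has one, and the block comment above `t_audit_sacl_t` explains neither `tad_sacl_backup` nor how `SACL_AUDIT_ON`, `SACL_AUDIT_ALL` and `SACL_AUDIT_NO_SRC` differ. I would comment the mask members from what that block comment already says, e.g. `uint32_t tas_smask; /* access mask audited on success */` and `uint32_t tas_fmask; /* access mask audited on failure */`, and add a one-line comment per enum value and per new field saying which of `tad_sacl_mask`, `tad_sacl_mask_src` and `tad_sacl_mask_dest` each mode is expected to fill. The block comment should also state who resets `tad_sacl_ctrl` to `SACL_AUDIT_NONE` once the consumer has compared the masks, because a stale control value or mask left in per-thread state could let a later operation on the same thread be audited, or skipped, against the wrong object's SACL. The code that sets and reads these fields is not part of this view, so that last point is a question for the author rather than a confirmed defect.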
|