Print this page
NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/c2/audit_record.h
+++ new/usr/src/uts/common/c2/audit_record.h
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
|
↓ open down ↓ |
13 lines elided |
↑ open up ↑ |
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 + *
25 + * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
24 26 */
25 27
26 28 #ifndef _BSM_AUDIT_RECORD_H
27 29 #define _BSM_AUDIT_RECORD_H
28 30
29 31
30 32 #ifdef _KERNEL
31 33 #include <sys/priv.h>
32 34 #else
33 35 #include <priv.h>
34 36 #endif
35 37 #include <sys/socket.h>
36 38 #include <sys/acl.h>
39 +#include <sys/sid.h>
37 40
38 41 #include <sys/tsol/label.h>
39 42
40 43 #ifdef __cplusplus
41 44 extern "C" {
42 45 #endif
43 46
44 47 /*
45 48 * Version of audit attributes
46 49 *
47 50 * OS Release Version Number Comments
48 51 * ========== ============== ========
49 52 * SunOS 5.1 2 Unbundled Package
50 53 * SunOS 5.3 2 Bundled into the base OS
51 54 * SunOS 5.4-5.x 2
52 55 * Trusted Solaris 2.5 3 To distinguish potential new tokens
53 56 * Trusted Solaris 7-8 4 Redefine X tokens that overlap with
54 57 * SunOS 5.7
55 58 */
56 59
57 60 #define TOKEN_VERSION 2
58 61
59 62 /*
60 63 * Audit record token type codes
61 64 */
62 65
63 66 /*
64 67 * Control token types
65 68 */
66 69
67 70 #define AUT_INVALID ((char)0x00)
68 71 #define AUT_OTHER_FILE ((char)0x11)
69 72 #define AUT_OTHER_FILE32 AUT_OTHER_FILE
70 73 #define AUT_OHEADER ((char)0x12)
71 74 #define AUT_TRAILER ((char)0x13)
72 75 #define AUT_HEADER ((char)0x14)
73 76 #define AUT_HEADER32 AUT_HEADER
74 77 #define AUT_HEADER32_EX ((char)0x15)
75 78 #define AUT_TRAILER_MAGIC ((short)0xB105)
76 79
77 80 /*
78 81 * Data token types
79 82 */
80 83
81 84 #define AUT_FMRI ((char)0x20)
82 85 #define AUT_DATA ((char)0x21)
83 86 #define AUT_IPC ((char)0x22)
84 87 #define AUT_PATH ((char)0x23)
85 88 #define AUT_SUBJECT ((char)0x24)
86 89 #define AUT_SUBJECT32 AUT_SUBJECT
87 90 #define AUT_XATPATH ((char)0x25)
88 91 #define AUT_PROCESS ((char)0x26)
89 92 #define AUT_PROCESS32 AUT_PROCESS
90 93 #define AUT_RETURN ((char)0x27)
91 94 #define AUT_RETURN32 AUT_RETURN
92 95 #define AUT_TEXT ((char)0x28)
93 96 #define AUT_OPAQUE ((char)0x29)
94 97 #define AUT_IN_ADDR ((char)0x2A)
95 98 #define AUT_IP ((char)0x2B)
96 99 #define AUT_IPORT ((char)0x2C)
97 100 #define AUT_ARG ((char)0x2D)
98 101 #define AUT_ARG32 AUT_ARG
99 102 #define AUT_SOCKET ((char)0x2E)
100 103 #define AUT_SEQ ((char)0x2F)
101 104 #define AUT_USER ((char)0x36) /* out of order */
102 105 #define AUT_TID ((char)0x61) /* out of order */
103 106
104 107 /*
105 108 * Modifier token types
106 109 */
107 110
108 111 #define AUT_ACL ((char)0x30)
109 112 #define AUT_ATTR ((char)0x31)
110 113 #define AUT_IPC_PERM ((char)0x32)
111 114 #define AUT_LABEL ((char)0x33)
112 115 #define AUT_GROUPS ((char)0x34)
113 116 #define AUT_ACE ((char)0x35)
114 117 /* 0x37 unused */
115 118 #define AUT_PRIV ((char)0x38)
116 119 #define AUT_UPRIV ((char)0x39)
117 120 #define AUT_LIAISON ((char)0x3A)
118 121 #define AUT_NEWGROUPS ((char)0x3B)
119 122 #define AUT_EXEC_ARGS ((char)0x3C)
120 123 #define AUT_EXEC_ENV ((char)0x3D)
121 124 #define AUT_ATTR32 ((char)0x3E)
122 125 #define AUT_UAUTH ((char)0x3F)
123 126 #define AUT_ZONENAME ((char)0x60) /* out of order */
124 127 #define AUT_SECFLAGS ((char)0x62) /* out of order */
125 128
126 129 /*
127 130 * X windows token types
128 131 */
129 132
130 133 #define AUT_XATOM ((char)0x40)
131 134 #define AUT_XOBJ ((char)0x41)
132 135 #define AUT_XPROTO ((char)0x42)
133 136 #define AUT_XSELECT ((char)0x43)
134 137
135 138 #if TOKEN_VERSION != 3
136 139 #define AUT_XCOLORMAP ((char)0x44)
137 140 #define AUT_XCURSOR ((char)0x45)
138 141 #define AUT_XFONT ((char)0x46)
139 142 #define AUT_XGC ((char)0x47)
140 143 #define AUT_XPIXMAP ((char)0x48)
141 144 #define AUT_XPROPERTY ((char)0x49)
142 145 #define AUT_XWINDOW ((char)0x4A)
143 146 #define AUT_XCLIENT ((char)0x4B)
144 147 #else /* TOKEN_VERSION == 3 */
145 148 #define AUT_XCOLORMAP ((char)0x74)
146 149 #define AUT_XCURSOR ((char)0x75)
147 150 #define AUT_XFONT ((char)0x76)
148 151 #define AUT_XGC ((char)0x77)
149 152 #define AUT_XPIXMAP ((char)0x78)
150 153 #define AUT_XPROPERTY ((char)0x79)
151 154 #define AUT_XWINDOW ((char)0x7A)
152 155 #define AUT_XCLIENT ((char)0x7B)
153 156 #endif /* TOKEN_VERSION != 3 */
154 157
155 158 /*
156 159 * Command token types
157 160 */
158 161
159 162 #define AUT_CMD ((char)0x51)
160 163 #define AUT_EXIT ((char)0x52)
161 164
162 165 /*
163 166 * Miscellaneous token types
164 167 */
165 168
166 169 #define AUT_HOST ((char)0x70)
167 170
168 171 /*
169 172 * Solaris64 token types
170 173 */
171 174
172 175 #define AUT_ARG64 ((char)0x71)
173 176 #define AUT_RETURN64 ((char)0x72)
174 177 #define AUT_ATTR64 ((char)0x73)
175 178 #define AUT_HEADER64 ((char)0x74)
176 179 #define AUT_SUBJECT64 ((char)0x75)
177 180 #define AUT_PROCESS64 ((char)0x77)
178 181 #define AUT_OTHER_FILE64 ((char)0x78)
179 182
180 183 /*
181 184 * Extended network address token types
|
↓ open down ↓ |
135 lines elided |
↑ open up ↑ |
182 185 */
183 186
184 187 #define AUT_HEADER64_EX ((char)0x79)
185 188 #define AUT_SUBJECT32_EX ((char)0x7a)
186 189 #define AUT_PROCESS32_EX ((char)0x7b)
187 190 #define AUT_SUBJECT64_EX ((char)0x7c)
188 191 #define AUT_PROCESS64_EX ((char)0x7d)
189 192 #define AUT_IN_ADDR_EX ((char)0x7e)
190 193 #define AUT_SOCKET_EX ((char)0x7f)
191 194
195 +/*
196 + * Can't do >= 0x80 because these are chars. 0x16/0x17 seem to be free here,
197 + * but who knows if they have historical uses
198 + */
199 +#define AUT_ACCESS_MASK ((char)0x16)
200 +#define AUT_WSID ((char)0x17)
192 201
193 202 /*
194 203 * Audit print suggestion types.
195 204 */
196 205
197 206 #define AUP_BINARY ((char)0)
198 207 #define AUP_OCTAL ((char)1)
199 208 #define AUP_DECIMAL ((char)2)
200 209 #define AUP_HEX ((char)3)
201 210 #define AUP_STRING ((char)4)
202 211
203 212 /*
204 213 * Audit data member types.
205 214 */
206 215
207 216 #define AUR_BYTE ((char)0)
208 217 #define AUR_CHAR ((char)0)
209 218 #define AUR_SHORT ((char)1)
210 219 #define AUR_INT ((char)2)
211 220 #define AUR_INT32 ((char)2)
212 221 #define AUR_INT64 ((char)3)
213 222
214 223 /*
215 224 * Adr structures
216 225 */
217 226
218 227 struct adr_s {
219 228 char *adr_stream; /* The base of the stream */
220 229 char *adr_now; /* The location within the stream */
221 230 };
222 231
223 232 typedef struct adr_s adr_t;
224 233
225 234
226 235 #ifdef _KERNEL
227 236
228 237 #include <sys/param.h>
229 238 #include <sys/systm.h> /* for rval */
230 239 #include <sys/time.h>
231 240 #include <sys/types.h>
232 241 #include <sys/vnode.h>
233 242 #include <sys/mode.h>
234 243 #include <sys/user.h>
235 244 #include <sys/session.h>
236 245 #include <sys/ipc_impl.h>
237 246 #include <netinet/in_systm.h>
238 247 #include <netinet/in.h>
239 248 #include <netinet/ip.h>
240 249 #include <sys/socket.h>
241 250 #include <net/route.h>
242 251 #include <netinet/in_pcb.h>
243 252
244 253 /*
245 254 * au_close flag arguments
246 255 */
247 256
248 257 #define AU_OK 0x1 /* Good audit record */
249 258 #define AU_DONTBLOCK 0x2 /* Don't block or discard if queue full */
250 259 #define AU_DEFER 0x4 /* Defer record queueing to syscall end */
251 260
252 261 /*
253 262 * Audit token type is really an au_membuf pointer
254 263 */
255 264 typedef au_buff_t token_t;
256 265 /*
257 266 * token generation functions
258 267 */
|
↓ open down ↓ |
57 lines elided |
↑ open up ↑ |
259 268 token_t *au_append_token(token_t *, token_t *);
260 269 token_t *au_set(caddr_t, uint_t);
261 270
262 271 void au_free_rec(au_buff_t *);
263 272
264 273 #define au_getclr() ((token_t *)au_get_buff())
265 274 #define au_toss_token(tok) (au_free_rec((au_buff_t *)(tok)))
266 275
267 276 token_t *au_to_acl();
268 277 token_t *au_to_ace();
278 +token_t *au_to_access_mask(uint32_t);
279 +token_t *au_to_wsid(ksid_t *);
269 280 token_t *au_to_attr(struct vattr *);
270 281 token_t *au_to_data(char, char, char, char *);
271 282 token_t *au_to_header(int, au_event_t, au_emod_t);
272 283 token_t *au_to_header_ex(int, au_event_t, au_emod_t);
273 284 token_t *au_to_ipc(char, int);
274 285 token_t *au_to_ipc_perm(kipc_perm_t *);
275 286 token_t *au_to_iport(ushort_t);
276 287 token_t *au_to_in_addr(struct in_addr *);
277 288 token_t *au_to_in_addr_ex(int32_t *);
278 289 token_t *au_to_ip(struct ip *);
279 290 token_t *au_to_groups(const gid_t *, uint_t);
280 291 token_t *au_to_path(struct audit_path *);
292 +token_t *au_to_path_string(const char *);
281 293 token_t *au_to_seq();
282 294 token_t *au_to_process(uid_t, gid_t, uid_t, gid_t, pid_t,
283 295 au_id_t, au_asid_t, const au_tid_addr_t *);
284 296 token_t *au_to_subject(uid_t, gid_t, uid_t, gid_t, pid_t,
285 297 au_id_t, au_asid_t, const au_tid_addr_t *);
286 298 token_t *au_to_return32(int, int32_t);
287 299 token_t *au_to_return64(int, int64_t);
288 300 token_t *au_to_text(const char *);
289 301 /* token_t *au_to_tid(au_generic_tid_t *); no kernel implementation */
290 302 token_t *au_to_trailer(int);
291 303 token_t *au_to_uauth(char *);
292 304 size_t au_zonename_length(zone_t *);
293 305 token_t *au_to_zonename(size_t, zone_t *);
294 306 token_t *au_to_arg32(char, char *, uint32_t);
295 307 token_t *au_to_arg64(char, char *, uint64_t);
296 308 token_t *au_to_socket_ex(short, short, char *, char *);
297 309 token_t *au_to_sock_inet(struct sockaddr_in *);
298 310 token_t *au_to_exec_args(const char *, ssize_t);
299 311 token_t *au_to_exec_env(const char *, ssize_t);
300 312 token_t *au_to_label(bslabel_t *);
301 313 token_t *au_to_privset(const char *, const priv_set_t *, char, int);
302 314 token_t *au_to_secflags(const char *, secflagset_t);
303 315
304 316 void au_uwrite();
305 317 void au_close(au_kcontext_t *, caddr_t *, int, au_event_t, au_emod_t,
306 318 timestruc_t *);
307 319 void au_close_defer(token_t *, int, au_event_t, au_emod_t, timestruc_t *);
308 320 void au_close_time(au_kcontext_t *, token_t *, int, au_event_t, au_emod_t,
309 321 timestruc_t *);
310 322 void au_free_rec(au_buff_t *);
311 323 void au_write(caddr_t *, token_t *);
312 324 void au_mem_init(void);
313 325 void au_zone_setup();
314 326 void au_enqueue(au_kcontext_t *, au_buff_t *, adr_t *, adr_t *, int, int);
315 327 int au_doorio(au_kcontext_t *);
316 328 int au_doormsg(au_kcontext_t *, uint32_t, void *);
317 329 int au_token_size(token_t *);
318 330 int au_append_rec(au_buff_t *, au_buff_t *, int);
319 331 int au_append_buf(const char *, int, au_buff_t *);
320 332
321 333 #else /* !_KERNEL */
322 334
323 335 #include <limits.h>
324 336 #include <sys/types.h>
325 337 #include <sys/vnode.h>
326 338 #include <netinet/in_systm.h>
327 339 #include <netinet/in.h>
328 340 #include <netinet/ip.h>
329 341 #include <sys/ipc.h>
330 342
331 343 struct token_s {
332 344 struct token_s *tt_next; /* Next in the list */
333 345 short tt_size; /* Size of data */
334 346 char *tt_data; /* The data */
335 347 };
336 348 typedef struct token_s token_t;
337 349
338 350 /*
339 351 * Old socket structure definition, formerly in <sys/socketvar.h>
340 352 */
341 353 struct oldsocket {
342 354 short so_type; /* generic type, see socket.h */
343 355 short so_options; /* from socket call, see socket.h */
344 356 short so_linger; /* time to linger while closing */
345 357 short so_state; /* internal state flags SS_*, below */
346 358 struct inpcb *so_pcb; /* protocol control block */
347 359 struct protosw *so_proto; /* protocol handle */
348 360 /*
349 361 * Variables for connection queueing.
350 362 * Socket where accepts occur is so_head in all subsidiary sockets.
351 363 * If so_head is 0, socket is not related to an accept.
352 364 * For head socket so_q0 queues partially completed connections,
353 365 * while so_q is a queue of connections ready to be accepted.
354 366 * If a connection is aborted and it has so_head set, then
355 367 * it has to be pulled out of either so_q0 or so_q.
356 368 * We allow connections to queue up based on current queue lengths
357 369 * and limit on number of queued connections for this socket.
358 370 */
359 371 struct oldsocket *so_head; /* back pointer to accept socket */
360 372 struct oldsocket *so_q0; /* queue of partial connections */
361 373 struct oldsocket *so_q; /* queue of incoming connections */
362 374 short so_q0len; /* partials on so_q0 */
363 375 short so_qlen; /* number of connections on so_q */
364 376 short so_qlimit; /* max number queued connections */
365 377 short so_timeo; /* connection timeout */
366 378 ushort_t so_error; /* error affecting connection */
367 379 short so_pgrp; /* pgrp for signals */
368 380 ulong_t so_oobmark; /* chars to oob mark */
369 381 /*
370 382 * Variables for socket buffering.
371 383 */
372 384 struct sockbuf {
373 385 ulong_t sb_cc; /* actual chars in buffer */
374 386 ulong_t sb_hiwat; /* max actual char count */
375 387 ulong_t sb_mbcnt; /* chars of mbufs used */
376 388 ulong_t sb_mbmax; /* max chars of mbufs to use */
377 389 ulong_t sb_lowat; /* low water mark (not used yet) */
378 390 struct mbuf *sb_mb; /* the mbuf chain */
379 391 struct proc *sb_sel; /* process selecting read/write */
380 392 short sb_timeo; /* timeout (not used yet) */
381 393 short sb_flags; /* flags, see below */
382 394 } so_rcv, so_snd;
383 395 /*
384 396 * Hooks for alternative wakeup strategies.
385 397 * These are used by kernel subsystems wishing to access the socket
386 398 * abstraction. If so_wupfunc is nonnull, it is called in place of
387 399 * wakeup any time that wakeup would otherwise be called with an
388 400 * argument whose value is an address lying within a socket structure.
389 401 */
390 402 struct wupalt *so_wupalt;
391 403 };
392 404 extern token_t *au_to_arg32(char, char *, uint32_t);
393 405 extern token_t *au_to_arg64(char, char *, uint64_t);
394 406 extern token_t *au_to_acl(struct acl *);
395 407 extern token_t *au_to_attr(struct vattr *);
396 408 extern token_t *au_to_cmd(uint_t, char **, char **);
397 409 extern token_t *au_to_data(char, char, char, char *);
398 410 extern token_t *au_to_exec_args(char **);
399 411 extern token_t *au_to_exec_env(char **);
400 412 extern token_t *au_to_exit(int, int);
401 413 extern token_t *au_to_fmri(char *);
402 414 extern token_t *au_to_groups(int *);
403 415 extern token_t *au_to_newgroups(int, gid_t *);
404 416 extern token_t *au_to_header(au_event_t, au_emod_t);
405 417 extern token_t *au_to_header_ex(au_event_t, au_emod_t);
406 418 extern token_t *au_to_in_addr(struct in_addr *);
407 419 extern token_t *au_to_in_addr_ex(struct in6_addr *);
408 420 extern token_t *au_to_ipc(char, int);
409 421 extern token_t *au_to_ipc_perm(struct ipc_perm *);
410 422 extern token_t *au_to_iport(ushort_t);
411 423 extern token_t *au_to_me(void);
412 424 extern token_t *au_to_mylabel(void);
413 425 extern token_t *au_to_opaque(char *, short);
414 426 extern token_t *au_to_path(char *);
415 427 extern token_t *au_to_privset(const char *, const priv_set_t *);
416 428 extern token_t *au_to_process(au_id_t, uid_t, gid_t, uid_t, gid_t,
417 429 pid_t, au_asid_t, au_tid_t *);
418 430 extern token_t *au_to_process_ex(au_id_t, uid_t, gid_t, uid_t, gid_t,
419 431 pid_t, au_asid_t, au_tid_addr_t *);
420 432 extern token_t *au_to_return32(char, uint32_t);
421 433 extern token_t *au_to_return64(char, uint64_t);
422 434 extern token_t *au_to_seq(int);
423 435 extern token_t *au_to_label(m_label_t *);
424 436 extern token_t *au_to_socket(struct oldsocket *);
425 437 extern token_t *au_to_subject(au_id_t, uid_t, gid_t, uid_t, gid_t,
426 438 pid_t, au_asid_t, au_tid_t *);
427 439 extern token_t *au_to_subject_ex(au_id_t, uid_t, gid_t, uid_t, gid_t,
428 440 pid_t, au_asid_t, au_tid_addr_t *);
429 441 extern token_t *au_to_text(char *);
430 442 extern token_t *au_to_tid(au_generic_tid_t *);
431 443 extern token_t *au_to_trailer(void);
432 444 extern token_t *au_to_uauth(char *);
433 445 extern token_t *au_to_upriv(char, char *);
434 446 extern token_t *au_to_user(uid_t, char *);
435 447 extern token_t *au_to_xatom(char *);
436 448 extern token_t *au_to_xselect(char *, char *, char *);
437 449 extern token_t *au_to_xcolormap(int32_t, uid_t);
438 450 extern token_t *au_to_xcursor(int32_t, uid_t);
439 451 extern token_t *au_to_xfont(int32_t, uid_t);
440 452 extern token_t *au_to_xgc(int32_t, uid_t);
441 453 extern token_t *au_to_xpixmap(int32_t, uid_t);
442 454 extern token_t *au_to_xwindow(int32_t, uid_t);
443 455 extern token_t *au_to_xproperty(int32_t, uid_t, char *);
444 456 extern token_t *au_to_xclient(uint32_t);
445 457 extern token_t *au_to_zonename(char *);
446 458 #endif /* _KERNEL */
447 459
448 460 #ifdef _KERNEL
449 461
450 462 void adr_char(adr_t *, char *, int);
451 463 void adr_int32(adr_t *, int32_t *, int);
452 464 void adr_uint32(adr_t *, uint32_t *, int);
453 465 void adr_int64(adr_t *, int64_t *, int);
454 466 void adr_uint64(adr_t *, uint64_t *, int);
455 467 void adr_short(adr_t *, short *, int);
456 468 void adr_ushort(adr_t *, ushort_t *, int);
457 469 void adr_start(adr_t *, char *);
458 470
459 471 char *adr_getchar(adr_t *, char *);
460 472 char *adr_getshort(adr_t *, short *);
461 473 char *adr_getushort(adr_t *, ushort_t *);
462 474 char *adr_getint32(adr_t *, int32_t *);
463 475 char *adr_getuint32(adr_t *, uint32_t *);
464 476 char *adr_getint64(adr_t *, int64_t *);
465 477 char *adr_getuint64(adr_t *, uint64_t *);
466 478
467 479 int adr_count(adr_t *);
468 480
469 481 #endif /* _KERNEL */
470 482
471 483 #ifdef __cplusplus
472 484 }
473 485 #endif
474 486
475 487 #endif /* _BSM_AUDIT_RECORD_H */
|
↓ open down ↓ |
185 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX