Diffstat (limited to 'contrib/openbsm/bsm')
-rw-r--r-- | contrib/openbsm/bsm/audit.h | 31 | ||||
-rw-r--r-- | contrib/openbsm/bsm/audit_filter.h | 18 | ||||
-rw-r--r-- | contrib/openbsm/bsm/audit_internal.h | 18 | ||||
-rw-r--r-- | contrib/openbsm/bsm/audit_kevents.h | 302 | ||||
-rw-r--r-- | contrib/openbsm/bsm/audit_record.h | 27 | ||||
-rw-r--r-- | contrib/openbsm/bsm/libbsm.h | 35 |
6 files changed, 258 insertions, 173 deletions
diff --git a/contrib/openbsm/bsm/audit.h b/contrib/openbsm/bsm/audit.h index 1d05625..d67b853 100644 --- a/contrib/openbsm/bsm/audit.h +++ b/contrib/openbsm/bsm/audit.h @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#16 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#19 $ */ #ifndef _BSM_AUDIT_H @@ -38,11 +38,12 @@ #define AUDIT_RECORD_MAGIC 0x828a0f1b #define MAX_AUDIT_RECORDS 20 -#define MAX_AUDIT_RECORD_SIZE 4096 +#define MAXAUDITDATA (0x8000 - 1) +#define MAX_AUDIT_RECORD_SIZE MAXAUDITDATA #define MIN_AUDIT_FILE_SIZE (512 * 1024) /* - * Triggers for the audit daemon + * Triggers for the audit daemon. */ #define AUDIT_TRIGGER_MIN 1 #define AUDIT_TRIGGER_LOW_SPACE 1 @@ -53,7 +54,8 @@ #define AUDIT_TRIGGER_MAX 5 /* - * File that will be read for trigger events from the kernel + * Special file that will be read for trigger events from the kernel + * (FreeBSD). */ #define AUDIT_TRIGGER_FILE "/dev/audit" @@ -101,7 +103,7 @@ #define AU_ALL 0xffffffff /* - * IPC types + * IPC types. */ #define AT_IPC_MSG ((u_char)1) /* Message IPC id. */ #define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */ @@ -150,16 +152,19 @@ #define AUDIT_AHLT 0x0002 #define AUDIT_ARGV 0x0004 #define AUDIT_ARGE 0x0008 -#define AUDIT_PASSWD 0x0010 -#define AUDIT_SEQ 0x0020 -#define AUDIT_WINDATA 0x0040 -#define AUDIT_USER 0x0080 -#define AUDIT_GROUP 0x0100 -#define AUDIT_TRAIL 0x0200 -#define AUDIT_PATH 0x0400 +#define AUDIT_SEQ 0x0010 +#define AUDIT_WINDATA 0x0020 +#define AUDIT_USER 0x0040 +#define AUDIT_GROUP 0x0080 +#define AUDIT_TRAIL 0x0100 +#define AUDIT_PATH 0x0200 +#define AUDIT_SCNT 0x0400 +#define AUDIT_PUBLIC 0x0800 +#define AUDIT_ZONENAME 0x1000 +#define AUDIT_PERZONE 0x2000 /* - * Audit queue control parameters + * Audit queue control parameters. */ #define AQ_HIWATER 100 #define AQ_MAXHIGH 10000 diff --git a/contrib/openbsm/bsm/audit_filter.h b/contrib/openbsm/bsm/audit_filter.h index 5b7dd4f..8a548f7 100644 
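Review bot: `MAX_AUDIT_RECORD_SIZE` grows from 4096 to `(0x8000 - 1)` in the `@@ -38,11 +38,12 @@` hunk of audit.h with no comment saying what the limit bounds. Any consumer that sizes a fixed or on-stack buffer with it becomes roughly eight times larger, and any reader that still assumes 4096 would under-allocate. No such consumer is visible in this diff, so this needs checking against the callers. I would add `/* Upper bound on one BSM record, in bytes; readers must reject a record length above this before allocating or copying. */` above the two defines.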
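Review bot: The policy bits in the `@@ -150,16 +152,19 @@` hunk are renumbered in place rather than appended. `AUDIT_PASSWD` is dropped and `AUDIT_SEQ` through `AUDIT_PATH` each move down one bit, so 0x0400, which used to mean `AUDIT_PATH`, now means `AUDIT_SCNT`. If these flags cross the user/kernel boundary or are stored in configuration (neither is visible here), a binary built against the old header would enable a different policy than it asked for; an old `AUDIT_SEQ` (0x0020) request would turn on `AUDIT_WINDATA`. I would record the break next to the defines, e.g. `/* Bit values changed in this import; userland and kernel must be rebuilt together. */`, and confirm that no stored policy value survives the upgrade.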
--- a/contrib/openbsm/bsm/audit_filter.h +++ b/contrib/openbsm/bsm/audit_filter.h @@ -25,7 +25,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#2 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#4 $ */ #ifndef _BSM_AUDIT_FILTER_H_ @@ -38,22 +38,28 @@ * audit_filter_reinit_t - arguments to module have changed * audit_filter_record_t - present parsed record to filter module, with * receipt time - * audit_filter_bsmrecord_t - present bsm format record to filter module, + * audit_filter_rawrecord_t - present BSM format record to filter module, * with receipt time * audit_filter_destach_t - filter module is being detached * * There may be many instances of the same filter, identified by the instance * void pointer maintained by the filter instance. */ -typedef int (*audit_filter_attach_t)(void **instance, int argc, char *argv[]); +typedef int (*audit_filter_attach_t)(void *instance, int argc, char *argv[]); typedef int (*audit_filter_reinit_t)(void *instance, int argc, char *argv[]); typedef void (*audit_filter_record_t)(void *instance, struct timespec *ts, int token_count, const tokenstr_t tok[]); -typedef void (*audit_filter_bsmrecord_t)(void *instance, struct timespec *ts, +typedef void (*audit_filter_rawrecord_t)(void *instance, struct timespec *ts, void *data, u_int len); typedef void (*audit_filter_detach_t)(void *instance); /* + * APIs that may be called by audit filters. + */ +void audit_filter_getcookie(void *instance, void **cookie); +void audit_filter_setcookie(void *instance, void *cookie); + +/* * Values to be returned by audit_filter_init_t. */ #define AUDIT_FILTER_SUCCESS (0) 
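Review bot: `audit_filter_attach_t` changes its first parameter from `void **instance` to `void *instance` in the `@@ -38,22 +38,28 @@` hunk, but the exported symbol name stays `audit_filter_attach`. If modules are looked up by the `*_STRING` names at load time, as those macros suggest, a module built against the old header would still resolve and would store through what is now an opaque handle. The `BSMRECORD` to `RAWRECORD` rename in the following `@@ -66,12 +72,12 @@` hunk has the quieter version of the same problem: a module exporting only `audit_filter_bsmrecord` would stop receiving records without any error. The new contract should be stated at the typedef, e.g. `/* instance is an opaque handle owned by the framework; keep per-instance state with audit_filter_setcookie(), never by writing through instance. */`. The block comment above it still reads `audit_filter_destach_t`, which should be `audit_filter_detach_t`.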
@@ -66,12 +72,12 @@ typedef void (*audit_filter_detach_t)(void *instance); #define AUDIT_FILTER_ATTACH audit_filter_attach #define AUDIT_FILTER_REINIT audit_filter_reinit #define AUDIT_FILTER_RECORD audit_filter_record -#define AUDIT_FILTER_BSMRECORD audit_filter_bsmrecord +#define AUDIT_FILTER_RAWRECORD audit_filter_rawrecord #define AUDIT_FILTER_DETACH audit_filter_detach #define AUDIT_FILTER_ATTACH_STRING "audit_filter_attach" #define AUDIT_FILTER_REINIT_STRING "audit_filter_reinit" #define AUDIT_FILTER_RECORD_STRING "audit_filter_record" -#define AUDIT_FILTER_BSMRECORD_STRING "audit_filter_bsmrecord" +#define AUDIT_FILTER_RAWRECORD_STRING "audit_filter_rawrecord" #define AUDIT_FILTER_DETACH_STRING "audit_filter_detach" #endif /* !_BSM_AUDIT_FILTER_H_ */ diff --git a/contrib/openbsm/bsm/audit_internal.h b/contrib/openbsm/bsm/audit_internal.h index 00f44bf..97bafca 100644 --- a/contrib/openbsm/bsm/audit_internal.h +++ b/contrib/openbsm/bsm/audit_internal.h @@ -34,7 +34,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_internal.h#13 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_internal.h#14 $ */ #ifndef _AUDIT_INTERNAL_H 
@@ -68,15 +68,15 @@ struct au_record { typedef struct au_record au_record_t; -/* We could determined the header and trailer sizes by - * defining appropriate structures. We hold off that approach - * till we have a consistant way of using structures for all tokens. - * This is not straightforward since these token structures may - * contain pointers of whose contents we dont know the size - * (e.g text tokens) +/* + * We could determined the header and trailer sizes by defining appropriate + * structures. We hold off that approach until we have a consistant way of + * using structures for all tokens. This is not straightforward since these + * token structures may contain pointers of whose contents we dont know the + * size (e.g text tokens). */ -#define BSM_HEADER_SIZE 18 -#define BSM_TRAILER_SIZE 7 +#define AUDIT_HEADER_SIZE 18 +#define AUDIT_TRAILER_SIZE 7 /* * BSM token streams store fields in big endian byte order, so as to be diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h index b323692..cd55883 100644 --- a/contrib/openbsm/bsm/audit_kevents.h +++ b/contrib/openbsm/bsm/audit_kevents.h @@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#38 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#40 $ */ #ifndef _BSM_AUDIT_KEVENTS_H_ 
@@ -273,134 +273,200 @@ #define AUE_NTP_ADJTIME 288 /* - * Events not present in OpenSolaris BSM, generally derived from Apple Darwin - * BSM or added in OpenBSM. This start a little too close to the top end of - * the OpenSolaris event list for my comfort. + * Events added for Apple Darwin that potentially collide with future Solaris + * BSM events. These are assigned AUE_DARWIN prefixes, and are deprecated in + * new trails. Systems generating these events should switch to the new + * identifiers that avoid colliding with the Solaris identifier space. */ -#define AUE_GETFSSTAT 301 -#define AUE_PTRACE 302 -#define AUE_CHFLAGS 303 -#define AUE_FCHFLAGS 304 -#define AUE_PROFILE 305 -#define AUE_KTRACE 306 -#define AUE_SETLOGIN 307 +#define AUE_DARWIN_GETFSSTAT 301 +#define AUE_DARWIN_PTRACE 302 +#define AUE_DARWIN_CHFLAGS 303 +#define AUE_DARWIN_FCHFLAGS 304 +#define AUE_DARWIN_PROFILE 305 +#define AUE_DARWIN_KTRACE 306 +#define AUE_DARWIN_SETLOGIN 307 #define AUE_DARWIN_REBOOT 308 /* XXX: See AUE_REBOOT. */ -#define AUE_REVOKE 309 -#define AUE_UMASK 310 -#define AUE_MPROTECT 311 +#define AUE_DARWIN_REVOKE 309 +#define AUE_DARWIN_UMASK 310 +#define AUE_DARWIN_MPROTECT 311 #define AUE_DARWIN_SETPRIORITY 312 /* XXX: See AUE_SETPRIORITY. */ #define AUE_DARWIN_SETTIMEOFDAY 313 /* XXX: See AUE_SETTIMEOFDAY. */ #define AUE_DARWIN_FLOCK 314 /* XXX: See AUE_FLOCK. */ -#define AUE_MKFIFO 315 -#define AUE_POLL 316 +#define AUE_DARWIN_MKFIFO 315 +#define AUE_DARWIN_POLL 316 #define AUE_DARWIN_SOCKETPAIR 317 /* XXXRW: See AUE_SOCKETPAIR. */ -#define AUE_FUTIMES 318 -#define AUE_SETSID 319 -#define AUE_SETPRIVEXEC 320 /* Darwin-specific. */ +#define AUE_DARWIN_FUTIMES 318 +#define AUE_DARWIN_SETSID 319 +#define AUE_DARWIN_SETPRIVEXEC 320 /* Darwin-specific. */ #define AUE_DARWIN_NFSSVC 321 /* XXX: See AUE_NFS_SVC. */ #define AUE_DARWIN_GETFH 322 /* XXX: See AUE_NFS_GETFH. */ #define AUE_DARWIN_QUOTACTL 323 /* XXX: See AUE_QUOTACTL. 
*/ -#define AUE_ADDPROFILE 324 /* Darwin-specific. */ -#define AUE_KDEBUGTRACE 325 /* Darwin-specific. */ -#define AUE_KDBUGTRACE AUE_KDEBUGTRACE -#define AUE_FSTAT 326 -#define AUE_FPATHCONF 327 -#define AUE_GETDIRENTRIES 328 +#define AUE_DARWIN_ADDPROFILE 324 /* Darwin-specific. */ +#define AUE_DARWIN_KDEBUGTRACE 325 /* Darwin-specific. */ +#define AUE_DARWIN_KDBUGTRACE AUE_KDEBUGTRACE +#define AUE_DARWIN_FSTAT 326 +#define AUE_DARWIN_FPATHCONF 327 +#define AUE_DARWIN_GETDIRENTRIES 328 #define AUE_DARWIN_TRUNCATE 329 /* XXX: See AUE_TRUNCATE. */ #define AUE_DARWIN_FTRUNCATE 330 /* XXX: See AUE_FTRUNCATE. */ -#define AUE_SYSCTL 331 -#define AUE_MLOCK 332 -#define AUE_MUNLOCK 333 -#define AUE_UNDELETE 334 -#define AUE_GETATTRLIST 335 /* Darwin-specific. */ -#define AUE_SETATTRLIST 336 /* Darwin-specific. */ -#define AUE_GETDIRENTRIESATTR 337 /* Darwin-specific. */ -#define AUE_EXCHANGEDATA 338 /* Darwin-specific. */ -#define AUE_SEARCHFS 339 /* Darwin-specific. */ -#define AUE_MINHERIT 340 -#define AUE_SEMCONFIG 341 -#define AUE_SEMOPEN 342 -#define AUE_SEMCLOSE 343 -#define AUE_SEMUNLINK 344 -#define AUE_SHMOPEN 345 -#define AUE_SHMUNLINK 346 -#define AUE_LOADSHFILE 347 /* Darwin-specific. */ -#define AUE_RESETSHFILE 348 /* Darwin-specific. */ -#define AUE_NEWSYSTEMSHREG 349 /* Darwin-specific. */ -#define AUE_PTHREADKILL 350 /* Darwin-specific. */ -#define AUE_PTHREADSIGMASK 351 /* Darwin-specific. */ -#define AUE_AUDITCTL 352 -#define AUE_RFORK 353 -#define AUE_LCHMOD 354 -#define AUE_SWAPOFF 355 -#define AUE_INITPROCESS 356 /* Darwin-specific. */ -#define AUE_MAPFD 357 /* Darwin-specific. */ -#define AUE_TASKFORPID 358 /* Darwin-specific. */ -#define AUE_PIDFORTASK 359 /* Darwin-specific. */ -#define AUE_SYSCTL_NONADMIN 360 -#define AUE_COPYFILE 361 /* Darwin-specific. */ -#define AUE_LUTIMES 362 -#define AUE_LCHFLAGS 363 /* FreeBSD-specific. */ -#define AUE_SENDFILE 364 /* BSD/Linux-specific. */ -#define AUE_USELIB 365 /* Linux-specific. 
*/ -#define AUE_GETRESUID 366 -#define AUE_SETRESUID 367 -#define AUE_GETRESGID 368 -#define AUE_SETRESGID 369 -#define AUE_WAIT4 370 /* FreeBSD-specific. */ -#define AUE_LGETFH 371 /* FreeBSD-specific. */ -#define AUE_FHSTATFS 372 /* FreeBSD-specific. */ -#define AUE_FHOPEN 373 /* FreeBSD-specific. */ -#define AUE_FHSTAT 374 /* FreeBSD-specific. */ -#define AUE_JAIL 375 /* FreeBSD-specific. */ -#define AUE_EACCESS 376 /* FreeBSD-specific. */ -#define AUE_KQUEUE 377 /* FreeBSD-specific. */ -#define AUE_KEVENT 378 /* FreeBSD-specific. */ -#define AUE_FSYNC 379 -#define AUE_NMOUNT 380 /* FreeBSD-specific. */ -#define AUE_BDFLUSH 381 /* Linux-specific. */ -#define AUE_SETFSUID 382 /* Linux-specific. */ -#define AUE_SETFSGID 383 /* Linux-specific. */ -#define AUE_PERSONALITY 384 /* Linux-specific. */ -#define AUE_SCHED_GETSCHEDULER 385 /* POSIX.1b. */ -#define AUE_SCHED_SETSCHEDULER 386 /* POSIX.1b. */ -#define AUE_PRCTL 387 /* Linux-specific. */ -#define AUE_GETCWD 388 /* FreeBSD/Linux-specific. */ -#define AUE_CAPGET 389 /* Linux-specific. */ -#define AUE_CAPSET 390 /* Linux-specific. */ -#define AUE_PIVOT_ROOT 391 /* Linux-specific. */ -#define AUE_RTPRIO 392 /* FreeBSD-specific. */ -#define AUE_SCHED_GETPARAM 393 /* POSIX.1b. */ -#define AUE_SCHED_SETPARAM 394 /* POSIX.1b. */ -#define AUE_SCHED_GET_PRIORITY_MAX 395 /* POSIX.1b. */ -#define AUE_SCHED_GET_PRIORITY_MIN 396 /* POSIX.1b. */ -#define AUE_SCHED_RR_GET_INTERVAL 397 /* POSIX.1b. */ -#define AUE_ACL_GET_FILE 398 /* FreeBSD. */ -#define AUE_ACL_SET_FILE 399 /* FreeBSD. */ -#define AUE_ACL_GET_FD 400 /* FreeBSD. */ -#define AUE_ACL_SET_FD 401 /* FreeBSD. */ -#define AUE_ACL_DELETE_FILE 402 /* FreeBSD. */ -#define AUE_ACL_DELETE_FD 403 /* FreeBSD. */ -#define AUE_ACL_CHECK_FILE 404 /* FreeBSD. */ -#define AUE_ACL_CHECK_FD 405 /* FreeBSD. */ -#define AUE_ACL_GET_LINK 406 /* FreeBSD. */ -#define AUE_ACL_SET_LINK 407 /* FreeBSD. */ -#define AUE_ACL_DELETE_LINK 408 /* FreeBSD. 
*/ -#define AUE_ACL_CHECK_LINK 409 /* FreeBSD. */ -#define AUE_SYSARCH 410 /* FreeBSD. */ -#define AUE_EXTATTRCTL 411 /* FreeBSD. */ -#define AUE_EXTATTR_GET_FILE 412 /* FreeBSD. */ -#define AUE_EXTATTR_SET_FILE 413 /* FreeBSD. */ -#define AUE_EXTATTR_LIST_FILE 414 /* FreeBSD. */ -#define AUE_EXTATTR_DELETE_FILE 415 /* FreeBSD. */ -#define AUE_EXTATTR_GET_FD 416 /* FreeBSD. */ -#define AUE_EXTATTR_SET_FD 417 /* FreeBSD. */ -#define AUE_EXTATTR_LIST_FD 418 /* FreeBSD. */ -#define AUE_EXTATTR_DELETE_FD 419 /* FreeBSD. */ -#define AUE_EXTATTR_GET_LINK 420 /* FreeBSD. */ -#define AUE_EXTATTR_SET_LINK 421 /* FreeBSD. */ -#define AUE_EXTATTR_LIST_LINK 422 /* FreeBSD. */ -#define AUE_EXTATTR_DELETE_LINK 423 /* FreeBSD. */ +#define AUE_DARWIN_SYSCTL 331 +#define AUE_DARWIN_MLOCK 332 +#define AUE_DARWIN_MUNLOCK 333 +#define AUE_DARWIN_UNDELETE 334 +#define AUE_DARWIN_GETATTRLIST 335 /* Darwin-specific. */ +#define AUE_DARWIN_SETATTRLIST 336 /* Darwin-specific. */ +#define AUE_DARWIN_GETDIRENTRIESATTR 337 /* Darwin-specific. */ +#define AUE_DARWIN_EXCHANGEDATA 338 /* Darwin-specific. */ +#define AUE_DARWIN_SEARCHFS 339 /* Darwin-specific. */ +#define AUE_DARWIN_MINHERIT 340 +#define AUE_DARWIN_SEMCONFIG 341 +#define AUE_DARWIN_SEMOPEN 342 +#define AUE_DARWIN_SEMCLOSE 343 +#define AUE_DARWIN_SEMUNLINK 344 +#define AUE_DARWIN_SHMOPEN 345 +#define AUE_DARWIN_SHMUNLINK 346 +#define AUE_DARWIN_LOADSHFILE 347 /* Darwin-specific. */ +#define AUE_DARWIN_RESETSHFILE 348 /* Darwin-specific. */ +#define AUE_DARWIN_NEWSYSTEMSHREG 349 /* Darwin-specific. */ +#define AUE_DARWIN_PTHREADKILL 350 /* Darwin-specific. */ +#define AUE_DARWIN_PTHREADSIGMASK 351 /* Darwin-specific. */ +#define AUE_DARWIN_AUDITCTL 352 +#define AUE_DARWIN_RFORK 353 +#define AUE_DARWIN_LCHMOD 354 +#define AUE_DARWIN_SWAPOFF 355 +#define AUE_DARWIN_INITPROCESS 356 /* Darwin-specific. */ +#define AUE_DARWIN_MAPFD 357 /* Darwin-specific. */ +#define AUE_DARWIN_TASKFORPID 358 /* Darwin-specific. 
*/ +#define AUE_DARWIN_PIDFORTASK 359 /* Darwin-specific. */ +#define AUE_DARWIN_SYSCTL_NONADMIN 360 +#define AUE_DARWIN_COPYFILE 361 /* Darwin-specific. */ + +/* + * Audit event identifiers added as part of OpenBSM, generally corresponding + * to events in FreeBSD, Darwin, and Linux that were not present in Solaris. + * These often duplicate events added to the Solaris set by Darwin, but use + * event identifiers in a higher range in order to avoid colliding with + * future Solaris additions. + */ +#define AUE_GETFSSTAT 43001 +#define AUE_PTRACE 43002 +#define AUE_CHFLAGS 43003 +#define AUE_FCHFLAGS 43004 +#define AUE_PROFILE 43005 +#define AUE_KTRACE 43006 +#define AUE_SETLOGIN 43007 +#define AUE_REVOKE 43008 +#define AUE_UMASK 43009 +#define AUE_MPROTECT 43010 +#define AUE_MKFIFO 43011 +#define AUE_POLL 43012 +#define AUE_FUTIMES 43013 +#define AUE_SETSID 43014 +#define AUE_SETPRIVEXEC 43015 /* Darwin-specific. */ +#define AUE_ADDPROFILE 43016 /* Darwin-specific. */ +#define AUE_KDEBUGTRACE 43017 /* Darwin-specific. */ +#define AUE_KDBUGTRACE AUE_KDEBUGTRACE +#define AUE_FSTAT 43018 +#define AUE_FPATHCONF 43019 +#define AUE_GETDIRENTRIES 43020 +#define AUE_SYSCTL 43021 +#define AUE_MLOCK 43022 +#define AUE_MUNLOCK 43023 +#define AUE_UNDELETE 43024 +#define AUE_GETATTRLIST 43025 /* Darwin-specific. */ +#define AUE_SETATTRLIST 43026 /* Darwin-specific. */ +#define AUE_GETDIRENTRIESATTR 43027 /* Darwin-specific. */ +#define AUE_EXCHANGEDATA 43028 /* Darwin-specific. */ +#define AUE_SEARCHFS 43029 /* Darwin-specific. */ +#define AUE_MINHERIT 43030 +#define AUE_SEMCONFIG 43031 +#define AUE_SEMOPEN 43032 +#define AUE_SEMCLOSE 43033 +#define AUE_SEMUNLINK 43034 +#define AUE_SHMOPEN 43035 +#define AUE_SHMUNLINK 43036 +#define AUE_LOADSHFILE 43037 /* Darwin-specific. */ +#define AUE_RESETSHFILE 43038 /* Darwin-specific. */ +#define AUE_NEWSYSTEMSHREG 43039 /* Darwin-specific. */ +#define AUE_PTHREADKILL 43040 /* Darwin-specific. 
*/ +#define AUE_PTHREADSIGMASK 43041 /* Darwin-specific. */ +#define AUE_AUDITCTL 43042 +#define AUE_RFORK 43043 +#define AUE_LCHMOD 43044 +#define AUE_SWAPOFF 43045 +#define AUE_INITPROCESS 43046 /* Darwin-specific. */ +#define AUE_MAPFD 43047 /* Darwin-specific. */ +#define AUE_TASKFORPID 43048 /* Darwin-specific. */ +#define AUE_PIDFORTASK 43049 /* Darwin-specific. */ +#define AUE_SYSCTL_NONADMIN 43050 +#define AUE_COPYFILE 43051 /* Darwin-specific. */ + +/* + * Events added to OpenBSM for FreeBSD and Linux; may also be used by Darwin + * in the future. + */ +#define AUE_LUTIMES 43052 +#define AUE_LCHFLAGS 43053 /* FreeBSD-specific. */ +#define AUE_SENDFILE 43054 /* BSD/Linux-specific. */ +#define AUE_USELIB 43055 /* Linux-specific. */ +#define AUE_GETRESUID 43056 +#define AUE_SETRESUID 43057 +#define AUE_GETRESGID 43058 +#define AUE_SETRESGID 43059 +#define AUE_WAIT4 43060 /* FreeBSD-specific. */ +#define AUE_LGETFH 43061 /* FreeBSD-specific. */ +#define AUE_FHSTATFS 43062 /* FreeBSD-specific. */ +#define AUE_FHOPEN 43063 /* FreeBSD-specific. */ +#define AUE_FHSTAT 43064 /* FreeBSD-specific. */ +#define AUE_JAIL 43065 /* FreeBSD-specific. */ +#define AUE_EACCESS 43066 /* FreeBSD-specific. */ +#define AUE_KQUEUE 43067 /* FreeBSD-specific. */ +#define AUE_KEVENT 43068 /* FreeBSD-specific. */ +#define AUE_FSYNC 43069 +#define AUE_NMOUNT 43070 /* FreeBSD-specific. */ +#define AUE_BDFLUSH 43071 /* Linux-specific. */ +#define AUE_SETFSUID 43072 /* Linux-specific. */ +#define AUE_SETFSGID 43073 /* Linux-specific. */ +#define AUE_PERSONALITY 43074 /* Linux-specific. */ +#define AUE_SCHED_GETSCHEDULER 43075 /* POSIX.1b. */ +#define AUE_SCHED_SETSCHEDULER 43076 /* POSIX.1b. */ +#define AUE_PRCTL 43077 /* Linux-specific. */ +#define AUE_GETCWD 43078 /* FreeBSD/Linux-specific. */ +#define AUE_CAPGET 43079 /* Linux-specific. */ +#define AUE_CAPSET 43080 /* Linux-specific. */ +#define AUE_PIVOT_ROOT 43081 /* Linux-specific. */ +#define AUE_RTPRIO 43082 /* FreeBSD-specific. 
*/ +#define AUE_SCHED_GETPARAM 43083 /* POSIX.1b. */ +#define AUE_SCHED_SETPARAM 43084 /* POSIX.1b. */ +#define AUE_SCHED_GET_PRIORITY_MAX 43085 /* POSIX.1b. */ +#define AUE_SCHED_GET_PRIORITY_MIN 43086 /* POSIX.1b. */ +#define AUE_SCHED_RR_GET_INTERVAL 43087 /* POSIX.1b. */ +#define AUE_ACL_GET_FILE 43088 /* FreeBSD. */ +#define AUE_ACL_SET_FILE 43089 /* FreeBSD. */ +#define AUE_ACL_GET_FD 43090 /* FreeBSD. */ +#define AUE_ACL_SET_FD 43091 /* FreeBSD. */ +#define AUE_ACL_DELETE_FILE 43092 /* FreeBSD. */ +#define AUE_ACL_DELETE_FD 43093 /* FreeBSD. */ +#define AUE_ACL_CHECK_FILE 43094 /* FreeBSD. */ +#define AUE_ACL_CHECK_FD 43095 /* FreeBSD. */ +#define AUE_ACL_GET_LINK 43096 /* FreeBSD. */ +#define AUE_ACL_SET_LINK 43097 /* FreeBSD. */ +#define AUE_ACL_DELETE_LINK 43098 /* FreeBSD. */ +#define AUE_ACL_CHECK_LINK 43099 /* FreeBSD. */ +#define AUE_SYSARCH 43100 /* FreeBSD. */ +#define AUE_EXTATTRCTL 43101 /* FreeBSD. */ +#define AUE_EXTATTR_GET_FILE 43102 /* FreeBSD. */ +#define AUE_EXTATTR_SET_FILE 43103 /* FreeBSD. */ +#define AUE_EXTATTR_LIST_FILE 43104 /* FreeBSD. */ +#define AUE_EXTATTR_DELETE_FILE 43105 /* FreeBSD. */ +#define AUE_EXTATTR_GET_FD 43106 /* FreeBSD. */ +#define AUE_EXTATTR_SET_FD 43107 /* FreeBSD. */ +#define AUE_EXTATTR_LIST_FD 43108 /* FreeBSD. */ +#define AUE_EXTATTR_DELETE_FD 43109 /* FreeBSD. */ +#define AUE_EXTATTR_GET_LINK 43110 /* FreeBSD. */ +#define AUE_EXTATTR_SET_LINK 43111 /* FreeBSD. */ +#define AUE_EXTATTR_LIST_LINK 43112 /* FreeBSD. */ +#define AUE_EXTATTR_DELETE_LINK 43113 /* FreeBSD. */ /* * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the diff --git a/contrib/openbsm/bsm/audit_record.h b/contrib/openbsm/bsm/audit_record.h index f9c0288..79d13c3 100644 --- a/contrib/openbsm/bsm/audit_record.h +++ b/contrib/openbsm/bsm/audit_record.h 
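Review bot: `#define AUE_DARWIN_KDBUGTRACE AUE_KDEBUGTRACE` in the deprecated Darwin block resolves to the new identifier (43017) instead of its sibling `AUE_DARWIN_KDEBUGTRACE` (325). This looks like a search-and-replace slip, since every other `AUE_DARWIN_*` name in the block keeps its 3xx value. It should read `#define AUE_DARWIN_KDBUGTRACE AUE_DARWIN_KDEBUGTRACE`. Separately, the un-prefixed names now resolve to 43001–43113, so event-to-class mappings and any trail reader keyed on the old numbers have to change in the same import; none of those are in this diffstat. Otherwise these events could fall outside preselection or be reported under the wrong name.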
@@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#19 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#23 $ */ #ifndef _BSM_AUDIT_RECORD_H_ @@ -184,7 +184,7 @@ #define AUR_CHAR AUR_BYTE #define AUR_SHORT 1 #define AUR_INT32 2 -#define AUR_INT AUR_INT +#define AUR_INT AUR_INT32 #define AUR_INT64 3 /* ... and their sizes */ @@ -199,9 +199,19 @@ #define PAD_NOTATTR 0x4000 /* nonattributable event */ #define PAD_FAILURE 0x8000 /* fail audit event */ +#define AUDIT_MAX_GROUPS 16 -#define BSM_MAX_GROUPS 16 -#define HEADER_VERSION 1 +/* + * A number of BSM versions are floating around and defined. Here are + * constants for them. OpenBSM uses the same token types, etc, used in the + * Solaris BSM version, but has a separate version number in order to + * identify a potentially different event identifier name space. + */ +#define AUDIT_HEADER_VERSION_OLDDARWIN 1 /* In retrospect, a mistake. */ +#define AUDIT_HEADER_VERSION_SOLARIS 2 +#define AUDIT_HEADER_VERSION_TSOL25 3 +#define AUDIT_HEADER_VERSION_TSOL 4 +#define AUDIT_HEADER_VERSION_OPENBSM 10 /* * BSM define is AUT_TRAILER_MAGIC; Apple BSM define is TRAILER_PAD_MAGIC; we @@ -308,8 +318,13 @@ token_t *au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); token_t *au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); -token_t *au_to_exec_args(const char **); -token_t *au_to_exec_env(const char **); +#if defined(_KERNEL) || defined(KERNEL) +token_t *au_to_exec_args(char *args, int argc); +token_t *au_to_exec_env(char *envs, int envc); +#else +token_t *au_to_exec_args(char **argv); +token_t *au_to_exec_env(char **envp); +#endif token_t *au_to_text(char *text); token_t *au_to_kevent(struct kevent *kev); token_t *au_to_trailer(int rec_size); 
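Review bot: The kernel prototypes `au_to_exec_args(char *args, int argc)` and `au_to_exec_env(char *envs, int envc)` in the `@@ -308,8 +318,13 @@` hunk take a buffer and a count but no buffer length. The implementation, which is outside this diff, can therefore only find the end of the data by trusting the count, and `int` also admits a negative count. The contract should be written at the declaration, e.g. `/* args holds argc consecutive NUL-terminated strings; the caller guarantees the buffer contains all of them and that argc >= 0. */`; that layout is my assumption and should be confirmed against the implementation. The userland variants also drop `const` from the old `const char **` parameter, which removes the promise that the token builder does not modify the caller's strings.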
diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h index 2efdace..5fea48c 100644 --- a/contrib/openbsm/bsm/libbsm.h +++ b/contrib/openbsm/bsm/libbsm.h @@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#21 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#27 $ */ #ifndef _LIBBSM_H_ @@ -37,8 +37,8 @@ * solely to allow OpenSSH to compile; Darwin/Apple code should not use them. */ -#define MAX_ARGS 10 -#define MAX_ENV 10 +#define AUDIT_MAX_ARGS 10 +#define AUDIT_MAX_ENV 10 #include <sys/types.h> #include <sys/cdefs.h> @@ -82,11 +82,10 @@ #define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */ /* - * These are referenced in Solaris 9 au_open(3BSM); values are guesses. - * Provided for OpenSSH compatibility. + * Arguments to au_close(3). */ -#define AU_TO_NO_WRITE 0 -#define AU_TO_WRITE 1 +#define AU_TO_NO_WRITE 0 /* Abandon audit record. */ +#define AU_TO_WRITE 1 /* Commit audit record. */ __BEGIN_DECLS struct au_event_ent { @@ -138,15 +137,6 @@ __END_DECLS __BEGIN_DECLS -/* - * Internal representation of audit user in libnsl. - */ -typedef struct au_user_str_s { - char *au_name; - char *au_always; - char *au_never; -} au_user_str_t; - typedef struct au_tid32 { u_int32_t port; u_int32_t addr; @@ -228,7 +218,7 @@ typedef struct { */ typedef struct { u_int32_t count; - char *text[MAX_ARGS]; + char *text[AUDIT_MAX_ARGS]; } au_execarg_t; /* @@ -237,7 +227,7 @@ typedef struct { */ typedef struct { u_int32_t count; - char *text[MAX_ENV]; + char *text[AUDIT_MAX_ENV]; } au_execenv_t; /* @@ -269,7 +259,7 @@ typedef struct { */ typedef struct { u_int16_t no; - u_int32_t list[BSM_MAX_GROUPS]; + u_int32_t list[AUDIT_MAX_GROUPS]; } au_groups_t; /* 
@@ -729,8 +719,6 @@ int au_preselect(au_event_t event, au_mask_t *mask_p, /* * Functions relating to querying audit event information. - * - * XXXRW: getauevnonam() has no _r version? */ void setauevent(void); void endauevent(void); @@ -770,6 +758,11 @@ void au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm); __END_DECLS +/* + * The remaining APIs are associated with Apple's BSM implementation, in + * particular as relates to Mach IPC auditing and triggers passed via Mach + * IPC. + */ #ifdef __APPLE__ #include <sys/appleapiopts.h> |