diff options
Diffstat (limited to 'contrib/openbsm/bsm')
-rw-r--r-- | contrib/openbsm/bsm/Makefile | 22 | ||||
-rw-r--r-- | contrib/openbsm/bsm/audit.h | 327 | ||||
-rw-r--r-- | contrib/openbsm/bsm/audit_internal.h | 99 | ||||
-rw-r--r-- | contrib/openbsm/bsm/audit_kevents.h | 494 | ||||
-rw-r--r-- | contrib/openbsm/bsm/audit_record.h | 325 | ||||
-rw-r--r-- | contrib/openbsm/bsm/audit_uevents.h | 102 | ||||
-rw-r--r-- | contrib/openbsm/bsm/libbsm.h | 1175 |
7 files changed, 2544 insertions, 0 deletions
diff --git a/contrib/openbsm/bsm/Makefile b/contrib/openbsm/bsm/Makefile new file mode 100644 index 0000000..ba63701 --- /dev/null +++ b/contrib/openbsm/bsm/Makefile @@ -0,0 +1,22 @@ +# +# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile#7 $ +# + +INCS= audit.h \ + audit_internal.h \ + audit_kevents.h \ + audit_record.h \ + audit_uevents.h \ + libbsm.h + +TARGET= ${DESTDIR}/usr/include/bsm + +all: +default: +depend: +clean: + +install: + mkdir -p -m 0755 ${TARGET} + install -o root -g wheel -m 0644 ${INCS} ${TARGET} + diff --git a/contrib/openbsm/bsm/audit.h b/contrib/openbsm/bsm/audit.h new file mode 100644 index 0000000..1d208c1 --- /dev/null +++ b/contrib/openbsm/bsm/audit.h @@ -0,0 +1,327 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#14 $ + */ + +#ifndef _BSM_AUDIT_H +#define _BSM_AUDIT_H + +#define AUDIT_RECORD_MAGIC 0x828a0f1b +#define MAX_AUDIT_RECORDS 20 +#define MAX_AUDIT_RECORD_SIZE 4096 +#define MIN_AUDIT_FILE_SIZE (512 * 1024) + +/* + * Triggers for the audit daemon + */ +#define AUDIT_TRIGGER_MIN 1 +#define AUDIT_TRIGGER_LOW_SPACE 1 +#define AUDIT_TRIGGER_OPEN_NEW 2 +#define AUDIT_TRIGGER_READ_FILE 3 +#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 +#define AUDIT_TRIGGER_NO_SPACE 5 +#define AUDIT_TRIGGER_MAX 5 + +/* + * File that will be read for trigger events from the kernel + */ +#define AUDIT_TRIGGER_FILE "/dev/audit" + +/* + * Pre-defined audit IDs + */ +#define AU_DEFAUDITID -1 + +/* + * Define the masks for the classes of audit events. + */ +#define AU_NULL 0x00000000 +#define AU_FREAD 0x00000001 +#define AU_FWRITE 0x00000002 +#define AU_FACCESS 0x00000004 +#define AU_FMODIFY 0x00000008 +#define AU_FCREATE 0x00000010 +#define AU_FDELETE 0x00000020 +#define AU_CLOSE 0x00000040 +#define AU_PROCESS 0x00000080 +#define AU_NET 0x00000100 +#define AU_IPC 0x00000200 +#define AU_NONAT 0x00000400 +#define AU_ADMIN 0x00000800 +#define AU_LOGIN 0x00001000 +#define AU_TFM 0x00002000 +#define AU_APPL 0x00004000 +#define AU_SETL 0x00008000 +#define AU_IFLOAT 0x00010000 +#define AU_PRIV 0x00020000 +#define AU_MAC_RW 0x00040000 +#define AU_XCONN 0x00080000 +#define AU_XCREATE 0x00100000 +#define AU_XDELETE 0x00200000 +#define AU_XIFLOAT 0x00400000 +#define AU_XPRIVS 0x00800000 +#define AU_XPRIVF 0x01000000 +#define AU_XMOVE 0x02000000 +#define AU_XDACF 0x04000000 +#define AU_XMACF 0x08000000 +#define AU_XSECATTR 0x10000000 +#define AU_IOCTL 0x20000000 +#define AU_EXEC 0x40000000 +#define AU_OTHER 0x80000000 +#define AU_ALL 0xffffffff + +/* + * IPC types + */ +#define AT_IPC_MSG ((u_char)1) /* Message IPC id. */ +#define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */ +#define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */ + +/* + * Audit conditions. + */ +#define AUC_UNSET 0 +#define AUC_AUDITING 1 +#define AUC_NOAUDIT 2 +#define AUC_DISABLED -1 + +/* + * auditon(2) commands. + */ +#define A_GETPOLICY 2 +#define A_SETPOLICY 3 +#define A_GETKMASK 4 +#define A_SETKMASK 5 +#define A_GETQCTRL 6 +#define A_SETQCTRL 7 +#define A_GETCWD 8 +#define A_GETCAR 9 +#define A_GETSTAT 12 +#define A_SETSTAT 13 +#define A_SETUMASK 14 +#define A_SETSMASK 15 +#define A_GETCOND 20 +#define A_SETCOND 21 +#define A_GETCLASS 22 +#define A_SETCLASS 23 +#define A_GETPINFO 24 +#define A_SETPMASK 25 +#define A_SETFSIZE 26 +#define A_GETFSIZE 27 +#define A_GETPINFO_ADDR 28 +#define A_GETKAUDIT 29 +#define A_SETKAUDIT 30 +#define A_SENDTRIGGER 31 + +/* + * Audit policy controls. + */ +#define AUDIT_CNT 0x0001 +#define AUDIT_AHLT 0x0002 +#define AUDIT_ARGV 0x0004 +#define AUDIT_ARGE 0x0008 +#define AUDIT_PASSWD 0x0010 +#define AUDIT_SEQ 0x0020 +#define AUDIT_WINDATA 0x0040 +#define AUDIT_USER 0x0080 +#define AUDIT_GROUP 0x0100 +#define AUDIT_TRAIL 0x0200 +#define AUDIT_PATH 0x0400 + +/* + * Audit queue control parameters + */ +#define AQ_HIWATER 100 +#define AQ_MAXHIGH 10000 +#define AQ_LOWATER 10 +#define AQ_BUFSZ 1024 +#define AQ_MAXBUFSZ 1048576 + +/* + * Default minimum percentage free space on file system. + */ +#define AU_FS_MINFREE 20 + +/* + * Type definitions used indicating the length of variable length addresses + * in tokens containing addresses, such as header fields. + */ +#define AU_IPv4 4 +#define AU_IPv6 16 + +__BEGIN_DECLS + +typedef uid_t au_id_t; +typedef pid_t au_asid_t; +typedef u_int16_t au_event_t; +typedef u_int16_t au_emod_t; +typedef u_int32_t au_class_t; + +struct au_tid { + dev_t port; + u_int32_t machine; +}; +typedef struct au_tid au_tid_t; + +struct au_tid_addr { + dev_t at_port; + u_int32_t at_type; + u_int32_t at_addr[4]; +}; +typedef struct au_tid_addr au_tid_addr_t; + +struct au_mask { + unsigned int am_success; /* Success bits. */ + unsigned int am_failure; /* Failure bits. */ +}; +typedef struct au_mask au_mask_t; + +struct auditinfo { + au_id_t ai_auid; /* Audit user ID. */ + au_mask_t ai_mask; /* Audit masks. */ + au_tid_t ai_termid; /* Terminal ID. */ + au_asid_t ai_asid; /* Audit session ID. */ +}; +typedef struct auditinfo auditinfo_t; + +struct auditinfo_addr { + au_id_t ai_auid; /* Audit user ID. */ + au_mask_t ai_mask; /* Audit masks. */ + au_tid_addr_t ai_termid; /* Terminal ID. */ + au_asid_t ai_asid; /* Audit session ID. */ +}; +typedef struct auditinfo_addr auditinfo_addr_t; + +struct auditpinfo { + pid_t ap_pid; /* ID of target process. */ + au_id_t ap_auid; /* Audit user ID. */ + au_mask_t ap_mask; /* Audit masks. */ + au_tid_t ap_termid; /* Terminal ID. */ + au_asid_t ap_asid; /* Audit session ID. */ +}; +typedef struct auditpinfo auditpinfo_t; + +struct auditpinfo_addr { + pid_t ap_pid; /* ID of target process. */ + au_id_t ap_auid; /* Audit user ID. */ + au_mask_t ap_mask; /* Audit masks. */ + au_tid_addr_t ap_termid; /* Terminal ID. */ + au_asid_t ap_asid; /* Audit session ID. */ +}; +typedef struct auditpinfo_addr auditpinfo_addr_t; + +/* Token and record structures. */ + +struct au_token { + u_char *t_data; + size_t len; + TAILQ_ENTRY(au_token) tokens; +}; +typedef struct au_token token_t; + +struct au_record { + char used; /* Record currently in use? */ + int desc; /* Descriptor for record. */ + TAILQ_HEAD(, au_token) token_q; /* Queue of BSM tokens. */ + u_char *data; + size_t len; + LIST_ENTRY(au_record) au_rec_q; +}; +typedef struct au_record au_record_t; + +/* + * Kernel audit queue control parameters. + */ +struct au_qctrl { + size_t aq_hiwater; + size_t aq_lowater; + size_t aq_bufsz; + clock_t aq_delay; + int aq_minfree; /* Minimum filesystem percent free space. */ +}; +typedef struct au_qctrl au_qctrl_t; + +/* + * Structure for the audit statistics. + */ +struct audit_stat { + unsigned int as_version; + unsigned int as_numevent; + int as_generated; + int as_nonattring; + int as_kernel; + int as_audit; + int as_auditctl; + int as_enqueu; + int as_written; + int as_wblocked; + int as_rblocked; + int as_dropped; + int as_totalsize; + unsigned int as_memused; +}; +typedef struct audit_stat au_stat_t; + +/* + * Structure for the audit file statistics. + */ +struct audit_fstat { + u_quad_t af_filesz; + u_quad_t af_currsz; +}; +typedef struct audit_fstat au_fstat_t; + +/* + * Audit to event class mapping. + */ +struct au_evclass_map { + au_event_t ec_number; + au_class_t ec_class; +}; +typedef struct au_evclass_map au_evclass_map_t; + +#if !defined(_KERNEL) && !defined(KERNEL) +int audit(const void *, int); +int auditon(int, void *, int); +int auditctl(const char *); +int getauid(au_id_t *); +int setauid(const au_id_t *); +int getaudit(struct auditinfo *); +int setaudit(const struct auditinfo *); +int getaudit_addr(struct auditinfo_addr *, int); +int setaudit_addr(const struct auditinfo_addr *, int); +#endif /* defined(_KERNEL) || defined(KERNEL) */ + +__END_DECLS + +#endif /* !_BSM_AUDIT_H */ diff --git a/contrib/openbsm/bsm/audit_internal.h b/contrib/openbsm/bsm/audit_internal.h new file mode 100644 index 0000000..2d98aae --- /dev/null +++ b/contrib/openbsm/bsm/audit_internal.h @@ -0,0 +1,99 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * Copyright (c) 2005 SPARTA, Inc. + * All rights reserved. + * + * This code was developed in part by Robert N. M. Watson, Senior Principal + * Scientist, SPARTA, Inc. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_internal.h#7 $ + */ + +#ifndef _LIBBSM_INTERNAL_H +#define _LIBBSM_INTERNAL_H + +/* + * audit_internal.h contains private interfaces that are shared by user space + * and the kernel for the purposes of assembling audit records. Applications + * should not include this file or use the APIs found within, or it may be + * broken with future releases of OpenBSM, which may delete, modify, or + * otherwise break these interfaces or the assumptions they rely on. + */ + +/* We could determined the header and trailer sizes by + * defining appropriate structures. We hold off that approach + * till we have a consistant way of using structures for all tokens. + * This is not straightforward since these token structures may + * contain pointers of whose contents we dont know the size + * (e.g text tokens) + */ +#define BSM_HEADER_SIZE 18 +#define BSM_TRAILER_SIZE 7 + +/* + * BSM token streams store fields in big endian byte order, so as to be + * portable; when encoding and decoding, we must convert byte orders for + * typed values. + */ +#define ADD_U_CHAR(loc, val) \ + do { \ + *(loc) = (val); \ + (loc) += sizeof(u_char); \ + } while(0) + + +#define ADD_U_INT16(loc, val) \ + do { \ + be16enc((loc), (val)); \ + (loc) += sizeof(u_int16_t); \ + } while(0) + +#define ADD_U_INT32(loc, val) \ + do { \ + be32enc((loc), (val)); \ + (loc) += sizeof(u_int32_t); \ + } while(0) + +#define ADD_U_INT64(loc, val) \ + do { \ + be64enc((loc), (val)); \ + (loc) += sizeof(u_int64_t); \ + } while(0) + +#define ADD_MEM(loc, data, size) \ + do { \ + memcpy((loc), (data), (size)); \ + (loc) += size; \ + } while(0) + +#define ADD_STRING(loc, data, size) ADD_MEM(loc, data, size) + +#endif /* !_LIBBSM_INTERNAL_H_ */ diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h new file mode 100644 index 0000000..54cc308 --- /dev/null +++ b/contrib/openbsm/bsm/audit_kevents.h @@ -0,0 +1,494 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#29 $ + */ + +#ifndef _BSM_AUDIT_KEVENTS_H_ +#define _BSM_AUDIT_KEVENTS_H_ + +/* + * Values marked as AUE_NULL are not required to be audited as per CAPP. + * + * Some conflicts exist in the assignment of name to event number mappings + * between BSM implementations. In general, we prefer the OpenSolaris + * definition as we consider Solaris BSM to be authoritative. _DARWIN_ has + * been inserted for the Darwin variants. If necessary, other tags will be + * added in the future. + */ + +#define AUE_NULL 0 +#define AUE_EXIT 1 +#define AUE_FORK 2 +#define AUE_OPEN 3 +#define AUE_CREAT 4 +#define AUE_LINK 5 +#define AUE_UNLINK 6 +#define AUE_DELETE AUE_UNLINK +#define AUE_EXEC 7 +#define AUE_CHDIR 8 +#define AUE_MKNOD 9 +#define AUE_CHMOD 10 +#define AUE_CHOWN 11 +#define AUE_UMOUNT 12 +#define AUE_JUNK 13 /* Solaris-specific. */ +#define AUE_ACCESS 14 +#define AUE_CHECKUSERACCESS AUE_ACCESS +#define AUE_KILL 15 +#define AUE_STAT 16 +#define AUE_LSTAT 17 +#define AUE_ACCT 18 +#define AUE_MCTL 19 /* Solaris-specific. */ +#define AUE_REBOOT 20 /* XXX: Darwin conflict. */ +#define AUE_SYMLINK 21 +#define AUE_READLINK 22 +#define AUE_EXECVE 23 +#define AUE_CHROOT 24 +#define AUE_VFORK 25 +#define AUE_SETGROUPS 26 +#define AUE_SETPGRP 27 +#define AUE_SWAPON 28 +#define AUE_SETHOSTNAME 29 /* XXX: Darwin conflict. */ +#define AUE_FCNTL 30 +#define AUE_SETPRIORITY 31 /* XXX: Darwin conflict. */ +#define AUE_CONNECT 32 +#define AUE_ACCEPT 33 +#define AUE_BIND 34 +#define AUE_SETSOCKOPT 35 +#define AUE_VTRACE 36 /* Solaris-specific. */ +#define AUE_SETTIMEOFDAY 37 /* XXX: Darwin conflict. */ +#define AUE_FCHOWN 38 +#define AUE_FCHMOD 39 +#define AUE_SETREUID 40 +#define AUE_SETREGID 41 +#define AUE_RENAME 42 +#define AUE_TRUNCATE 43 /* XXX: Darwin conflict. */ +#define AUE_FTRUNCATE 44 /* XXX: Darwin conflict. */ +#define AUE_FLOCK 45 /* XXX: Darwin conflict. */ +#define AUE_SHUTDOWN 46 +#define AUE_MKDIR 47 +#define AUE_RMDIR 48 +#define AUE_UTIMES 49 +#define AUE_ADJTIME 50 +#define AUE_SETRLIMIT 51 +#define AUE_KILLPG 52 +#define AUE_NFS_SVC 53 /* XXX: Darwin conflict. */ +#define AUE_STATFS 54 +#define AUE_FSTATFS 55 +#define AUE_UNMOUNT 56 /* XXX: Darwin conflict. */ +#define AUE_ASYNC_DAEMON 57 +#define AUE_NFS_GETFH 58 /* XXX: Darwin conflict. */ +#define AUE_SETDOMAINNAME 59 +#define AUE_QUOTACTL 60 /* XXX: Darwin conflict. */ +#define AUE_EXPORTFS 61 +#define AUE_MOUNT 62 +#define AUE_SEMSYS 63 +#define AUE_MSGSYS 64 +#define AUE_SHMSYS 65 +#define AUE_BSMSYS 66 /* Solaris-specific. */ +#define AUE_RFSSYS 67 /* Solaris-specific. */ +#define AUE_FCHDIR 68 +#define AUE_FCHROOT 69 +#define AUE_VPIXSYS 70 /* Solaris-specific. */ +#define AUE_PATHCONF 71 +#define AUE_OPEN_R 72 +#define AUE_OPEN_RC 73 +#define AUE_OPEN_RT 74 +#define AUE_OPEN_RTC 75 +#define AUE_OPEN_W 76 +#define AUE_OPEN_WC 77 +#define AUE_OPEN_WT 78 +#define AUE_OPEN_WTC 79 +#define AUE_OPEN_RW 80 +#define AUE_OPEN_RWC 81 +#define AUE_OPEN_RWT 82 +#define AUE_OPEN_RWTC 83 +#define AUE_MSGCTL 84 +#define AUE_MSGCTL_RMID 85 +#define AUE_MSGCTL_SET 86 +#define AUE_MSGCTL_STAT 87 +#define AUE_MSGGET 88 +#define AUE_MSGRCV 89 +#define AUE_MSGSND 90 +#define AUE_SHMCTL 91 +#define AUE_SHMCTL_RMID 92 +#define AUE_SHMCTL_SET 93 +#define AUE_SHMCTL_STAT 94 +#define AUE_SHMGET 95 +#define AUE_SHMAT 96 +#define AUE_SHMDT 97 +#define AUE_SEMCTL 98 +#define AUE_SEMCTL_RMID 99 +#define AUE_SEMCTL_SET 100 +#define AUE_SEMCTL_STAT 101 +#define AUE_SEMCTL_GETNCNT 102 +#define AUE_SEMCTL_GETPID 103 +#define AUE_SEMCTL_GETVAL 104 +#define AUE_SEMCTL_GETALL 105 +#define AUE_SEMCTL_GETZCNT 106 +#define AUE_SEMCTL_SETVAL 107 +#define AUE_SEMCTL_SETALL 108 +#define AUE_SEMGET 109 +#define AUE_SEMOP 110 +#define AUE_CORE 111 /* Solaris-specific, currently. */ +#define AUE_CLOSE 112 +#define AUE_SYSTEMBOOT 113 +#define AUE_ASYNC_DAEMON_EXIT 114 /* Solaris-specific. */ +#define AUE_NFSSVC_EXIT 115 /* Solaris-specific. */ +#define AUE_WRITEL 128 /* Solaris-specific. */ +#define AUE_WRITEVL 129 /* Solaris-specific. */ +#define AUE_GETAUID 130 +#define AUE_SETAUID 131 +#define AUE_GETAUDIT 132 +#define AUE_SETAUDIT 133 +#define AUE_GETUSERAUDIT 134 /* Solaris-specific. */ +#define AUE_SETUSERAUDIT 135 /* Solaris-specific. */ +#define AUE_AUDITSVC 136 /* Solaris-specific. */ +#define AUE_AUDITUSER 137 /* Solaris-specific. */ +#define AUE_AUDITON 138 +#define AUE_AUDITON_GTERMID 139 /* Solaris-specific. */ +#define AUE_AUDITON_STERMID 140 /* Solaris-specific. */ +#define AUE_AUDITON_GPOLICY 141 +#define AUE_AUDITON_SPOLICY 142 +#define AUE_AUDITON_GQCTRL 145 +#define AUE_AUDITON_SQCTRL 146 +#define AUE_GETKERNSTATE 147 /* Solaris-specific. */ +#define AUE_SETKERNSTATE 148 /* Solaris-specific. */ +#define AUE_GETPORTAUDIT 149 /* Solaris-specific. */ +#define AUE_AUDISTAT 150 /* Solaris-specific. */ +#define AUE_ENTERPROM 153 /* Solaris-specific. */ +#define AUE_EXITPROM 154 /* Solaris-specific. */ +#define AUE_IOCTL 158 +#define AUE_SOCKET 183 +#define AUE_SENDTO 184 +#define AUE_PIPE 185 +#define AUE_SOCKETPAIR 186 /* XXX: Darwin conflict. */ +#define AUE_SEND 187 +#define AUE_SENDMSG 188 +#define AUE_RECV 189 +#define AUE_RECVMSG 190 +#define AUE_RECVFROM 191 +#define AUE_READ 192 +#define AUE_LSEEK 194 +#define AUE_WRITE 195 +#define AUE_WRITEV 196 +#define AUE_NFS 197 /* Solaris-specific. */ +#define AUE_READV 198 + /* XXXRW: XXX Solaris old stat()? */ +#define AUE_SETUID 200 /* XXXRW: Solaris old setuid? */ +#define AUE_STIME 201 /* XXXRW: Solaris old stime? */ +#define AUE_UTIME 202 /* XXXRW: Solaris old utime? */ +#define AUE_NICE 203 /* XXXRW: Solaris old nice? */ + /* XXXRW: Solaris old setpgrp? */ +#define AUE_SETGID 205 /* XXXRW: Solaris old setgid? */ + /* XXXRW: Solaris readl? */ + /* XXXRW: Solaris readvl()? */ +#define AUE_DUP2 209 +#define AUE_MMAP 210 +#define AUE_AUDIT 211 +#define AUE_PRIOCNTLSYS 212 +#define AUE_MUNMAP 213 +#define AUE_SETEGID 214 +#define AUE_SETEUID 215 +#define AUE_PUTMSG 216 +#define AUE_GETMSG 217 /* Solaris-specific. */ +#define AUE_PUTPMSG 218 /* Solaris-specific. */ +#define AUE_GETPMSG 219 /* Solaris-specific. */ +#define AUE_AUDITSYS 220 /* Solaris-specific. */ +#define AUE_AUDITON_GETKMASK 221 +#define AUE_AUDITON_SETKMASK 222 +#define AUE_AUDITON_GETCWD 223 +#define AUE_AUDITON_GETCAR 224 +#define AUE_AUDITON_GETSTAT 225 +#define AUE_AUDITON_SETSTAT 226 +#define AUE_AUDITON_SETUMASK 227 +#define AUE_AUDITON_SETSMASK 228 +#define AUE_AUDITON_GETCOND 229 +#define AUE_AUDITON_SETCOND 230 +#define AUE_AUDITON_GETCLASS 231 +#define AUE_AUDITON_SETCLASS 232 +#define AUE_UTSSYS 233 /* Solaris-specific. */ +#define AUE_STATVFS 234 +#define AUE_XSTAT 235 +#define AUE_LXSTAT 236 +#define AUE_LCHOWN 237 +#define AUE_MEMCNTL 238 /* Solaris-specific. */ +#define AUE_SYSINFO 239 /* Solaris-specific. */ +#define AUE_XMKNOD 240 /* Solaris-specific. */ +#define AUE_FORK1 241 + /* XXXRW: Solaris modctl()? */ +#define AUE_MODLOAD 243 +#define AUE_MODUNLOAD 244 +#define AUE_MODCONFIG 245 /* Solaris-specific. */ +#define AUE_MODADDMAJ 246 /* Solaris-specific. */ +#define AUE_SOCKACCEPT 247 +#define AUE_SOCKCONNECT 248 +#define AUE_SOCKSEND 249 +#define AUE_SOCKRECEIVE 250 +#define AUE_ACLSET 251 +#define AUE_FACLSET 252 +#define AUE_DOORFS_DOOR_CALL 254 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_RETURN 255 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_CREATE 256 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_REVOKE 257 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_INFO 258 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_CRED 259 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_BIND 260 /* Solaris-specific. */ +#define AUE_DOORFS_DOOR_UNBIND 261 /* Solaris-specific. */ +#define AUE_P_ONLINE 262 /* Solaris-specific. */ +#define AUE_PROCESSOR_BIND 263 /* Solaris-specific. */ +#define AUE_INST_SYNC 264 /* Solaris-specific. */ +#define AUE_SOCK_CONFIG 265 /* Solaris-specific. */ +#define AUE_SETAUDIT_ADDR 266 +#define AUE_GETAUDIT_ADDR 267 +#define AUE_CLOCK_SETTIME 287 +#define AUE_NTP_ADJTIME 288 + +/* + * Events not present in OpenSolaris BSM, generally derived from Apple Darwin + * BSM or added in OpenBSM. This start a little too close to the top end of + * the OpenSolaris event list for my comfort. + */ +#define AUE_GETFSSTAT 301 +#define AUE_PTRACE 302 +#define AUE_CHFLAGS 303 +#define AUE_FCHFLAGS 304 +#define AUE_PROFILE 305 +#define AUE_KTRACE 306 +#define AUE_SETLOGIN 307 +#define AUE_DARWIN_REBOOT 308 /* XXX: See AUE_REBOOT. */ +#define AUE_REVOKE 309 +#define AUE_UMASK 310 +#define AUE_MPROTECT 311 +#define AUE_DARWIN_SETPRIORITY 312 /* XXX: See AUE_SETPRIORITY. */ +#define AUE_DARWIN_SETTIMEOFDAY 313 /* XXX: See AUE_SETTIMEOFDAY. */ +#define AUE_DARWIN_FLOCK 314 /* XXX: See AUE_FLOCK. */ +#define AUE_MKFIFO 315 +#define AUE_POLL 316 +#define AUE_DARWIN_SOCKETPAIR 317 /* XXXRW: See AUE_SOCKETPAIR. */ +#define AUE_FUTIMES 318 +#define AUE_SETSID 319 +#define AUE_SETPRIVEXEC 320 /* Darwin-specific. */ +#define AUE_DARWIN_NFSSVC 321 /* XXX: See AUE_NFS_SVC. */ +#define AUE_DARWIN_GETFH 322 /* XXX: See AUE_NFS_GETFH. */ +#define AUE_DARWIN_QUOTACTL 323 /* XXX: See AUE_QUOTACTL. */ +#define AUE_ADDPROFILE 324 /* Darwin-specific. */ +#define AUE_KDEBUGTRACE 325 /* Darwin-specific. */ +#define AUE_KDBUGTRACE AUE_KDEBUGTRACE +#define AUE_FSTAT 326 +#define AUE_FPATHCONF 327 +#define AUE_GETDIRENTRIES 328 +#define AUE_DARWIN_TRUNCATE 329 /* XXX: See AUE_TRUNCATE. */ +#define AUE_DARWIN_FTRUNCATE 330 /* XXX: See AUE_FTRUNCATE. */ +#define AUE_SYSCTL 331 +#define AUE_MLOCK 332 +#define AUE_MUNLOCK 333 +#define AUE_UNDELETE 334 +#define AUE_GETATTRLIST 335 /* Darwin-specific. */ +#define AUE_SETATTRLIST 336 /* Darwin-specific. */ +#define AUE_GETDIRENTRIESATTR 337 /* Darwin-specific. */ +#define AUE_EXCHANGEDATA 338 /* Darwin-specific. */ +#define AUE_SEARCHFS 339 /* Darwin-specific. */ +#define AUE_MINHERIT 340 +#define AUE_SEMCONFIG 341 +#define AUE_SEMOPEN 342 +#define AUE_SEMCLOSE 343 +#define AUE_SEMUNLINK 344 +#define AUE_SHMOPEN 345 +#define AUE_SHMUNLINK 346 +#define AUE_LOADSHFILE 347 /* Darwin-specific. */ +#define AUE_RESETSHFILE 348 /* Darwin-specific. */ +#define AUE_NEWSYSTEMSHREG 349 /* Darwin-specific. */ +#define AUE_PTHREADKILL 350 /* Darwin-specific. */ +#define AUE_PTHREADSIGMASK 351 /* Darwin-specific. */ +#define AUE_AUDITCTL 352 +#define AUE_RFORK 353 +#define AUE_LCHMOD 354 +#define AUE_SWAPOFF 355 +#define AUE_INITPROCESS 356 /* Darwin-specific. */ +#define AUE_MAPFD 357 /* Darwin-specific. */ +#define AUE_TASKFORPID 358 /* Darwin-specific. */ +#define AUE_PIDFORTASK 359 /* Darwin-specific. */ +#define AUE_SYSCTL_NONADMIN 360 +#define AUE_COPYFILE 361 /* Darwin-specific. */ +#define AUE_LUTIMES 362 +#define AUE_LCHFLAGS 363 /* FreeBSD-specific. */ +#define AUE_SENDFILE 364 /* BSD/Linux-specific. */ +#define AUE_USELIB 365 /* Linux-specific. */ +#define AUE_GETRESUID 366 +#define AUE_SETRESUID 367 +#define AUE_GETRESGID 368 +#define AUE_SETRESGID 369 +#define AUE_WAIT4 370 /* FreeBSD-specific. */ +#define AUE_LGETFH 371 /* FreeBSD-specific. */ +#define AUE_FHSTATFS 372 /* FreeBSD-specific. */ +#define AUE_FHOPEN 373 /* FreeBSD-specific. */ +#define AUE_FHSTAT 374 /* FreeBSD-specific. */ +#define AUE_JAIL 375 /* FreeBSD-specific. */ +#define AUE_EACCESS 376 /* FreeBSD-specific. */ +#define AUE_KQUEUE 377 /* FreeBSD-specific. */ +#define AUE_KEVENT 378 /* FreeBSD-specific. */ +#define AUE_FSYNC 379 +#define AUE_NMOUNT 380 /* FreeBSD-specific. */ + +/* + * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the + * normal Solaris BSM identifiers. _O_ refers to it being an old, or compat + * interface. In most cases, Darwin has never implemented these system calls + * but picked up the fields in their system call table from their FreeBSD + * import. Happily, these have different names than the AUE_O* definitions + * in Solaris BSM. + */ +#define AUE_O_CREAT AUE_OPEN_RWTC /* Darwin */ +#define AUE_O_EXECVE AUE_NULL /* Darwin */ +#define AUE_O_SBREAK AUE_NULL /* Darwin */ +#define AUE_O_LSEEK AUE_NULL /* Darwin */ +#define AUE_O_MOUNT AUE_NULL /* Darwin */ +#define AUE_O_UMOUNT AUE_NULL /* Darwin */ +#define AUE_O_STAT AUE_STAT /* Darwin */ +#define AUE_O_LSTAT AUE_LSTAT /* Darwin */ +#define AUE_O_FSTAT AUE_FSTAT /* Darwin */ +#define AUE_O_GETPAGESIZE AUE_NULL /* Darwin */ +#define AUE_O_VREAD AUE_NULL /* Darwin */ +#define AUE_O_VWRITE AUE_NULL /* Darwin */ +#define AUE_O_MMAP AUE_MMAP /* Darwin */ +#define AUE_O_VADVISE AUE_NULL /* Darwin */ +#define AUE_O_VHANGUP AUE_NULL /* Darwin */ +#define AUE_O_VLIMIT AUE_NULL /* Darwin */ +#define AUE_O_WAIT AUE_NULL /* Darwin */ +#define AUE_O_GETHOSTNAME AUE_NULL /* Darwin */ +#define AUE_O_SETHOSTNAME AUE_SYSCTL /* Darwin */ +#define AUE_O_GETDOPT AUE_NULL /* Darwin */ +#define AUE_O_SETDOPT AUE_NULL /* Darwin */ +#define AUE_O_ACCEPT AUE_NULL /* Darwin */ +#define AUE_O_SEND AUE_SENDMSG /* Darwin */ +#define AUE_O_RECV AUE_RECVMSG /* Darwin */ +#define AUE_O_VTIMES AUE_NULL /* Darwin */ +#define AUE_O_SIGVEC AUE_NULL /* Darwin */ +#define AUE_O_SIGBLOCK AUE_NULL /* Darwin */ +#define AUE_O_SIGSETMASK AUE_NULL /* Darwin */ +#define AUE_O_SIGSTACK AUE_NULL /* Darwin */ +#define AUE_O_RECVMSG AUE_RECVMSG /* Darwin */ +#define AUE_O_SENDMSG AUE_SENDMSG /* Darwin */ +#define AUE_O_VTRACE AUE_NULL /* Darwin */ +#define AUE_O_RESUBA AUE_NULL /* Darwin */ +#define AUE_O_RECVFROM AUE_RECVFROM /* Darwin */ +#define AUE_O_SETREUID AUE_SETREUID /* Darwin */ +#define AUE_O_SETREGID AUE_SETREGID /* Darwin */ +#define AUE_O_TRUNCATE AUE_TRUNCATE /* Darwin */ +#define AUE_O_FTRUNCATE AUE_FTRUNCATE /* Darwin */ +#define AUE_O_GETPEERNAME AUE_NULL /* Darwin */ +#define AUE_O_GETHOSTID AUE_NULL /* Darwin */ +#define AUE_O_SETHOSTID AUE_NULL /* Darwin */ +#define AUE_O_GETRLIMIT AUE_NULL /* Darwin */ +#define AUE_O_SETRLIMIT AUE_SETRLIMIT /* Darwin */ +#define AUE_O_KILLPG AUE_KILL /* Darwin */ +#define AUE_O_SETQUOTA AUE_NULL /* Darwin */ +#define AUE_O_QUOTA AUE_NULL /* Darwin */ +#define AUE_O_GETSOCKNAME AUE_NULL /* Darwin */ +#define AUE_O_GETDIREENTRIES AUE_GETDIREENTRIES /* Darwin */ +#define AUE_O_ASYNCDAEMON AUE_NULL /* Darwin */ +#define AUE_O_GETDOMAINNAME AUE_NULL /* Darwin */ +#define AUE_O_SETDOMAINNAME AUE_SYSCTL /* Darwin */ +#define AUE_O_PCFS_MOUNT AUE_NULL /* Darwin */ +#define AUE_O_EXPORTFS AUE_NULL /* Darwin */ +#define AUE_O_USTATE AUE_NULL /* Darwin */ +#define AUE_O_WAIT3 AUE_NULL /* Darwin */ +#define AUE_O_RPAUSE AUE_NULL /* Darwin */ +#define AUE_O_GETDENTS AUE_NULL /* Darwin */ + +/* + * Possible desired future values based on review of BSD/Darwin system calls. + */ +#define AUE_DUP AUE_NULL +#define AUE_FSCTL AUE_NULL +#define AUE_FSTATV AUE_NULL +#define AUE_GCCONTROL AUE_NULL +#define AUE_GETDTABLESIZE AUE_NULL +#define AUE_GETEGID AUE_NULL +#define AUE_GETEUID AUE_NULL +#define AUE_GETGID AUE_NULL +#define AUE_GETGROUPS AUE_NULL +#define AUE_GETITIMER AUE_NULL +#define AUE_GETLOGIN AUE_NULL +#define AUE_GETPEERNAME AUE_NULL +#define AUE_GETPGID AUE_NULL +#define AUE_GETPGRP AUE_NULL +#define AUE_GETPID AUE_NULL +#define AUE_GETPPID AUE_NULL +#define AUE_GETPRIORITY AUE_NULL +#define AUE_GETRLIMIT AUE_NULL +#define AUE_GETRUSAGE AUE_NULL +#define AUE_GETSID AUE_NULL +#define AUE_GETSOCKNAME AUE_NULL +#define AUE_GETTIMEOFDAY AUE_NULL +#define AUE_GETUID AUE_NULL +#define AUE_GETSOCKOPT AUE_NULL +#define AUE_GTSOCKOPT AUE_GETSOCKOPT /* XXX: Typo in Darwin. */ +#define AUE_ISSETUGID AUE_NULL +#define AUE_LISTEN AUE_NULL +#define AUE_LSTATV AUE_NULL +#define AUE_MADVISE AUE_NULL +#define AUE_MINCORE AUE_NULL +#define AUE_MKCOMPLEX AUE_NULL +#define AUE_MLOCKALL AUE_NULL +#define AUE_MODWATCH AUE_NULL +#define AUE_MSGCL AUE_NULL +#define AUE_MSYNC AUE_NULL +#define AUE_MUNLOCKALL AUE_NULL +#define AUE_PREAD AUE_NULL +#define AUE_PWRITE AUE_NULL +#define AUE_SBRK AUE_NULL +#define AUE_SELECT AUE_NULL +#define AUE_SEMDESTROY AUE_NULL +#define AUE_SEMGETVALUE AUE_NULL +#define AUE_SEMINIT AUE_NULL +#define AUE_SEMPOST AUE_NULL +#define AUE_SEMTRYWAIT AUE_NULL +#define AUE_SEMWAIT AUE_NULL +#define AUE_SETITIMER AUE_NULL +#define AUE_SIGACTION AUE_NULL +#define AUE_SIGALTSTACK AUE_NULL +#define AUE_SIGPENDING AUE_NULL +#define AUE_SIGPROCMASK AUE_NULL +#define AUE_SIGRETURN AUE_NULL +#define AUE_SIGSUSPEND AUE_NULL +#define AUE_SIGWAIT AUE_NULL +#define AUE_SSTK AUE_NULL +#define AUE_STATV AUE_NULL +#define AUE_SYNC AUE_NULL +#define AUE_SYSCALL AUE_NULL +#define AUE_TABLE AUE_NULL +#define AUE_WAITEVENT AUE_NULL +#define AUE_WATCHEVENT AUE_NULL + +#endif /* !_BSM_AUDIT_KEVENTS_H_ */ diff --git a/contrib/openbsm/bsm/audit_record.h b/contrib/openbsm/bsm/audit_record.h new file mode 100644 index 0000000..af9ba4d --- /dev/null +++ b/contrib/openbsm/bsm/audit_record.h @@ -0,0 +1,325 @@ +/* + * Copyright (c) 2005 Apple Computer, Inc. + * All rights reserved. + * + * @APPLE_BSD_LICENSE_HEADER_START@ + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * @APPLE_BSD_LICENSE_HEADER_END@ + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#14 $ + */ + +#ifndef _BSM_AUDIT_RECORD_H_ +#define _BSM_AUDIT_RECORD_H_ + +/* Various token id types */ + +/* + * Values inside the comments are not documented in the BSM pages and + * have been picked up from the header files + */ + +/* + * Values marked as XXX do not have a value defined in the BSM header files + */ + +#define AUT_INVALID 0x00 +#define AUT_OTHER_FILE32 0x11 +#define AUT_OHEADER 0x12 +#define AUT_TRAILER 0x13 +#define AUT_HEADER32 0x14 +#define AUT_HEADER32_EX 0x15 +#define AUT_DATA 0x21 +#define AUT_IPC 0x22 +#define AUT_PATH 0x23 +#define AUT_SUBJECT32 0x24 +#define AUT_SERVER32 0x25 +#define AUT_PROCESS32 0x26 +#define AUT_RETURN32 0x27 +#define AUT_TEXT 0x28 +#define AUT_OPAQUE 0x29 +#define AUT_IN_ADDR 0x2a +#define AUT_IP 0x2b +#define AUT_IPORT 0x2c +#define AUT_ARG32 0x2d +#define AUT_SOCKET 0x2e +#define AUT_SEQ 0x2f +#define AUT_ACL 0x30 +#define AUT_ATTR 0x31 +#define AUT_IPC_PERM 0x32 +#define AUT_LABEL 0x33 +#define AUT_GROUPS 0x34 +#define AUT_ILABEL 0x35 +#define AUT_SLABEL 0x36 +#define AUT_CLEAR 0x37 +#define AUT_PRIV 0x38 +#define AUT_UPRIV 0x39 +#define AUT_LIAISON 0x3a +#define AUT_NEWGROUPS 0x3b +#define AUT_EXEC_ARGS 0x3c +#define AUT_EXEC_ENV 0x3d +#define AUT_ATTR32 0x3e +/* #define AUT_???? 0x3f */ +#define AUT_XATOM 0x40 +#define AUT_XOBJ 0x41 +#define AUT_XPROTO 0x42 +#define AUT_XSELECT 0x43 +/* XXXRW: Additional X11 tokens not defined? */ +#define AUT_CMD 0x51 +#define AUT_EXIT 0x52 +/* XXXRW: OpenBSM AUT_HOST 0x70? */ +#define AUT_ARG64 0x71 +#define AUT_RETURN64 0x72 +#define AUT_ATTR64 0x73 +#define AUT_HEADER64 0x74 +#define AUT_SUBJECT64 0x75 +#define AUT_SERVER64 0x76 +#define AUT_PROCESS64 0x77 +#define AUT_OTHER_FILE64 0x78 +#define AUT_HEADER64_EX 0x79 +#define AUT_SUBJECT32_EX 0x7a +#define AUT_PROCESS32_EX 0x7b +#define AUT_SUBJECT64_EX 0x7c +#define AUT_PROCESS64_EX 0x7d +#define AUT_IN_ADDR_EX 0x7e +#define AUT_SOCKET_EX 0x7f + +/* + * Pre-64-bit BSM, 32-bit tokens weren't explicitly named as '32'. We have + * compatibility defines. + */ +#define AUT_HEADER AUT_HEADER32 +#define AUT_ARG AUT_ARG32 +#define AUT_RETURN AUT_RETURN32 +#define AUT_SUBJECT AUT_SUBJECT32 +#define AUT_SERVER AUT_SERVER32 +#define AUT_PROCESS AUT_PROCESS32 +#define AUT_OTHER_FILE AUT_OTHER_FILE32 + +/* + * Darwin's bsm distribution uses the following non-BSM token name defines. + * We provide them for a single OpenBSM release for compatibility reasons. + */ +#define AU_FILE_TOKEN AUT_OTHER_FILE32 +#define AU_TRAILER_TOKEN AUT_TRAILER +#define AU_HEADER_32_TOKEN AUT_HEADER32 +#define AU_DATA_TOKEN AUT_DATA +#define AU_ARB_TOKEN AUT_DATA +#define AU_IPC_TOKEN AUT_IPC +#define AU_PATH_TOKEN AUT_PATH +#define AU_SUBJECT_32_TOKEN AUT_SUBJECT32 +#define AU_PROCESS_32_TOKEN AUT_PROCESS32 +#define AU_RETURN_32_TOKEN AUT_RETURN32 +#define AU_TEXT_TOKEN AUT_TEXT +#define AU_OPAQUE_TOKEN AUT_OPAQUE +#define AU_IN_ADDR_TOKEN AUT_IN_ADDR +#define AU_IP_TOKEN AUT_IP +#define AU_IPORT_TOKEN AUT_IPORT +#define AU_ARG32_TOKEN AUT_ARG32 +#define AU_SOCK_TOKEN AUT_SOCKET +#define AU_SEQ_TOKEN AUT_SEQ +#define AU_ATTR_TOKEN AUT_ATTR +#define AU_IPCPERM_TOKEN AUT_IPC_PERM +#define AU_NEWGROUPS_TOKEN AUT_NEWGROUPS +#define AU_EXEC_ARG_TOKEN AUT_EXEC_ARGS +#define AU_EXEC_ENV_TOKEN AUT_EXEC_ENV +#define AU_ATTR32_TOKEN AUT_ATTR32 +#define AU_CMD_TOKEN AUT_CMD +#define AU_EXIT_TOKEN AUT_EXIT +#define AU_ARG64_TOKEN AUT_ARG64 +#define AU_RETURN_64_TOKEN AUT_RETURN64 +#define AU_ATTR64_TOKEN AUT_ATTR64 +#define AU_HEADER_64_TOKEN AUT_HEADER64 +#define AU_SUBJECT_64_TOKEN AUT_SUBJECT64 +#define AU_PROCESS_64_TOKEN AUT_PROCESS64 +#define AU_HEADER_64_EX_TOKEN AUT_HEADER64_EX +#define AU_SUBJECT_32_EX_TOKEN AUT_SUBJECT32_EX +#define AU_PROCESS_32_EX_TOKEN AUT_PROCESS32_EX +#define AU_SUBJECT_64_EX_TOKEN AUT_SUBJECT64_EX +#define AU_PROCESS_64_EX_TOKEN AUT_PROCESS64_EX +#define AU_IN_ADDR_EX_TOKEN AUT_IN_ADDR_EX +#define AU_SOCK_32_EX_TOKEN AUT_SOCKET_EX + +/* + * The values for the following token ids are not defined by BSM. + * + * XXXRW: Not sure how to handle these in OpenBSM yet, but I'll give them + * names more consistent with Sun's BSM. These originally came from Apple's + * BSM. + */ +#define AUT_SOCKINET32 0x80 /* XXX */ +#define AUT_SOCKINET128 0x81 /* XXX */ +#define AUT_SOCKUNIX 0x82 /* XXX */ +#define AU_SOCK_INET_32_TOKEN AUT_SOCKINET32 +#define AU_SOCK_INET_128_TOKEN AUT_SOCKINET128 +#define AU_SOCK_UNIX_TOKEN AUT_SOCKUNIX + +/* print values for the arbitrary token */ +#define AUP_BINARY 0 +#define AUP_OCTAL 1 +#define AUP_DECIMAL 2 +#define AUP_HEX 3 +#define AUP_STRING 4 + +/* data-types for the arbitrary token */ +#define AUR_BYTE 0 +#define AUR_SHORT 1 +#define AUR_LONG 2 + +/* ... and their sizes */ +#define AUR_BYTE_SIZE sizeof(u_char) +#define AUR_SHORT_SIZE sizeof(uint16_t) +#define AUR_LONG_SIZE sizeof(uint32_t) + +/* Modifiers for the header token */ +#define PAD_NOTATTR 0x4000 /* nonattributable event */ +#define PAD_FAILURE 0x8000 /* fail audit event */ + + +#define BSM_MAX_GROUPS 16 +#define HEADER_VERSION 1 + +/* + * BSM define is AUT_TRAILER_MAGIC; Apple BSM define is TRAILER_PAD_MAGIC; we + * split the difference, will remove the Apple define for the next release. + */ +#define AUT_TRAILER_MAGIC 0xb105 +#define TRAILER_PAD_MAGIC AUT_TRAILER_MAGIC + +/* BSM library calls */ + +__BEGIN_DECLS + +struct in_addr; +struct in6_addr; +struct ip; +struct ipc_perm; +struct kevent; +struct sockaddr_in; +struct sockaddr_in6; +struct sockaddr_un; +#if defined(_KERNEL) || defined(KERNEL) +struct vnode_au_info; +#endif + +int au_open(void); +int au_write(int d, token_t *m); +int au_close(int d, int keep, short event); +int au_close_buffer(int d, short event, u_char *buffer, size_t *buflen); + +#if defined(KERNEL) || defined(_KERNEL) +token_t *au_to_file(char *file, struct timeval tm); +#else +token_t *au_to_file(char *file); +#endif + +#if defined(KERNEL) || defined(_KERNEL) +token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod, + struct timeval tm); +token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod, + struct timeval tm); +#else +token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod); +token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod); +#endif + +token_t *au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod); +token_t *au_to_me(void); +token_t *au_to_arg(char n, char *text, uint32_t v); +token_t *au_to_arg32(char n, char *text, uint32_t v); +token_t *au_to_arg64(char n, char *text, uint64_t v); + +#if defined(_KERNEL) || defined(KERNEL) +token_t *au_to_attr(struct vnode_au_info *vni); +token_t *au_to_attr32(struct vnode_au_info *vni); +token_t *au_to_attr64(struct vnode_au_info *vni); +#endif + +token_t *au_to_data(char unit_print, char unit_type, char unit_count, + char *p); +token_t *au_to_exit(int retval, int err); +token_t *au_to_groups(int *groups); +token_t *au_to_newgroups(uint16_t n, gid_t *groups); +token_t *au_to_in_addr(struct in_addr *internet_addr); +token_t *au_to_in_addr_ex(struct in6_addr *internet_addr); +token_t *au_to_ip(struct ip *ip); +token_t *au_to_ipc(char type, int id); +token_t *au_to_ipc_perm(struct ipc_perm *perm); +token_t *au_to_iport(uint16_t iport); +token_t *au_to_opaque(char *data, uint16_t bytes); +token_t *au_to_path(char *path); +token_t *au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); +token_t *au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, + uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid, + au_tid_addr_t *tid); +token_t *au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); +token_t *au_to_return(char status, uint32_t ret); +token_t *au_to_return32(char status, uint32_t ret); +token_t *au_to_return64(char status, uint64_t ret); +token_t *au_to_seq(long audit_count); + +#if defined(_KERNEL) || defined(KERNEL) +token_t *au_to_socket(struct socket *so); +token_t *au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la, + struct sockaddr *ta); +token_t *au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la, + struct sockaddr *ta); +#endif + +token_t *au_to_sock_inet(struct sockaddr_in *so); +token_t *au_to_sock_inet32(struct sockaddr_in *so); +token_t *au_to_sock_inet128(struct sockaddr_in6 *so); +token_t *au_to_sock_unix(struct sockaddr_un *so); +token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid); +token_t *au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); +token_t *au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); +token_t *au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, + gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid); +token_t *au_to_exec_args(const char **); +token_t *au_to_exec_env(const char **); +token_t *au_to_text(char *text); +token_t *au_to_kevent(struct kevent *kev); +token_t *au_to_trailer(int rec_size); + +__END_DECLS + +#endif /* ! _BSM_AUDIT_RECORD_H_ */ diff --git a/contrib/openbsm/bsm/audit_uevents.h b/contrib/openbsm/bsm/audit_uevents.h new file mode 100644 index 0000000..0493e31 --- /dev/null +++ b/contrib/openbsm/bsm/audit_uevents.h @@ -0,0 +1,102 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#7 $ + */ + +#ifndef _BSM_AUDIT_UEVENTS_H_ +#define _BSM_AUDIT_UEVENTS_H_ + +/*- + * User level audit event numbers + * + * Range of audit event numbers: + * 0 Reserved, invalid + * 1 - 2047 Reserved for kernel events + * 2048 - 32767 Defined by BSM for user events + * 32768 - 36864 Reserved for Mac OS-X applications + * 36865 - 65535 Reserved for applications + * + */ +#define AUE_at_create 6144 +#define AUE_at_delete 6145 +#define AUE_at_perm 6146 +#define AUE_cron_invoke 6147 +#define AUE_crontab_create 6148 +#define AUE_crontab_delete 6149 +#define AUE_crontab_perm 6150 +#define AUE_inetd_connect 6151 +#define AUE_login 6152 +#define AUE_logout 6153 +#define AUE_telnet 6154 +#define AUE_rlogin 6155 +#define AUE_mountd_mount 6156 +#define AUE_mountd_umount 6157 +#define AUE_rshd 6158 +#define AUE_su 6159 +#define AUE_halt 6160 +#define AUE_reboot 6161 +#define AUE_rexecd 6162 +#define AUE_passwd 6163 +#define AUE_rexd 6164 +#define AUE_ftpd 6165 +#define AUE_init 6166 +#define AUE_uadmin 6167 +#define AUE_shutdown 6168 +#define AUE_poweroff 6169 +#define AUE_crontab_mod 6170 +#define AUE_audit_startup 6171 +#define AUE_audit_shutdown 6172 +#define AUE_allocate_succ 6200 +#define AUE_allocate_fail 6201 +#define AUE_deallocate_succ 6202 +#define AUE_deallocate_fail 6203 +#define AUE_listdevice_succ 6205 +#define AUE_listdevice_fail 6206 +#define AUE_create_user 6207 +#define AUE_modify_user 6208 +#define AUE_delete_user 6209 +#define AUE_disable_user 6210 +#define AUE_enable_user 6211 +#define AUE_sudo 6300 +#define AUE_modify_password 6501 /* Not assigned by Sun. */ +#define AUE_create_group 6511 /* Not assigned by Sun. */ +#define AUE_delete_group 6512 /* Not assigned by Sun. */ +#define AUE_modify_group 6513 /* Not assigned by Sun. */ +#define AUE_add_to_group 6514 /* Not assigned by Sun. */ +#define AUE_remove_from_group 6515 /* Not assigned by Sun. */ +#define AUE_revoke_obj 6521 /* Not assigned by Sun; not used. */ +#define AUE_lw_login 6600 /* Not assigned by Sun; tentative. */ +#define AUE_lw_logout 6601 /* Not assigned by Sun; tentative. */ +#define AUE_auth_user 7000 /* Not assigned by Sun. */ +#define AUE_ssconn 7001 /* Not assigned by Sun. */ +#define AUE_ssauthorize 7002 /* Not assigned by Sun. */ +#define AUE_ssauthint 7003 /* Not assigned by Sun. */ +#define AUE_openssh 32800 + +#endif /* !_BSM_AUDIT_UEVENTS_H_ */ diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h new file mode 100644 index 0000000..baf9f14 --- /dev/null +++ b/contrib/openbsm/bsm/libbsm.h @@ -0,0 +1,1175 @@ +/* + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of + * its contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#14 $ + */ + +#ifndef _LIBBSM_H_ +#define _LIBBSM_H_ + +/* + * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced + * solely to allow OpenSSH to compile; Darwin/Apple code should not use them. + */ + +#define MAX_ARGS 10 +#define MAX_ENV 10 + +#include <sys/types.h> +#include <sys/cdefs.h> +#include <sys/queue.h> + +#include <bsm/audit.h> +#include <bsm/audit_record.h> + +#include <stdio.h> +#include <stdint.h> + +#ifdef __APPLE__ +#include <mach/mach.h> /* audit_token_t */ +#endif + +#define AU_PRS_SUCCESS 1 +#define AU_PRS_FAILURE 2 +#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) + +#define AU_PRS_USECACHE 0 +#define AU_PRS_REREAD 1 + +#define AUDIT_EVENT_FILE "/etc/security/audit_event" +#define AUDIT_CLASS_FILE "/etc/security/audit_class" +#define AUDIT_CONTROL_FILE "/etc/security/audit_control" +#define AUDIT_USER_FILE "/etc/security/audit_user" + +#define DIR_CONTROL_ENTRY "dir" +#define MINFREE_CONTROL_ENTRY "minfree" +#define FLAGS_CONTROL_ENTRY "flags" +#define NA_CONTROL_ENTRY "naflags" + +#define AU_CLASS_NAME_MAX 8 +#define AU_CLASS_DESC_MAX 72 +#define AU_EVENT_NAME_MAX 30 +#define AU_EVENT_DESC_MAX 50 +#define AU_USER_NAME_MAX 50 +#define AU_LINE_MAX 256 +#define MAX_AUDITSTRING_LEN 256 +#define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */ + +/* + * These are referenced in Solaris 9 au_open(3BSM); values are guesses. + * Provided for OpenSSH compatibility. + */ +#define AU_TO_NO_WRITE 0 +#define AU_TO_WRITE 1 + +__BEGIN_DECLS +struct au_event_ent { + au_event_t ae_number; + char *ae_name; + char *ae_desc; + au_class_t ae_class; +}; +typedef struct au_event_ent au_event_ent_t; + +struct au_class_ent { + char *ac_name; + au_class_t ac_class; + char *ac_desc; +}; +typedef struct au_class_ent au_class_ent_t; + +struct au_user_ent { + char *au_name; + au_mask_t au_always; + au_mask_t au_never; +}; +typedef struct au_user_ent au_user_ent_t; +__END_DECLS + +#define ADD_TO_MASK(m, c, sel) do { \ + if (sel & AU_PRS_SUCCESS) \ + (m)->am_success |= c; \ + if (sel & AU_PRS_FAILURE) \ + (m)->am_failure |= c; \ +} while (0) + +#define SUB_FROM_MASK(m, c, sel) do { \ + if (sel & AU_PRS_SUCCESS) \ + (m)->am_success &= ((m)->am_success ^ c); \ + if (sel & AU_PRS_FAILURE) \ + (m)->am_failure &= ((m)->am_failure ^ c); \ +} while (0) + +#define ADDMASK(m, v) do { \ + (m)->am_success |= (v)->am_success; \ + (m)->am_failure |= (v)->am_failure; \ +} while(0) + +#define SUBMASK(m, v) do { \ + (m)->am_success &= ((m)->am_success ^ (v)->am_success); \ + (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \ +} while(0) + +__BEGIN_DECLS + +/* + * Internal representation of audit user in libnsl. + */ +typedef struct au_user_str_s { + char *au_name; + char *au_always; + char *au_never; +} au_user_str_t; + +typedef struct au_tid32 { + u_int32_t port; + u_int32_t addr; +} au_tid32_t; + +typedef struct au_tid64 { + u_int64_t port; + u_int32_t addr; +} au_tid64_t; + +typedef struct au_tidaddr32 { + u_int32_t port; + u_int32_t type; + u_int32_t addr[4]; +} au_tidaddr32_t; + +/* + * argument # 1 byte + * argument value 4 bytes/8 bytes (32-bit/64-bit value) + * text length 2 bytes + * text N bytes + 1 terminating NULL byte + */ +typedef struct { + u_char no; + u_int32_t val; + u_int16_t len; + char *text; +} au_arg32_t; + +typedef struct { + u_char no; + u_int64_t val; + u_int16_t len; + char *text; +} au_arg64_t; + +/* + * how to print 1 byte + * basic unit 1 byte + * unit count 1 byte + * data items (depends on basic unit) + */ +typedef struct { + u_char howtopr; + u_char bu; + u_char uc; + u_char *data; +} au_arb_t; + +/* + * file access mode 4 bytes + * owner user ID 4 bytes + * owner group ID 4 bytes + * file system ID 4 bytes + * node ID 8 bytes + * device 4 bytes/8 bytes (32-bit/64-bit) + */ +typedef struct { + u_int32_t mode; + u_int32_t uid; + u_int32_t gid; + u_int32_t fsid; + u_int64_t nid; + u_int32_t dev; +} au_attr32_t; + +typedef struct { + u_int32_t mode; + u_int32_t uid; + u_int32_t gid; + u_int32_t fsid; + u_int64_t nid; + u_int64_t dev; +} au_attr64_t; + +/* + * count 4 bytes + * text count null-terminated string(s) + */ +typedef struct { + u_int32_t count; + char *text[MAX_ARGS]; +} au_execarg_t; + +/* + * count 4 bytes + * text count null-terminated string(s) + */ +typedef struct { + u_int32_t count; + char *text[MAX_ENV]; +} au_execenv_t; + +/* + * status 4 bytes + * return value 4 bytes + */ +typedef struct { + u_int32_t status; + u_int32_t ret; +} au_exit_t; + +/* + * seconds of time 4 bytes + * milliseconds of time 4 bytes + * file name length 2 bytes + * file pathname N bytes + 1 terminating NULL byte + */ +typedef struct { + u_int32_t s; + u_int32_t ms; + u_int16_t len; + char *name; +} au_file_t; + + +/* + * number groups 2 bytes + * group list N * 4 bytes + */ +typedef struct { + u_int16_t no; + u_int32_t list[BSM_MAX_GROUPS]; +} au_groups_t; + +/* + * record byte count 4 bytes + * version # 1 byte [2] + * event type 2 bytes + * event modifier 2 bytes + * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) + * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) + */ +typedef struct { + u_int32_t size; + u_char version; + u_int16_t e_type; + u_int16_t e_mod; + u_int32_t s; + u_int32_t ms; +} au_header32_t; + +/* + * record byte count 4 bytes + * version # 1 byte [2] + * event type 2 bytes + * event modifier 2 bytes + * address type/length 1 byte (XXX: actually, 4 bytes) + * machine address 4 bytes/16 bytes (IPv4/IPv6 address) + * seconds of time 4 bytes/8 bytes (32/64-bits) + * nanoseconds of time 4 bytes/8 bytes (32/64-bits) + */ +typedef struct { + u_int32_t size; + u_char version; + u_int16_t e_type; + u_int16_t e_mod; + u_int32_t ad_type; + u_int32_t addr[4]; + u_int32_t s; + u_int32_t ms; +} au_header32_ex_t; + +typedef struct { + u_int32_t size; + u_char version; + u_int16_t e_type; + u_int16_t e_mod; + u_int64_t s; + u_int64_t ms; +} au_header64_t; + +typedef struct { + u_int32_t size; + u_char version; + u_int16_t e_type; + u_int16_t e_mod; + u_int32_t ad_type; + u_int32_t addr[4]; + u_int64_t s; + u_int64_t ms; +} au_header64_ex_t; + +/* + * internet address 4 bytes + */ +typedef struct { + u_int32_t addr; +} au_inaddr_t; + +/* + * type 4 bytes + * internet address 16 bytes + */ +typedef struct { + u_int32_t type; + u_int32_t addr[4]; +} au_inaddr_ex_t; + +/* + * version and ihl 1 byte + * type of service 1 byte + * length 2 bytes + * id 2 bytes + * offset 2 bytes + * ttl 1 byte + * protocol 1 byte + * checksum 2 bytes + * source address 4 bytes + * destination address 4 bytes + */ +typedef struct { + u_char version; + u_char tos; + u_int16_t len; + u_int16_t id; + u_int16_t offset; + u_char ttl; + u_char prot; + u_int16_t chksm; + u_int32_t src; + u_int32_t dest; +} au_ip_t; + +/* + * object ID type 1 byte + * object ID 4 bytes + */ +typedef struct { + u_char type; + u_int32_t id; +} au_ipc_t; + +/* + * owner user ID 4 bytes + * owner group ID 4 bytes + * creator user ID 4 bytes + * creator group ID 4 bytes + * access mode 4 bytes + * slot sequence # 4 bytes + * key 4 bytes + */ +typedef struct { + u_int32_t uid; + u_int32_t gid; + u_int32_t puid; + u_int32_t pgid; + u_int32_t mode; + u_int32_t seq; + u_int32_t key; +} au_ipcperm_t; + +/* + * port IP address 2 bytes + */ +typedef struct { + u_int16_t port; +} au_iport_t; + +/* + * length 2 bytes + * data length bytes + */ +typedef struct { + u_int16_t size; + char *data; +} au_opaque_t; + +/* + * path length 2 bytes + * path N bytes + 1 terminating NULL byte + */ +typedef struct { + u_int16_t len; + char *path; +} au_path_t; + +/* + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * machine address 4 bytes + */ +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tid32_t tid; +} au_proc32_t; + +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tid64_t tid; +} au_proc64_t; + +/* + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * type 4 bytes + * machine address 16 bytes + */ +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tidaddr32_t tid; +} au_proc32ex_t; + +/* + * error status 1 byte + * return value 4 bytes/8 bytes (32-bit/64-bit value) + */ +typedef struct { + u_char status; + u_int32_t ret; +} au_ret32_t; + +typedef struct { + u_char err; + u_int64_t val; +} au_ret64_t; + +/* + * sequence number 4 bytes + */ +typedef struct { + u_int32_t seqno; +} au_seq_t; + +/* + * socket type 2 bytes + * local port 2 bytes + * local Internet address 4 bytes + * remote port 2 bytes + * remote Internet address 4 bytes + */ +typedef struct { + u_int16_t type; + u_int16_t l_port; + u_int32_t l_addr; + u_int16_t r_port; + u_int32_t r_addr; +} au_socket_t; + +/* + * socket type 2 bytes + * local port 2 bytes + * address type/length 4 bytes + * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) + * remote port 4 bytes + * address type/length 4 bytes + * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) + */ +typedef struct { + u_int16_t type; + u_int16_t l_port; + u_int32_t l_ad_type; + u_int32_t l_addr; + u_int32_t r_port; + u_int32_t r_ad_type; + u_int32_t r_addr; +} au_socket_ex32_t; + +/* + * socket family 2 bytes + * local port 2 bytes + * socket address 4 bytes/16 bytes (IPv4/IPv6 address) + */ +typedef struct { + u_int16_t family; + u_int16_t port; + u_int32_t addr; +} au_socketinet32_t; + +/* + * socket family 2 bytes + * path 104 bytes + */ +typedef struct { + u_int16_t family; + char path[104]; +} au_socketunix_t; + +/* + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * machine address 4 bytes + */ +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tid32_t tid; +} au_subject32_t; + +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tid64_t tid; +} au_subject64_t; + +/* + * audit ID 4 bytes + * effective user ID 4 bytes + * effective group ID 4 bytes + * real user ID 4 bytes + * real group ID 4 bytes + * process ID 4 bytes + * session ID 4 bytes + * terminal ID + * port ID 4 bytes/8 bytes (32-bit/64-bit value) + * type 4 bytes + * machine address 16 bytes + */ +typedef struct { + u_int32_t auid; + u_int32_t euid; + u_int32_t egid; + u_int32_t ruid; + u_int32_t rgid; + u_int32_t pid; + u_int32_t sid; + au_tidaddr32_t tid; +} au_subject32ex_t; + +/* + * text length 2 bytes + * text N bytes + 1 terminating NULL byte + */ +typedef struct { + u_int16_t len; + char *text; +} au_text_t; + +typedef struct { + u_int32_t ident; + u_int16_t filter; + u_int16_t flags; + u_int32_t fflags; + u_int32_t data; +} au_kevent_t; + +typedef struct { + u_int16_t length; + char *data; +} au_invalid_t; + +/* + * trailer magic number 2 bytes + * record byte count 4 bytes + */ +typedef struct { + u_int16_t magic; + u_int32_t count; +} au_trailer_t; + +struct tokenstr { + u_char id; + u_char *data; + size_t len; + union { + au_arg32_t arg32; + au_arg64_t arg64; + au_arb_t arb; + au_attr32_t attr32; + au_attr64_t attr64; + au_execarg_t execarg; + au_execenv_t execenv; + au_exit_t exit; + au_file_t file; + au_groups_t grps; + au_header32_t hdr32; + au_header32_ex_t hdr32_ex; + au_header64_t hdr64; + au_header64_ex_t hdr64_ex; + au_inaddr_t inaddr; + au_inaddr_ex_t inaddr_ex; + au_ip_t ip; + au_ipc_t ipc; + au_ipcperm_t ipcperm; + au_iport_t iport; + au_opaque_t opaque; + au_path_t path; + au_proc32_t proc32; + au_proc64_t proc64; + au_proc32ex_t proc32_ex; + au_ret32_t ret32; + au_ret64_t ret64; + au_seq_t seq; + au_socket_t socket; + au_socket_ex32_t socket_ex32; + au_socketinet32_t sockinet32; + au_socketunix_t sockunix; + au_subject32_t subj32; + au_subject64_t subj64; + au_subject32ex_t subj32_ex; + au_text_t text; + au_kevent_t kevent; + au_invalid_t invalid; + au_trailer_t trail; + } tt; /* The token is one of the above types */ +}; + +typedef struct tokenstr tokenstr_t; + +/* + * Functions relating to querying audit class information. + */ +void setauclass(void); +void endauclass(void); +struct au_class_ent *getauclassent(void); +struct au_class_ent *getauclassent_r(au_class_ent_t *class_int); +struct au_class_ent *getauclassnam(const char *name); +struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int, + const char *name); +struct au_class_ent *getauclassnum(au_class_t class_number); +struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int, + au_class_t class_number); + +/* + * Functions relating to querying audit control information. + */ +void setac(void); +void endac(void); +int getacdir(char *name, int len); +int getacmin(int *min_val); +int getacflg(char *auditstr, int len); +int getacna(char *auditstr, int len); +int getauditflagsbin(char *auditstr, au_mask_t *masks); +int getauditflagschar(char *auditstr, au_mask_t *masks, + int verbose); +int au_preselect(au_event_t event, au_mask_t *mask_p, + int sorf, int flag); + +/* + * Functions relating to querying audit event information. + * + * XXXRW: getauevnonam() has no _r version? + */ +void setauevent(void); +void endauevent(void); +struct au_event_ent *getauevent(void); +struct au_event_ent *getauevent_r(struct au_event_ent *e); +struct au_event_ent *getauevnam(const char *name); +struct au_event_ent *getauevnam_r(struct au_event_ent *e, + const char *name); +struct au_event_ent *getauevnum(au_event_t event_number); +struct au_event_ent *getauevnum_r(struct au_event_ent *e, + au_event_t event_number); +au_event_t *getauevnonam(const char *event_name); +au_event_t *getauevnonam_r(au_event_t *ev, + const char *event_name); + +/* + * Functions relating to querying audit user information. + */ +void setauuser(void); +void endauuser(void); +struct au_user_ent *getauuserent(void); +struct au_user_ent *getauuserent_r(struct au_user_ent *u); +struct au_user_ent *getauusernam(const char *name); +struct au_user_ent *getauusernam_r(struct au_user_ent *u, + const char *name); +int au_user_mask(char *username, au_mask_t *mask_p); +int getfauditflags(au_mask_t *usremask, + au_mask_t *usrdmask, au_mask_t *lastmask); + +/* + * Functions for reading and printing records and tokens from audit trails. + */ +int au_read_rec(FILE *fp, u_char **buf); +int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len); +//XXX The following interface has different prototype from BSM +void au_print_tok(FILE *outfp, tokenstr_t *tok, + char *del, char raw, char sfrm); +__END_DECLS + +#ifdef __APPLE__ +#include <sys/appleapiopts.h> + +/************************************************************************** + ************************************************************************** + ** The following definitions, functions, etc., are NOT officially + ** supported: they may be changed or removed in the future. Do not use + ** them unless you are prepared to cope with that eventuality. + ************************************************************************** + **************************************************************************/ + +#ifdef __APPLE_API_PRIVATE +#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change" +#endif /* __APPLE_API_PRIVATE */ + +/* + * au_get_state() return values + * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and + * AUDIT_ON are deprecated and WILL be removed. + */ +#ifdef __APPLE_API_PRIVATE +#define AUDIT_OFF AUC_NOAUDIT +#define AUDIT_ON AUC_AUDITING +#endif /* __APPLE_API_PRIVATE */ +#endif /* !__APPLE__ */ + +/* + * Error return codes for audit_set_terminal_id(), audit_write() and its + * brethren. We have 255 (not including kAUNoErr) to play with. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +enum { + kAUNoErr = 0, + kAUBadParamErr = -66049, + kAUStatErr, + kAUSysctlErr, + kAUOpenErr, + kAUMakeSubjectTokErr, + kAUWriteSubjectTokErr, + kAUWriteCallerTokErr, + kAUMakeReturnTokErr, + kAUWriteReturnTokErr, + kAUCloseErr, + kAUMakeTextTokErr, + kAULastErr +}; + +#ifdef __APPLE__ +/* + * Error return codes for au_get_state() and/or its private support + * functions. These codes are designed to be compatible with the + * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping. + * Any changes to notify(3) may cause these values to change in future. + * + * AU_UNIMPL should never happen unless you've changed your system software + * without rebooting. Shame on you. + */ +#ifdef __APPLE_API_PRIVATE +#define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */ +#endif /* __APPLE_API_PRIVATE */ +#endif /* !__APPLE__ */ + +__BEGIN_DECLS +/* + * XXX This prototype should be in audit_record.h + * + * au_free_token() + * + * @summary - au_free_token() deallocates a token_t created by any of + * the au_to_*() BSM API functions. + * + * The BSM API generally manages deallocation of token_t objects. However, + * if au_write() is passed a bad audit descriptor, the token_t * parameter + * will be left untouched. In that case, the caller can deallocate the + * token_t using au_free_token() if desired. This is, in fact, what + * audit_write() does, in keeping with the existing memory management model + * of the BSM API. + * + * @param tok - A token_t * generated by one of the au_to_*() BSM API + * calls. For convenience, tok may be NULL, in which case + * au_free_token() returns immediately. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +void au_free_token(token_t *tok); + +/* + * Lightweight check to determine if auditing is enabled. If a client + * wants to use this to govern whether an entire series of audit calls + * should be made--as in the common case of a caller building a set of + * tokens, then writing them--it should cache the audit status in a local + * variable. This call always returns the current state of auditing. + * + * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred. + * Otherwise the function can return any of the errno values defined for + * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by + * the system. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int au_get_state(void); +__END_DECLS + +/* OpenSSH compatibility */ +#define cannot_audit(x) (!(au_get_state() == AUC_AUDITING)) + +__BEGIN_DECLS +/* + * audit_set_terminal_id() + * + * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is + * used in audit session initialization by processes like /usr/bin/login. + * + * @param tid - A pointer to an au_tid_t struct. + * + * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr + * or kAUSysctlErr if one of the underlying system calls fails (a message + * is sent to the system log in those cases). + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_set_terminal_id(au_tid_t *tid); + +/* + * BEGIN au_write() WRAPPERS + * + * The following calls all wrap the existing BSM API. They use the + * provided subject information, if any, to construct the subject token + * required for every log message. They use the provided return/error + * value(s), if any, to construct the success/failure indication required + * for every log message. They only permit one "miscellaneous" token, + * which should contain the event-specific logging information mandated by + * CAPP. + * + * All these calls assume the caller has previously determined that + * auditing is enabled by calling au_get_state(). + */ + +/* + * audit_write() + * + * @summary - audit_write() is the basis for the other audit_write_*() + * calls. Performs a basic write of an audit record (subject, additional + * info, success/failure). Note that this call only permits logging one + * caller-specified token; clients needing to log more flexibly must use + * the existing BSM API (au_open(), et al.) directly. + * + * Note on memory management: audit_write() guarantees that the token_t *s + * passed to it will be deallocated whether or not the underlying write to + * the audit log succeeded. This addresses an inconsistency in the + * underlying BSM API in which token_t *s are usually but not always + * deallocated. + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param subject - A token_t * generated by au_to_subject(), + * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is + * required, subject should be NULL. + * + * @param misctok - A token_t * generated by one of the au_to_*() BSM API + * calls. This should correspond to the additional information required by + * CAPP for the event being audited. If no additional information is + * required, misctok should be NULL. + * + * @param retval - The return value to be logged for this event. This + * should be 0 (zero) for success, otherwise the value is event-specific. + * + * @param errcode - Any error code associated with the return value (e.g., + * errno or h_errno). If there was no error, errcode should be 0 (zero). + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write(short event_code, token_t *subject, token_t *misctok, + char retval, int errcode); + +/* + * audit_write_success() + * + * @summary - audit_write_success() records an auditable event that did not + * encounter an error. The interface is designed to require as little + * direct use of the au_to_*() API as possible. It builds a subject token + * from the information passed in and uses that to invoke audit_write(). + * A subject, as defined by CAPP, is a process acting on the user's behalf. + * + * If the subject information is the same as the current process, use + * au_write_success_self(). + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param misctok - A token_t * generated by one of the au_to_*() BSM API + * calls. This should correspond to the additional information required by + * CAPP for the event being audited. If no additional information is + * required, misctok should be NULL. + * + * @param auid - The subject's audit ID. + * + * @param euid - The subject's effective user ID. + * + * @param egid - The subject's effective group ID. + * + * @param ruid - The subject's real user ID. + * + * @param rgid - The subject's real group ID. + * + * @param pid - The subject's process ID. + * + * @param sid - The subject's session ID. + * + * @param tid - The subject's terminal ID. + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write_success(short event_code, token_t *misctok, au_id_t auid, + uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, + au_asid_t sid, au_tid_t *tid); + +/* + * audit_write_success_self() + * + * @summary - Similar to audit_write_success(), but used when the subject + * (process) is owned and operated by the auditable user him/herself. + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param misctok - A token_t * generated by one of the au_to_*() BSM API + * calls. This should correspond to the additional information required by + * CAPP for the event being audited. If no additional information is + * required, misctok should be NULL. + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write_success_self(short event_code, token_t *misctok); + +/* + * audit_write_failure() + * + * @summary - audit_write_failure() records an auditable event that + * encountered an error. The interface is designed to require as little + * direct use of the au_to_*() API as possible. It builds a subject token + * from the information passed in and uses that to invoke audit_write(). + * A subject, as defined by CAPP, is a process acting on the user's behalf. + * + * If the subject information is the same as the current process, use + * au_write_failure_self(). + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param errmsg - A text message providing additional information about + * the event being audited. + * + * @param errret - A numerical value providing additional information about + * the error. This is intended to store the value of errno or h_errno if + * it's relevant. This can be 0 (zero) if no additional information is + * available. + * + * @param auid - The subject's audit ID. + * + * @param euid - The subject's effective user ID. + * + * @param egid - The subject's effective group ID. + * + * @param ruid - The subject's real user ID. + * + * @param rgid - The subject's real group ID. + * + * @param pid - The subject's process ID. + * + * @param sid - The subject's session ID. + * + * @param tid - The subject's terminal ID. + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write_failure(short event_code, char *errmsg, int errret, + au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, + pid_t pid, au_asid_t sid, au_tid_t *tid); + +/* + * audit_write_failure_self() + * + * @summary - Similar to audit_write_failure(), but used when the subject + * (process) is owned and operated by the auditable user him/herself. + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param errmsg - A text message providing additional information about + * the event being audited. + * + * @param errret - A numerical value providing additional information about + * the error. This is intended to store the value of errno or h_errno if + * it's relevant. This can be 0 (zero) if no additional information is + * available. + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write_failure_self(short event_code, char *errmsg, int errret); + +/* + * audit_write_failure_na() + * + * @summary - audit_write_failure_na() records errors during login. Such + * errors are implicitly non-attributable (i.e., not ascribable to any user). + * + * @param event_code - The code for the event being logged. This should + * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. + * + * @param errmsg - A text message providing additional information about + * the event being audited. + * + * @param errret - A numerical value providing additional information about + * the error. This is intended to store the value of errno or h_errno if + * it's relevant. This can be 0 (zero) if no additional information is + * available. + * + * @param euid - The subject's effective user ID. + * + * @param egid - The subject's effective group ID. + * + * @param pid - The subject's process ID. + * + * @param tid - The subject's terminal ID. + * + * @return - The status of the call: 0 (zero) on success, else one of the + * kAU*Err values defined above. + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +int audit_write_failure_na(short event_code, char *errmsg, int errret, + uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid); + +/* END au_write() WRAPPERS */ + +#ifdef __APPLE__ +/* + * audit_token_to_au32() + * + * @summary - Extract information from an audit_token_t, used to identify + * Mach tasks and senders of Mach messages as subjects to the audit system. + * audit_tokent_to_au32() is the only method that should be used to parse + * an audit_token_t, since its internal representation may change over + * time. A pointer parameter may be NULL if that information is not + * needed. + * + * @param atoken - the audit token containing the desired information + * + * @param auidp - Pointer to a uid_t; on return will be set to the task or + * sender's audit user ID + * + * @param euidp - Pointer to a uid_t; on return will be set to the task or + * sender's effective user ID + * + * @param egidp - Pointer to a gid_t; on return will be set to the task or + * sender's effective group ID + * + * @param ruidp - Pointer to a uid_t; on return will be set to the task or + * sender's real user ID + * + * @param rgidp - Pointer to a gid_t; on return will be set to the task or + * sender's real group ID + * + * @param pidp - Pointer to a pid_t; on return will be set to the task or + * sender's process ID + * + * @param asidp - Pointer to an au_asid_t; on return will be set to the + * task or sender's audit session ID + * + * @param tidp - Pointer to an au_tid_t; on return will be set to the task + * or sender's terminal ID + * + * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. + */ +void audit_token_to_au32( + audit_token_t atoken, + uid_t *auidp, + uid_t *euidp, + gid_t *egidp, + uid_t *ruidp, + gid_t *rgidp, + pid_t *pidp, + au_asid_t *asidp, + au_tid_t *tidp); +#endif /* !__APPLE__ */ + +__END_DECLS + +#endif /* !_LIBBSM_H_ */ |