1 /*
2 * CDDL HEADER START
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
19 * CDDL HEADER END
22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
#ifndef _BSM_AUDIT_KERNEL_H
#define	_BSM_AUDIT_KERNEL_H

/*
 * This file contains the basic auditing control structure definitions.
 *
 * Everything here is kernel-side state: the per-process, per-thread,
 * per-file and per-zone audit records, the audit buffer/queue types, the
 * syscall-to-event table entry, and the macros the audit code uses to
 * reach them.
 */
33 #include <c2/audit_kevents.h>
34 #include <sys/priv_impl.h>
35 #include <sys/taskq.h>
36 #include <sys/zone.h>
#ifdef __cplusplus
extern "C" {		/* C linkage for C++ consumers; closed near the end of the file */
#endif
43 * This table contains the mapping from the system call ID to a corresponding
44 * audit event.
46 * au_init() is a function called at the beginning of the system call that
47 * performs any necessary setup/processing. It maps the call into the
48 * appropriate event, depending on the system call arguments. It is called
49 * by audit_start() from trap.c .
51 * au_event is the audit event associated with the system call. Most of the
52 * time it will map directly from the system call i.e. There is one system
53 * call associated with the event. In some cases, such as shmsys, or open,
54 * the au_start() function will map the system call to more than one event,
55 * depending on the system call arguments.
57 * au_start() is a function that provides per system call processing at the
58 * beginning of a system call. It is mainly concerned with preserving the
59 * audit record components that may be altered so that we can determine
60 * what the original parameter was before as well as after the system call.
61 * It is possible that au_start() may be taken away. It might be cleaner to
62 * define flags in au_ctrl to save a designated argument. For the moment we
63 * support both mechanisms, however the use of au_start() will be reviewed
64 * for 4.1.1 and CMW and ZEUS to see if such a general method is justified.
66 * au_finish() is a function that provides per system call processing at the
67 * completion of a system call. In certain circumstances, the type of audit
68 * event depends on intermediate results during the processing of the system
69 * call. It is called in audit_finish() from trap.c .
71 * au_ctrl is a control vector that indicates what processing might have to
72 * be performed, even if there is no auditing for this system call. At
73 * present this is mostly for path processing for chmod, chroot. We need to
74 * process the path information in vfs_lookup, even when we are not auditing
75 * the system call in the case of chdir and chroot.
/*
 * Defines for au_ctrl (the per-system-call control vector in struct
 * audit_s2e, below).  Each S2E_* name aliases one of the TAD_* thread
 * control flags defined later in this file, presumably so the value can
 * be merged into t_audit_data.tad_ctrl without translation -- verify in
 * audit_start().
 */
#define	S2E_SP		TAD_SAVPATH	/* save path for later use */
#define	S2E_MLD		TAD_MLD		/* only one lookup per system call */
#define	S2E_NPT		TAD_NOPATH	/* force no path in audit record */
#define	S2E_PUB		TAD_PUBLIC_EV	/* syscall is defined as a public op */
86 * At present, we are using the audit classes embedded within the kernel. Each
87 * event has a bit mask determining which classes the event is associated with.
88 * The table audit_e2s maps the audit event ID to the audit state.
90 * Note that this may change radically. If we use a bit vector for the audit
91 * class, we can allow granularity at the event ID for each user. In this
92 * case, the vector would be determined at user level and passed to the kernel
93 * via the setaudit system call.
/*
 * The audit_path structure holds paths for the current root and directory
 * for the process, as well as for open files and directly manipulated objects.
 * The reference count minimizes data copies since the process's current
 * directory changes very seldom.
 *
 * References are taken/dropped with au_pathhold()/au_pathrele() (declared
 * below).  audp_sect[1] is the pre-C99 "trailing array" idiom: the object
 * is really audp_size bytes long and presumably holds audp_cnt section
 * pointers -- never sizeof(struct audit_path).
 */
struct audit_path {
	uint_t		audp_ref;	/* reference count */
	uint_t		audp_size;	/* allocated size of this structure */
	uint_t		audp_cnt;	/* number of path sections */
	char		*audp_sect[1];	/* path section pointers */
					/* audp_sect[0] is the path name */
					/* audp_sect[1+] are attribute paths */
};
/*
 * The structure of the terminal ID within the kernel is different from the
 * terminal ID in user space. It is a combination of port and IP address.
 *
 * at_addr is 4 x 32 bits, i.e. large enough for an IPv6 address; at_type
 * presumably records which address family is in use -- confirm against
 * the user-space terminal ID definition.
 */
struct au_termid {
	dev_t	at_port;
	uint_t	at_type;
	uint_t	at_addr[4];
};
typedef struct au_termid au_termid_t;
/*
 * Attributes for deferring the queuing of an event.
 *
 * Records are chained through audi_next on t_audit_data.tad_defer_head /
 * tad_defer_tail (see below) and, per that structure's comments, held
 * until the system call ends.
 */
typedef struct au_defer_info {
	struct au_defer_info	*audi_next;	/* next on linked list */
	void			*audi_ad;	/* audit record */
	au_event_t		audi_e_type;	/* audit event id */
	au_emod_t		audi_e_mod;	/* audit event modifier */
	int			audi_flag;	/* au_close*() flags */
	timestruc_t		audi_atime;	/* audit event timestamp */
} au_defer_info_t;
/*
 * The structure p_audit_data hangs off of the process structure. It contains
 * all of the audit information necessary to manage the audit record generation
 * for each process.
 *
 * The pad_lock is constructed in the kmem_cache; the rest is combined
 * in a sub structure so it can be copied/zeroed in one statement.
 *
 * The members have been reordered for maximum packing on 64 bit Solaris.
 * (Do not reorder them again without checking every consumer.)
 */
struct p_audit_data {
	kmutex_t	pad_lock;	/* lock pad data during changes */
	struct _pad_data {
		struct audit_path	*pad_root;	/* process root path */
		struct audit_path	*pad_cwd;	/* process cwd path */
		au_mask_t		pad_newmask;	/* pending new mask */
		int			pad_flags;	/* PAD_* flags */
	} pad_data;
};
typedef struct p_audit_data p_audit_data_t;

/*
 * Shorthands so callers can write pad->pad_root instead of
 * pad->pad_data.pad_root.  Being plain #defines, they rewrite these
 * tokens everywhere after this header is included, not only after a
 * p_audit_data pointer.
 */
#define	pad_root	pad_data.pad_root
#define	pad_cwd		pad_data.pad_cwd
#define	pad_newmask	pad_data.pad_newmask
#define	pad_flags	pad_data.pad_flags

/*
 * Defines for process audit flags (pad_flags)
 */
#define	PAD_SETMASK	0x00000001	/* need to complete pending setmask */

/* cache the p_audit_data structures come from (pad_lock is set up there) */
extern kmem_cache_t *au_pad_cache;
/*
 * Defines for thread audit control/status flags (tad_ctrl)
 *
 * Several of these are also exposed under S2E_* names above so that a
 * system call's au_ctrl vector can be expressed in the same bits.
 */
#define	TAD_ABSPATH	0x00000001	/* path from lookup is absolute */
#define	TAD_ATCALL	0x00000002	/* *at() syscall, like openat() */
#define	TAD_ATTPATH	0x00000004	/* attribute file lookup */
#define	TAD_CORE	0x00000008	/* save attribute during core dump */
#define	TAD_ERRJMP	0x00000010	/* abort record generation on error */
#define	TAD_MLD		0x00000020	/* system call involves MLD */
#define	TAD_NOATTRB	0x00000040	/* do not automatically add attribute */
#define	TAD_NOAUDIT	0x00000080	/* discard audit record */
#define	TAD_NOPATH	0x00000100	/* force no paths in audit record */
#define	TAD_PATHFND	0x00000200	/* found path, don't retry lookup */
#define	TAD_PUBLIC_EV	0x00000400	/* syscall is defined as a public op */
#define	TAD_SAVPATH	0x00000800	/* save path for further processing */
#define	TAD_TRUE_CREATE	0x00001000	/* true create, file not found */
/*
 * The structure t_audit_data hangs off of the thread structure. It contains
 * all of the audit information necessary to manage the audit record generation
 * for each thread.
 *
 * tad_ctrl takes the TAD_* flags above.  tad_flag and tad_audit both
 * express "audit or not"; the split between them is not documented here
 * (tad_flag is presumably the per-call preselection result and tad_audit
 * the wider on/off switch -- confirm in audit_start()/audit_finish()).
 */
struct t_audit_data {
	kthread_id_t	tad_thread;	/* DEBUG pointer to parent thread */
	unsigned int	tad_scid;	/* system call ID for finish */
	au_event_t	tad_event;	/* event for audit record */
	au_emod_t	tad_evmod;	/* event modifier for audit record */
	int		tad_ctrl;	/* audit control/status flags (TAD_*) */
	void		*tad_errjmp;	/* error longjmp (audit record aborted) */
	int		tad_flag;	/* to audit or not to audit */
	uint32_t	tad_audit;	/* auditing enabled/disabled */
	struct audit_path	*tad_aupath;	/* captured at vfs_lookup */
	struct audit_path	*tad_atpath;	/* openat prefix, path of fd */
	caddr_t		tad_ad;		/* base of accumulated audit data */
	au_defer_info_t	*tad_defer_head;	/* queue of records to defer */
						/* until syscall end: */
	au_defer_info_t	*tad_defer_tail;	/* tail of defer queue */
	priv_set_t	tad_sprivs;	/* saved (success) used privs */
	priv_set_t	tad_fprivs;	/* saved (failed) used privs */
};
typedef struct t_audit_data t_audit_data_t;
/*
 * The f_audit_data structure hangs off of the file structure. It contains
 * three fields of data. The audit ID, the audit state, and a path name.
 * (That description is older than the struct: the fields actually present
 * are a DEBUG creating-thread pointer, the FAD_* control flags and the
 * path captured at vfs_lookup.)
 */
struct f_audit_data {
	kthread_id_t	fad_thread;	/* DEBUG creating thread */
	int		fad_flags;	/* audit control flags (FAD_*) */
	struct audit_path	*fad_aupath;	/* path from vfs_lookup */
};
typedef struct f_audit_data f_audit_data_t;

#define	FAD_READ	0x0001		/* read system call seen */
#define	FAD_WRITE	0x0002		/* write system call seen */
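/*
 * Accessors from a proc/thread/file pointer to its audit data.  The
 * arguments are parenthesized so that an expression argument such as
 * P2A(cond ? a : b) expands correctly.
 *
 * NOTE: U2A() ignores its argument and always reads curthread, so u_ad,
 * ad_ctrl and ad_flag refer to the *current* thread's t_audit_data
 * whatever 'u' appears to name.
 */
#define	P2A(p)	((p)->p_audit_data)
#define	T2A(t)	((t)->t_audit_data)
#define	U2A(u)	(curthread->t_audit_data)
#define	F2A(f)	((f)->f_audit_data)

#define	u_ad	((U2A(u))->tad_ad)
#define	ad_ctrl	((U2A(u))->tad_ctrl)
#define	ad_flag	((U2A(u))->tad_flag)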
#define	AU_BUFSIZE	128	/* buffer size for the buffer pool */

/*
 * One buffer from the audit buffer pool (au_get_buff()/au_free_buff(),
 * declared below).  Buffers chain through next_buf; next_rec presumably
 * links whole records rather than buffers -- verify in the queue code.
 * 'len' is a uchar_t: if it counts bytes used in buf, as the name
 * suggests, AU_BUFSIZE must stay <= 255 for it to be representable.
 */
struct au_buff {
	char		buf[AU_BUFSIZE];
	struct au_buff	*next_buf;
	struct au_buff	*next_rec;
	ushort_t	rec_len;
	uchar_t		len;
	uchar_t		flag;
};

typedef struct au_buff au_buff_t;
/*
 * Kernel audit queue structure.
 *
 * Per the field comments, a writer blocks once the queue reaches hiwater
 * and is restarted at lowater (write_cv), and the reader sleeps on read_cv;
 * the fields are presumably all guarded by 'lock' -- confirm in the queue
 * code.  Note that cnt is ssize_t while hiwater/lowater are size_t: a
 * direct comparison promotes cnt to unsigned, so a negative cnt would
 * compare as a very large value.  Worth a check at the comparison sites.
 */
struct audit_queue {
	au_buff_t	*head;		/* head of queue */
	au_buff_t	*tail;		/* tail of queue */
	ssize_t		cnt;		/* number elements on queue */
	size_t		hiwater;	/* high water mark to block */
	size_t		lowater;	/* low water mark to restart */
	size_t		bufsz;		/* audit trail write buffer size */
	size_t		buflen;		/* audit trail buffer length in use */
	clock_t		delay;		/* delay before flushing queue */
	int		wt_block;	/* writer is blocked (1) */
	int		rd_block;	/* reader is blocked (1) */
	kmutex_t	lock;		/* mutex lock for queue modification */
	kcondvar_t	write_cv;	/* sleep structure for write block */
	kcondvar_t	read_cv;	/* sleep structure for read block */
};
union rval;	/* forward declaration; presumably the system call return value */

/*
 * One entry of the system-call-to-audit-event table.  See the long comment
 * at the top of this file for the role of each member.  The table itself,
 * audit_s2e[] (extern below), is presumably indexed by system call ID
 * (cf. tad_scid in t_audit_data).
 */
struct audit_s2e {
	au_event_t	(*au_init)(au_event_t);
			/* convert au_event to real audit event ID */

	int		au_event;	/* default audit event for this system call */
	void		(*au_start)(struct t_audit_data *);
			/* pre-system call audit processing */
	void		(*au_finish)(struct t_audit_data *, int, union rval *);
			/* post-system call audit processing */
	int		au_ctrl;	/* control flags for auditing actions (S2E_*) */
};

extern struct audit_s2e audit_s2e[];
#define	AUK_VALID	0x5A5A5A5A	/* auk_valid: context is initialised */
#define	AUK_INVALID	0		/* auk_valid: context is not usable */

/*
 * per zone audit context
 *
 * auk_valid presumably holds AUK_VALID while the context is live; the
 * distinctive bit pattern makes a zeroed or stale context easy to tell
 * apart.  Whether every consumer checks it before use is not visible
 * here -- verify.  auk_policy is tested for AUDIT_GROUP by
 * AUDIT_SETSUBJ_GENERIC() below; auk_ets holds the audit state for each
 * kernel event (MAX_KEVENTS comes from <c2/audit_kevents.h>).
 */
struct au_kcontext {
	uint32_t	auk_valid;
	zoneid_t	auk_zid;

	boolean_t	auk_hostaddr_valid;
	int		auk_sequence;
	int		auk_auditstate;
	int		auk_output_active;
	struct vnode	*auk_current_vp;
	uint32_t	auk_policy;

	struct audit_queue	auk_queue;

	au_dbuf_t	*auk_dbuffer;		/* auditdoor output */

	au_stat_t	auk_statistics;

	k_auditinfo_addr_t	auk_info;
	kmutex_t	auk_eagain_mutex;	/* door call retry */
	kcondvar_t	auk_eagain_cv;

	taskq_t		*auk_taskq;		/* output thread */

	/* Only one audit svc per zone at a time */
	/* With the elimination of auditsvc, can this also go? see 6648414 */
	kmutex_t	auk_svc_lock;

	au_state_t	auk_ets[MAX_KEVENTS + 1];
};

#ifndef AUK_CONTEXT_T
#define	AUK_CONTEXT_T
typedef struct au_kcontext au_kcontext_t;
#endif

/* zone-specific-data key under which the per-zone au_kcontext is kept */
extern zone_key_t au_zone_key;
/*
 * Kernel auditing external variables
 *
 * A global audit_policy exists alongside the per-zone auk_policy above;
 * which one a given code path consults is not visible here.  pad0/tad0
 * are presumably the audit data of the initial process/thread -- verify.
 */
extern uint32_t audit_policy;
extern int audit_active;

extern struct audit_queue au_queue;
extern struct p_audit_data *pad0;
extern struct t_audit_data *tad0;
/*
 * audit_path support routines
 *
 * au_pathhold()/au_pathrele() presumably take/drop audp_ref; au_pathdup()
 * returns a copy the caller owns (its two int arguments are not documented
 * here -- see the definition).  au_pad_init() is declared beside the
 * p_audit_data machinery and presumably sets up au_pad_cache.
 */
void au_pathhold(struct audit_path *);
void au_pathrele(struct audit_path *);
struct audit_path *au_pathdup(const struct audit_path *, int, int);

void au_pad_init(void);
/*
 * Handlers for the audit system calls.  The caddr_t arguments are
 * presumably user-space addresses and so must be copied in/out rather
 * than dereferenced, and the plain-int 'length' on auditctl(),
 * getaudit_addr() and setaudit_addr() must be range-checked by the
 * callee -- neither is visible here; confirm in the implementations.
 */
int auditctl(int cmd, caddr_t data, int length);
int auditdoor(int fd);
int getauid(caddr_t);
int setauid(caddr_t);
int getaudit(caddr_t);
int getaudit_addr(caddr_t, int);
int setaudit(caddr_t);
int setaudit_addr(caddr_t, int);
/*
 * Macros to hide asynchronous, non-blocking audit record start and finish
 * processing.
 *
 * NOTE: must be used in (void) function () { ... }
 *
 * AUDIT_ASYNC_START() declares a label_t in the caller's frame and hands
 * its address to audit_async_start(); the setjmp() branch is presumably
 * the landing site when record generation is aborted later (cf.
 * tad_errjmp / TAD_ERRJMP above), which is why the macro contains bare
 * 'return' statements and only works in a void function.  The jump buffer
 * lives on the caller's stack, so nothing may longjmp to it once the
 * caller has returned -- whether AUDIT_ASYNC_FINISH() clears it is not
 * visible here; verify.
 */
#define	AUDIT_ASYNC_START(rp, audit_event, sorf) \
{ \
	label_t jb; \
	if (setjmp(&jb)) { \
		/* cleanup any residual audit data */ \
		audit_async_drop((caddr_t *)&(rp), 0); \
		return; \
	} \
	/* auditing enabled and we're preselected for this event? */ \
	if (audit_async_start(&jb, audit_event, sorf)) { \
		return; \
	} \
}

#define	AUDIT_ASYNC_FINISH(rp, audit_event, event_modifier, event_time) \
	audit_async_finish((caddr_t *)&(rp), audit_event, event_modifier, \
	    event_time);
#ifdef _KERNEL
/*
 * Audit buffer pool.  Note that au_free_buff() is declared to return an
 * au_buff_t * rather than void; what it returns is not visible here --
 * check the definition before relying on it.
 */
au_buff_t *au_get_buff(void), *au_free_buff(au_buff_t *);
#endif
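/*
 * Macro for uniform "subject" token(s) generation
 *
 * Writes a subject token for credential 'c' to record 'u', taking the
 * audit id, session id and terminal id from auditinfo 'a' and the process
 * id from 'p'; when the zone's audit policy ((k)->auk_policy) has
 * AUDIT_GROUP set, a groups token follows.  The body is two statements,
 * so it is wrapped in do { } while (0): without the wrapper an unbraced
 * 'if (cond) AUDIT_SETSUBJ(...);' would make only the first au_write()
 * conditional.  The macro must still be followed by ';'.
 */
#define	AUDIT_SETSUBJ_GENERIC(u, c, a, k, p) \
	do { \
		(au_write((u), au_to_subject(crgetuid(c), \
		    crgetgid(c), crgetruid(c), crgetrgid(c), \
		    (p), (a)->ai_auid, (a)->ai_asid, \
		    &((a)->ai_termid)))); \
		(((k)->auk_policy & AUDIT_GROUP) ? au_write((u), \
		    au_to_groups(crgetgroups(c), \
		    crgetngroups(c))) : (void) 0); \
	} while (0)

#define	AUDIT_SETSUBJ(u, c, a, k) \
	AUDIT_SETSUBJ_GENERIC(u, c, a, k, curproc->p_pid)

/*
 * Same for a "process" token (au_to_process()).  This one is a single
 * statement and keeps its trailing ';' for compatibility with existing
 * callers; 'AUDIT_SETPROC(u, c, a);' therefore yields an extra empty
 * statement, which is harmless.
 */
#define	AUDIT_SETPROC_GENERIC(u, c, a, p) \
	(au_write((u), au_to_process(crgetuid(c), \
	    crgetgid(c), crgetruid(c), crgetrgid(c), \
	    (p), (a)->ai_auid, (a)->ai_asid, \
	    &((a)->ai_termid))));

#define	AUDIT_SETPROC(u, c, a) \
	AUDIT_SETPROC_GENERIC(u, c, a, curproc->p_pid)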
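/*
 * Macros for type conversion
 */

/*
 * au_membuf head, to typed data: the payload of an au_buff viewed as type t.
 * ('au_membuf' is the older name; the struct in this file is au_buff.)
 * The argument is parenthesized so that an expression such as
 * memtod(p + 1, char *) binds as intended.
 */
#define	memtod(x, t)	((t)(x)->buf)

/* au_membuf types */
#define	MT_FREE		0	/* should be on free list */
#define	MT_DATA		1	/* dynamic (data) allocation */

/* flags to au_memget */
#define	DONTWAIT	0
#define	WAIT		1

#define	AU_PACK		1	/* pack data in au_append_rec() */
#define	AU_LINK		0	/* link data in au_append_rec() */

/* flags to async routines */
#define	AU_BACKEND	1	/* called from softcall backend */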
#ifdef __cplusplus
}		/* end of extern "C" opened at the top of the file */
#endif

#endif /* _BSM_AUDIT_KERNEL_H */