/*-
|
2009-02-08 14:39:35 +00:00
|
|
|
* Copyright (c) 1999-2009 Apple Inc.
|
2006-02-01 20:01:18 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
2008-07-22 15:29:48 +00:00
|
|
|
* 3. Neither the name of Apple Inc. ("Apple") nor the names of
|
2006-02-01 20:01:18 +00:00
|
|
|
* its contributors may be used to endorse or promote products derived
|
|
|
|
* from this software without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
|
|
|
|
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
|
|
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
*
|
|
|
|
* $FreeBSD$
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This include file contains function prototypes and type definitions used
|
|
|
|
* within the audit implementation.
|
|
|
|
*/
#ifndef _SECURITY_AUDIT_PRIVATE_H_
#define _SECURITY_AUDIT_PRIVATE_H_
/*
 * This header describes kernel-internal layouts and entry points of the
 * audit implementation.  Refuse a non-kernel build outright rather than let
 * user code compile against structures it has no business seeing.
 */
#ifndef _KERNEL
#error "no user-serviceable parts inside"
#endif
#include <sys/ipc.h>
#include <sys/socket.h>
#include <sys/ucred.h>
/*
 * Kernel malloc(9) types used by the audit implementation.  They are only
 * declared when MALLOC_DECLARE is available, i.e. when the including
 * translation unit has already pulled in <sys/malloc.h>; the matching
 * definitions are presumably in the audit .c files (not visible here).
 */
#ifdef MALLOC_DECLARE
MALLOC_DECLARE(M_AUDITBSM);	/* BSM-format records. */
MALLOC_DECLARE(M_AUDITDATA);	/* Generic audit data. */
MALLOC_DECLARE(M_AUDITPATH);	/* Path strings captured for records. */
MALLOC_DECLARE(M_AUDITTEXT);	/* Free-form text captured for records. */
MALLOC_DECLARE(M_AUDITGIDSET);	/* Group sets (see struct groupset below). */
#endif
/*
 * Audit control variables that are usually set/read via system calls and
 * used to control various aspects of auditing.  They are defined elsewhere
 * (presumably audit.c); this header only makes them visible to the other
 * audit translation units.
 */
extern struct au_qctrl	audit_qctrl;		/* Queue control parameters. */
extern struct audit_fstat audit_fstat;		/* Trail file statistics/limits. */
extern struct au_mask	audit_nae_mask;		/* Mask for non-attributable events (naflags). */
extern int		audit_panic_on_write_fail;
extern int		audit_fail_stop;
/*
 * Whether execve(2) argv/envv are captured into records; see ar_arg_argv and
 * ar_arg_envv below.  NOTE(review): exact semantics to be confirmed in audit.c.
 */
extern int		audit_argv;
extern int		audit_arge;
/*
 * Success/failure conditions for the conversion of a kernel audit record to
 * BSM format (presumably the values returned by kaudit_to_bsm(), declared
 * below).
 */
#define	BSM_SUCCESS	0	/* Record converted. */
#define	BSM_FAILURE	1	/* Conversion failed. */
#define	BSM_NOAUDIT	2	/* Nothing to emit for this record. */
/*
 * Defines for the kernel audit record k_ar_commit field.  Flags are set to
 * indicate what sort of record it is, and which preselection mechanism
 * selected it.  The AR_COMMIT_* (record origin) and AR_PRESELECT_* (who
 * wants it) bits occupy disjoint ranges of the same u_int32_t so they can be
 * ORed into one field.
 */
#define	AR_COMMIT_KERNEL	0x00000001U	/* Kernel-generated record. */
#define	AR_COMMIT_USER		0x00000010U	/* User-supplied record. */
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are
present). To implement this:
- Kernel audit records now carry a flag to indicate whether they have
been selected by the global trail or by the audit pipe subsystem,
set during record commit, so that this information is available
after BSM conversion when delivering the BSM to the trail and audit
pipes in the audit worker thread asynchronously. Preselection by
either record target will cause the record to be kept.
- Similar changes to preselection when the audit record is created
when the system call is entering: consult both the global trail and
pipes.
- au_preselect() now accepts the class in order to avoid repeatedly
looking up the mask for each preselection test.
- Define a series of ioctls that allow applications to specify whether
they want to track the global trail, or program their own
preselection parameters: they may specify their own flags and naflags
masks, similar to the global masks of the same name, as well as a set
of per-auid masks. They also set a per-pipe mode specifying whether
they track the global trail, or use their own -- the door is left
open for future additional modes. A new ioctl is defined to allow a
user process to flush the current audit pipe queue, which can be used
after reprogramming pre-selection to make sure that only records of
interest are received in future reads.
- Audit pipe data structures are extended to hold the additional fields
necessary to support preselection. By default, audit pipes track the
global trail, so "praudit /dev/auditpipe" will track the global audit
trail even though praudit doesn't program the audit pipe selection
model.
- Comment about the complexities of potentially adding partial read
support to audit pipes.
By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.
Obtained from: TrustedBSD Project
2006-06-05 14:48:17 +00:00
/*
 * Preselection bits of k_ar_commit: which consumer(s) selected the record.
 * The global trail and audit pipes preselect independently, and selection by
 * either is enough for the record to be kept; the *_USER_* variants carry
 * the same information for user-supplied records.
 */
#define	AR_PRESELECT_TRAIL	0x00001000U	/* Selected by the global trail. */
#define	AR_PRESELECT_PIPE	0x00002000U	/* Selected by an audit pipe. */
#define	AR_PRESELECT_USER_TRAIL	0x00004000U	/* User record selected by the trail. */
#define	AR_PRESELECT_USER_PIPE	0x00008000U	/* User record selected by a pipe. */
/*
 * Audit data is generated as a stream of struct audit_record structures,
 * linked by struct kaudit_record, and contain storage for possible audit so
 * that it will not need to be allocated during the processing of a system
 * call, both improving efficiency and avoiding sleeping at untimely moments.
 * This structure is converted to BSM format before being written to disk.
 */

/*
 * Attributes of a vnode captured for an audit record (ar_arg_vnode1 and
 * ar_arg_vnode2 below).  Only scalar copies are kept -- no pointer back to
 * the vnode -- so the record stays valid after the system call returns.
 */
struct vnode_au_info {
	mode_t		vn_mode;	/* File type and permission bits. */
	uid_t		vn_uid;		/* Owner. */
	gid_t		vn_gid;		/* Group. */
	dev_t		vn_dev;		/* Device. */
	long		vn_fsid;	/* File system id. */
	long		vn_fileid;	/* File id. */
	long		vn_gen;		/* Generation number. */
};
/*
 * Group-set argument captured for an audit record (ar_arg_groups, flagged
 * by ARG_GROUPSET).  gidset points at gidset_size entries; the storage is
 * presumably allocated with the M_AUDITGIDSET malloc type declared above.
 */
struct groupset {
	gid_t		*gidset;	/* Array of gidset_size gid_t values. */
	u_int		gidset_size;	/* Number of entries in gidset. */
};
/*
 * Socket attributes captured for an audit record (ar_arg_sockinfo, flagged
 * by ARG_SOCKINFO).  The address and port members are only meaningful for
 * INET sockets; check so_domain before interpreting them.
 */
struct socket_au_info {
	int		so_domain;	/* Protocol family / domain. */
	int		so_type;	/* SOCK_STREAM, SOCK_DGRAM, ... */
	int		so_protocol;	/* Protocol within the domain. */
	in_addr_t	so_raddr;	/* Remote address if INET socket. */
	in_addr_t	so_laddr;	/* Local address if INET socket. */
	u_short		so_rport;	/* Remote port. */
	u_short		so_lport;	/* Local port. */
};
/*
 * The following is used for A_OLDSETQCTRL and AU_OLDGETQCTRL and a 64-bit
 * userland.  Every member is a fixed 64-bit quantity so the layout matches
 * what a 64-bit process passes through auditon(2) for those commands,
 * independent of the kernel's native au_qctrl.
 */
struct au_qctrl64 {
	u_int64_t	aq64_hiwater;	/* Queue high-water mark. */
	u_int64_t	aq64_lowater;	/* Queue low-water mark. */
	u_int64_t	aq64_bufsz;	/* Buffer size. */
	u_int64_t	aq64_delay;	/* Delay. */
	u_int64_t	aq64_minfree;	/* Minimum free space (units as in au_qctrl -- confirm). */
};
typedef struct au_qctrl64 au_qctrl64_t;
/*
 * Argument data for auditon(2), captured as ar_arg_auditon (ARG_AUDITON).
 * As with any union only one member is meaningful at a time; which one is
 * presumably determined by the auditon command (ar_arg_cmd).  The *64 and
 * *_addr members exist for the wider userland ABIs (see au_qctrl64 above).
 */
union auditon_udata {
	char			*au_path;
	int			au_cond;
	int			au_flags;
	int			au_policy;
	int			au_trigger;
	int64_t			au_cond64;	/* 64-bit userland form of au_cond. */
	int64_t			au_policy64;	/* 64-bit userland form of au_policy. */
	au_evclass_map_t	au_evclass;
	au_mask_t		au_mask;
	auditinfo_t		au_auinfo;
	auditpinfo_t		au_aupinfo;
	auditpinfo_addr_t	au_aupinfo_addr;
	au_qctrl_t		au_qctrl;
	au_qctrl64_t		au_qctrl64;	/* Old 64-bit queue-control ABI. */
	au_stat_t		au_stat;
	au_fstat_t		au_fstat;
	auditinfo_addr_t	au_kau_info;
};
/*
 * Ownership and mode of a POSIX IPC object, captured as ar_arg_pipc_perm
 * (flagged by ARG_POSIX_IPC_PERM).
 */
struct posix_ipc_perm {
	uid_t		pipc_uid;	/* Owner. */
	gid_t		pipc_gid;	/* Group. */
	mode_t		pipc_mode;	/* Permission bits. */
};
/*
 * Contents of one kernel audit record.  The ar_arg_* members hold data only
 * when the matching ARG_* bit is set in ar_valid_arg (see ARG_IS_VALID()
 * below); a member whose bit is clear is undefined and must not be emitted.
 * The char * members (paths, text, argv/envv) are separately allocated --
 * presumably with the M_AUDITPATH/M_AUDITTEXT types above; ownership and
 * release are handled outside this header.
 */
struct audit_record {
	/* Audit record header. */
	u_int32_t		ar_magic;
	int			ar_event;
	int			ar_retval;		/* value returned to the process */
	int			ar_errno;		/* return status of system call */
	struct timespec		ar_starttime;
	struct timespec		ar_endtime;
	u_int64_t		ar_valid_arg;		/* Bitmask of valid arguments */

	/* Audit subject information. */
	struct xucred		ar_subj_cred;
	uid_t			ar_subj_ruid;
	gid_t			ar_subj_rgid;
	gid_t			ar_subj_egid;
	uid_t			ar_subj_auid;		/* Audit user ID */
	pid_t			ar_subj_asid;		/* Audit session ID */
	pid_t			ar_subj_pid;
	struct au_tid		ar_subj_term;
	struct au_tid_addr	ar_subj_term_addr;
	struct au_mask		ar_subj_amask;

	/* Operation arguments. */
	uid_t			ar_arg_euid;
	uid_t			ar_arg_ruid;
	uid_t			ar_arg_suid;
	gid_t			ar_arg_egid;
	gid_t			ar_arg_rgid;
	gid_t			ar_arg_sgid;
	pid_t			ar_arg_pid;
	pid_t			ar_arg_asid;
	struct au_tid		ar_arg_termid;
	struct au_tid_addr	ar_arg_termid_addr;	/* Valid iff ARG_TERMID_ADDR. */
	uid_t			ar_arg_uid;
	uid_t			ar_arg_auid;
	gid_t			ar_arg_gid;
	struct groupset		ar_arg_groups;		/* Valid iff ARG_GROUPSET. */
	int			ar_arg_fd;
	int			ar_arg_atfd1;		/* Directory fd for *at(2) calls. */
	int			ar_arg_atfd2;
	int			ar_arg_fflags;
	mode_t			ar_arg_mode;
	int			ar_arg_dev;
	long			ar_arg_value;
	void			*ar_arg_addr;
	int			ar_arg_len;
	int			ar_arg_mask;
	u_int			ar_arg_signum;
	char			ar_arg_login[MAXLOGNAME];
	int			ar_arg_ctlname[CTL_MAXNAME];
	struct socket_au_info	ar_arg_sockinfo;
	char			*ar_arg_upath1;		/* Separately allocated. */
	char			*ar_arg_upath2;		/* Separately allocated. */
	char			*ar_arg_text;		/* Separately allocated. */
	struct au_mask		ar_arg_amask;
	struct vnode_au_info	ar_arg_vnode1;
	struct vnode_au_info	ar_arg_vnode2;
	int			ar_arg_cmd;
	int			ar_arg_svipc_cmd;
	struct ipc_perm		ar_arg_svipc_perm;
	int			ar_arg_svipc_id;
	void			*ar_arg_svipc_addr;
	struct posix_ipc_perm	ar_arg_pipc_perm;
	union auditon_udata	ar_arg_auditon;
	char			*ar_arg_argv;		/* Flattened argv; ar_arg_argc entries. */
	int			ar_arg_argc;
	char			*ar_arg_envv;		/* Flattened envv; ar_arg_envc entries. */
	int			ar_arg_envc;
	int			ar_arg_exitstatus;
	int			ar_arg_exitretval;
	struct sockaddr_storage	ar_arg_sockaddr;	/* Valid iff one of ARG_SADDR*. */
	cap_rights_t		ar_arg_rights;		/* Capsicum rights (ARG_RIGHTS). */
	uint32_t		ar_arg_fcntl_rights;	/* fcntl rights (ARG_FCNTL_RIGHTS). */
	char			ar_jailname[MAXHOSTNAMELEN];
};
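/*
 * Arguments in the audit record are initially not defined; flags are set to
 * indicate if they are present so they can be included in the audit log
 * stream only if defined.
 *
 * Each ARG_* value is one distinct bit of the 64-bit ar_valid_arg mask and
 * is tested with ARG_IS_VALID() below.  Two flags must never share a bit:
 * a shared bit makes one argument look valid whenever the other was set, so
 * stale or never-initialised ar_arg_* contents would be turned into BSM
 * tokens.  These values are kernel-internal (this header refuses non-kernel
 * builds), so renumbering a bit is not an ABI change.
 */

/* Credentials and identifiers. */
#define	ARG_EUID		0x0000000000000001ULL
#define	ARG_RUID		0x0000000000000002ULL
#define	ARG_SUID		0x0000000000000004ULL
#define	ARG_EGID		0x0000000000000008ULL
#define	ARG_RGID		0x0000000000000010ULL
#define	ARG_SGID		0x0000000000000020ULL
#define	ARG_PID			0x0000000000000040ULL
#define	ARG_UID			0x0000000000000080ULL
#define	ARG_AUID		0x0000000000000100ULL
#define	ARG_GID			0x0000000000000200ULL

/* Descriptors, modes and miscellaneous scalar arguments. */
#define	ARG_FD			0x0000000000000400ULL
#define	ARG_POSIX_IPC_PERM	0x0000000000000800ULL
#define	ARG_FFLAGS		0x0000000000001000ULL
#define	ARG_MODE		0x0000000000002000ULL
#define	ARG_DEV			0x0000000000004000ULL
#define	ARG_ADDR		0x0000000000008000ULL
#define	ARG_LEN			0x0000000000010000ULL
#define	ARG_MASK		0x0000000000020000ULL
#define	ARG_SIGNUM		0x0000000000040000ULL
#define	ARG_LOGIN		0x0000000000080000ULL

/* Socket addresses (ar_arg_sockaddr) and terminal address. */
#define	ARG_SADDRINET		0x0000000000100000ULL
#define	ARG_SADDRINET6		0x0000000000200000ULL
#define	ARG_SADDRUNIX		0x0000000000400000ULL
/*
 * ARG_TERMID_ADDR previously reused the ARG_SADDRUNIX bit (0x400000), so a
 * record carrying a Unix-domain sockaddr tested valid for a terminal address
 * and vice versa.  Bit 0x800000 was unassigned; use it.
 */
#define	ARG_TERMID_ADDR		0x0000000000800000ULL
#define	ARG_UNUSED2		0x0000000001000000ULL

/* Paths, text and vnode attributes. */
#define	ARG_UPATH1		0x0000000002000000ULL
#define	ARG_UPATH2		0x0000000004000000ULL
#define	ARG_TEXT		0x0000000008000000ULL
#define	ARG_VNODE1		0x0000000010000000ULL
#define	ARG_VNODE2		0x0000000020000000ULL

/* System V IPC. */
#define	ARG_SVIPC_CMD		0x0000000040000000ULL
#define	ARG_SVIPC_PERM		0x0000000080000000ULL
#define	ARG_SVIPC_ID		0x0000000100000000ULL
#define	ARG_SVIPC_ADDR		0x0000000200000000ULL

/* Remaining structured arguments. */
#define	ARG_GROUPSET		0x0000000400000000ULL
#define	ARG_CMD			0x0000000800000000ULL
#define	ARG_SOCKINFO		0x0000001000000000ULL
#define	ARG_ASID		0x0000002000000000ULL
#define	ARG_TERMID		0x0000004000000000ULL
#define	ARG_AUDITON		0x0000008000000000ULL
#define	ARG_VALUE		0x0000010000000000ULL
#define	ARG_AMASK		0x0000020000000000ULL
#define	ARG_CTLNAME		0x0000040000000000ULL
#define	ARG_PROCESS		0x0000080000000000ULL
#define	ARG_MACHPORT1		0x0000100000000000ULL
#define	ARG_MACHPORT2		0x0000200000000000ULL
#define	ARG_EXIT		0x0000400000000000ULL
#define	ARG_IOVECSTR		0x0000800000000000ULL
#define	ARG_ARGV		0x0001000000000000ULL
#define	ARG_ENVV		0x0002000000000000ULL
#define	ARG_ATFD1		0x0004000000000000ULL
#define	ARG_ATFD2		0x0008000000000000ULL
#define	ARG_RIGHTS		0x0010000000000000ULL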
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrieved with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrieve
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavily modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and even though I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convenient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
/*
 * fcntl(2) command rights captured in ar_arg_fcntl_rights (limited through
 * cap_fcntls_limit(2)); a single bit like the other ARG_* flags above.
 */
#define	ARG_FCNTL_RIGHTS	0x0020000000000000ULL

/* Convenience masks: no argument valid / every argument bit set. */
#define	ARG_NONE		0x0000000000000000ULL
#define	ARG_ALL			0xFFFFFFFFFFFFFFFFULL
/*
 * Accessors for the ar_valid_arg bitmask of a struct kaudit_record.  arg
 * may be several ARG_* bits ORed together: ARG_IS_VALID() is non-zero when
 * ANY of them is set, so a caller that needs all of them present must test
 * each bit separately.  kar is evaluated once; arg may be evaluated once.
 */
#define	ARG_IS_VALID(kar, arg)	((kar)->k_ar.ar_valid_arg & (arg))
/* Mark the argument(s) in arg as present. */
#define	ARG_SET_VALID(kar, arg) do {					\
	(kar)->k_ar.ar_valid_arg |= (arg);				\
} while (0)
/* Mark the argument(s) in arg as absent again. */
#define	ARG_CLEAR_VALID(kar, arg) do {					\
	(kar)->k_ar.ar_valid_arg &= ~(arg);				\
} while (0)
/*
 * In-kernel version of audit record; the basic record plus queue meta-data.
 * This record can also have a pointer set to some opaque data that will be
 * passed through to the audit writing mechanism.
 */
struct kaudit_record {
	struct audit_record	k_ar;		/* The record proper. */
	u_int32_t		k_ar_commit;	/* AR_COMMIT_* and AR_PRESELECT_* bits. */
	void			*k_udata;	/* User data. */
	u_int			k_ulen;		/* User data length. */
	struct uthread		*k_uthread;	/* Audited thread. */
	TAILQ_ENTRY(kaudit_record) k_q;		/* Linkage on a struct kaudit_queue. */
};
Merge Perforce changes 93512, 93514, 93515 from TrustedBSD audit3
branch:
Integrate audit.c to audit_worker.c, so as to migrate the worker
thread implementation to its own .c file.
Populate audit_worker.c using parts now removed from audit.c:
- Move audit rotation global variables.
- Move audit_record_write(), audit_worker_rotate(),
audit_worker_drain(), audit_worker(), audit_rotate_vnode().
- Create audit_worker_init() from relevant parts of audit_init(),
which now calls this routine.
- Recreate audit_free(), which wraps uma_zfree() so that
audit_record_zone can be static to audit.c.
- Unstaticize various types and variables relating to the audit
record queue so that audit_worker can get to them. We may want
to wrap these in accessor methods at some point.
- Move AUDIT_PRINTF() to audit_private.h.
Addition of audit_worker.c to kernel configuration, missed in
earlier submit.
Obtained from: TrustedBSD Project
2006-03-19 16:03:43 +00:00
/*
 * Queue of kaudit_records linked through k_q; audit_q below is the instance
 * that committed records presumably wait on for the worker thread.
 */
TAILQ_HEAD(kaudit_queue, kaudit_record);
/*
 * Functions to manage the allocation, release, and commit of kernel audit
 * records.
 */
/* Discard a record obtained from audit_new() without committing it. */
void	 audit_abort(struct kaudit_record *ar);
Merge Perforce changes 93512, 93514, 93515 from TrustedBSD audit3
branch:
Integrate audit.c to audit_worker.c, so as to migrate the worker
thread implementation to its own .c file.
Populate audit_worker.c using parts now removed from audit.c:
- Move audit rotation global variables.
- Move audit_record_write(), audit_worker_rotate(),
audit_worker_drain(), audit_worker(), audit_rotate_vnode().
- Create audit_worker_init() from relevant parts of audit_init(),
which now calls this routine.
- Recreate audit_free(), which wraps uma_zfree() so that
audit_record_zone can be static to audit.c.
- Unstaticize various types and variables relating to the audit
record queue so that audit_worker can get to them. We may want
to wrap these in accessor methods at some point.
- Move AUDIT_PRINTF() to audit_private.h.
Addition of audit_worker.c to kernel configuration, missed in
earlier submit.
Obtained from: TrustedBSD Project
2006-03-19 16:03:43 +00:00
/*
 * Finish a record obtained from audit_new().  error and retval are the
 * system call's outcome (presumably stored into ar_errno and ar_retval);
 * the record is then handed off for preselection and BSM conversion.
 */
void	 audit_commit(struct kaudit_record *ar, int error, int retval);
/* Allocate and initialise a record for event on behalf of thread td. */
struct kaudit_record	*audit_new(int event, struct thread *td);
/*
 * Functions relating to the conversion of internal kernel audit records to
 * the BSM file format.
 */
struct au_record;	/* BSM-format record; opaque in this header. */
/*
 * Convert kar to BSM, returning the new record through *pau.  Presumably
 * returns one of BSM_SUCCESS / BSM_FAILURE / BSM_NOAUDIT (defined above).
 */
int	 kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau);
/*
 * Sanity-check a BSM record buffer before it is accepted.  NOTE(review):
 * rec is presumably caller-supplied (e.g. via audit(2)); confirm the bounds
 * it enforces in audit_bsm.c.
 */
int	 bsm_rec_verify(void *rec);
/*
 * Kernel versions of the libbsm audit record functions.
 */
/* Release a BSM record produced by kaudit_to_bsm(). */
void	 kau_free(struct au_record *rec);
/* One-time initialisation of the kernel BSM machinery. */
void	 kau_init(void);
/*
 * Return values for pre-selection and post-selection decisions.  They are
 * bit flags, so AU_PRS_BOTH is simply the OR of the other two.
 */
#define	AU_PRS_SUCCESS	1	/* Audit the event when it succeeds. */
#define	AU_PRS_FAILURE	2	/* Audit the event when it fails. */
#define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)
/*
 * Data structures relating to the kernel audit queue, shared between
 * audit.c and the audit worker thread in audit_worker.c.  Ideally, these might
* be abstracted so that only accessor methods are exposed.
*/
extern struct mtx audit_mtx;
extern struct cv audit_watermark_cv;
extern struct cv audit_worker_cv;
extern struct kaudit_queue audit_q;
extern int audit_q_len;
extern int audit_pre_q_len;
/*
 * Non-zero once the audit subsystem has entered failure mode.
 * NOTE(review): how it is set and which paths consult it (presumably the
 * fail-stop handling in audit.c / audit_worker.c) is not visible here --
 * confirm before depending on it.
 */
extern int audit_in_failure;
/*
 * Flags to use on audit trail files when opening and closing.  The trail is
 * opened write-only in append mode (O_APPEND), so new records are always
 * appended after existing ones rather than overwriting them.
*/
/*
 * Open the trail for write in append mode.  AUDIT_CLOSE_FLAGS carries the
 * same value -- presumably so the close path can hand back the flags the
 * vnode was opened with; keep the two definitions in sync.
 */
#define AUDIT_OPEN_FLAGS (FWRITE | O_APPEND)
#define AUDIT_CLOSE_FLAGS (FWRITE | O_APPEND)
#include <sys/fcntl.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
/*
* Some of the BSM tokenizer functions take different parameters in the
* kernel implementations in order to save the copying of large kernel data
* structures. The prototypes of these functions are declared here.
*/
token_t *kau_to_socket(struct socket_au_info *soi);
/*
* audit_klib prototypes
*/
/*
 * Pre-selection test: report whether an event of the given class matches
 * mask_p for the outcome(s) in sorf.  The class is passed in explicitly
 * so that callers testing several masks against the same event need not
 * look it up repeatedly.  NOTE(review): the meaning of the int result
 * (boolean? AU_PRS_* bits?) is not visible here -- confirm in the
 * definition.
 */
int au_preselect(au_event_t event, au_class_t class,
au_mask_t *mask_p, int sorf);
void au_evclassmap_init(void);
void au_evclassmap_insert(au_event_t event, au_class_t class);
au_class_t au_event_class(au_event_t event);
au_event_t audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg);
au_event_t audit_flags_and_error_to_openevent(int oflags, int error);
au_event_t audit_flags_and_error_to_openatevent(int oflags, int error);
au_event_t audit_msgctl_to_event(int cmd);
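/*
 * Map a semctl command code to the audit event it is recorded as.  The
 * parameter is named 'cmd' to match audit_msgctl_to_event() directly
 * above; the previous name 'cmr' was a typo (prototype-only, no ABI
 * change).
 */
au_event_t audit_semctl_to_event(int cmd);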
/*
 * Canonicalise path (relative to dirfd when not absolute) into cpath.
 * NOTE(review): cpath is an output buffer with no length parameter, so
 * callers must supply one large enough for any canonicalised path
 * (presumably MAXPATHLEN -- confirm against the definition before
 * passing anything smaller).
 */
void audit_canon_path(struct thread *td, int dirfd, char *path,
char *cpath);
au_event_t auditon_command_event(int cmd);
/*
* Audit trigger events notify user space of kernel audit conditions
* asynchronously.
*/
void audit_trigger_init(void);
int audit_send_trigger(unsigned int trigger);
/*
* Accessor functions to manage global audit state.
*/
void audit_set_kinfo(struct auditinfo_addr *);
void audit_get_kinfo(struct auditinfo_addr *);
/*
 * General audit-related functions.
*/
struct kaudit_record *currecord(void);
void audit_free(struct kaudit_record *ar);
void audit_shutdown(void *arg, int howto);
void audit_rotate_vnode(struct ucred *cred,
struct vnode *vp);
void audit_worker_init(void);
/*
* Audit pipe functions.
*/
int audit_pipe_preselect(au_id_t auid, au_event_t event,
au_class_t class, int sorf, int trail_select);
void audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class,
int sorf, int trail_select, void *record, u_int record_len);
/*
 * Deliver a pre-formed record of record_len bytes to the audit pipes.
 * NOTE(review): the _user suffix suggests the record originates from a
 * user process rather than from kaudit_to_bsm(); if so, the caller must
 * have validated record_len and the record's framing before it reaches
 * the pipes -- confirm at the call site.
 */
void audit_pipe_submit_user(void *record, u_int record_len);
#endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */