1 /*- 2 * Copyright (c) 1999-2020 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 /* 30 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce 31 * support for mandatory and extensible security protections. This notice 32 * is included in support of clause 2.2 (b) of the Apple Public License, 33 * Version 2.0. 34 */ 35 36 /* 37 * This include file contains function prototypes and type definitions used 38 * within the audit implementation. 39 */ 40 41 #ifndef _SECURITY_AUDIT_PRIVATE_H_ 42 #define _SECURITY_AUDIT_PRIVATE_H_ 43 44 #if defined(_KERNEL) || defined(KERNEL) 45 46 #if CONFIG_MACF 47 #include <sys/queue.h> 48 #include <security/mac_framework.h> 49 #endif 50 51 #include <sys/ipc.h> 52 #include <sys/proc_internal.h> /* for PID_MAX */ 53 #include <sys/socket.h> 54 #include <sys/ucred.h> 55 56 #ifdef MALLOC_DECLARE 57 MALLOC_DECLARE(M_AUDITBSM); 58 MALLOC_DECLARE(M_AUDITDATA); 59 MALLOC_DECLARE(M_AUDITPATH); 60 MALLOC_DECLARE(M_AUDITTEXT); 61 #endif 62 #if CONFIG_AUDIT 63 /* 64 * mac_audit_data_zone is the zone used for data pushed into the audit 65 * record by policies. Using a zone simplifies memory management of this 66 * data, and allows tracking of the amount of data in flight. 67 */ 68 extern zone_t mac_audit_data_zone; 69 #endif 70 71 /* 72 * Audit control variables that are usually set/read via system calls and 73 * used to control various aspects of auditing. 74 */ 75 extern struct au_qctrl audit_qctrl; 76 extern struct audit_fstat audit_fstat; 77 extern struct au_mask audit_nae_mask; 78 extern int audit_panic_on_write_fail; 79 extern int audit_fail_stop; 80 extern int audit_argv; 81 extern int audit_arge; 82 extern au_ctlmode_t audit_ctl_mode; 83 extern au_expire_after_t audit_expire_after; 84 85 /* 86 * Kernel mask that is used to check to see if system calls need to be audited. 87 */ 88 extern au_class_t audit_kevent_mask; 89 90 /* 91 * The macro used to check to see if the system calls need to be auditing. 92 * This will pessimisticly set the audit syscalls flag if the audit kevent 93 * mask has not been created yet. User code should build the event/class 94 * mapping table before setting preselection masks to avoid this. 95 */ 96 #define AUDIT_CHECK_IF_KEVENTS_MASK(m) do { \ 97 if ((m).am_success || (m).am_failure) \ 98 if (!audit_kevent_mask || \ 99 (audit_kevent_mask & (m).am_success) || \ 100 (audit_kevent_mask & (m).am_failure)) \ 101 audit_syscalls = 1; \ 102 } while (0) 103 104 /* 105 * Success/failure conditions for the conversion of a kernel audit record to 106 * BSM format. 107 */ 108 #define BSM_SUCCESS 0 109 #define BSM_FAILURE 1 110 #define BSM_NOAUDIT 2 111 112 /* 113 * Defines for the kernel audit record k_ar_commit field. Flags are set to 114 * indicate what sort of record it is, and which preselection mechanism 115 * selected it. 116 */ 117 #define AR_COMMIT_KERNEL 0x00000001U 118 #define AR_COMMIT_USER 0x00000010U 119 120 #define AR_PRESELECT_TRAIL 0x00001000U 121 #define AR_PRESELECT_PIPE 0x00002000U 122 123 #define AR_PRESELECT_USER_TRAIL 0x00004000U 124 #define AR_PRESELECT_USER_PIPE 0x00008000U 125 126 #define AR_PRESELECT_FILTER 0x00010000U 127 128 #define AR_DRAIN_QUEUE 0x80000000U 129 130 /* 131 * Audit data is generated as a stream of struct audit_record structures, 132 * linked by struct kaudit_record, and contain storage for possible audit so 133 * that it will not need to be allocated during the processing of a system 134 * call, both improving efficiency and avoiding sleeping at untimely moments. 135 * This structure is converted to BSM format before being written to disk. 136 */ 137 struct vnode_au_info { 138 mode_t vn_mode; 139 uid_t vn_uid; 140 gid_t vn_gid; 141 dev_t vn_dev; 142 long vn_fsid; 143 long vn_fileid; 144 long vn_gen; 145 }; 146 147 struct groupset { 148 gid_t gidset[NGROUPS]; 149 u_int gidset_size; 150 }; 151 152 struct socket_au_info { 153 int sai_domain; 154 int sai_type; 155 int sai_protocol; 156 157 /* Foreign (remote) address/port. */ 158 struct sockaddr_storage sai_faddr; 159 160 /* Local address/port. */ 161 struct sockaddr_storage sai_laddr; 162 }; 163 164 /* 165 * The following is used for A_OLDSETQCTRL and A_OLDGETQCTRL and a 64-bit 166 * userland. 167 */ 168 struct au_qctrl64 { 169 u_int64_t aq64_hiwater; 170 u_int64_t aq64_lowater; 171 u_int64_t aq64_bufsz; 172 u_int64_t aq64_delay; 173 int64_t aq64_minfree; 174 }; 175 typedef struct au_qctrl64 au_qctrl64_t; 176 177 union auditon_udata { 178 char *au_path; 179 int au_cond; 180 int au_policy; 181 int64_t au_cond64; 182 int64_t au_policy64; 183 int au_trigger; 184 au_evclass_map_t au_evclass; 185 au_mask_t au_mask; 186 au_asflgs_t au_flags; 187 auditinfo_t au_auinfo; 188 auditpinfo_t au_aupinfo; 189 auditpinfo_addr_t au_aupinfo_addr; 190 au_qctrl_t au_qctrl; 191 au_qctrl64_t au_qctrl64; 192 au_stat_t au_stat; 193 au_fstat_t au_fstat; 194 auditinfo_addr_t au_kau_info; 195 au_ctlmode_t au_ctl_mode; 196 au_expire_after_t au_expire_after; 197 }; 198 199 struct posix_ipc_perm { 200 uid_t pipc_uid; 201 gid_t pipc_gid; 202 mode_t pipc_mode; 203 }; 204 205 struct au_identity_info { 206 u_int32_t signer_type; 207 char *signing_id; 208 u_char signing_id_trunc; 209 char *team_id; 210 u_char team_id_trunc; 211 u_int8_t *cdhash; 212 u_int16_t cdhash_len; 213 }; 214 215 struct audit_record { 216 /* Audit record header. */ 217 u_int32_t ar_magic; 218 int ar_event; 219 int ar_retval; /* value returned to the process */ 220 int ar_errno; /* return status of system call */ 221 struct timespec ar_starttime; 222 struct timespec ar_endtime; 223 u_int64_t ar_valid_arg; /* Bitmask of valid arguments */ 224 225 /* Audit subject information. */ 226 struct xucred ar_subj_cred; 227 uid_t ar_subj_ruid; 228 gid_t ar_subj_rgid; 229 gid_t ar_subj_egid; 230 uid_t ar_subj_auid; /* Audit user ID */ 231 pid_t ar_subj_asid; /* Audit session ID */ 232 pid_t ar_subj_pid; 233 struct au_tid ar_subj_term; 234 struct au_tid_addr ar_subj_term_addr; 235 struct au_mask ar_subj_amask; 236 237 /* Operation arguments. */ 238 uid_t ar_arg_euid; 239 uid_t ar_arg_ruid; 240 uid_t ar_arg_suid; 241 gid_t ar_arg_egid; 242 gid_t ar_arg_rgid; 243 gid_t ar_arg_sgid; 244 pid_t ar_arg_pid; 245 pid_t ar_arg_asid; 246 struct au_tid ar_arg_termid; 247 struct au_tid_addr ar_arg_termid_addr; 248 uid_t ar_arg_uid; 249 uid_t ar_arg_auid; 250 gid_t ar_arg_gid; 251 struct groupset ar_arg_groups; 252 int ar_arg_fd; 253 int ar_arg_fflags; 254 mode_t ar_arg_mode; 255 uint32_t ar_arg_value32; 256 uint64_t ar_arg_value64; 257 user_addr_t ar_arg_addr; 258 user_size_t ar_arg_len; 259 int ar_arg_mask; 260 u_int ar_arg_signum; 261 char ar_arg_login[MAXLOGNAME]; 262 int ar_arg_ctlname[CTL_MAXNAME]; 263 struct socket_au_info ar_arg_sockinfo; 264 char *ar_arg_upath1; 265 char *ar_arg_upath2; 266 char *ar_arg_kpath1; /* darwin-only */ 267 char *ar_arg_kpath2; /* darwin-only */ 268 #if CONFIG_MACF 269 char *ar_vnode1_mac_labels; 270 char *ar_vnode2_mac_labels; 271 char *ar_cred_mac_labels; 272 char *ar_arg_mac_string; 273 #endif 274 char *ar_arg_text; 275 void *ar_arg_opaque; /* darwin-only */ 276 void *ar_arg_data; /* darwin-only */ 277 u_int16_t ar_arg_opq_size; /* darwin-only */ 278 u_char ar_arg_data_type; /* darwin-only */ 279 u_char ar_arg_data_count; /* darwin-only */ 280 struct au_mask ar_arg_amask; 281 struct vnode_au_info ar_arg_vnode1; 282 struct vnode_au_info ar_arg_vnode2; 283 int ar_arg_cmd; 284 int ar_arg_svipc_cmd; 285 struct ipc_perm ar_arg_svipc_perm; 286 int ar_arg_svipc_id; 287 user_addr_t ar_arg_svipc_addr; 288 struct posix_ipc_perm ar_arg_pipc_perm; 289 mach_port_name_t ar_arg_mach_port1; /* darwin-only */ 290 mach_port_name_t ar_arg_mach_port2; /* darwin-only */ 291 union auditon_udata ar_arg_auditon; 292 char *ar_arg_argv; 293 int ar_arg_argc; 294 char *ar_arg_envv; 295 int ar_arg_envc; 296 int ar_arg_exitstatus; 297 int ar_arg_exitretval; 298 struct sockaddr_storage ar_arg_sockaddr; 299 int ar_arg_fd2; 300 301 #if CONFIG_MACF 302 /* 303 * MAC security related fields added by MAC policies ar_forced_by_mac 304 * is 1 if mac_audit_check_preselect() forced this call to be audited, 305 * 0 otherwise. 306 */ 307 LIST_HEAD(mac_audit_record_list_t, mac_audit_record) * ar_mac_records; 308 int ar_forced_by_mac; 309 #endif 310 struct au_identity_info ar_arg_identity; 311 }; 312 313 /* 314 * Arguments in the audit record are initially not defined; flags are set to 315 * indicate if they are present so they can be included in the audit log 316 * stream only if defined. 317 */ 318 #define ARG_IS_VALID(kar, arg) ((kar)->k_ar.ar_valid_arg & (arg)) 319 #define ARG_SET_VALID(kar, arg) do { \ 320 (kar)->k_ar.ar_valid_arg |= (arg); \ 321 } while (0) 322 323 /* 324 * Current thread macro. get_bsdthread_info() returns a void ptr for some 325 * reason. 326 */ 327 #define curthread() current_uthread() 328 329 /* 330 * In-kernel version of audit record; the basic record plus queue meta-data. 331 * This record can also have a pointer set to some opaque data that will be 332 * passed through to the audit writing mechanism. 333 */ 334 struct kaudit_record { 335 struct audit_record k_ar; 336 u_int32_t k_ar_commit; 337 void *k_udata; /* User data. */ 338 u_int k_ulen; /* User data length. */ 339 struct uthread *k_uthread; /* Audited thread. */ 340 TAILQ_ENTRY(kaudit_record) k_q; 341 }; 342 TAILQ_HEAD(kaudit_queue, kaudit_record); 343 344 /* 345 * Functions to manage the allocation, release, and commit of kernel audit 346 * records. 347 */ 348 void audit_abort(struct kaudit_record *ar); 349 void audit_commit(struct kaudit_record *ar, int error, 350 int retval); 351 struct kaudit_record *audit_new(int event, proc_t p, struct uthread *td); 352 353 /* 354 * Functions relating to the conversion of internal kernel audit records to 355 * the BSM file format. 356 */ 357 struct au_record; 358 int kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau); 359 int bsm_rec_verify(void *rec, int length, boolean_t kern_events_allowed); 360 361 /* 362 * Kernel versions of the libbsm audit record functions. 363 */ 364 void kau_free(struct au_record *rec); 365 void kau_init(void); 366 367 /* 368 * Return values for pre-selection and post-selection decisions. 369 */ 370 #define AU_PRS_SUCCESS 1 371 #define AU_PRS_FAILURE 2 372 #define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) 373 374 /* 375 * Data structures relating to the kernel audit queue. Ideally, these might 376 * be abstracted so that only accessor methods are exposed. 377 */ 378 extern struct mtx audit_mtx; 379 extern struct cv audit_watermark_cv; 380 extern struct cv audit_worker_cv; 381 extern struct cv audit_drain_cv; 382 extern struct kaudit_queue audit_q; 383 extern int audit_q_len; 384 extern int audit_pre_q_len; 385 extern int audit_in_failure; 386 387 /* 388 * Flags to use on audit files when opening and closing. 389 */ 390 #define AUDIT_OPEN_FLAGS (FWRITE | O_APPEND) 391 #define AUDIT_CLOSE_FLAGS (FWRITE | O_APPEND) 392 393 #include <sys/fcntl.h> 394 #include <sys/kernel.h> 395 #include <sys/malloc.h> 396 397 /* 398 * Some of the BSM tokenizer functions take different parameters in the 399 * kernel implementations in order to save the copying of large kernel data 400 * structures. The prototypes of these functions are declared here. 401 */ 402 token_t *kau_to_socket(struct socket_au_info *soi); 403 404 /* 405 * audit_klib prototypes 406 */ 407 int au_preselect(au_event_t event, au_class_t class, 408 au_mask_t *mask_p, int sorf); 409 void au_evclassmap_init(void); 410 void au_evclassmap_insert(au_event_t event, au_class_t class); 411 au_class_t au_event_class(au_event_t event); 412 au_event_t audit_ctlname_to_sysctlevent(int name[], uint64_t valid_arg); 413 au_event_t audit_flags_and_error_to_openevent(int oflags, int error); 414 au_event_t audit_flags_and_error_to_openextendedevent(int oflags, 415 int error); 416 au_event_t audit_flags_and_error_to_openatevent(int oflags, 417 int error); 418 au_event_t audit_flags_and_error_to_openbyidevent(int oflags, 419 int error); 420 au_event_t audit_msgctl_to_event(int cmd); 421 au_event_t audit_semctl_to_event(int cmr); 422 int audit_canon_path(struct vnode *cwd_vp, const char *path, 423 char *cpath); 424 au_event_t auditon_command_event(int cmd); 425 au_event_t audit_fcntl_command_event(int cmd, int oflags, int error); 426 427 /* 428 * Audit trigger events notify user space of kernel audit conditions 429 * asynchronously. 430 */ 431 int audit_send_trigger(unsigned int trigger); 432 int audit_send_analytics(char* id, char* name); 433 434 /* 435 * Accessor functions to manage global audit state. 436 */ 437 void audit_set_kinfo(struct auditinfo_addr *); 438 void audit_get_kinfo(struct auditinfo_addr *); 439 440 /* 441 * General audit related functions. 442 */ 443 struct kaudit_record *currecord(void); 444 void audit_free(struct kaudit_record *ar); 445 void audit_rotate_vnode(struct ucred *cred, 446 struct vnode *vp); 447 void audit_worker_init(void); 448 void audit_identity_info_construct( 449 struct au_identity_info *id_info); 450 void audit_identity_info_destruct( 451 struct au_identity_info *id_info); 452 453 /* 454 * Audit pipe functions. 455 */ 456 int audit_pipe_init(void); 457 int audit_pipe_shutdown(void); 458 int audit_pipe_preselect(au_id_t auid, au_event_t event, 459 au_class_t class, int sorf, int trail_select); 460 void audit_pipe_submit(au_id_t auid, au_event_t event, au_class_t class, 461 int sorf, int trail_select, void *record, u_int record_len); 462 void audit_pipe_submit_user(void *record, u_int record_len); 463 464 /* 465 * Audit MAC prototypes. 466 */ 467 int audit_mac_new(proc_t p, struct kaudit_record *ar); 468 void audit_mac_free(struct kaudit_record *ar); 469 int audit_mac_syscall_enter(unsigned short code, proc_t p, 470 struct uthread *uthread, kauth_cred_t my_cred, au_event_t event); 471 int audit_mac_syscall_exit(unsigned short code, struct uthread *uthread, 472 int error, int retval); 473 474 /* 475 * Audit Session. 476 */ 477 void audit_session_init(void); 478 int audit_session_setaia(proc_t p, auditinfo_addr_t *aia_p); 479 auditinfo_addr_t *audit_session_update(auditinfo_addr_t *new_aia); 480 int audit_session_lookup(au_asid_t asid, auditinfo_addr_t *ret_aia); 481 482 /* 483 * Kernel assigned audit session IDs start at PID_MAX + 1 and ends at 484 * ASSIGNED_ASID_MAX. 485 */ 486 #define ASSIGNED_ASID_MIN (PID_MAX + 1) 487 #define ASSIGNED_ASID_MAX (0xFFFFFFFF - 1) 488 489 /* 490 * Entitlement required to control various audit subsystem settings 491 */ 492 #define AU_CLASS_RESERVED_ENTITLEMENT "com.apple.private.dz.audit" 493 494 /* 495 * Entitlement required to control auditctl sys call 496 */ 497 #define AU_AUDITCTL_RESERVED_ENTITLEMENT "com.apple.private.protected-audit-control" 498 499 /* 500 * Entitlement required to control auditctl sys call 501 */ 502 #define AU_AUDIT_USER_ENTITLEMENT "com.apple.private.audit.user" 503 504 /* 505 * Max sizes used by the kernel for signing id and team id values of the 506 * identity tokens. These lengths include space for the null terminator. 507 */ 508 #define MAX_AU_IDENTITY_SIGNING_ID_LENGTH 129 509 #define MAX_AU_IDENTITY_TEAM_ID_LENGTH 17 510 511 struct __attribute__((__packed__)) hdr_tok_partial { 512 u_char type; 513 uint32_t len; 514 u_char ver; 515 uint16_t e_type; 516 }; 517 static_assert(sizeof(struct hdr_tok_partial) == 8); 518 519 struct __attribute__((__packed__)) trl_tok_partial { 520 u_char type; 521 uint16_t magic; 522 uint32_t len; 523 }; 524 static_assert(sizeof(struct trl_tok_partial) == 7); 525 526 #endif /* defined(KERNEL) || defined(_KERNEL) */ 527 528 #endif /* ! _SECURITY_AUDIT_PRIVATE_H_ */ 529