[Midnightbsd-cvs] src: sys/bsm: add additional openbsm files.

[laffer1 at midnightbsd.org]

Log Message:
-----------
add additional openbsm files.

Added Files:
-----------
    src/sys/bsm:
        audit_internal.h (r1.1)
        audit_record.h (r1.1)

-------------- next part --------------
--- /dev/null
+++ sys/bsm/audit_record.h
@@ -0,0 +1,336 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit_record.h#26
+ * $FreeBSD: src/sys/bsm/audit_record.h,v 1.10 2007/07/22 12:28:13 rwatson Exp $
+ * $MidnightBSD: src/sys/bsm/audit_record.h,v 1.1 2008/09/03 02:01:51 laffer1 Exp $
+ */
+
+#ifndef _BSM_AUDIT_RECORD_H_
+#define _BSM_AUDIT_RECORD_H_
+
+#include <sys/time.h>			/* struct timeval */
+
+/*
+ * Token type identifiers.
+ */
+#define	AUT_INVALID		0x00
+#define	AUT_OTHER_FILE32	0x11
+#define	AUT_OHEADER		0x12
+#define	AUT_TRAILER		0x13
+#define	AUT_HEADER32		0x14
+#define	AUT_HEADER32_EX		0x15
+#define	AUT_DATA		0x21
+#define	AUT_IPC			0x22
+#define	AUT_PATH		0x23
+#define	AUT_SUBJECT32		0x24
+#define	AUT_SERVER32		0x25
+#define	AUT_PROCESS32		0x26
+#define	AUT_RETURN32		0x27
+#define	AUT_TEXT		0x28
+#define	AUT_OPAQUE		0x29
+#define	AUT_IN_ADDR		0x2a
+#define	AUT_IP			0x2b
+#define	AUT_IPORT		0x2c
+#define	AUT_ARG32		0x2d
+#define	AUT_SOCKET		0x2e
+#define	AUT_SEQ			0x2f
+#define	AUT_ACL			0x30
+#define	AUT_ATTR		0x31
+#define	AUT_IPC_PERM		0x32
+#define	AUT_LABEL		0x33
+#define	AUT_GROUPS		0x34
+#define	AUT_ILABEL		0x35
+#define	AUT_SLABEL		0x36
+#define	AUT_CLEAR		0x37
+#define	AUT_PRIV		0x38
+#define	AUT_UPRIV		0x39
+#define	AUT_LIAISON		0x3a
+#define	AUT_NEWGROUPS		0x3b
+#define	AUT_EXEC_ARGS		0x3c
+#define	AUT_EXEC_ENV		0x3d
+#define	AUT_ATTR32		0x3e
+/* #define	AUT_????	0x3f */
+#define	AUT_XATOM		0x40
+#define	AUT_XOBJ		0x41
+#define	AUT_XPROTO		0x42
+#define	AUT_XSELECT		0x43
+/* XXXRW: Additional X11 tokens not defined? */
+#define	AUT_CMD			0x51
+#define	AUT_EXIT		0x52
+#define	AUT_ZONENAME		0x60
+/* XXXRW: OpenBSM AUT_HOST 0x70? */
+#define	AUT_ARG64		0x71
+#define	AUT_RETURN64		0x72
+#define	AUT_ATTR64		0x73
+#define	AUT_HEADER64		0x74
+#define	AUT_SUBJECT64		0x75
+#define	AUT_SERVER64		0x76
+#define	AUT_PROCESS64		0x77
+#define	AUT_OTHER_FILE64	0x78
+#define	AUT_HEADER64_EX		0x79
+#define	AUT_SUBJECT32_EX	0x7a
+#define	AUT_PROCESS32_EX	0x7b
+#define	AUT_SUBJECT64_EX	0x7c
+#define	AUT_PROCESS64_EX	0x7d
+#define	AUT_IN_ADDR_EX		0x7e
+#define	AUT_SOCKET_EX		0x7f
+
+/*
+ * Pre-64-bit BSM, 32-bit tokens weren't explicitly named as '32'.  We have
+ * compatibility defines.
+ */
+#define	AUT_HEADER		AUT_HEADER32
+#define	AUT_ARG			AUT_ARG32
+#define	AUT_RETURN		AUT_RETURN32
+#define	AUT_SUBJECT		AUT_SUBJECT32
+#define	AUT_SERVER		AUT_SERVER32
+#define	AUT_PROCESS		AUT_PROCESS32
+#define	AUT_OTHER_FILE		AUT_OTHER_FILE32
+
+/*
+ * Darwin's bsm distribution uses the following non-BSM token name defines.
+ * We provide them for a single OpenBSM release for compatibility reasons.
+ */
+#define	AU_FILE_TOKEN		AUT_OTHER_FILE32
+#define	AU_TRAILER_TOKEN	AUT_TRAILER
+#define	AU_HEADER_32_TOKEN	AUT_HEADER32
+#define	AU_DATA_TOKEN		AUT_DATA
+#define	AU_ARB_TOKEN		AUT_DATA
+#define	AU_IPC_TOKEN		AUT_IPC
+#define	AU_PATH_TOKEN		AUT_PATH
+#define	AU_SUBJECT_32_TOKEN	AUT_SUBJECT32
+#define	AU_PROCESS_32_TOKEN	AUT_PROCESS32
+#define	AU_RETURN_32_TOKEN	AUT_RETURN32
+#define	AU_TEXT_TOKEN		AUT_TEXT
+#define	AU_OPAQUE_TOKEN		AUT_OPAQUE
+#define	AU_IN_ADDR_TOKEN	AUT_IN_ADDR
+#define	AU_IP_TOKEN		AUT_IP
+#define	AU_IPORT_TOKEN		AUT_IPORT
+#define	AU_ARG32_TOKEN		AUT_ARG32
+#define	AU_SOCK_TOKEN		AUT_SOCKET
+#define	AU_SEQ_TOKEN		AUT_SEQ
+#define	AU_ATTR_TOKEN		AUT_ATTR
+#define	AU_IPCPERM_TOKEN	AUT_IPC_PERM
+#define	AU_NEWGROUPS_TOKEN	AUT_NEWGROUPS
+#define	AU_EXEC_ARG_TOKEN	AUT_EXEC_ARGS
+#define	AU_EXEC_ENV_TOKEN	AUT_EXEC_ENV
+#define	AU_ATTR32_TOKEN		AUT_ATTR32
+#define	AU_CMD_TOKEN		AUT_CMD
+#define	AU_EXIT_TOKEN		AUT_EXIT
+#define	AU_ARG64_TOKEN		AUT_ARG64
+#define	AU_RETURN_64_TOKEN	AUT_RETURN64
+#define	AU_ATTR64_TOKEN		AUT_ATTR64
+#define	AU_HEADER_64_TOKEN	AUT_HEADER64
+#define	AU_SUBJECT_64_TOKEN	AUT_SUBJECT64
+#define	AU_PROCESS_64_TOKEN	AUT_PROCESS64
+#define	AU_HEADER_64_EX_TOKEN	AUT_HEADER64_EX
+#define	AU_SUBJECT_32_EX_TOKEN	AUT_SUBJECT32_EX
+#define	AU_PROCESS_32_EX_TOKEN	AUT_PROCESS32_EX
+#define	AU_SUBJECT_64_EX_TOKEN	AUT_SUBJECT64_EX
+#define	AU_PROCESS_64_EX_TOKEN	AUT_PROCESS64_EX
+#define	AU_IN_ADDR_EX_TOKEN	AUT_IN_ADDR_EX
+#define	AU_SOCK_32_EX_TOKEN	AUT_SOCKET_EX
+
+/*
+ * The values for the following token ids are not defined by BSM.
+ *
+ * XXXRW: Not sure how to handle these in OpenBSM yet, but I'll give them
+ * names more consistent with Sun's BSM.  These originally came from Apple's
+ * BSM.
+ */
+#define	AUT_SOCKINET32		0x80		/* XXX */
+#define	AUT_SOCKINET128		0x81		/* XXX */
+#define	AUT_SOCKUNIX		0x82		/* XXX */
+#define	AU_SOCK_INET_32_TOKEN	AUT_SOCKINET32
+#define	AU_SOCK_INET_128_TOKEN	AUT_SOCKINET128
+#define	AU_SOCK_UNIX_TOKEN	AUT_SOCKUNIX
+
+/* print values for the arbitrary token */
+#define AUP_BINARY      0
+#define AUP_OCTAL       1
+#define AUP_DECIMAL     2
+#define AUP_HEX         3
+#define AUP_STRING      4
+
+/* data-types for the arbitrary token */
+#define AUR_BYTE        0
+#define AUR_CHAR        AUR_BYTE
+#define AUR_SHORT       1
+#define AUR_INT32       2
+#define AUR_INT         AUR_INT32
+#define AUR_INT64       3
+
+/* ... and their sizes */
+#define AUR_BYTE_SIZE       sizeof(u_char)
+#define AUR_CHAR_SIZE       AUR_BYTE_SIZE
+#define AUR_SHORT_SIZE      sizeof(uint16_t)
+#define AUR_INT32_SIZE      sizeof(uint32_t)
+#define AUR_INT_SIZE        AUR_INT32_SIZE
+#define AUR_INT64_SIZE      sizeof(uint64_t)
+
+/* Modifiers for the header token */
+#define PAD_NOTATTR  0x4000   /* nonattributable event */
+#define PAD_FAILURE  0x8000   /* fail audit event */
+
+#define AUDIT_MAX_GROUPS      16
+
+/*
+ * A number of BSM versions are floating around and defined.  Here are
+ * constants for them.  OpenBSM uses the same token types, etc, used in the
+ * Solaris BSM version, but has a separate version number in order to
+ * identify a potentially different event identifier name space.
+ */
+#define	AUDIT_HEADER_VERSION_OLDDARWIN	1	/* In retrospect, a mistake. */
+#define	AUDIT_HEADER_VERSION_SOLARIS	2
+#define	AUDIT_HEADER_VERSION_TSOL25	3
+#define	AUDIT_HEADER_VERSION_TSOL	4
+#define	AUDIT_HEADER_VERSION_OPENBSM	10
+
+/*
+ * BSM define is AUT_TRAILER_MAGIC; Apple BSM define is TRAILER_PAD_MAGIC; we
+ * split the difference, will remove the Apple define for the next release.
+ */
+#define	AUT_TRAILER_MAGIC	0xb105
+#define	TRAILER_PAD_MAGIC	AUT_TRAILER_MAGIC
+
+/* BSM library calls */
+
+__BEGIN_DECLS
+
+struct in_addr;
+struct in6_addr;
+struct ip;
+struct ipc_perm;
+struct kevent;
+struct sockaddr_in;
+struct sockaddr_in6;
+struct sockaddr_un;
+#if defined(_KERNEL) || defined(KERNEL)
+struct vnode_au_info;
+#endif
+
+int	 au_open(void);
+int	 au_write(int d, token_t *m);
+int	 au_close(int d, int keep, short event);
+int	 au_close_buffer(int d, short event, u_char *buffer, size_t *buflen);
+int	 au_close_token(token_t *tok, u_char *buffer, size_t *buflen);
+
+token_t	*au_to_file(char *file, struct timeval tm);
+
+token_t	*au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+	    struct timeval tm);
+token_t	*au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+	    struct timeval tm);
+#if !defined(KERNEL) && !defined(_KERNEL)
+token_t	*au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t	*au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t	*au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod);
+#endif
+
+token_t	*au_to_me(void);
+token_t	*au_to_arg(char n, char *text, uint32_t v);
+token_t	*au_to_arg32(char n, char *text, uint32_t v);
+token_t	*au_to_arg64(char n, char *text, uint64_t v);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t	*au_to_attr(struct vnode_au_info *vni);
+token_t	*au_to_attr32(struct vnode_au_info *vni);
+token_t	*au_to_attr64(struct vnode_au_info *vni);
+#endif
+
+token_t	*au_to_data(char unit_print, char unit_type, char unit_count,
+	    char *p);
+token_t	*au_to_exit(int retval, int err);
+token_t	*au_to_groups(int *groups);
+token_t	*au_to_newgroups(uint16_t n, gid_t *groups);
+token_t	*au_to_in_addr(struct in_addr *internet_addr);
+token_t	*au_to_in_addr_ex(struct in6_addr *internet_addr);
+token_t	*au_to_ip(struct ip *ip);
+token_t	*au_to_ipc(char type, int id);
+token_t	*au_to_ipc_perm(struct ipc_perm *perm);
+token_t	*au_to_iport(uint16_t iport);
+token_t	*au_to_opaque(char *data, uint16_t bytes);
+token_t	*au_to_path(char *path);
+token_t	*au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
+	    uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+	    au_tid_addr_t *tid);
+token_t	*au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_return(char status, uint32_t ret);
+token_t	*au_to_return32(char status, uint32_t ret);
+token_t	*au_to_return64(char status, uint64_t ret);
+token_t	*au_to_seq(long audit_count);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t	*au_to_socket(struct socket *so);
+token_t	*au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la,
+	    struct sockaddr *ta);
+token_t	*au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la,
+	    struct sockaddr *ta);
+#endif
+
+token_t	*au_to_sock_inet(struct sockaddr_in *so);
+token_t	*au_to_sock_inet32(struct sockaddr_in *so);
+token_t	*au_to_sock_inet128(struct sockaddr_in6 *so);
+token_t	*au_to_sock_unix(struct sockaddr_un *so);
+token_t	*au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+#if defined(_KERNEL) || defined(KERNEL)
+token_t	*au_to_exec_args(char *args, int argc);
+token_t	*au_to_exec_env(char *envs, int envc);
+#else
+token_t	*au_to_exec_args(char **argv);
+token_t	*au_to_exec_env(char **envp);
+#endif
+token_t	*au_to_text(char *text);
+token_t	*au_to_kevent(struct kevent *kev);
+token_t	*au_to_trailer(int rec_size);
+token_t	*au_to_zonename(char *zonename);
+
+__END_DECLS
+
+#endif /* ! _BSM_AUDIT_RECORD_H_ */
--- /dev/null
+++ sys/bsm/audit_internal.h
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit_internal.h#18
+ * $FreeBSD: src/sys/bsm/audit_internal.h,v 1.8 2007/07/22 12:28:12 rwatson Exp $
+ * $MidnightBSD: src/sys/bsm/audit_internal.h,v 1.1 2008/09/03 02:01:51 laffer1 Exp $
+ */
+
+#ifndef _AUDIT_INTERNAL_H
+#define	_AUDIT_INTERNAL_H
+
+#if defined(__linux__) && !defined(__unused)
+#define	__unused
+#endif
+
+/*
+ * audit_internal.h contains private interfaces that are shared by user space
+ * and the kernel for the purposes of assembling audit records.  Applications
+ * should not include this file or use the APIs found within, or it may be
+ * broken with future releases of OpenBSM, which may delete, modify, or
+ * otherwise break these interfaces or the assumptions they rely on.
+ */
+struct au_token {
+	u_char			*t_data;
+	size_t			 len;
+	TAILQ_ENTRY(au_token)	 tokens;
+};
+
+struct au_record {
+	char			 used;		/* Record currently in use? */
+	int			 desc;		/* Descriptor for record. */
+	TAILQ_HEAD(, au_token)	 token_q;	/* Queue of BSM tokens. */
+	u_char			*data;
+	size_t			 len;
+	LIST_ENTRY(au_record)	 au_rec_q;
+};
+typedef	struct au_record	au_record_t;
+
+
+/*
+ * We could determined the header and trailer sizes by defining appropriate
+ * structures.  We hold off that approach until we have a consistent way of
+ * using structures for all tokens.  This is not straightforward since these
+ * token structures may contain pointers of whose contents we do not know the
+ * size (e.g text tokens).
+ */
+#define	AUDIT_HEADER_SIZE	18
+#define	AUDIT_TRAILER_SIZE	7
+
+/*
+ * BSM token streams store fields in big endian byte order, so as to be
+ * portable; when encoding and decoding, we must convert byte orders for
+ * typed values.
+ */
+#define	ADD_U_CHAR(loc, val)						\
+	do {								\
+		*(loc) = (val);						\
+		(loc) += sizeof(u_char);				\
+	} while(0)
+
+
+#define	ADD_U_INT16(loc, val)						\
+	do {								\
+		be16enc((loc), (val));					\
+		(loc) += sizeof(u_int16_t);				\
+	} while(0)
+
+#define	ADD_U_INT32(loc, val)						\
+	do {								\
+		be32enc((loc), (val));					\
+		(loc) += sizeof(u_int32_t);				\
+	} while(0)
+
+#define	ADD_U_INT64(loc, val)						\
+	do {								\
+		be64enc((loc), (val));					\
+		(loc) += sizeof(u_int64_t); 				\
+	} while(0)
+
+#define	ADD_MEM(loc, data, size)					\
+	do {								\
+		memcpy((loc), (data), (size));				\
+		(loc) += size;						\
+	} while(0)
+
+#define	ADD_STRING(loc, data, size)	ADD_MEM(loc, data, size)
+
+#endif /* !_AUDIT_INTERNAL_H_ */