sys/security/audit/audit.h
/*- | /*- | ||||
* SPDX-License-Identifier: BSD-3-Clause | * SPDX-License-Identifier: BSD-3-Clause | ||||
* | * | ||||
* Copyright (c) 1999-2005 Apple Inc. | * Copyright (c) 1999-2005 Apple Inc. | ||||
* Copyright (c) 2016-2017 Robert N. M. Watson | * Copyright (c) 2016-2018 Robert N. M. Watson | ||||
* All rights reserved. | * All rights reserved. | ||||
* | * | ||||
* This software was developed by BAE Systems, the University of Cambridge | * This software was developed by BAE Systems, the University of Cambridge | ||||
* Computer Laboratory, and Memorial University under DARPA/AFRL contract | * Computer Laboratory, and Memorial University under DARPA/AFRL contract | ||||
* FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing | * FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing | ||||
* (TC) research program. | * (TC) research program. | ||||
* | * | ||||
* Redistribution and use in source and binary forms, with or without | * Redistribution and use in source and binary forms, with or without | ||||
#endif | #endif | ||||
#include <bsm/audit.h> | #include <bsm/audit.h> | ||||
#include <sys/file.h> | #include <sys/file.h> | ||||
#include <sys/sysctl.h> | #include <sys/sysctl.h> | ||||
/* | /* | ||||
* Audit subsystem condition flags. The audit_enabled flag is set and | * Audit subsystem condition flags. The audit_trail_enabled flag is set and | ||||
* removed automatically as a result of configuring log files, and can be | * removed automatically as a result of configuring log files, and can be | ||||
* observed but should not be directly manipulated. The audit suspension | * observed but should not be directly manipulated. The audit suspension | ||||
* flag permits audit to be temporarily disabled without reconfiguring the | * flag permits audit to be temporarily disabled without reconfiguring the | ||||
* audit target. | * audit target. | ||||
* | |||||
* As DTrace can also request system-call auditing, a further | |||||
* audit_syscalls_enabled flag tracks whether newly entering system calls | |||||
* should be considered for auditing or not. | |||||
* | |||||
* XXXRW: Move trail flags to audit_private.h, as they no longer need to be | |||||
* visible outside the audit code...? | |||||
*/ | */ | ||||
extern int audit_enabled; | #ifdef KDTRACE_HOOKS | ||||
extern int audit_suspended; | extern u_int audit_dtrace_enabled; | ||||
#endif | |||||
extern int audit_trail_enabled; | |||||
extern int audit_trail_suspended; | |||||
extern int audit_syscalls_enabled; | |||||
void audit_syscall_enter(unsigned short code, struct thread *td); | void audit_syscall_enter(unsigned short code, struct thread *td); | ||||
void audit_syscall_exit(int error, struct thread *td); | void audit_syscall_exit(int error, struct thread *td); | ||||
/* | /* | ||||
* The remaining kernel functions are conditionally compiled in as they are | * The remaining kernel functions are conditionally compiled in as they are | ||||
* wrapped by a macro, and the macro should be the only place in the source | * wrapped by a macro, and the macro should be the only place in the source | ||||
* tree where these functions are referenced. | * tree where these functions are referenced. | ||||
void audit_cred_kproc0(struct ucred *cred); | void audit_cred_kproc0(struct ucred *cred); | ||||
void audit_cred_proc1(struct ucred *cred); | void audit_cred_proc1(struct ucred *cred); | ||||
void audit_proc_coredump(struct thread *td, char *path, int errcode); | void audit_proc_coredump(struct thread *td, char *path, int errcode); | ||||
void audit_thread_alloc(struct thread *td); | void audit_thread_alloc(struct thread *td); | ||||
void audit_thread_free(struct thread *td); | void audit_thread_free(struct thread *td); | ||||
/* | /* | ||||
* Define macros to wrap the audit_arg_* calls by checking the global | * Define macros to wrap the audit_arg_* calls by checking the global | ||||
* audit_enabled flag before performing the actual call. | * audit_syscalls_enabled flag before performing the actual call. | ||||
*/ | */ | ||||
#define AUDITING_TD(td) ((td)->td_pflags & TDP_AUDITREC) | #define AUDITING_TD(td) ((td)->td_pflags & TDP_AUDITREC) | ||||
#define AUDIT_ARG_ADDR(addr) do { \ | #define AUDIT_ARG_ADDR(addr) do { \ | ||||
if (AUDITING_TD(curthread)) \ | if (AUDITING_TD(curthread)) \ | ||||
audit_arg_addr((addr)); \ | audit_arg_addr((addr)); \ | ||||
} while (0) | } while (0) | ||||
} while (0) | } while (0) | ||||
#define AUDIT_ARG_VNODE2(vp) do { \ | #define AUDIT_ARG_VNODE2(vp) do { \ | ||||
if (AUDITING_TD(curthread)) \ | if (AUDITING_TD(curthread)) \ | ||||
audit_arg_vnode2((vp)); \ | audit_arg_vnode2((vp)); \ | ||||
} while (0) | } while (0) | ||||
#define AUDIT_SYSCALL_ENTER(code, td) do { \ | #define AUDIT_SYSCALL_ENTER(code, td) do { \ | ||||
if (audit_enabled) { \ | if (audit_syscalls_enabled) { \ | ||||
audit_syscall_enter(code, td); \ | audit_syscall_enter(code, td); \ | ||||
} \ | } \ | ||||
} while (0) | } while (0) | ||||
/* | /* | ||||
* Wrap the audit_syscall_exit() function so that it is called only when | * Wrap the audit_syscall_exit() function so that it is called only when | ||||
* we have a audit record on the thread. Audit records can persist after | * we have a audit record on the thread. Audit records can persist after | ||||
* auditing is disabled, so we don't just check audit_enabled here. | * auditing is disabled, so we don't just check audit_syscalls_enabled here. | ||||
*/ | */ | ||||
#define AUDIT_SYSCALL_EXIT(error, td) do { \ | #define AUDIT_SYSCALL_EXIT(error, td) do { \ | ||||
if (td->td_pflags & TDP_AUDITREC) \ | if (td->td_pflags & TDP_AUDITREC) \ | ||||
audit_syscall_exit(error, td); \ | audit_syscall_exit(error, td); \ | ||||
} while (0) | } while (0) | ||||
/* | /* | ||||
* A Macro to wrap the audit_sysclose() function. | * A Macro to wrap the audit_sysclose() function. | ||||
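Review bot: The reworded comment above the `Define macros to wrap the audit_arg_* calls` block still does not match the macros beneath it: AUDIT_ARG_ADDR() and AUDIT_ARG_VNODE2() test `AUDITING_TD(curthread)`, i.e. the per-thread TDP_AUDITREC bit, and only AUDIT_SYSCALL_ENTER() consults the global `audit_syscalls_enabled`. I would write it as `* Define macros to wrap the audit_arg_* calls by checking the per-thread TDP_AUDITREC` / `* flag (AUDITING_TD()) before performing the actual call; only AUDIT_SYSCALL_ENTER()` / `* consults the global audit_syscalls_enabled flag.` so a reader does not conclude that clearing the global flag stops argument capture for a record already open on the thread, which the AUDIT_SYSCALL_EXIT() comment says can outlive the disable. Relatedly, the new flag comment documents the trail flags as observe-only but says nothing about who maintains `audit_syscalls_enabled` and `audit_dtrace_enabled`; if, as the DTrace sentence suggests, the former is derived from the trail and DTrace state, a line stating that it is recomputed by the audit code and must not be set directly would be worth adding. Minor: `audit_dtrace_enabled` is declared `u_int` while its sibling flags are `int`.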