Page MenuHomeFreeBSD
Differential D17348 Diff 48553 sys/security/audit/audit.h

Changeset View

Standalone View

View Options

sys/security/audit/audit.h

/*- /*-
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
* *
* Copyright (c) 1999-2005 Apple Inc. * Copyright (c) 1999-2005 Apple Inc.
* Copyright (c) 2016-2017 Robert N. M. Watson * Copyright (c) 2016-2018 Robert N. M. Watson
* All rights reserved. * All rights reserved.
* *
* This software was developed by BAE Systems, the University of Cambridge * This software was developed by BAE Systems, the University of Cambridge
* Computer Laboratory, and Memorial University under DARPA/AFRL contract * Computer Laboratory, and Memorial University under DARPA/AFRL contract
* FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing * FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent Computing
* (TC) research program. * (TC) research program.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
Show All 36 Lines
#endif #endif
#include <bsm/audit.h> #include <bsm/audit.h>
#include <sys/file.h> #include <sys/file.h>
#include <sys/sysctl.h> #include <sys/sysctl.h>
/* /*
* Audit subsystem condition flags. The audit_enabled flag is set and * Audit subsystem condition flags. The audit_trail_enabled flag is set and
* removed automatically as a result of configuring log files, and can be * removed automatically as a result of configuring log files, and can be
* observed but should not be directly manipulated. The audit suspension * observed but should not be directly manipulated. The audit suspension
* flag permits audit to be temporarily disabled without reconfiguring the * flag permits audit to be temporarily disabled without reconfiguring the
* audit target. * audit target.
*
* As DTrace can also request system-call auditing, a further
* audit_syscalls_enabled flag tracks whether newly entering system calls
* should be considered for auditing or not.
*
* XXXRW: Move trail flags to audit_private.h, as they no longer need to be
* visible outside the audit code...?
*/ */
extern int audit_enabled; #ifdef KDTRACE_HOOKS
extern int audit_suspended; extern u_int audit_dtrace_enabled;
#endif
extern int audit_trail_enabled;
extern int audit_trail_suspended;
extern int audit_syscalls_enabled;
void audit_syscall_enter(unsigned short code, struct thread *td); void audit_syscall_enter(unsigned short code, struct thread *td);
void audit_syscall_exit(int error, struct thread *td); void audit_syscall_exit(int error, struct thread *td);
/* /*
* The remaining kernel functions are conditionally compiled in as they are * The remaining kernel functions are conditionally compiled in as they are
* wrapped by a macro, and the macro should be the only place in the source * wrapped by a macro, and the macro should be the only place in the source
* tree where these functions are referenced. * tree where these functions are referenced.
▲ Show 20 LinesShow All 60 Lines▼ Show 20 Lines
void audit_cred_kproc0(struct ucred *cred); void audit_cred_kproc0(struct ucred *cred);
void audit_cred_proc1(struct ucred *cred); void audit_cred_proc1(struct ucred *cred);
void audit_proc_coredump(struct thread *td, char *path, int errcode); void audit_proc_coredump(struct thread *td, char *path, int errcode);
void audit_thread_alloc(struct thread *td); void audit_thread_alloc(struct thread *td);
void audit_thread_free(struct thread *td); void audit_thread_free(struct thread *td);
/* /*
* Define macros to wrap the audit_arg_* calls by checking the global * Define macros to wrap the audit_arg_* calls by checking the global
* audit_enabled flag before performing the actual call. * audit_syscalls_enabled flag before performing the actual call.
*/ */
#define AUDITING_TD(td) ((td)->td_pflags & TDP_AUDITREC) #define AUDITING_TD(td) ((td)->td_pflags & TDP_AUDITREC)
#define AUDIT_ARG_ADDR(addr) do { \ #define AUDIT_ARG_ADDR(addr) do { \
if (AUDITING_TD(curthread)) \ if (AUDITING_TD(curthread)) \
audit_arg_addr((addr)); \ audit_arg_addr((addr)); \
} while (0) } while (0)
▲ Show 20 LinesShow All 213 Lines▼ Show 20 Lines
} while (0) } while (0)
#define AUDIT_ARG_VNODE2(vp) do { \ #define AUDIT_ARG_VNODE2(vp) do { \
if (AUDITING_TD(curthread)) \ if (AUDITING_TD(curthread)) \
audit_arg_vnode2((vp)); \ audit_arg_vnode2((vp)); \
} while (0) } while (0)
#define AUDIT_SYSCALL_ENTER(code, td) do { \ #define AUDIT_SYSCALL_ENTER(code, td) do { \
if (audit_enabled) { \ if (audit_syscalls_enabled) { \
audit_syscall_enter(code, td); \ audit_syscall_enter(code, td); \
} \ } \
} while (0) } while (0)
/* /*
* Wrap the audit_syscall_exit() function so that it is called only when * Wrap the audit_syscall_exit() function so that it is called only when
* we have a audit record on the thread. Audit records can persist after * we have a audit record on the thread. Audit records can persist after
* auditing is disabled, so we don't just check audit_enabled here. * auditing is disabled, so we don't just check audit_syscalls_enabled here.
*/ */
#define AUDIT_SYSCALL_EXIT(error, td) do { \ #define AUDIT_SYSCALL_EXIT(error, td) do { \
if (td->td_pflags & TDP_AUDITREC) \ if (td->td_pflags & TDP_AUDITREC) \
audit_syscall_exit(error, td); \ audit_syscall_exit(error, td); \
} while (0) } while (0)
/* /*
* A Macro to wrap the audit_sysclose() function. * A Macro to wrap the audit_sysclose() function.
▲ Show 20 LinesShow All 62 LinesShow Last 20 Lines