353 lines
13 KiB
C
353 lines
13 KiB
C
/*
|
|
* Copyright (c) 2000-2021 Apple Inc. All rights reserved.
|
|
*
|
|
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
|
|
*
|
|
* This file contains Original Code and/or Modifications of Original Code
|
|
* as defined in and that are subject to the Apple Public Source License
|
|
* Version 2.0 (the 'License'). You may not use this file except in
|
|
* compliance with the License. The rights granted to you under the License
|
|
* may not be used to create, or enable the creation or redistribution of,
|
|
* unlawful or unlicensed copies of an Apple operating system, or to
|
|
* circumvent, violate, or enable the circumvention or violation of, any
|
|
* terms of an Apple operating system software license agreement.
|
|
*
|
|
* Please obtain a copy of the License at
|
|
* http://www.opensource.apple.com/apsl/ and read it before using this file.
|
|
*
|
|
* The Original Code and all software distributed under the License are
|
|
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
|
|
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
|
|
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
|
|
* Please see the License for the specific language governing rights and
|
|
* limitations under the License.
|
|
*
|
|
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
|
|
*/
|
|
/* Copyright (c) 1998, 1999 Apple Computer, Inc. All Rights Reserved */
|
|
/*!
|
|
* @header kern_event.h
|
|
* This header defines in-kernel functions for generating kernel events as
|
|
* well as functions for receiving kernel events using a kernel event
|
|
* socket.
|
|
*/
|
|
|
|
#ifndef SYS_KERN_EVENT_H
|
|
#define SYS_KERN_EVENT_H
|
|
|
|
#include <sys/appleapiopts.h>
|
|
#include <sys/ioccom.h>
|
|
#include <sys/sys_domain.h>
|
|
|
|
#define KEV_SNDSPACE (4 * 1024)
|
|
#define KEV_RECVSPACE (32 * 1024)
|
|
|
|
#define KEV_ANY_VENDOR 0
|
|
#define KEV_ANY_CLASS 0
|
|
#define KEV_ANY_SUBCLASS 0
|
|
|
|
/*
|
|
* Vendor Code
|
|
*/
|
|
|
|
/*!
|
|
* @defined KEV_VENDOR_APPLE
|
|
* @discussion Apple generated kernel events use the hard coded vendor code
|
|
* value of 1. Third party kernel events use a dynamically allocated vendor
|
|
* code. The vendor code can be found using the SIOCGKEVVENDOR ioctl.
|
|
*/
|
|
#define KEV_VENDOR_APPLE 1
|
|
|
|
/*
|
|
* Definition of top-level classifications for KEV_VENDOR_APPLE
|
|
*/
|
|
|
|
/*!
|
|
* @defined KEV_NETWORK_CLASS
|
|
* @discussion Network kernel event class.
|
|
*/
|
|
#define KEV_NETWORK_CLASS 1
|
|
|
|
/*!
|
|
* @defined KEV_IOKIT_CLASS
|
|
* @discussion IOKit kernel event class.
|
|
*/
|
|
#define KEV_IOKIT_CLASS 2
|
|
|
|
/*!
|
|
* @defined KEV_SYSTEM_CLASS
|
|
* @discussion System kernel event class.
|
|
*/
|
|
#define KEV_SYSTEM_CLASS 3
|
|
|
|
/*!
|
|
* @defined KEV_APPLESHARE_CLASS
|
|
* @discussion AppleShare kernel event class.
|
|
*/
|
|
#define KEV_APPLESHARE_CLASS 4
|
|
|
|
/*!
|
|
* @defined KEV_FIREWALL_CLASS
|
|
* @discussion Firewall kernel event class.
|
|
*/
|
|
#define KEV_FIREWALL_CLASS 5
|
|
|
|
/*!
|
|
* @defined KEV_IEEE80211_CLASS
|
|
* @discussion IEEE 802.11 kernel event class.
|
|
*/
|
|
#define KEV_IEEE80211_CLASS 6
|
|
|
|
/*!
|
|
* @defined KEV_NKE_CLASS
|
|
* @discussion NKE kernel event class.
|
|
*/
|
|
#define KEV_NKE_CLASS 7
|
|
|
|
#define KEV_NKE_ALF_SUBCLASS 1
|
|
#define KEV_NKE_ALF_STATE_CHANGED 1
|
|
|
|
/*
|
|
* The following struct is KPI, but it was originally defined with a trailing
|
|
* array member of size one, intended to be used as a Variable-Length Array.
|
|
* That's problematic because the compiler doesn't know that the array is
|
|
* accessed out-of-bounds and can assume it isn't. This makes
|
|
* -Warray-bounds-pointer-arithmetic sad. We can't just change the code because
|
|
* it requires users to also change their uses of the class, at a minimum
|
|
* because kern_event_msg's size changes when making the last member a VLA. This
|
|
* macro allows users of this KPI to opt-in to the new behavior.
|
|
*/
|
|
#if defined(XNU_KERN_EVENT_DATA_IS_VLA)
|
|
#define XNU_KERN_EVENT_DATA_SIZE /* nothing, it's a VLA */
|
|
#else
|
|
#define XNU_KERN_EVENT_DATA_SIZE 1
|
|
#endif
|
|
|
|
/*!
|
|
* @struct kern_event_msg
|
|
* @discussion This structure is prepended to all kernel events. This
|
|
* structure is used to determine the format of the remainder of
|
|
* the kernel event. This structure will appear on all messages
|
|
* received on a kernel event socket. To post a kernel event, a
|
|
* slightly different structure is used.
|
|
* @field total_size Total size of the kernel event message including the
|
|
* header.
|
|
* @field vendor_code The vendor code indicates which vendor generated the
|
|
* kernel event. This gives every vendor a unique set of classes
|
|
* and subclasses to use. Use the SIOCGKEVVENDOR ioctl to look up
|
|
* vendor codes for vendors other than Apple. Apple uses
|
|
* KEV_VENDOR_APPLE.
|
|
* @field kev_class The class of the kernel event.
|
|
* @field kev_subclass The subclass of the kernel event.
|
|
* @field id Monotonically increasing value.
|
|
* @field event_code The event code.
|
|
* @field event_data Any additional data about this event. Format will
|
|
* depend on the vendor_code, kev_class, kev_subclass, and
|
|
* event_code. The length of the event_data can be determined
|
|
* using total_size - KEV_MSG_HEADER_SIZE.
|
|
*/
|
|
struct kern_event_msg {
|
|
u_int32_t total_size; /* Size of entire event msg */
|
|
u_int32_t vendor_code; /* For non-Apple extensibility */
|
|
u_int32_t kev_class; /* Layer of event source */
|
|
u_int32_t kev_subclass; /* Component within layer */
|
|
u_int32_t id; /* Monotonically increasing value */
|
|
u_int32_t event_code; /* unique code */
|
|
u_int32_t event_data[XNU_KERN_EVENT_DATA_SIZE]; /* One or more data words */
|
|
};
|
|
|
|
/*!
|
|
* @defined KEV_MSG_HEADER_SIZE
|
|
* @discussion Size of the header portion of the kern_event_msg structure.
|
|
* This accounts for everything right up to event_data. The size
|
|
* of the data can be found by subtracting KEV_MSG_HEADER_SIZE
|
|
* from the total size from the kern_event_msg.
|
|
*/
|
|
#define KEV_MSG_HEADER_SIZE (offsetof(struct kern_event_msg, event_data[0]))
|
|
|
|
/*!
|
|
* @struct kev_request
|
|
* @discussion This structure is used with the SIOCSKEVFILT and
|
|
* SIOCGKEVFILT to set and get the control filter setting for a
|
|
* kernel control socket.
|
|
* @field total_size Total size of the kernel event message including the
|
|
* header.
|
|
* @field vendor_code All kernel events that don't match this vendor code
|
|
* will be ignored. KEV_ANY_VENDOR can be used to receive kernel
|
|
* events with any vendor code.
|
|
* @field kev_class All kernel events that don't match this class will be
|
|
* ignored. KEV_ANY_CLASS can be used to receive kernel events with
|
|
* any class.
|
|
* @field kev_subclass All kernel events that don't match this subclass
|
|
* will be ignored. KEV_ANY_SUBCLASS can be used to receive kernel
|
|
* events with any subclass.
|
|
*/
|
|
struct kev_request {
|
|
u_int32_t vendor_code;
|
|
u_int32_t kev_class;
|
|
u_int32_t kev_subclass;
|
|
};
|
|
|
|
/*!
|
|
* @defined KEV_VENDOR_CODE_MAX_STR_LEN
|
|
* @discussion This define sets the maximum length of a string that can be
|
|
* used to identify a vendor or kext when looking up a vendor code.
|
|
*/
|
|
#define KEV_VENDOR_CODE_MAX_STR_LEN 200
|
|
|
|
/*!
|
|
* @struct kev_vendor_code
|
|
* @discussion This structure is used with the SIOCGKEVVENDOR ioctl to
|
|
* convert from a string identifying a kext or vendor, in the
|
|
* form of a bundle identifier, to a vendor code.
|
|
* @field vendor_code After making the SIOCGKEVVENDOR ioctl call, this will
|
|
* be filled in with the vendor code if there is one.
|
|
* @field vendor_string A bundle style identifier.
|
|
*/
|
|
#pragma pack(4)
|
|
struct kev_vendor_code {
|
|
u_int32_t vendor_code;
|
|
char vendor_string[KEV_VENDOR_CODE_MAX_STR_LEN];
|
|
};
|
|
#pragma pack()
|
|
|
|
/*!
|
|
* @defined SIOCGKEVID
|
|
* @discussion Retrieve the current event id. Each event generated will
|
|
* have a new id. The next event to be generated will have an id
|
|
* of id+1.
|
|
*/
|
|
#define SIOCGKEVID _IOR('e', 1, u_int32_t)
|
|
|
|
/*!
|
|
* @defined SIOCSKEVFILT
|
|
* @discussion Set the kernel event filter for this socket. Kernel events
|
|
* not matching this filter will not be received on this socket.
|
|
*/
|
|
#define SIOCSKEVFILT _IOW('e', 2, struct kev_request)
|
|
|
|
/*!
|
|
* @defined SIOCGKEVFILT
|
|
* @discussion Retrieve the kernel event filter for this socket. Kernel
|
|
* events not matching this filter will not be received on this
|
|
* socket.
|
|
*/
|
|
#define SIOCGKEVFILT _IOR('e', 3, struct kev_request)
|
|
|
|
/*!
|
|
* @defined SIOCGKEVVENDOR
|
|
* @discussion Lookup the vendor code for the specified vendor. ENOENT will
|
|
* be returned if a vendor code for that vendor string does not
|
|
* exist.
|
|
*/
|
|
#define SIOCGKEVVENDOR _IOWR('e', 4, struct kev_vendor_code)
|
|
|
|
#ifdef PRIVATE
|
|
struct xkevtpcb {
|
|
u_int32_t kep_len;
|
|
u_int32_t kep_kind;
|
|
u_int64_t kep_evtpcb;
|
|
u_int32_t kep_vendor_code_filter;
|
|
u_int32_t kep_class_filter;
|
|
u_int32_t kep_subclass_filter;
|
|
};
|
|
|
|
struct kevtstat {
|
|
u_int64_t kes_pcbcount __attribute__((aligned(8)));
|
|
u_int64_t kes_gencnt __attribute__((aligned(8)));
|
|
u_int64_t kes_badvendor __attribute__((aligned(8)));
|
|
u_int64_t kes_toobig __attribute__((aligned(8)));
|
|
u_int64_t kes_nomem __attribute__((aligned(8)));
|
|
u_int64_t kes_fullsock __attribute__((aligned(8)));
|
|
u_int64_t kes_posted __attribute__((aligned(8)));
|
|
};
|
|
#endif /* PRIVATE */
|
|
|
|
#ifdef KERNEL
|
|
/*!
|
|
* @define N_KEV_VECTORS
|
|
* @discussion The maximum number of kev_d_vectors for a kernel event.
|
|
*/
|
|
#define N_KEV_VECTORS 5
|
|
|
|
/*!
|
|
* @struct kev_d_vectors
|
|
* @discussion This structure is used to append some data to a kernel
|
|
* event.
|
|
* @field data_length The length of data.
|
|
* @field data_ptr A pointer to data.
|
|
*/
|
|
struct kev_d_vectors {
|
|
u_int32_t data_length; /* Length of the event data */
|
|
void *data_ptr; /* Pointer to event data */
|
|
};
|
|
|
|
/*!
|
|
* @struct kev_msg
|
|
* @discussion This structure is used when posting a kernel event.
|
|
* @field vendor_code The vendor code assigned by kev_vendor_code_find.
|
|
* @field kev_class The event's class.
|
|
* @field kev_class The event's subclass.
|
|
* @field kev_class The event's code.
|
|
* @field dv An array of vectors describing additional data to be appended
|
|
* to the kernel event.
|
|
*/
|
|
struct kev_msg {
|
|
u_int32_t vendor_code; /* For non-Apple extensibility */
|
|
u_int32_t kev_class; /* Layer of event source */
|
|
u_int32_t kev_subclass; /* Component within layer */
|
|
u_int32_t event_code; /* The event code */
|
|
struct kev_d_vectors dv[N_KEV_VECTORS]; /* Up to n data vectors */
|
|
};
|
|
|
|
/*!
|
|
* @function kev_vendor_code_find
|
|
* @discussion Lookup a vendor_code given a unique string. If the vendor
|
|
* code has not been used since launch, a unique integer will be
|
|
* assigned for that string. Vendor codes will remain the same
|
|
* until the machine is rebooted.
|
|
* @param vendor_string A bundle style vendor identifier(i.e. com.apple).
|
|
* @param vendor_code Upon return, a unique vendor code for use when
|
|
* posting kernel events.
|
|
* @result May return ENOMEM if memory constraints prevent allocation of a
|
|
* new vendor code.
|
|
*/
|
|
errno_t kev_vendor_code_find(const char *vendor_string, u_int32_t *vendor_code);
|
|
|
|
/*!
|
|
* @function kev_msg_post
|
|
* @discussion Post a kernel event message.
|
|
* @param event_msg A structure defining the kernel event message to post.
|
|
* @result Will return zero upon success. May return a number of errors
|
|
* depending on the type of failure. EINVAL indicates that there
|
|
* was something wrong with the kerne event. The vendor code of
|
|
* the kernel event must be assigned using kev_vendor_code_find.
|
|
* If the message is too large, EMSGSIZE will be returned.
|
|
*/
|
|
errno_t kev_msg_post(struct kev_msg *event_msg);
|
|
|
|
#ifdef PRIVATE
|
|
/*
|
|
* Internal version of kev_msg_post. Allows posting Apple vendor code kernel
|
|
* events.
|
|
*/
|
|
int kev_post_msg(struct kev_msg *event);
|
|
int kev_post_msg_nowait(struct kev_msg *event);
|
|
|
|
LIST_HEAD(kern_event_head, kern_event_pcb);
|
|
|
|
struct kern_event_pcb {
|
|
decl_lck_mtx_data(, evp_mtx); /* per-socket mutex */
|
|
LIST_ENTRY(kern_event_pcb) evp_link; /* glue on list of all PCBs */
|
|
struct socket *evp_socket; /* pointer back to socket */
|
|
u_int32_t evp_vendor_code_filter;
|
|
u_int32_t evp_class_filter;
|
|
u_int32_t evp_subclass_filter;
|
|
};
|
|
|
|
#define sotoevpcb(so) ((struct kern_event_pcb *)((so)->so_pcb))
|
|
|
|
#endif /* PRIVATE */
|
|
#endif /* KERNEL */
|
|
#endif /* SYS_KERN_EVENT_H */
|