tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v3.10 16 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <uapi/linux/audit.h> 29 30struct audit_sig_info { 31 uid_t uid; 32 pid_t pid; 33 char ctx[0]; 34}; 35 36struct audit_buffer; 37struct audit_context; 38struct inode; 39struct netlink_skb_parms; 40struct path; 41struct linux_binprm; 42struct mq_attr; 43struct mqstat; 44struct audit_watch; 45struct audit_tree; 46 47struct audit_krule { 48 int vers_ops; 49 u32 flags; 50 u32 listnr; 51 u32 action; 52 u32 mask[AUDIT_BITMASK_SIZE]; 53 u32 buflen; /* for data alloc on list rules */ 54 u32 field_count; 55 char *filterkey; /* ties events to rules */ 56 struct audit_field *fields; 57 struct audit_field *arch_f; /* quick access to arch field */ 58 struct audit_field *inode_f; /* quick access to an inode field */ 59 struct audit_watch *watch; /* associated watch */ 60 struct audit_tree *tree; /* associated watched tree */ 61 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 62 struct list_head list; /* for AUDIT_LIST* purposes only */ 63 u64 prio; 64}; 65 66struct audit_field { 67 u32 type; 68 u32 val; 69 kuid_t uid; 70 kgid_t gid; 71 u32 op; 72 char *lsm_str; 73 void *lsm_rule; 74}; 75 76extern int __init audit_register_class(int class, unsigned *list); 77extern int audit_classify_syscall(int abi, unsigned syscall); 78extern int audit_classify_arch(int arch); 79 80/* audit_names->type values */ 81#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 82#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 83#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 84#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 85#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 86 87/* maximized args number that audit_socketcall can process */ 88#define AUDITSC_ARGS 6 89 90struct filename; 91 92extern void audit_log_session_info(struct audit_buffer *ab); 93 94#ifdef CONFIG_AUDITSYSCALL 95/* These are defined in auditsc.c */ 96 /* Public API */ 97extern int audit_alloc(struct task_struct *task); 98extern void __audit_free(struct task_struct *task); 99extern void __audit_syscall_entry(int arch, 100 int major, unsigned long a0, unsigned long a1, 101 unsigned long a2, unsigned long a3); 102extern void __audit_syscall_exit(int ret_success, long ret_value); 103extern struct filename *__audit_reusename(const __user char *uptr); 104extern void __audit_getname(struct filename *name); 105extern void audit_putname(struct filename *name); 106extern void __audit_inode(struct filename *name, const struct dentry *dentry, 107 unsigned int parent); 108extern void __audit_inode_child(const struct inode *parent, 109 const struct dentry *dentry, 110 const unsigned char type); 111extern void __audit_seccomp(unsigned long syscall, long signr, int code); 112extern void __audit_ptrace(struct task_struct *t); 113 114static inline int audit_dummy_context(void) 115{ 116 void *p = current->audit_context; 117 return !p || *(int *)p; 118} 119static inline void audit_free(struct task_struct *task) 120{ 121 if (unlikely(task->audit_context)) 122 __audit_free(task); 123} 124static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 125 unsigned long a1, unsigned long a2, 126 unsigned long a3) 127{ 128 if (unlikely(current->audit_context)) 129 __audit_syscall_entry(arch, major, a0, a1, a2, a3); 130} 131static inline void audit_syscall_exit(void *pt_regs) 132{ 133 if (unlikely(current->audit_context)) { 134 int success = is_syscall_success(pt_regs); 135 int return_code = regs_return_value(pt_regs); 136 137 __audit_syscall_exit(success, return_code); 138 } 139} 140static inline struct filename *audit_reusename(const __user char *name) 141{ 142 if (unlikely(!audit_dummy_context())) 143 return __audit_reusename(name); 144 return NULL; 145} 146static inline void audit_getname(struct filename *name) 147{ 148 if (unlikely(!audit_dummy_context())) 149 __audit_getname(name); 150} 151static inline void audit_inode(struct filename *name, const struct dentry *dentry, 152 unsigned int parent) { 153 if (unlikely(!audit_dummy_context())) 154 __audit_inode(name, dentry, parent); 155} 156static inline void audit_inode_child(const struct inode *parent, 157 const struct dentry *dentry, 158 const unsigned char type) { 159 if (unlikely(!audit_dummy_context())) 160 __audit_inode_child(parent, dentry, type); 161} 162void audit_core_dumps(long signr); 163 164static inline void audit_seccomp(unsigned long syscall, long signr, int code) 165{ 166 /* Force a record to be reported if a signal was delivered. */ 167 if (signr || unlikely(!audit_dummy_context())) 168 __audit_seccomp(syscall, signr, code); 169} 170 171static inline void audit_ptrace(struct task_struct *t) 172{ 173 if (unlikely(!audit_dummy_context())) 174 __audit_ptrace(t); 175} 176 177 /* Private API (for audit.c only) */ 178extern unsigned int audit_serial(void); 179extern int auditsc_get_stamp(struct audit_context *ctx, 180 struct timespec *t, unsigned int *serial); 181extern int audit_set_loginuid(kuid_t loginuid); 182 183static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 184{ 185 return tsk->loginuid; 186} 187 188static inline int audit_get_sessionid(struct task_struct *tsk) 189{ 190 return tsk->sessionid; 191} 192 193extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 194extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 195extern int __audit_bprm(struct linux_binprm *bprm); 196extern int __audit_socketcall(int nargs, unsigned long *args); 197extern int __audit_sockaddr(int len, void *addr); 198extern void __audit_fd_pair(int fd1, int fd2); 199extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 200extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); 201extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 202extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 203extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 204 const struct cred *new, 205 const struct cred *old); 206extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); 207extern void __audit_mmap_fd(int fd, int flags); 208 209static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 210{ 211 if (unlikely(!audit_dummy_context())) 212 __audit_ipc_obj(ipcp); 213} 214static inline void audit_fd_pair(int fd1, int fd2) 215{ 216 if (unlikely(!audit_dummy_context())) 217 __audit_fd_pair(fd1, fd2); 218} 219static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 220{ 221 if (unlikely(!audit_dummy_context())) 222 __audit_ipc_set_perm(qbytes, uid, gid, mode); 223} 224static inline int audit_bprm(struct linux_binprm *bprm) 225{ 226 if (unlikely(!audit_dummy_context())) 227 return __audit_bprm(bprm); 228 return 0; 229} 230static inline int audit_socketcall(int nargs, unsigned long *args) 231{ 232 if (unlikely(!audit_dummy_context())) 233 return __audit_socketcall(nargs, args); 234 return 0; 235} 236static inline int audit_sockaddr(int len, void *addr) 237{ 238 if (unlikely(!audit_dummy_context())) 239 return __audit_sockaddr(len, addr); 240 return 0; 241} 242static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 243{ 244 if (unlikely(!audit_dummy_context())) 245 __audit_mq_open(oflag, mode, attr); 246} 247static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) 248{ 249 if (unlikely(!audit_dummy_context())) 250 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 251} 252static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 253{ 254 if (unlikely(!audit_dummy_context())) 255 __audit_mq_notify(mqdes, notification); 256} 257static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 258{ 259 if (unlikely(!audit_dummy_context())) 260 __audit_mq_getsetattr(mqdes, mqstat); 261} 262 263static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 264 const struct cred *new, 265 const struct cred *old) 266{ 267 if (unlikely(!audit_dummy_context())) 268 return __audit_log_bprm_fcaps(bprm, new, old); 269 return 0; 270} 271 272static inline void audit_log_capset(pid_t pid, const struct cred *new, 273 const struct cred *old) 274{ 275 if (unlikely(!audit_dummy_context())) 276 __audit_log_capset(pid, new, old); 277} 278 279static inline void audit_mmap_fd(int fd, int flags) 280{ 281 if (unlikely(!audit_dummy_context())) 282 __audit_mmap_fd(fd, flags); 283} 284 285extern int audit_n_rules; 286extern int audit_signals; 287#else /* CONFIG_AUDITSYSCALL */ 288static inline int audit_alloc(struct task_struct *task) 289{ 290 return 0; 291} 292static inline void audit_free(struct task_struct *task) 293{ } 294static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 295 unsigned long a1, unsigned long a2, 296 unsigned long a3) 297{ } 298static inline void audit_syscall_exit(void *pt_regs) 299{ } 300static inline int audit_dummy_context(void) 301{ 302 return 1; 303} 304static inline struct filename *audit_reusename(const __user char *name) 305{ 306 return NULL; 307} 308static inline void audit_getname(struct filename *name) 309{ } 310static inline void audit_putname(struct filename *name) 311{ } 312static inline void __audit_inode(struct filename *name, 313 const struct dentry *dentry, 314 unsigned int parent) 315{ } 316static inline void __audit_inode_child(const struct inode *parent, 317 const struct dentry *dentry, 318 const unsigned char type) 319{ } 320static inline void audit_inode(struct filename *name, 321 const struct dentry *dentry, 322 unsigned int parent) 323{ } 324static inline void audit_inode_child(const struct inode *parent, 325 const struct dentry *dentry, 326 const unsigned char type) 327{ } 328static inline void audit_core_dumps(long signr) 329{ } 330static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 331{ } 332static inline void audit_seccomp(unsigned long syscall, long signr, int code) 333{ } 334static inline int auditsc_get_stamp(struct audit_context *ctx, 335 struct timespec *t, unsigned int *serial) 336{ 337 return 0; 338} 339static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 340{ 341 return INVALID_UID; 342} 343static inline int audit_get_sessionid(struct task_struct *tsk) 344{ 345 return -1; 346} 347static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 348{ } 349static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 350 gid_t gid, umode_t mode) 351{ } 352static inline int audit_bprm(struct linux_binprm *bprm) 353{ 354 return 0; 355} 356static inline int audit_socketcall(int nargs, unsigned long *args) 357{ 358 return 0; 359} 360static inline void audit_fd_pair(int fd1, int fd2) 361{ } 362static inline int audit_sockaddr(int len, void *addr) 363{ 364 return 0; 365} 366static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 367{ } 368static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 369 unsigned int msg_prio, 370 const struct timespec *abs_timeout) 371{ } 372static inline void audit_mq_notify(mqd_t mqdes, 373 const struct sigevent *notification) 374{ } 375static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 376{ } 377static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 378 const struct cred *new, 379 const struct cred *old) 380{ 381 return 0; 382} 383static inline void audit_log_capset(pid_t pid, const struct cred *new, 384 const struct cred *old) 385{ } 386static inline void audit_mmap_fd(int fd, int flags) 387{ } 388static inline void audit_ptrace(struct task_struct *t) 389{ } 390#define audit_n_rules 0 391#define audit_signals 0 392#endif /* CONFIG_AUDITSYSCALL */ 393 394static inline bool audit_loginuid_set(struct task_struct *tsk) 395{ 396 return uid_valid(audit_get_loginuid(tsk)); 397} 398 399#ifdef CONFIG_AUDIT 400/* These are defined in audit.c */ 401 /* Public API */ 402extern __printf(4, 5) 403void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 404 const char *fmt, ...); 405 406extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 407extern __printf(2, 3) 408void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 409extern void audit_log_end(struct audit_buffer *ab); 410extern int audit_string_contains_control(const char *string, 411 size_t len); 412extern void audit_log_n_hex(struct audit_buffer *ab, 413 const unsigned char *buf, 414 size_t len); 415extern void audit_log_n_string(struct audit_buffer *ab, 416 const char *buf, 417 size_t n); 418extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 419 const char *string, 420 size_t n); 421extern void audit_log_untrustedstring(struct audit_buffer *ab, 422 const char *string); 423extern void audit_log_d_path(struct audit_buffer *ab, 424 const char *prefix, 425 const struct path *path); 426extern void audit_log_key(struct audit_buffer *ab, 427 char *key); 428extern void audit_log_link_denied(const char *operation, 429 struct path *link); 430extern void audit_log_lost(const char *message); 431#ifdef CONFIG_SECURITY 432extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); 433#else 434static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 435{ } 436#endif 437 438extern int audit_log_task_context(struct audit_buffer *ab); 439extern void audit_log_task_info(struct audit_buffer *ab, 440 struct task_struct *tsk); 441 442extern int audit_update_lsm_rules(void); 443 444 /* Private API (for audit.c only) */ 445extern int audit_filter_user(int type); 446extern int audit_filter_type(int type); 447extern int audit_receive_filter(int type, int pid, int seq, 448 void *data, size_t datasz); 449extern int audit_enabled; 450#else /* CONFIG_AUDIT */ 451static inline __printf(4, 5) 452void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 453 const char *fmt, ...) 454{ } 455static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 456 gfp_t gfp_mask, int type) 457{ 458 return NULL; 459} 460static inline __printf(2, 3) 461void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 462{ } 463static inline void audit_log_end(struct audit_buffer *ab) 464{ } 465static inline void audit_log_n_hex(struct audit_buffer *ab, 466 const unsigned char *buf, size_t len) 467{ } 468static inline void audit_log_n_string(struct audit_buffer *ab, 469 const char *buf, size_t n) 470{ } 471static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 472 const char *string, size_t n) 473{ } 474static inline void audit_log_untrustedstring(struct audit_buffer *ab, 475 const char *string) 476{ } 477static inline void audit_log_d_path(struct audit_buffer *ab, 478 const char *prefix, 479 const struct path *path) 480{ } 481static inline void audit_log_key(struct audit_buffer *ab, char *key) 482{ } 483static inline void audit_log_link_denied(const char *string, 484 const struct path *link) 485{ } 486static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 487{ } 488static inline int audit_log_task_context(struct audit_buffer *ab) 489{ 490 return 0; 491} 492static inline void audit_log_task_info(struct audit_buffer *ab, 493 struct task_struct *tsk) 494{ } 495#define audit_enabled 0 496#endif /* CONFIG_AUDIT */ 497static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 498{ 499 audit_log_n_string(ab, buf, strlen(buf)); 500} 501 502#endif