tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v3.13 16 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <uapi/linux/audit.h> 29 30struct audit_sig_info { 31 uid_t uid; 32 pid_t pid; 33 char ctx[0]; 34}; 35 36struct audit_buffer; 37struct audit_context; 38struct inode; 39struct netlink_skb_parms; 40struct path; 41struct linux_binprm; 42struct mq_attr; 43struct mqstat; 44struct audit_watch; 45struct audit_tree; 46 47struct audit_krule { 48 int vers_ops; 49 u32 flags; 50 u32 listnr; 51 u32 action; 52 u32 mask[AUDIT_BITMASK_SIZE]; 53 u32 buflen; /* for data alloc on list rules */ 54 u32 field_count; 55 char *filterkey; /* ties events to rules */ 56 struct audit_field *fields; 57 struct audit_field *arch_f; /* quick access to arch field */ 58 struct audit_field *inode_f; /* quick access to an inode field */ 59 struct audit_watch *watch; /* associated watch */ 60 struct audit_tree *tree; /* associated watched tree */ 61 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 62 struct list_head list; /* for AUDIT_LIST* purposes only */ 63 u64 prio; 64}; 65 66struct audit_field { 67 u32 type; 68 u32 val; 69 kuid_t uid; 70 kgid_t gid; 71 u32 op; 72 char *lsm_str; 73 void *lsm_rule; 74}; 75 76extern int is_audit_feature_set(int which); 77 78extern int __init audit_register_class(int class, unsigned *list); 79extern int audit_classify_syscall(int abi, unsigned syscall); 80extern int audit_classify_arch(int arch); 81 82/* audit_names->type values */ 83#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 84#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 85#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 86#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 87#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 88 89/* maximized args number that audit_socketcall can process */ 90#define AUDITSC_ARGS 6 91 92struct filename; 93 94extern void audit_log_session_info(struct audit_buffer *ab); 95 96#ifdef CONFIG_AUDITSYSCALL 97/* These are defined in auditsc.c */ 98 /* Public API */ 99extern int audit_alloc(struct task_struct *task); 100extern void __audit_free(struct task_struct *task); 101extern void __audit_syscall_entry(int arch, 102 int major, unsigned long a0, unsigned long a1, 103 unsigned long a2, unsigned long a3); 104extern void __audit_syscall_exit(int ret_success, long ret_value); 105extern struct filename *__audit_reusename(const __user char *uptr); 106extern void __audit_getname(struct filename *name); 107extern void audit_putname(struct filename *name); 108 109#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 110#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 111extern void __audit_inode(struct filename *name, const struct dentry *dentry, 112 unsigned int flags); 113extern void __audit_inode_child(const struct inode *parent, 114 const struct dentry *dentry, 115 const unsigned char type); 116extern void __audit_seccomp(unsigned long syscall, long signr, int code); 117extern void __audit_ptrace(struct task_struct *t); 118 119static inline int audit_dummy_context(void) 120{ 121 void *p = current->audit_context; 122 return !p || *(int *)p; 123} 124static inline void audit_free(struct task_struct *task) 125{ 126 if (unlikely(task->audit_context)) 127 __audit_free(task); 128} 129static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 130 unsigned long a1, unsigned long a2, 131 unsigned long a3) 132{ 133 if (unlikely(current->audit_context)) 134 __audit_syscall_entry(arch, major, a0, a1, a2, a3); 135} 136static inline void audit_syscall_exit(void *pt_regs) 137{ 138 if (unlikely(current->audit_context)) { 139 int success = is_syscall_success(pt_regs); 140 int return_code = regs_return_value(pt_regs); 141 142 __audit_syscall_exit(success, return_code); 143 } 144} 145static inline struct filename *audit_reusename(const __user char *name) 146{ 147 if (unlikely(!audit_dummy_context())) 148 return __audit_reusename(name); 149 return NULL; 150} 151static inline void audit_getname(struct filename *name) 152{ 153 if (unlikely(!audit_dummy_context())) 154 __audit_getname(name); 155} 156static inline void audit_inode(struct filename *name, 157 const struct dentry *dentry, 158 unsigned int parent) { 159 if (unlikely(!audit_dummy_context())) { 160 unsigned int flags = 0; 161 if (parent) 162 flags |= AUDIT_INODE_PARENT; 163 __audit_inode(name, dentry, flags); 164 } 165} 166static inline void audit_inode_parent_hidden(struct filename *name, 167 const struct dentry *dentry) 168{ 169 if (unlikely(!audit_dummy_context())) 170 __audit_inode(name, dentry, 171 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 172} 173static inline void audit_inode_child(const struct inode *parent, 174 const struct dentry *dentry, 175 const unsigned char type) { 176 if (unlikely(!audit_dummy_context())) 177 __audit_inode_child(parent, dentry, type); 178} 179void audit_core_dumps(long signr); 180 181static inline void audit_seccomp(unsigned long syscall, long signr, int code) 182{ 183 /* Force a record to be reported if a signal was delivered. */ 184 if (signr || unlikely(!audit_dummy_context())) 185 __audit_seccomp(syscall, signr, code); 186} 187 188static inline void audit_ptrace(struct task_struct *t) 189{ 190 if (unlikely(!audit_dummy_context())) 191 __audit_ptrace(t); 192} 193 194 /* Private API (for audit.c only) */ 195extern unsigned int audit_serial(void); 196extern int auditsc_get_stamp(struct audit_context *ctx, 197 struct timespec *t, unsigned int *serial); 198extern int audit_set_loginuid(kuid_t loginuid); 199 200static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 201{ 202 return tsk->loginuid; 203} 204 205static inline int audit_get_sessionid(struct task_struct *tsk) 206{ 207 return tsk->sessionid; 208} 209 210extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 211extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 212extern void __audit_bprm(struct linux_binprm *bprm); 213extern int __audit_socketcall(int nargs, unsigned long *args); 214extern int __audit_sockaddr(int len, void *addr); 215extern void __audit_fd_pair(int fd1, int fd2); 216extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 217extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); 218extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 219extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 220extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 221 const struct cred *new, 222 const struct cred *old); 223extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); 224extern void __audit_mmap_fd(int fd, int flags); 225 226static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 227{ 228 if (unlikely(!audit_dummy_context())) 229 __audit_ipc_obj(ipcp); 230} 231static inline void audit_fd_pair(int fd1, int fd2) 232{ 233 if (unlikely(!audit_dummy_context())) 234 __audit_fd_pair(fd1, fd2); 235} 236static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 237{ 238 if (unlikely(!audit_dummy_context())) 239 __audit_ipc_set_perm(qbytes, uid, gid, mode); 240} 241static inline void audit_bprm(struct linux_binprm *bprm) 242{ 243 if (unlikely(!audit_dummy_context())) 244 __audit_bprm(bprm); 245} 246static inline int audit_socketcall(int nargs, unsigned long *args) 247{ 248 if (unlikely(!audit_dummy_context())) 249 return __audit_socketcall(nargs, args); 250 return 0; 251} 252static inline int audit_sockaddr(int len, void *addr) 253{ 254 if (unlikely(!audit_dummy_context())) 255 return __audit_sockaddr(len, addr); 256 return 0; 257} 258static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 259{ 260 if (unlikely(!audit_dummy_context())) 261 __audit_mq_open(oflag, mode, attr); 262} 263static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) 264{ 265 if (unlikely(!audit_dummy_context())) 266 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 267} 268static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 269{ 270 if (unlikely(!audit_dummy_context())) 271 __audit_mq_notify(mqdes, notification); 272} 273static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 274{ 275 if (unlikely(!audit_dummy_context())) 276 __audit_mq_getsetattr(mqdes, mqstat); 277} 278 279static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 280 const struct cred *new, 281 const struct cred *old) 282{ 283 if (unlikely(!audit_dummy_context())) 284 return __audit_log_bprm_fcaps(bprm, new, old); 285 return 0; 286} 287 288static inline void audit_log_capset(pid_t pid, const struct cred *new, 289 const struct cred *old) 290{ 291 if (unlikely(!audit_dummy_context())) 292 __audit_log_capset(pid, new, old); 293} 294 295static inline void audit_mmap_fd(int fd, int flags) 296{ 297 if (unlikely(!audit_dummy_context())) 298 __audit_mmap_fd(fd, flags); 299} 300 301extern int audit_n_rules; 302extern int audit_signals; 303#else /* CONFIG_AUDITSYSCALL */ 304static inline int audit_alloc(struct task_struct *task) 305{ 306 return 0; 307} 308static inline void audit_free(struct task_struct *task) 309{ } 310static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 311 unsigned long a1, unsigned long a2, 312 unsigned long a3) 313{ } 314static inline void audit_syscall_exit(void *pt_regs) 315{ } 316static inline int audit_dummy_context(void) 317{ 318 return 1; 319} 320static inline struct filename *audit_reusename(const __user char *name) 321{ 322 return NULL; 323} 324static inline void audit_getname(struct filename *name) 325{ } 326static inline void audit_putname(struct filename *name) 327{ } 328static inline void __audit_inode(struct filename *name, 329 const struct dentry *dentry, 330 unsigned int flags) 331{ } 332static inline void __audit_inode_child(const struct inode *parent, 333 const struct dentry *dentry, 334 const unsigned char type) 335{ } 336static inline void audit_inode(struct filename *name, 337 const struct dentry *dentry, 338 unsigned int parent) 339{ } 340static inline void audit_inode_parent_hidden(struct filename *name, 341 const struct dentry *dentry) 342{ } 343static inline void audit_inode_child(const struct inode *parent, 344 const struct dentry *dentry, 345 const unsigned char type) 346{ } 347static inline void audit_core_dumps(long signr) 348{ } 349static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 350{ } 351static inline void audit_seccomp(unsigned long syscall, long signr, int code) 352{ } 353static inline int auditsc_get_stamp(struct audit_context *ctx, 354 struct timespec *t, unsigned int *serial) 355{ 356 return 0; 357} 358static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 359{ 360 return INVALID_UID; 361} 362static inline int audit_get_sessionid(struct task_struct *tsk) 363{ 364 return -1; 365} 366static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 367{ } 368static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 369 gid_t gid, umode_t mode) 370{ } 371static inline void audit_bprm(struct linux_binprm *bprm) 372{ } 373static inline int audit_socketcall(int nargs, unsigned long *args) 374{ 375 return 0; 376} 377static inline void audit_fd_pair(int fd1, int fd2) 378{ } 379static inline int audit_sockaddr(int len, void *addr) 380{ 381 return 0; 382} 383static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 384{ } 385static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 386 unsigned int msg_prio, 387 const struct timespec *abs_timeout) 388{ } 389static inline void audit_mq_notify(mqd_t mqdes, 390 const struct sigevent *notification) 391{ } 392static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 393{ } 394static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 395 const struct cred *new, 396 const struct cred *old) 397{ 398 return 0; 399} 400static inline void audit_log_capset(pid_t pid, const struct cred *new, 401 const struct cred *old) 402{ } 403static inline void audit_mmap_fd(int fd, int flags) 404{ } 405static inline void audit_ptrace(struct task_struct *t) 406{ } 407#define audit_n_rules 0 408#define audit_signals 0 409#endif /* CONFIG_AUDITSYSCALL */ 410 411static inline bool audit_loginuid_set(struct task_struct *tsk) 412{ 413 return uid_valid(audit_get_loginuid(tsk)); 414} 415 416#ifdef CONFIG_AUDIT 417/* These are defined in audit.c */ 418 /* Public API */ 419extern __printf(4, 5) 420void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 421 const char *fmt, ...); 422 423extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 424extern __printf(2, 3) 425void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 426extern void audit_log_end(struct audit_buffer *ab); 427extern int audit_string_contains_control(const char *string, 428 size_t len); 429extern void audit_log_n_hex(struct audit_buffer *ab, 430 const unsigned char *buf, 431 size_t len); 432extern void audit_log_n_string(struct audit_buffer *ab, 433 const char *buf, 434 size_t n); 435extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 436 const char *string, 437 size_t n); 438extern void audit_log_untrustedstring(struct audit_buffer *ab, 439 const char *string); 440extern void audit_log_d_path(struct audit_buffer *ab, 441 const char *prefix, 442 const struct path *path); 443extern void audit_log_key(struct audit_buffer *ab, 444 char *key); 445extern void audit_log_link_denied(const char *operation, 446 struct path *link); 447extern void audit_log_lost(const char *message); 448#ifdef CONFIG_SECURITY 449extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); 450#else 451static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 452{ } 453#endif 454 455extern int audit_log_task_context(struct audit_buffer *ab); 456extern void audit_log_task_info(struct audit_buffer *ab, 457 struct task_struct *tsk); 458 459extern int audit_update_lsm_rules(void); 460 461 /* Private API (for audit.c only) */ 462extern int audit_filter_user(int type); 463extern int audit_filter_type(int type); 464extern int audit_receive_filter(int type, int pid, int seq, 465 void *data, size_t datasz); 466extern int audit_enabled; 467#else /* CONFIG_AUDIT */ 468static inline __printf(4, 5) 469void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 470 const char *fmt, ...) 471{ } 472static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 473 gfp_t gfp_mask, int type) 474{ 475 return NULL; 476} 477static inline __printf(2, 3) 478void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 479{ } 480static inline void audit_log_end(struct audit_buffer *ab) 481{ } 482static inline void audit_log_n_hex(struct audit_buffer *ab, 483 const unsigned char *buf, size_t len) 484{ } 485static inline void audit_log_n_string(struct audit_buffer *ab, 486 const char *buf, size_t n) 487{ } 488static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 489 const char *string, size_t n) 490{ } 491static inline void audit_log_untrustedstring(struct audit_buffer *ab, 492 const char *string) 493{ } 494static inline void audit_log_d_path(struct audit_buffer *ab, 495 const char *prefix, 496 const struct path *path) 497{ } 498static inline void audit_log_key(struct audit_buffer *ab, char *key) 499{ } 500static inline void audit_log_link_denied(const char *string, 501 const struct path *link) 502{ } 503static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 504{ } 505static inline int audit_log_task_context(struct audit_buffer *ab) 506{ 507 return 0; 508} 509static inline void audit_log_task_info(struct audit_buffer *ab, 510 struct task_struct *tsk) 511{ } 512#define audit_enabled 0 513#endif /* CONFIG_AUDIT */ 514static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 515{ 516 audit_log_n_string(ab, buf, strlen(buf)); 517} 518 519#endif