tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v3.14 16 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <uapi/linux/audit.h> 29 30struct audit_sig_info { 31 uid_t uid; 32 pid_t pid; 33 char ctx[0]; 34}; 35 36struct audit_buffer; 37struct audit_context; 38struct inode; 39struct netlink_skb_parms; 40struct path; 41struct linux_binprm; 42struct mq_attr; 43struct mqstat; 44struct audit_watch; 45struct audit_tree; 46struct sk_buff; 47 48struct audit_krule { 49 int vers_ops; 50 u32 flags; 51 u32 listnr; 52 u32 action; 53 u32 mask[AUDIT_BITMASK_SIZE]; 54 u32 buflen; /* for data alloc on list rules */ 55 u32 field_count; 56 char *filterkey; /* ties events to rules */ 57 struct audit_field *fields; 58 struct audit_field *arch_f; /* quick access to arch field */ 59 struct audit_field *inode_f; /* quick access to an inode field */ 60 struct audit_watch *watch; /* associated watch */ 61 struct audit_tree *tree; /* associated watched tree */ 62 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 63 struct list_head list; /* for AUDIT_LIST* purposes only */ 64 u64 prio; 65}; 66 67struct audit_field { 68 u32 type; 69 u32 val; 70 kuid_t uid; 71 kgid_t gid; 72 u32 op; 73 char *lsm_str; 74 void *lsm_rule; 75}; 76 77extern int is_audit_feature_set(int which); 78 79extern int __init audit_register_class(int class, unsigned *list); 80extern int audit_classify_syscall(int abi, unsigned syscall); 81extern int audit_classify_arch(int arch); 82 83/* audit_names->type values */ 84#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 85#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 86#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 87#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 88#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 89 90/* maximized args number that audit_socketcall can process */ 91#define AUDITSC_ARGS 6 92 93struct filename; 94 95extern void audit_log_session_info(struct audit_buffer *ab); 96 97#ifdef CONFIG_AUDITSYSCALL 98/* These are defined in auditsc.c */ 99 /* Public API */ 100extern int audit_alloc(struct task_struct *task); 101extern void __audit_free(struct task_struct *task); 102extern void __audit_syscall_entry(int arch, 103 int major, unsigned long a0, unsigned long a1, 104 unsigned long a2, unsigned long a3); 105extern void __audit_syscall_exit(int ret_success, long ret_value); 106extern struct filename *__audit_reusename(const __user char *uptr); 107extern void __audit_getname(struct filename *name); 108extern void audit_putname(struct filename *name); 109 110#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 111#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 112extern void __audit_inode(struct filename *name, const struct dentry *dentry, 113 unsigned int flags); 114extern void __audit_inode_child(const struct inode *parent, 115 const struct dentry *dentry, 116 const unsigned char type); 117extern void __audit_seccomp(unsigned long syscall, long signr, int code); 118extern void __audit_ptrace(struct task_struct *t); 119 120static inline int audit_dummy_context(void) 121{ 122 void *p = current->audit_context; 123 return !p || *(int *)p; 124} 125static inline void audit_free(struct task_struct *task) 126{ 127 if (unlikely(task->audit_context)) 128 __audit_free(task); 129} 130static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 131 unsigned long a1, unsigned long a2, 132 unsigned long a3) 133{ 134 if (unlikely(current->audit_context)) 135 __audit_syscall_entry(arch, major, a0, a1, a2, a3); 136} 137static inline void audit_syscall_exit(void *pt_regs) 138{ 139 if (unlikely(current->audit_context)) { 140 int success = is_syscall_success(pt_regs); 141 long return_code = regs_return_value(pt_regs); 142 143 __audit_syscall_exit(success, return_code); 144 } 145} 146static inline struct filename *audit_reusename(const __user char *name) 147{ 148 if (unlikely(!audit_dummy_context())) 149 return __audit_reusename(name); 150 return NULL; 151} 152static inline void audit_getname(struct filename *name) 153{ 154 if (unlikely(!audit_dummy_context())) 155 __audit_getname(name); 156} 157static inline void audit_inode(struct filename *name, 158 const struct dentry *dentry, 159 unsigned int parent) { 160 if (unlikely(!audit_dummy_context())) { 161 unsigned int flags = 0; 162 if (parent) 163 flags |= AUDIT_INODE_PARENT; 164 __audit_inode(name, dentry, flags); 165 } 166} 167static inline void audit_inode_parent_hidden(struct filename *name, 168 const struct dentry *dentry) 169{ 170 if (unlikely(!audit_dummy_context())) 171 __audit_inode(name, dentry, 172 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 173} 174static inline void audit_inode_child(const struct inode *parent, 175 const struct dentry *dentry, 176 const unsigned char type) { 177 if (unlikely(!audit_dummy_context())) 178 __audit_inode_child(parent, dentry, type); 179} 180void audit_core_dumps(long signr); 181 182static inline void audit_seccomp(unsigned long syscall, long signr, int code) 183{ 184 /* Force a record to be reported if a signal was delivered. */ 185 if (signr || unlikely(!audit_dummy_context())) 186 __audit_seccomp(syscall, signr, code); 187} 188 189static inline void audit_ptrace(struct task_struct *t) 190{ 191 if (unlikely(!audit_dummy_context())) 192 __audit_ptrace(t); 193} 194 195 /* Private API (for audit.c only) */ 196extern unsigned int audit_serial(void); 197extern int auditsc_get_stamp(struct audit_context *ctx, 198 struct timespec *t, unsigned int *serial); 199extern int audit_set_loginuid(kuid_t loginuid); 200 201static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 202{ 203 return tsk->loginuid; 204} 205 206static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 207{ 208 return tsk->sessionid; 209} 210 211extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 212extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 213extern void __audit_bprm(struct linux_binprm *bprm); 214extern int __audit_socketcall(int nargs, unsigned long *args); 215extern int __audit_sockaddr(int len, void *addr); 216extern void __audit_fd_pair(int fd1, int fd2); 217extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 218extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); 219extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 220extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 221extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 222 const struct cred *new, 223 const struct cred *old); 224extern void __audit_log_capset(const struct cred *new, const struct cred *old); 225extern void __audit_mmap_fd(int fd, int flags); 226 227static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 228{ 229 if (unlikely(!audit_dummy_context())) 230 __audit_ipc_obj(ipcp); 231} 232static inline void audit_fd_pair(int fd1, int fd2) 233{ 234 if (unlikely(!audit_dummy_context())) 235 __audit_fd_pair(fd1, fd2); 236} 237static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 238{ 239 if (unlikely(!audit_dummy_context())) 240 __audit_ipc_set_perm(qbytes, uid, gid, mode); 241} 242static inline void audit_bprm(struct linux_binprm *bprm) 243{ 244 if (unlikely(!audit_dummy_context())) 245 __audit_bprm(bprm); 246} 247static inline int audit_socketcall(int nargs, unsigned long *args) 248{ 249 if (unlikely(!audit_dummy_context())) 250 return __audit_socketcall(nargs, args); 251 return 0; 252} 253static inline int audit_sockaddr(int len, void *addr) 254{ 255 if (unlikely(!audit_dummy_context())) 256 return __audit_sockaddr(len, addr); 257 return 0; 258} 259static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 260{ 261 if (unlikely(!audit_dummy_context())) 262 __audit_mq_open(oflag, mode, attr); 263} 264static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) 265{ 266 if (unlikely(!audit_dummy_context())) 267 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 268} 269static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 270{ 271 if (unlikely(!audit_dummy_context())) 272 __audit_mq_notify(mqdes, notification); 273} 274static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 275{ 276 if (unlikely(!audit_dummy_context())) 277 __audit_mq_getsetattr(mqdes, mqstat); 278} 279 280static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 281 const struct cred *new, 282 const struct cred *old) 283{ 284 if (unlikely(!audit_dummy_context())) 285 return __audit_log_bprm_fcaps(bprm, new, old); 286 return 0; 287} 288 289static inline void audit_log_capset(const struct cred *new, 290 const struct cred *old) 291{ 292 if (unlikely(!audit_dummy_context())) 293 __audit_log_capset(new, old); 294} 295 296static inline void audit_mmap_fd(int fd, int flags) 297{ 298 if (unlikely(!audit_dummy_context())) 299 __audit_mmap_fd(fd, flags); 300} 301 302extern int audit_n_rules; 303extern int audit_signals; 304#else /* CONFIG_AUDITSYSCALL */ 305static inline int audit_alloc(struct task_struct *task) 306{ 307 return 0; 308} 309static inline void audit_free(struct task_struct *task) 310{ } 311static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 312 unsigned long a1, unsigned long a2, 313 unsigned long a3) 314{ } 315static inline void audit_syscall_exit(void *pt_regs) 316{ } 317static inline int audit_dummy_context(void) 318{ 319 return 1; 320} 321static inline struct filename *audit_reusename(const __user char *name) 322{ 323 return NULL; 324} 325static inline void audit_getname(struct filename *name) 326{ } 327static inline void audit_putname(struct filename *name) 328{ } 329static inline void __audit_inode(struct filename *name, 330 const struct dentry *dentry, 331 unsigned int flags) 332{ } 333static inline void __audit_inode_child(const struct inode *parent, 334 const struct dentry *dentry, 335 const unsigned char type) 336{ } 337static inline void audit_inode(struct filename *name, 338 const struct dentry *dentry, 339 unsigned int parent) 340{ } 341static inline void audit_inode_parent_hidden(struct filename *name, 342 const struct dentry *dentry) 343{ } 344static inline void audit_inode_child(const struct inode *parent, 345 const struct dentry *dentry, 346 const unsigned char type) 347{ } 348static inline void audit_core_dumps(long signr) 349{ } 350static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 351{ } 352static inline void audit_seccomp(unsigned long syscall, long signr, int code) 353{ } 354static inline int auditsc_get_stamp(struct audit_context *ctx, 355 struct timespec *t, unsigned int *serial) 356{ 357 return 0; 358} 359static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 360{ 361 return INVALID_UID; 362} 363static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 364{ 365 return -1; 366} 367static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 368{ } 369static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 370 gid_t gid, umode_t mode) 371{ } 372static inline void audit_bprm(struct linux_binprm *bprm) 373{ } 374static inline int audit_socketcall(int nargs, unsigned long *args) 375{ 376 return 0; 377} 378static inline void audit_fd_pair(int fd1, int fd2) 379{ } 380static inline int audit_sockaddr(int len, void *addr) 381{ 382 return 0; 383} 384static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 385{ } 386static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 387 unsigned int msg_prio, 388 const struct timespec *abs_timeout) 389{ } 390static inline void audit_mq_notify(mqd_t mqdes, 391 const struct sigevent *notification) 392{ } 393static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 394{ } 395static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 396 const struct cred *new, 397 const struct cred *old) 398{ 399 return 0; 400} 401static inline void audit_log_capset(const struct cred *new, 402 const struct cred *old) 403{ } 404static inline void audit_mmap_fd(int fd, int flags) 405{ } 406static inline void audit_ptrace(struct task_struct *t) 407{ } 408#define audit_n_rules 0 409#define audit_signals 0 410#endif /* CONFIG_AUDITSYSCALL */ 411 412static inline bool audit_loginuid_set(struct task_struct *tsk) 413{ 414 return uid_valid(audit_get_loginuid(tsk)); 415} 416 417#ifdef CONFIG_AUDIT 418/* These are defined in audit.c */ 419 /* Public API */ 420extern __printf(4, 5) 421void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 422 const char *fmt, ...); 423 424extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 425extern __printf(2, 3) 426void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 427extern void audit_log_end(struct audit_buffer *ab); 428extern int audit_string_contains_control(const char *string, 429 size_t len); 430extern void audit_log_n_hex(struct audit_buffer *ab, 431 const unsigned char *buf, 432 size_t len); 433extern void audit_log_n_string(struct audit_buffer *ab, 434 const char *buf, 435 size_t n); 436extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 437 const char *string, 438 size_t n); 439extern void audit_log_untrustedstring(struct audit_buffer *ab, 440 const char *string); 441extern void audit_log_d_path(struct audit_buffer *ab, 442 const char *prefix, 443 const struct path *path); 444extern void audit_log_key(struct audit_buffer *ab, 445 char *key); 446extern void audit_log_link_denied(const char *operation, 447 struct path *link); 448extern void audit_log_lost(const char *message); 449#ifdef CONFIG_SECURITY 450extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); 451#else 452static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 453{ } 454#endif 455 456extern int audit_log_task_context(struct audit_buffer *ab); 457extern void audit_log_task_info(struct audit_buffer *ab, 458 struct task_struct *tsk); 459 460extern int audit_update_lsm_rules(void); 461 462 /* Private API (for audit.c only) */ 463extern int audit_filter_user(int type); 464extern int audit_filter_type(int type); 465extern int audit_rule_change(int type, __u32 portid, int seq, 466 void *data, size_t datasz); 467extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 468 469extern u32 audit_enabled; 470#else /* CONFIG_AUDIT */ 471static inline __printf(4, 5) 472void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 473 const char *fmt, ...) 474{ } 475static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 476 gfp_t gfp_mask, int type) 477{ 478 return NULL; 479} 480static inline __printf(2, 3) 481void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 482{ } 483static inline void audit_log_end(struct audit_buffer *ab) 484{ } 485static inline void audit_log_n_hex(struct audit_buffer *ab, 486 const unsigned char *buf, size_t len) 487{ } 488static inline void audit_log_n_string(struct audit_buffer *ab, 489 const char *buf, size_t n) 490{ } 491static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 492 const char *string, size_t n) 493{ } 494static inline void audit_log_untrustedstring(struct audit_buffer *ab, 495 const char *string) 496{ } 497static inline void audit_log_d_path(struct audit_buffer *ab, 498 const char *prefix, 499 const struct path *path) 500{ } 501static inline void audit_log_key(struct audit_buffer *ab, char *key) 502{ } 503static inline void audit_log_link_denied(const char *string, 504 const struct path *link) 505{ } 506static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 507{ } 508static inline int audit_log_task_context(struct audit_buffer *ab) 509{ 510 return 0; 511} 512static inline void audit_log_task_info(struct audit_buffer *ab, 513 struct task_struct *tsk) 514{ } 515#define audit_enabled 0 516#endif /* CONFIG_AUDIT */ 517static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 518{ 519 audit_log_n_string(ab, buf, strlen(buf)); 520} 521 522#endif