tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v3.15 17 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <uapi/linux/audit.h> 29 30struct audit_sig_info { 31 uid_t uid; 32 pid_t pid; 33 char ctx[0]; 34}; 35 36struct audit_buffer; 37struct audit_context; 38struct inode; 39struct netlink_skb_parms; 40struct path; 41struct linux_binprm; 42struct mq_attr; 43struct mqstat; 44struct audit_watch; 45struct audit_tree; 46struct sk_buff; 47 48struct audit_krule { 49 int vers_ops; 50 u32 flags; 51 u32 listnr; 52 u32 action; 53 u32 mask[AUDIT_BITMASK_SIZE]; 54 u32 buflen; /* for data alloc on list rules */ 55 u32 field_count; 56 char *filterkey; /* ties events to rules */ 57 struct audit_field *fields; 58 struct audit_field *arch_f; /* quick access to arch field */ 59 struct audit_field *inode_f; /* quick access to an inode field */ 60 struct audit_watch *watch; /* associated watch */ 61 struct audit_tree *tree; /* associated watched tree */ 62 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 63 struct list_head list; /* for AUDIT_LIST* purposes only */ 64 u64 prio; 65}; 66 67struct audit_field { 68 u32 type; 69 u32 val; 70 kuid_t uid; 71 kgid_t gid; 72 u32 op; 73 char *lsm_str; 74 void *lsm_rule; 75}; 76 77extern int is_audit_feature_set(int which); 78 79extern int __init audit_register_class(int class, unsigned *list); 80extern int audit_classify_syscall(int abi, unsigned syscall); 81extern int audit_classify_arch(int arch); 82/* only for compat system calls */ 83extern unsigned compat_write_class[]; 84extern unsigned compat_read_class[]; 85extern unsigned compat_dir_class[]; 86extern unsigned compat_chattr_class[]; 87extern unsigned compat_signal_class[]; 88 89extern int __weak audit_classify_compat_syscall(int abi, unsigned syscall); 90 91/* audit_names->type values */ 92#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 93#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 94#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 95#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 96#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 97 98/* maximized args number that audit_socketcall can process */ 99#define AUDITSC_ARGS 6 100 101struct filename; 102 103extern void audit_log_session_info(struct audit_buffer *ab); 104 105#ifdef CONFIG_AUDIT_COMPAT_GENERIC 106#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 107#else 108#define audit_is_compat(arch) false 109#endif 110 111#ifdef CONFIG_AUDITSYSCALL 112/* These are defined in auditsc.c */ 113 /* Public API */ 114extern int audit_alloc(struct task_struct *task); 115extern void __audit_free(struct task_struct *task); 116extern void __audit_syscall_entry(int arch, 117 int major, unsigned long a0, unsigned long a1, 118 unsigned long a2, unsigned long a3); 119extern void __audit_syscall_exit(int ret_success, long ret_value); 120extern struct filename *__audit_reusename(const __user char *uptr); 121extern void __audit_getname(struct filename *name); 122extern void audit_putname(struct filename *name); 123 124#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 125#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 126extern void __audit_inode(struct filename *name, const struct dentry *dentry, 127 unsigned int flags); 128extern void __audit_inode_child(const struct inode *parent, 129 const struct dentry *dentry, 130 const unsigned char type); 131extern void __audit_seccomp(unsigned long syscall, long signr, int code); 132extern void __audit_ptrace(struct task_struct *t); 133 134static inline int audit_dummy_context(void) 135{ 136 void *p = current->audit_context; 137 return !p || *(int *)p; 138} 139static inline void audit_free(struct task_struct *task) 140{ 141 if (unlikely(task->audit_context)) 142 __audit_free(task); 143} 144static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 145 unsigned long a1, unsigned long a2, 146 unsigned long a3) 147{ 148 if (unlikely(current->audit_context)) 149 __audit_syscall_entry(arch, major, a0, a1, a2, a3); 150} 151static inline void audit_syscall_exit(void *pt_regs) 152{ 153 if (unlikely(current->audit_context)) { 154 int success = is_syscall_success(pt_regs); 155 long return_code = regs_return_value(pt_regs); 156 157 __audit_syscall_exit(success, return_code); 158 } 159} 160static inline struct filename *audit_reusename(const __user char *name) 161{ 162 if (unlikely(!audit_dummy_context())) 163 return __audit_reusename(name); 164 return NULL; 165} 166static inline void audit_getname(struct filename *name) 167{ 168 if (unlikely(!audit_dummy_context())) 169 __audit_getname(name); 170} 171static inline void audit_inode(struct filename *name, 172 const struct dentry *dentry, 173 unsigned int parent) { 174 if (unlikely(!audit_dummy_context())) { 175 unsigned int flags = 0; 176 if (parent) 177 flags |= AUDIT_INODE_PARENT; 178 __audit_inode(name, dentry, flags); 179 } 180} 181static inline void audit_inode_parent_hidden(struct filename *name, 182 const struct dentry *dentry) 183{ 184 if (unlikely(!audit_dummy_context())) 185 __audit_inode(name, dentry, 186 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 187} 188static inline void audit_inode_child(const struct inode *parent, 189 const struct dentry *dentry, 190 const unsigned char type) { 191 if (unlikely(!audit_dummy_context())) 192 __audit_inode_child(parent, dentry, type); 193} 194void audit_core_dumps(long signr); 195 196static inline void audit_seccomp(unsigned long syscall, long signr, int code) 197{ 198 /* Force a record to be reported if a signal was delivered. */ 199 if (signr || unlikely(!audit_dummy_context())) 200 __audit_seccomp(syscall, signr, code); 201} 202 203static inline void audit_ptrace(struct task_struct *t) 204{ 205 if (unlikely(!audit_dummy_context())) 206 __audit_ptrace(t); 207} 208 209 /* Private API (for audit.c only) */ 210extern unsigned int audit_serial(void); 211extern int auditsc_get_stamp(struct audit_context *ctx, 212 struct timespec *t, unsigned int *serial); 213extern int audit_set_loginuid(kuid_t loginuid); 214 215static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 216{ 217 return tsk->loginuid; 218} 219 220static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 221{ 222 return tsk->sessionid; 223} 224 225extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 226extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 227extern void __audit_bprm(struct linux_binprm *bprm); 228extern int __audit_socketcall(int nargs, unsigned long *args); 229extern int __audit_sockaddr(int len, void *addr); 230extern void __audit_fd_pair(int fd1, int fd2); 231extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 232extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); 233extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 234extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 235extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 236 const struct cred *new, 237 const struct cred *old); 238extern void __audit_log_capset(const struct cred *new, const struct cred *old); 239extern void __audit_mmap_fd(int fd, int flags); 240 241static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 242{ 243 if (unlikely(!audit_dummy_context())) 244 __audit_ipc_obj(ipcp); 245} 246static inline void audit_fd_pair(int fd1, int fd2) 247{ 248 if (unlikely(!audit_dummy_context())) 249 __audit_fd_pair(fd1, fd2); 250} 251static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 252{ 253 if (unlikely(!audit_dummy_context())) 254 __audit_ipc_set_perm(qbytes, uid, gid, mode); 255} 256static inline void audit_bprm(struct linux_binprm *bprm) 257{ 258 if (unlikely(!audit_dummy_context())) 259 __audit_bprm(bprm); 260} 261static inline int audit_socketcall(int nargs, unsigned long *args) 262{ 263 if (unlikely(!audit_dummy_context())) 264 return __audit_socketcall(nargs, args); 265 return 0; 266} 267static inline int audit_sockaddr(int len, void *addr) 268{ 269 if (unlikely(!audit_dummy_context())) 270 return __audit_sockaddr(len, addr); 271 return 0; 272} 273static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 274{ 275 if (unlikely(!audit_dummy_context())) 276 __audit_mq_open(oflag, mode, attr); 277} 278static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) 279{ 280 if (unlikely(!audit_dummy_context())) 281 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 282} 283static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 284{ 285 if (unlikely(!audit_dummy_context())) 286 __audit_mq_notify(mqdes, notification); 287} 288static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 289{ 290 if (unlikely(!audit_dummy_context())) 291 __audit_mq_getsetattr(mqdes, mqstat); 292} 293 294static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 295 const struct cred *new, 296 const struct cred *old) 297{ 298 if (unlikely(!audit_dummy_context())) 299 return __audit_log_bprm_fcaps(bprm, new, old); 300 return 0; 301} 302 303static inline void audit_log_capset(const struct cred *new, 304 const struct cred *old) 305{ 306 if (unlikely(!audit_dummy_context())) 307 __audit_log_capset(new, old); 308} 309 310static inline void audit_mmap_fd(int fd, int flags) 311{ 312 if (unlikely(!audit_dummy_context())) 313 __audit_mmap_fd(fd, flags); 314} 315 316extern int audit_n_rules; 317extern int audit_signals; 318#else /* CONFIG_AUDITSYSCALL */ 319static inline int audit_alloc(struct task_struct *task) 320{ 321 return 0; 322} 323static inline void audit_free(struct task_struct *task) 324{ } 325static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 326 unsigned long a1, unsigned long a2, 327 unsigned long a3) 328{ } 329static inline void audit_syscall_exit(void *pt_regs) 330{ } 331static inline int audit_dummy_context(void) 332{ 333 return 1; 334} 335static inline struct filename *audit_reusename(const __user char *name) 336{ 337 return NULL; 338} 339static inline void audit_getname(struct filename *name) 340{ } 341static inline void audit_putname(struct filename *name) 342{ } 343static inline void __audit_inode(struct filename *name, 344 const struct dentry *dentry, 345 unsigned int flags) 346{ } 347static inline void __audit_inode_child(const struct inode *parent, 348 const struct dentry *dentry, 349 const unsigned char type) 350{ } 351static inline void audit_inode(struct filename *name, 352 const struct dentry *dentry, 353 unsigned int parent) 354{ } 355static inline void audit_inode_parent_hidden(struct filename *name, 356 const struct dentry *dentry) 357{ } 358static inline void audit_inode_child(const struct inode *parent, 359 const struct dentry *dentry, 360 const unsigned char type) 361{ } 362static inline void audit_core_dumps(long signr) 363{ } 364static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 365{ } 366static inline void audit_seccomp(unsigned long syscall, long signr, int code) 367{ } 368static inline int auditsc_get_stamp(struct audit_context *ctx, 369 struct timespec *t, unsigned int *serial) 370{ 371 return 0; 372} 373static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 374{ 375 return INVALID_UID; 376} 377static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 378{ 379 return -1; 380} 381static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 382{ } 383static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 384 gid_t gid, umode_t mode) 385{ } 386static inline void audit_bprm(struct linux_binprm *bprm) 387{ } 388static inline int audit_socketcall(int nargs, unsigned long *args) 389{ 390 return 0; 391} 392static inline void audit_fd_pair(int fd1, int fd2) 393{ } 394static inline int audit_sockaddr(int len, void *addr) 395{ 396 return 0; 397} 398static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 399{ } 400static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 401 unsigned int msg_prio, 402 const struct timespec *abs_timeout) 403{ } 404static inline void audit_mq_notify(mqd_t mqdes, 405 const struct sigevent *notification) 406{ } 407static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 408{ } 409static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 410 const struct cred *new, 411 const struct cred *old) 412{ 413 return 0; 414} 415static inline void audit_log_capset(const struct cred *new, 416 const struct cred *old) 417{ } 418static inline void audit_mmap_fd(int fd, int flags) 419{ } 420static inline void audit_ptrace(struct task_struct *t) 421{ } 422#define audit_n_rules 0 423#define audit_signals 0 424#endif /* CONFIG_AUDITSYSCALL */ 425 426static inline bool audit_loginuid_set(struct task_struct *tsk) 427{ 428 return uid_valid(audit_get_loginuid(tsk)); 429} 430 431#ifdef CONFIG_AUDIT 432/* These are defined in audit.c */ 433 /* Public API */ 434extern __printf(4, 5) 435void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 436 const char *fmt, ...); 437 438extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 439extern __printf(2, 3) 440void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 441extern void audit_log_end(struct audit_buffer *ab); 442extern int audit_string_contains_control(const char *string, 443 size_t len); 444extern void audit_log_n_hex(struct audit_buffer *ab, 445 const unsigned char *buf, 446 size_t len); 447extern void audit_log_n_string(struct audit_buffer *ab, 448 const char *buf, 449 size_t n); 450extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 451 const char *string, 452 size_t n); 453extern void audit_log_untrustedstring(struct audit_buffer *ab, 454 const char *string); 455extern void audit_log_d_path(struct audit_buffer *ab, 456 const char *prefix, 457 const struct path *path); 458extern void audit_log_key(struct audit_buffer *ab, 459 char *key); 460extern void audit_log_link_denied(const char *operation, 461 struct path *link); 462extern void audit_log_lost(const char *message); 463#ifdef CONFIG_SECURITY 464extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); 465#else 466static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 467{ } 468#endif 469 470extern int audit_log_task_context(struct audit_buffer *ab); 471extern void audit_log_task_info(struct audit_buffer *ab, 472 struct task_struct *tsk); 473 474extern int audit_update_lsm_rules(void); 475 476 /* Private API (for audit.c only) */ 477extern int audit_filter_user(int type); 478extern int audit_filter_type(int type); 479extern int audit_rule_change(int type, __u32 portid, int seq, 480 void *data, size_t datasz); 481extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 482 483extern u32 audit_enabled; 484#else /* CONFIG_AUDIT */ 485static inline __printf(4, 5) 486void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 487 const char *fmt, ...) 488{ } 489static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 490 gfp_t gfp_mask, int type) 491{ 492 return NULL; 493} 494static inline __printf(2, 3) 495void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 496{ } 497static inline void audit_log_end(struct audit_buffer *ab) 498{ } 499static inline void audit_log_n_hex(struct audit_buffer *ab, 500 const unsigned char *buf, size_t len) 501{ } 502static inline void audit_log_n_string(struct audit_buffer *ab, 503 const char *buf, size_t n) 504{ } 505static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 506 const char *string, size_t n) 507{ } 508static inline void audit_log_untrustedstring(struct audit_buffer *ab, 509 const char *string) 510{ } 511static inline void audit_log_d_path(struct audit_buffer *ab, 512 const char *prefix, 513 const struct path *path) 514{ } 515static inline void audit_log_key(struct audit_buffer *ab, char *key) 516{ } 517static inline void audit_log_link_denied(const char *string, 518 const struct path *link) 519{ } 520static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 521{ } 522static inline int audit_log_task_context(struct audit_buffer *ab) 523{ 524 return 0; 525} 526static inline void audit_log_task_info(struct audit_buffer *ab, 527 struct task_struct *tsk) 528{ } 529#define audit_enabled 0 530#endif /* CONFIG_AUDIT */ 531static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 532{ 533 audit_log_n_string(ab, buf, strlen(buf)); 534} 535 536#endif