tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v3.19-rc1 550 lines 17 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <uapi/linux/audit.h> 29 30struct audit_sig_info { 31 uid_t uid; 32 pid_t pid; 33 char ctx[0]; 34}; 35 36struct audit_buffer; 37struct audit_context; 38struct inode; 39struct netlink_skb_parms; 40struct path; 41struct linux_binprm; 42struct mq_attr; 43struct mqstat; 44struct audit_watch; 45struct audit_tree; 46struct sk_buff; 47 48struct audit_krule { 49 int vers_ops; 50 u32 flags; 51 u32 listnr; 52 u32 action; 53 u32 mask[AUDIT_BITMASK_SIZE]; 54 u32 buflen; /* for data alloc on list rules */ 55 u32 field_count; 56 char *filterkey; /* ties events to rules */ 57 struct audit_field *fields; 58 struct audit_field *arch_f; /* quick access to arch field */ 59 struct audit_field *inode_f; /* quick access to an inode field */ 60 struct audit_watch *watch; /* associated watch */ 61 struct audit_tree *tree; /* associated watched tree */ 62 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 63 struct list_head list; /* for AUDIT_LIST* purposes only */ 64 u64 prio; 65}; 66 67struct audit_field { 68 u32 type; 69 union { 70 u32 val; 71 kuid_t uid; 72 kgid_t gid; 73 struct { 74 char *lsm_str; 75 void *lsm_rule; 76 }; 77 }; 78 u32 op; 79}; 80 81extern int is_audit_feature_set(int which); 82 83extern int __init audit_register_class(int class, unsigned *list); 84extern int audit_classify_syscall(int abi, unsigned syscall); 85extern int audit_classify_arch(int arch); 86/* only for compat system calls */ 87extern unsigned compat_write_class[]; 88extern unsigned compat_read_class[]; 89extern unsigned compat_dir_class[]; 90extern unsigned compat_chattr_class[]; 91extern unsigned compat_signal_class[]; 92 93extern int audit_classify_compat_syscall(int abi, unsigned syscall); 94 95/* audit_names->type values */ 96#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 97#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 98#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 99#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 100#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 101 102/* maximized args number that audit_socketcall can process */ 103#define AUDITSC_ARGS 6 104 105struct filename; 106 107extern void audit_log_session_info(struct audit_buffer *ab); 108 109#ifdef CONFIG_AUDIT_COMPAT_GENERIC 110#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 111#else 112#define audit_is_compat(arch) false 113#endif 114 115#ifdef CONFIG_AUDITSYSCALL 116#include <asm/syscall.h> /* for syscall_get_arch() */ 117 118/* These are defined in auditsc.c */ 119 /* Public API */ 120extern int audit_alloc(struct task_struct *task); 121extern void __audit_free(struct task_struct *task); 122extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 123 unsigned long a2, unsigned long a3); 124extern void __audit_syscall_exit(int ret_success, long ret_value); 125extern struct filename *__audit_reusename(const __user char *uptr); 126extern void __audit_getname(struct filename *name); 127extern void audit_putname(struct filename *name); 128 129#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 130#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 131extern void __audit_inode(struct filename *name, const struct dentry *dentry, 132 unsigned int flags); 133extern void __audit_file(const struct file *); 134extern void __audit_inode_child(const struct inode *parent, 135 const struct dentry *dentry, 136 const unsigned char type); 137extern void __audit_seccomp(unsigned long syscall, long signr, int code); 138extern void __audit_ptrace(struct task_struct *t); 139 140static inline int audit_dummy_context(void) 141{ 142 void *p = current->audit_context; 143 return !p || *(int *)p; 144} 145static inline void audit_free(struct task_struct *task) 146{ 147 if (unlikely(task->audit_context)) 148 __audit_free(task); 149} 150static inline void audit_syscall_entry(int major, unsigned long a0, 151 unsigned long a1, unsigned long a2, 152 unsigned long a3) 153{ 154 if (unlikely(current->audit_context)) 155 __audit_syscall_entry(major, a0, a1, a2, a3); 156} 157static inline void audit_syscall_exit(void *pt_regs) 158{ 159 if (unlikely(current->audit_context)) { 160 int success = is_syscall_success(pt_regs); 161 long return_code = regs_return_value(pt_regs); 162 163 __audit_syscall_exit(success, return_code); 164 } 165} 166static inline struct filename *audit_reusename(const __user char *name) 167{ 168 if (unlikely(!audit_dummy_context())) 169 return __audit_reusename(name); 170 return NULL; 171} 172static inline void audit_getname(struct filename *name) 173{ 174 if (unlikely(!audit_dummy_context())) 175 __audit_getname(name); 176} 177static inline void audit_inode(struct filename *name, 178 const struct dentry *dentry, 179 unsigned int parent) { 180 if (unlikely(!audit_dummy_context())) { 181 unsigned int flags = 0; 182 if (parent) 183 flags |= AUDIT_INODE_PARENT; 184 __audit_inode(name, dentry, flags); 185 } 186} 187static inline void audit_file(struct file *file) 188{ 189 if (unlikely(!audit_dummy_context())) 190 __audit_file(file); 191} 192static inline void audit_inode_parent_hidden(struct filename *name, 193 const struct dentry *dentry) 194{ 195 if (unlikely(!audit_dummy_context())) 196 __audit_inode(name, dentry, 197 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 198} 199static inline void audit_inode_child(const struct inode *parent, 200 const struct dentry *dentry, 201 const unsigned char type) { 202 if (unlikely(!audit_dummy_context())) 203 __audit_inode_child(parent, dentry, type); 204} 205void audit_core_dumps(long signr); 206 207static inline void audit_seccomp(unsigned long syscall, long signr, int code) 208{ 209 /* Force a record to be reported if a signal was delivered. */ 210 if (signr || unlikely(!audit_dummy_context())) 211 __audit_seccomp(syscall, signr, code); 212} 213 214static inline void audit_ptrace(struct task_struct *t) 215{ 216 if (unlikely(!audit_dummy_context())) 217 __audit_ptrace(t); 218} 219 220 /* Private API (for audit.c only) */ 221extern unsigned int audit_serial(void); 222extern int auditsc_get_stamp(struct audit_context *ctx, 223 struct timespec *t, unsigned int *serial); 224extern int audit_set_loginuid(kuid_t loginuid); 225 226static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 227{ 228 return tsk->loginuid; 229} 230 231static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 232{ 233 return tsk->sessionid; 234} 235 236extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 237extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 238extern void __audit_bprm(struct linux_binprm *bprm); 239extern int __audit_socketcall(int nargs, unsigned long *args); 240extern int __audit_sockaddr(int len, void *addr); 241extern void __audit_fd_pair(int fd1, int fd2); 242extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 243extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); 244extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 245extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 246extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 247 const struct cred *new, 248 const struct cred *old); 249extern void __audit_log_capset(const struct cred *new, const struct cred *old); 250extern void __audit_mmap_fd(int fd, int flags); 251 252static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 253{ 254 if (unlikely(!audit_dummy_context())) 255 __audit_ipc_obj(ipcp); 256} 257static inline void audit_fd_pair(int fd1, int fd2) 258{ 259 if (unlikely(!audit_dummy_context())) 260 __audit_fd_pair(fd1, fd2); 261} 262static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 263{ 264 if (unlikely(!audit_dummy_context())) 265 __audit_ipc_set_perm(qbytes, uid, gid, mode); 266} 267static inline void audit_bprm(struct linux_binprm *bprm) 268{ 269 if (unlikely(!audit_dummy_context())) 270 __audit_bprm(bprm); 271} 272static inline int audit_socketcall(int nargs, unsigned long *args) 273{ 274 if (unlikely(!audit_dummy_context())) 275 return __audit_socketcall(nargs, args); 276 return 0; 277} 278static inline int audit_sockaddr(int len, void *addr) 279{ 280 if (unlikely(!audit_dummy_context())) 281 return __audit_sockaddr(len, addr); 282 return 0; 283} 284static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 285{ 286 if (unlikely(!audit_dummy_context())) 287 __audit_mq_open(oflag, mode, attr); 288} 289static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) 290{ 291 if (unlikely(!audit_dummy_context())) 292 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 293} 294static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 295{ 296 if (unlikely(!audit_dummy_context())) 297 __audit_mq_notify(mqdes, notification); 298} 299static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 300{ 301 if (unlikely(!audit_dummy_context())) 302 __audit_mq_getsetattr(mqdes, mqstat); 303} 304 305static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 306 const struct cred *new, 307 const struct cred *old) 308{ 309 if (unlikely(!audit_dummy_context())) 310 return __audit_log_bprm_fcaps(bprm, new, old); 311 return 0; 312} 313 314static inline void audit_log_capset(const struct cred *new, 315 const struct cred *old) 316{ 317 if (unlikely(!audit_dummy_context())) 318 __audit_log_capset(new, old); 319} 320 321static inline void audit_mmap_fd(int fd, int flags) 322{ 323 if (unlikely(!audit_dummy_context())) 324 __audit_mmap_fd(fd, flags); 325} 326 327extern int audit_n_rules; 328extern int audit_signals; 329#else /* CONFIG_AUDITSYSCALL */ 330static inline int audit_alloc(struct task_struct *task) 331{ 332 return 0; 333} 334static inline void audit_free(struct task_struct *task) 335{ } 336static inline void audit_syscall_entry(int major, unsigned long a0, 337 unsigned long a1, unsigned long a2, 338 unsigned long a3) 339{ } 340static inline void audit_syscall_exit(void *pt_regs) 341{ } 342static inline int audit_dummy_context(void) 343{ 344 return 1; 345} 346static inline struct filename *audit_reusename(const __user char *name) 347{ 348 return NULL; 349} 350static inline void audit_getname(struct filename *name) 351{ } 352static inline void audit_putname(struct filename *name) 353{ } 354static inline void __audit_inode(struct filename *name, 355 const struct dentry *dentry, 356 unsigned int flags) 357{ } 358static inline void __audit_inode_child(const struct inode *parent, 359 const struct dentry *dentry, 360 const unsigned char type) 361{ } 362static inline void audit_inode(struct filename *name, 363 const struct dentry *dentry, 364 unsigned int parent) 365{ } 366static inline void audit_file(struct file *file) 367{ 368} 369static inline void audit_inode_parent_hidden(struct filename *name, 370 const struct dentry *dentry) 371{ } 372static inline void audit_inode_child(const struct inode *parent, 373 const struct dentry *dentry, 374 const unsigned char type) 375{ } 376static inline void audit_core_dumps(long signr) 377{ } 378static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 379{ } 380static inline void audit_seccomp(unsigned long syscall, long signr, int code) 381{ } 382static inline int auditsc_get_stamp(struct audit_context *ctx, 383 struct timespec *t, unsigned int *serial) 384{ 385 return 0; 386} 387static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 388{ 389 return INVALID_UID; 390} 391static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 392{ 393 return -1; 394} 395static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 396{ } 397static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 398 gid_t gid, umode_t mode) 399{ } 400static inline void audit_bprm(struct linux_binprm *bprm) 401{ } 402static inline int audit_socketcall(int nargs, unsigned long *args) 403{ 404 return 0; 405} 406static inline void audit_fd_pair(int fd1, int fd2) 407{ } 408static inline int audit_sockaddr(int len, void *addr) 409{ 410 return 0; 411} 412static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 413{ } 414static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 415 unsigned int msg_prio, 416 const struct timespec *abs_timeout) 417{ } 418static inline void audit_mq_notify(mqd_t mqdes, 419 const struct sigevent *notification) 420{ } 421static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 422{ } 423static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 424 const struct cred *new, 425 const struct cred *old) 426{ 427 return 0; 428} 429static inline void audit_log_capset(const struct cred *new, 430 const struct cred *old) 431{ } 432static inline void audit_mmap_fd(int fd, int flags) 433{ } 434static inline void audit_ptrace(struct task_struct *t) 435{ } 436#define audit_n_rules 0 437#define audit_signals 0 438#endif /* CONFIG_AUDITSYSCALL */ 439 440static inline bool audit_loginuid_set(struct task_struct *tsk) 441{ 442 return uid_valid(audit_get_loginuid(tsk)); 443} 444 445#ifdef CONFIG_AUDIT 446/* These are defined in audit.c */ 447 /* Public API */ 448extern __printf(4, 5) 449void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 450 const char *fmt, ...); 451 452extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 453extern __printf(2, 3) 454void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 455extern void audit_log_end(struct audit_buffer *ab); 456extern int audit_string_contains_control(const char *string, 457 size_t len); 458extern void audit_log_n_hex(struct audit_buffer *ab, 459 const unsigned char *buf, 460 size_t len); 461extern void audit_log_n_string(struct audit_buffer *ab, 462 const char *buf, 463 size_t n); 464extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 465 const char *string, 466 size_t n); 467extern void audit_log_untrustedstring(struct audit_buffer *ab, 468 const char *string); 469extern void audit_log_d_path(struct audit_buffer *ab, 470 const char *prefix, 471 const struct path *path); 472extern void audit_log_key(struct audit_buffer *ab, 473 char *key); 474extern void audit_log_link_denied(const char *operation, 475 struct path *link); 476extern void audit_log_lost(const char *message); 477#ifdef CONFIG_SECURITY 478extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); 479#else 480static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 481{ } 482#endif 483 484extern int audit_log_task_context(struct audit_buffer *ab); 485extern void audit_log_task_info(struct audit_buffer *ab, 486 struct task_struct *tsk); 487 488extern int audit_update_lsm_rules(void); 489 490 /* Private API (for audit.c only) */ 491extern int audit_filter_user(int type); 492extern int audit_filter_type(int type); 493extern int audit_rule_change(int type, __u32 portid, int seq, 494 void *data, size_t datasz); 495extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 496 497extern u32 audit_enabled; 498#else /* CONFIG_AUDIT */ 499static inline __printf(4, 5) 500void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 501 const char *fmt, ...) 502{ } 503static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 504 gfp_t gfp_mask, int type) 505{ 506 return NULL; 507} 508static inline __printf(2, 3) 509void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 510{ } 511static inline void audit_log_end(struct audit_buffer *ab) 512{ } 513static inline void audit_log_n_hex(struct audit_buffer *ab, 514 const unsigned char *buf, size_t len) 515{ } 516static inline void audit_log_n_string(struct audit_buffer *ab, 517 const char *buf, size_t n) 518{ } 519static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 520 const char *string, size_t n) 521{ } 522static inline void audit_log_untrustedstring(struct audit_buffer *ab, 523 const char *string) 524{ } 525static inline void audit_log_d_path(struct audit_buffer *ab, 526 const char *prefix, 527 const struct path *path) 528{ } 529static inline void audit_log_key(struct audit_buffer *ab, char *key) 530{ } 531static inline void audit_log_link_denied(const char *string, 532 const struct path *link) 533{ } 534static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 535{ } 536static inline int audit_log_task_context(struct audit_buffer *ab) 537{ 538 return 0; 539} 540static inline void audit_log_task_info(struct audit_buffer *ab, 541 struct task_struct *tsk) 542{ } 543#define audit_enabled 0 544#endif /* CONFIG_AUDIT */ 545static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 546{ 547 audit_log_n_string(ab, buf, strlen(buf)); 548} 549 550#endif