tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v3.19 17 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <uapi/linux/audit.h> 29 30struct audit_sig_info { 31 uid_t uid; 32 pid_t pid; 33 char ctx[0]; 34}; 35 36struct audit_buffer; 37struct audit_context; 38struct inode; 39struct netlink_skb_parms; 40struct path; 41struct linux_binprm; 42struct mq_attr; 43struct mqstat; 44struct audit_watch; 45struct audit_tree; 46struct sk_buff; 47 48struct audit_krule { 49 int vers_ops; 50 u32 pflags; 51 u32 flags; 52 u32 listnr; 53 u32 action; 54 u32 mask[AUDIT_BITMASK_SIZE]; 55 u32 buflen; /* for data alloc on list rules */ 56 u32 field_count; 57 char *filterkey; /* ties events to rules */ 58 struct audit_field *fields; 59 struct audit_field *arch_f; /* quick access to arch field */ 60 struct audit_field *inode_f; /* quick access to an inode field */ 61 struct audit_watch *watch; /* associated watch */ 62 struct audit_tree *tree; /* associated watched tree */ 63 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 64 struct list_head list; /* for AUDIT_LIST* purposes only */ 65 u64 prio; 66}; 67 68/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 69#define AUDIT_LOGINUID_LEGACY 0x1 70 71struct audit_field { 72 u32 type; 73 union { 74 u32 val; 75 kuid_t uid; 76 kgid_t gid; 77 struct { 78 char *lsm_str; 79 void *lsm_rule; 80 }; 81 }; 82 u32 op; 83}; 84 85extern int is_audit_feature_set(int which); 86 87extern int __init audit_register_class(int class, unsigned *list); 88extern int audit_classify_syscall(int abi, unsigned syscall); 89extern int audit_classify_arch(int arch); 90/* only for compat system calls */ 91extern unsigned compat_write_class[]; 92extern unsigned compat_read_class[]; 93extern unsigned compat_dir_class[]; 94extern unsigned compat_chattr_class[]; 95extern unsigned compat_signal_class[]; 96 97extern int audit_classify_compat_syscall(int abi, unsigned syscall); 98 99/* audit_names->type values */ 100#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 101#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 102#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 103#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 104#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 105 106/* maximized args number that audit_socketcall can process */ 107#define AUDITSC_ARGS 6 108 109struct filename; 110 111extern void audit_log_session_info(struct audit_buffer *ab); 112 113#ifdef CONFIG_AUDIT_COMPAT_GENERIC 114#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 115#else 116#define audit_is_compat(arch) false 117#endif 118 119#ifdef CONFIG_AUDITSYSCALL 120#include <asm/syscall.h> /* for syscall_get_arch() */ 121 122/* These are defined in auditsc.c */ 123 /* Public API */ 124extern int audit_alloc(struct task_struct *task); 125extern void __audit_free(struct task_struct *task); 126extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 127 unsigned long a2, unsigned long a3); 128extern void __audit_syscall_exit(int ret_success, long ret_value); 129extern struct filename *__audit_reusename(const __user char *uptr); 130extern void __audit_getname(struct filename *name); 131extern void audit_putname(struct filename *name); 132 133#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 134#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 135extern void __audit_inode(struct filename *name, const struct dentry *dentry, 136 unsigned int flags); 137extern void __audit_file(const struct file *); 138extern void __audit_inode_child(const struct inode *parent, 139 const struct dentry *dentry, 140 const unsigned char type); 141extern void __audit_seccomp(unsigned long syscall, long signr, int code); 142extern void __audit_ptrace(struct task_struct *t); 143 144static inline int audit_dummy_context(void) 145{ 146 void *p = current->audit_context; 147 return !p || *(int *)p; 148} 149static inline void audit_free(struct task_struct *task) 150{ 151 if (unlikely(task->audit_context)) 152 __audit_free(task); 153} 154static inline void audit_syscall_entry(int major, unsigned long a0, 155 unsigned long a1, unsigned long a2, 156 unsigned long a3) 157{ 158 if (unlikely(current->audit_context)) 159 __audit_syscall_entry(major, a0, a1, a2, a3); 160} 161static inline void audit_syscall_exit(void *pt_regs) 162{ 163 if (unlikely(current->audit_context)) { 164 int success = is_syscall_success(pt_regs); 165 long return_code = regs_return_value(pt_regs); 166 167 __audit_syscall_exit(success, return_code); 168 } 169} 170static inline struct filename *audit_reusename(const __user char *name) 171{ 172 if (unlikely(!audit_dummy_context())) 173 return __audit_reusename(name); 174 return NULL; 175} 176static inline void audit_getname(struct filename *name) 177{ 178 if (unlikely(!audit_dummy_context())) 179 __audit_getname(name); 180} 181static inline void audit_inode(struct filename *name, 182 const struct dentry *dentry, 183 unsigned int parent) { 184 if (unlikely(!audit_dummy_context())) { 185 unsigned int flags = 0; 186 if (parent) 187 flags |= AUDIT_INODE_PARENT; 188 __audit_inode(name, dentry, flags); 189 } 190} 191static inline void audit_file(struct file *file) 192{ 193 if (unlikely(!audit_dummy_context())) 194 __audit_file(file); 195} 196static inline void audit_inode_parent_hidden(struct filename *name, 197 const struct dentry *dentry) 198{ 199 if (unlikely(!audit_dummy_context())) 200 __audit_inode(name, dentry, 201 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 202} 203static inline void audit_inode_child(const struct inode *parent, 204 const struct dentry *dentry, 205 const unsigned char type) { 206 if (unlikely(!audit_dummy_context())) 207 __audit_inode_child(parent, dentry, type); 208} 209void audit_core_dumps(long signr); 210 211static inline void audit_seccomp(unsigned long syscall, long signr, int code) 212{ 213 /* Force a record to be reported if a signal was delivered. */ 214 if (signr || unlikely(!audit_dummy_context())) 215 __audit_seccomp(syscall, signr, code); 216} 217 218static inline void audit_ptrace(struct task_struct *t) 219{ 220 if (unlikely(!audit_dummy_context())) 221 __audit_ptrace(t); 222} 223 224 /* Private API (for audit.c only) */ 225extern unsigned int audit_serial(void); 226extern int auditsc_get_stamp(struct audit_context *ctx, 227 struct timespec *t, unsigned int *serial); 228extern int audit_set_loginuid(kuid_t loginuid); 229 230static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 231{ 232 return tsk->loginuid; 233} 234 235static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 236{ 237 return tsk->sessionid; 238} 239 240extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 241extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 242extern void __audit_bprm(struct linux_binprm *bprm); 243extern int __audit_socketcall(int nargs, unsigned long *args); 244extern int __audit_sockaddr(int len, void *addr); 245extern void __audit_fd_pair(int fd1, int fd2); 246extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 247extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); 248extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 249extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 250extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 251 const struct cred *new, 252 const struct cred *old); 253extern void __audit_log_capset(const struct cred *new, const struct cred *old); 254extern void __audit_mmap_fd(int fd, int flags); 255 256static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 257{ 258 if (unlikely(!audit_dummy_context())) 259 __audit_ipc_obj(ipcp); 260} 261static inline void audit_fd_pair(int fd1, int fd2) 262{ 263 if (unlikely(!audit_dummy_context())) 264 __audit_fd_pair(fd1, fd2); 265} 266static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 267{ 268 if (unlikely(!audit_dummy_context())) 269 __audit_ipc_set_perm(qbytes, uid, gid, mode); 270} 271static inline void audit_bprm(struct linux_binprm *bprm) 272{ 273 if (unlikely(!audit_dummy_context())) 274 __audit_bprm(bprm); 275} 276static inline int audit_socketcall(int nargs, unsigned long *args) 277{ 278 if (unlikely(!audit_dummy_context())) 279 return __audit_socketcall(nargs, args); 280 return 0; 281} 282static inline int audit_sockaddr(int len, void *addr) 283{ 284 if (unlikely(!audit_dummy_context())) 285 return __audit_sockaddr(len, addr); 286 return 0; 287} 288static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 289{ 290 if (unlikely(!audit_dummy_context())) 291 __audit_mq_open(oflag, mode, attr); 292} 293static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) 294{ 295 if (unlikely(!audit_dummy_context())) 296 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 297} 298static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 299{ 300 if (unlikely(!audit_dummy_context())) 301 __audit_mq_notify(mqdes, notification); 302} 303static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 304{ 305 if (unlikely(!audit_dummy_context())) 306 __audit_mq_getsetattr(mqdes, mqstat); 307} 308 309static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 310 const struct cred *new, 311 const struct cred *old) 312{ 313 if (unlikely(!audit_dummy_context())) 314 return __audit_log_bprm_fcaps(bprm, new, old); 315 return 0; 316} 317 318static inline void audit_log_capset(const struct cred *new, 319 const struct cred *old) 320{ 321 if (unlikely(!audit_dummy_context())) 322 __audit_log_capset(new, old); 323} 324 325static inline void audit_mmap_fd(int fd, int flags) 326{ 327 if (unlikely(!audit_dummy_context())) 328 __audit_mmap_fd(fd, flags); 329} 330 331extern int audit_n_rules; 332extern int audit_signals; 333#else /* CONFIG_AUDITSYSCALL */ 334static inline int audit_alloc(struct task_struct *task) 335{ 336 return 0; 337} 338static inline void audit_free(struct task_struct *task) 339{ } 340static inline void audit_syscall_entry(int major, unsigned long a0, 341 unsigned long a1, unsigned long a2, 342 unsigned long a3) 343{ } 344static inline void audit_syscall_exit(void *pt_regs) 345{ } 346static inline int audit_dummy_context(void) 347{ 348 return 1; 349} 350static inline struct filename *audit_reusename(const __user char *name) 351{ 352 return NULL; 353} 354static inline void audit_getname(struct filename *name) 355{ } 356static inline void audit_putname(struct filename *name) 357{ } 358static inline void __audit_inode(struct filename *name, 359 const struct dentry *dentry, 360 unsigned int flags) 361{ } 362static inline void __audit_inode_child(const struct inode *parent, 363 const struct dentry *dentry, 364 const unsigned char type) 365{ } 366static inline void audit_inode(struct filename *name, 367 const struct dentry *dentry, 368 unsigned int parent) 369{ } 370static inline void audit_file(struct file *file) 371{ 372} 373static inline void audit_inode_parent_hidden(struct filename *name, 374 const struct dentry *dentry) 375{ } 376static inline void audit_inode_child(const struct inode *parent, 377 const struct dentry *dentry, 378 const unsigned char type) 379{ } 380static inline void audit_core_dumps(long signr) 381{ } 382static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 383{ } 384static inline void audit_seccomp(unsigned long syscall, long signr, int code) 385{ } 386static inline int auditsc_get_stamp(struct audit_context *ctx, 387 struct timespec *t, unsigned int *serial) 388{ 389 return 0; 390} 391static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 392{ 393 return INVALID_UID; 394} 395static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 396{ 397 return -1; 398} 399static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 400{ } 401static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 402 gid_t gid, umode_t mode) 403{ } 404static inline void audit_bprm(struct linux_binprm *bprm) 405{ } 406static inline int audit_socketcall(int nargs, unsigned long *args) 407{ 408 return 0; 409} 410static inline void audit_fd_pair(int fd1, int fd2) 411{ } 412static inline int audit_sockaddr(int len, void *addr) 413{ 414 return 0; 415} 416static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 417{ } 418static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 419 unsigned int msg_prio, 420 const struct timespec *abs_timeout) 421{ } 422static inline void audit_mq_notify(mqd_t mqdes, 423 const struct sigevent *notification) 424{ } 425static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 426{ } 427static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 428 const struct cred *new, 429 const struct cred *old) 430{ 431 return 0; 432} 433static inline void audit_log_capset(const struct cred *new, 434 const struct cred *old) 435{ } 436static inline void audit_mmap_fd(int fd, int flags) 437{ } 438static inline void audit_ptrace(struct task_struct *t) 439{ } 440#define audit_n_rules 0 441#define audit_signals 0 442#endif /* CONFIG_AUDITSYSCALL */ 443 444static inline bool audit_loginuid_set(struct task_struct *tsk) 445{ 446 return uid_valid(audit_get_loginuid(tsk)); 447} 448 449#ifdef CONFIG_AUDIT 450/* These are defined in audit.c */ 451 /* Public API */ 452extern __printf(4, 5) 453void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 454 const char *fmt, ...); 455 456extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 457extern __printf(2, 3) 458void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 459extern void audit_log_end(struct audit_buffer *ab); 460extern int audit_string_contains_control(const char *string, 461 size_t len); 462extern void audit_log_n_hex(struct audit_buffer *ab, 463 const unsigned char *buf, 464 size_t len); 465extern void audit_log_n_string(struct audit_buffer *ab, 466 const char *buf, 467 size_t n); 468extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 469 const char *string, 470 size_t n); 471extern void audit_log_untrustedstring(struct audit_buffer *ab, 472 const char *string); 473extern void audit_log_d_path(struct audit_buffer *ab, 474 const char *prefix, 475 const struct path *path); 476extern void audit_log_key(struct audit_buffer *ab, 477 char *key); 478extern void audit_log_link_denied(const char *operation, 479 struct path *link); 480extern void audit_log_lost(const char *message); 481#ifdef CONFIG_SECURITY 482extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); 483#else 484static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 485{ } 486#endif 487 488extern int audit_log_task_context(struct audit_buffer *ab); 489extern void audit_log_task_info(struct audit_buffer *ab, 490 struct task_struct *tsk); 491 492extern int audit_update_lsm_rules(void); 493 494 /* Private API (for audit.c only) */ 495extern int audit_filter_user(int type); 496extern int audit_filter_type(int type); 497extern int audit_rule_change(int type, __u32 portid, int seq, 498 void *data, size_t datasz); 499extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 500 501extern u32 audit_enabled; 502#else /* CONFIG_AUDIT */ 503static inline __printf(4, 5) 504void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 505 const char *fmt, ...) 506{ } 507static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 508 gfp_t gfp_mask, int type) 509{ 510 return NULL; 511} 512static inline __printf(2, 3) 513void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 514{ } 515static inline void audit_log_end(struct audit_buffer *ab) 516{ } 517static inline void audit_log_n_hex(struct audit_buffer *ab, 518 const unsigned char *buf, size_t len) 519{ } 520static inline void audit_log_n_string(struct audit_buffer *ab, 521 const char *buf, size_t n) 522{ } 523static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 524 const char *string, size_t n) 525{ } 526static inline void audit_log_untrustedstring(struct audit_buffer *ab, 527 const char *string) 528{ } 529static inline void audit_log_d_path(struct audit_buffer *ab, 530 const char *prefix, 531 const struct path *path) 532{ } 533static inline void audit_log_key(struct audit_buffer *ab, char *key) 534{ } 535static inline void audit_log_link_denied(const char *string, 536 const struct path *link) 537{ } 538static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 539{ } 540static inline int audit_log_task_context(struct audit_buffer *ab) 541{ 542 return 0; 543} 544static inline void audit_log_task_info(struct audit_buffer *ab, 545 struct task_struct *tsk) 546{ } 547#define audit_enabled 0 548#endif /* CONFIG_AUDIT */ 549static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 550{ 551 audit_log_n_string(ab, buf, strlen(buf)); 552} 553 554#endif