tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v3.7 15 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <uapi/linux/audit.h> 28 29struct audit_sig_info { 30 uid_t uid; 31 pid_t pid; 32 char ctx[0]; 33}; 34 35struct audit_buffer; 36struct audit_context; 37struct inode; 38struct netlink_skb_parms; 39struct path; 40struct linux_binprm; 41struct mq_attr; 42struct mqstat; 43struct audit_watch; 44struct audit_tree; 45 46struct audit_krule { 47 int vers_ops; 48 u32 flags; 49 u32 listnr; 50 u32 action; 51 u32 mask[AUDIT_BITMASK_SIZE]; 52 u32 buflen; /* for data alloc on list rules */ 53 u32 field_count; 54 char *filterkey; /* ties events to rules */ 55 struct audit_field *fields; 56 struct audit_field *arch_f; /* quick access to arch field */ 57 struct audit_field *inode_f; /* quick access to an inode field */ 58 struct audit_watch *watch; /* associated watch */ 59 struct audit_tree *tree; /* associated watched tree */ 60 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 61 struct list_head list; /* for AUDIT_LIST* purposes only */ 62 u64 prio; 63}; 64 65struct audit_field { 66 u32 type; 67 u32 val; 68 kuid_t uid; 69 kgid_t gid; 70 u32 op; 71 char *lsm_str; 72 void *lsm_rule; 73}; 74 75extern int __init audit_register_class(int class, unsigned *list); 76extern int audit_classify_syscall(int abi, unsigned syscall); 77extern int audit_classify_arch(int arch); 78 79/* audit_names->type values */ 80#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 81#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 82#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 83#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 84#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 85 86struct filename; 87 88#ifdef CONFIG_AUDITSYSCALL 89/* These are defined in auditsc.c */ 90 /* Public API */ 91extern int audit_alloc(struct task_struct *task); 92extern void __audit_free(struct task_struct *task); 93extern void __audit_syscall_entry(int arch, 94 int major, unsigned long a0, unsigned long a1, 95 unsigned long a2, unsigned long a3); 96extern void __audit_syscall_exit(int ret_success, long ret_value); 97extern struct filename *__audit_reusename(const __user char *uptr); 98extern void __audit_getname(struct filename *name); 99extern void audit_putname(struct filename *name); 100extern void __audit_inode(struct filename *name, const struct dentry *dentry, 101 unsigned int parent); 102extern void __audit_inode_child(const struct inode *parent, 103 const struct dentry *dentry, 104 const unsigned char type); 105extern void __audit_seccomp(unsigned long syscall, long signr, int code); 106extern void __audit_ptrace(struct task_struct *t); 107 108static inline int audit_dummy_context(void) 109{ 110 void *p = current->audit_context; 111 return !p || *(int *)p; 112} 113static inline void audit_free(struct task_struct *task) 114{ 115 if (unlikely(task->audit_context)) 116 __audit_free(task); 117} 118static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 119 unsigned long a1, unsigned long a2, 120 unsigned long a3) 121{ 122 if (unlikely(!audit_dummy_context())) 123 __audit_syscall_entry(arch, major, a0, a1, a2, a3); 124} 125static inline void audit_syscall_exit(void *pt_regs) 126{ 127 if (unlikely(current->audit_context)) { 128 int success = is_syscall_success(pt_regs); 129 int return_code = regs_return_value(pt_regs); 130 131 __audit_syscall_exit(success, return_code); 132 } 133} 134static inline struct filename *audit_reusename(const __user char *name) 135{ 136 if (unlikely(!audit_dummy_context())) 137 return __audit_reusename(name); 138 return NULL; 139} 140static inline void audit_getname(struct filename *name) 141{ 142 if (unlikely(!audit_dummy_context())) 143 __audit_getname(name); 144} 145static inline void audit_inode(struct filename *name, const struct dentry *dentry, 146 unsigned int parent) { 147 if (unlikely(!audit_dummy_context())) 148 __audit_inode(name, dentry, parent); 149} 150static inline void audit_inode_child(const struct inode *parent, 151 const struct dentry *dentry, 152 const unsigned char type) { 153 if (unlikely(!audit_dummy_context())) 154 __audit_inode_child(parent, dentry, type); 155} 156void audit_core_dumps(long signr); 157 158static inline void audit_seccomp(unsigned long syscall, long signr, int code) 159{ 160 if (unlikely(!audit_dummy_context())) 161 __audit_seccomp(syscall, signr, code); 162} 163 164static inline void audit_ptrace(struct task_struct *t) 165{ 166 if (unlikely(!audit_dummy_context())) 167 __audit_ptrace(t); 168} 169 170 /* Private API (for audit.c only) */ 171extern unsigned int audit_serial(void); 172extern int auditsc_get_stamp(struct audit_context *ctx, 173 struct timespec *t, unsigned int *serial); 174extern int audit_set_loginuid(kuid_t loginuid); 175 176static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 177{ 178 return tsk->loginuid; 179} 180 181static inline int audit_get_sessionid(struct task_struct *tsk) 182{ 183 return tsk->sessionid; 184} 185 186extern void audit_log_task_context(struct audit_buffer *ab); 187extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk); 188extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 189extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 190extern int __audit_bprm(struct linux_binprm *bprm); 191extern void __audit_socketcall(int nargs, unsigned long *args); 192extern int __audit_sockaddr(int len, void *addr); 193extern void __audit_fd_pair(int fd1, int fd2); 194extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 195extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); 196extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 197extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 198extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 199 const struct cred *new, 200 const struct cred *old); 201extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); 202extern void __audit_mmap_fd(int fd, int flags); 203 204static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 205{ 206 if (unlikely(!audit_dummy_context())) 207 __audit_ipc_obj(ipcp); 208} 209static inline void audit_fd_pair(int fd1, int fd2) 210{ 211 if (unlikely(!audit_dummy_context())) 212 __audit_fd_pair(fd1, fd2); 213} 214static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 215{ 216 if (unlikely(!audit_dummy_context())) 217 __audit_ipc_set_perm(qbytes, uid, gid, mode); 218} 219static inline int audit_bprm(struct linux_binprm *bprm) 220{ 221 if (unlikely(!audit_dummy_context())) 222 return __audit_bprm(bprm); 223 return 0; 224} 225static inline void audit_socketcall(int nargs, unsigned long *args) 226{ 227 if (unlikely(!audit_dummy_context())) 228 __audit_socketcall(nargs, args); 229} 230static inline int audit_sockaddr(int len, void *addr) 231{ 232 if (unlikely(!audit_dummy_context())) 233 return __audit_sockaddr(len, addr); 234 return 0; 235} 236static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 237{ 238 if (unlikely(!audit_dummy_context())) 239 __audit_mq_open(oflag, mode, attr); 240} 241static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) 242{ 243 if (unlikely(!audit_dummy_context())) 244 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 245} 246static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 247{ 248 if (unlikely(!audit_dummy_context())) 249 __audit_mq_notify(mqdes, notification); 250} 251static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 252{ 253 if (unlikely(!audit_dummy_context())) 254 __audit_mq_getsetattr(mqdes, mqstat); 255} 256 257static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 258 const struct cred *new, 259 const struct cred *old) 260{ 261 if (unlikely(!audit_dummy_context())) 262 return __audit_log_bprm_fcaps(bprm, new, old); 263 return 0; 264} 265 266static inline void audit_log_capset(pid_t pid, const struct cred *new, 267 const struct cred *old) 268{ 269 if (unlikely(!audit_dummy_context())) 270 __audit_log_capset(pid, new, old); 271} 272 273static inline void audit_mmap_fd(int fd, int flags) 274{ 275 if (unlikely(!audit_dummy_context())) 276 __audit_mmap_fd(fd, flags); 277} 278 279extern int audit_n_rules; 280extern int audit_signals; 281#else /* CONFIG_AUDITSYSCALL */ 282static inline int audit_alloc(struct task_struct *task) 283{ 284 return 0; 285} 286static inline void audit_free(struct task_struct *task) 287{ } 288static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 289 unsigned long a1, unsigned long a2, 290 unsigned long a3) 291{ } 292static inline void audit_syscall_exit(void *pt_regs) 293{ } 294static inline int audit_dummy_context(void) 295{ 296 return 1; 297} 298static inline struct filename *audit_reusename(const __user char *name) 299{ 300 return NULL; 301} 302static inline void audit_getname(struct filename *name) 303{ } 304static inline void audit_putname(struct filename *name) 305{ } 306static inline void __audit_inode(struct filename *name, 307 const struct dentry *dentry, 308 unsigned int parent) 309{ } 310static inline void __audit_inode_child(const struct inode *parent, 311 const struct dentry *dentry, 312 const unsigned char type) 313{ } 314static inline void audit_inode(struct filename *name, 315 const struct dentry *dentry, 316 unsigned int parent) 317{ } 318static inline void audit_inode_child(const struct inode *parent, 319 const struct dentry *dentry, 320 const unsigned char type) 321{ } 322static inline void audit_core_dumps(long signr) 323{ } 324static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 325{ } 326static inline void audit_seccomp(unsigned long syscall, long signr, int code) 327{ } 328static inline int auditsc_get_stamp(struct audit_context *ctx, 329 struct timespec *t, unsigned int *serial) 330{ 331 return 0; 332} 333static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 334{ 335 return INVALID_UID; 336} 337static inline int audit_get_sessionid(struct task_struct *tsk) 338{ 339 return -1; 340} 341static inline void audit_log_task_context(struct audit_buffer *ab) 342{ } 343static inline void audit_log_task_info(struct audit_buffer *ab, 344 struct task_struct *tsk) 345{ } 346static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 347{ } 348static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 349 gid_t gid, umode_t mode) 350{ } 351static inline int audit_bprm(struct linux_binprm *bprm) 352{ 353 return 0; 354} 355static inline void audit_socketcall(int nargs, unsigned long *args) 356{ } 357static inline void audit_fd_pair(int fd1, int fd2) 358{ } 359static inline int audit_sockaddr(int len, void *addr) 360{ 361 return 0; 362} 363static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 364{ } 365static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 366 unsigned int msg_prio, 367 const struct timespec *abs_timeout) 368{ } 369static inline void audit_mq_notify(mqd_t mqdes, 370 const struct sigevent *notification) 371{ } 372static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 373{ } 374static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 375 const struct cred *new, 376 const struct cred *old) 377{ 378 return 0; 379} 380static inline void audit_log_capset(pid_t pid, const struct cred *new, 381 const struct cred *old) 382{ } 383static inline void audit_mmap_fd(int fd, int flags) 384{ } 385static inline void audit_ptrace(struct task_struct *t) 386{ } 387#define audit_n_rules 0 388#define audit_signals 0 389#endif /* CONFIG_AUDITSYSCALL */ 390 391#ifdef CONFIG_AUDIT 392/* These are defined in audit.c */ 393 /* Public API */ 394extern __printf(4, 5) 395void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 396 const char *fmt, ...); 397 398extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 399extern __printf(2, 3) 400void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 401extern void audit_log_end(struct audit_buffer *ab); 402extern int audit_string_contains_control(const char *string, 403 size_t len); 404extern void audit_log_n_hex(struct audit_buffer *ab, 405 const unsigned char *buf, 406 size_t len); 407extern void audit_log_n_string(struct audit_buffer *ab, 408 const char *buf, 409 size_t n); 410extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 411 const char *string, 412 size_t n); 413extern void audit_log_untrustedstring(struct audit_buffer *ab, 414 const char *string); 415extern void audit_log_d_path(struct audit_buffer *ab, 416 const char *prefix, 417 const struct path *path); 418extern void audit_log_key(struct audit_buffer *ab, 419 char *key); 420extern void audit_log_link_denied(const char *operation, 421 struct path *link); 422extern void audit_log_lost(const char *message); 423#ifdef CONFIG_SECURITY 424extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); 425#else 426static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 427{ } 428#endif 429 430extern int audit_update_lsm_rules(void); 431 432 /* Private API (for audit.c only) */ 433extern int audit_filter_user(void); 434extern int audit_filter_type(int type); 435extern int audit_receive_filter(int type, int pid, int seq, 436 void *data, size_t datasz, kuid_t loginuid, 437 u32 sessionid, u32 sid); 438extern int audit_enabled; 439#else /* CONFIG_AUDIT */ 440static inline __printf(4, 5) 441void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 442 const char *fmt, ...) 443{ } 444static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 445 gfp_t gfp_mask, int type) 446{ 447 return NULL; 448} 449static inline __printf(2, 3) 450void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 451{ } 452static inline void audit_log_end(struct audit_buffer *ab) 453{ } 454static inline void audit_log_n_hex(struct audit_buffer *ab, 455 const unsigned char *buf, size_t len) 456{ } 457static inline void audit_log_n_string(struct audit_buffer *ab, 458 const char *buf, size_t n) 459{ } 460static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 461 const char *string, size_t n) 462{ } 463static inline void audit_log_untrustedstring(struct audit_buffer *ab, 464 const char *string) 465{ } 466static inline void audit_log_d_path(struct audit_buffer *ab, 467 const char *prefix, 468 const struct path *path) 469{ } 470static inline void audit_log_key(struct audit_buffer *ab, char *key) 471{ } 472static inline void audit_log_link_denied(const char *string, 473 const struct path *link) 474{ } 475static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 476{ } 477#define audit_enabled 0 478#endif /* CONFIG_AUDIT */ 479static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 480{ 481 audit_log_n_string(ab, buf, strlen(buf)); 482} 483 484#endif