tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v3.8 16 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <uapi/linux/audit.h> 29 30struct audit_sig_info { 31 uid_t uid; 32 pid_t pid; 33 char ctx[0]; 34}; 35 36struct audit_buffer; 37struct audit_context; 38struct inode; 39struct netlink_skb_parms; 40struct path; 41struct linux_binprm; 42struct mq_attr; 43struct mqstat; 44struct audit_watch; 45struct audit_tree; 46 47struct audit_krule { 48 int vers_ops; 49 u32 flags; 50 u32 listnr; 51 u32 action; 52 u32 mask[AUDIT_BITMASK_SIZE]; 53 u32 buflen; /* for data alloc on list rules */ 54 u32 field_count; 55 char *filterkey; /* ties events to rules */ 56 struct audit_field *fields; 57 struct audit_field *arch_f; /* quick access to arch field */ 58 struct audit_field *inode_f; /* quick access to an inode field */ 59 struct audit_watch *watch; /* associated watch */ 60 struct audit_tree *tree; /* associated watched tree */ 61 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 62 struct list_head list; /* for AUDIT_LIST* purposes only */ 63 u64 prio; 64}; 65 66struct audit_field { 67 u32 type; 68 u32 val; 69 kuid_t uid; 70 kgid_t gid; 71 u32 op; 72 char *lsm_str; 73 void *lsm_rule; 74}; 75 76extern int __init audit_register_class(int class, unsigned *list); 77extern int audit_classify_syscall(int abi, unsigned syscall); 78extern int audit_classify_arch(int arch); 79 80/* audit_names->type values */ 81#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 82#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 83#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 84#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 85#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 86 87struct filename; 88 89#ifdef CONFIG_AUDITSYSCALL 90/* These are defined in auditsc.c */ 91 /* Public API */ 92extern int audit_alloc(struct task_struct *task); 93extern void __audit_free(struct task_struct *task); 94extern void __audit_syscall_entry(int arch, 95 int major, unsigned long a0, unsigned long a1, 96 unsigned long a2, unsigned long a3); 97extern void __audit_syscall_exit(int ret_success, long ret_value); 98extern struct filename *__audit_reusename(const __user char *uptr); 99extern void __audit_getname(struct filename *name); 100extern void audit_putname(struct filename *name); 101extern void __audit_inode(struct filename *name, const struct dentry *dentry, 102 unsigned int parent); 103extern void __audit_inode_child(const struct inode *parent, 104 const struct dentry *dentry, 105 const unsigned char type); 106extern void __audit_seccomp(unsigned long syscall, long signr, int code); 107extern void __audit_ptrace(struct task_struct *t); 108 109static inline int audit_dummy_context(void) 110{ 111 void *p = current->audit_context; 112 return !p || *(int *)p; 113} 114static inline void audit_free(struct task_struct *task) 115{ 116 if (unlikely(task->audit_context)) 117 __audit_free(task); 118} 119static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 120 unsigned long a1, unsigned long a2, 121 unsigned long a3) 122{ 123 if (unlikely(!audit_dummy_context())) 124 __audit_syscall_entry(arch, major, a0, a1, a2, a3); 125} 126static inline void audit_syscall_exit(void *pt_regs) 127{ 128 if (unlikely(current->audit_context)) { 129 int success = is_syscall_success(pt_regs); 130 int return_code = regs_return_value(pt_regs); 131 132 __audit_syscall_exit(success, return_code); 133 } 134} 135static inline struct filename *audit_reusename(const __user char *name) 136{ 137 if (unlikely(!audit_dummy_context())) 138 return __audit_reusename(name); 139 return NULL; 140} 141static inline void audit_getname(struct filename *name) 142{ 143 if (unlikely(!audit_dummy_context())) 144 __audit_getname(name); 145} 146static inline void audit_inode(struct filename *name, const struct dentry *dentry, 147 unsigned int parent) { 148 if (unlikely(!audit_dummy_context())) 149 __audit_inode(name, dentry, parent); 150} 151static inline void audit_inode_child(const struct inode *parent, 152 const struct dentry *dentry, 153 const unsigned char type) { 154 if (unlikely(!audit_dummy_context())) 155 __audit_inode_child(parent, dentry, type); 156} 157void audit_core_dumps(long signr); 158 159static inline void audit_seccomp(unsigned long syscall, long signr, int code) 160{ 161 /* Force a record to be reported if a signal was delivered. */ 162 if (signr || unlikely(!audit_dummy_context())) 163 __audit_seccomp(syscall, signr, code); 164} 165 166static inline void audit_ptrace(struct task_struct *t) 167{ 168 if (unlikely(!audit_dummy_context())) 169 __audit_ptrace(t); 170} 171 172 /* Private API (for audit.c only) */ 173extern unsigned int audit_serial(void); 174extern int auditsc_get_stamp(struct audit_context *ctx, 175 struct timespec *t, unsigned int *serial); 176extern int audit_set_loginuid(kuid_t loginuid); 177 178static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 179{ 180 return tsk->loginuid; 181} 182 183static inline int audit_get_sessionid(struct task_struct *tsk) 184{ 185 return tsk->sessionid; 186} 187 188extern void audit_log_task_context(struct audit_buffer *ab); 189extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk); 190extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 191extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 192extern int __audit_bprm(struct linux_binprm *bprm); 193extern void __audit_socketcall(int nargs, unsigned long *args); 194extern int __audit_sockaddr(int len, void *addr); 195extern void __audit_fd_pair(int fd1, int fd2); 196extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 197extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); 198extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 199extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 200extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 201 const struct cred *new, 202 const struct cred *old); 203extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); 204extern void __audit_mmap_fd(int fd, int flags); 205 206static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 207{ 208 if (unlikely(!audit_dummy_context())) 209 __audit_ipc_obj(ipcp); 210} 211static inline void audit_fd_pair(int fd1, int fd2) 212{ 213 if (unlikely(!audit_dummy_context())) 214 __audit_fd_pair(fd1, fd2); 215} 216static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 217{ 218 if (unlikely(!audit_dummy_context())) 219 __audit_ipc_set_perm(qbytes, uid, gid, mode); 220} 221static inline int audit_bprm(struct linux_binprm *bprm) 222{ 223 if (unlikely(!audit_dummy_context())) 224 return __audit_bprm(bprm); 225 return 0; 226} 227static inline void audit_socketcall(int nargs, unsigned long *args) 228{ 229 if (unlikely(!audit_dummy_context())) 230 __audit_socketcall(nargs, args); 231} 232static inline int audit_sockaddr(int len, void *addr) 233{ 234 if (unlikely(!audit_dummy_context())) 235 return __audit_sockaddr(len, addr); 236 return 0; 237} 238static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 239{ 240 if (unlikely(!audit_dummy_context())) 241 __audit_mq_open(oflag, mode, attr); 242} 243static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) 244{ 245 if (unlikely(!audit_dummy_context())) 246 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 247} 248static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 249{ 250 if (unlikely(!audit_dummy_context())) 251 __audit_mq_notify(mqdes, notification); 252} 253static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 254{ 255 if (unlikely(!audit_dummy_context())) 256 __audit_mq_getsetattr(mqdes, mqstat); 257} 258 259static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 260 const struct cred *new, 261 const struct cred *old) 262{ 263 if (unlikely(!audit_dummy_context())) 264 return __audit_log_bprm_fcaps(bprm, new, old); 265 return 0; 266} 267 268static inline void audit_log_capset(pid_t pid, const struct cred *new, 269 const struct cred *old) 270{ 271 if (unlikely(!audit_dummy_context())) 272 __audit_log_capset(pid, new, old); 273} 274 275static inline void audit_mmap_fd(int fd, int flags) 276{ 277 if (unlikely(!audit_dummy_context())) 278 __audit_mmap_fd(fd, flags); 279} 280 281extern int audit_n_rules; 282extern int audit_signals; 283#else /* CONFIG_AUDITSYSCALL */ 284static inline int audit_alloc(struct task_struct *task) 285{ 286 return 0; 287} 288static inline void audit_free(struct task_struct *task) 289{ } 290static inline void audit_syscall_entry(int arch, int major, unsigned long a0, 291 unsigned long a1, unsigned long a2, 292 unsigned long a3) 293{ } 294static inline void audit_syscall_exit(void *pt_regs) 295{ } 296static inline int audit_dummy_context(void) 297{ 298 return 1; 299} 300static inline struct filename *audit_reusename(const __user char *name) 301{ 302 return NULL; 303} 304static inline void audit_getname(struct filename *name) 305{ } 306static inline void audit_putname(struct filename *name) 307{ } 308static inline void __audit_inode(struct filename *name, 309 const struct dentry *dentry, 310 unsigned int parent) 311{ } 312static inline void __audit_inode_child(const struct inode *parent, 313 const struct dentry *dentry, 314 const unsigned char type) 315{ } 316static inline void audit_inode(struct filename *name, 317 const struct dentry *dentry, 318 unsigned int parent) 319{ } 320static inline void audit_inode_child(const struct inode *parent, 321 const struct dentry *dentry, 322 const unsigned char type) 323{ } 324static inline void audit_core_dumps(long signr) 325{ } 326static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 327{ } 328static inline void audit_seccomp(unsigned long syscall, long signr, int code) 329{ } 330static inline int auditsc_get_stamp(struct audit_context *ctx, 331 struct timespec *t, unsigned int *serial) 332{ 333 return 0; 334} 335static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 336{ 337 return INVALID_UID; 338} 339static inline int audit_get_sessionid(struct task_struct *tsk) 340{ 341 return -1; 342} 343static inline void audit_log_task_context(struct audit_buffer *ab) 344{ } 345static inline void audit_log_task_info(struct audit_buffer *ab, 346 struct task_struct *tsk) 347{ } 348static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 349{ } 350static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 351 gid_t gid, umode_t mode) 352{ } 353static inline int audit_bprm(struct linux_binprm *bprm) 354{ 355 return 0; 356} 357static inline void audit_socketcall(int nargs, unsigned long *args) 358{ } 359static inline void audit_fd_pair(int fd1, int fd2) 360{ } 361static inline int audit_sockaddr(int len, void *addr) 362{ 363 return 0; 364} 365static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 366{ } 367static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 368 unsigned int msg_prio, 369 const struct timespec *abs_timeout) 370{ } 371static inline void audit_mq_notify(mqd_t mqdes, 372 const struct sigevent *notification) 373{ } 374static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 375{ } 376static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 377 const struct cred *new, 378 const struct cred *old) 379{ 380 return 0; 381} 382static inline void audit_log_capset(pid_t pid, const struct cred *new, 383 const struct cred *old) 384{ } 385static inline void audit_mmap_fd(int fd, int flags) 386{ } 387static inline void audit_ptrace(struct task_struct *t) 388{ } 389#define audit_n_rules 0 390#define audit_signals 0 391#endif /* CONFIG_AUDITSYSCALL */ 392 393#ifdef CONFIG_AUDIT 394/* These are defined in audit.c */ 395 /* Public API */ 396extern __printf(4, 5) 397void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 398 const char *fmt, ...); 399 400extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 401extern __printf(2, 3) 402void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 403extern void audit_log_end(struct audit_buffer *ab); 404extern int audit_string_contains_control(const char *string, 405 size_t len); 406extern void audit_log_n_hex(struct audit_buffer *ab, 407 const unsigned char *buf, 408 size_t len); 409extern void audit_log_n_string(struct audit_buffer *ab, 410 const char *buf, 411 size_t n); 412extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 413 const char *string, 414 size_t n); 415extern void audit_log_untrustedstring(struct audit_buffer *ab, 416 const char *string); 417extern void audit_log_d_path(struct audit_buffer *ab, 418 const char *prefix, 419 const struct path *path); 420extern void audit_log_key(struct audit_buffer *ab, 421 char *key); 422extern void audit_log_link_denied(const char *operation, 423 struct path *link); 424extern void audit_log_lost(const char *message); 425#ifdef CONFIG_SECURITY 426extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); 427#else 428static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 429{ } 430#endif 431 432extern int audit_update_lsm_rules(void); 433 434 /* Private API (for audit.c only) */ 435extern int audit_filter_user(void); 436extern int audit_filter_type(int type); 437extern int audit_receive_filter(int type, int pid, int seq, 438 void *data, size_t datasz, kuid_t loginuid, 439 u32 sessionid, u32 sid); 440extern int audit_enabled; 441#else /* CONFIG_AUDIT */ 442static inline __printf(4, 5) 443void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 444 const char *fmt, ...) 445{ } 446static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 447 gfp_t gfp_mask, int type) 448{ 449 return NULL; 450} 451static inline __printf(2, 3) 452void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 453{ } 454static inline void audit_log_end(struct audit_buffer *ab) 455{ } 456static inline void audit_log_n_hex(struct audit_buffer *ab, 457 const unsigned char *buf, size_t len) 458{ } 459static inline void audit_log_n_string(struct audit_buffer *ab, 460 const char *buf, size_t n) 461{ } 462static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 463 const char *string, size_t n) 464{ } 465static inline void audit_log_untrustedstring(struct audit_buffer *ab, 466 const char *string) 467{ } 468static inline void audit_log_d_path(struct audit_buffer *ab, 469 const char *prefix, 470 const struct path *path) 471{ } 472static inline void audit_log_key(struct audit_buffer *ab, char *key) 473{ } 474static inline void audit_log_link_denied(const char *string, 475 const struct path *link) 476{ } 477static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 478{ } 479#define audit_enabled 0 480#endif /* CONFIG_AUDIT */ 481static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 482{ 483 audit_log_n_string(ab, buf, strlen(buf)); 484} 485 486#endif