tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v4.15 18 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <uapi/linux/audit.h> 29 30#define AUDIT_INO_UNSET ((unsigned long)-1) 31#define AUDIT_DEV_UNSET ((dev_t)-1) 32 33struct audit_sig_info { 34 uid_t uid; 35 pid_t pid; 36 char ctx[0]; 37}; 38 39struct audit_buffer; 40struct audit_context; 41struct inode; 42struct netlink_skb_parms; 43struct path; 44struct linux_binprm; 45struct mq_attr; 46struct mqstat; 47struct audit_watch; 48struct audit_tree; 49struct sk_buff; 50 51struct audit_krule { 52 u32 pflags; 53 u32 flags; 54 u32 listnr; 55 u32 action; 56 u32 mask[AUDIT_BITMASK_SIZE]; 57 u32 buflen; /* for data alloc on list rules */ 58 u32 field_count; 59 char *filterkey; /* ties events to rules */ 60 struct audit_field *fields; 61 struct audit_field *arch_f; /* quick access to arch field */ 62 struct audit_field *inode_f; /* quick access to an inode field */ 63 struct audit_watch *watch; /* associated watch */ 64 struct audit_tree *tree; /* associated watched tree */ 65 struct audit_fsnotify_mark *exe; 66 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 67 struct list_head list; /* for AUDIT_LIST* purposes only */ 68 u64 prio; 69}; 70 71/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 72#define AUDIT_LOGINUID_LEGACY 0x1 73 74struct audit_field { 75 u32 type; 76 union { 77 u32 val; 78 kuid_t uid; 79 kgid_t gid; 80 struct { 81 char *lsm_str; 82 void *lsm_rule; 83 }; 84 }; 85 u32 op; 86}; 87 88extern int is_audit_feature_set(int which); 89 90extern int __init audit_register_class(int class, unsigned *list); 91extern int audit_classify_syscall(int abi, unsigned syscall); 92extern int audit_classify_arch(int arch); 93/* only for compat system calls */ 94extern unsigned compat_write_class[]; 95extern unsigned compat_read_class[]; 96extern unsigned compat_dir_class[]; 97extern unsigned compat_chattr_class[]; 98extern unsigned compat_signal_class[]; 99 100extern int audit_classify_compat_syscall(int abi, unsigned syscall); 101 102/* audit_names->type values */ 103#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 104#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 105#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 106#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 107#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 108 109/* maximized args number that audit_socketcall can process */ 110#define AUDITSC_ARGS 6 111 112/* bit values for ->signal->audit_tty */ 113#define AUDIT_TTY_ENABLE BIT(0) 114#define AUDIT_TTY_LOG_PASSWD BIT(1) 115 116struct filename; 117 118extern void audit_log_session_info(struct audit_buffer *ab); 119 120#ifdef CONFIG_AUDIT 121/* These are defined in audit.c */ 122 /* Public API */ 123extern __printf(4, 5) 124void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 125 const char *fmt, ...); 126 127extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 128extern __printf(2, 3) 129void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 130extern void audit_log_end(struct audit_buffer *ab); 131extern bool audit_string_contains_control(const char *string, 132 size_t len); 133extern void audit_log_n_hex(struct audit_buffer *ab, 134 const unsigned char *buf, 135 size_t len); 136extern void audit_log_n_string(struct audit_buffer *ab, 137 const char *buf, 138 size_t n); 139extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 140 const char *string, 141 size_t n); 142extern void audit_log_untrustedstring(struct audit_buffer *ab, 143 const char *string); 144extern void audit_log_d_path(struct audit_buffer *ab, 145 const char *prefix, 146 const struct path *path); 147extern void audit_log_key(struct audit_buffer *ab, 148 char *key); 149extern void audit_log_link_denied(const char *operation, 150 const struct path *link); 151extern void audit_log_lost(const char *message); 152 153extern int audit_log_task_context(struct audit_buffer *ab); 154extern void audit_log_task_info(struct audit_buffer *ab, 155 struct task_struct *tsk); 156 157extern int audit_update_lsm_rules(void); 158 159 /* Private API (for audit.c only) */ 160extern int audit_rule_change(int type, int seq, void *data, size_t datasz); 161extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 162 163extern u32 audit_enabled; 164#else /* CONFIG_AUDIT */ 165static inline __printf(4, 5) 166void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 167 const char *fmt, ...) 168{ } 169static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 170 gfp_t gfp_mask, int type) 171{ 172 return NULL; 173} 174static inline __printf(2, 3) 175void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 176{ } 177static inline void audit_log_end(struct audit_buffer *ab) 178{ } 179static inline void audit_log_n_hex(struct audit_buffer *ab, 180 const unsigned char *buf, size_t len) 181{ } 182static inline void audit_log_n_string(struct audit_buffer *ab, 183 const char *buf, size_t n) 184{ } 185static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 186 const char *string, size_t n) 187{ } 188static inline void audit_log_untrustedstring(struct audit_buffer *ab, 189 const char *string) 190{ } 191static inline void audit_log_d_path(struct audit_buffer *ab, 192 const char *prefix, 193 const struct path *path) 194{ } 195static inline void audit_log_key(struct audit_buffer *ab, char *key) 196{ } 197static inline void audit_log_link_denied(const char *string, 198 const struct path *link) 199{ } 200static inline int audit_log_task_context(struct audit_buffer *ab) 201{ 202 return 0; 203} 204static inline void audit_log_task_info(struct audit_buffer *ab, 205 struct task_struct *tsk) 206{ } 207#define audit_enabled 0 208#endif /* CONFIG_AUDIT */ 209 210#ifdef CONFIG_AUDIT_COMPAT_GENERIC 211#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 212#else 213#define audit_is_compat(arch) false 214#endif 215 216#ifdef CONFIG_AUDITSYSCALL 217#include <asm/syscall.h> /* for syscall_get_arch() */ 218 219/* These are defined in auditsc.c */ 220 /* Public API */ 221extern int audit_alloc(struct task_struct *task); 222extern void __audit_free(struct task_struct *task); 223extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 224 unsigned long a2, unsigned long a3); 225extern void __audit_syscall_exit(int ret_success, long ret_value); 226extern struct filename *__audit_reusename(const __user char *uptr); 227extern void __audit_getname(struct filename *name); 228 229#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 230#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 231extern void __audit_inode(struct filename *name, const struct dentry *dentry, 232 unsigned int flags); 233extern void __audit_file(const struct file *); 234extern void __audit_inode_child(struct inode *parent, 235 const struct dentry *dentry, 236 const unsigned char type); 237extern void __audit_seccomp(unsigned long syscall, long signr, int code); 238extern void __audit_ptrace(struct task_struct *t); 239 240static inline bool audit_dummy_context(void) 241{ 242 void *p = current->audit_context; 243 return !p || *(int *)p; 244} 245static inline void audit_free(struct task_struct *task) 246{ 247 if (unlikely(task->audit_context)) 248 __audit_free(task); 249} 250static inline void audit_syscall_entry(int major, unsigned long a0, 251 unsigned long a1, unsigned long a2, 252 unsigned long a3) 253{ 254 if (unlikely(current->audit_context)) 255 __audit_syscall_entry(major, a0, a1, a2, a3); 256} 257static inline void audit_syscall_exit(void *pt_regs) 258{ 259 if (unlikely(current->audit_context)) { 260 int success = is_syscall_success(pt_regs); 261 long return_code = regs_return_value(pt_regs); 262 263 __audit_syscall_exit(success, return_code); 264 } 265} 266static inline struct filename *audit_reusename(const __user char *name) 267{ 268 if (unlikely(!audit_dummy_context())) 269 return __audit_reusename(name); 270 return NULL; 271} 272static inline void audit_getname(struct filename *name) 273{ 274 if (unlikely(!audit_dummy_context())) 275 __audit_getname(name); 276} 277static inline void audit_inode(struct filename *name, 278 const struct dentry *dentry, 279 unsigned int parent) { 280 if (unlikely(!audit_dummy_context())) { 281 unsigned int flags = 0; 282 if (parent) 283 flags |= AUDIT_INODE_PARENT; 284 __audit_inode(name, dentry, flags); 285 } 286} 287static inline void audit_file(struct file *file) 288{ 289 if (unlikely(!audit_dummy_context())) 290 __audit_file(file); 291} 292static inline void audit_inode_parent_hidden(struct filename *name, 293 const struct dentry *dentry) 294{ 295 if (unlikely(!audit_dummy_context())) 296 __audit_inode(name, dentry, 297 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 298} 299static inline void audit_inode_child(struct inode *parent, 300 const struct dentry *dentry, 301 const unsigned char type) { 302 if (unlikely(!audit_dummy_context())) 303 __audit_inode_child(parent, dentry, type); 304} 305void audit_core_dumps(long signr); 306 307static inline void audit_seccomp(unsigned long syscall, long signr, int code) 308{ 309 if (audit_enabled && unlikely(!audit_dummy_context())) 310 __audit_seccomp(syscall, signr, code); 311} 312 313static inline void audit_ptrace(struct task_struct *t) 314{ 315 if (unlikely(!audit_dummy_context())) 316 __audit_ptrace(t); 317} 318 319 /* Private API (for audit.c only) */ 320extern unsigned int audit_serial(void); 321extern int auditsc_get_stamp(struct audit_context *ctx, 322 struct timespec64 *t, unsigned int *serial); 323extern int audit_set_loginuid(kuid_t loginuid); 324 325static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 326{ 327 return tsk->loginuid; 328} 329 330static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 331{ 332 return tsk->sessionid; 333} 334 335extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 336extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 337extern void __audit_bprm(struct linux_binprm *bprm); 338extern int __audit_socketcall(int nargs, unsigned long *args); 339extern int __audit_sockaddr(int len, void *addr); 340extern void __audit_fd_pair(int fd1, int fd2); 341extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 342extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout); 343extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 344extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 345extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 346 const struct cred *new, 347 const struct cred *old); 348extern void __audit_log_capset(const struct cred *new, const struct cred *old); 349extern void __audit_mmap_fd(int fd, int flags); 350extern void __audit_log_kern_module(char *name); 351extern void __audit_fanotify(unsigned int response); 352 353static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 354{ 355 if (unlikely(!audit_dummy_context())) 356 __audit_ipc_obj(ipcp); 357} 358static inline void audit_fd_pair(int fd1, int fd2) 359{ 360 if (unlikely(!audit_dummy_context())) 361 __audit_fd_pair(fd1, fd2); 362} 363static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 364{ 365 if (unlikely(!audit_dummy_context())) 366 __audit_ipc_set_perm(qbytes, uid, gid, mode); 367} 368static inline void audit_bprm(struct linux_binprm *bprm) 369{ 370 if (unlikely(!audit_dummy_context())) 371 __audit_bprm(bprm); 372} 373static inline int audit_socketcall(int nargs, unsigned long *args) 374{ 375 if (unlikely(!audit_dummy_context())) 376 return __audit_socketcall(nargs, args); 377 return 0; 378} 379 380static inline int audit_socketcall_compat(int nargs, u32 *args) 381{ 382 unsigned long a[AUDITSC_ARGS]; 383 int i; 384 385 if (audit_dummy_context()) 386 return 0; 387 388 for (i = 0; i < nargs; i++) 389 a[i] = (unsigned long)args[i]; 390 return __audit_socketcall(nargs, a); 391} 392 393static inline int audit_sockaddr(int len, void *addr) 394{ 395 if (unlikely(!audit_dummy_context())) 396 return __audit_sockaddr(len, addr); 397 return 0; 398} 399static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 400{ 401 if (unlikely(!audit_dummy_context())) 402 __audit_mq_open(oflag, mode, attr); 403} 404static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout) 405{ 406 if (unlikely(!audit_dummy_context())) 407 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 408} 409static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 410{ 411 if (unlikely(!audit_dummy_context())) 412 __audit_mq_notify(mqdes, notification); 413} 414static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 415{ 416 if (unlikely(!audit_dummy_context())) 417 __audit_mq_getsetattr(mqdes, mqstat); 418} 419 420static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 421 const struct cred *new, 422 const struct cred *old) 423{ 424 if (unlikely(!audit_dummy_context())) 425 return __audit_log_bprm_fcaps(bprm, new, old); 426 return 0; 427} 428 429static inline void audit_log_capset(const struct cred *new, 430 const struct cred *old) 431{ 432 if (unlikely(!audit_dummy_context())) 433 __audit_log_capset(new, old); 434} 435 436static inline void audit_mmap_fd(int fd, int flags) 437{ 438 if (unlikely(!audit_dummy_context())) 439 __audit_mmap_fd(fd, flags); 440} 441 442static inline void audit_log_kern_module(char *name) 443{ 444 if (!audit_dummy_context()) 445 __audit_log_kern_module(name); 446} 447 448static inline void audit_fanotify(unsigned int response) 449{ 450 if (!audit_dummy_context()) 451 __audit_fanotify(response); 452} 453 454extern int audit_n_rules; 455extern int audit_signals; 456#else /* CONFIG_AUDITSYSCALL */ 457static inline int audit_alloc(struct task_struct *task) 458{ 459 return 0; 460} 461static inline void audit_free(struct task_struct *task) 462{ } 463static inline void audit_syscall_entry(int major, unsigned long a0, 464 unsigned long a1, unsigned long a2, 465 unsigned long a3) 466{ } 467static inline void audit_syscall_exit(void *pt_regs) 468{ } 469static inline bool audit_dummy_context(void) 470{ 471 return true; 472} 473static inline struct filename *audit_reusename(const __user char *name) 474{ 475 return NULL; 476} 477static inline void audit_getname(struct filename *name) 478{ } 479static inline void __audit_inode(struct filename *name, 480 const struct dentry *dentry, 481 unsigned int flags) 482{ } 483static inline void __audit_inode_child(struct inode *parent, 484 const struct dentry *dentry, 485 const unsigned char type) 486{ } 487static inline void audit_inode(struct filename *name, 488 const struct dentry *dentry, 489 unsigned int parent) 490{ } 491static inline void audit_file(struct file *file) 492{ 493} 494static inline void audit_inode_parent_hidden(struct filename *name, 495 const struct dentry *dentry) 496{ } 497static inline void audit_inode_child(struct inode *parent, 498 const struct dentry *dentry, 499 const unsigned char type) 500{ } 501static inline void audit_core_dumps(long signr) 502{ } 503static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 504{ } 505static inline void audit_seccomp(unsigned long syscall, long signr, int code) 506{ } 507static inline int auditsc_get_stamp(struct audit_context *ctx, 508 struct timespec64 *t, unsigned int *serial) 509{ 510 return 0; 511} 512static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 513{ 514 return INVALID_UID; 515} 516static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 517{ 518 return -1; 519} 520static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 521{ } 522static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 523 gid_t gid, umode_t mode) 524{ } 525static inline void audit_bprm(struct linux_binprm *bprm) 526{ } 527static inline int audit_socketcall(int nargs, unsigned long *args) 528{ 529 return 0; 530} 531 532static inline int audit_socketcall_compat(int nargs, u32 *args) 533{ 534 return 0; 535} 536 537static inline void audit_fd_pair(int fd1, int fd2) 538{ } 539static inline int audit_sockaddr(int len, void *addr) 540{ 541 return 0; 542} 543static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 544{ } 545static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 546 unsigned int msg_prio, 547 const struct timespec64 *abs_timeout) 548{ } 549static inline void audit_mq_notify(mqd_t mqdes, 550 const struct sigevent *notification) 551{ } 552static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 553{ } 554static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 555 const struct cred *new, 556 const struct cred *old) 557{ 558 return 0; 559} 560static inline void audit_log_capset(const struct cred *new, 561 const struct cred *old) 562{ } 563static inline void audit_mmap_fd(int fd, int flags) 564{ } 565 566static inline void audit_log_kern_module(char *name) 567{ 568} 569 570static inline void audit_fanotify(unsigned int response) 571{ } 572 573static inline void audit_ptrace(struct task_struct *t) 574{ } 575#define audit_n_rules 0 576#define audit_signals 0 577#endif /* CONFIG_AUDITSYSCALL */ 578 579static inline bool audit_loginuid_set(struct task_struct *tsk) 580{ 581 return uid_valid(audit_get_loginuid(tsk)); 582} 583 584static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 585{ 586 audit_log_n_string(ab, buf, strlen(buf)); 587} 588 589#endif