tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v4.19 18 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <uapi/linux/audit.h> 29 30#define AUDIT_INO_UNSET ((unsigned long)-1) 31#define AUDIT_DEV_UNSET ((dev_t)-1) 32 33struct audit_sig_info { 34 uid_t uid; 35 pid_t pid; 36 char ctx[0]; 37}; 38 39struct audit_buffer; 40struct audit_context; 41struct inode; 42struct netlink_skb_parms; 43struct path; 44struct linux_binprm; 45struct mq_attr; 46struct mqstat; 47struct audit_watch; 48struct audit_tree; 49struct sk_buff; 50 51struct audit_krule { 52 u32 pflags; 53 u32 flags; 54 u32 listnr; 55 u32 action; 56 u32 mask[AUDIT_BITMASK_SIZE]; 57 u32 buflen; /* for data alloc on list rules */ 58 u32 field_count; 59 char *filterkey; /* ties events to rules */ 60 struct audit_field *fields; 61 struct audit_field *arch_f; /* quick access to arch field */ 62 struct audit_field *inode_f; /* quick access to an inode field */ 63 struct audit_watch *watch; /* associated watch */ 64 struct audit_tree *tree; /* associated watched tree */ 65 struct audit_fsnotify_mark *exe; 66 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 67 struct list_head list; /* for AUDIT_LIST* purposes only */ 68 u64 prio; 69}; 70 71/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 72#define AUDIT_LOGINUID_LEGACY 0x1 73 74struct audit_field { 75 u32 type; 76 union { 77 u32 val; 78 kuid_t uid; 79 kgid_t gid; 80 struct { 81 char *lsm_str; 82 void *lsm_rule; 83 }; 84 }; 85 u32 op; 86}; 87 88extern int is_audit_feature_set(int which); 89 90extern int __init audit_register_class(int class, unsigned *list); 91extern int audit_classify_syscall(int abi, unsigned syscall); 92extern int audit_classify_arch(int arch); 93/* only for compat system calls */ 94extern unsigned compat_write_class[]; 95extern unsigned compat_read_class[]; 96extern unsigned compat_dir_class[]; 97extern unsigned compat_chattr_class[]; 98extern unsigned compat_signal_class[]; 99 100extern int audit_classify_compat_syscall(int abi, unsigned syscall); 101 102/* audit_names->type values */ 103#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 104#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 105#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 106#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 107#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 108 109/* maximized args number that audit_socketcall can process */ 110#define AUDITSC_ARGS 6 111 112/* bit values for ->signal->audit_tty */ 113#define AUDIT_TTY_ENABLE BIT(0) 114#define AUDIT_TTY_LOG_PASSWD BIT(1) 115 116struct filename; 117 118extern void audit_log_session_info(struct audit_buffer *ab); 119 120#define AUDIT_OFF 0 121#define AUDIT_ON 1 122#define AUDIT_LOCKED 2 123#ifdef CONFIG_AUDIT 124/* These are defined in audit.c */ 125 /* Public API */ 126extern __printf(4, 5) 127void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 128 const char *fmt, ...); 129 130extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 131extern __printf(2, 3) 132void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 133extern void audit_log_end(struct audit_buffer *ab); 134extern bool audit_string_contains_control(const char *string, 135 size_t len); 136extern void audit_log_n_hex(struct audit_buffer *ab, 137 const unsigned char *buf, 138 size_t len); 139extern void audit_log_n_string(struct audit_buffer *ab, 140 const char *buf, 141 size_t n); 142extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 143 const char *string, 144 size_t n); 145extern void audit_log_untrustedstring(struct audit_buffer *ab, 146 const char *string); 147extern void audit_log_d_path(struct audit_buffer *ab, 148 const char *prefix, 149 const struct path *path); 150extern void audit_log_key(struct audit_buffer *ab, 151 char *key); 152extern void audit_log_link_denied(const char *operation); 153extern void audit_log_lost(const char *message); 154 155extern int audit_log_task_context(struct audit_buffer *ab); 156extern void audit_log_task_info(struct audit_buffer *ab, 157 struct task_struct *tsk); 158 159extern int audit_update_lsm_rules(void); 160 161 /* Private API (for audit.c only) */ 162extern int audit_rule_change(int type, int seq, void *data, size_t datasz); 163extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 164 165extern u32 audit_enabled; 166#else /* CONFIG_AUDIT */ 167static inline __printf(4, 5) 168void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 169 const char *fmt, ...) 170{ } 171static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 172 gfp_t gfp_mask, int type) 173{ 174 return NULL; 175} 176static inline __printf(2, 3) 177void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 178{ } 179static inline void audit_log_end(struct audit_buffer *ab) 180{ } 181static inline void audit_log_n_hex(struct audit_buffer *ab, 182 const unsigned char *buf, size_t len) 183{ } 184static inline void audit_log_n_string(struct audit_buffer *ab, 185 const char *buf, size_t n) 186{ } 187static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 188 const char *string, size_t n) 189{ } 190static inline void audit_log_untrustedstring(struct audit_buffer *ab, 191 const char *string) 192{ } 193static inline void audit_log_d_path(struct audit_buffer *ab, 194 const char *prefix, 195 const struct path *path) 196{ } 197static inline void audit_log_key(struct audit_buffer *ab, char *key) 198{ } 199static inline void audit_log_link_denied(const char *string) 200{ } 201static inline int audit_log_task_context(struct audit_buffer *ab) 202{ 203 return 0; 204} 205static inline void audit_log_task_info(struct audit_buffer *ab, 206 struct task_struct *tsk) 207{ } 208#define audit_enabled AUDIT_OFF 209#endif /* CONFIG_AUDIT */ 210 211#ifdef CONFIG_AUDIT_COMPAT_GENERIC 212#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 213#else 214#define audit_is_compat(arch) false 215#endif 216 217#ifdef CONFIG_AUDITSYSCALL 218#include <asm/syscall.h> /* for syscall_get_arch() */ 219 220/* These are defined in auditsc.c */ 221 /* Public API */ 222extern int audit_alloc(struct task_struct *task); 223extern void __audit_free(struct task_struct *task); 224extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 225 unsigned long a2, unsigned long a3); 226extern void __audit_syscall_exit(int ret_success, long ret_value); 227extern struct filename *__audit_reusename(const __user char *uptr); 228extern void __audit_getname(struct filename *name); 229 230#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 231#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 232extern void __audit_inode(struct filename *name, const struct dentry *dentry, 233 unsigned int flags); 234extern void __audit_file(const struct file *); 235extern void __audit_inode_child(struct inode *parent, 236 const struct dentry *dentry, 237 const unsigned char type); 238extern void audit_seccomp(unsigned long syscall, long signr, int code); 239extern void audit_seccomp_actions_logged(const char *names, 240 const char *old_names, int res); 241extern void __audit_ptrace(struct task_struct *t); 242 243static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 244{ 245 task->audit_context = ctx; 246} 247 248static inline struct audit_context *audit_context(void) 249{ 250 return current->audit_context; 251} 252 253static inline bool audit_dummy_context(void) 254{ 255 void *p = audit_context(); 256 return !p || *(int *)p; 257} 258static inline void audit_free(struct task_struct *task) 259{ 260 if (unlikely(task->audit_context)) 261 __audit_free(task); 262} 263static inline void audit_syscall_entry(int major, unsigned long a0, 264 unsigned long a1, unsigned long a2, 265 unsigned long a3) 266{ 267 if (unlikely(audit_context())) 268 __audit_syscall_entry(major, a0, a1, a2, a3); 269} 270static inline void audit_syscall_exit(void *pt_regs) 271{ 272 if (unlikely(audit_context())) { 273 int success = is_syscall_success(pt_regs); 274 long return_code = regs_return_value(pt_regs); 275 276 __audit_syscall_exit(success, return_code); 277 } 278} 279static inline struct filename *audit_reusename(const __user char *name) 280{ 281 if (unlikely(!audit_dummy_context())) 282 return __audit_reusename(name); 283 return NULL; 284} 285static inline void audit_getname(struct filename *name) 286{ 287 if (unlikely(!audit_dummy_context())) 288 __audit_getname(name); 289} 290static inline void audit_inode(struct filename *name, 291 const struct dentry *dentry, 292 unsigned int parent) { 293 if (unlikely(!audit_dummy_context())) { 294 unsigned int flags = 0; 295 if (parent) 296 flags |= AUDIT_INODE_PARENT; 297 __audit_inode(name, dentry, flags); 298 } 299} 300static inline void audit_file(struct file *file) 301{ 302 if (unlikely(!audit_dummy_context())) 303 __audit_file(file); 304} 305static inline void audit_inode_parent_hidden(struct filename *name, 306 const struct dentry *dentry) 307{ 308 if (unlikely(!audit_dummy_context())) 309 __audit_inode(name, dentry, 310 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 311} 312static inline void audit_inode_child(struct inode *parent, 313 const struct dentry *dentry, 314 const unsigned char type) { 315 if (unlikely(!audit_dummy_context())) 316 __audit_inode_child(parent, dentry, type); 317} 318void audit_core_dumps(long signr); 319 320static inline void audit_ptrace(struct task_struct *t) 321{ 322 if (unlikely(!audit_dummy_context())) 323 __audit_ptrace(t); 324} 325 326 /* Private API (for audit.c only) */ 327extern unsigned int audit_serial(void); 328extern int auditsc_get_stamp(struct audit_context *ctx, 329 struct timespec64 *t, unsigned int *serial); 330extern int audit_set_loginuid(kuid_t loginuid); 331 332static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 333{ 334 return tsk->loginuid; 335} 336 337static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 338{ 339 return tsk->sessionid; 340} 341 342extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 343extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 344extern void __audit_bprm(struct linux_binprm *bprm); 345extern int __audit_socketcall(int nargs, unsigned long *args); 346extern int __audit_sockaddr(int len, void *addr); 347extern void __audit_fd_pair(int fd1, int fd2); 348extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 349extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout); 350extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 351extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 352extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 353 const struct cred *new, 354 const struct cred *old); 355extern void __audit_log_capset(const struct cred *new, const struct cred *old); 356extern void __audit_mmap_fd(int fd, int flags); 357extern void __audit_log_kern_module(char *name); 358extern void __audit_fanotify(unsigned int response); 359 360static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 361{ 362 if (unlikely(!audit_dummy_context())) 363 __audit_ipc_obj(ipcp); 364} 365static inline void audit_fd_pair(int fd1, int fd2) 366{ 367 if (unlikely(!audit_dummy_context())) 368 __audit_fd_pair(fd1, fd2); 369} 370static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 371{ 372 if (unlikely(!audit_dummy_context())) 373 __audit_ipc_set_perm(qbytes, uid, gid, mode); 374} 375static inline void audit_bprm(struct linux_binprm *bprm) 376{ 377 if (unlikely(!audit_dummy_context())) 378 __audit_bprm(bprm); 379} 380static inline int audit_socketcall(int nargs, unsigned long *args) 381{ 382 if (unlikely(!audit_dummy_context())) 383 return __audit_socketcall(nargs, args); 384 return 0; 385} 386 387static inline int audit_socketcall_compat(int nargs, u32 *args) 388{ 389 unsigned long a[AUDITSC_ARGS]; 390 int i; 391 392 if (audit_dummy_context()) 393 return 0; 394 395 for (i = 0; i < nargs; i++) 396 a[i] = (unsigned long)args[i]; 397 return __audit_socketcall(nargs, a); 398} 399 400static inline int audit_sockaddr(int len, void *addr) 401{ 402 if (unlikely(!audit_dummy_context())) 403 return __audit_sockaddr(len, addr); 404 return 0; 405} 406static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 407{ 408 if (unlikely(!audit_dummy_context())) 409 __audit_mq_open(oflag, mode, attr); 410} 411static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout) 412{ 413 if (unlikely(!audit_dummy_context())) 414 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 415} 416static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 417{ 418 if (unlikely(!audit_dummy_context())) 419 __audit_mq_notify(mqdes, notification); 420} 421static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 422{ 423 if (unlikely(!audit_dummy_context())) 424 __audit_mq_getsetattr(mqdes, mqstat); 425} 426 427static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 428 const struct cred *new, 429 const struct cred *old) 430{ 431 if (unlikely(!audit_dummy_context())) 432 return __audit_log_bprm_fcaps(bprm, new, old); 433 return 0; 434} 435 436static inline void audit_log_capset(const struct cred *new, 437 const struct cred *old) 438{ 439 if (unlikely(!audit_dummy_context())) 440 __audit_log_capset(new, old); 441} 442 443static inline void audit_mmap_fd(int fd, int flags) 444{ 445 if (unlikely(!audit_dummy_context())) 446 __audit_mmap_fd(fd, flags); 447} 448 449static inline void audit_log_kern_module(char *name) 450{ 451 if (!audit_dummy_context()) 452 __audit_log_kern_module(name); 453} 454 455static inline void audit_fanotify(unsigned int response) 456{ 457 if (!audit_dummy_context()) 458 __audit_fanotify(response); 459} 460 461extern int audit_n_rules; 462extern int audit_signals; 463#else /* CONFIG_AUDITSYSCALL */ 464static inline int audit_alloc(struct task_struct *task) 465{ 466 return 0; 467} 468static inline void audit_free(struct task_struct *task) 469{ } 470static inline void audit_syscall_entry(int major, unsigned long a0, 471 unsigned long a1, unsigned long a2, 472 unsigned long a3) 473{ } 474static inline void audit_syscall_exit(void *pt_regs) 475{ } 476static inline bool audit_dummy_context(void) 477{ 478 return true; 479} 480static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 481{ } 482static inline struct audit_context *audit_context(void) 483{ 484 return NULL; 485} 486static inline struct filename *audit_reusename(const __user char *name) 487{ 488 return NULL; 489} 490static inline void audit_getname(struct filename *name) 491{ } 492static inline void __audit_inode(struct filename *name, 493 const struct dentry *dentry, 494 unsigned int flags) 495{ } 496static inline void __audit_inode_child(struct inode *parent, 497 const struct dentry *dentry, 498 const unsigned char type) 499{ } 500static inline void audit_inode(struct filename *name, 501 const struct dentry *dentry, 502 unsigned int parent) 503{ } 504static inline void audit_file(struct file *file) 505{ 506} 507static inline void audit_inode_parent_hidden(struct filename *name, 508 const struct dentry *dentry) 509{ } 510static inline void audit_inode_child(struct inode *parent, 511 const struct dentry *dentry, 512 const unsigned char type) 513{ } 514static inline void audit_core_dumps(long signr) 515{ } 516static inline void audit_seccomp(unsigned long syscall, long signr, int code) 517{ } 518static inline void audit_seccomp_actions_logged(const char *names, 519 const char *old_names, int res) 520{ } 521static inline int auditsc_get_stamp(struct audit_context *ctx, 522 struct timespec64 *t, unsigned int *serial) 523{ 524 return 0; 525} 526static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 527{ 528 return INVALID_UID; 529} 530static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 531{ 532 return AUDIT_SID_UNSET; 533} 534static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 535{ } 536static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 537 gid_t gid, umode_t mode) 538{ } 539static inline void audit_bprm(struct linux_binprm *bprm) 540{ } 541static inline int audit_socketcall(int nargs, unsigned long *args) 542{ 543 return 0; 544} 545 546static inline int audit_socketcall_compat(int nargs, u32 *args) 547{ 548 return 0; 549} 550 551static inline void audit_fd_pair(int fd1, int fd2) 552{ } 553static inline int audit_sockaddr(int len, void *addr) 554{ 555 return 0; 556} 557static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 558{ } 559static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 560 unsigned int msg_prio, 561 const struct timespec64 *abs_timeout) 562{ } 563static inline void audit_mq_notify(mqd_t mqdes, 564 const struct sigevent *notification) 565{ } 566static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 567{ } 568static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 569 const struct cred *new, 570 const struct cred *old) 571{ 572 return 0; 573} 574static inline void audit_log_capset(const struct cred *new, 575 const struct cred *old) 576{ } 577static inline void audit_mmap_fd(int fd, int flags) 578{ } 579 580static inline void audit_log_kern_module(char *name) 581{ 582} 583 584static inline void audit_fanotify(unsigned int response) 585{ } 586 587static inline void audit_ptrace(struct task_struct *t) 588{ } 589#define audit_n_rules 0 590#define audit_signals 0 591#endif /* CONFIG_AUDITSYSCALL */ 592 593static inline bool audit_loginuid_set(struct task_struct *tsk) 594{ 595 return uid_valid(audit_get_loginuid(tsk)); 596} 597 598static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 599{ 600 audit_log_n_string(ab, buf, strlen(buf)); 601} 602 603#endif