tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v4.5 17 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <uapi/linux/audit.h> 29 30#define AUDIT_INO_UNSET ((unsigned long)-1) 31#define AUDIT_DEV_UNSET ((dev_t)-1) 32 33struct audit_sig_info { 34 uid_t uid; 35 pid_t pid; 36 char ctx[0]; 37}; 38 39struct audit_buffer; 40struct audit_context; 41struct inode; 42struct netlink_skb_parms; 43struct path; 44struct linux_binprm; 45struct mq_attr; 46struct mqstat; 47struct audit_watch; 48struct audit_tree; 49struct sk_buff; 50 51struct audit_krule { 52 u32 pflags; 53 u32 flags; 54 u32 listnr; 55 u32 action; 56 u32 mask[AUDIT_BITMASK_SIZE]; 57 u32 buflen; /* for data alloc on list rules */ 58 u32 field_count; 59 char *filterkey; /* ties events to rules */ 60 struct audit_field *fields; 61 struct audit_field *arch_f; /* quick access to arch field */ 62 struct audit_field *inode_f; /* quick access to an inode field */ 63 struct audit_watch *watch; /* associated watch */ 64 struct audit_tree *tree; /* associated watched tree */ 65 struct audit_fsnotify_mark *exe; 66 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 67 struct list_head list; /* for AUDIT_LIST* purposes only */ 68 u64 prio; 69}; 70 71/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 72#define AUDIT_LOGINUID_LEGACY 0x1 73 74struct audit_field { 75 u32 type; 76 union { 77 u32 val; 78 kuid_t uid; 79 kgid_t gid; 80 struct { 81 char *lsm_str; 82 void *lsm_rule; 83 }; 84 }; 85 u32 op; 86}; 87 88extern int is_audit_feature_set(int which); 89 90extern int __init audit_register_class(int class, unsigned *list); 91extern int audit_classify_syscall(int abi, unsigned syscall); 92extern int audit_classify_arch(int arch); 93/* only for compat system calls */ 94extern unsigned compat_write_class[]; 95extern unsigned compat_read_class[]; 96extern unsigned compat_dir_class[]; 97extern unsigned compat_chattr_class[]; 98extern unsigned compat_signal_class[]; 99 100extern int audit_classify_compat_syscall(int abi, unsigned syscall); 101 102/* audit_names->type values */ 103#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 104#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 105#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 106#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 107#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 108 109/* maximized args number that audit_socketcall can process */ 110#define AUDITSC_ARGS 6 111 112struct filename; 113 114extern void audit_log_session_info(struct audit_buffer *ab); 115 116#ifdef CONFIG_AUDIT 117/* These are defined in audit.c */ 118 /* Public API */ 119extern __printf(4, 5) 120void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 121 const char *fmt, ...); 122 123extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 124extern __printf(2, 3) 125void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 126extern void audit_log_end(struct audit_buffer *ab); 127extern bool audit_string_contains_control(const char *string, 128 size_t len); 129extern void audit_log_n_hex(struct audit_buffer *ab, 130 const unsigned char *buf, 131 size_t len); 132extern void audit_log_n_string(struct audit_buffer *ab, 133 const char *buf, 134 size_t n); 135extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 136 const char *string, 137 size_t n); 138extern void audit_log_untrustedstring(struct audit_buffer *ab, 139 const char *string); 140extern void audit_log_d_path(struct audit_buffer *ab, 141 const char *prefix, 142 const struct path *path); 143extern void audit_log_key(struct audit_buffer *ab, 144 char *key); 145extern void audit_log_link_denied(const char *operation, 146 struct path *link); 147extern void audit_log_lost(const char *message); 148#ifdef CONFIG_SECURITY 149extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); 150#else 151static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 152{ } 153#endif 154 155extern int audit_log_task_context(struct audit_buffer *ab); 156extern void audit_log_task_info(struct audit_buffer *ab, 157 struct task_struct *tsk); 158 159extern int audit_update_lsm_rules(void); 160 161 /* Private API (for audit.c only) */ 162extern int audit_filter_user(int type); 163extern int audit_filter_type(int type); 164extern int audit_rule_change(int type, __u32 portid, int seq, 165 void *data, size_t datasz); 166extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 167 168extern u32 audit_enabled; 169#else /* CONFIG_AUDIT */ 170static inline __printf(4, 5) 171void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 172 const char *fmt, ...) 173{ } 174static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 175 gfp_t gfp_mask, int type) 176{ 177 return NULL; 178} 179static inline __printf(2, 3) 180void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 181{ } 182static inline void audit_log_end(struct audit_buffer *ab) 183{ } 184static inline void audit_log_n_hex(struct audit_buffer *ab, 185 const unsigned char *buf, size_t len) 186{ } 187static inline void audit_log_n_string(struct audit_buffer *ab, 188 const char *buf, size_t n) 189{ } 190static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 191 const char *string, size_t n) 192{ } 193static inline void audit_log_untrustedstring(struct audit_buffer *ab, 194 const char *string) 195{ } 196static inline void audit_log_d_path(struct audit_buffer *ab, 197 const char *prefix, 198 const struct path *path) 199{ } 200static inline void audit_log_key(struct audit_buffer *ab, char *key) 201{ } 202static inline void audit_log_link_denied(const char *string, 203 const struct path *link) 204{ } 205static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 206{ } 207static inline int audit_log_task_context(struct audit_buffer *ab) 208{ 209 return 0; 210} 211static inline void audit_log_task_info(struct audit_buffer *ab, 212 struct task_struct *tsk) 213{ } 214#define audit_enabled 0 215#endif /* CONFIG_AUDIT */ 216 217#ifdef CONFIG_AUDIT_COMPAT_GENERIC 218#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 219#else 220#define audit_is_compat(arch) false 221#endif 222 223#ifdef CONFIG_AUDITSYSCALL 224#include <asm/syscall.h> /* for syscall_get_arch() */ 225 226/* These are defined in auditsc.c */ 227 /* Public API */ 228extern int audit_alloc(struct task_struct *task); 229extern void __audit_free(struct task_struct *task); 230extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 231 unsigned long a2, unsigned long a3); 232extern void __audit_syscall_exit(int ret_success, long ret_value); 233extern struct filename *__audit_reusename(const __user char *uptr); 234extern void __audit_getname(struct filename *name); 235 236#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 237#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 238extern void __audit_inode(struct filename *name, const struct dentry *dentry, 239 unsigned int flags); 240extern void __audit_file(const struct file *); 241extern void __audit_inode_child(struct inode *parent, 242 const struct dentry *dentry, 243 const unsigned char type); 244extern void __audit_seccomp(unsigned long syscall, long signr, int code); 245extern void __audit_ptrace(struct task_struct *t); 246 247static inline bool audit_dummy_context(void) 248{ 249 void *p = current->audit_context; 250 return !p || *(int *)p; 251} 252static inline void audit_free(struct task_struct *task) 253{ 254 if (unlikely(task->audit_context)) 255 __audit_free(task); 256} 257static inline void audit_syscall_entry(int major, unsigned long a0, 258 unsigned long a1, unsigned long a2, 259 unsigned long a3) 260{ 261 if (unlikely(current->audit_context)) 262 __audit_syscall_entry(major, a0, a1, a2, a3); 263} 264static inline void audit_syscall_exit(void *pt_regs) 265{ 266 if (unlikely(current->audit_context)) { 267 int success = is_syscall_success(pt_regs); 268 long return_code = regs_return_value(pt_regs); 269 270 __audit_syscall_exit(success, return_code); 271 } 272} 273static inline struct filename *audit_reusename(const __user char *name) 274{ 275 if (unlikely(!audit_dummy_context())) 276 return __audit_reusename(name); 277 return NULL; 278} 279static inline void audit_getname(struct filename *name) 280{ 281 if (unlikely(!audit_dummy_context())) 282 __audit_getname(name); 283} 284static inline void audit_inode(struct filename *name, 285 const struct dentry *dentry, 286 unsigned int parent) { 287 if (unlikely(!audit_dummy_context())) { 288 unsigned int flags = 0; 289 if (parent) 290 flags |= AUDIT_INODE_PARENT; 291 __audit_inode(name, dentry, flags); 292 } 293} 294static inline void audit_file(struct file *file) 295{ 296 if (unlikely(!audit_dummy_context())) 297 __audit_file(file); 298} 299static inline void audit_inode_parent_hidden(struct filename *name, 300 const struct dentry *dentry) 301{ 302 if (unlikely(!audit_dummy_context())) 303 __audit_inode(name, dentry, 304 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 305} 306static inline void audit_inode_child(struct inode *parent, 307 const struct dentry *dentry, 308 const unsigned char type) { 309 if (unlikely(!audit_dummy_context())) 310 __audit_inode_child(parent, dentry, type); 311} 312void audit_core_dumps(long signr); 313 314static inline void audit_seccomp(unsigned long syscall, long signr, int code) 315{ 316 if (!audit_enabled) 317 return; 318 319 /* Force a record to be reported if a signal was delivered. */ 320 if (signr || unlikely(!audit_dummy_context())) 321 __audit_seccomp(syscall, signr, code); 322} 323 324static inline void audit_ptrace(struct task_struct *t) 325{ 326 if (unlikely(!audit_dummy_context())) 327 __audit_ptrace(t); 328} 329 330 /* Private API (for audit.c only) */ 331extern unsigned int audit_serial(void); 332extern int auditsc_get_stamp(struct audit_context *ctx, 333 struct timespec *t, unsigned int *serial); 334extern int audit_set_loginuid(kuid_t loginuid); 335 336static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 337{ 338 return tsk->loginuid; 339} 340 341static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 342{ 343 return tsk->sessionid; 344} 345 346extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 347extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 348extern void __audit_bprm(struct linux_binprm *bprm); 349extern int __audit_socketcall(int nargs, unsigned long *args); 350extern int __audit_sockaddr(int len, void *addr); 351extern void __audit_fd_pair(int fd1, int fd2); 352extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 353extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); 354extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 355extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 356extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 357 const struct cred *new, 358 const struct cred *old); 359extern void __audit_log_capset(const struct cred *new, const struct cred *old); 360extern void __audit_mmap_fd(int fd, int flags); 361 362static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 363{ 364 if (unlikely(!audit_dummy_context())) 365 __audit_ipc_obj(ipcp); 366} 367static inline void audit_fd_pair(int fd1, int fd2) 368{ 369 if (unlikely(!audit_dummy_context())) 370 __audit_fd_pair(fd1, fd2); 371} 372static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 373{ 374 if (unlikely(!audit_dummy_context())) 375 __audit_ipc_set_perm(qbytes, uid, gid, mode); 376} 377static inline void audit_bprm(struct linux_binprm *bprm) 378{ 379 if (unlikely(!audit_dummy_context())) 380 __audit_bprm(bprm); 381} 382static inline int audit_socketcall(int nargs, unsigned long *args) 383{ 384 if (unlikely(!audit_dummy_context())) 385 return __audit_socketcall(nargs, args); 386 return 0; 387} 388static inline int audit_sockaddr(int len, void *addr) 389{ 390 if (unlikely(!audit_dummy_context())) 391 return __audit_sockaddr(len, addr); 392 return 0; 393} 394static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 395{ 396 if (unlikely(!audit_dummy_context())) 397 __audit_mq_open(oflag, mode, attr); 398} 399static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) 400{ 401 if (unlikely(!audit_dummy_context())) 402 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 403} 404static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 405{ 406 if (unlikely(!audit_dummy_context())) 407 __audit_mq_notify(mqdes, notification); 408} 409static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 410{ 411 if (unlikely(!audit_dummy_context())) 412 __audit_mq_getsetattr(mqdes, mqstat); 413} 414 415static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 416 const struct cred *new, 417 const struct cred *old) 418{ 419 if (unlikely(!audit_dummy_context())) 420 return __audit_log_bprm_fcaps(bprm, new, old); 421 return 0; 422} 423 424static inline void audit_log_capset(const struct cred *new, 425 const struct cred *old) 426{ 427 if (unlikely(!audit_dummy_context())) 428 __audit_log_capset(new, old); 429} 430 431static inline void audit_mmap_fd(int fd, int flags) 432{ 433 if (unlikely(!audit_dummy_context())) 434 __audit_mmap_fd(fd, flags); 435} 436 437extern int audit_n_rules; 438extern int audit_signals; 439#else /* CONFIG_AUDITSYSCALL */ 440static inline int audit_alloc(struct task_struct *task) 441{ 442 return 0; 443} 444static inline void audit_free(struct task_struct *task) 445{ } 446static inline void audit_syscall_entry(int major, unsigned long a0, 447 unsigned long a1, unsigned long a2, 448 unsigned long a3) 449{ } 450static inline void audit_syscall_exit(void *pt_regs) 451{ } 452static inline bool audit_dummy_context(void) 453{ 454 return true; 455} 456static inline struct filename *audit_reusename(const __user char *name) 457{ 458 return NULL; 459} 460static inline void audit_getname(struct filename *name) 461{ } 462static inline void __audit_inode(struct filename *name, 463 const struct dentry *dentry, 464 unsigned int flags) 465{ } 466static inline void __audit_inode_child(struct inode *parent, 467 const struct dentry *dentry, 468 const unsigned char type) 469{ } 470static inline void audit_inode(struct filename *name, 471 const struct dentry *dentry, 472 unsigned int parent) 473{ } 474static inline void audit_file(struct file *file) 475{ 476} 477static inline void audit_inode_parent_hidden(struct filename *name, 478 const struct dentry *dentry) 479{ } 480static inline void audit_inode_child(struct inode *parent, 481 const struct dentry *dentry, 482 const unsigned char type) 483{ } 484static inline void audit_core_dumps(long signr) 485{ } 486static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 487{ } 488static inline void audit_seccomp(unsigned long syscall, long signr, int code) 489{ } 490static inline int auditsc_get_stamp(struct audit_context *ctx, 491 struct timespec *t, unsigned int *serial) 492{ 493 return 0; 494} 495static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 496{ 497 return INVALID_UID; 498} 499static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 500{ 501 return -1; 502} 503static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 504{ } 505static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 506 gid_t gid, umode_t mode) 507{ } 508static inline void audit_bprm(struct linux_binprm *bprm) 509{ } 510static inline int audit_socketcall(int nargs, unsigned long *args) 511{ 512 return 0; 513} 514static inline void audit_fd_pair(int fd1, int fd2) 515{ } 516static inline int audit_sockaddr(int len, void *addr) 517{ 518 return 0; 519} 520static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 521{ } 522static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 523 unsigned int msg_prio, 524 const struct timespec *abs_timeout) 525{ } 526static inline void audit_mq_notify(mqd_t mqdes, 527 const struct sigevent *notification) 528{ } 529static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 530{ } 531static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 532 const struct cred *new, 533 const struct cred *old) 534{ 535 return 0; 536} 537static inline void audit_log_capset(const struct cred *new, 538 const struct cred *old) 539{ } 540static inline void audit_mmap_fd(int fd, int flags) 541{ } 542static inline void audit_ptrace(struct task_struct *t) 543{ } 544#define audit_n_rules 0 545#define audit_signals 0 546#endif /* CONFIG_AUDITSYSCALL */ 547 548static inline bool audit_loginuid_set(struct task_struct *tsk) 549{ 550 return uid_valid(audit_get_loginuid(tsk)); 551} 552 553static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 554{ 555 audit_log_n_string(ab, buf, strlen(buf)); 556} 557 558#endif