tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v4.7-rc2 586 lines 18 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <uapi/linux/audit.h> 29#include <linux/tty.h> 30 31#define AUDIT_INO_UNSET ((unsigned long)-1) 32#define AUDIT_DEV_UNSET ((dev_t)-1) 33 34struct audit_sig_info { 35 uid_t uid; 36 pid_t pid; 37 char ctx[0]; 38}; 39 40struct audit_buffer; 41struct audit_context; 42struct inode; 43struct netlink_skb_parms; 44struct path; 45struct linux_binprm; 46struct mq_attr; 47struct mqstat; 48struct audit_watch; 49struct audit_tree; 50struct sk_buff; 51 52struct audit_krule { 53 u32 pflags; 54 u32 flags; 55 u32 listnr; 56 u32 action; 57 u32 mask[AUDIT_BITMASK_SIZE]; 58 u32 buflen; /* for data alloc on list rules */ 59 u32 field_count; 60 char *filterkey; /* ties events to rules */ 61 struct audit_field *fields; 62 struct audit_field *arch_f; /* quick access to arch field */ 63 struct audit_field *inode_f; /* quick access to an inode field */ 64 struct audit_watch *watch; /* associated watch */ 65 struct audit_tree *tree; /* associated watched tree */ 66 struct audit_fsnotify_mark *exe; 67 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 68 struct list_head list; /* for AUDIT_LIST* purposes only */ 69 u64 prio; 70}; 71 72/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 73#define AUDIT_LOGINUID_LEGACY 0x1 74 75struct audit_field { 76 u32 type; 77 union { 78 u32 val; 79 kuid_t uid; 80 kgid_t gid; 81 struct { 82 char *lsm_str; 83 void *lsm_rule; 84 }; 85 }; 86 u32 op; 87}; 88 89extern int is_audit_feature_set(int which); 90 91extern int __init audit_register_class(int class, unsigned *list); 92extern int audit_classify_syscall(int abi, unsigned syscall); 93extern int audit_classify_arch(int arch); 94/* only for compat system calls */ 95extern unsigned compat_write_class[]; 96extern unsigned compat_read_class[]; 97extern unsigned compat_dir_class[]; 98extern unsigned compat_chattr_class[]; 99extern unsigned compat_signal_class[]; 100 101extern int audit_classify_compat_syscall(int abi, unsigned syscall); 102 103/* audit_names->type values */ 104#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 105#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 106#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 107#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 108#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 109 110/* maximized args number that audit_socketcall can process */ 111#define AUDITSC_ARGS 6 112 113/* bit values for ->signal->audit_tty */ 114#define AUDIT_TTY_ENABLE BIT(0) 115#define AUDIT_TTY_LOG_PASSWD BIT(1) 116 117struct filename; 118 119extern void audit_log_session_info(struct audit_buffer *ab); 120 121#ifdef CONFIG_AUDIT 122/* These are defined in audit.c */ 123 /* Public API */ 124extern __printf(4, 5) 125void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 126 const char *fmt, ...); 127 128extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 129extern __printf(2, 3) 130void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 131extern void audit_log_end(struct audit_buffer *ab); 132extern bool audit_string_contains_control(const char *string, 133 size_t len); 134extern void audit_log_n_hex(struct audit_buffer *ab, 135 const unsigned char *buf, 136 size_t len); 137extern void audit_log_n_string(struct audit_buffer *ab, 138 const char *buf, 139 size_t n); 140extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 141 const char *string, 142 size_t n); 143extern void audit_log_untrustedstring(struct audit_buffer *ab, 144 const char *string); 145extern void audit_log_d_path(struct audit_buffer *ab, 146 const char *prefix, 147 const struct path *path); 148extern void audit_log_key(struct audit_buffer *ab, 149 char *key); 150extern void audit_log_link_denied(const char *operation, 151 struct path *link); 152extern void audit_log_lost(const char *message); 153#ifdef CONFIG_SECURITY 154extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); 155#else 156static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 157{ } 158#endif 159 160extern int audit_log_task_context(struct audit_buffer *ab); 161extern void audit_log_task_info(struct audit_buffer *ab, 162 struct task_struct *tsk); 163 164extern int audit_update_lsm_rules(void); 165 166 /* Private API (for audit.c only) */ 167extern int audit_filter_user(int type); 168extern int audit_filter_type(int type); 169extern int audit_rule_change(int type, __u32 portid, int seq, 170 void *data, size_t datasz); 171extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 172 173extern u32 audit_enabled; 174#else /* CONFIG_AUDIT */ 175static inline __printf(4, 5) 176void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 177 const char *fmt, ...) 178{ } 179static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 180 gfp_t gfp_mask, int type) 181{ 182 return NULL; 183} 184static inline __printf(2, 3) 185void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 186{ } 187static inline void audit_log_end(struct audit_buffer *ab) 188{ } 189static inline void audit_log_n_hex(struct audit_buffer *ab, 190 const unsigned char *buf, size_t len) 191{ } 192static inline void audit_log_n_string(struct audit_buffer *ab, 193 const char *buf, size_t n) 194{ } 195static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 196 const char *string, size_t n) 197{ } 198static inline void audit_log_untrustedstring(struct audit_buffer *ab, 199 const char *string) 200{ } 201static inline void audit_log_d_path(struct audit_buffer *ab, 202 const char *prefix, 203 const struct path *path) 204{ } 205static inline void audit_log_key(struct audit_buffer *ab, char *key) 206{ } 207static inline void audit_log_link_denied(const char *string, 208 const struct path *link) 209{ } 210static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 211{ } 212static inline int audit_log_task_context(struct audit_buffer *ab) 213{ 214 return 0; 215} 216static inline void audit_log_task_info(struct audit_buffer *ab, 217 struct task_struct *tsk) 218{ } 219#define audit_enabled 0 220#endif /* CONFIG_AUDIT */ 221 222#ifdef CONFIG_AUDIT_COMPAT_GENERIC 223#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 224#else 225#define audit_is_compat(arch) false 226#endif 227 228#ifdef CONFIG_AUDITSYSCALL 229#include <asm/syscall.h> /* for syscall_get_arch() */ 230 231/* These are defined in auditsc.c */ 232 /* Public API */ 233extern int audit_alloc(struct task_struct *task); 234extern void __audit_free(struct task_struct *task); 235extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 236 unsigned long a2, unsigned long a3); 237extern void __audit_syscall_exit(int ret_success, long ret_value); 238extern struct filename *__audit_reusename(const __user char *uptr); 239extern void __audit_getname(struct filename *name); 240 241#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 242#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 243extern void __audit_inode(struct filename *name, const struct dentry *dentry, 244 unsigned int flags); 245extern void __audit_file(const struct file *); 246extern void __audit_inode_child(struct inode *parent, 247 const struct dentry *dentry, 248 const unsigned char type); 249extern void __audit_seccomp(unsigned long syscall, long signr, int code); 250extern void __audit_ptrace(struct task_struct *t); 251 252static inline bool audit_dummy_context(void) 253{ 254 void *p = current->audit_context; 255 return !p || *(int *)p; 256} 257static inline void audit_free(struct task_struct *task) 258{ 259 if (unlikely(task->audit_context)) 260 __audit_free(task); 261} 262static inline void audit_syscall_entry(int major, unsigned long a0, 263 unsigned long a1, unsigned long a2, 264 unsigned long a3) 265{ 266 if (unlikely(current->audit_context)) 267 __audit_syscall_entry(major, a0, a1, a2, a3); 268} 269static inline void audit_syscall_exit(void *pt_regs) 270{ 271 if (unlikely(current->audit_context)) { 272 int success = is_syscall_success(pt_regs); 273 long return_code = regs_return_value(pt_regs); 274 275 __audit_syscall_exit(success, return_code); 276 } 277} 278static inline struct filename *audit_reusename(const __user char *name) 279{ 280 if (unlikely(!audit_dummy_context())) 281 return __audit_reusename(name); 282 return NULL; 283} 284static inline void audit_getname(struct filename *name) 285{ 286 if (unlikely(!audit_dummy_context())) 287 __audit_getname(name); 288} 289static inline void audit_inode(struct filename *name, 290 const struct dentry *dentry, 291 unsigned int parent) { 292 if (unlikely(!audit_dummy_context())) { 293 unsigned int flags = 0; 294 if (parent) 295 flags |= AUDIT_INODE_PARENT; 296 __audit_inode(name, dentry, flags); 297 } 298} 299static inline void audit_file(struct file *file) 300{ 301 if (unlikely(!audit_dummy_context())) 302 __audit_file(file); 303} 304static inline void audit_inode_parent_hidden(struct filename *name, 305 const struct dentry *dentry) 306{ 307 if (unlikely(!audit_dummy_context())) 308 __audit_inode(name, dentry, 309 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 310} 311static inline void audit_inode_child(struct inode *parent, 312 const struct dentry *dentry, 313 const unsigned char type) { 314 if (unlikely(!audit_dummy_context())) 315 __audit_inode_child(parent, dentry, type); 316} 317void audit_core_dumps(long signr); 318 319static inline void audit_seccomp(unsigned long syscall, long signr, int code) 320{ 321 if (!audit_enabled) 322 return; 323 324 /* Force a record to be reported if a signal was delivered. */ 325 if (signr || unlikely(!audit_dummy_context())) 326 __audit_seccomp(syscall, signr, code); 327} 328 329static inline void audit_ptrace(struct task_struct *t) 330{ 331 if (unlikely(!audit_dummy_context())) 332 __audit_ptrace(t); 333} 334 335 /* Private API (for audit.c only) */ 336extern unsigned int audit_serial(void); 337extern int auditsc_get_stamp(struct audit_context *ctx, 338 struct timespec *t, unsigned int *serial); 339extern int audit_set_loginuid(kuid_t loginuid); 340 341static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 342{ 343 return tsk->loginuid; 344} 345 346static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 347{ 348 return tsk->sessionid; 349} 350 351static inline struct tty_struct *audit_get_tty(struct task_struct *tsk) 352{ 353 struct tty_struct *tty = NULL; 354 unsigned long flags; 355 356 spin_lock_irqsave(&tsk->sighand->siglock, flags); 357 if (tsk->signal) 358 tty = tty_kref_get(tsk->signal->tty); 359 spin_unlock_irqrestore(&tsk->sighand->siglock, flags); 360 return tty; 361} 362 363static inline void audit_put_tty(struct tty_struct *tty) 364{ 365 tty_kref_put(tty); 366} 367 368extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 369extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 370extern void __audit_bprm(struct linux_binprm *bprm); 371extern int __audit_socketcall(int nargs, unsigned long *args); 372extern int __audit_sockaddr(int len, void *addr); 373extern void __audit_fd_pair(int fd1, int fd2); 374extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 375extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); 376extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 377extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 378extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 379 const struct cred *new, 380 const struct cred *old); 381extern void __audit_log_capset(const struct cred *new, const struct cred *old); 382extern void __audit_mmap_fd(int fd, int flags); 383 384static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 385{ 386 if (unlikely(!audit_dummy_context())) 387 __audit_ipc_obj(ipcp); 388} 389static inline void audit_fd_pair(int fd1, int fd2) 390{ 391 if (unlikely(!audit_dummy_context())) 392 __audit_fd_pair(fd1, fd2); 393} 394static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 395{ 396 if (unlikely(!audit_dummy_context())) 397 __audit_ipc_set_perm(qbytes, uid, gid, mode); 398} 399static inline void audit_bprm(struct linux_binprm *bprm) 400{ 401 if (unlikely(!audit_dummy_context())) 402 __audit_bprm(bprm); 403} 404static inline int audit_socketcall(int nargs, unsigned long *args) 405{ 406 if (unlikely(!audit_dummy_context())) 407 return __audit_socketcall(nargs, args); 408 return 0; 409} 410static inline int audit_sockaddr(int len, void *addr) 411{ 412 if (unlikely(!audit_dummy_context())) 413 return __audit_sockaddr(len, addr); 414 return 0; 415} 416static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 417{ 418 if (unlikely(!audit_dummy_context())) 419 __audit_mq_open(oflag, mode, attr); 420} 421static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) 422{ 423 if (unlikely(!audit_dummy_context())) 424 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 425} 426static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 427{ 428 if (unlikely(!audit_dummy_context())) 429 __audit_mq_notify(mqdes, notification); 430} 431static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 432{ 433 if (unlikely(!audit_dummy_context())) 434 __audit_mq_getsetattr(mqdes, mqstat); 435} 436 437static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 438 const struct cred *new, 439 const struct cred *old) 440{ 441 if (unlikely(!audit_dummy_context())) 442 return __audit_log_bprm_fcaps(bprm, new, old); 443 return 0; 444} 445 446static inline void audit_log_capset(const struct cred *new, 447 const struct cred *old) 448{ 449 if (unlikely(!audit_dummy_context())) 450 __audit_log_capset(new, old); 451} 452 453static inline void audit_mmap_fd(int fd, int flags) 454{ 455 if (unlikely(!audit_dummy_context())) 456 __audit_mmap_fd(fd, flags); 457} 458 459extern int audit_n_rules; 460extern int audit_signals; 461#else /* CONFIG_AUDITSYSCALL */ 462static inline int audit_alloc(struct task_struct *task) 463{ 464 return 0; 465} 466static inline void audit_free(struct task_struct *task) 467{ } 468static inline void audit_syscall_entry(int major, unsigned long a0, 469 unsigned long a1, unsigned long a2, 470 unsigned long a3) 471{ } 472static inline void audit_syscall_exit(void *pt_regs) 473{ } 474static inline bool audit_dummy_context(void) 475{ 476 return true; 477} 478static inline struct filename *audit_reusename(const __user char *name) 479{ 480 return NULL; 481} 482static inline void audit_getname(struct filename *name) 483{ } 484static inline void __audit_inode(struct filename *name, 485 const struct dentry *dentry, 486 unsigned int flags) 487{ } 488static inline void __audit_inode_child(struct inode *parent, 489 const struct dentry *dentry, 490 const unsigned char type) 491{ } 492static inline void audit_inode(struct filename *name, 493 const struct dentry *dentry, 494 unsigned int parent) 495{ } 496static inline void audit_file(struct file *file) 497{ 498} 499static inline void audit_inode_parent_hidden(struct filename *name, 500 const struct dentry *dentry) 501{ } 502static inline void audit_inode_child(struct inode *parent, 503 const struct dentry *dentry, 504 const unsigned char type) 505{ } 506static inline void audit_core_dumps(long signr) 507{ } 508static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 509{ } 510static inline void audit_seccomp(unsigned long syscall, long signr, int code) 511{ } 512static inline int auditsc_get_stamp(struct audit_context *ctx, 513 struct timespec *t, unsigned int *serial) 514{ 515 return 0; 516} 517static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 518{ 519 return INVALID_UID; 520} 521static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 522{ 523 return -1; 524} 525static inline struct tty_struct *audit_get_tty(struct task_struct *tsk) 526{ 527 return NULL; 528} 529static inline void audit_put_tty(struct tty_struct *tty) 530{ } 531static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 532{ } 533static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 534 gid_t gid, umode_t mode) 535{ } 536static inline void audit_bprm(struct linux_binprm *bprm) 537{ } 538static inline int audit_socketcall(int nargs, unsigned long *args) 539{ 540 return 0; 541} 542static inline void audit_fd_pair(int fd1, int fd2) 543{ } 544static inline int audit_sockaddr(int len, void *addr) 545{ 546 return 0; 547} 548static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 549{ } 550static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 551 unsigned int msg_prio, 552 const struct timespec *abs_timeout) 553{ } 554static inline void audit_mq_notify(mqd_t mqdes, 555 const struct sigevent *notification) 556{ } 557static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 558{ } 559static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 560 const struct cred *new, 561 const struct cred *old) 562{ 563 return 0; 564} 565static inline void audit_log_capset(const struct cred *new, 566 const struct cred *old) 567{ } 568static inline void audit_mmap_fd(int fd, int flags) 569{ } 570static inline void audit_ptrace(struct task_struct *t) 571{ } 572#define audit_n_rules 0 573#define audit_signals 0 574#endif /* CONFIG_AUDITSYSCALL */ 575 576static inline bool audit_loginuid_set(struct task_struct *tsk) 577{ 578 return uid_valid(audit_get_loginuid(tsk)); 579} 580 581static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 582{ 583 audit_log_n_string(ab, buf, strlen(buf)); 584} 585 586#endif