tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v5.1 18 kB view raw
1/* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23#ifndef _LINUX_AUDIT_H_ 24#define _LINUX_AUDIT_H_ 25 26#include <linux/sched.h> 27#include <linux/ptrace.h> 28#include <linux/namei.h> /* LOOKUP_* */ 29#include <uapi/linux/audit.h> 30 31#define AUDIT_INO_UNSET ((unsigned long)-1) 32#define AUDIT_DEV_UNSET ((dev_t)-1) 33 34struct audit_sig_info { 35 uid_t uid; 36 pid_t pid; 37 char ctx[0]; 38}; 39 40struct audit_buffer; 41struct audit_context; 42struct inode; 43struct netlink_skb_parms; 44struct path; 45struct linux_binprm; 46struct mq_attr; 47struct mqstat; 48struct audit_watch; 49struct audit_tree; 50struct sk_buff; 51 52struct audit_krule { 53 u32 pflags; 54 u32 flags; 55 u32 listnr; 56 u32 action; 57 u32 mask[AUDIT_BITMASK_SIZE]; 58 u32 buflen; /* for data alloc on list rules */ 59 u32 field_count; 60 char *filterkey; /* ties events to rules */ 61 struct audit_field *fields; 62 struct audit_field *arch_f; /* quick access to arch field */ 63 struct audit_field *inode_f; /* quick access to an inode field */ 64 struct audit_watch *watch; /* associated watch */ 65 struct audit_tree *tree; /* associated watched tree */ 66 struct audit_fsnotify_mark *exe; 67 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 68 struct list_head list; /* for AUDIT_LIST* purposes only */ 69 u64 prio; 70}; 71 72/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 73#define AUDIT_LOGINUID_LEGACY 0x1 74 75struct audit_field { 76 u32 type; 77 union { 78 u32 val; 79 kuid_t uid; 80 kgid_t gid; 81 struct { 82 char *lsm_str; 83 void *lsm_rule; 84 }; 85 }; 86 u32 op; 87}; 88 89extern int is_audit_feature_set(int which); 90 91extern int __init audit_register_class(int class, unsigned *list); 92extern int audit_classify_syscall(int abi, unsigned syscall); 93extern int audit_classify_arch(int arch); 94/* only for compat system calls */ 95extern unsigned compat_write_class[]; 96extern unsigned compat_read_class[]; 97extern unsigned compat_dir_class[]; 98extern unsigned compat_chattr_class[]; 99extern unsigned compat_signal_class[]; 100 101extern int audit_classify_compat_syscall(int abi, unsigned syscall); 102 103/* audit_names->type values */ 104#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 105#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 106#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 107#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 108#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 109 110/* maximized args number that audit_socketcall can process */ 111#define AUDITSC_ARGS 6 112 113/* bit values for ->signal->audit_tty */ 114#define AUDIT_TTY_ENABLE BIT(0) 115#define AUDIT_TTY_LOG_PASSWD BIT(1) 116 117struct filename; 118 119#define AUDIT_OFF 0 120#define AUDIT_ON 1 121#define AUDIT_LOCKED 2 122#ifdef CONFIG_AUDIT 123/* These are defined in audit.c */ 124 /* Public API */ 125extern __printf(4, 5) 126void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 127 const char *fmt, ...); 128 129extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 130extern __printf(2, 3) 131void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 132extern void audit_log_end(struct audit_buffer *ab); 133extern bool audit_string_contains_control(const char *string, 134 size_t len); 135extern void audit_log_n_hex(struct audit_buffer *ab, 136 const unsigned char *buf, 137 size_t len); 138extern void audit_log_n_string(struct audit_buffer *ab, 139 const char *buf, 140 size_t n); 141extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 142 const char *string, 143 size_t n); 144extern void audit_log_untrustedstring(struct audit_buffer *ab, 145 const char *string); 146extern void audit_log_d_path(struct audit_buffer *ab, 147 const char *prefix, 148 const struct path *path); 149extern void audit_log_key(struct audit_buffer *ab, 150 char *key); 151extern void audit_log_link_denied(const char *operation); 152extern void audit_log_lost(const char *message); 153 154extern int audit_log_task_context(struct audit_buffer *ab); 155extern void audit_log_task_info(struct audit_buffer *ab); 156 157extern int audit_update_lsm_rules(void); 158 159 /* Private API (for audit.c only) */ 160extern int audit_rule_change(int type, int seq, void *data, size_t datasz); 161extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 162 163extern int audit_set_loginuid(kuid_t loginuid); 164 165static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 166{ 167 return tsk->loginuid; 168} 169 170static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 171{ 172 return tsk->sessionid; 173} 174 175extern u32 audit_enabled; 176#else /* CONFIG_AUDIT */ 177static inline __printf(4, 5) 178void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 179 const char *fmt, ...) 180{ } 181static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 182 gfp_t gfp_mask, int type) 183{ 184 return NULL; 185} 186static inline __printf(2, 3) 187void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 188{ } 189static inline void audit_log_end(struct audit_buffer *ab) 190{ } 191static inline void audit_log_n_hex(struct audit_buffer *ab, 192 const unsigned char *buf, size_t len) 193{ } 194static inline void audit_log_n_string(struct audit_buffer *ab, 195 const char *buf, size_t n) 196{ } 197static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 198 const char *string, size_t n) 199{ } 200static inline void audit_log_untrustedstring(struct audit_buffer *ab, 201 const char *string) 202{ } 203static inline void audit_log_d_path(struct audit_buffer *ab, 204 const char *prefix, 205 const struct path *path) 206{ } 207static inline void audit_log_key(struct audit_buffer *ab, char *key) 208{ } 209static inline void audit_log_link_denied(const char *string) 210{ } 211static inline int audit_log_task_context(struct audit_buffer *ab) 212{ 213 return 0; 214} 215static inline void audit_log_task_info(struct audit_buffer *ab) 216{ } 217 218static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 219{ 220 return INVALID_UID; 221} 222 223static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 224{ 225 return AUDIT_SID_UNSET; 226} 227 228#define audit_enabled AUDIT_OFF 229#endif /* CONFIG_AUDIT */ 230 231#ifdef CONFIG_AUDIT_COMPAT_GENERIC 232#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 233#else 234#define audit_is_compat(arch) false 235#endif 236 237#ifdef CONFIG_AUDITSYSCALL 238#include <asm/syscall.h> /* for syscall_get_arch() */ 239 240/* These are defined in auditsc.c */ 241 /* Public API */ 242extern int audit_alloc(struct task_struct *task); 243extern void __audit_free(struct task_struct *task); 244extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 245 unsigned long a2, unsigned long a3); 246extern void __audit_syscall_exit(int ret_success, long ret_value); 247extern struct filename *__audit_reusename(const __user char *uptr); 248extern void __audit_getname(struct filename *name); 249 250#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 251#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 252#define AUDIT_INODE_NOEVAL 4 /* audit record incomplete */ 253extern void __audit_inode(struct filename *name, const struct dentry *dentry, 254 unsigned int flags); 255extern void __audit_file(const struct file *); 256extern void __audit_inode_child(struct inode *parent, 257 const struct dentry *dentry, 258 const unsigned char type); 259extern void audit_seccomp(unsigned long syscall, long signr, int code); 260extern void audit_seccomp_actions_logged(const char *names, 261 const char *old_names, int res); 262extern void __audit_ptrace(struct task_struct *t); 263 264static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 265{ 266 task->audit_context = ctx; 267} 268 269static inline struct audit_context *audit_context(void) 270{ 271 return current->audit_context; 272} 273 274static inline bool audit_dummy_context(void) 275{ 276 void *p = audit_context(); 277 return !p || *(int *)p; 278} 279static inline void audit_free(struct task_struct *task) 280{ 281 if (unlikely(task->audit_context)) 282 __audit_free(task); 283} 284static inline void audit_syscall_entry(int major, unsigned long a0, 285 unsigned long a1, unsigned long a2, 286 unsigned long a3) 287{ 288 if (unlikely(audit_context())) 289 __audit_syscall_entry(major, a0, a1, a2, a3); 290} 291static inline void audit_syscall_exit(void *pt_regs) 292{ 293 if (unlikely(audit_context())) { 294 int success = is_syscall_success(pt_regs); 295 long return_code = regs_return_value(pt_regs); 296 297 __audit_syscall_exit(success, return_code); 298 } 299} 300static inline struct filename *audit_reusename(const __user char *name) 301{ 302 if (unlikely(!audit_dummy_context())) 303 return __audit_reusename(name); 304 return NULL; 305} 306static inline void audit_getname(struct filename *name) 307{ 308 if (unlikely(!audit_dummy_context())) 309 __audit_getname(name); 310} 311static inline void audit_inode(struct filename *name, 312 const struct dentry *dentry, 313 unsigned int flags) { 314 if (unlikely(!audit_dummy_context())) { 315 unsigned int aflags = 0; 316 317 if (flags & LOOKUP_PARENT) 318 aflags |= AUDIT_INODE_PARENT; 319 if (flags & LOOKUP_NO_EVAL) 320 aflags |= AUDIT_INODE_NOEVAL; 321 __audit_inode(name, dentry, aflags); 322 } 323} 324static inline void audit_file(struct file *file) 325{ 326 if (unlikely(!audit_dummy_context())) 327 __audit_file(file); 328} 329static inline void audit_inode_parent_hidden(struct filename *name, 330 const struct dentry *dentry) 331{ 332 if (unlikely(!audit_dummy_context())) 333 __audit_inode(name, dentry, 334 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 335} 336static inline void audit_inode_child(struct inode *parent, 337 const struct dentry *dentry, 338 const unsigned char type) { 339 if (unlikely(!audit_dummy_context())) 340 __audit_inode_child(parent, dentry, type); 341} 342void audit_core_dumps(long signr); 343 344static inline void audit_ptrace(struct task_struct *t) 345{ 346 if (unlikely(!audit_dummy_context())) 347 __audit_ptrace(t); 348} 349 350 /* Private API (for audit.c only) */ 351extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 352extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 353extern void __audit_bprm(struct linux_binprm *bprm); 354extern int __audit_socketcall(int nargs, unsigned long *args); 355extern int __audit_sockaddr(int len, void *addr); 356extern void __audit_fd_pair(int fd1, int fd2); 357extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 358extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout); 359extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 360extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 361extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 362 const struct cred *new, 363 const struct cred *old); 364extern void __audit_log_capset(const struct cred *new, const struct cred *old); 365extern void __audit_mmap_fd(int fd, int flags); 366extern void __audit_log_kern_module(char *name); 367extern void __audit_fanotify(unsigned int response); 368 369static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 370{ 371 if (unlikely(!audit_dummy_context())) 372 __audit_ipc_obj(ipcp); 373} 374static inline void audit_fd_pair(int fd1, int fd2) 375{ 376 if (unlikely(!audit_dummy_context())) 377 __audit_fd_pair(fd1, fd2); 378} 379static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 380{ 381 if (unlikely(!audit_dummy_context())) 382 __audit_ipc_set_perm(qbytes, uid, gid, mode); 383} 384static inline void audit_bprm(struct linux_binprm *bprm) 385{ 386 if (unlikely(!audit_dummy_context())) 387 __audit_bprm(bprm); 388} 389static inline int audit_socketcall(int nargs, unsigned long *args) 390{ 391 if (unlikely(!audit_dummy_context())) 392 return __audit_socketcall(nargs, args); 393 return 0; 394} 395 396static inline int audit_socketcall_compat(int nargs, u32 *args) 397{ 398 unsigned long a[AUDITSC_ARGS]; 399 int i; 400 401 if (audit_dummy_context()) 402 return 0; 403 404 for (i = 0; i < nargs; i++) 405 a[i] = (unsigned long)args[i]; 406 return __audit_socketcall(nargs, a); 407} 408 409static inline int audit_sockaddr(int len, void *addr) 410{ 411 if (unlikely(!audit_dummy_context())) 412 return __audit_sockaddr(len, addr); 413 return 0; 414} 415static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 416{ 417 if (unlikely(!audit_dummy_context())) 418 __audit_mq_open(oflag, mode, attr); 419} 420static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout) 421{ 422 if (unlikely(!audit_dummy_context())) 423 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 424} 425static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 426{ 427 if (unlikely(!audit_dummy_context())) 428 __audit_mq_notify(mqdes, notification); 429} 430static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 431{ 432 if (unlikely(!audit_dummy_context())) 433 __audit_mq_getsetattr(mqdes, mqstat); 434} 435 436static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 437 const struct cred *new, 438 const struct cred *old) 439{ 440 if (unlikely(!audit_dummy_context())) 441 return __audit_log_bprm_fcaps(bprm, new, old); 442 return 0; 443} 444 445static inline void audit_log_capset(const struct cred *new, 446 const struct cred *old) 447{ 448 if (unlikely(!audit_dummy_context())) 449 __audit_log_capset(new, old); 450} 451 452static inline void audit_mmap_fd(int fd, int flags) 453{ 454 if (unlikely(!audit_dummy_context())) 455 __audit_mmap_fd(fd, flags); 456} 457 458static inline void audit_log_kern_module(char *name) 459{ 460 if (!audit_dummy_context()) 461 __audit_log_kern_module(name); 462} 463 464static inline void audit_fanotify(unsigned int response) 465{ 466 if (!audit_dummy_context()) 467 __audit_fanotify(response); 468} 469 470extern int audit_n_rules; 471extern int audit_signals; 472#else /* CONFIG_AUDITSYSCALL */ 473static inline int audit_alloc(struct task_struct *task) 474{ 475 return 0; 476} 477static inline void audit_free(struct task_struct *task) 478{ } 479static inline void audit_syscall_entry(int major, unsigned long a0, 480 unsigned long a1, unsigned long a2, 481 unsigned long a3) 482{ } 483static inline void audit_syscall_exit(void *pt_regs) 484{ } 485static inline bool audit_dummy_context(void) 486{ 487 return true; 488} 489static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 490{ } 491static inline struct audit_context *audit_context(void) 492{ 493 return NULL; 494} 495static inline struct filename *audit_reusename(const __user char *name) 496{ 497 return NULL; 498} 499static inline void audit_getname(struct filename *name) 500{ } 501static inline void __audit_inode(struct filename *name, 502 const struct dentry *dentry, 503 unsigned int flags) 504{ } 505static inline void __audit_inode_child(struct inode *parent, 506 const struct dentry *dentry, 507 const unsigned char type) 508{ } 509static inline void audit_inode(struct filename *name, 510 const struct dentry *dentry, 511 unsigned int parent) 512{ } 513static inline void audit_file(struct file *file) 514{ 515} 516static inline void audit_inode_parent_hidden(struct filename *name, 517 const struct dentry *dentry) 518{ } 519static inline void audit_inode_child(struct inode *parent, 520 const struct dentry *dentry, 521 const unsigned char type) 522{ } 523static inline void audit_core_dumps(long signr) 524{ } 525static inline void audit_seccomp(unsigned long syscall, long signr, int code) 526{ } 527static inline void audit_seccomp_actions_logged(const char *names, 528 const char *old_names, int res) 529{ } 530static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 531{ } 532static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 533 gid_t gid, umode_t mode) 534{ } 535static inline void audit_bprm(struct linux_binprm *bprm) 536{ } 537static inline int audit_socketcall(int nargs, unsigned long *args) 538{ 539 return 0; 540} 541 542static inline int audit_socketcall_compat(int nargs, u32 *args) 543{ 544 return 0; 545} 546 547static inline void audit_fd_pair(int fd1, int fd2) 548{ } 549static inline int audit_sockaddr(int len, void *addr) 550{ 551 return 0; 552} 553static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 554{ } 555static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 556 unsigned int msg_prio, 557 const struct timespec64 *abs_timeout) 558{ } 559static inline void audit_mq_notify(mqd_t mqdes, 560 const struct sigevent *notification) 561{ } 562static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 563{ } 564static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 565 const struct cred *new, 566 const struct cred *old) 567{ 568 return 0; 569} 570static inline void audit_log_capset(const struct cred *new, 571 const struct cred *old) 572{ } 573static inline void audit_mmap_fd(int fd, int flags) 574{ } 575 576static inline void audit_log_kern_module(char *name) 577{ 578} 579 580static inline void audit_fanotify(unsigned int response) 581{ } 582 583static inline void audit_ptrace(struct task_struct *t) 584{ } 585#define audit_n_rules 0 586#define audit_signals 0 587#endif /* CONFIG_AUDITSYSCALL */ 588 589static inline bool audit_loginuid_set(struct task_struct *tsk) 590{ 591 return uid_valid(audit_get_loginuid(tsk)); 592} 593 594static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 595{ 596 audit_log_n_string(ab, buf, strlen(buf)); 597} 598 599#endif