tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v5.15 19 kB view raw
1/* SPDX-License-Identifier: GPL-2.0-or-later */ 2/* audit.h -- Auditing support 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * All Rights Reserved. 6 * 7 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 8 */ 9#ifndef _LINUX_AUDIT_H_ 10#define _LINUX_AUDIT_H_ 11 12#include <linux/sched.h> 13#include <linux/ptrace.h> 14#include <uapi/linux/audit.h> 15#include <uapi/linux/netfilter/nf_tables.h> 16 17#define AUDIT_INO_UNSET ((unsigned long)-1) 18#define AUDIT_DEV_UNSET ((dev_t)-1) 19 20struct audit_sig_info { 21 uid_t uid; 22 pid_t pid; 23 char ctx[]; 24}; 25 26struct audit_buffer; 27struct audit_context; 28struct inode; 29struct netlink_skb_parms; 30struct path; 31struct linux_binprm; 32struct mq_attr; 33struct mqstat; 34struct audit_watch; 35struct audit_tree; 36struct sk_buff; 37 38struct audit_krule { 39 u32 pflags; 40 u32 flags; 41 u32 listnr; 42 u32 action; 43 u32 mask[AUDIT_BITMASK_SIZE]; 44 u32 buflen; /* for data alloc on list rules */ 45 u32 field_count; 46 char *filterkey; /* ties events to rules */ 47 struct audit_field *fields; 48 struct audit_field *arch_f; /* quick access to arch field */ 49 struct audit_field *inode_f; /* quick access to an inode field */ 50 struct audit_watch *watch; /* associated watch */ 51 struct audit_tree *tree; /* associated watched tree */ 52 struct audit_fsnotify_mark *exe; 53 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 54 struct list_head list; /* for AUDIT_LIST* purposes only */ 55 u64 prio; 56}; 57 58/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 59#define AUDIT_LOGINUID_LEGACY 0x1 60 61struct audit_field { 62 u32 type; 63 union { 64 u32 val; 65 kuid_t uid; 66 kgid_t gid; 67 struct { 68 char *lsm_str; 69 void *lsm_rule; 70 }; 71 }; 72 u32 op; 73}; 74 75enum audit_ntp_type { 76 AUDIT_NTP_OFFSET, 77 AUDIT_NTP_FREQ, 78 AUDIT_NTP_STATUS, 79 AUDIT_NTP_TAI, 80 AUDIT_NTP_TICK, 81 AUDIT_NTP_ADJUST, 82 83 AUDIT_NTP_NVALS /* count */ 84}; 85 86#ifdef CONFIG_AUDITSYSCALL 87struct audit_ntp_val { 88 long long oldval, newval; 89}; 90 91struct audit_ntp_data { 92 struct audit_ntp_val vals[AUDIT_NTP_NVALS]; 93}; 94#else 95struct audit_ntp_data {}; 96#endif 97 98enum audit_nfcfgop { 99 AUDIT_XT_OP_REGISTER, 100 AUDIT_XT_OP_REPLACE, 101 AUDIT_XT_OP_UNREGISTER, 102 AUDIT_NFT_OP_TABLE_REGISTER, 103 AUDIT_NFT_OP_TABLE_UNREGISTER, 104 AUDIT_NFT_OP_CHAIN_REGISTER, 105 AUDIT_NFT_OP_CHAIN_UNREGISTER, 106 AUDIT_NFT_OP_RULE_REGISTER, 107 AUDIT_NFT_OP_RULE_UNREGISTER, 108 AUDIT_NFT_OP_SET_REGISTER, 109 AUDIT_NFT_OP_SET_UNREGISTER, 110 AUDIT_NFT_OP_SETELEM_REGISTER, 111 AUDIT_NFT_OP_SETELEM_UNREGISTER, 112 AUDIT_NFT_OP_GEN_REGISTER, 113 AUDIT_NFT_OP_OBJ_REGISTER, 114 AUDIT_NFT_OP_OBJ_UNREGISTER, 115 AUDIT_NFT_OP_OBJ_RESET, 116 AUDIT_NFT_OP_FLOWTABLE_REGISTER, 117 AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 118 AUDIT_NFT_OP_INVALID, 119}; 120 121extern int is_audit_feature_set(int which); 122 123extern int __init audit_register_class(int class, unsigned *list); 124extern int audit_classify_syscall(int abi, unsigned syscall); 125extern int audit_classify_arch(int arch); 126/* only for compat system calls */ 127extern unsigned compat_write_class[]; 128extern unsigned compat_read_class[]; 129extern unsigned compat_dir_class[]; 130extern unsigned compat_chattr_class[]; 131extern unsigned compat_signal_class[]; 132 133extern int audit_classify_compat_syscall(int abi, unsigned syscall); 134 135/* audit_names->type values */ 136#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 137#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 138#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 139#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 140#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 141 142/* maximized args number that audit_socketcall can process */ 143#define AUDITSC_ARGS 6 144 145/* bit values for ->signal->audit_tty */ 146#define AUDIT_TTY_ENABLE BIT(0) 147#define AUDIT_TTY_LOG_PASSWD BIT(1) 148 149struct filename; 150 151#define AUDIT_OFF 0 152#define AUDIT_ON 1 153#define AUDIT_LOCKED 2 154#ifdef CONFIG_AUDIT 155/* These are defined in audit.c */ 156 /* Public API */ 157extern __printf(4, 5) 158void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 159 const char *fmt, ...); 160 161extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 162extern __printf(2, 3) 163void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 164extern void audit_log_end(struct audit_buffer *ab); 165extern bool audit_string_contains_control(const char *string, 166 size_t len); 167extern void audit_log_n_hex(struct audit_buffer *ab, 168 const unsigned char *buf, 169 size_t len); 170extern void audit_log_n_string(struct audit_buffer *ab, 171 const char *buf, 172 size_t n); 173extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 174 const char *string, 175 size_t n); 176extern void audit_log_untrustedstring(struct audit_buffer *ab, 177 const char *string); 178extern void audit_log_d_path(struct audit_buffer *ab, 179 const char *prefix, 180 const struct path *path); 181extern void audit_log_key(struct audit_buffer *ab, 182 char *key); 183extern void audit_log_path_denied(int type, 184 const char *operation); 185extern void audit_log_lost(const char *message); 186 187extern int audit_log_task_context(struct audit_buffer *ab); 188extern void audit_log_task_info(struct audit_buffer *ab); 189 190extern int audit_update_lsm_rules(void); 191 192 /* Private API (for audit.c only) */ 193extern int audit_rule_change(int type, int seq, void *data, size_t datasz); 194extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 195 196extern int audit_set_loginuid(kuid_t loginuid); 197 198static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 199{ 200 return tsk->loginuid; 201} 202 203static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 204{ 205 return tsk->sessionid; 206} 207 208extern u32 audit_enabled; 209 210extern int audit_signal_info(int sig, struct task_struct *t); 211 212#else /* CONFIG_AUDIT */ 213static inline __printf(4, 5) 214void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 215 const char *fmt, ...) 216{ } 217static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 218 gfp_t gfp_mask, int type) 219{ 220 return NULL; 221} 222static inline __printf(2, 3) 223void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 224{ } 225static inline void audit_log_end(struct audit_buffer *ab) 226{ } 227static inline void audit_log_n_hex(struct audit_buffer *ab, 228 const unsigned char *buf, size_t len) 229{ } 230static inline void audit_log_n_string(struct audit_buffer *ab, 231 const char *buf, size_t n) 232{ } 233static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 234 const char *string, size_t n) 235{ } 236static inline void audit_log_untrustedstring(struct audit_buffer *ab, 237 const char *string) 238{ } 239static inline void audit_log_d_path(struct audit_buffer *ab, 240 const char *prefix, 241 const struct path *path) 242{ } 243static inline void audit_log_key(struct audit_buffer *ab, char *key) 244{ } 245static inline void audit_log_path_denied(int type, const char *operation) 246{ } 247static inline int audit_log_task_context(struct audit_buffer *ab) 248{ 249 return 0; 250} 251static inline void audit_log_task_info(struct audit_buffer *ab) 252{ } 253 254static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 255{ 256 return INVALID_UID; 257} 258 259static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 260{ 261 return AUDIT_SID_UNSET; 262} 263 264#define audit_enabled AUDIT_OFF 265 266static inline int audit_signal_info(int sig, struct task_struct *t) 267{ 268 return 0; 269} 270 271#endif /* CONFIG_AUDIT */ 272 273#ifdef CONFIG_AUDIT_COMPAT_GENERIC 274#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 275#else 276#define audit_is_compat(arch) false 277#endif 278 279#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 280#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 281#define AUDIT_INODE_NOEVAL 4 /* audit record incomplete */ 282 283#ifdef CONFIG_AUDITSYSCALL 284#include <asm/syscall.h> /* for syscall_get_arch() */ 285 286/* These are defined in auditsc.c */ 287 /* Public API */ 288extern int audit_alloc(struct task_struct *task); 289extern void __audit_free(struct task_struct *task); 290extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 291 unsigned long a2, unsigned long a3); 292extern void __audit_syscall_exit(int ret_success, long ret_value); 293extern struct filename *__audit_reusename(const __user char *uptr); 294extern void __audit_getname(struct filename *name); 295extern void __audit_inode(struct filename *name, const struct dentry *dentry, 296 unsigned int flags); 297extern void __audit_file(const struct file *); 298extern void __audit_inode_child(struct inode *parent, 299 const struct dentry *dentry, 300 const unsigned char type); 301extern void audit_seccomp(unsigned long syscall, long signr, int code); 302extern void audit_seccomp_actions_logged(const char *names, 303 const char *old_names, int res); 304extern void __audit_ptrace(struct task_struct *t); 305 306static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 307{ 308 task->audit_context = ctx; 309} 310 311static inline struct audit_context *audit_context(void) 312{ 313 return current->audit_context; 314} 315 316static inline bool audit_dummy_context(void) 317{ 318 void *p = audit_context(); 319 return !p || *(int *)p; 320} 321static inline void audit_free(struct task_struct *task) 322{ 323 if (unlikely(task->audit_context)) 324 __audit_free(task); 325} 326static inline void audit_syscall_entry(int major, unsigned long a0, 327 unsigned long a1, unsigned long a2, 328 unsigned long a3) 329{ 330 if (unlikely(audit_context())) 331 __audit_syscall_entry(major, a0, a1, a2, a3); 332} 333static inline void audit_syscall_exit(void *pt_regs) 334{ 335 if (unlikely(audit_context())) { 336 int success = is_syscall_success(pt_regs); 337 long return_code = regs_return_value(pt_regs); 338 339 __audit_syscall_exit(success, return_code); 340 } 341} 342static inline struct filename *audit_reusename(const __user char *name) 343{ 344 if (unlikely(!audit_dummy_context())) 345 return __audit_reusename(name); 346 return NULL; 347} 348static inline void audit_getname(struct filename *name) 349{ 350 if (unlikely(!audit_dummy_context())) 351 __audit_getname(name); 352} 353static inline void audit_inode(struct filename *name, 354 const struct dentry *dentry, 355 unsigned int aflags) { 356 if (unlikely(!audit_dummy_context())) 357 __audit_inode(name, dentry, aflags); 358} 359static inline void audit_file(struct file *file) 360{ 361 if (unlikely(!audit_dummy_context())) 362 __audit_file(file); 363} 364static inline void audit_inode_parent_hidden(struct filename *name, 365 const struct dentry *dentry) 366{ 367 if (unlikely(!audit_dummy_context())) 368 __audit_inode(name, dentry, 369 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 370} 371static inline void audit_inode_child(struct inode *parent, 372 const struct dentry *dentry, 373 const unsigned char type) { 374 if (unlikely(!audit_dummy_context())) 375 __audit_inode_child(parent, dentry, type); 376} 377void audit_core_dumps(long signr); 378 379static inline void audit_ptrace(struct task_struct *t) 380{ 381 if (unlikely(!audit_dummy_context())) 382 __audit_ptrace(t); 383} 384 385 /* Private API (for audit.c only) */ 386extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 387extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 388extern void __audit_bprm(struct linux_binprm *bprm); 389extern int __audit_socketcall(int nargs, unsigned long *args); 390extern int __audit_sockaddr(int len, void *addr); 391extern void __audit_fd_pair(int fd1, int fd2); 392extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 393extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout); 394extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 395extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 396extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 397 const struct cred *new, 398 const struct cred *old); 399extern void __audit_log_capset(const struct cred *new, const struct cred *old); 400extern void __audit_mmap_fd(int fd, int flags); 401extern void __audit_log_kern_module(char *name); 402extern void __audit_fanotify(unsigned int response); 403extern void __audit_tk_injoffset(struct timespec64 offset); 404extern void __audit_ntp_log(const struct audit_ntp_data *ad); 405extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, 406 enum audit_nfcfgop op, gfp_t gfp); 407 408static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 409{ 410 if (unlikely(!audit_dummy_context())) 411 __audit_ipc_obj(ipcp); 412} 413static inline void audit_fd_pair(int fd1, int fd2) 414{ 415 if (unlikely(!audit_dummy_context())) 416 __audit_fd_pair(fd1, fd2); 417} 418static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 419{ 420 if (unlikely(!audit_dummy_context())) 421 __audit_ipc_set_perm(qbytes, uid, gid, mode); 422} 423static inline void audit_bprm(struct linux_binprm *bprm) 424{ 425 if (unlikely(!audit_dummy_context())) 426 __audit_bprm(bprm); 427} 428static inline int audit_socketcall(int nargs, unsigned long *args) 429{ 430 if (unlikely(!audit_dummy_context())) 431 return __audit_socketcall(nargs, args); 432 return 0; 433} 434 435static inline int audit_socketcall_compat(int nargs, u32 *args) 436{ 437 unsigned long a[AUDITSC_ARGS]; 438 int i; 439 440 if (audit_dummy_context()) 441 return 0; 442 443 for (i = 0; i < nargs; i++) 444 a[i] = (unsigned long)args[i]; 445 return __audit_socketcall(nargs, a); 446} 447 448static inline int audit_sockaddr(int len, void *addr) 449{ 450 if (unlikely(!audit_dummy_context())) 451 return __audit_sockaddr(len, addr); 452 return 0; 453} 454static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 455{ 456 if (unlikely(!audit_dummy_context())) 457 __audit_mq_open(oflag, mode, attr); 458} 459static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout) 460{ 461 if (unlikely(!audit_dummy_context())) 462 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 463} 464static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 465{ 466 if (unlikely(!audit_dummy_context())) 467 __audit_mq_notify(mqdes, notification); 468} 469static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 470{ 471 if (unlikely(!audit_dummy_context())) 472 __audit_mq_getsetattr(mqdes, mqstat); 473} 474 475static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 476 const struct cred *new, 477 const struct cred *old) 478{ 479 if (unlikely(!audit_dummy_context())) 480 return __audit_log_bprm_fcaps(bprm, new, old); 481 return 0; 482} 483 484static inline void audit_log_capset(const struct cred *new, 485 const struct cred *old) 486{ 487 if (unlikely(!audit_dummy_context())) 488 __audit_log_capset(new, old); 489} 490 491static inline void audit_mmap_fd(int fd, int flags) 492{ 493 if (unlikely(!audit_dummy_context())) 494 __audit_mmap_fd(fd, flags); 495} 496 497static inline void audit_log_kern_module(char *name) 498{ 499 if (!audit_dummy_context()) 500 __audit_log_kern_module(name); 501} 502 503static inline void audit_fanotify(unsigned int response) 504{ 505 if (!audit_dummy_context()) 506 __audit_fanotify(response); 507} 508 509static inline void audit_tk_injoffset(struct timespec64 offset) 510{ 511 /* ignore no-op events */ 512 if (offset.tv_sec == 0 && offset.tv_nsec == 0) 513 return; 514 515 if (!audit_dummy_context()) 516 __audit_tk_injoffset(offset); 517} 518 519static inline void audit_ntp_init(struct audit_ntp_data *ad) 520{ 521 memset(ad, 0, sizeof(*ad)); 522} 523 524static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 525 enum audit_ntp_type type, long long val) 526{ 527 ad->vals[type].oldval = val; 528} 529 530static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 531 enum audit_ntp_type type, long long val) 532{ 533 ad->vals[type].newval = val; 534} 535 536static inline void audit_ntp_log(const struct audit_ntp_data *ad) 537{ 538 if (!audit_dummy_context()) 539 __audit_ntp_log(ad); 540} 541 542static inline void audit_log_nfcfg(const char *name, u8 af, 543 unsigned int nentries, 544 enum audit_nfcfgop op, gfp_t gfp) 545{ 546 if (audit_enabled) 547 __audit_log_nfcfg(name, af, nentries, op, gfp); 548} 549 550extern int audit_n_rules; 551extern int audit_signals; 552#else /* CONFIG_AUDITSYSCALL */ 553static inline int audit_alloc(struct task_struct *task) 554{ 555 return 0; 556} 557static inline void audit_free(struct task_struct *task) 558{ } 559static inline void audit_syscall_entry(int major, unsigned long a0, 560 unsigned long a1, unsigned long a2, 561 unsigned long a3) 562{ } 563static inline void audit_syscall_exit(void *pt_regs) 564{ } 565static inline bool audit_dummy_context(void) 566{ 567 return true; 568} 569static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 570{ } 571static inline struct audit_context *audit_context(void) 572{ 573 return NULL; 574} 575static inline struct filename *audit_reusename(const __user char *name) 576{ 577 return NULL; 578} 579static inline void audit_getname(struct filename *name) 580{ } 581static inline void audit_inode(struct filename *name, 582 const struct dentry *dentry, 583 unsigned int aflags) 584{ } 585static inline void audit_file(struct file *file) 586{ 587} 588static inline void audit_inode_parent_hidden(struct filename *name, 589 const struct dentry *dentry) 590{ } 591static inline void audit_inode_child(struct inode *parent, 592 const struct dentry *dentry, 593 const unsigned char type) 594{ } 595static inline void audit_core_dumps(long signr) 596{ } 597static inline void audit_seccomp(unsigned long syscall, long signr, int code) 598{ } 599static inline void audit_seccomp_actions_logged(const char *names, 600 const char *old_names, int res) 601{ } 602static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 603{ } 604static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 605 gid_t gid, umode_t mode) 606{ } 607static inline void audit_bprm(struct linux_binprm *bprm) 608{ } 609static inline int audit_socketcall(int nargs, unsigned long *args) 610{ 611 return 0; 612} 613 614static inline int audit_socketcall_compat(int nargs, u32 *args) 615{ 616 return 0; 617} 618 619static inline void audit_fd_pair(int fd1, int fd2) 620{ } 621static inline int audit_sockaddr(int len, void *addr) 622{ 623 return 0; 624} 625static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 626{ } 627static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 628 unsigned int msg_prio, 629 const struct timespec64 *abs_timeout) 630{ } 631static inline void audit_mq_notify(mqd_t mqdes, 632 const struct sigevent *notification) 633{ } 634static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 635{ } 636static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 637 const struct cred *new, 638 const struct cred *old) 639{ 640 return 0; 641} 642static inline void audit_log_capset(const struct cred *new, 643 const struct cred *old) 644{ } 645static inline void audit_mmap_fd(int fd, int flags) 646{ } 647 648static inline void audit_log_kern_module(char *name) 649{ 650} 651 652static inline void audit_fanotify(unsigned int response) 653{ } 654 655static inline void audit_tk_injoffset(struct timespec64 offset) 656{ } 657 658static inline void audit_ntp_init(struct audit_ntp_data *ad) 659{ } 660 661static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 662 enum audit_ntp_type type, long long val) 663{ } 664 665static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 666 enum audit_ntp_type type, long long val) 667{ } 668 669static inline void audit_ntp_log(const struct audit_ntp_data *ad) 670{ } 671 672static inline void audit_ptrace(struct task_struct *t) 673{ } 674 675static inline void audit_log_nfcfg(const char *name, u8 af, 676 unsigned int nentries, 677 enum audit_nfcfgop op, gfp_t gfp) 678{ } 679 680#define audit_n_rules 0 681#define audit_signals 0 682#endif /* CONFIG_AUDITSYSCALL */ 683 684static inline bool audit_loginuid_set(struct task_struct *tsk) 685{ 686 return uid_valid(audit_get_loginuid(tsk)); 687} 688 689#endif