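/* audit.h -- Auditing support
 *
 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
 *
 */
#ifndef _LINUX_AUDIT_H_
#define _LINUX_AUDIT_H_

#include <linux/errno.h>	/* EINVAL */
#include <linux/sched.h>
#include <linux/ptrace.h>
#include <linux/namei.h>	/* LOOKUP_* */
#include <uapi/linux/audit.h>

/* Sentinels meaning "no inode number / no device recorded". */
#define AUDIT_INO_UNSET ((unsigned long)-1)
#define AUDIT_DEV_UNSET ((dev_t)-1)

/*
 * Fixed header followed by variable-length data: ctx[] is a zero-length
 * trailing array, so sizeof(struct audit_sig_info) does not include it and
 * the allocator must add the payload length itself.
 * NOTE(review): ctx presumably carries a security context string -- confirm
 * against the code that fills it.
 */
struct audit_sig_info {
	uid_t		uid;
	pid_t		pid;
	char		ctx[0];
};

struct audit_buffer;
struct audit_context;
struct inode;
struct netlink_skb_parms;
struct path;
struct linux_binprm;
struct mq_attr;
struct mqstat;
struct audit_watch;
struct audit_tree;
struct sk_buff;

/* Kernel-side representation of one audit rule. */
struct audit_krule {
	u32			pflags;
	u32			flags;
	u32			listnr;
	u32			action;
	u32			mask[AUDIT_BITMASK_SIZE];
	u32			buflen; /* for data alloc on list rules */
	u32			field_count;
	char			*filterkey; /* ties events to rules */
	struct audit_field	*fields;
	struct audit_field	*arch_f; /* quick access to arch field */
	struct audit_field	*inode_f; /* quick access to an inode field */
	struct audit_watch	*watch;	/* associated watch */
	struct audit_tree	*tree;	/* associated watched tree */
	struct audit_fsnotify_mark	*exe;
	struct list_head	rlist;	/* entry in audit_{watch,tree}.rules list */
	struct list_head	list;	/* for AUDIT_LIST* purposes only */
	u64			prio;
};

/* Flag to indicate legacy AUDIT_LOGINUID unset usage */
#define AUDIT_LOGINUID_LEGACY		0x1

/*
 * One comparison inside a rule. The anonymous union means only one of
 * val / uid / gid / {lsm_str, lsm_rule} is meaningful for a given field;
 * which one is not encoded here, so readers must key off 'type'.
 */
struct audit_field {
	u32				type;
	union {
		u32			val;
		kuid_t			uid;
		kgid_t			gid;
		struct {
			char		*lsm_str;
			void		*lsm_rule;
		};
	};
	u32				op;
};

/* Index into audit_ntp_data.vals[]; AUDIT_NTP_NVALS is the array size. */
enum audit_ntp_type {
	AUDIT_NTP_OFFSET,
	AUDIT_NTP_FREQ,
	AUDIT_NTP_STATUS,
	AUDIT_NTP_TAI,
	AUDIT_NTP_TICK,
	AUDIT_NTP_ADJUST,

	AUDIT_NTP_NVALS /* count */
};

#ifdef CONFIG_AUDITSYSCALL
struct audit_ntp_val {
	long long oldval, newval;
};

struct audit_ntp_data {
	struct audit_ntp_val vals[AUDIT_NTP_NVALS];
};
#else
/* Empty placeholder so callers compile without syscall auditing. */
struct audit_ntp_data {};
#endif

extern int is_audit_feature_set(int which);

extern int __init audit_register_class(int class, unsigned *list);
extern int audit_classify_syscall(int abi, unsigned syscall);
extern int audit_classify_arch(int arch);
/* only for compat system calls */
extern unsigned compat_write_class[];
extern unsigned compat_read_class[];
extern unsigned compat_dir_class[];
extern unsigned compat_chattr_class[];
extern unsigned compat_signal_class[];

extern int audit_classify_compat_syscall(int abi, unsigned syscall);

/* audit_names->type values */
#define	AUDIT_TYPE_UNKNOWN	0	/* we don't know yet */
#define	AUDIT_TYPE_NORMAL	1	/* a "normal" audit record */
#define	AUDIT_TYPE_PARENT	2	/* a parent audit record */
#define	AUDIT_TYPE_CHILD_DELETE 3	/* a child being deleted */
#define	AUDIT_TYPE_CHILD_CREATE 4	/* a child being created */

/* maximum number of arguments that audit_socketcall can process */
#define AUDITSC_ARGS		6

/* bit values for ->signal->audit_tty */
#define AUDIT_TTY_ENABLE	BIT(0)
#define AUDIT_TTY_LOG_PASSWD	BIT(1)

struct filename;

/* Values of audit_enabled; a !CONFIG_AUDIT build pins it to AUDIT_OFF. */
#define AUDIT_OFF	0
#define AUDIT_ON	1
#define AUDIT_LOCKED	2
#ifdef CONFIG_AUDIT
/* These are defined in audit.c */
				/* Public API */
extern __printf(4, 5)
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
	       const char *fmt, ...);

extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
extern __printf(2, 3)
void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
extern void		    audit_log_end(struct audit_buffer *ab);
extern bool		    audit_string_contains_control(const char *string,
							  size_t len);
extern void		    audit_log_n_hex(struct audit_buffer *ab,
					  const unsigned char *buf,
					  size_t len);
extern void		    audit_log_n_string(struct audit_buffer *ab,
					       const char *buf,
					       size_t n);
/*
 * NOTE(review): by their names the *_untrustedstring() variants are the ones
 * meant for caller-supplied text that may hold control characters (compare
 * audit_string_contains_control()); how they encode it is defined in
 * audit.c -- confirm there before logging externally influenced data with
 * audit_log_format() or audit_log_n_string() instead.
 */
extern void		    audit_log_n_untrustedstring(struct audit_buffer *ab,
							const char *string,
							size_t n);
extern void		    audit_log_untrustedstring(struct audit_buffer *ab,
						      const char *string);
extern void		    audit_log_d_path(struct audit_buffer *ab,
					     const char *prefix,
					     const struct path *path);
extern void		    audit_log_key(struct audit_buffer *ab,
					  char *key);
extern void		    audit_log_link_denied(const char *operation);
extern void		    audit_log_lost(const char *message);

extern int audit_log_task_context(struct audit_buffer *ab);
extern void audit_log_task_info(struct audit_buffer *ab);

extern int		    audit_update_lsm_rules(void);

				/* Private API (for audit.c only) */
extern int audit_rule_change(int type, int seq, void *data, size_t datasz);
extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);

extern int audit_set_loginuid(kuid_t loginuid);

/* Login uid recorded on the task; read straight from task_struct. */
static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
{
	return tsk->loginuid;
}

/* Audit session id recorded on the task; read straight from task_struct. */
static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
{
	return tsk->sessionid;
}

extern u32 audit_enabled;
#else /* CONFIG_AUDIT */
/*
 * Auditing compiled out: the logging entry points become empty inlines,
 * audit_log_start() hands back NULL, and the identity getters report
 * "unset" (INVALID_UID / AUDIT_SID_UNSET).
 */
static inline __printf(4, 5)
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
	       const char *fmt, ...)
{ }
static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
						   gfp_t gfp_mask, int type)
{
	return NULL;
}
static inline __printf(2, 3)
void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
{ }
static inline void audit_log_end(struct audit_buffer *ab)
{ }
static inline void audit_log_n_hex(struct audit_buffer *ab,
				   const unsigned char *buf, size_t len)
{ }
static inline void audit_log_n_string(struct audit_buffer *ab,
				      const char *buf, size_t n)
{ }
static inline void  audit_log_n_untrustedstring(struct audit_buffer *ab,
						const char *string, size_t n)
{ }
static inline void audit_log_untrustedstring(struct audit_buffer *ab,
					     const char *string)
{ }
static inline void audit_log_d_path(struct audit_buffer *ab,
				    const char *prefix,
				    const struct path *path)
{ }
static inline void audit_log_key(struct audit_buffer *ab, char *key)
{ }
static inline void audit_log_link_denied(const char *string)
{ }
static inline int audit_log_task_context(struct audit_buffer *ab)
{
	return 0;
}
static inline void audit_log_task_info(struct audit_buffer *ab)
{ }

static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
{
	return INVALID_UID;
}

static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
{
	return AUDIT_SID_UNSET;
}

#define audit_enabled AUDIT_OFF
#endif /* CONFIG_AUDIT */

/* An arch value without the 64-bit flag is treated as compat. */
#ifdef CONFIG_AUDIT_COMPAT_GENERIC
#define audit_is_compat(arch)  (!((arch) & __AUDIT_ARCH_64BIT))
#else
#define audit_is_compat(arch)  false
#endif

#ifdef CONFIG_AUDITSYSCALL
#include <asm/syscall.h> /* for syscall_get_arch() */

/* These are defined in auditsc.c */
				/* Public API */
extern int  audit_alloc(struct task_struct *task);
extern void __audit_free(struct task_struct *task);
extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
				  unsigned long a2, unsigned long a3);
extern void __audit_syscall_exit(int ret_success, long ret_value);
extern struct filename *__audit_reusename(const __user char *uptr);
extern void __audit_getname(struct filename *name);

#define AUDIT_INODE_PARENT	1	/* dentry represents the parent */
#define AUDIT_INODE_HIDDEN	2	/* audit record should be hidden */
#define AUDIT_INODE_NOEVAL	4	/* audit record incomplete */
extern void __audit_inode(struct filename *name, const struct dentry *dentry,
				unsigned int flags);
extern void __audit_file(const struct file *);
extern void __audit_inode_child(struct inode *parent,
				const struct dentry *dentry,
				const unsigned char type);
extern void audit_seccomp(unsigned long syscall, long signr, int code);
extern void audit_seccomp_actions_logged(const char *names,
					 const char *old_names, int res);
extern void __audit_ptrace(struct task_struct *t);

/* Attach (or clear, with NULL) the audit context of a task. */
static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx)
{
	task->audit_context = ctx;
}

/* Audit context of the current task; may be NULL. */
static inline struct audit_context *audit_context(void)
{
	return current->audit_context;
}

/*
 * True when the current task has no audit context, or when the first int
 * stored in that context is non-zero.
 * NOTE(review): the cast reads the context's leading int without seeing the
 * struct layout; this presumably relies on a "dummy" flag being the first
 * member of struct audit_context -- confirm against its definition.
 */
static inline bool audit_dummy_context(void)
{
	void *p = audit_context();
	return !p || *(int *)p;
}

/*
 * audit_free() and audit_syscall_entry()/audit_syscall_exit() only test that
 * a context exists. The remaining wrappers below forward to their
 * __audit_*() hook only when audit_dummy_context() is false and otherwise do
 * nothing (or return 0 / NULL).
 */
static inline void audit_free(struct task_struct *task)
{
	if (unlikely(task->audit_context))
		__audit_free(task);
}
static inline void audit_syscall_entry(int major, unsigned long a0,
				       unsigned long a1, unsigned long a2,
				       unsigned long a3)
{
	if (unlikely(audit_context()))
		__audit_syscall_entry(major, a0, a1, a2, a3);
}
static inline void audit_syscall_exit(void *pt_regs)
{
	if (unlikely(audit_context())) {
		int success = is_syscall_success(pt_regs);
		long return_code = regs_return_value(pt_regs);

		__audit_syscall_exit(success, return_code);
	}
}
static inline struct filename *audit_reusename(const __user char *name)
{
	if (unlikely(!audit_dummy_context()))
		return __audit_reusename(name);
	return NULL;
}
static inline void audit_getname(struct filename *name)
{
	if (unlikely(!audit_dummy_context()))
		__audit_getname(name);
}
/* Translates the caller's LOOKUP_* flags into AUDIT_INODE_* flags. */
static inline void audit_inode(struct filename *name,
				const struct dentry *dentry,
				unsigned int flags) {
	if (unlikely(!audit_dummy_context())) {
		unsigned int aflags = 0;

		if (flags & LOOKUP_PARENT)
			aflags |= AUDIT_INODE_PARENT;
		if (flags & LOOKUP_NO_EVAL)
			aflags |= AUDIT_INODE_NOEVAL;
		__audit_inode(name, dentry, aflags);
	}
}
static inline void audit_file(struct file *file)
{
	if (unlikely(!audit_dummy_context()))
		__audit_file(file);
}
static inline void audit_inode_parent_hidden(struct filename *name,
						const struct dentry *dentry)
{
	if (unlikely(!audit_dummy_context()))
		__audit_inode(name, dentry,
				AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
}
static inline void audit_inode_child(struct inode *parent,
				     const struct dentry *dentry,
				     const unsigned char type) {
	if (unlikely(!audit_dummy_context()))
		__audit_inode_child(parent, dentry, type);
}
void audit_core_dumps(long signr);

static inline void audit_ptrace(struct task_struct *t)
{
	if (unlikely(!audit_dummy_context()))
		__audit_ptrace(t);
}

				/* Private API (for audit.c only) */
extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
extern void __audit_bprm(struct linux_binprm *bprm);
extern int __audit_socketcall(int nargs, unsigned long *args);
extern int __audit_sockaddr(int len, void *addr);
extern void __audit_fd_pair(int fd1, int fd2);
extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout);
extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
				  const struct cred *new,
				  const struct cred *old);
extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
extern void __audit_log_kern_module(char *name);
extern void __audit_fanotify(unsigned int response);
extern void __audit_tk_injoffset(struct timespec64 offset);
extern void __audit_ntp_log(const struct audit_ntp_data *ad);

static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
	if (unlikely(!audit_dummy_context()))
		__audit_ipc_obj(ipcp);
}
static inline void audit_fd_pair(int fd1, int fd2)
{
	if (unlikely(!audit_dummy_context()))
		__audit_fd_pair(fd1, fd2);
}
static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
{
	if (unlikely(!audit_dummy_context()))
		__audit_ipc_set_perm(qbytes, uid, gid, mode);
}
static inline void audit_bprm(struct linux_binprm *bprm)
{
	if (unlikely(!audit_dummy_context()))
		__audit_bprm(bprm);
}
static inline int audit_socketcall(int nargs, unsigned long *args)
{
	if (unlikely(!audit_dummy_context()))
		return __audit_socketcall(nargs, args);
	return 0;
}

/*
 * Compat entry point: widens 32-bit socketcall arguments into a local
 * unsigned long array and passes that to __audit_socketcall().
 *
 * Returns 0 when the current context is a dummy, -EINVAL when nargs exceeds
 * AUDITSC_ARGS, otherwise whatever __audit_socketcall() returns.
 */
static inline int audit_socketcall_compat(int nargs, u32 *args)
{
	unsigned long a[AUDITSC_ARGS];
	int i;

	if (audit_dummy_context())
		return 0;

	/*
	 * a[] holds AUDITSC_ARGS entries; refuse a larger count before the
	 * copy so that a caller which skipped its own bound check cannot
	 * write past the end of the stack array.
	 * NOTE(review): -EINVAL is assumed to match what
	 * __audit_socketcall() reports for an out-of-range count; that
	 * function lives in auditsc.c -- confirm.
	 */
	if (nargs > AUDITSC_ARGS)
		return -EINVAL;

	for (i = 0; i < nargs; i++)
		a[i] = (unsigned long)args[i];
	return __audit_socketcall(nargs, a);
}

static inline int audit_sockaddr(int len, void *addr)
{
	if (unlikely(!audit_dummy_context()))
		return __audit_sockaddr(len, addr);
	return 0;
}
static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
{
	if (unlikely(!audit_dummy_context()))
		__audit_mq_open(oflag, mode, attr);
}
static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout)
{
	if (unlikely(!audit_dummy_context()))
		__audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
}
static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
{
	if (unlikely(!audit_dummy_context()))
		__audit_mq_notify(mqdes, notification);
}
static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
{
	if (unlikely(!audit_dummy_context()))
		__audit_mq_getsetattr(mqdes, mqstat);
}

static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
				       const struct cred *new,
				       const struct cred *old)
{
	if (unlikely(!audit_dummy_context()))
		return __audit_log_bprm_fcaps(bprm, new, old);
	return 0;
}

static inline void audit_log_capset(const struct cred *new,
				   const struct cred *old)
{
	if (unlikely(!audit_dummy_context()))
		__audit_log_capset(new, old);
}

static inline void audit_mmap_fd(int fd, int flags)
{
	if (unlikely(!audit_dummy_context()))
		__audit_mmap_fd(fd, flags);
}

static inline void audit_log_kern_module(char *name)
{
	if (!audit_dummy_context())
		__audit_log_kern_module(name);
}

static inline void audit_fanotify(unsigned int response)
{
	if (!audit_dummy_context())
		__audit_fanotify(response);
}

static inline void audit_tk_injoffset(struct timespec64 offset)
{
	/* ignore no-op events */
	if (offset.tv_sec == 0 && offset.tv_nsec == 0)
		return;

	if (!audit_dummy_context())
		__audit_tk_injoffset(offset);
}

/* Zero every old/new pair before values are recorded. */
static inline void audit_ntp_init(struct audit_ntp_data *ad)
{
	memset(ad, 0, sizeof(*ad));
}

/*
 * 'type' indexes vals[] directly with no range check, so callers must pass
 * a value below AUDIT_NTP_NVALS. The same holds for audit_ntp_set_new().
 */
static inline void audit_ntp_set_old(struct audit_ntp_data *ad,
				     enum audit_ntp_type type, long long val)
{
	ad->vals[type].oldval = val;
}

static inline void audit_ntp_set_new(struct audit_ntp_data *ad,
				     enum audit_ntp_type type, long long val)
{
	ad->vals[type].newval = val;
}

static inline void audit_ntp_log(const struct audit_ntp_data *ad)
{
	if (!audit_dummy_context())
		__audit_ntp_log(ad);
}

extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
/*
 * Syscall auditing compiled out: every hook is an empty inline,
 * audit_dummy_context() is always true, audit_context() is always NULL and
 * the int-returning hooks report 0.
 */
static inline int audit_alloc(struct task_struct *task)
{
	return 0;
}
static inline void audit_free(struct task_struct *task)
{ }
static inline void audit_syscall_entry(int major, unsigned long a0,
				       unsigned long a1, unsigned long a2,
				       unsigned long a3)
{ }
static inline void audit_syscall_exit(void *pt_regs)
{ }
static inline bool audit_dummy_context(void)
{
	return true;
}
static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx)
{ }
static inline struct audit_context *audit_context(void)
{
	return NULL;
}
static inline struct filename *audit_reusename(const __user char *name)
{
	return NULL;
}
static inline void audit_getname(struct filename *name)
{ }
static inline void __audit_inode(struct filename *name,
					const struct dentry *dentry,
					unsigned int flags)
{ }
static inline void __audit_inode_child(struct inode *parent,
					const struct dentry *dentry,
					const unsigned char type)
{ }
static inline void audit_inode(struct filename *name,
				const struct dentry *dentry,
				unsigned int parent)
{ }
static inline void audit_file(struct file *file)
{
}
static inline void audit_inode_parent_hidden(struct filename *name,
				const struct dentry *dentry)
{ }
static inline void audit_inode_child(struct inode *parent,
				     const struct dentry *dentry,
				     const unsigned char type)
{ }
static inline void audit_core_dumps(long signr)
{ }
static inline void audit_seccomp(unsigned long syscall, long signr, int code)
{ }
static inline void audit_seccomp_actions_logged(const char *names,
						const char *old_names, int res)
{ }
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{ }
static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
					gid_t gid, umode_t mode)
{ }
static inline void audit_bprm(struct linux_binprm *bprm)
{ }
static inline int audit_socketcall(int nargs, unsigned long *args)
{
	return 0;
}

static inline int audit_socketcall_compat(int nargs, u32 *args)
{
	return 0;
}

static inline void audit_fd_pair(int fd1, int fd2)
{ }
static inline int audit_sockaddr(int len, void *addr)
{
	return 0;
}
static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
{ }
static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len,
				     unsigned int msg_prio,
				     const struct timespec64 *abs_timeout)
{ }
static inline void audit_mq_notify(mqd_t mqdes,
				   const struct sigevent *notification)
{ }
static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
{ }
static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
				       const struct cred *new,
				       const struct cred *old)
{
	return 0;
}
static inline void audit_log_capset(const struct cred *new,
				    const struct cred *old)
{ }
static inline void audit_mmap_fd(int fd, int flags)
{ }

static inline void audit_log_kern_module(char *name)
{
}

static inline void audit_fanotify(unsigned int response)
{ }

static inline void audit_tk_injoffset(struct timespec64 offset)
{ }

static inline void audit_ntp_init(struct audit_ntp_data *ad)
{ }

static inline void audit_ntp_set_old(struct audit_ntp_data *ad,
				     enum audit_ntp_type type, long long val)
{ }

static inline void audit_ntp_set_new(struct audit_ntp_data *ad,
				     enum audit_ntp_type type, long long val)
{ }

static inline void audit_ntp_log(const struct audit_ntp_data *ad)
{ }

static inline void audit_ptrace(struct task_struct *t)
{ }
#define audit_n_rules 0
#define audit_signals 0
#endif /* CONFIG_AUDITSYSCALL */

/* True when the task's login uid is a valid uid (i.e. has been set). */
static inline bool audit_loginuid_set(struct task_struct *tsk)
{
	return uid_valid(audit_get_loginuid(tsk));
}

/*
 * Logs a NUL-terminated string. strlen(buf) is taken unconditionally, so
 * buf must be a valid, terminated string and must not be NULL.
 */
static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
{
	audit_log_n_string(ab, buf, strlen(buf));
}

#endif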