tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v5.2 19 kB view raw
1/* SPDX-License-Identifier: GPL-2.0-or-later */ 2/* audit.h -- Auditing support 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * All Rights Reserved. 6 * 7 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 8 */ 9#ifndef _LINUX_AUDIT_H_ 10#define _LINUX_AUDIT_H_ 11 12#include <linux/sched.h> 13#include <linux/ptrace.h> 14#include <linux/namei.h> /* LOOKUP_* */ 15#include <uapi/linux/audit.h> 16 17#define AUDIT_INO_UNSET ((unsigned long)-1) 18#define AUDIT_DEV_UNSET ((dev_t)-1) 19 20struct audit_sig_info { 21 uid_t uid; 22 pid_t pid; 23 char ctx[0]; 24}; 25 26struct audit_buffer; 27struct audit_context; 28struct inode; 29struct netlink_skb_parms; 30struct path; 31struct linux_binprm; 32struct mq_attr; 33struct mqstat; 34struct audit_watch; 35struct audit_tree; 36struct sk_buff; 37 38struct audit_krule { 39 u32 pflags; 40 u32 flags; 41 u32 listnr; 42 u32 action; 43 u32 mask[AUDIT_BITMASK_SIZE]; 44 u32 buflen; /* for data alloc on list rules */ 45 u32 field_count; 46 char *filterkey; /* ties events to rules */ 47 struct audit_field *fields; 48 struct audit_field *arch_f; /* quick access to arch field */ 49 struct audit_field *inode_f; /* quick access to an inode field */ 50 struct audit_watch *watch; /* associated watch */ 51 struct audit_tree *tree; /* associated watched tree */ 52 struct audit_fsnotify_mark *exe; 53 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 54 struct list_head list; /* for AUDIT_LIST* purposes only */ 55 u64 prio; 56}; 57 58/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 59#define AUDIT_LOGINUID_LEGACY 0x1 60 61struct audit_field { 62 u32 type; 63 union { 64 u32 val; 65 kuid_t uid; 66 kgid_t gid; 67 struct { 68 char *lsm_str; 69 void *lsm_rule; 70 }; 71 }; 72 u32 op; 73}; 74 75enum audit_ntp_type { 76 AUDIT_NTP_OFFSET, 77 AUDIT_NTP_FREQ, 78 AUDIT_NTP_STATUS, 79 AUDIT_NTP_TAI, 80 AUDIT_NTP_TICK, 81 AUDIT_NTP_ADJUST, 82 83 AUDIT_NTP_NVALS /* count */ 84}; 85 86#ifdef CONFIG_AUDITSYSCALL 87struct audit_ntp_val { 88 long long oldval, newval; 89}; 90 91struct audit_ntp_data { 92 struct audit_ntp_val vals[AUDIT_NTP_NVALS]; 93}; 94#else 95struct audit_ntp_data {}; 96#endif 97 98extern int is_audit_feature_set(int which); 99 100extern int __init audit_register_class(int class, unsigned *list); 101extern int audit_classify_syscall(int abi, unsigned syscall); 102extern int audit_classify_arch(int arch); 103/* only for compat system calls */ 104extern unsigned compat_write_class[]; 105extern unsigned compat_read_class[]; 106extern unsigned compat_dir_class[]; 107extern unsigned compat_chattr_class[]; 108extern unsigned compat_signal_class[]; 109 110extern int audit_classify_compat_syscall(int abi, unsigned syscall); 111 112/* audit_names->type values */ 113#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 114#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 115#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 116#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 117#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 118 119/* maximized args number that audit_socketcall can process */ 120#define AUDITSC_ARGS 6 121 122/* bit values for ->signal->audit_tty */ 123#define AUDIT_TTY_ENABLE BIT(0) 124#define AUDIT_TTY_LOG_PASSWD BIT(1) 125 126struct filename; 127 128#define AUDIT_OFF 0 129#define AUDIT_ON 1 130#define AUDIT_LOCKED 2 131#ifdef CONFIG_AUDIT 132/* These are defined in audit.c */ 133 /* Public API */ 134extern __printf(4, 5) 135void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 136 const char *fmt, ...); 137 138extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 139extern __printf(2, 3) 140void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 141extern void audit_log_end(struct audit_buffer *ab); 142extern bool audit_string_contains_control(const char *string, 143 size_t len); 144extern void audit_log_n_hex(struct audit_buffer *ab, 145 const unsigned char *buf, 146 size_t len); 147extern void audit_log_n_string(struct audit_buffer *ab, 148 const char *buf, 149 size_t n); 150extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 151 const char *string, 152 size_t n); 153extern void audit_log_untrustedstring(struct audit_buffer *ab, 154 const char *string); 155extern void audit_log_d_path(struct audit_buffer *ab, 156 const char *prefix, 157 const struct path *path); 158extern void audit_log_key(struct audit_buffer *ab, 159 char *key); 160extern void audit_log_link_denied(const char *operation); 161extern void audit_log_lost(const char *message); 162 163extern int audit_log_task_context(struct audit_buffer *ab); 164extern void audit_log_task_info(struct audit_buffer *ab); 165 166extern int audit_update_lsm_rules(void); 167 168 /* Private API (for audit.c only) */ 169extern int audit_rule_change(int type, int seq, void *data, size_t datasz); 170extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 171 172extern int audit_set_loginuid(kuid_t loginuid); 173 174static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 175{ 176 return tsk->loginuid; 177} 178 179static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 180{ 181 return tsk->sessionid; 182} 183 184extern u32 audit_enabled; 185#else /* CONFIG_AUDIT */ 186static inline __printf(4, 5) 187void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 188 const char *fmt, ...) 189{ } 190static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 191 gfp_t gfp_mask, int type) 192{ 193 return NULL; 194} 195static inline __printf(2, 3) 196void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 197{ } 198static inline void audit_log_end(struct audit_buffer *ab) 199{ } 200static inline void audit_log_n_hex(struct audit_buffer *ab, 201 const unsigned char *buf, size_t len) 202{ } 203static inline void audit_log_n_string(struct audit_buffer *ab, 204 const char *buf, size_t n) 205{ } 206static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 207 const char *string, size_t n) 208{ } 209static inline void audit_log_untrustedstring(struct audit_buffer *ab, 210 const char *string) 211{ } 212static inline void audit_log_d_path(struct audit_buffer *ab, 213 const char *prefix, 214 const struct path *path) 215{ } 216static inline void audit_log_key(struct audit_buffer *ab, char *key) 217{ } 218static inline void audit_log_link_denied(const char *string) 219{ } 220static inline int audit_log_task_context(struct audit_buffer *ab) 221{ 222 return 0; 223} 224static inline void audit_log_task_info(struct audit_buffer *ab) 225{ } 226 227static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 228{ 229 return INVALID_UID; 230} 231 232static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 233{ 234 return AUDIT_SID_UNSET; 235} 236 237#define audit_enabled AUDIT_OFF 238#endif /* CONFIG_AUDIT */ 239 240#ifdef CONFIG_AUDIT_COMPAT_GENERIC 241#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 242#else 243#define audit_is_compat(arch) false 244#endif 245 246#ifdef CONFIG_AUDITSYSCALL 247#include <asm/syscall.h> /* for syscall_get_arch() */ 248 249/* These are defined in auditsc.c */ 250 /* Public API */ 251extern int audit_alloc(struct task_struct *task); 252extern void __audit_free(struct task_struct *task); 253extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 254 unsigned long a2, unsigned long a3); 255extern void __audit_syscall_exit(int ret_success, long ret_value); 256extern struct filename *__audit_reusename(const __user char *uptr); 257extern void __audit_getname(struct filename *name); 258 259#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 260#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 261#define AUDIT_INODE_NOEVAL 4 /* audit record incomplete */ 262extern void __audit_inode(struct filename *name, const struct dentry *dentry, 263 unsigned int flags); 264extern void __audit_file(const struct file *); 265extern void __audit_inode_child(struct inode *parent, 266 const struct dentry *dentry, 267 const unsigned char type); 268extern void audit_seccomp(unsigned long syscall, long signr, int code); 269extern void audit_seccomp_actions_logged(const char *names, 270 const char *old_names, int res); 271extern void __audit_ptrace(struct task_struct *t); 272 273static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 274{ 275 task->audit_context = ctx; 276} 277 278static inline struct audit_context *audit_context(void) 279{ 280 return current->audit_context; 281} 282 283static inline bool audit_dummy_context(void) 284{ 285 void *p = audit_context(); 286 return !p || *(int *)p; 287} 288static inline void audit_free(struct task_struct *task) 289{ 290 if (unlikely(task->audit_context)) 291 __audit_free(task); 292} 293static inline void audit_syscall_entry(int major, unsigned long a0, 294 unsigned long a1, unsigned long a2, 295 unsigned long a3) 296{ 297 if (unlikely(audit_context())) 298 __audit_syscall_entry(major, a0, a1, a2, a3); 299} 300static inline void audit_syscall_exit(void *pt_regs) 301{ 302 if (unlikely(audit_context())) { 303 int success = is_syscall_success(pt_regs); 304 long return_code = regs_return_value(pt_regs); 305 306 __audit_syscall_exit(success, return_code); 307 } 308} 309static inline struct filename *audit_reusename(const __user char *name) 310{ 311 if (unlikely(!audit_dummy_context())) 312 return __audit_reusename(name); 313 return NULL; 314} 315static inline void audit_getname(struct filename *name) 316{ 317 if (unlikely(!audit_dummy_context())) 318 __audit_getname(name); 319} 320static inline void audit_inode(struct filename *name, 321 const struct dentry *dentry, 322 unsigned int flags) { 323 if (unlikely(!audit_dummy_context())) { 324 unsigned int aflags = 0; 325 326 if (flags & LOOKUP_PARENT) 327 aflags |= AUDIT_INODE_PARENT; 328 if (flags & LOOKUP_NO_EVAL) 329 aflags |= AUDIT_INODE_NOEVAL; 330 __audit_inode(name, dentry, aflags); 331 } 332} 333static inline void audit_file(struct file *file) 334{ 335 if (unlikely(!audit_dummy_context())) 336 __audit_file(file); 337} 338static inline void audit_inode_parent_hidden(struct filename *name, 339 const struct dentry *dentry) 340{ 341 if (unlikely(!audit_dummy_context())) 342 __audit_inode(name, dentry, 343 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 344} 345static inline void audit_inode_child(struct inode *parent, 346 const struct dentry *dentry, 347 const unsigned char type) { 348 if (unlikely(!audit_dummy_context())) 349 __audit_inode_child(parent, dentry, type); 350} 351void audit_core_dumps(long signr); 352 353static inline void audit_ptrace(struct task_struct *t) 354{ 355 if (unlikely(!audit_dummy_context())) 356 __audit_ptrace(t); 357} 358 359 /* Private API (for audit.c only) */ 360extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 361extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 362extern void __audit_bprm(struct linux_binprm *bprm); 363extern int __audit_socketcall(int nargs, unsigned long *args); 364extern int __audit_sockaddr(int len, void *addr); 365extern void __audit_fd_pair(int fd1, int fd2); 366extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 367extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout); 368extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 369extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 370extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 371 const struct cred *new, 372 const struct cred *old); 373extern void __audit_log_capset(const struct cred *new, const struct cred *old); 374extern void __audit_mmap_fd(int fd, int flags); 375extern void __audit_log_kern_module(char *name); 376extern void __audit_fanotify(unsigned int response); 377extern void __audit_tk_injoffset(struct timespec64 offset); 378extern void __audit_ntp_log(const struct audit_ntp_data *ad); 379 380static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 381{ 382 if (unlikely(!audit_dummy_context())) 383 __audit_ipc_obj(ipcp); 384} 385static inline void audit_fd_pair(int fd1, int fd2) 386{ 387 if (unlikely(!audit_dummy_context())) 388 __audit_fd_pair(fd1, fd2); 389} 390static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 391{ 392 if (unlikely(!audit_dummy_context())) 393 __audit_ipc_set_perm(qbytes, uid, gid, mode); 394} 395static inline void audit_bprm(struct linux_binprm *bprm) 396{ 397 if (unlikely(!audit_dummy_context())) 398 __audit_bprm(bprm); 399} 400static inline int audit_socketcall(int nargs, unsigned long *args) 401{ 402 if (unlikely(!audit_dummy_context())) 403 return __audit_socketcall(nargs, args); 404 return 0; 405} 406 407static inline int audit_socketcall_compat(int nargs, u32 *args) 408{ 409 unsigned long a[AUDITSC_ARGS]; 410 int i; 411 412 if (audit_dummy_context()) 413 return 0; 414 415 for (i = 0; i < nargs; i++) 416 a[i] = (unsigned long)args[i]; 417 return __audit_socketcall(nargs, a); 418} 419 420static inline int audit_sockaddr(int len, void *addr) 421{ 422 if (unlikely(!audit_dummy_context())) 423 return __audit_sockaddr(len, addr); 424 return 0; 425} 426static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 427{ 428 if (unlikely(!audit_dummy_context())) 429 __audit_mq_open(oflag, mode, attr); 430} 431static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout) 432{ 433 if (unlikely(!audit_dummy_context())) 434 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 435} 436static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 437{ 438 if (unlikely(!audit_dummy_context())) 439 __audit_mq_notify(mqdes, notification); 440} 441static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 442{ 443 if (unlikely(!audit_dummy_context())) 444 __audit_mq_getsetattr(mqdes, mqstat); 445} 446 447static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 448 const struct cred *new, 449 const struct cred *old) 450{ 451 if (unlikely(!audit_dummy_context())) 452 return __audit_log_bprm_fcaps(bprm, new, old); 453 return 0; 454} 455 456static inline void audit_log_capset(const struct cred *new, 457 const struct cred *old) 458{ 459 if (unlikely(!audit_dummy_context())) 460 __audit_log_capset(new, old); 461} 462 463static inline void audit_mmap_fd(int fd, int flags) 464{ 465 if (unlikely(!audit_dummy_context())) 466 __audit_mmap_fd(fd, flags); 467} 468 469static inline void audit_log_kern_module(char *name) 470{ 471 if (!audit_dummy_context()) 472 __audit_log_kern_module(name); 473} 474 475static inline void audit_fanotify(unsigned int response) 476{ 477 if (!audit_dummy_context()) 478 __audit_fanotify(response); 479} 480 481static inline void audit_tk_injoffset(struct timespec64 offset) 482{ 483 /* ignore no-op events */ 484 if (offset.tv_sec == 0 && offset.tv_nsec == 0) 485 return; 486 487 if (!audit_dummy_context()) 488 __audit_tk_injoffset(offset); 489} 490 491static inline void audit_ntp_init(struct audit_ntp_data *ad) 492{ 493 memset(ad, 0, sizeof(*ad)); 494} 495 496static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 497 enum audit_ntp_type type, long long val) 498{ 499 ad->vals[type].oldval = val; 500} 501 502static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 503 enum audit_ntp_type type, long long val) 504{ 505 ad->vals[type].newval = val; 506} 507 508static inline void audit_ntp_log(const struct audit_ntp_data *ad) 509{ 510 if (!audit_dummy_context()) 511 __audit_ntp_log(ad); 512} 513 514extern int audit_n_rules; 515extern int audit_signals; 516#else /* CONFIG_AUDITSYSCALL */ 517static inline int audit_alloc(struct task_struct *task) 518{ 519 return 0; 520} 521static inline void audit_free(struct task_struct *task) 522{ } 523static inline void audit_syscall_entry(int major, unsigned long a0, 524 unsigned long a1, unsigned long a2, 525 unsigned long a3) 526{ } 527static inline void audit_syscall_exit(void *pt_regs) 528{ } 529static inline bool audit_dummy_context(void) 530{ 531 return true; 532} 533static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 534{ } 535static inline struct audit_context *audit_context(void) 536{ 537 return NULL; 538} 539static inline struct filename *audit_reusename(const __user char *name) 540{ 541 return NULL; 542} 543static inline void audit_getname(struct filename *name) 544{ } 545static inline void __audit_inode(struct filename *name, 546 const struct dentry *dentry, 547 unsigned int flags) 548{ } 549static inline void __audit_inode_child(struct inode *parent, 550 const struct dentry *dentry, 551 const unsigned char type) 552{ } 553static inline void audit_inode(struct filename *name, 554 const struct dentry *dentry, 555 unsigned int parent) 556{ } 557static inline void audit_file(struct file *file) 558{ 559} 560static inline void audit_inode_parent_hidden(struct filename *name, 561 const struct dentry *dentry) 562{ } 563static inline void audit_inode_child(struct inode *parent, 564 const struct dentry *dentry, 565 const unsigned char type) 566{ } 567static inline void audit_core_dumps(long signr) 568{ } 569static inline void audit_seccomp(unsigned long syscall, long signr, int code) 570{ } 571static inline void audit_seccomp_actions_logged(const char *names, 572 const char *old_names, int res) 573{ } 574static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 575{ } 576static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 577 gid_t gid, umode_t mode) 578{ } 579static inline void audit_bprm(struct linux_binprm *bprm) 580{ } 581static inline int audit_socketcall(int nargs, unsigned long *args) 582{ 583 return 0; 584} 585 586static inline int audit_socketcall_compat(int nargs, u32 *args) 587{ 588 return 0; 589} 590 591static inline void audit_fd_pair(int fd1, int fd2) 592{ } 593static inline int audit_sockaddr(int len, void *addr) 594{ 595 return 0; 596} 597static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 598{ } 599static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 600 unsigned int msg_prio, 601 const struct timespec64 *abs_timeout) 602{ } 603static inline void audit_mq_notify(mqd_t mqdes, 604 const struct sigevent *notification) 605{ } 606static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 607{ } 608static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 609 const struct cred *new, 610 const struct cred *old) 611{ 612 return 0; 613} 614static inline void audit_log_capset(const struct cred *new, 615 const struct cred *old) 616{ } 617static inline void audit_mmap_fd(int fd, int flags) 618{ } 619 620static inline void audit_log_kern_module(char *name) 621{ 622} 623 624static inline void audit_fanotify(unsigned int response) 625{ } 626 627static inline void audit_tk_injoffset(struct timespec64 offset) 628{ } 629 630static inline void audit_ntp_init(struct audit_ntp_data *ad) 631{ } 632 633static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 634 enum audit_ntp_type type, long long val) 635{ } 636 637static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 638 enum audit_ntp_type type, long long val) 639{ } 640 641static inline void audit_ntp_log(const struct audit_ntp_data *ad) 642{ } 643 644static inline void audit_ptrace(struct task_struct *t) 645{ } 646#define audit_n_rules 0 647#define audit_signals 0 648#endif /* CONFIG_AUDITSYSCALL */ 649 650static inline bool audit_loginuid_set(struct task_struct *tsk) 651{ 652 return uid_valid(audit_get_loginuid(tsk)); 653} 654 655static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 656{ 657 audit_log_n_string(ab, buf, strlen(buf)); 658} 659 660#endif