tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v5.3 19 kB view raw
1/* SPDX-License-Identifier: GPL-2.0-or-later */ 2/* audit.h -- Auditing support 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * All Rights Reserved. 6 * 7 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 8 */ 9#ifndef _LINUX_AUDIT_H_ 10#define _LINUX_AUDIT_H_ 11 12#include <linux/sched.h> 13#include <linux/ptrace.h> 14#include <linux/namei.h> /* LOOKUP_* */ 15#include <uapi/linux/audit.h> 16 17#define AUDIT_INO_UNSET ((unsigned long)-1) 18#define AUDIT_DEV_UNSET ((dev_t)-1) 19 20struct audit_sig_info { 21 uid_t uid; 22 pid_t pid; 23 char ctx[0]; 24}; 25 26struct audit_buffer; 27struct audit_context; 28struct inode; 29struct netlink_skb_parms; 30struct path; 31struct linux_binprm; 32struct mq_attr; 33struct mqstat; 34struct audit_watch; 35struct audit_tree; 36struct sk_buff; 37 38struct audit_krule { 39 u32 pflags; 40 u32 flags; 41 u32 listnr; 42 u32 action; 43 u32 mask[AUDIT_BITMASK_SIZE]; 44 u32 buflen; /* for data alloc on list rules */ 45 u32 field_count; 46 char *filterkey; /* ties events to rules */ 47 struct audit_field *fields; 48 struct audit_field *arch_f; /* quick access to arch field */ 49 struct audit_field *inode_f; /* quick access to an inode field */ 50 struct audit_watch *watch; /* associated watch */ 51 struct audit_tree *tree; /* associated watched tree */ 52 struct audit_fsnotify_mark *exe; 53 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 54 struct list_head list; /* for AUDIT_LIST* purposes only */ 55 u64 prio; 56}; 57 58/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 59#define AUDIT_LOGINUID_LEGACY 0x1 60 61struct audit_field { 62 u32 type; 63 union { 64 u32 val; 65 kuid_t uid; 66 kgid_t gid; 67 struct { 68 char *lsm_str; 69 void *lsm_rule; 70 }; 71 }; 72 u32 op; 73}; 74 75enum audit_ntp_type { 76 AUDIT_NTP_OFFSET, 77 AUDIT_NTP_FREQ, 78 AUDIT_NTP_STATUS, 79 AUDIT_NTP_TAI, 80 AUDIT_NTP_TICK, 81 AUDIT_NTP_ADJUST, 82 83 AUDIT_NTP_NVALS /* count */ 84}; 85 86#ifdef CONFIG_AUDITSYSCALL 87struct audit_ntp_val { 88 long long oldval, newval; 89}; 90 91struct audit_ntp_data { 92 struct audit_ntp_val vals[AUDIT_NTP_NVALS]; 93}; 94#else 95struct audit_ntp_data {}; 96#endif 97 98extern int is_audit_feature_set(int which); 99 100extern int __init audit_register_class(int class, unsigned *list); 101extern int audit_classify_syscall(int abi, unsigned syscall); 102extern int audit_classify_arch(int arch); 103/* only for compat system calls */ 104extern unsigned compat_write_class[]; 105extern unsigned compat_read_class[]; 106extern unsigned compat_dir_class[]; 107extern unsigned compat_chattr_class[]; 108extern unsigned compat_signal_class[]; 109 110extern int audit_classify_compat_syscall(int abi, unsigned syscall); 111 112/* audit_names->type values */ 113#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 114#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 115#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 116#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 117#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 118 119/* maximized args number that audit_socketcall can process */ 120#define AUDITSC_ARGS 6 121 122/* bit values for ->signal->audit_tty */ 123#define AUDIT_TTY_ENABLE BIT(0) 124#define AUDIT_TTY_LOG_PASSWD BIT(1) 125 126struct filename; 127 128#define AUDIT_OFF 0 129#define AUDIT_ON 1 130#define AUDIT_LOCKED 2 131#ifdef CONFIG_AUDIT 132/* These are defined in audit.c */ 133 /* Public API */ 134extern __printf(4, 5) 135void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 136 const char *fmt, ...); 137 138extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 139extern __printf(2, 3) 140void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 141extern void audit_log_end(struct audit_buffer *ab); 142extern bool audit_string_contains_control(const char *string, 143 size_t len); 144extern void audit_log_n_hex(struct audit_buffer *ab, 145 const unsigned char *buf, 146 size_t len); 147extern void audit_log_n_string(struct audit_buffer *ab, 148 const char *buf, 149 size_t n); 150extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 151 const char *string, 152 size_t n); 153extern void audit_log_untrustedstring(struct audit_buffer *ab, 154 const char *string); 155extern void audit_log_d_path(struct audit_buffer *ab, 156 const char *prefix, 157 const struct path *path); 158extern void audit_log_key(struct audit_buffer *ab, 159 char *key); 160extern void audit_log_link_denied(const char *operation); 161extern void audit_log_lost(const char *message); 162 163extern int audit_log_task_context(struct audit_buffer *ab); 164extern void audit_log_task_info(struct audit_buffer *ab); 165 166extern int audit_update_lsm_rules(void); 167 168 /* Private API (for audit.c only) */ 169extern int audit_rule_change(int type, int seq, void *data, size_t datasz); 170extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 171 172extern int audit_set_loginuid(kuid_t loginuid); 173 174static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 175{ 176 return tsk->loginuid; 177} 178 179static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 180{ 181 return tsk->sessionid; 182} 183 184extern u32 audit_enabled; 185 186extern int audit_signal_info(int sig, struct task_struct *t); 187 188#else /* CONFIG_AUDIT */ 189static inline __printf(4, 5) 190void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 191 const char *fmt, ...) 192{ } 193static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 194 gfp_t gfp_mask, int type) 195{ 196 return NULL; 197} 198static inline __printf(2, 3) 199void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 200{ } 201static inline void audit_log_end(struct audit_buffer *ab) 202{ } 203static inline void audit_log_n_hex(struct audit_buffer *ab, 204 const unsigned char *buf, size_t len) 205{ } 206static inline void audit_log_n_string(struct audit_buffer *ab, 207 const char *buf, size_t n) 208{ } 209static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 210 const char *string, size_t n) 211{ } 212static inline void audit_log_untrustedstring(struct audit_buffer *ab, 213 const char *string) 214{ } 215static inline void audit_log_d_path(struct audit_buffer *ab, 216 const char *prefix, 217 const struct path *path) 218{ } 219static inline void audit_log_key(struct audit_buffer *ab, char *key) 220{ } 221static inline void audit_log_link_denied(const char *string) 222{ } 223static inline int audit_log_task_context(struct audit_buffer *ab) 224{ 225 return 0; 226} 227static inline void audit_log_task_info(struct audit_buffer *ab) 228{ } 229 230static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 231{ 232 return INVALID_UID; 233} 234 235static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 236{ 237 return AUDIT_SID_UNSET; 238} 239 240#define audit_enabled AUDIT_OFF 241 242static inline int audit_signal_info(int sig, struct task_struct *t) 243{ 244 return 0; 245} 246 247#endif /* CONFIG_AUDIT */ 248 249#ifdef CONFIG_AUDIT_COMPAT_GENERIC 250#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 251#else 252#define audit_is_compat(arch) false 253#endif 254 255#ifdef CONFIG_AUDITSYSCALL 256#include <asm/syscall.h> /* for syscall_get_arch() */ 257 258/* These are defined in auditsc.c */ 259 /* Public API */ 260extern int audit_alloc(struct task_struct *task); 261extern void __audit_free(struct task_struct *task); 262extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 263 unsigned long a2, unsigned long a3); 264extern void __audit_syscall_exit(int ret_success, long ret_value); 265extern struct filename *__audit_reusename(const __user char *uptr); 266extern void __audit_getname(struct filename *name); 267 268#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 269#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 270#define AUDIT_INODE_NOEVAL 4 /* audit record incomplete */ 271extern void __audit_inode(struct filename *name, const struct dentry *dentry, 272 unsigned int flags); 273extern void __audit_file(const struct file *); 274extern void __audit_inode_child(struct inode *parent, 275 const struct dentry *dentry, 276 const unsigned char type); 277extern void audit_seccomp(unsigned long syscall, long signr, int code); 278extern void audit_seccomp_actions_logged(const char *names, 279 const char *old_names, int res); 280extern void __audit_ptrace(struct task_struct *t); 281 282static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 283{ 284 task->audit_context = ctx; 285} 286 287static inline struct audit_context *audit_context(void) 288{ 289 return current->audit_context; 290} 291 292static inline bool audit_dummy_context(void) 293{ 294 void *p = audit_context(); 295 return !p || *(int *)p; 296} 297static inline void audit_free(struct task_struct *task) 298{ 299 if (unlikely(task->audit_context)) 300 __audit_free(task); 301} 302static inline void audit_syscall_entry(int major, unsigned long a0, 303 unsigned long a1, unsigned long a2, 304 unsigned long a3) 305{ 306 if (unlikely(audit_context())) 307 __audit_syscall_entry(major, a0, a1, a2, a3); 308} 309static inline void audit_syscall_exit(void *pt_regs) 310{ 311 if (unlikely(audit_context())) { 312 int success = is_syscall_success(pt_regs); 313 long return_code = regs_return_value(pt_regs); 314 315 __audit_syscall_exit(success, return_code); 316 } 317} 318static inline struct filename *audit_reusename(const __user char *name) 319{ 320 if (unlikely(!audit_dummy_context())) 321 return __audit_reusename(name); 322 return NULL; 323} 324static inline void audit_getname(struct filename *name) 325{ 326 if (unlikely(!audit_dummy_context())) 327 __audit_getname(name); 328} 329static inline void audit_inode(struct filename *name, 330 const struct dentry *dentry, 331 unsigned int flags) { 332 if (unlikely(!audit_dummy_context())) { 333 unsigned int aflags = 0; 334 335 if (flags & LOOKUP_PARENT) 336 aflags |= AUDIT_INODE_PARENT; 337 if (flags & LOOKUP_NO_EVAL) 338 aflags |= AUDIT_INODE_NOEVAL; 339 __audit_inode(name, dentry, aflags); 340 } 341} 342static inline void audit_file(struct file *file) 343{ 344 if (unlikely(!audit_dummy_context())) 345 __audit_file(file); 346} 347static inline void audit_inode_parent_hidden(struct filename *name, 348 const struct dentry *dentry) 349{ 350 if (unlikely(!audit_dummy_context())) 351 __audit_inode(name, dentry, 352 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 353} 354static inline void audit_inode_child(struct inode *parent, 355 const struct dentry *dentry, 356 const unsigned char type) { 357 if (unlikely(!audit_dummy_context())) 358 __audit_inode_child(parent, dentry, type); 359} 360void audit_core_dumps(long signr); 361 362static inline void audit_ptrace(struct task_struct *t) 363{ 364 if (unlikely(!audit_dummy_context())) 365 __audit_ptrace(t); 366} 367 368 /* Private API (for audit.c only) */ 369extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 370extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 371extern void __audit_bprm(struct linux_binprm *bprm); 372extern int __audit_socketcall(int nargs, unsigned long *args); 373extern int __audit_sockaddr(int len, void *addr); 374extern void __audit_fd_pair(int fd1, int fd2); 375extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 376extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout); 377extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 378extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 379extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 380 const struct cred *new, 381 const struct cred *old); 382extern void __audit_log_capset(const struct cred *new, const struct cred *old); 383extern void __audit_mmap_fd(int fd, int flags); 384extern void __audit_log_kern_module(char *name); 385extern void __audit_fanotify(unsigned int response); 386extern void __audit_tk_injoffset(struct timespec64 offset); 387extern void __audit_ntp_log(const struct audit_ntp_data *ad); 388 389static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 390{ 391 if (unlikely(!audit_dummy_context())) 392 __audit_ipc_obj(ipcp); 393} 394static inline void audit_fd_pair(int fd1, int fd2) 395{ 396 if (unlikely(!audit_dummy_context())) 397 __audit_fd_pair(fd1, fd2); 398} 399static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 400{ 401 if (unlikely(!audit_dummy_context())) 402 __audit_ipc_set_perm(qbytes, uid, gid, mode); 403} 404static inline void audit_bprm(struct linux_binprm *bprm) 405{ 406 if (unlikely(!audit_dummy_context())) 407 __audit_bprm(bprm); 408} 409static inline int audit_socketcall(int nargs, unsigned long *args) 410{ 411 if (unlikely(!audit_dummy_context())) 412 return __audit_socketcall(nargs, args); 413 return 0; 414} 415 416static inline int audit_socketcall_compat(int nargs, u32 *args) 417{ 418 unsigned long a[AUDITSC_ARGS]; 419 int i; 420 421 if (audit_dummy_context()) 422 return 0; 423 424 for (i = 0; i < nargs; i++) 425 a[i] = (unsigned long)args[i]; 426 return __audit_socketcall(nargs, a); 427} 428 429static inline int audit_sockaddr(int len, void *addr) 430{ 431 if (unlikely(!audit_dummy_context())) 432 return __audit_sockaddr(len, addr); 433 return 0; 434} 435static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 436{ 437 if (unlikely(!audit_dummy_context())) 438 __audit_mq_open(oflag, mode, attr); 439} 440static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout) 441{ 442 if (unlikely(!audit_dummy_context())) 443 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 444} 445static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 446{ 447 if (unlikely(!audit_dummy_context())) 448 __audit_mq_notify(mqdes, notification); 449} 450static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 451{ 452 if (unlikely(!audit_dummy_context())) 453 __audit_mq_getsetattr(mqdes, mqstat); 454} 455 456static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 457 const struct cred *new, 458 const struct cred *old) 459{ 460 if (unlikely(!audit_dummy_context())) 461 return __audit_log_bprm_fcaps(bprm, new, old); 462 return 0; 463} 464 465static inline void audit_log_capset(const struct cred *new, 466 const struct cred *old) 467{ 468 if (unlikely(!audit_dummy_context())) 469 __audit_log_capset(new, old); 470} 471 472static inline void audit_mmap_fd(int fd, int flags) 473{ 474 if (unlikely(!audit_dummy_context())) 475 __audit_mmap_fd(fd, flags); 476} 477 478static inline void audit_log_kern_module(char *name) 479{ 480 if (!audit_dummy_context()) 481 __audit_log_kern_module(name); 482} 483 484static inline void audit_fanotify(unsigned int response) 485{ 486 if (!audit_dummy_context()) 487 __audit_fanotify(response); 488} 489 490static inline void audit_tk_injoffset(struct timespec64 offset) 491{ 492 /* ignore no-op events */ 493 if (offset.tv_sec == 0 && offset.tv_nsec == 0) 494 return; 495 496 if (!audit_dummy_context()) 497 __audit_tk_injoffset(offset); 498} 499 500static inline void audit_ntp_init(struct audit_ntp_data *ad) 501{ 502 memset(ad, 0, sizeof(*ad)); 503} 504 505static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 506 enum audit_ntp_type type, long long val) 507{ 508 ad->vals[type].oldval = val; 509} 510 511static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 512 enum audit_ntp_type type, long long val) 513{ 514 ad->vals[type].newval = val; 515} 516 517static inline void audit_ntp_log(const struct audit_ntp_data *ad) 518{ 519 if (!audit_dummy_context()) 520 __audit_ntp_log(ad); 521} 522 523extern int audit_n_rules; 524extern int audit_signals; 525#else /* CONFIG_AUDITSYSCALL */ 526static inline int audit_alloc(struct task_struct *task) 527{ 528 return 0; 529} 530static inline void audit_free(struct task_struct *task) 531{ } 532static inline void audit_syscall_entry(int major, unsigned long a0, 533 unsigned long a1, unsigned long a2, 534 unsigned long a3) 535{ } 536static inline void audit_syscall_exit(void *pt_regs) 537{ } 538static inline bool audit_dummy_context(void) 539{ 540 return true; 541} 542static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 543{ } 544static inline struct audit_context *audit_context(void) 545{ 546 return NULL; 547} 548static inline struct filename *audit_reusename(const __user char *name) 549{ 550 return NULL; 551} 552static inline void audit_getname(struct filename *name) 553{ } 554static inline void __audit_inode(struct filename *name, 555 const struct dentry *dentry, 556 unsigned int flags) 557{ } 558static inline void __audit_inode_child(struct inode *parent, 559 const struct dentry *dentry, 560 const unsigned char type) 561{ } 562static inline void audit_inode(struct filename *name, 563 const struct dentry *dentry, 564 unsigned int parent) 565{ } 566static inline void audit_file(struct file *file) 567{ 568} 569static inline void audit_inode_parent_hidden(struct filename *name, 570 const struct dentry *dentry) 571{ } 572static inline void audit_inode_child(struct inode *parent, 573 const struct dentry *dentry, 574 const unsigned char type) 575{ } 576static inline void audit_core_dumps(long signr) 577{ } 578static inline void audit_seccomp(unsigned long syscall, long signr, int code) 579{ } 580static inline void audit_seccomp_actions_logged(const char *names, 581 const char *old_names, int res) 582{ } 583static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 584{ } 585static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 586 gid_t gid, umode_t mode) 587{ } 588static inline void audit_bprm(struct linux_binprm *bprm) 589{ } 590static inline int audit_socketcall(int nargs, unsigned long *args) 591{ 592 return 0; 593} 594 595static inline int audit_socketcall_compat(int nargs, u32 *args) 596{ 597 return 0; 598} 599 600static inline void audit_fd_pair(int fd1, int fd2) 601{ } 602static inline int audit_sockaddr(int len, void *addr) 603{ 604 return 0; 605} 606static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 607{ } 608static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 609 unsigned int msg_prio, 610 const struct timespec64 *abs_timeout) 611{ } 612static inline void audit_mq_notify(mqd_t mqdes, 613 const struct sigevent *notification) 614{ } 615static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 616{ } 617static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 618 const struct cred *new, 619 const struct cred *old) 620{ 621 return 0; 622} 623static inline void audit_log_capset(const struct cred *new, 624 const struct cred *old) 625{ } 626static inline void audit_mmap_fd(int fd, int flags) 627{ } 628 629static inline void audit_log_kern_module(char *name) 630{ 631} 632 633static inline void audit_fanotify(unsigned int response) 634{ } 635 636static inline void audit_tk_injoffset(struct timespec64 offset) 637{ } 638 639static inline void audit_ntp_init(struct audit_ntp_data *ad) 640{ } 641 642static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 643 enum audit_ntp_type type, long long val) 644{ } 645 646static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 647 enum audit_ntp_type type, long long val) 648{ } 649 650static inline void audit_ntp_log(const struct audit_ntp_data *ad) 651{ } 652 653static inline void audit_ptrace(struct task_struct *t) 654{ } 655#define audit_n_rules 0 656#define audit_signals 0 657#endif /* CONFIG_AUDITSYSCALL */ 658 659static inline bool audit_loginuid_set(struct task_struct *tsk) 660{ 661 return uid_valid(audit_get_loginuid(tsk)); 662} 663 664static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 665{ 666 audit_log_n_string(ab, buf, strlen(buf)); 667} 668 669#endif