tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v5.7 19 kB view raw
1/* SPDX-License-Identifier: GPL-2.0-or-later */ 2/* audit.h -- Auditing support 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * All Rights Reserved. 6 * 7 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 8 */ 9#ifndef _LINUX_AUDIT_H_ 10#define _LINUX_AUDIT_H_ 11 12#include <linux/sched.h> 13#include <linux/ptrace.h> 14#include <uapi/linux/audit.h> 15 16#define AUDIT_INO_UNSET ((unsigned long)-1) 17#define AUDIT_DEV_UNSET ((dev_t)-1) 18 19struct audit_sig_info { 20 uid_t uid; 21 pid_t pid; 22 char ctx[0]; 23}; 24 25struct audit_buffer; 26struct audit_context; 27struct inode; 28struct netlink_skb_parms; 29struct path; 30struct linux_binprm; 31struct mq_attr; 32struct mqstat; 33struct audit_watch; 34struct audit_tree; 35struct sk_buff; 36 37struct audit_krule { 38 u32 pflags; 39 u32 flags; 40 u32 listnr; 41 u32 action; 42 u32 mask[AUDIT_BITMASK_SIZE]; 43 u32 buflen; /* for data alloc on list rules */ 44 u32 field_count; 45 char *filterkey; /* ties events to rules */ 46 struct audit_field *fields; 47 struct audit_field *arch_f; /* quick access to arch field */ 48 struct audit_field *inode_f; /* quick access to an inode field */ 49 struct audit_watch *watch; /* associated watch */ 50 struct audit_tree *tree; /* associated watched tree */ 51 struct audit_fsnotify_mark *exe; 52 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 53 struct list_head list; /* for AUDIT_LIST* purposes only */ 54 u64 prio; 55}; 56 57/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 58#define AUDIT_LOGINUID_LEGACY 0x1 59 60struct audit_field { 61 u32 type; 62 union { 63 u32 val; 64 kuid_t uid; 65 kgid_t gid; 66 struct { 67 char *lsm_str; 68 void *lsm_rule; 69 }; 70 }; 71 u32 op; 72}; 73 74enum audit_ntp_type { 75 AUDIT_NTP_OFFSET, 76 AUDIT_NTP_FREQ, 77 AUDIT_NTP_STATUS, 78 AUDIT_NTP_TAI, 79 AUDIT_NTP_TICK, 80 AUDIT_NTP_ADJUST, 81 82 AUDIT_NTP_NVALS /* count */ 83}; 84 85#ifdef CONFIG_AUDITSYSCALL 86struct audit_ntp_val { 87 long long oldval, newval; 88}; 89 90struct audit_ntp_data { 91 struct audit_ntp_val vals[AUDIT_NTP_NVALS]; 92}; 93#else 94struct audit_ntp_data {}; 95#endif 96 97extern int is_audit_feature_set(int which); 98 99extern int __init audit_register_class(int class, unsigned *list); 100extern int audit_classify_syscall(int abi, unsigned syscall); 101extern int audit_classify_arch(int arch); 102/* only for compat system calls */ 103extern unsigned compat_write_class[]; 104extern unsigned compat_read_class[]; 105extern unsigned compat_dir_class[]; 106extern unsigned compat_chattr_class[]; 107extern unsigned compat_signal_class[]; 108 109extern int audit_classify_compat_syscall(int abi, unsigned syscall); 110 111/* audit_names->type values */ 112#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 113#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 114#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 115#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 116#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 117 118/* maximized args number that audit_socketcall can process */ 119#define AUDITSC_ARGS 6 120 121/* bit values for ->signal->audit_tty */ 122#define AUDIT_TTY_ENABLE BIT(0) 123#define AUDIT_TTY_LOG_PASSWD BIT(1) 124 125struct filename; 126 127#define AUDIT_OFF 0 128#define AUDIT_ON 1 129#define AUDIT_LOCKED 2 130#ifdef CONFIG_AUDIT 131/* These are defined in audit.c */ 132 /* Public API */ 133extern __printf(4, 5) 134void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 135 const char *fmt, ...); 136 137extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 138extern __printf(2, 3) 139void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 140extern void audit_log_end(struct audit_buffer *ab); 141extern bool audit_string_contains_control(const char *string, 142 size_t len); 143extern void audit_log_n_hex(struct audit_buffer *ab, 144 const unsigned char *buf, 145 size_t len); 146extern void audit_log_n_string(struct audit_buffer *ab, 147 const char *buf, 148 size_t n); 149extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 150 const char *string, 151 size_t n); 152extern void audit_log_untrustedstring(struct audit_buffer *ab, 153 const char *string); 154extern void audit_log_d_path(struct audit_buffer *ab, 155 const char *prefix, 156 const struct path *path); 157extern void audit_log_key(struct audit_buffer *ab, 158 char *key); 159extern void audit_log_path_denied(int type, 160 const char *operation); 161extern void audit_log_lost(const char *message); 162 163extern int audit_log_task_context(struct audit_buffer *ab); 164extern void audit_log_task_info(struct audit_buffer *ab); 165 166extern int audit_update_lsm_rules(void); 167 168 /* Private API (for audit.c only) */ 169extern int audit_rule_change(int type, int seq, void *data, size_t datasz); 170extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 171 172extern int audit_set_loginuid(kuid_t loginuid); 173 174static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 175{ 176 return tsk->loginuid; 177} 178 179static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 180{ 181 return tsk->sessionid; 182} 183 184extern u32 audit_enabled; 185 186extern int audit_signal_info(int sig, struct task_struct *t); 187 188#else /* CONFIG_AUDIT */ 189static inline __printf(4, 5) 190void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 191 const char *fmt, ...) 192{ } 193static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 194 gfp_t gfp_mask, int type) 195{ 196 return NULL; 197} 198static inline __printf(2, 3) 199void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 200{ } 201static inline void audit_log_end(struct audit_buffer *ab) 202{ } 203static inline void audit_log_n_hex(struct audit_buffer *ab, 204 const unsigned char *buf, size_t len) 205{ } 206static inline void audit_log_n_string(struct audit_buffer *ab, 207 const char *buf, size_t n) 208{ } 209static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 210 const char *string, size_t n) 211{ } 212static inline void audit_log_untrustedstring(struct audit_buffer *ab, 213 const char *string) 214{ } 215static inline void audit_log_d_path(struct audit_buffer *ab, 216 const char *prefix, 217 const struct path *path) 218{ } 219static inline void audit_log_key(struct audit_buffer *ab, char *key) 220{ } 221static inline void audit_log_path_denied(int type, const char *operation) 222{ } 223static inline int audit_log_task_context(struct audit_buffer *ab) 224{ 225 return 0; 226} 227static inline void audit_log_task_info(struct audit_buffer *ab) 228{ } 229 230static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 231{ 232 return INVALID_UID; 233} 234 235static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 236{ 237 return AUDIT_SID_UNSET; 238} 239 240#define audit_enabled AUDIT_OFF 241 242static inline int audit_signal_info(int sig, struct task_struct *t) 243{ 244 return 0; 245} 246 247#endif /* CONFIG_AUDIT */ 248 249#ifdef CONFIG_AUDIT_COMPAT_GENERIC 250#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 251#else 252#define audit_is_compat(arch) false 253#endif 254 255#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 256#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 257#define AUDIT_INODE_NOEVAL 4 /* audit record incomplete */ 258 259#ifdef CONFIG_AUDITSYSCALL 260#include <asm/syscall.h> /* for syscall_get_arch() */ 261 262/* These are defined in auditsc.c */ 263 /* Public API */ 264extern int audit_alloc(struct task_struct *task); 265extern void __audit_free(struct task_struct *task); 266extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 267 unsigned long a2, unsigned long a3); 268extern void __audit_syscall_exit(int ret_success, long ret_value); 269extern struct filename *__audit_reusename(const __user char *uptr); 270extern void __audit_getname(struct filename *name); 271 272extern void __audit_inode(struct filename *name, const struct dentry *dentry, 273 unsigned int flags); 274extern void __audit_file(const struct file *); 275extern void __audit_inode_child(struct inode *parent, 276 const struct dentry *dentry, 277 const unsigned char type); 278extern void audit_seccomp(unsigned long syscall, long signr, int code); 279extern void audit_seccomp_actions_logged(const char *names, 280 const char *old_names, int res); 281extern void __audit_ptrace(struct task_struct *t); 282 283static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 284{ 285 task->audit_context = ctx; 286} 287 288static inline struct audit_context *audit_context(void) 289{ 290 return current->audit_context; 291} 292 293static inline bool audit_dummy_context(void) 294{ 295 void *p = audit_context(); 296 return !p || *(int *)p; 297} 298static inline void audit_free(struct task_struct *task) 299{ 300 if (unlikely(task->audit_context)) 301 __audit_free(task); 302} 303static inline void audit_syscall_entry(int major, unsigned long a0, 304 unsigned long a1, unsigned long a2, 305 unsigned long a3) 306{ 307 if (unlikely(audit_context())) 308 __audit_syscall_entry(major, a0, a1, a2, a3); 309} 310static inline void audit_syscall_exit(void *pt_regs) 311{ 312 if (unlikely(audit_context())) { 313 int success = is_syscall_success(pt_regs); 314 long return_code = regs_return_value(pt_regs); 315 316 __audit_syscall_exit(success, return_code); 317 } 318} 319static inline struct filename *audit_reusename(const __user char *name) 320{ 321 if (unlikely(!audit_dummy_context())) 322 return __audit_reusename(name); 323 return NULL; 324} 325static inline void audit_getname(struct filename *name) 326{ 327 if (unlikely(!audit_dummy_context())) 328 __audit_getname(name); 329} 330static inline void audit_inode(struct filename *name, 331 const struct dentry *dentry, 332 unsigned int aflags) { 333 if (unlikely(!audit_dummy_context())) 334 __audit_inode(name, dentry, aflags); 335} 336static inline void audit_file(struct file *file) 337{ 338 if (unlikely(!audit_dummy_context())) 339 __audit_file(file); 340} 341static inline void audit_inode_parent_hidden(struct filename *name, 342 const struct dentry *dentry) 343{ 344 if (unlikely(!audit_dummy_context())) 345 __audit_inode(name, dentry, 346 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 347} 348static inline void audit_inode_child(struct inode *parent, 349 const struct dentry *dentry, 350 const unsigned char type) { 351 if (unlikely(!audit_dummy_context())) 352 __audit_inode_child(parent, dentry, type); 353} 354void audit_core_dumps(long signr); 355 356static inline void audit_ptrace(struct task_struct *t) 357{ 358 if (unlikely(!audit_dummy_context())) 359 __audit_ptrace(t); 360} 361 362 /* Private API (for audit.c only) */ 363extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 364extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 365extern void __audit_bprm(struct linux_binprm *bprm); 366extern int __audit_socketcall(int nargs, unsigned long *args); 367extern int __audit_sockaddr(int len, void *addr); 368extern void __audit_fd_pair(int fd1, int fd2); 369extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 370extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout); 371extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 372extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 373extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 374 const struct cred *new, 375 const struct cred *old); 376extern void __audit_log_capset(const struct cred *new, const struct cred *old); 377extern void __audit_mmap_fd(int fd, int flags); 378extern void __audit_log_kern_module(char *name); 379extern void __audit_fanotify(unsigned int response); 380extern void __audit_tk_injoffset(struct timespec64 offset); 381extern void __audit_ntp_log(const struct audit_ntp_data *ad); 382 383static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 384{ 385 if (unlikely(!audit_dummy_context())) 386 __audit_ipc_obj(ipcp); 387} 388static inline void audit_fd_pair(int fd1, int fd2) 389{ 390 if (unlikely(!audit_dummy_context())) 391 __audit_fd_pair(fd1, fd2); 392} 393static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 394{ 395 if (unlikely(!audit_dummy_context())) 396 __audit_ipc_set_perm(qbytes, uid, gid, mode); 397} 398static inline void audit_bprm(struct linux_binprm *bprm) 399{ 400 if (unlikely(!audit_dummy_context())) 401 __audit_bprm(bprm); 402} 403static inline int audit_socketcall(int nargs, unsigned long *args) 404{ 405 if (unlikely(!audit_dummy_context())) 406 return __audit_socketcall(nargs, args); 407 return 0; 408} 409 410static inline int audit_socketcall_compat(int nargs, u32 *args) 411{ 412 unsigned long a[AUDITSC_ARGS]; 413 int i; 414 415 if (audit_dummy_context()) 416 return 0; 417 418 for (i = 0; i < nargs; i++) 419 a[i] = (unsigned long)args[i]; 420 return __audit_socketcall(nargs, a); 421} 422 423static inline int audit_sockaddr(int len, void *addr) 424{ 425 if (unlikely(!audit_dummy_context())) 426 return __audit_sockaddr(len, addr); 427 return 0; 428} 429static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 430{ 431 if (unlikely(!audit_dummy_context())) 432 __audit_mq_open(oflag, mode, attr); 433} 434static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout) 435{ 436 if (unlikely(!audit_dummy_context())) 437 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 438} 439static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 440{ 441 if (unlikely(!audit_dummy_context())) 442 __audit_mq_notify(mqdes, notification); 443} 444static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 445{ 446 if (unlikely(!audit_dummy_context())) 447 __audit_mq_getsetattr(mqdes, mqstat); 448} 449 450static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 451 const struct cred *new, 452 const struct cred *old) 453{ 454 if (unlikely(!audit_dummy_context())) 455 return __audit_log_bprm_fcaps(bprm, new, old); 456 return 0; 457} 458 459static inline void audit_log_capset(const struct cred *new, 460 const struct cred *old) 461{ 462 if (unlikely(!audit_dummy_context())) 463 __audit_log_capset(new, old); 464} 465 466static inline void audit_mmap_fd(int fd, int flags) 467{ 468 if (unlikely(!audit_dummy_context())) 469 __audit_mmap_fd(fd, flags); 470} 471 472static inline void audit_log_kern_module(char *name) 473{ 474 if (!audit_dummy_context()) 475 __audit_log_kern_module(name); 476} 477 478static inline void audit_fanotify(unsigned int response) 479{ 480 if (!audit_dummy_context()) 481 __audit_fanotify(response); 482} 483 484static inline void audit_tk_injoffset(struct timespec64 offset) 485{ 486 /* ignore no-op events */ 487 if (offset.tv_sec == 0 && offset.tv_nsec == 0) 488 return; 489 490 if (!audit_dummy_context()) 491 __audit_tk_injoffset(offset); 492} 493 494static inline void audit_ntp_init(struct audit_ntp_data *ad) 495{ 496 memset(ad, 0, sizeof(*ad)); 497} 498 499static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 500 enum audit_ntp_type type, long long val) 501{ 502 ad->vals[type].oldval = val; 503} 504 505static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 506 enum audit_ntp_type type, long long val) 507{ 508 ad->vals[type].newval = val; 509} 510 511static inline void audit_ntp_log(const struct audit_ntp_data *ad) 512{ 513 if (!audit_dummy_context()) 514 __audit_ntp_log(ad); 515} 516 517extern int audit_n_rules; 518extern int audit_signals; 519#else /* CONFIG_AUDITSYSCALL */ 520static inline int audit_alloc(struct task_struct *task) 521{ 522 return 0; 523} 524static inline void audit_free(struct task_struct *task) 525{ } 526static inline void audit_syscall_entry(int major, unsigned long a0, 527 unsigned long a1, unsigned long a2, 528 unsigned long a3) 529{ } 530static inline void audit_syscall_exit(void *pt_regs) 531{ } 532static inline bool audit_dummy_context(void) 533{ 534 return true; 535} 536static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 537{ } 538static inline struct audit_context *audit_context(void) 539{ 540 return NULL; 541} 542static inline struct filename *audit_reusename(const __user char *name) 543{ 544 return NULL; 545} 546static inline void audit_getname(struct filename *name) 547{ } 548static inline void __audit_inode(struct filename *name, 549 const struct dentry *dentry, 550 unsigned int flags) 551{ } 552static inline void __audit_inode_child(struct inode *parent, 553 const struct dentry *dentry, 554 const unsigned char type) 555{ } 556static inline void audit_inode(struct filename *name, 557 const struct dentry *dentry, 558 unsigned int aflags) 559{ } 560static inline void audit_file(struct file *file) 561{ 562} 563static inline void audit_inode_parent_hidden(struct filename *name, 564 const struct dentry *dentry) 565{ } 566static inline void audit_inode_child(struct inode *parent, 567 const struct dentry *dentry, 568 const unsigned char type) 569{ } 570static inline void audit_core_dumps(long signr) 571{ } 572static inline void audit_seccomp(unsigned long syscall, long signr, int code) 573{ } 574static inline void audit_seccomp_actions_logged(const char *names, 575 const char *old_names, int res) 576{ } 577static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 578{ } 579static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 580 gid_t gid, umode_t mode) 581{ } 582static inline void audit_bprm(struct linux_binprm *bprm) 583{ } 584static inline int audit_socketcall(int nargs, unsigned long *args) 585{ 586 return 0; 587} 588 589static inline int audit_socketcall_compat(int nargs, u32 *args) 590{ 591 return 0; 592} 593 594static inline void audit_fd_pair(int fd1, int fd2) 595{ } 596static inline int audit_sockaddr(int len, void *addr) 597{ 598 return 0; 599} 600static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 601{ } 602static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 603 unsigned int msg_prio, 604 const struct timespec64 *abs_timeout) 605{ } 606static inline void audit_mq_notify(mqd_t mqdes, 607 const struct sigevent *notification) 608{ } 609static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 610{ } 611static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 612 const struct cred *new, 613 const struct cred *old) 614{ 615 return 0; 616} 617static inline void audit_log_capset(const struct cred *new, 618 const struct cred *old) 619{ } 620static inline void audit_mmap_fd(int fd, int flags) 621{ } 622 623static inline void audit_log_kern_module(char *name) 624{ 625} 626 627static inline void audit_fanotify(unsigned int response) 628{ } 629 630static inline void audit_tk_injoffset(struct timespec64 offset) 631{ } 632 633static inline void audit_ntp_init(struct audit_ntp_data *ad) 634{ } 635 636static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 637 enum audit_ntp_type type, long long val) 638{ } 639 640static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 641 enum audit_ntp_type type, long long val) 642{ } 643 644static inline void audit_ntp_log(const struct audit_ntp_data *ad) 645{ } 646 647static inline void audit_ptrace(struct task_struct *t) 648{ } 649#define audit_n_rules 0 650#define audit_signals 0 651#endif /* CONFIG_AUDITSYSCALL */ 652 653static inline bool audit_loginuid_set(struct task_struct *tsk) 654{ 655 return uid_valid(audit_get_loginuid(tsk)); 656} 657 658static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 659{ 660 audit_log_n_string(ab, buf, strlen(buf)); 661} 662 663#endif