tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / audit.h
at v5.8 19 kB view raw
1/* SPDX-License-Identifier: GPL-2.0-or-later */ 2/* audit.h -- Auditing support 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * All Rights Reserved. 6 * 7 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 8 */ 9#ifndef _LINUX_AUDIT_H_ 10#define _LINUX_AUDIT_H_ 11 12#include <linux/sched.h> 13#include <linux/ptrace.h> 14#include <uapi/linux/audit.h> 15 16#define AUDIT_INO_UNSET ((unsigned long)-1) 17#define AUDIT_DEV_UNSET ((dev_t)-1) 18 19struct audit_sig_info { 20 uid_t uid; 21 pid_t pid; 22 char ctx[]; 23}; 24 25struct audit_buffer; 26struct audit_context; 27struct inode; 28struct netlink_skb_parms; 29struct path; 30struct linux_binprm; 31struct mq_attr; 32struct mqstat; 33struct audit_watch; 34struct audit_tree; 35struct sk_buff; 36 37struct audit_krule { 38 u32 pflags; 39 u32 flags; 40 u32 listnr; 41 u32 action; 42 u32 mask[AUDIT_BITMASK_SIZE]; 43 u32 buflen; /* for data alloc on list rules */ 44 u32 field_count; 45 char *filterkey; /* ties events to rules */ 46 struct audit_field *fields; 47 struct audit_field *arch_f; /* quick access to arch field */ 48 struct audit_field *inode_f; /* quick access to an inode field */ 49 struct audit_watch *watch; /* associated watch */ 50 struct audit_tree *tree; /* associated watched tree */ 51 struct audit_fsnotify_mark *exe; 52 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 53 struct list_head list; /* for AUDIT_LIST* purposes only */ 54 u64 prio; 55}; 56 57/* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 58#define AUDIT_LOGINUID_LEGACY 0x1 59 60struct audit_field { 61 u32 type; 62 union { 63 u32 val; 64 kuid_t uid; 65 kgid_t gid; 66 struct { 67 char *lsm_str; 68 void *lsm_rule; 69 }; 70 }; 71 u32 op; 72}; 73 74enum audit_ntp_type { 75 AUDIT_NTP_OFFSET, 76 AUDIT_NTP_FREQ, 77 AUDIT_NTP_STATUS, 78 AUDIT_NTP_TAI, 79 AUDIT_NTP_TICK, 80 AUDIT_NTP_ADJUST, 81 82 AUDIT_NTP_NVALS /* count */ 83}; 84 85#ifdef CONFIG_AUDITSYSCALL 86struct audit_ntp_val { 87 long long oldval, newval; 88}; 89 90struct audit_ntp_data { 91 struct audit_ntp_val vals[AUDIT_NTP_NVALS]; 92}; 93#else 94struct audit_ntp_data {}; 95#endif 96 97enum audit_nfcfgop { 98 AUDIT_XT_OP_REGISTER, 99 AUDIT_XT_OP_REPLACE, 100 AUDIT_XT_OP_UNREGISTER, 101}; 102 103extern int is_audit_feature_set(int which); 104 105extern int __init audit_register_class(int class, unsigned *list); 106extern int audit_classify_syscall(int abi, unsigned syscall); 107extern int audit_classify_arch(int arch); 108/* only for compat system calls */ 109extern unsigned compat_write_class[]; 110extern unsigned compat_read_class[]; 111extern unsigned compat_dir_class[]; 112extern unsigned compat_chattr_class[]; 113extern unsigned compat_signal_class[]; 114 115extern int audit_classify_compat_syscall(int abi, unsigned syscall); 116 117/* audit_names->type values */ 118#define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 119#define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 120#define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 121#define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 122#define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 123 124/* maximized args number that audit_socketcall can process */ 125#define AUDITSC_ARGS 6 126 127/* bit values for ->signal->audit_tty */ 128#define AUDIT_TTY_ENABLE BIT(0) 129#define AUDIT_TTY_LOG_PASSWD BIT(1) 130 131struct filename; 132 133#define AUDIT_OFF 0 134#define AUDIT_ON 1 135#define AUDIT_LOCKED 2 136#ifdef CONFIG_AUDIT 137/* These are defined in audit.c */ 138 /* Public API */ 139extern __printf(4, 5) 140void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 141 const char *fmt, ...); 142 143extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 144extern __printf(2, 3) 145void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 146extern void audit_log_end(struct audit_buffer *ab); 147extern bool audit_string_contains_control(const char *string, 148 size_t len); 149extern void audit_log_n_hex(struct audit_buffer *ab, 150 const unsigned char *buf, 151 size_t len); 152extern void audit_log_n_string(struct audit_buffer *ab, 153 const char *buf, 154 size_t n); 155extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 156 const char *string, 157 size_t n); 158extern void audit_log_untrustedstring(struct audit_buffer *ab, 159 const char *string); 160extern void audit_log_d_path(struct audit_buffer *ab, 161 const char *prefix, 162 const struct path *path); 163extern void audit_log_key(struct audit_buffer *ab, 164 char *key); 165extern void audit_log_path_denied(int type, 166 const char *operation); 167extern void audit_log_lost(const char *message); 168 169extern int audit_log_task_context(struct audit_buffer *ab); 170extern void audit_log_task_info(struct audit_buffer *ab); 171 172extern int audit_update_lsm_rules(void); 173 174 /* Private API (for audit.c only) */ 175extern int audit_rule_change(int type, int seq, void *data, size_t datasz); 176extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 177 178extern int audit_set_loginuid(kuid_t loginuid); 179 180static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 181{ 182 return tsk->loginuid; 183} 184 185static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 186{ 187 return tsk->sessionid; 188} 189 190extern u32 audit_enabled; 191 192extern int audit_signal_info(int sig, struct task_struct *t); 193 194#else /* CONFIG_AUDIT */ 195static inline __printf(4, 5) 196void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 197 const char *fmt, ...) 198{ } 199static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 200 gfp_t gfp_mask, int type) 201{ 202 return NULL; 203} 204static inline __printf(2, 3) 205void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 206{ } 207static inline void audit_log_end(struct audit_buffer *ab) 208{ } 209static inline void audit_log_n_hex(struct audit_buffer *ab, 210 const unsigned char *buf, size_t len) 211{ } 212static inline void audit_log_n_string(struct audit_buffer *ab, 213 const char *buf, size_t n) 214{ } 215static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 216 const char *string, size_t n) 217{ } 218static inline void audit_log_untrustedstring(struct audit_buffer *ab, 219 const char *string) 220{ } 221static inline void audit_log_d_path(struct audit_buffer *ab, 222 const char *prefix, 223 const struct path *path) 224{ } 225static inline void audit_log_key(struct audit_buffer *ab, char *key) 226{ } 227static inline void audit_log_path_denied(int type, const char *operation) 228{ } 229static inline int audit_log_task_context(struct audit_buffer *ab) 230{ 231 return 0; 232} 233static inline void audit_log_task_info(struct audit_buffer *ab) 234{ } 235 236static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 237{ 238 return INVALID_UID; 239} 240 241static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 242{ 243 return AUDIT_SID_UNSET; 244} 245 246#define audit_enabled AUDIT_OFF 247 248static inline int audit_signal_info(int sig, struct task_struct *t) 249{ 250 return 0; 251} 252 253#endif /* CONFIG_AUDIT */ 254 255#ifdef CONFIG_AUDIT_COMPAT_GENERIC 256#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 257#else 258#define audit_is_compat(arch) false 259#endif 260 261#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 262#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 263#define AUDIT_INODE_NOEVAL 4 /* audit record incomplete */ 264 265#ifdef CONFIG_AUDITSYSCALL 266#include <asm/syscall.h> /* for syscall_get_arch() */ 267 268/* These are defined in auditsc.c */ 269 /* Public API */ 270extern int audit_alloc(struct task_struct *task); 271extern void __audit_free(struct task_struct *task); 272extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 273 unsigned long a2, unsigned long a3); 274extern void __audit_syscall_exit(int ret_success, long ret_value); 275extern struct filename *__audit_reusename(const __user char *uptr); 276extern void __audit_getname(struct filename *name); 277 278extern void __audit_inode(struct filename *name, const struct dentry *dentry, 279 unsigned int flags); 280extern void __audit_file(const struct file *); 281extern void __audit_inode_child(struct inode *parent, 282 const struct dentry *dentry, 283 const unsigned char type); 284extern void audit_seccomp(unsigned long syscall, long signr, int code); 285extern void audit_seccomp_actions_logged(const char *names, 286 const char *old_names, int res); 287extern void __audit_ptrace(struct task_struct *t); 288 289static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 290{ 291 task->audit_context = ctx; 292} 293 294static inline struct audit_context *audit_context(void) 295{ 296 return current->audit_context; 297} 298 299static inline bool audit_dummy_context(void) 300{ 301 void *p = audit_context(); 302 return !p || *(int *)p; 303} 304static inline void audit_free(struct task_struct *task) 305{ 306 if (unlikely(task->audit_context)) 307 __audit_free(task); 308} 309static inline void audit_syscall_entry(int major, unsigned long a0, 310 unsigned long a1, unsigned long a2, 311 unsigned long a3) 312{ 313 if (unlikely(audit_context())) 314 __audit_syscall_entry(major, a0, a1, a2, a3); 315} 316static inline void audit_syscall_exit(void *pt_regs) 317{ 318 if (unlikely(audit_context())) { 319 int success = is_syscall_success(pt_regs); 320 long return_code = regs_return_value(pt_regs); 321 322 __audit_syscall_exit(success, return_code); 323 } 324} 325static inline struct filename *audit_reusename(const __user char *name) 326{ 327 if (unlikely(!audit_dummy_context())) 328 return __audit_reusename(name); 329 return NULL; 330} 331static inline void audit_getname(struct filename *name) 332{ 333 if (unlikely(!audit_dummy_context())) 334 __audit_getname(name); 335} 336static inline void audit_inode(struct filename *name, 337 const struct dentry *dentry, 338 unsigned int aflags) { 339 if (unlikely(!audit_dummy_context())) 340 __audit_inode(name, dentry, aflags); 341} 342static inline void audit_file(struct file *file) 343{ 344 if (unlikely(!audit_dummy_context())) 345 __audit_file(file); 346} 347static inline void audit_inode_parent_hidden(struct filename *name, 348 const struct dentry *dentry) 349{ 350 if (unlikely(!audit_dummy_context())) 351 __audit_inode(name, dentry, 352 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 353} 354static inline void audit_inode_child(struct inode *parent, 355 const struct dentry *dentry, 356 const unsigned char type) { 357 if (unlikely(!audit_dummy_context())) 358 __audit_inode_child(parent, dentry, type); 359} 360void audit_core_dumps(long signr); 361 362static inline void audit_ptrace(struct task_struct *t) 363{ 364 if (unlikely(!audit_dummy_context())) 365 __audit_ptrace(t); 366} 367 368 /* Private API (for audit.c only) */ 369extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 370extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 371extern void __audit_bprm(struct linux_binprm *bprm); 372extern int __audit_socketcall(int nargs, unsigned long *args); 373extern int __audit_sockaddr(int len, void *addr); 374extern void __audit_fd_pair(int fd1, int fd2); 375extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 376extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout); 377extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 378extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 379extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 380 const struct cred *new, 381 const struct cred *old); 382extern void __audit_log_capset(const struct cred *new, const struct cred *old); 383extern void __audit_mmap_fd(int fd, int flags); 384extern void __audit_log_kern_module(char *name); 385extern void __audit_fanotify(unsigned int response); 386extern void __audit_tk_injoffset(struct timespec64 offset); 387extern void __audit_ntp_log(const struct audit_ntp_data *ad); 388extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, 389 enum audit_nfcfgop op); 390 391static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 392{ 393 if (unlikely(!audit_dummy_context())) 394 __audit_ipc_obj(ipcp); 395} 396static inline void audit_fd_pair(int fd1, int fd2) 397{ 398 if (unlikely(!audit_dummy_context())) 399 __audit_fd_pair(fd1, fd2); 400} 401static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 402{ 403 if (unlikely(!audit_dummy_context())) 404 __audit_ipc_set_perm(qbytes, uid, gid, mode); 405} 406static inline void audit_bprm(struct linux_binprm *bprm) 407{ 408 if (unlikely(!audit_dummy_context())) 409 __audit_bprm(bprm); 410} 411static inline int audit_socketcall(int nargs, unsigned long *args) 412{ 413 if (unlikely(!audit_dummy_context())) 414 return __audit_socketcall(nargs, args); 415 return 0; 416} 417 418static inline int audit_socketcall_compat(int nargs, u32 *args) 419{ 420 unsigned long a[AUDITSC_ARGS]; 421 int i; 422 423 if (audit_dummy_context()) 424 return 0; 425 426 for (i = 0; i < nargs; i++) 427 a[i] = (unsigned long)args[i]; 428 return __audit_socketcall(nargs, a); 429} 430 431static inline int audit_sockaddr(int len, void *addr) 432{ 433 if (unlikely(!audit_dummy_context())) 434 return __audit_sockaddr(len, addr); 435 return 0; 436} 437static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 438{ 439 if (unlikely(!audit_dummy_context())) 440 __audit_mq_open(oflag, mode, attr); 441} 442static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout) 443{ 444 if (unlikely(!audit_dummy_context())) 445 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 446} 447static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 448{ 449 if (unlikely(!audit_dummy_context())) 450 __audit_mq_notify(mqdes, notification); 451} 452static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 453{ 454 if (unlikely(!audit_dummy_context())) 455 __audit_mq_getsetattr(mqdes, mqstat); 456} 457 458static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 459 const struct cred *new, 460 const struct cred *old) 461{ 462 if (unlikely(!audit_dummy_context())) 463 return __audit_log_bprm_fcaps(bprm, new, old); 464 return 0; 465} 466 467static inline void audit_log_capset(const struct cred *new, 468 const struct cred *old) 469{ 470 if (unlikely(!audit_dummy_context())) 471 __audit_log_capset(new, old); 472} 473 474static inline void audit_mmap_fd(int fd, int flags) 475{ 476 if (unlikely(!audit_dummy_context())) 477 __audit_mmap_fd(fd, flags); 478} 479 480static inline void audit_log_kern_module(char *name) 481{ 482 if (!audit_dummy_context()) 483 __audit_log_kern_module(name); 484} 485 486static inline void audit_fanotify(unsigned int response) 487{ 488 if (!audit_dummy_context()) 489 __audit_fanotify(response); 490} 491 492static inline void audit_tk_injoffset(struct timespec64 offset) 493{ 494 /* ignore no-op events */ 495 if (offset.tv_sec == 0 && offset.tv_nsec == 0) 496 return; 497 498 if (!audit_dummy_context()) 499 __audit_tk_injoffset(offset); 500} 501 502static inline void audit_ntp_init(struct audit_ntp_data *ad) 503{ 504 memset(ad, 0, sizeof(*ad)); 505} 506 507static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 508 enum audit_ntp_type type, long long val) 509{ 510 ad->vals[type].oldval = val; 511} 512 513static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 514 enum audit_ntp_type type, long long val) 515{ 516 ad->vals[type].newval = val; 517} 518 519static inline void audit_ntp_log(const struct audit_ntp_data *ad) 520{ 521 if (!audit_dummy_context()) 522 __audit_ntp_log(ad); 523} 524 525static inline void audit_log_nfcfg(const char *name, u8 af, 526 unsigned int nentries, 527 enum audit_nfcfgop op) 528{ 529 if (audit_enabled) 530 __audit_log_nfcfg(name, af, nentries, op); 531} 532 533extern int audit_n_rules; 534extern int audit_signals; 535#else /* CONFIG_AUDITSYSCALL */ 536static inline int audit_alloc(struct task_struct *task) 537{ 538 return 0; 539} 540static inline void audit_free(struct task_struct *task) 541{ } 542static inline void audit_syscall_entry(int major, unsigned long a0, 543 unsigned long a1, unsigned long a2, 544 unsigned long a3) 545{ } 546static inline void audit_syscall_exit(void *pt_regs) 547{ } 548static inline bool audit_dummy_context(void) 549{ 550 return true; 551} 552static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 553{ } 554static inline struct audit_context *audit_context(void) 555{ 556 return NULL; 557} 558static inline struct filename *audit_reusename(const __user char *name) 559{ 560 return NULL; 561} 562static inline void audit_getname(struct filename *name) 563{ } 564static inline void __audit_inode(struct filename *name, 565 const struct dentry *dentry, 566 unsigned int flags) 567{ } 568static inline void __audit_inode_child(struct inode *parent, 569 const struct dentry *dentry, 570 const unsigned char type) 571{ } 572static inline void audit_inode(struct filename *name, 573 const struct dentry *dentry, 574 unsigned int aflags) 575{ } 576static inline void audit_file(struct file *file) 577{ 578} 579static inline void audit_inode_parent_hidden(struct filename *name, 580 const struct dentry *dentry) 581{ } 582static inline void audit_inode_child(struct inode *parent, 583 const struct dentry *dentry, 584 const unsigned char type) 585{ } 586static inline void audit_core_dumps(long signr) 587{ } 588static inline void audit_seccomp(unsigned long syscall, long signr, int code) 589{ } 590static inline void audit_seccomp_actions_logged(const char *names, 591 const char *old_names, int res) 592{ } 593static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 594{ } 595static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 596 gid_t gid, umode_t mode) 597{ } 598static inline void audit_bprm(struct linux_binprm *bprm) 599{ } 600static inline int audit_socketcall(int nargs, unsigned long *args) 601{ 602 return 0; 603} 604 605static inline int audit_socketcall_compat(int nargs, u32 *args) 606{ 607 return 0; 608} 609 610static inline void audit_fd_pair(int fd1, int fd2) 611{ } 612static inline int audit_sockaddr(int len, void *addr) 613{ 614 return 0; 615} 616static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 617{ } 618static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 619 unsigned int msg_prio, 620 const struct timespec64 *abs_timeout) 621{ } 622static inline void audit_mq_notify(mqd_t mqdes, 623 const struct sigevent *notification) 624{ } 625static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 626{ } 627static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 628 const struct cred *new, 629 const struct cred *old) 630{ 631 return 0; 632} 633static inline void audit_log_capset(const struct cred *new, 634 const struct cred *old) 635{ } 636static inline void audit_mmap_fd(int fd, int flags) 637{ } 638 639static inline void audit_log_kern_module(char *name) 640{ 641} 642 643static inline void audit_fanotify(unsigned int response) 644{ } 645 646static inline void audit_tk_injoffset(struct timespec64 offset) 647{ } 648 649static inline void audit_ntp_init(struct audit_ntp_data *ad) 650{ } 651 652static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 653 enum audit_ntp_type type, long long val) 654{ } 655 656static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 657 enum audit_ntp_type type, long long val) 658{ } 659 660static inline void audit_ntp_log(const struct audit_ntp_data *ad) 661{ } 662 663static inline void audit_ptrace(struct task_struct *t) 664{ } 665 666static inline void audit_log_nfcfg(const char *name, u8 af, 667 unsigned int nentries, 668 enum audit_nfcfgop op) 669{ } 670 671#define audit_n_rules 0 672#define audit_signals 0 673#endif /* CONFIG_AUDITSYSCALL */ 674 675static inline bool audit_loginuid_set(struct task_struct *tsk) 676{ 677 return uid_valid(audit_get_loginuid(tsk)); 678} 679 680static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 681{ 682 audit_log_n_string(ab, buf, strlen(buf)); 683} 684 685#endif