| /* audit.h -- Auditing support |
| * |
| * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. |
| * All Rights Reserved. |
| * |
| * This program is free software; you can redistribute it and/or modify |
| * it under the terms of the GNU General Public License as published by |
| * the Free Software Foundation; either version 2 of the License, or |
| * (at your option) any later version. |
| * |
| * This program is distributed in the hope that it will be useful, |
| * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| * GNU General Public License for more details. |
| * |
| * You should have received a copy of the GNU General Public License |
| * along with this program; if not, write to the Free Software |
| * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| * |
| * Written by Rickard E. (Rik) Faith <faith@redhat.com> |
| * |
| */ |
| #ifndef _LINUX_AUDIT_H_ |
| #define _LINUX_AUDIT_H_ |
| |
| #include <linux/sched.h> |
| #include <linux/ptrace.h> |
| #include <uapi/linux/audit.h> |
| #include <linux/tty.h> |
| |
| #define AUDIT_INO_UNSET ((unsigned long)-1) |
| #define AUDIT_DEV_UNSET ((dev_t)-1) |
| |
| struct audit_sig_info { |
| uid_t uid; |
| pid_t pid; |
| char ctx[0]; |
| }; |
| |
| struct audit_buffer; |
| struct audit_context; |
| struct inode; |
| struct netlink_skb_parms; |
| struct path; |
| struct linux_binprm; |
| struct mq_attr; |
| struct mqstat; |
| struct audit_watch; |
| struct audit_tree; |
| struct sk_buff; |
| |
| struct audit_krule { |
| u32 pflags; |
| u32 flags; |
| u32 listnr; |
| u32 action; |
| u32 mask[AUDIT_BITMASK_SIZE]; |
| u32 buflen; /* for data alloc on list rules */ |
| u32 field_count; |
| char *filterkey; /* ties events to rules */ |
| struct audit_field *fields; |
| struct audit_field *arch_f; /* quick access to arch field */ |
| struct audit_field *inode_f; /* quick access to an inode field */ |
| struct audit_watch *watch; /* associated watch */ |
| struct audit_tree *tree; /* associated watched tree */ |
| struct audit_fsnotify_mark *exe; |
| struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ |
| struct list_head list; /* for AUDIT_LIST* purposes only */ |
| u64 prio; |
| }; |
| |
| /* Flag to indicate legacy AUDIT_LOGINUID unset usage */ |
| #define AUDIT_LOGINUID_LEGACY 0x1 |
| |
| struct audit_field { |
| u32 type; |
| union { |
| u32 val; |
| kuid_t uid; |
| kgid_t gid; |
| struct { |
| char *lsm_str; |
| void *lsm_rule; |
| }; |
| }; |
| u32 op; |
| }; |
| |
| extern int is_audit_feature_set(int which); |
| |
| extern int __init audit_register_class(int class, unsigned *list); |
| extern int audit_classify_syscall(int abi, unsigned syscall); |
| extern int audit_classify_arch(int arch); |
| /* only for compat system calls */ |
| extern unsigned compat_write_class[]; |
| extern unsigned compat_read_class[]; |
| extern unsigned compat_dir_class[]; |
| extern unsigned compat_chattr_class[]; |
| extern unsigned compat_signal_class[]; |
| |
| extern int audit_classify_compat_syscall(int abi, unsigned syscall); |
| |
| /* audit_names->type values */ |
| #define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ |
| #define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ |
| #define AUDIT_TYPE_PARENT 2 /* a parent audit record */ |
| #define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ |
| #define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ |
| |
| /* maximized args number that audit_socketcall can process */ |
| #define AUDITSC_ARGS 6 |
| |
| struct filename; |
| |
| extern void audit_log_session_info(struct audit_buffer *ab); |
| |
| #ifdef CONFIG_AUDIT_COMPAT_GENERIC |
| #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) |
| #else |
| #define audit_is_compat(arch) false |
| #endif |
| |
| #ifdef CONFIG_AUDITSYSCALL |
| #include <asm/syscall.h> /* for syscall_get_arch() */ |
| |
| /* These are defined in auditsc.c */ |
| /* Public API */ |
| extern int audit_alloc(struct task_struct *task); |
| extern void __audit_free(struct task_struct *task); |
| extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, |
| unsigned long a2, unsigned long a3); |
| extern void __audit_syscall_exit(int ret_success, long ret_value); |
| extern struct filename *__audit_reusename(const __user char *uptr); |
| extern void __audit_getname(struct filename *name); |
| |
| #define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ |
| #define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ |
| extern void __audit_inode(struct filename *name, const struct dentry *dentry, |
| unsigned int flags); |
| extern void __audit_file(const struct file *); |
| extern void __audit_inode_child(struct inode *parent, |
| const struct dentry *dentry, |
| const unsigned char type); |
| extern void __audit_seccomp(unsigned long syscall, long signr, int code); |
| extern void __audit_ptrace(struct task_struct *t); |
| |
| static inline bool audit_dummy_context(void) |
| { |
| void *p = current->audit_context; |
| return !p || *(int *)p; |
| } |
| static inline void audit_free(struct task_struct *task) |
| { |
| if (unlikely(task->audit_context)) |
| __audit_free(task); |
| } |
| static inline void audit_syscall_entry(int major, unsigned long a0, |
| unsigned long a1, unsigned long a2, |
| unsigned long a3) |
| { |
| if (unlikely(current->audit_context)) |
| __audit_syscall_entry(major, a0, a1, a2, a3); |
| } |
| static inline void audit_syscall_exit(void *pt_regs) |
| { |
| if (unlikely(current->audit_context)) { |
| int success = is_syscall_success(pt_regs); |
| long return_code = regs_return_value(pt_regs); |
| |
| __audit_syscall_exit(success, return_code); |
| } |
| } |
| static inline struct filename *audit_reusename(const __user char *name) |
| { |
| if (unlikely(!audit_dummy_context())) |
| return __audit_reusename(name); |
| return NULL; |
| } |
| static inline void audit_getname(struct filename *name) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_getname(name); |
| } |
| static inline void audit_inode(struct filename *name, |
| const struct dentry *dentry, |
| unsigned int parent) { |
| if (unlikely(!audit_dummy_context())) { |
| unsigned int flags = 0; |
| if (parent) |
| flags |= AUDIT_INODE_PARENT; |
| __audit_inode(name, dentry, flags); |
| } |
| } |
| static inline void audit_file(struct file *file) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_file(file); |
| } |
| static inline void audit_inode_parent_hidden(struct filename *name, |
| const struct dentry *dentry) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_inode(name, dentry, |
| AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); |
| } |
| static inline void audit_inode_child(struct inode *parent, |
| const struct dentry *dentry, |
| const unsigned char type) { |
| if (unlikely(!audit_dummy_context())) |
| __audit_inode_child(parent, dentry, type); |
| } |
| void audit_core_dumps(long signr); |
| |
| static inline void audit_seccomp(unsigned long syscall, long signr, int code) |
| { |
| /* Force a record to be reported if a signal was delivered. */ |
| if (signr || unlikely(!audit_dummy_context())) |
| __audit_seccomp(syscall, signr, code); |
| } |
| |
| static inline void audit_ptrace(struct task_struct *t) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_ptrace(t); |
| } |
| |
| /* Private API (for audit.c only) */ |
| extern unsigned int audit_serial(void); |
| extern int auditsc_get_stamp(struct audit_context *ctx, |
| struct timespec *t, unsigned int *serial); |
| extern int audit_set_loginuid(kuid_t loginuid); |
| |
| static inline kuid_t audit_get_loginuid(struct task_struct *tsk) |
| { |
| return tsk->loginuid; |
| } |
| |
| static inline unsigned int audit_get_sessionid(struct task_struct *tsk) |
| { |
| return tsk->sessionid; |
| } |
| |
| static inline struct tty_struct *audit_get_tty(struct task_struct *tsk) |
| { |
| struct tty_struct *tty = NULL; |
| unsigned long flags; |
| |
| spin_lock_irqsave(&tsk->sighand->siglock, flags); |
| if (tsk->signal) |
| tty = tty_kref_get(tsk->signal->tty); |
| spin_unlock_irqrestore(&tsk->sighand->siglock, flags); |
| return tty; |
| } |
| |
| static inline void audit_put_tty(struct tty_struct *tty) |
| { |
| tty_kref_put(tty); |
| } |
| |
| extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); |
| extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); |
| extern void __audit_bprm(struct linux_binprm *bprm); |
| extern int __audit_socketcall(int nargs, unsigned long *args); |
| extern int __audit_sockaddr(int len, void *addr); |
| extern void __audit_fd_pair(int fd1, int fd2); |
| extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); |
| extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); |
| extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); |
| extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); |
| extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, |
| const struct cred *new, |
| const struct cred *old); |
| extern void __audit_log_capset(const struct cred *new, const struct cred *old); |
| extern void __audit_mmap_fd(int fd, int flags); |
| |
| static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_ipc_obj(ipcp); |
| } |
| static inline void audit_fd_pair(int fd1, int fd2) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_fd_pair(fd1, fd2); |
| } |
| static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_ipc_set_perm(qbytes, uid, gid, mode); |
| } |
| static inline void audit_bprm(struct linux_binprm *bprm) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_bprm(bprm); |
| } |
| static inline int audit_socketcall(int nargs, unsigned long *args) |
| { |
| if (unlikely(!audit_dummy_context())) |
| return __audit_socketcall(nargs, args); |
| return 0; |
| } |
| |
| static inline int audit_socketcall_compat(int nargs, u32 *args) |
| { |
| unsigned long a[AUDITSC_ARGS]; |
| int i; |
| |
| if (audit_dummy_context()) |
| return 0; |
| |
| for (i = 0; i < nargs; i++) |
| a[i] = (unsigned long)args[i]; |
| return __audit_socketcall(nargs, a); |
| } |
| |
| static inline int audit_sockaddr(int len, void *addr) |
| { |
| if (unlikely(!audit_dummy_context())) |
| return __audit_sockaddr(len, addr); |
| return 0; |
| } |
| static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_mq_open(oflag, mode, attr); |
| } |
| static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); |
| } |
| static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_mq_notify(mqdes, notification); |
| } |
| static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_mq_getsetattr(mqdes, mqstat); |
| } |
| |
| static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, |
| const struct cred *new, |
| const struct cred *old) |
| { |
| if (unlikely(!audit_dummy_context())) |
| return __audit_log_bprm_fcaps(bprm, new, old); |
| return 0; |
| } |
| |
| static inline void audit_log_capset(const struct cred *new, |
| const struct cred *old) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_log_capset(new, old); |
| } |
| |
| static inline void audit_mmap_fd(int fd, int flags) |
| { |
| if (unlikely(!audit_dummy_context())) |
| __audit_mmap_fd(fd, flags); |
| } |
| |
| extern int audit_n_rules; |
| extern int audit_signals; |
| #else /* CONFIG_AUDITSYSCALL */ |
| static inline int audit_alloc(struct task_struct *task) |
| { |
| return 0; |
| } |
| static inline void audit_free(struct task_struct *task) |
| { } |
| static inline void audit_syscall_entry(int major, unsigned long a0, |
| unsigned long a1, unsigned long a2, |
| unsigned long a3) |
| { } |
| static inline void audit_syscall_exit(void *pt_regs) |
| { } |
| static inline bool audit_dummy_context(void) |
| { |
| return true; |
| } |
| static inline struct filename *audit_reusename(const __user char *name) |
| { |
| return NULL; |
| } |
| static inline void audit_getname(struct filename *name) |
| { } |
| static inline void __audit_inode(struct filename *name, |
| const struct dentry *dentry, |
| unsigned int flags) |
| { } |
| static inline void __audit_inode_child(struct inode *parent, |
| const struct dentry *dentry, |
| const unsigned char type) |
| { } |
| static inline void audit_inode(struct filename *name, |
| const struct dentry *dentry, |
| unsigned int parent) |
| { } |
| static inline void audit_file(struct file *file) |
| { |
| } |
| static inline void audit_inode_parent_hidden(struct filename *name, |
| const struct dentry *dentry) |
| { } |
| static inline void audit_inode_child(struct inode *parent, |
| const struct dentry *dentry, |
| const unsigned char type) |
| { } |
| static inline void audit_core_dumps(long signr) |
| { } |
| static inline void __audit_seccomp(unsigned long syscall, long signr, int code) |
| { } |
| static inline void audit_seccomp(unsigned long syscall, long signr, int code) |
| { } |
| static inline int auditsc_get_stamp(struct audit_context *ctx, |
| struct timespec *t, unsigned int *serial) |
| { |
| return 0; |
| } |
| static inline kuid_t audit_get_loginuid(struct task_struct *tsk) |
| { |
| return INVALID_UID; |
| } |
| static inline unsigned int audit_get_sessionid(struct task_struct *tsk) |
| { |
| return -1; |
| } |
| static inline struct tty_struct *audit_get_tty(struct task_struct *tsk) |
| { |
| return NULL; |
| } |
| static inline void audit_put_tty(struct tty_struct *tty) |
| { } |
| static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) |
| { } |
| static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, |
| gid_t gid, umode_t mode) |
| { } |
| static inline void audit_bprm(struct linux_binprm *bprm) |
| { } |
| static inline int audit_socketcall(int nargs, unsigned long *args) |
| { |
| return 0; |
| } |
| |
| static inline int audit_socketcall_compat(int nargs, u32 *args) |
| { |
| return 0; |
| } |
| |
| static inline void audit_fd_pair(int fd1, int fd2) |
| { } |
| static inline int audit_sockaddr(int len, void *addr) |
| { |
| return 0; |
| } |
| static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) |
| { } |
| static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, |
| unsigned int msg_prio, |
| const struct timespec *abs_timeout) |
| { } |
| static inline void audit_mq_notify(mqd_t mqdes, |
| const struct sigevent *notification) |
| { } |
| static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) |
| { } |
| static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, |
| const struct cred *new, |
| const struct cred *old) |
| { |
| return 0; |
| } |
| static inline void audit_log_capset(const struct cred *new, |
| const struct cred *old) |
| { } |
| static inline void audit_mmap_fd(int fd, int flags) |
| { } |
| static inline void audit_ptrace(struct task_struct *t) |
| { } |
| #define audit_n_rules 0 |
| #define audit_signals 0 |
| #endif /* CONFIG_AUDITSYSCALL */ |
| |
| static inline bool audit_loginuid_set(struct task_struct *tsk) |
| { |
| return uid_valid(audit_get_loginuid(tsk)); |
| } |
| |
| #ifdef CONFIG_AUDIT |
| /* These are defined in audit.c */ |
| /* Public API */ |
| extern __printf(4, 5) |
| void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, |
| const char *fmt, ...); |
| |
| extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); |
| extern __printf(2, 3) |
| void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); |
| extern void audit_log_end(struct audit_buffer *ab); |
| extern bool audit_string_contains_control(const char *string, |
| size_t len); |
| extern void audit_log_n_hex(struct audit_buffer *ab, |
| const unsigned char *buf, |
| size_t len); |
| extern void audit_log_n_string(struct audit_buffer *ab, |
| const char *buf, |
| size_t n); |
| extern void audit_log_n_untrustedstring(struct audit_buffer *ab, |
| const char *string, |
| size_t n); |
| extern void audit_log_untrustedstring(struct audit_buffer *ab, |
| const char *string); |
| extern void audit_log_d_path(struct audit_buffer *ab, |
| const char *prefix, |
| const struct path *path); |
| extern void audit_log_key(struct audit_buffer *ab, |
| char *key); |
| extern void audit_log_link_denied(const char *operation, |
| struct path *link); |
| extern void audit_log_lost(const char *message); |
| #ifdef CONFIG_SECURITY |
| extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); |
| #else |
| static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) |
| { } |
| #endif |
| |
| extern int audit_log_task_context(struct audit_buffer *ab); |
| extern void audit_log_task_info(struct audit_buffer *ab, |
| struct task_struct *tsk); |
| |
| extern int audit_update_lsm_rules(void); |
| |
| /* Private API (for audit.c only) */ |
| extern int audit_filter_user(int type); |
| extern int audit_filter_type(int type); |
| extern int audit_rule_change(int type, __u32 portid, int seq, |
| void *data, size_t datasz); |
| extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); |
| |
| extern u32 audit_enabled; |
| #else /* CONFIG_AUDIT */ |
| static inline __printf(4, 5) |
| void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, |
| const char *fmt, ...) |
| { } |
| static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, |
| gfp_t gfp_mask, int type) |
| { |
| return NULL; |
| } |
| static inline __printf(2, 3) |
| void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) |
| { } |
| static inline void audit_log_end(struct audit_buffer *ab) |
| { } |
| static inline void audit_log_n_hex(struct audit_buffer *ab, |
| const unsigned char *buf, size_t len) |
| { } |
| static inline void audit_log_n_string(struct audit_buffer *ab, |
| const char *buf, size_t n) |
| { } |
| static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, |
| const char *string, size_t n) |
| { } |
| static inline void audit_log_untrustedstring(struct audit_buffer *ab, |
| const char *string) |
| { } |
| static inline void audit_log_d_path(struct audit_buffer *ab, |
| const char *prefix, |
| const struct path *path) |
| { } |
| static inline void audit_log_key(struct audit_buffer *ab, char *key) |
| { } |
| static inline void audit_log_link_denied(const char *string, |
| const struct path *link) |
| { } |
| static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) |
| { } |
| static inline int audit_log_task_context(struct audit_buffer *ab) |
| { |
| return 0; |
| } |
| static inline void audit_log_task_info(struct audit_buffer *ab, |
| struct task_struct *tsk) |
| { } |
| static inline int audit_update_lsm_rules(void) |
| { |
| return 0; |
| } |
| #define audit_enabled 0 |
| #endif /* CONFIG_AUDIT */ |
| static inline void audit_log_string(struct audit_buffer *ab, const char *buf) |
| { |
| audit_log_n_string(ab, buf, strlen(buf)); |
| } |
| |
| #endif |