| 1 | /* audit.h -- Auditing support |
| 2 | * |
| 3 | * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. |
| 4 | * All Rights Reserved. |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or modify |
| 7 | * it under the terms of the GNU General Public License as published by |
| 8 | * the Free Software Foundation; either version 2 of the License, or |
| 9 | * (at your option) any later version. |
| 10 | * |
| 11 | * This program is distributed in the hope that it will be useful, |
| 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 14 | * GNU General Public License for more details. |
| 15 | * |
| 16 | * You should have received a copy of the GNU General Public License |
| 17 | * along with this program; if not, write to the Free Software |
| 18 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 19 | * |
| 20 | * Written by Rickard E. (Rik) Faith <faith@redhat.com> |
| 21 | * |
| 22 | */ |
| 23 | #ifndef _LINUX_AUDIT_H_ |
| 24 | #define _LINUX_AUDIT_H_ |
| 25 | |
| 26 | #include <linux/sched.h> |
| 27 | #include <uapi/linux/audit.h> |
| 28 | |
| 29 | struct audit_sig_info { |
| 30 | uid_t uid; |
| 31 | pid_t pid; |
| 32 | char ctx[0]; |
| 33 | }; |
| 34 | |
| 35 | struct audit_buffer; |
| 36 | struct audit_context; |
| 37 | struct inode; |
| 38 | struct netlink_skb_parms; |
| 39 | struct path; |
| 40 | struct linux_binprm; |
| 41 | struct mq_attr; |
| 42 | struct mqstat; |
| 43 | struct audit_watch; |
| 44 | struct audit_tree; |
| 45 | |
| 46 | struct audit_krule { |
| 47 | int vers_ops; |
| 48 | u32 flags; |
| 49 | u32 listnr; |
| 50 | u32 action; |
| 51 | u32 mask[AUDIT_BITMASK_SIZE]; |
| 52 | u32 buflen; /* for data alloc on list rules */ |
| 53 | u32 field_count; |
| 54 | char *filterkey; /* ties events to rules */ |
| 55 | struct audit_field *fields; |
| 56 | struct audit_field *arch_f; /* quick access to arch field */ |
| 57 | struct audit_field *inode_f; /* quick access to an inode field */ |
| 58 | struct audit_watch *watch; /* associated watch */ |
| 59 | struct audit_tree *tree; /* associated watched tree */ |
| 60 | struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ |
| 61 | struct list_head list; /* for AUDIT_LIST* purposes only */ |
| 62 | u64 prio; |
| 63 | }; |
| 64 | |
| 65 | struct audit_field { |
| 66 | u32 type; |
| 67 | u32 val; |
| 68 | kuid_t uid; |
| 69 | kgid_t gid; |
| 70 | u32 op; |
| 71 | char *lsm_str; |
| 72 | void *lsm_rule; |
| 73 | }; |
| 74 | |
| 75 | extern int __init audit_register_class(int class, unsigned *list); |
| 76 | extern int audit_classify_syscall(int abi, unsigned syscall); |
| 77 | extern int audit_classify_arch(int arch); |
| 78 | |
| 79 | /* audit_names->type values */ |
| 80 | #define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ |
| 81 | #define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ |
| 82 | #define AUDIT_TYPE_PARENT 2 /* a parent audit record */ |
| 83 | #define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ |
| 84 | #define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ |
| 85 | |
| 86 | struct filename; |
| 87 | |
| 88 | #ifdef CONFIG_AUDITSYSCALL |
| 89 | /* These are defined in auditsc.c */ |
| 90 | /* Public API */ |
| 91 | extern int audit_alloc(struct task_struct *task); |
| 92 | extern void __audit_free(struct task_struct *task); |
| 93 | extern void __audit_syscall_entry(int arch, |
| 94 | int major, unsigned long a0, unsigned long a1, |
| 95 | unsigned long a2, unsigned long a3); |
| 96 | extern void __audit_syscall_exit(int ret_success, long ret_value); |
| 97 | extern struct filename *__audit_reusename(const __user char *uptr); |
| 98 | extern void __audit_getname(struct filename *name); |
| 99 | extern void audit_putname(struct filename *name); |
| 100 | extern void __audit_inode(struct filename *name, const struct dentry *dentry, |
| 101 | unsigned int parent); |
| 102 | extern void __audit_inode_child(const struct inode *parent, |
| 103 | const struct dentry *dentry, |
| 104 | const unsigned char type); |
| 105 | extern void __audit_seccomp(unsigned long syscall, long signr, int code); |
| 106 | extern void __audit_ptrace(struct task_struct *t); |
| 107 | |
| 108 | static inline int audit_dummy_context(void) |
| 109 | { |
| 110 | void *p = current->audit_context; |
| 111 | return !p || *(int *)p; |
| 112 | } |
| 113 | static inline void audit_free(struct task_struct *task) |
| 114 | { |
| 115 | if (unlikely(task->audit_context)) |
| 116 | __audit_free(task); |
| 117 | } |
| 118 | static inline void audit_syscall_entry(int arch, int major, unsigned long a0, |
| 119 | unsigned long a1, unsigned long a2, |
| 120 | unsigned long a3) |
| 121 | { |
| 122 | if (unlikely(!audit_dummy_context())) |
| 123 | __audit_syscall_entry(arch, major, a0, a1, a2, a3); |
| 124 | } |
| 125 | static inline void audit_syscall_exit(void *pt_regs) |
| 126 | { |
| 127 | if (unlikely(current->audit_context)) { |
| 128 | int success = is_syscall_success(pt_regs); |
| 129 | int return_code = regs_return_value(pt_regs); |
| 130 | |
| 131 | __audit_syscall_exit(success, return_code); |
| 132 | } |
| 133 | } |
| 134 | static inline struct filename *audit_reusename(const __user char *name) |
| 135 | { |
| 136 | if (unlikely(!audit_dummy_context())) |
| 137 | return __audit_reusename(name); |
| 138 | return NULL; |
| 139 | } |
| 140 | static inline void audit_getname(struct filename *name) |
| 141 | { |
| 142 | if (unlikely(!audit_dummy_context())) |
| 143 | __audit_getname(name); |
| 144 | } |
| 145 | static inline void audit_inode(struct filename *name, const struct dentry *dentry, |
| 146 | unsigned int parent) { |
| 147 | if (unlikely(!audit_dummy_context())) |
| 148 | __audit_inode(name, dentry, parent); |
| 149 | } |
| 150 | static inline void audit_inode_child(const struct inode *parent, |
| 151 | const struct dentry *dentry, |
| 152 | const unsigned char type) { |
| 153 | if (unlikely(!audit_dummy_context())) |
| 154 | __audit_inode_child(parent, dentry, type); |
| 155 | } |
| 156 | void audit_core_dumps(long signr); |
| 157 | |
| 158 | static inline void audit_seccomp(unsigned long syscall, long signr, int code) |
| 159 | { |
| 160 | if (unlikely(!audit_dummy_context())) |
| 161 | __audit_seccomp(syscall, signr, code); |
| 162 | } |
| 163 | |
| 164 | static inline void audit_ptrace(struct task_struct *t) |
| 165 | { |
| 166 | if (unlikely(!audit_dummy_context())) |
| 167 | __audit_ptrace(t); |
| 168 | } |
| 169 | |
| 170 | /* Private API (for audit.c only) */ |
| 171 | extern unsigned int audit_serial(void); |
| 172 | extern int auditsc_get_stamp(struct audit_context *ctx, |
| 173 | struct timespec *t, unsigned int *serial); |
| 174 | extern int audit_set_loginuid(kuid_t loginuid); |
| 175 | |
| 176 | static inline kuid_t audit_get_loginuid(struct task_struct *tsk) |
| 177 | { |
| 178 | return tsk->loginuid; |
| 179 | } |
| 180 | |
| 181 | static inline int audit_get_sessionid(struct task_struct *tsk) |
| 182 | { |
| 183 | return tsk->sessionid; |
| 184 | } |
| 185 | |
| 186 | extern void audit_log_task_context(struct audit_buffer *ab); |
| 187 | extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk); |
| 188 | extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); |
| 189 | extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); |
| 190 | extern int __audit_bprm(struct linux_binprm *bprm); |
| 191 | extern void __audit_socketcall(int nargs, unsigned long *args); |
| 192 | extern int __audit_sockaddr(int len, void *addr); |
| 193 | extern void __audit_fd_pair(int fd1, int fd2); |
| 194 | extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); |
| 195 | extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); |
| 196 | extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); |
| 197 | extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); |
| 198 | extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, |
| 199 | const struct cred *new, |
| 200 | const struct cred *old); |
| 201 | extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); |
| 202 | extern void __audit_mmap_fd(int fd, int flags); |
| 203 | |
| 204 | static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) |
| 205 | { |
| 206 | if (unlikely(!audit_dummy_context())) |
| 207 | __audit_ipc_obj(ipcp); |
| 208 | } |
| 209 | static inline void audit_fd_pair(int fd1, int fd2) |
| 210 | { |
| 211 | if (unlikely(!audit_dummy_context())) |
| 212 | __audit_fd_pair(fd1, fd2); |
| 213 | } |
| 214 | static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) |
| 215 | { |
| 216 | if (unlikely(!audit_dummy_context())) |
| 217 | __audit_ipc_set_perm(qbytes, uid, gid, mode); |
| 218 | } |
| 219 | static inline int audit_bprm(struct linux_binprm *bprm) |
| 220 | { |
| 221 | if (unlikely(!audit_dummy_context())) |
| 222 | return __audit_bprm(bprm); |
| 223 | return 0; |
| 224 | } |
| 225 | static inline void audit_socketcall(int nargs, unsigned long *args) |
| 226 | { |
| 227 | if (unlikely(!audit_dummy_context())) |
| 228 | __audit_socketcall(nargs, args); |
| 229 | } |
| 230 | static inline int audit_sockaddr(int len, void *addr) |
| 231 | { |
| 232 | if (unlikely(!audit_dummy_context())) |
| 233 | return __audit_sockaddr(len, addr); |
| 234 | return 0; |
| 235 | } |
| 236 | static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) |
| 237 | { |
| 238 | if (unlikely(!audit_dummy_context())) |
| 239 | __audit_mq_open(oflag, mode, attr); |
| 240 | } |
| 241 | static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) |
| 242 | { |
| 243 | if (unlikely(!audit_dummy_context())) |
| 244 | __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); |
| 245 | } |
| 246 | static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) |
| 247 | { |
| 248 | if (unlikely(!audit_dummy_context())) |
| 249 | __audit_mq_notify(mqdes, notification); |
| 250 | } |
| 251 | static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) |
| 252 | { |
| 253 | if (unlikely(!audit_dummy_context())) |
| 254 | __audit_mq_getsetattr(mqdes, mqstat); |
| 255 | } |
| 256 | |
| 257 | static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, |
| 258 | const struct cred *new, |
| 259 | const struct cred *old) |
| 260 | { |
| 261 | if (unlikely(!audit_dummy_context())) |
| 262 | return __audit_log_bprm_fcaps(bprm, new, old); |
| 263 | return 0; |
| 264 | } |
| 265 | |
| 266 | static inline void audit_log_capset(pid_t pid, const struct cred *new, |
| 267 | const struct cred *old) |
| 268 | { |
| 269 | if (unlikely(!audit_dummy_context())) |
| 270 | __audit_log_capset(pid, new, old); |
| 271 | } |
| 272 | |
| 273 | static inline void audit_mmap_fd(int fd, int flags) |
| 274 | { |
| 275 | if (unlikely(!audit_dummy_context())) |
| 276 | __audit_mmap_fd(fd, flags); |
| 277 | } |
| 278 | |
| 279 | extern int audit_n_rules; |
| 280 | extern int audit_signals; |
| 281 | #else /* CONFIG_AUDITSYSCALL */ |
| 282 | static inline int audit_alloc(struct task_struct *task) |
| 283 | { |
| 284 | return 0; |
| 285 | } |
| 286 | static inline void audit_free(struct task_struct *task) |
| 287 | { } |
| 288 | static inline void audit_syscall_entry(int arch, int major, unsigned long a0, |
| 289 | unsigned long a1, unsigned long a2, |
| 290 | unsigned long a3) |
| 291 | { } |
| 292 | static inline void audit_syscall_exit(void *pt_regs) |
| 293 | { } |
| 294 | static inline int audit_dummy_context(void) |
| 295 | { |
| 296 | return 1; |
| 297 | } |
| 298 | static inline struct filename *audit_reusename(const __user char *name) |
| 299 | { |
| 300 | return NULL; |
| 301 | } |
| 302 | static inline void audit_getname(struct filename *name) |
| 303 | { } |
| 304 | static inline void audit_putname(struct filename *name) |
| 305 | { } |
| 306 | static inline void __audit_inode(struct filename *name, |
| 307 | const struct dentry *dentry, |
| 308 | unsigned int parent) |
| 309 | { } |
| 310 | static inline void __audit_inode_child(const struct inode *parent, |
| 311 | const struct dentry *dentry, |
| 312 | const unsigned char type) |
| 313 | { } |
| 314 | static inline void audit_inode(struct filename *name, |
| 315 | const struct dentry *dentry, |
| 316 | unsigned int parent) |
| 317 | { } |
| 318 | static inline void audit_inode_child(const struct inode *parent, |
| 319 | const struct dentry *dentry, |
| 320 | const unsigned char type) |
| 321 | { } |
| 322 | static inline void audit_core_dumps(long signr) |
| 323 | { } |
| 324 | static inline void __audit_seccomp(unsigned long syscall, long signr, int code) |
| 325 | { } |
| 326 | static inline void audit_seccomp(unsigned long syscall, long signr, int code) |
| 327 | { } |
| 328 | static inline int auditsc_get_stamp(struct audit_context *ctx, |
| 329 | struct timespec *t, unsigned int *serial) |
| 330 | { |
| 331 | return 0; |
| 332 | } |
| 333 | static inline kuid_t audit_get_loginuid(struct task_struct *tsk) |
| 334 | { |
| 335 | return INVALID_UID; |
| 336 | } |
| 337 | static inline int audit_get_sessionid(struct task_struct *tsk) |
| 338 | { |
| 339 | return -1; |
| 340 | } |
| 341 | static inline void audit_log_task_context(struct audit_buffer *ab) |
| 342 | { } |
| 343 | static inline void audit_log_task_info(struct audit_buffer *ab, |
| 344 | struct task_struct *tsk) |
| 345 | { } |
| 346 | static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) |
| 347 | { } |
| 348 | static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, |
| 349 | gid_t gid, umode_t mode) |
| 350 | { } |
| 351 | static inline int audit_bprm(struct linux_binprm *bprm) |
| 352 | { |
| 353 | return 0; |
| 354 | } |
| 355 | static inline void audit_socketcall(int nargs, unsigned long *args) |
| 356 | { } |
| 357 | static inline void audit_fd_pair(int fd1, int fd2) |
| 358 | { } |
| 359 | static inline int audit_sockaddr(int len, void *addr) |
| 360 | { |
| 361 | return 0; |
| 362 | } |
| 363 | static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) |
| 364 | { } |
| 365 | static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, |
| 366 | unsigned int msg_prio, |
| 367 | const struct timespec *abs_timeout) |
| 368 | { } |
| 369 | static inline void audit_mq_notify(mqd_t mqdes, |
| 370 | const struct sigevent *notification) |
| 371 | { } |
| 372 | static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) |
| 373 | { } |
| 374 | static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, |
| 375 | const struct cred *new, |
| 376 | const struct cred *old) |
| 377 | { |
| 378 | return 0; |
| 379 | } |
| 380 | static inline void audit_log_capset(pid_t pid, const struct cred *new, |
| 381 | const struct cred *old) |
| 382 | { } |
| 383 | static inline void audit_mmap_fd(int fd, int flags) |
| 384 | { } |
| 385 | static inline void audit_ptrace(struct task_struct *t) |
| 386 | { } |
| 387 | #define audit_n_rules 0 |
| 388 | #define audit_signals 0 |
| 389 | #endif /* CONFIG_AUDITSYSCALL */ |
| 390 | |
| 391 | #ifdef CONFIG_AUDIT |
| 392 | /* These are defined in audit.c */ |
| 393 | /* Public API */ |
| 394 | extern __printf(4, 5) |
| 395 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, |
| 396 | const char *fmt, ...); |
| 397 | |
| 398 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); |
| 399 | extern __printf(2, 3) |
| 400 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); |
| 401 | extern void audit_log_end(struct audit_buffer *ab); |
| 402 | extern int audit_string_contains_control(const char *string, |
| 403 | size_t len); |
| 404 | extern void audit_log_n_hex(struct audit_buffer *ab, |
| 405 | const unsigned char *buf, |
| 406 | size_t len); |
| 407 | extern void audit_log_n_string(struct audit_buffer *ab, |
| 408 | const char *buf, |
| 409 | size_t n); |
| 410 | extern void audit_log_n_untrustedstring(struct audit_buffer *ab, |
| 411 | const char *string, |
| 412 | size_t n); |
| 413 | extern void audit_log_untrustedstring(struct audit_buffer *ab, |
| 414 | const char *string); |
| 415 | extern void audit_log_d_path(struct audit_buffer *ab, |
| 416 | const char *prefix, |
| 417 | const struct path *path); |
| 418 | extern void audit_log_key(struct audit_buffer *ab, |
| 419 | char *key); |
| 420 | extern void audit_log_link_denied(const char *operation, |
| 421 | struct path *link); |
| 422 | extern void audit_log_lost(const char *message); |
| 423 | #ifdef CONFIG_SECURITY |
| 424 | extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); |
| 425 | #else |
| 426 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) |
| 427 | { } |
| 428 | #endif |
| 429 | |
| 430 | extern int audit_update_lsm_rules(void); |
| 431 | |
| 432 | /* Private API (for audit.c only) */ |
| 433 | extern int audit_filter_user(void); |
| 434 | extern int audit_filter_type(int type); |
| 435 | extern int audit_receive_filter(int type, int pid, int seq, |
| 436 | void *data, size_t datasz, kuid_t loginuid, |
| 437 | u32 sessionid, u32 sid); |
| 438 | extern int audit_enabled; |
| 439 | #else /* CONFIG_AUDIT */ |
| 440 | static inline __printf(4, 5) |
| 441 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, |
| 442 | const char *fmt, ...) |
| 443 | { } |
| 444 | static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, |
| 445 | gfp_t gfp_mask, int type) |
| 446 | { |
| 447 | return NULL; |
| 448 | } |
| 449 | static inline __printf(2, 3) |
| 450 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) |
| 451 | { } |
| 452 | static inline void audit_log_end(struct audit_buffer *ab) |
| 453 | { } |
| 454 | static inline void audit_log_n_hex(struct audit_buffer *ab, |
| 455 | const unsigned char *buf, size_t len) |
| 456 | { } |
| 457 | static inline void audit_log_n_string(struct audit_buffer *ab, |
| 458 | const char *buf, size_t n) |
| 459 | { } |
| 460 | static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, |
| 461 | const char *string, size_t n) |
| 462 | { } |
| 463 | static inline void audit_log_untrustedstring(struct audit_buffer *ab, |
| 464 | const char *string) |
| 465 | { } |
| 466 | static inline void audit_log_d_path(struct audit_buffer *ab, |
| 467 | const char *prefix, |
| 468 | const struct path *path) |
| 469 | { } |
| 470 | static inline void audit_log_key(struct audit_buffer *ab, char *key) |
| 471 | { } |
| 472 | static inline void audit_log_link_denied(const char *string, |
| 473 | const struct path *link) |
| 474 | { } |
| 475 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) |
| 476 | { } |
| 477 | #define audit_enabled 0 |
| 478 | #endif /* CONFIG_AUDIT */ |
| 479 | static inline void audit_log_string(struct audit_buffer *ab, const char *buf) |
| 480 | { |
| 481 | audit_log_n_string(ab, buf, strlen(buf)); |
| 482 | } |
| 483 | |
| 484 | #endif |