]>
Commit | Line | Data |
---|---|---|
1 | /* audit.h -- Auditing support | |
2 | * | |
3 | * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. | |
4 | * All Rights Reserved. | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License as published by | |
8 | * the Free Software Foundation; either version 2 of the License, or | |
9 | * (at your option) any later version. | |
10 | * | |
11 | * This program is distributed in the hope that it will be useful, | |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 | * GNU General Public License for more details. | |
15 | * | |
16 | * You should have received a copy of the GNU General Public License | |
17 | * along with this program; if not, write to the Free Software | |
18 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
19 | * | |
20 | * Written by Rickard E. (Rik) Faith <faith@redhat.com> | |
21 | * | |
22 | */ | |
23 | #ifndef _LINUX_AUDIT_H_ | |
24 | #define _LINUX_AUDIT_H_ | |
25 | ||
26 | #include <linux/sched.h> | |
27 | #include <linux/ptrace.h> | |
28 | #include <uapi/linux/audit.h> | |
29 | ||
30 | struct audit_sig_info { | |
31 | uid_t uid; | |
32 | pid_t pid; | |
33 | char ctx[0]; | |
34 | }; | |
35 | ||
36 | struct audit_buffer; | |
37 | struct audit_context; | |
38 | struct inode; | |
39 | struct netlink_skb_parms; | |
40 | struct path; | |
41 | struct linux_binprm; | |
42 | struct mq_attr; | |
43 | struct mqstat; | |
44 | struct audit_watch; | |
45 | struct audit_tree; | |
46 | struct sk_buff; | |
47 | ||
48 | struct audit_krule { | |
49 | int vers_ops; | |
50 | u32 flags; | |
51 | u32 listnr; | |
52 | u32 action; | |
53 | u32 mask[AUDIT_BITMASK_SIZE]; | |
54 | u32 buflen; /* for data alloc on list rules */ | |
55 | u32 field_count; | |
56 | char *filterkey; /* ties events to rules */ | |
57 | struct audit_field *fields; | |
58 | struct audit_field *arch_f; /* quick access to arch field */ | |
59 | struct audit_field *inode_f; /* quick access to an inode field */ | |
60 | struct audit_watch *watch; /* associated watch */ | |
61 | struct audit_tree *tree; /* associated watched tree */ | |
62 | struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ | |
63 | struct list_head list; /* for AUDIT_LIST* purposes only */ | |
64 | u64 prio; | |
65 | }; | |
66 | ||
67 | struct audit_field { | |
68 | u32 type; | |
69 | u32 val; | |
70 | kuid_t uid; | |
71 | kgid_t gid; | |
72 | u32 op; | |
73 | char *lsm_str; | |
74 | void *lsm_rule; | |
75 | }; | |
76 | ||
77 | extern int is_audit_feature_set(int which); | |
78 | ||
79 | extern int __init audit_register_class(int class, unsigned *list); | |
80 | extern int audit_classify_syscall(int abi, unsigned syscall); | |
81 | extern int audit_classify_arch(int arch); | |
82 | /* only for compat system calls */ | |
83 | extern unsigned compat_write_class[]; | |
84 | extern unsigned compat_read_class[]; | |
85 | extern unsigned compat_dir_class[]; | |
86 | extern unsigned compat_chattr_class[]; | |
87 | extern unsigned compat_signal_class[]; | |
88 | ||
89 | extern int __weak audit_classify_compat_syscall(int abi, unsigned syscall); | |
90 | ||
91 | /* audit_names->type values */ | |
92 | #define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ | |
93 | #define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ | |
94 | #define AUDIT_TYPE_PARENT 2 /* a parent audit record */ | |
95 | #define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ | |
96 | #define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ | |
97 | ||
98 | /* maximized args number that audit_socketcall can process */ | |
99 | #define AUDITSC_ARGS 6 | |
100 | ||
101 | struct filename; | |
102 | ||
103 | extern void audit_log_session_info(struct audit_buffer *ab); | |
104 | ||
105 | #ifdef CONFIG_AUDIT_COMPAT_GENERIC | |
106 | #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) | |
107 | #else | |
108 | #define audit_is_compat(arch) false | |
109 | #endif | |
110 | ||
111 | #ifdef CONFIG_AUDITSYSCALL | |
112 | #include <asm/syscall.h> /* for syscall_get_arch() */ | |
113 | ||
114 | /* These are defined in auditsc.c */ | |
115 | /* Public API */ | |
116 | extern int audit_alloc(struct task_struct *task); | |
117 | extern void __audit_free(struct task_struct *task); | |
118 | extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, | |
119 | unsigned long a2, unsigned long a3); | |
120 | extern void __audit_syscall_exit(int ret_success, long ret_value); | |
121 | extern struct filename *__audit_reusename(const __user char *uptr); | |
122 | extern void __audit_getname(struct filename *name); | |
123 | extern void audit_putname(struct filename *name); | |
124 | ||
125 | #define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ | |
126 | #define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ | |
127 | extern void __audit_inode(struct filename *name, const struct dentry *dentry, | |
128 | unsigned int flags); | |
129 | extern void __audit_inode_child(const struct inode *parent, | |
130 | const struct dentry *dentry, | |
131 | const unsigned char type); | |
132 | extern void __audit_seccomp(unsigned long syscall, long signr, int code); | |
133 | extern void __audit_ptrace(struct task_struct *t); | |
134 | ||
135 | static inline int audit_dummy_context(void) | |
136 | { | |
137 | void *p = current->audit_context; | |
138 | return !p || *(int *)p; | |
139 | } | |
140 | static inline void audit_free(struct task_struct *task) | |
141 | { | |
142 | if (unlikely(task->audit_context)) | |
143 | __audit_free(task); | |
144 | } | |
145 | static inline void audit_syscall_entry(int major, unsigned long a0, | |
146 | unsigned long a1, unsigned long a2, | |
147 | unsigned long a3) | |
148 | { | |
149 | if (unlikely(current->audit_context)) | |
150 | __audit_syscall_entry(major, a0, a1, a2, a3); | |
151 | } | |
152 | static inline void audit_syscall_exit(void *pt_regs) | |
153 | { | |
154 | if (unlikely(current->audit_context)) { | |
155 | int success = is_syscall_success(pt_regs); | |
156 | long return_code = regs_return_value(pt_regs); | |
157 | ||
158 | __audit_syscall_exit(success, return_code); | |
159 | } | |
160 | } | |
161 | static inline struct filename *audit_reusename(const __user char *name) | |
162 | { | |
163 | if (unlikely(!audit_dummy_context())) | |
164 | return __audit_reusename(name); | |
165 | return NULL; | |
166 | } | |
167 | static inline void audit_getname(struct filename *name) | |
168 | { | |
169 | if (unlikely(!audit_dummy_context())) | |
170 | __audit_getname(name); | |
171 | } | |
172 | static inline void audit_inode(struct filename *name, | |
173 | const struct dentry *dentry, | |
174 | unsigned int parent) { | |
175 | if (unlikely(!audit_dummy_context())) { | |
176 | unsigned int flags = 0; | |
177 | if (parent) | |
178 | flags |= AUDIT_INODE_PARENT; | |
179 | __audit_inode(name, dentry, flags); | |
180 | } | |
181 | } | |
182 | static inline void audit_inode_parent_hidden(struct filename *name, | |
183 | const struct dentry *dentry) | |
184 | { | |
185 | if (unlikely(!audit_dummy_context())) | |
186 | __audit_inode(name, dentry, | |
187 | AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); | |
188 | } | |
189 | static inline void audit_inode_child(const struct inode *parent, | |
190 | const struct dentry *dentry, | |
191 | const unsigned char type) { | |
192 | if (unlikely(!audit_dummy_context())) | |
193 | __audit_inode_child(parent, dentry, type); | |
194 | } | |
195 | void audit_core_dumps(long signr); | |
196 | ||
197 | static inline void audit_seccomp(unsigned long syscall, long signr, int code) | |
198 | { | |
199 | /* Force a record to be reported if a signal was delivered. */ | |
200 | if (signr || unlikely(!audit_dummy_context())) | |
201 | __audit_seccomp(syscall, signr, code); | |
202 | } | |
203 | ||
204 | static inline void audit_ptrace(struct task_struct *t) | |
205 | { | |
206 | if (unlikely(!audit_dummy_context())) | |
207 | __audit_ptrace(t); | |
208 | } | |
209 | ||
210 | /* Private API (for audit.c only) */ | |
211 | extern unsigned int audit_serial(void); | |
212 | extern int auditsc_get_stamp(struct audit_context *ctx, | |
213 | struct timespec *t, unsigned int *serial); | |
214 | extern int audit_set_loginuid(kuid_t loginuid); | |
215 | ||
216 | static inline kuid_t audit_get_loginuid(struct task_struct *tsk) | |
217 | { | |
218 | return tsk->loginuid; | |
219 | } | |
220 | ||
221 | static inline unsigned int audit_get_sessionid(struct task_struct *tsk) | |
222 | { | |
223 | return tsk->sessionid; | |
224 | } | |
225 | ||
226 | extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); | |
227 | extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); | |
228 | extern void __audit_bprm(struct linux_binprm *bprm); | |
229 | extern int __audit_socketcall(int nargs, unsigned long *args); | |
230 | extern int __audit_sockaddr(int len, void *addr); | |
231 | extern void __audit_fd_pair(int fd1, int fd2); | |
232 | extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); | |
233 | extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout); | |
234 | extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); | |
235 | extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); | |
236 | extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, | |
237 | const struct cred *new, | |
238 | const struct cred *old); | |
239 | extern void __audit_log_capset(const struct cred *new, const struct cred *old); | |
240 | extern void __audit_mmap_fd(int fd, int flags); | |
241 | ||
242 | static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) | |
243 | { | |
244 | if (unlikely(!audit_dummy_context())) | |
245 | __audit_ipc_obj(ipcp); | |
246 | } | |
247 | static inline void audit_fd_pair(int fd1, int fd2) | |
248 | { | |
249 | if (unlikely(!audit_dummy_context())) | |
250 | __audit_fd_pair(fd1, fd2); | |
251 | } | |
252 | static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) | |
253 | { | |
254 | if (unlikely(!audit_dummy_context())) | |
255 | __audit_ipc_set_perm(qbytes, uid, gid, mode); | |
256 | } | |
257 | static inline void audit_bprm(struct linux_binprm *bprm) | |
258 | { | |
259 | if (unlikely(!audit_dummy_context())) | |
260 | __audit_bprm(bprm); | |
261 | } | |
262 | static inline int audit_socketcall(int nargs, unsigned long *args) | |
263 | { | |
264 | if (unlikely(!audit_dummy_context())) | |
265 | return __audit_socketcall(nargs, args); | |
266 | return 0; | |
267 | } | |
268 | static inline int audit_sockaddr(int len, void *addr) | |
269 | { | |
270 | if (unlikely(!audit_dummy_context())) | |
271 | return __audit_sockaddr(len, addr); | |
272 | return 0; | |
273 | } | |
274 | static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) | |
275 | { | |
276 | if (unlikely(!audit_dummy_context())) | |
277 | __audit_mq_open(oflag, mode, attr); | |
278 | } | |
279 | static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout) | |
280 | { | |
281 | if (unlikely(!audit_dummy_context())) | |
282 | __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); | |
283 | } | |
284 | static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) | |
285 | { | |
286 | if (unlikely(!audit_dummy_context())) | |
287 | __audit_mq_notify(mqdes, notification); | |
288 | } | |
289 | static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) | |
290 | { | |
291 | if (unlikely(!audit_dummy_context())) | |
292 | __audit_mq_getsetattr(mqdes, mqstat); | |
293 | } | |
294 | ||
295 | static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, | |
296 | const struct cred *new, | |
297 | const struct cred *old) | |
298 | { | |
299 | if (unlikely(!audit_dummy_context())) | |
300 | return __audit_log_bprm_fcaps(bprm, new, old); | |
301 | return 0; | |
302 | } | |
303 | ||
304 | static inline void audit_log_capset(const struct cred *new, | |
305 | const struct cred *old) | |
306 | { | |
307 | if (unlikely(!audit_dummy_context())) | |
308 | __audit_log_capset(new, old); | |
309 | } | |
310 | ||
311 | static inline void audit_mmap_fd(int fd, int flags) | |
312 | { | |
313 | if (unlikely(!audit_dummy_context())) | |
314 | __audit_mmap_fd(fd, flags); | |
315 | } | |
316 | ||
317 | extern int audit_n_rules; | |
318 | extern int audit_signals; | |
319 | #else /* CONFIG_AUDITSYSCALL */ | |
320 | static inline int audit_alloc(struct task_struct *task) | |
321 | { | |
322 | return 0; | |
323 | } | |
324 | static inline void audit_free(struct task_struct *task) | |
325 | { } | |
326 | static inline void audit_syscall_entry(int major, unsigned long a0, | |
327 | unsigned long a1, unsigned long a2, | |
328 | unsigned long a3) | |
329 | { } | |
330 | static inline void audit_syscall_exit(void *pt_regs) | |
331 | { } | |
332 | static inline int audit_dummy_context(void) | |
333 | { | |
334 | return 1; | |
335 | } | |
336 | static inline struct filename *audit_reusename(const __user char *name) | |
337 | { | |
338 | return NULL; | |
339 | } | |
340 | static inline void audit_getname(struct filename *name) | |
341 | { } | |
342 | static inline void audit_putname(struct filename *name) | |
343 | { } | |
344 | static inline void __audit_inode(struct filename *name, | |
345 | const struct dentry *dentry, | |
346 | unsigned int flags) | |
347 | { } | |
348 | static inline void __audit_inode_child(const struct inode *parent, | |
349 | const struct dentry *dentry, | |
350 | const unsigned char type) | |
351 | { } | |
352 | static inline void audit_inode(struct filename *name, | |
353 | const struct dentry *dentry, | |
354 | unsigned int parent) | |
355 | { } | |
356 | static inline void audit_inode_parent_hidden(struct filename *name, | |
357 | const struct dentry *dentry) | |
358 | { } | |
359 | static inline void audit_inode_child(const struct inode *parent, | |
360 | const struct dentry *dentry, | |
361 | const unsigned char type) | |
362 | { } | |
363 | static inline void audit_core_dumps(long signr) | |
364 | { } | |
365 | static inline void __audit_seccomp(unsigned long syscall, long signr, int code) | |
366 | { } | |
367 | static inline void audit_seccomp(unsigned long syscall, long signr, int code) | |
368 | { } | |
369 | static inline int auditsc_get_stamp(struct audit_context *ctx, | |
370 | struct timespec *t, unsigned int *serial) | |
371 | { | |
372 | return 0; | |
373 | } | |
374 | static inline kuid_t audit_get_loginuid(struct task_struct *tsk) | |
375 | { | |
376 | return INVALID_UID; | |
377 | } | |
378 | static inline unsigned int audit_get_sessionid(struct task_struct *tsk) | |
379 | { | |
380 | return -1; | |
381 | } | |
382 | static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) | |
383 | { } | |
384 | static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, | |
385 | gid_t gid, umode_t mode) | |
386 | { } | |
387 | static inline void audit_bprm(struct linux_binprm *bprm) | |
388 | { } | |
389 | static inline int audit_socketcall(int nargs, unsigned long *args) | |
390 | { | |
391 | return 0; | |
392 | } | |
393 | static inline void audit_fd_pair(int fd1, int fd2) | |
394 | { } | |
395 | static inline int audit_sockaddr(int len, void *addr) | |
396 | { | |
397 | return 0; | |
398 | } | |
399 | static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) | |
400 | { } | |
401 | static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, | |
402 | unsigned int msg_prio, | |
403 | const struct timespec *abs_timeout) | |
404 | { } | |
405 | static inline void audit_mq_notify(mqd_t mqdes, | |
406 | const struct sigevent *notification) | |
407 | { } | |
408 | static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) | |
409 | { } | |
410 | static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, | |
411 | const struct cred *new, | |
412 | const struct cred *old) | |
413 | { | |
414 | return 0; | |
415 | } | |
416 | static inline void audit_log_capset(const struct cred *new, | |
417 | const struct cred *old) | |
418 | { } | |
419 | static inline void audit_mmap_fd(int fd, int flags) | |
420 | { } | |
421 | static inline void audit_ptrace(struct task_struct *t) | |
422 | { } | |
423 | #define audit_n_rules 0 | |
424 | #define audit_signals 0 | |
425 | #endif /* CONFIG_AUDITSYSCALL */ | |
426 | ||
427 | static inline bool audit_loginuid_set(struct task_struct *tsk) | |
428 | { | |
429 | return uid_valid(audit_get_loginuid(tsk)); | |
430 | } | |
431 | ||
432 | #ifdef CONFIG_AUDIT | |
433 | /* These are defined in audit.c */ | |
434 | /* Public API */ | |
435 | extern __printf(4, 5) | |
436 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, | |
437 | const char *fmt, ...); | |
438 | ||
439 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); | |
440 | extern __printf(2, 3) | |
441 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); | |
442 | extern void audit_log_end(struct audit_buffer *ab); | |
443 | extern int audit_string_contains_control(const char *string, | |
444 | size_t len); | |
445 | extern void audit_log_n_hex(struct audit_buffer *ab, | |
446 | const unsigned char *buf, | |
447 | size_t len); | |
448 | extern void audit_log_n_string(struct audit_buffer *ab, | |
449 | const char *buf, | |
450 | size_t n); | |
451 | extern void audit_log_n_untrustedstring(struct audit_buffer *ab, | |
452 | const char *string, | |
453 | size_t n); | |
454 | extern void audit_log_untrustedstring(struct audit_buffer *ab, | |
455 | const char *string); | |
456 | extern void audit_log_d_path(struct audit_buffer *ab, | |
457 | const char *prefix, | |
458 | const struct path *path); | |
459 | extern void audit_log_key(struct audit_buffer *ab, | |
460 | char *key); | |
461 | extern void audit_log_link_denied(const char *operation, | |
462 | struct path *link); | |
463 | extern void audit_log_lost(const char *message); | |
464 | #ifdef CONFIG_SECURITY | |
465 | extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); | |
466 | #else | |
467 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) | |
468 | { } | |
469 | #endif | |
470 | ||
471 | extern int audit_log_task_context(struct audit_buffer *ab); | |
472 | extern void audit_log_task_info(struct audit_buffer *ab, | |
473 | struct task_struct *tsk); | |
474 | ||
475 | extern int audit_update_lsm_rules(void); | |
476 | ||
477 | /* Private API (for audit.c only) */ | |
478 | extern int audit_filter_user(int type); | |
479 | extern int audit_filter_type(int type); | |
480 | extern int audit_rule_change(int type, __u32 portid, int seq, | |
481 | void *data, size_t datasz); | |
482 | extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); | |
483 | ||
484 | extern u32 audit_enabled; | |
485 | #else /* CONFIG_AUDIT */ | |
486 | static inline __printf(4, 5) | |
487 | void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, | |
488 | const char *fmt, ...) | |
489 | { } | |
490 | static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, | |
491 | gfp_t gfp_mask, int type) | |
492 | { | |
493 | return NULL; | |
494 | } | |
495 | static inline __printf(2, 3) | |
496 | void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) | |
497 | { } | |
498 | static inline void audit_log_end(struct audit_buffer *ab) | |
499 | { } | |
500 | static inline void audit_log_n_hex(struct audit_buffer *ab, | |
501 | const unsigned char *buf, size_t len) | |
502 | { } | |
503 | static inline void audit_log_n_string(struct audit_buffer *ab, | |
504 | const char *buf, size_t n) | |
505 | { } | |
506 | static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, | |
507 | const char *string, size_t n) | |
508 | { } | |
509 | static inline void audit_log_untrustedstring(struct audit_buffer *ab, | |
510 | const char *string) | |
511 | { } | |
512 | static inline void audit_log_d_path(struct audit_buffer *ab, | |
513 | const char *prefix, | |
514 | const struct path *path) | |
515 | { } | |
516 | static inline void audit_log_key(struct audit_buffer *ab, char *key) | |
517 | { } | |
518 | static inline void audit_log_link_denied(const char *string, | |
519 | const struct path *link) | |
520 | { } | |
521 | static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) | |
522 | { } | |
523 | static inline int audit_log_task_context(struct audit_buffer *ab) | |
524 | { | |
525 | return 0; | |
526 | } | |
527 | static inline void audit_log_task_info(struct audit_buffer *ab, | |
528 | struct task_struct *tsk) | |
529 | { } | |
530 | #define audit_enabled 0 | |
531 | #endif /* CONFIG_AUDIT */ | |
532 | static inline void audit_log_string(struct audit_buffer *ab, const char *buf) | |
533 | { | |
534 | audit_log_n_string(ab, buf, strlen(buf)); | |
535 | } | |
536 | ||
537 | #endif |