1 /* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23 #ifndef _LINUX_AUDIT_H_ 24 #define _LINUX_AUDIT_H_ 25 26 #include <linux/sched.h> 27 #include <linux/ptrace.h> 28 #include <uapi/linux/audit.h> 29 30 #define AUDIT_INO_UNSET ((unsigned long)-1) 31 #define AUDIT_DEV_UNSET ((dev_t)-1) 32 33 struct audit_sig_info { 34 uid_t uid; 35 pid_t pid; 36 char ctx[0]; 37 }; 38 39 struct audit_buffer; 40 struct audit_context; 41 struct inode; 42 struct netlink_skb_parms; 43 struct path; 44 struct linux_binprm; 45 struct mq_attr; 46 struct mqstat; 47 struct audit_watch; 48 struct audit_tree; 49 struct sk_buff; 50 51 struct audit_krule { 52 u32 pflags; 53 u32 flags; 54 u32 listnr; 55 u32 action; 56 u32 mask[AUDIT_BITMASK_SIZE]; 57 u32 buflen; /* for data alloc on list rules */ 58 u32 field_count; 59 char *filterkey; /* ties events to rules */ 60 struct audit_field *fields; 61 struct audit_field *arch_f; /* quick access to arch field */ 62 struct audit_field *inode_f; /* quick access to an inode field */ 63 struct audit_watch *watch; /* associated watch */ 64 struct audit_tree *tree; /* associated watched tree */ 65 struct audit_fsnotify_mark *exe; 66 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 67 struct list_head list; /* for AUDIT_LIST* purposes only */ 68 u64 prio; 69 }; 70 71 /* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 72 #define AUDIT_LOGINUID_LEGACY 0x1 73 74 struct audit_field { 75 u32 type; 76 union { 77 u32 val; 78 kuid_t uid; 79 kgid_t gid; 80 struct { 81 char *lsm_str; 82 void *lsm_rule; 83 }; 84 }; 85 u32 op; 86 }; 87 88 extern int is_audit_feature_set(int which); 89 90 extern int __init audit_register_class(int class, unsigned *list); 91 extern int audit_classify_syscall(int abi, unsigned syscall); 92 extern int audit_classify_arch(int arch); 93 /* only for compat system calls */ 94 extern unsigned compat_write_class[]; 95 extern unsigned compat_read_class[]; 96 extern unsigned compat_dir_class[]; 97 extern unsigned compat_chattr_class[]; 98 extern unsigned compat_signal_class[]; 99 100 extern int audit_classify_compat_syscall(int abi, unsigned syscall); 101 102 /* audit_names->type values */ 103 #define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 104 #define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 105 #define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 106 #define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 107 #define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 108 109 /* maximized args number that audit_socketcall can process */ 110 #define AUDITSC_ARGS 6 111 112 /* bit values for ->signal->audit_tty */ 113 #define AUDIT_TTY_ENABLE BIT(0) 114 #define AUDIT_TTY_LOG_PASSWD BIT(1) 115 116 struct filename; 117 118 extern void audit_log_session_info(struct audit_buffer *ab); 119 120 #ifdef CONFIG_AUDIT 121 /* These are defined in audit.c */ 122 /* Public API */ 123 extern __printf(4, 5) 124 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 125 const char *fmt, ...); 126 127 extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 128 extern __printf(2, 3) 129 void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 130 extern void audit_log_end(struct audit_buffer *ab); 131 extern bool audit_string_contains_control(const char *string, 132 size_t len); 133 extern void audit_log_n_hex(struct audit_buffer *ab, 134 const unsigned char *buf, 135 size_t len); 136 extern void audit_log_n_string(struct audit_buffer *ab, 137 const char *buf, 138 size_t n); 139 extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 140 const char *string, 141 size_t n); 142 extern void audit_log_untrustedstring(struct audit_buffer *ab, 143 const char *string); 144 extern void audit_log_d_path(struct audit_buffer *ab, 145 const char *prefix, 146 const struct path *path); 147 extern void audit_log_key(struct audit_buffer *ab, 148 char *key); 149 extern void audit_log_link_denied(const char *operation); 150 extern void audit_log_lost(const char *message); 151 152 extern int audit_log_task_context(struct audit_buffer *ab); 153 extern void audit_log_task_info(struct audit_buffer *ab, 154 struct task_struct *tsk); 155 156 extern int audit_update_lsm_rules(void); 157 158 /* Private API (for audit.c only) */ 159 extern int audit_rule_change(int type, int seq, void *data, size_t datasz); 160 extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 161 162 extern u32 audit_enabled; 163 #else /* CONFIG_AUDIT */ 164 static inline __printf(4, 5) 165 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 166 const char *fmt, ...) 167 { } 168 static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 169 gfp_t gfp_mask, int type) 170 { 171 return NULL; 172 } 173 static inline __printf(2, 3) 174 void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 175 { } 176 static inline void audit_log_end(struct audit_buffer *ab) 177 { } 178 static inline void audit_log_n_hex(struct audit_buffer *ab, 179 const unsigned char *buf, size_t len) 180 { } 181 static inline void audit_log_n_string(struct audit_buffer *ab, 182 const char *buf, size_t n) 183 { } 184 static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 185 const char *string, size_t n) 186 { } 187 static inline void audit_log_untrustedstring(struct audit_buffer *ab, 188 const char *string) 189 { } 190 static inline void audit_log_d_path(struct audit_buffer *ab, 191 const char *prefix, 192 const struct path *path) 193 { } 194 static inline void audit_log_key(struct audit_buffer *ab, char *key) 195 { } 196 static inline void audit_log_link_denied(const char *string) 197 { } 198 static inline int audit_log_task_context(struct audit_buffer *ab) 199 { 200 return 0; 201 } 202 static inline void audit_log_task_info(struct audit_buffer *ab, 203 struct task_struct *tsk) 204 { } 205 #define audit_enabled 0 206 #endif /* CONFIG_AUDIT */ 207 208 #ifdef CONFIG_AUDIT_COMPAT_GENERIC 209 #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 210 #else 211 #define audit_is_compat(arch) false 212 #endif 213 214 #ifdef CONFIG_AUDITSYSCALL 215 #include <asm/syscall.h> /* for syscall_get_arch() */ 216 217 /* These are defined in auditsc.c */ 218 /* Public API */ 219 extern int audit_alloc(struct task_struct *task); 220 extern void __audit_free(struct task_struct *task); 221 extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 222 unsigned long a2, unsigned long a3); 223 extern void __audit_syscall_exit(int ret_success, long ret_value); 224 extern struct filename *__audit_reusename(const __user char *uptr); 225 extern void __audit_getname(struct filename *name); 226 227 #define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 228 #define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 229 extern void __audit_inode(struct filename *name, const struct dentry *dentry, 230 unsigned int flags); 231 extern void __audit_file(const struct file *); 232 extern void __audit_inode_child(struct inode *parent, 233 const struct dentry *dentry, 234 const unsigned char type); 235 extern void audit_seccomp(unsigned long syscall, long signr, int code); 236 extern void audit_seccomp_actions_logged(const char *names, 237 const char *old_names, int res); 238 extern void __audit_ptrace(struct task_struct *t); 239 240 static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 241 { 242 task->audit_context = ctx; 243 } 244 245 static inline struct audit_context *audit_context(void) 246 { 247 return current->audit_context; 248 } 249 250 static inline bool audit_dummy_context(void) 251 { 252 void *p = audit_context(); 253 return !p || *(int *)p; 254 } 255 static inline void audit_free(struct task_struct *task) 256 { 257 if (unlikely(task->audit_context)) 258 __audit_free(task); 259 } 260 static inline void audit_syscall_entry(int major, unsigned long a0, 261 unsigned long a1, unsigned long a2, 262 unsigned long a3) 263 { 264 if (unlikely(audit_context())) 265 __audit_syscall_entry(major, a0, a1, a2, a3); 266 } 267 static inline void audit_syscall_exit(void *pt_regs) 268 { 269 if (unlikely(audit_context())) { 270 int success = is_syscall_success(pt_regs); 271 long return_code = regs_return_value(pt_regs); 272 273 __audit_syscall_exit(success, return_code); 274 } 275 } 276 static inline struct filename *audit_reusename(const __user char *name) 277 { 278 if (unlikely(!audit_dummy_context())) 279 return __audit_reusename(name); 280 return NULL; 281 } 282 static inline void audit_getname(struct filename *name) 283 { 284 if (unlikely(!audit_dummy_context())) 285 __audit_getname(name); 286 } 287 static inline void audit_inode(struct filename *name, 288 const struct dentry *dentry, 289 unsigned int parent) { 290 if (unlikely(!audit_dummy_context())) { 291 unsigned int flags = 0; 292 if (parent) 293 flags |= AUDIT_INODE_PARENT; 294 __audit_inode(name, dentry, flags); 295 } 296 } 297 static inline void audit_file(struct file *file) 298 { 299 if (unlikely(!audit_dummy_context())) 300 __audit_file(file); 301 } 302 static inline void audit_inode_parent_hidden(struct filename *name, 303 const struct dentry *dentry) 304 { 305 if (unlikely(!audit_dummy_context())) 306 __audit_inode(name, dentry, 307 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 308 } 309 static inline void audit_inode_child(struct inode *parent, 310 const struct dentry *dentry, 311 const unsigned char type) { 312 if (unlikely(!audit_dummy_context())) 313 __audit_inode_child(parent, dentry, type); 314 } 315 void audit_core_dumps(long signr); 316 317 static inline void audit_ptrace(struct task_struct *t) 318 { 319 if (unlikely(!audit_dummy_context())) 320 __audit_ptrace(t); 321 } 322 323 /* Private API (for audit.c only) */ 324 extern unsigned int audit_serial(void); 325 extern int auditsc_get_stamp(struct audit_context *ctx, 326 struct timespec64 *t, unsigned int *serial); 327 extern int audit_set_loginuid(kuid_t loginuid); 328 329 static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 330 { 331 return tsk->loginuid; 332 } 333 334 static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 335 { 336 return tsk->sessionid; 337 } 338 339 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 340 extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 341 extern void __audit_bprm(struct linux_binprm *bprm); 342 extern int __audit_socketcall(int nargs, unsigned long *args); 343 extern int __audit_sockaddr(int len, void *addr); 344 extern void __audit_fd_pair(int fd1, int fd2); 345 extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 346 extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout); 347 extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 348 extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 349 extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 350 const struct cred *new, 351 const struct cred *old); 352 extern void __audit_log_capset(const struct cred *new, const struct cred *old); 353 extern void __audit_mmap_fd(int fd, int flags); 354 extern void __audit_log_kern_module(char *name); 355 extern void __audit_fanotify(unsigned int response); 356 357 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 358 { 359 if (unlikely(!audit_dummy_context())) 360 __audit_ipc_obj(ipcp); 361 } 362 static inline void audit_fd_pair(int fd1, int fd2) 363 { 364 if (unlikely(!audit_dummy_context())) 365 __audit_fd_pair(fd1, fd2); 366 } 367 static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 368 { 369 if (unlikely(!audit_dummy_context())) 370 __audit_ipc_set_perm(qbytes, uid, gid, mode); 371 } 372 static inline void audit_bprm(struct linux_binprm *bprm) 373 { 374 if (unlikely(!audit_dummy_context())) 375 __audit_bprm(bprm); 376 } 377 static inline int audit_socketcall(int nargs, unsigned long *args) 378 { 379 if (unlikely(!audit_dummy_context())) 380 return __audit_socketcall(nargs, args); 381 return 0; 382 } 383 384 static inline int audit_socketcall_compat(int nargs, u32 *args) 385 { 386 unsigned long a[AUDITSC_ARGS]; 387 int i; 388 389 if (audit_dummy_context()) 390 return 0; 391 392 for (i = 0; i < nargs; i++) 393 a[i] = (unsigned long)args[i]; 394 return __audit_socketcall(nargs, a); 395 } 396 397 static inline int audit_sockaddr(int len, void *addr) 398 { 399 if (unlikely(!audit_dummy_context())) 400 return __audit_sockaddr(len, addr); 401 return 0; 402 } 403 static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 404 { 405 if (unlikely(!audit_dummy_context())) 406 __audit_mq_open(oflag, mode, attr); 407 } 408 static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout) 409 { 410 if (unlikely(!audit_dummy_context())) 411 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 412 } 413 static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 414 { 415 if (unlikely(!audit_dummy_context())) 416 __audit_mq_notify(mqdes, notification); 417 } 418 static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 419 { 420 if (unlikely(!audit_dummy_context())) 421 __audit_mq_getsetattr(mqdes, mqstat); 422 } 423 424 static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 425 const struct cred *new, 426 const struct cred *old) 427 { 428 if (unlikely(!audit_dummy_context())) 429 return __audit_log_bprm_fcaps(bprm, new, old); 430 return 0; 431 } 432 433 static inline void audit_log_capset(const struct cred *new, 434 const struct cred *old) 435 { 436 if (unlikely(!audit_dummy_context())) 437 __audit_log_capset(new, old); 438 } 439 440 static inline void audit_mmap_fd(int fd, int flags) 441 { 442 if (unlikely(!audit_dummy_context())) 443 __audit_mmap_fd(fd, flags); 444 } 445 446 static inline void audit_log_kern_module(char *name) 447 { 448 if (!audit_dummy_context()) 449 __audit_log_kern_module(name); 450 } 451 452 static inline void audit_fanotify(unsigned int response) 453 { 454 if (!audit_dummy_context()) 455 __audit_fanotify(response); 456 } 457 458 extern int audit_n_rules; 459 extern int audit_signals; 460 #else /* CONFIG_AUDITSYSCALL */ 461 static inline int audit_alloc(struct task_struct *task) 462 { 463 return 0; 464 } 465 static inline void audit_free(struct task_struct *task) 466 { } 467 static inline void audit_syscall_entry(int major, unsigned long a0, 468 unsigned long a1, unsigned long a2, 469 unsigned long a3) 470 { } 471 static inline void audit_syscall_exit(void *pt_regs) 472 { } 473 static inline bool audit_dummy_context(void) 474 { 475 return true; 476 } 477 static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 478 { } 479 static inline struct audit_context *audit_context(void) 480 { 481 return NULL; 482 } 483 static inline struct filename *audit_reusename(const __user char *name) 484 { 485 return NULL; 486 } 487 static inline void audit_getname(struct filename *name) 488 { } 489 static inline void __audit_inode(struct filename *name, 490 const struct dentry *dentry, 491 unsigned int flags) 492 { } 493 static inline void __audit_inode_child(struct inode *parent, 494 const struct dentry *dentry, 495 const unsigned char type) 496 { } 497 static inline void audit_inode(struct filename *name, 498 const struct dentry *dentry, 499 unsigned int parent) 500 { } 501 static inline void audit_file(struct file *file) 502 { 503 } 504 static inline void audit_inode_parent_hidden(struct filename *name, 505 const struct dentry *dentry) 506 { } 507 static inline void audit_inode_child(struct inode *parent, 508 const struct dentry *dentry, 509 const unsigned char type) 510 { } 511 static inline void audit_core_dumps(long signr) 512 { } 513 static inline void audit_seccomp(unsigned long syscall, long signr, int code) 514 { } 515 static inline void audit_seccomp_actions_logged(const char *names, 516 const char *old_names, int res) 517 { } 518 static inline int auditsc_get_stamp(struct audit_context *ctx, 519 struct timespec64 *t, unsigned int *serial) 520 { 521 return 0; 522 } 523 static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 524 { 525 return INVALID_UID; 526 } 527 static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 528 { 529 return AUDIT_SID_UNSET; 530 } 531 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 532 { } 533 static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 534 gid_t gid, umode_t mode) 535 { } 536 static inline void audit_bprm(struct linux_binprm *bprm) 537 { } 538 static inline int audit_socketcall(int nargs, unsigned long *args) 539 { 540 return 0; 541 } 542 543 static inline int audit_socketcall_compat(int nargs, u32 *args) 544 { 545 return 0; 546 } 547 548 static inline void audit_fd_pair(int fd1, int fd2) 549 { } 550 static inline int audit_sockaddr(int len, void *addr) 551 { 552 return 0; 553 } 554 static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 555 { } 556 static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 557 unsigned int msg_prio, 558 const struct timespec64 *abs_timeout) 559 { } 560 static inline void audit_mq_notify(mqd_t mqdes, 561 const struct sigevent *notification) 562 { } 563 static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 564 { } 565 static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 566 const struct cred *new, 567 const struct cred *old) 568 { 569 return 0; 570 } 571 static inline void audit_log_capset(const struct cred *new, 572 const struct cred *old) 573 { } 574 static inline void audit_mmap_fd(int fd, int flags) 575 { } 576 577 static inline void audit_log_kern_module(char *name) 578 { 579 } 580 581 static inline void audit_fanotify(unsigned int response) 582 { } 583 584 static inline void audit_ptrace(struct task_struct *t) 585 { } 586 #define audit_n_rules 0 587 #define audit_signals 0 588 #endif /* CONFIG_AUDITSYSCALL */ 589 590 static inline bool audit_loginuid_set(struct task_struct *tsk) 591 { 592 return uid_valid(audit_get_loginuid(tsk)); 593 } 594 595 static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 596 { 597 audit_log_n_string(ab, buf, strlen(buf)); 598 } 599 600 #endif 601