1 /* audit.h -- Auditing support 2 * 3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation; either version 2 of the License, or 9 * (at your option) any later version. 10 * 11 * This program is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 * GNU General Public License for more details. 15 * 16 * You should have received a copy of the GNU General Public License 17 * along with this program; if not, write to the Free Software 18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 * 20 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 21 * 22 */ 23 #ifndef _LINUX_AUDIT_H_ 24 #define _LINUX_AUDIT_H_ 25 26 #include <linux/sched.h> 27 #include <linux/ptrace.h> 28 #include <uapi/linux/audit.h> 29 30 #define AUDIT_INO_UNSET ((unsigned long)-1) 31 #define AUDIT_DEV_UNSET ((dev_t)-1) 32 33 struct audit_sig_info { 34 uid_t uid; 35 pid_t pid; 36 char ctx[0]; 37 }; 38 39 struct audit_buffer; 40 struct audit_context; 41 struct inode; 42 struct netlink_skb_parms; 43 struct path; 44 struct linux_binprm; 45 struct mq_attr; 46 struct mqstat; 47 struct audit_watch; 48 struct audit_tree; 49 struct sk_buff; 50 51 struct audit_krule { 52 u32 pflags; 53 u32 flags; 54 u32 listnr; 55 u32 action; 56 u32 mask[AUDIT_BITMASK_SIZE]; 57 u32 buflen; /* for data alloc on list rules */ 58 u32 field_count; 59 char *filterkey; /* ties events to rules */ 60 struct audit_field *fields; 61 struct audit_field *arch_f; /* quick access to arch field */ 62 struct audit_field *inode_f; /* quick access to an inode field */ 63 struct audit_watch *watch; /* associated watch */ 64 struct audit_tree *tree; /* associated watched tree */ 65 struct audit_fsnotify_mark *exe; 66 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 67 struct list_head list; /* for AUDIT_LIST* purposes only */ 68 u64 prio; 69 }; 70 71 /* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 72 #define AUDIT_LOGINUID_LEGACY 0x1 73 74 struct audit_field { 75 u32 type; 76 union { 77 u32 val; 78 kuid_t uid; 79 kgid_t gid; 80 struct { 81 char *lsm_str; 82 void *lsm_rule; 83 }; 84 }; 85 u32 op; 86 }; 87 88 extern int is_audit_feature_set(int which); 89 90 extern int __init audit_register_class(int class, unsigned *list); 91 extern int audit_classify_syscall(int abi, unsigned syscall); 92 extern int audit_classify_arch(int arch); 93 /* only for compat system calls */ 94 extern unsigned compat_write_class[]; 95 extern unsigned compat_read_class[]; 96 extern unsigned compat_dir_class[]; 97 extern unsigned compat_chattr_class[]; 98 extern unsigned compat_signal_class[]; 99 100 extern int audit_classify_compat_syscall(int abi, unsigned syscall); 101 102 /* audit_names->type values */ 103 #define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 104 #define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 105 #define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 106 #define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 107 #define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 108 109 /* maximized args number that audit_socketcall can process */ 110 #define AUDITSC_ARGS 6 111 112 /* bit values for ->signal->audit_tty */ 113 #define AUDIT_TTY_ENABLE BIT(0) 114 #define AUDIT_TTY_LOG_PASSWD BIT(1) 115 116 struct filename; 117 118 extern void audit_log_session_info(struct audit_buffer *ab); 119 120 #ifdef CONFIG_AUDIT 121 /* These are defined in audit.c */ 122 /* Public API */ 123 extern __printf(4, 5) 124 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 125 const char *fmt, ...); 126 127 extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 128 extern __printf(2, 3) 129 void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 130 extern void audit_log_end(struct audit_buffer *ab); 131 extern bool audit_string_contains_control(const char *string, 132 size_t len); 133 extern void audit_log_n_hex(struct audit_buffer *ab, 134 const unsigned char *buf, 135 size_t len); 136 extern void audit_log_n_string(struct audit_buffer *ab, 137 const char *buf, 138 size_t n); 139 extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 140 const char *string, 141 size_t n); 142 extern void audit_log_untrustedstring(struct audit_buffer *ab, 143 const char *string); 144 extern void audit_log_d_path(struct audit_buffer *ab, 145 const char *prefix, 146 const struct path *path); 147 extern void audit_log_key(struct audit_buffer *ab, 148 char *key); 149 extern void audit_log_link_denied(const char *operation, 150 const struct path *link); 151 extern void audit_log_lost(const char *message); 152 #ifdef CONFIG_SECURITY 153 extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); 154 #else 155 static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 156 { } 157 #endif 158 159 extern int audit_log_task_context(struct audit_buffer *ab); 160 extern void audit_log_task_info(struct audit_buffer *ab, 161 struct task_struct *tsk); 162 163 extern int audit_update_lsm_rules(void); 164 165 /* Private API (for audit.c only) */ 166 extern int audit_rule_change(int type, int seq, void *data, size_t datasz); 167 extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 168 169 extern u32 audit_enabled; 170 #else /* CONFIG_AUDIT */ 171 static inline __printf(4, 5) 172 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 173 const char *fmt, ...) 174 { } 175 static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 176 gfp_t gfp_mask, int type) 177 { 178 return NULL; 179 } 180 static inline __printf(2, 3) 181 void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 182 { } 183 static inline void audit_log_end(struct audit_buffer *ab) 184 { } 185 static inline void audit_log_n_hex(struct audit_buffer *ab, 186 const unsigned char *buf, size_t len) 187 { } 188 static inline void audit_log_n_string(struct audit_buffer *ab, 189 const char *buf, size_t n) 190 { } 191 static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 192 const char *string, size_t n) 193 { } 194 static inline void audit_log_untrustedstring(struct audit_buffer *ab, 195 const char *string) 196 { } 197 static inline void audit_log_d_path(struct audit_buffer *ab, 198 const char *prefix, 199 const struct path *path) 200 { } 201 static inline void audit_log_key(struct audit_buffer *ab, char *key) 202 { } 203 static inline void audit_log_link_denied(const char *string, 204 const struct path *link) 205 { } 206 static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) 207 { } 208 static inline int audit_log_task_context(struct audit_buffer *ab) 209 { 210 return 0; 211 } 212 static inline void audit_log_task_info(struct audit_buffer *ab, 213 struct task_struct *tsk) 214 { } 215 #define audit_enabled 0 216 #endif /* CONFIG_AUDIT */ 217 218 #ifdef CONFIG_AUDIT_COMPAT_GENERIC 219 #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 220 #else 221 #define audit_is_compat(arch) false 222 #endif 223 224 #ifdef CONFIG_AUDITSYSCALL 225 #include <asm/syscall.h> /* for syscall_get_arch() */ 226 227 /* These are defined in auditsc.c */ 228 /* Public API */ 229 extern int audit_alloc(struct task_struct *task); 230 extern void __audit_free(struct task_struct *task); 231 extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 232 unsigned long a2, unsigned long a3); 233 extern void __audit_syscall_exit(int ret_success, long ret_value); 234 extern struct filename *__audit_reusename(const __user char *uptr); 235 extern void __audit_getname(struct filename *name); 236 237 #define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 238 #define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 239 extern void __audit_inode(struct filename *name, const struct dentry *dentry, 240 unsigned int flags); 241 extern void __audit_file(const struct file *); 242 extern void __audit_inode_child(struct inode *parent, 243 const struct dentry *dentry, 244 const unsigned char type); 245 extern void __audit_seccomp(unsigned long syscall, long signr, int code); 246 extern void __audit_ptrace(struct task_struct *t); 247 248 static inline bool audit_dummy_context(void) 249 { 250 void *p = current->audit_context; 251 return !p || *(int *)p; 252 } 253 static inline void audit_free(struct task_struct *task) 254 { 255 if (unlikely(task->audit_context)) 256 __audit_free(task); 257 } 258 static inline void audit_syscall_entry(int major, unsigned long a0, 259 unsigned long a1, unsigned long a2, 260 unsigned long a3) 261 { 262 if (unlikely(current->audit_context)) 263 __audit_syscall_entry(major, a0, a1, a2, a3); 264 } 265 static inline void audit_syscall_exit(void *pt_regs) 266 { 267 if (unlikely(current->audit_context)) { 268 int success = is_syscall_success(pt_regs); 269 long return_code = regs_return_value(pt_regs); 270 271 __audit_syscall_exit(success, return_code); 272 } 273 } 274 static inline struct filename *audit_reusename(const __user char *name) 275 { 276 if (unlikely(!audit_dummy_context())) 277 return __audit_reusename(name); 278 return NULL; 279 } 280 static inline void audit_getname(struct filename *name) 281 { 282 if (unlikely(!audit_dummy_context())) 283 __audit_getname(name); 284 } 285 static inline void audit_inode(struct filename *name, 286 const struct dentry *dentry, 287 unsigned int parent) { 288 if (unlikely(!audit_dummy_context())) { 289 unsigned int flags = 0; 290 if (parent) 291 flags |= AUDIT_INODE_PARENT; 292 __audit_inode(name, dentry, flags); 293 } 294 } 295 static inline void audit_file(struct file *file) 296 { 297 if (unlikely(!audit_dummy_context())) 298 __audit_file(file); 299 } 300 static inline void audit_inode_parent_hidden(struct filename *name, 301 const struct dentry *dentry) 302 { 303 if (unlikely(!audit_dummy_context())) 304 __audit_inode(name, dentry, 305 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 306 } 307 static inline void audit_inode_child(struct inode *parent, 308 const struct dentry *dentry, 309 const unsigned char type) { 310 if (unlikely(!audit_dummy_context())) 311 __audit_inode_child(parent, dentry, type); 312 } 313 void audit_core_dumps(long signr); 314 315 static inline void audit_seccomp(unsigned long syscall, long signr, int code) 316 { 317 if (audit_enabled && unlikely(!audit_dummy_context())) 318 __audit_seccomp(syscall, signr, code); 319 } 320 321 static inline void audit_ptrace(struct task_struct *t) 322 { 323 if (unlikely(!audit_dummy_context())) 324 __audit_ptrace(t); 325 } 326 327 /* Private API (for audit.c only) */ 328 extern unsigned int audit_serial(void); 329 extern int auditsc_get_stamp(struct audit_context *ctx, 330 struct timespec64 *t, unsigned int *serial); 331 extern int audit_set_loginuid(kuid_t loginuid); 332 333 static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 334 { 335 return tsk->loginuid; 336 } 337 338 static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 339 { 340 return tsk->sessionid; 341 } 342 343 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 344 extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 345 extern void __audit_bprm(struct linux_binprm *bprm); 346 extern int __audit_socketcall(int nargs, unsigned long *args); 347 extern int __audit_sockaddr(int len, void *addr); 348 extern void __audit_fd_pair(int fd1, int fd2); 349 extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 350 extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout); 351 extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 352 extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 353 extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 354 const struct cred *new, 355 const struct cred *old); 356 extern void __audit_log_capset(const struct cred *new, const struct cred *old); 357 extern void __audit_mmap_fd(int fd, int flags); 358 extern void __audit_log_kern_module(char *name); 359 360 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 361 { 362 if (unlikely(!audit_dummy_context())) 363 __audit_ipc_obj(ipcp); 364 } 365 static inline void audit_fd_pair(int fd1, int fd2) 366 { 367 if (unlikely(!audit_dummy_context())) 368 __audit_fd_pair(fd1, fd2); 369 } 370 static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 371 { 372 if (unlikely(!audit_dummy_context())) 373 __audit_ipc_set_perm(qbytes, uid, gid, mode); 374 } 375 static inline void audit_bprm(struct linux_binprm *bprm) 376 { 377 if (unlikely(!audit_dummy_context())) 378 __audit_bprm(bprm); 379 } 380 static inline int audit_socketcall(int nargs, unsigned long *args) 381 { 382 if (unlikely(!audit_dummy_context())) 383 return __audit_socketcall(nargs, args); 384 return 0; 385 } 386 387 static inline int audit_socketcall_compat(int nargs, u32 *args) 388 { 389 unsigned long a[AUDITSC_ARGS]; 390 int i; 391 392 if (audit_dummy_context()) 393 return 0; 394 395 for (i = 0; i < nargs; i++) 396 a[i] = (unsigned long)args[i]; 397 return __audit_socketcall(nargs, a); 398 } 399 400 static inline int audit_sockaddr(int len, void *addr) 401 { 402 if (unlikely(!audit_dummy_context())) 403 return __audit_sockaddr(len, addr); 404 return 0; 405 } 406 static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 407 { 408 if (unlikely(!audit_dummy_context())) 409 __audit_mq_open(oflag, mode, attr); 410 } 411 static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout) 412 { 413 if (unlikely(!audit_dummy_context())) 414 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 415 } 416 static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 417 { 418 if (unlikely(!audit_dummy_context())) 419 __audit_mq_notify(mqdes, notification); 420 } 421 static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 422 { 423 if (unlikely(!audit_dummy_context())) 424 __audit_mq_getsetattr(mqdes, mqstat); 425 } 426 427 static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 428 const struct cred *new, 429 const struct cred *old) 430 { 431 if (unlikely(!audit_dummy_context())) 432 return __audit_log_bprm_fcaps(bprm, new, old); 433 return 0; 434 } 435 436 static inline void audit_log_capset(const struct cred *new, 437 const struct cred *old) 438 { 439 if (unlikely(!audit_dummy_context())) 440 __audit_log_capset(new, old); 441 } 442 443 static inline void audit_mmap_fd(int fd, int flags) 444 { 445 if (unlikely(!audit_dummy_context())) 446 __audit_mmap_fd(fd, flags); 447 } 448 449 static inline void audit_log_kern_module(char *name) 450 { 451 if (!audit_dummy_context()) 452 __audit_log_kern_module(name); 453 } 454 455 extern int audit_n_rules; 456 extern int audit_signals; 457 #else /* CONFIG_AUDITSYSCALL */ 458 static inline int audit_alloc(struct task_struct *task) 459 { 460 return 0; 461 } 462 static inline void audit_free(struct task_struct *task) 463 { } 464 static inline void audit_syscall_entry(int major, unsigned long a0, 465 unsigned long a1, unsigned long a2, 466 unsigned long a3) 467 { } 468 static inline void audit_syscall_exit(void *pt_regs) 469 { } 470 static inline bool audit_dummy_context(void) 471 { 472 return true; 473 } 474 static inline struct filename *audit_reusename(const __user char *name) 475 { 476 return NULL; 477 } 478 static inline void audit_getname(struct filename *name) 479 { } 480 static inline void __audit_inode(struct filename *name, 481 const struct dentry *dentry, 482 unsigned int flags) 483 { } 484 static inline void __audit_inode_child(struct inode *parent, 485 const struct dentry *dentry, 486 const unsigned char type) 487 { } 488 static inline void audit_inode(struct filename *name, 489 const struct dentry *dentry, 490 unsigned int parent) 491 { } 492 static inline void audit_file(struct file *file) 493 { 494 } 495 static inline void audit_inode_parent_hidden(struct filename *name, 496 const struct dentry *dentry) 497 { } 498 static inline void audit_inode_child(struct inode *parent, 499 const struct dentry *dentry, 500 const unsigned char type) 501 { } 502 static inline void audit_core_dumps(long signr) 503 { } 504 static inline void __audit_seccomp(unsigned long syscall, long signr, int code) 505 { } 506 static inline void audit_seccomp(unsigned long syscall, long signr, int code) 507 { } 508 static inline int auditsc_get_stamp(struct audit_context *ctx, 509 struct timespec64 *t, unsigned int *serial) 510 { 511 return 0; 512 } 513 static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 514 { 515 return INVALID_UID; 516 } 517 static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 518 { 519 return -1; 520 } 521 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 522 { } 523 static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 524 gid_t gid, umode_t mode) 525 { } 526 static inline void audit_bprm(struct linux_binprm *bprm) 527 { } 528 static inline int audit_socketcall(int nargs, unsigned long *args) 529 { 530 return 0; 531 } 532 533 static inline int audit_socketcall_compat(int nargs, u32 *args) 534 { 535 return 0; 536 } 537 538 static inline void audit_fd_pair(int fd1, int fd2) 539 { } 540 static inline int audit_sockaddr(int len, void *addr) 541 { 542 return 0; 543 } 544 static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 545 { } 546 static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 547 unsigned int msg_prio, 548 const struct timespec64 *abs_timeout) 549 { } 550 static inline void audit_mq_notify(mqd_t mqdes, 551 const struct sigevent *notification) 552 { } 553 static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 554 { } 555 static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 556 const struct cred *new, 557 const struct cred *old) 558 { 559 return 0; 560 } 561 static inline void audit_log_capset(const struct cred *new, 562 const struct cred *old) 563 { } 564 static inline void audit_mmap_fd(int fd, int flags) 565 { } 566 567 static inline void audit_log_kern_module(char *name) 568 { 569 } 570 571 static inline void audit_ptrace(struct task_struct *t) 572 { } 573 #define audit_n_rules 0 574 #define audit_signals 0 575 #endif /* CONFIG_AUDITSYSCALL */ 576 577 static inline bool audit_loginuid_set(struct task_struct *tsk) 578 { 579 return uid_valid(audit_get_loginuid(tsk)); 580 } 581 582 static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 583 { 584 audit_log_n_string(ab, buf, strlen(buf)); 585 } 586 587 #endif 588