1 /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 /* audit.h -- Auditing support 3 * 4 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. 5 * All Rights Reserved. 6 * 7 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 8 */ 9 #ifndef _LINUX_AUDIT_H_ 10 #define _LINUX_AUDIT_H_ 11 12 #include <linux/sched.h> 13 #include <linux/ptrace.h> 14 #include <uapi/linux/audit.h> 15 16 #define AUDIT_INO_UNSET ((unsigned long)-1) 17 #define AUDIT_DEV_UNSET ((dev_t)-1) 18 19 struct audit_sig_info { 20 uid_t uid; 21 pid_t pid; 22 char ctx[]; 23 }; 24 25 struct audit_buffer; 26 struct audit_context; 27 struct inode; 28 struct netlink_skb_parms; 29 struct path; 30 struct linux_binprm; 31 struct mq_attr; 32 struct mqstat; 33 struct audit_watch; 34 struct audit_tree; 35 struct sk_buff; 36 37 struct audit_krule { 38 u32 pflags; 39 u32 flags; 40 u32 listnr; 41 u32 action; 42 u32 mask[AUDIT_BITMASK_SIZE]; 43 u32 buflen; /* for data alloc on list rules */ 44 u32 field_count; 45 char *filterkey; /* ties events to rules */ 46 struct audit_field *fields; 47 struct audit_field *arch_f; /* quick access to arch field */ 48 struct audit_field *inode_f; /* quick access to an inode field */ 49 struct audit_watch *watch; /* associated watch */ 50 struct audit_tree *tree; /* associated watched tree */ 51 struct audit_fsnotify_mark *exe; 52 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */ 53 struct list_head list; /* for AUDIT_LIST* purposes only */ 54 u64 prio; 55 }; 56 57 /* Flag to indicate legacy AUDIT_LOGINUID unset usage */ 58 #define AUDIT_LOGINUID_LEGACY 0x1 59 60 struct audit_field { 61 u32 type; 62 union { 63 u32 val; 64 kuid_t uid; 65 kgid_t gid; 66 struct { 67 char *lsm_str; 68 void *lsm_rule; 69 }; 70 }; 71 u32 op; 72 }; 73 74 enum audit_ntp_type { 75 AUDIT_NTP_OFFSET, 76 AUDIT_NTP_FREQ, 77 AUDIT_NTP_STATUS, 78 AUDIT_NTP_TAI, 79 AUDIT_NTP_TICK, 80 AUDIT_NTP_ADJUST, 81 82 AUDIT_NTP_NVALS /* count */ 83 }; 84 85 #ifdef CONFIG_AUDITSYSCALL 86 struct audit_ntp_val { 87 long long oldval, newval; 88 }; 89 90 struct audit_ntp_data { 91 struct audit_ntp_val vals[AUDIT_NTP_NVALS]; 92 }; 93 #else 94 struct audit_ntp_data {}; 95 #endif 96 97 enum audit_nfcfgop { 98 AUDIT_XT_OP_REGISTER, 99 AUDIT_XT_OP_REPLACE, 100 AUDIT_XT_OP_UNREGISTER, 101 }; 102 103 extern int is_audit_feature_set(int which); 104 105 extern int __init audit_register_class(int class, unsigned *list); 106 extern int audit_classify_syscall(int abi, unsigned syscall); 107 extern int audit_classify_arch(int arch); 108 /* only for compat system calls */ 109 extern unsigned compat_write_class[]; 110 extern unsigned compat_read_class[]; 111 extern unsigned compat_dir_class[]; 112 extern unsigned compat_chattr_class[]; 113 extern unsigned compat_signal_class[]; 114 115 extern int audit_classify_compat_syscall(int abi, unsigned syscall); 116 117 /* audit_names->type values */ 118 #define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */ 119 #define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */ 120 #define AUDIT_TYPE_PARENT 2 /* a parent audit record */ 121 #define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */ 122 #define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */ 123 124 /* maximized args number that audit_socketcall can process */ 125 #define AUDITSC_ARGS 6 126 127 /* bit values for ->signal->audit_tty */ 128 #define AUDIT_TTY_ENABLE BIT(0) 129 #define AUDIT_TTY_LOG_PASSWD BIT(1) 130 131 struct filename; 132 133 #define AUDIT_OFF 0 134 #define AUDIT_ON 1 135 #define AUDIT_LOCKED 2 136 #ifdef CONFIG_AUDIT 137 /* These are defined in audit.c */ 138 /* Public API */ 139 extern __printf(4, 5) 140 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 141 const char *fmt, ...); 142 143 extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); 144 extern __printf(2, 3) 145 void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); 146 extern void audit_log_end(struct audit_buffer *ab); 147 extern bool audit_string_contains_control(const char *string, 148 size_t len); 149 extern void audit_log_n_hex(struct audit_buffer *ab, 150 const unsigned char *buf, 151 size_t len); 152 extern void audit_log_n_string(struct audit_buffer *ab, 153 const char *buf, 154 size_t n); 155 extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 156 const char *string, 157 size_t n); 158 extern void audit_log_untrustedstring(struct audit_buffer *ab, 159 const char *string); 160 extern void audit_log_d_path(struct audit_buffer *ab, 161 const char *prefix, 162 const struct path *path); 163 extern void audit_log_key(struct audit_buffer *ab, 164 char *key); 165 extern void audit_log_path_denied(int type, 166 const char *operation); 167 extern void audit_log_lost(const char *message); 168 169 extern int audit_log_task_context(struct audit_buffer *ab); 170 extern void audit_log_task_info(struct audit_buffer *ab); 171 172 extern int audit_update_lsm_rules(void); 173 174 /* Private API (for audit.c only) */ 175 extern int audit_rule_change(int type, int seq, void *data, size_t datasz); 176 extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); 177 178 extern int audit_set_loginuid(kuid_t loginuid); 179 180 static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 181 { 182 return tsk->loginuid; 183 } 184 185 static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 186 { 187 return tsk->sessionid; 188 } 189 190 extern u32 audit_enabled; 191 192 extern int audit_signal_info(int sig, struct task_struct *t); 193 194 #else /* CONFIG_AUDIT */ 195 static inline __printf(4, 5) 196 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, 197 const char *fmt, ...) 198 { } 199 static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, 200 gfp_t gfp_mask, int type) 201 { 202 return NULL; 203 } 204 static inline __printf(2, 3) 205 void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) 206 { } 207 static inline void audit_log_end(struct audit_buffer *ab) 208 { } 209 static inline void audit_log_n_hex(struct audit_buffer *ab, 210 const unsigned char *buf, size_t len) 211 { } 212 static inline void audit_log_n_string(struct audit_buffer *ab, 213 const char *buf, size_t n) 214 { } 215 static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, 216 const char *string, size_t n) 217 { } 218 static inline void audit_log_untrustedstring(struct audit_buffer *ab, 219 const char *string) 220 { } 221 static inline void audit_log_d_path(struct audit_buffer *ab, 222 const char *prefix, 223 const struct path *path) 224 { } 225 static inline void audit_log_key(struct audit_buffer *ab, char *key) 226 { } 227 static inline void audit_log_path_denied(int type, const char *operation) 228 { } 229 static inline int audit_log_task_context(struct audit_buffer *ab) 230 { 231 return 0; 232 } 233 static inline void audit_log_task_info(struct audit_buffer *ab) 234 { } 235 236 static inline kuid_t audit_get_loginuid(struct task_struct *tsk) 237 { 238 return INVALID_UID; 239 } 240 241 static inline unsigned int audit_get_sessionid(struct task_struct *tsk) 242 { 243 return AUDIT_SID_UNSET; 244 } 245 246 #define audit_enabled AUDIT_OFF 247 248 static inline int audit_signal_info(int sig, struct task_struct *t) 249 { 250 return 0; 251 } 252 253 #endif /* CONFIG_AUDIT */ 254 255 #ifdef CONFIG_AUDIT_COMPAT_GENERIC 256 #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) 257 #else 258 #define audit_is_compat(arch) false 259 #endif 260 261 #define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ 262 #define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ 263 #define AUDIT_INODE_NOEVAL 4 /* audit record incomplete */ 264 265 #ifdef CONFIG_AUDITSYSCALL 266 #include <asm/syscall.h> /* for syscall_get_arch() */ 267 268 /* These are defined in auditsc.c */ 269 /* Public API */ 270 extern int audit_alloc(struct task_struct *task); 271 extern void __audit_free(struct task_struct *task); 272 extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1, 273 unsigned long a2, unsigned long a3); 274 extern void __audit_syscall_exit(int ret_success, long ret_value); 275 extern struct filename *__audit_reusename(const __user char *uptr); 276 extern void __audit_getname(struct filename *name); 277 278 extern void __audit_inode(struct filename *name, const struct dentry *dentry, 279 unsigned int flags); 280 extern void __audit_file(const struct file *); 281 extern void __audit_inode_child(struct inode *parent, 282 const struct dentry *dentry, 283 const unsigned char type); 284 extern void audit_seccomp(unsigned long syscall, long signr, int code); 285 extern void audit_seccomp_actions_logged(const char *names, 286 const char *old_names, int res); 287 extern void __audit_ptrace(struct task_struct *t); 288 289 static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 290 { 291 task->audit_context = ctx; 292 } 293 294 static inline struct audit_context *audit_context(void) 295 { 296 return current->audit_context; 297 } 298 299 static inline bool audit_dummy_context(void) 300 { 301 void *p = audit_context(); 302 return !p || *(int *)p; 303 } 304 static inline void audit_free(struct task_struct *task) 305 { 306 if (unlikely(task->audit_context)) 307 __audit_free(task); 308 } 309 static inline void audit_syscall_entry(int major, unsigned long a0, 310 unsigned long a1, unsigned long a2, 311 unsigned long a3) 312 { 313 if (unlikely(audit_context())) 314 __audit_syscall_entry(major, a0, a1, a2, a3); 315 } 316 static inline void audit_syscall_exit(void *pt_regs) 317 { 318 if (unlikely(audit_context())) { 319 int success = is_syscall_success(pt_regs); 320 long return_code = regs_return_value(pt_regs); 321 322 __audit_syscall_exit(success, return_code); 323 } 324 } 325 static inline struct filename *audit_reusename(const __user char *name) 326 { 327 if (unlikely(!audit_dummy_context())) 328 return __audit_reusename(name); 329 return NULL; 330 } 331 static inline void audit_getname(struct filename *name) 332 { 333 if (unlikely(!audit_dummy_context())) 334 __audit_getname(name); 335 } 336 static inline void audit_inode(struct filename *name, 337 const struct dentry *dentry, 338 unsigned int aflags) { 339 if (unlikely(!audit_dummy_context())) 340 __audit_inode(name, dentry, aflags); 341 } 342 static inline void audit_file(struct file *file) 343 { 344 if (unlikely(!audit_dummy_context())) 345 __audit_file(file); 346 } 347 static inline void audit_inode_parent_hidden(struct filename *name, 348 const struct dentry *dentry) 349 { 350 if (unlikely(!audit_dummy_context())) 351 __audit_inode(name, dentry, 352 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 353 } 354 static inline void audit_inode_child(struct inode *parent, 355 const struct dentry *dentry, 356 const unsigned char type) { 357 if (unlikely(!audit_dummy_context())) 358 __audit_inode_child(parent, dentry, type); 359 } 360 void audit_core_dumps(long signr); 361 362 static inline void audit_ptrace(struct task_struct *t) 363 { 364 if (unlikely(!audit_dummy_context())) 365 __audit_ptrace(t); 366 } 367 368 /* Private API (for audit.c only) */ 369 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); 370 extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); 371 extern void __audit_bprm(struct linux_binprm *bprm); 372 extern int __audit_socketcall(int nargs, unsigned long *args); 373 extern int __audit_sockaddr(int len, void *addr); 374 extern void __audit_fd_pair(int fd1, int fd2); 375 extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); 376 extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout); 377 extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification); 378 extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat); 379 extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, 380 const struct cred *new, 381 const struct cred *old); 382 extern void __audit_log_capset(const struct cred *new, const struct cred *old); 383 extern void __audit_mmap_fd(int fd, int flags); 384 extern void __audit_log_kern_module(char *name); 385 extern void __audit_fanotify(unsigned int response); 386 extern void __audit_tk_injoffset(struct timespec64 offset); 387 extern void __audit_ntp_log(const struct audit_ntp_data *ad); 388 extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, 389 enum audit_nfcfgop op); 390 391 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 392 { 393 if (unlikely(!audit_dummy_context())) 394 __audit_ipc_obj(ipcp); 395 } 396 static inline void audit_fd_pair(int fd1, int fd2) 397 { 398 if (unlikely(!audit_dummy_context())) 399 __audit_fd_pair(fd1, fd2); 400 } 401 static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode) 402 { 403 if (unlikely(!audit_dummy_context())) 404 __audit_ipc_set_perm(qbytes, uid, gid, mode); 405 } 406 static inline void audit_bprm(struct linux_binprm *bprm) 407 { 408 if (unlikely(!audit_dummy_context())) 409 __audit_bprm(bprm); 410 } 411 static inline int audit_socketcall(int nargs, unsigned long *args) 412 { 413 if (unlikely(!audit_dummy_context())) 414 return __audit_socketcall(nargs, args); 415 return 0; 416 } 417 418 static inline int audit_socketcall_compat(int nargs, u32 *args) 419 { 420 unsigned long a[AUDITSC_ARGS]; 421 int i; 422 423 if (audit_dummy_context()) 424 return 0; 425 426 for (i = 0; i < nargs; i++) 427 a[i] = (unsigned long)args[i]; 428 return __audit_socketcall(nargs, a); 429 } 430 431 static inline int audit_sockaddr(int len, void *addr) 432 { 433 if (unlikely(!audit_dummy_context())) 434 return __audit_sockaddr(len, addr); 435 return 0; 436 } 437 static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 438 { 439 if (unlikely(!audit_dummy_context())) 440 __audit_mq_open(oflag, mode, attr); 441 } 442 static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout) 443 { 444 if (unlikely(!audit_dummy_context())) 445 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout); 446 } 447 static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification) 448 { 449 if (unlikely(!audit_dummy_context())) 450 __audit_mq_notify(mqdes, notification); 451 } 452 static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 453 { 454 if (unlikely(!audit_dummy_context())) 455 __audit_mq_getsetattr(mqdes, mqstat); 456 } 457 458 static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 459 const struct cred *new, 460 const struct cred *old) 461 { 462 if (unlikely(!audit_dummy_context())) 463 return __audit_log_bprm_fcaps(bprm, new, old); 464 return 0; 465 } 466 467 static inline void audit_log_capset(const struct cred *new, 468 const struct cred *old) 469 { 470 if (unlikely(!audit_dummy_context())) 471 __audit_log_capset(new, old); 472 } 473 474 static inline void audit_mmap_fd(int fd, int flags) 475 { 476 if (unlikely(!audit_dummy_context())) 477 __audit_mmap_fd(fd, flags); 478 } 479 480 static inline void audit_log_kern_module(char *name) 481 { 482 if (!audit_dummy_context()) 483 __audit_log_kern_module(name); 484 } 485 486 static inline void audit_fanotify(unsigned int response) 487 { 488 if (!audit_dummy_context()) 489 __audit_fanotify(response); 490 } 491 492 static inline void audit_tk_injoffset(struct timespec64 offset) 493 { 494 /* ignore no-op events */ 495 if (offset.tv_sec == 0 && offset.tv_nsec == 0) 496 return; 497 498 if (!audit_dummy_context()) 499 __audit_tk_injoffset(offset); 500 } 501 502 static inline void audit_ntp_init(struct audit_ntp_data *ad) 503 { 504 memset(ad, 0, sizeof(*ad)); 505 } 506 507 static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 508 enum audit_ntp_type type, long long val) 509 { 510 ad->vals[type].oldval = val; 511 } 512 513 static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 514 enum audit_ntp_type type, long long val) 515 { 516 ad->vals[type].newval = val; 517 } 518 519 static inline void audit_ntp_log(const struct audit_ntp_data *ad) 520 { 521 if (!audit_dummy_context()) 522 __audit_ntp_log(ad); 523 } 524 525 static inline void audit_log_nfcfg(const char *name, u8 af, 526 unsigned int nentries, 527 enum audit_nfcfgop op) 528 { 529 if (audit_enabled) 530 __audit_log_nfcfg(name, af, nentries, op); 531 } 532 533 extern int audit_n_rules; 534 extern int audit_signals; 535 #else /* CONFIG_AUDITSYSCALL */ 536 static inline int audit_alloc(struct task_struct *task) 537 { 538 return 0; 539 } 540 static inline void audit_free(struct task_struct *task) 541 { } 542 static inline void audit_syscall_entry(int major, unsigned long a0, 543 unsigned long a1, unsigned long a2, 544 unsigned long a3) 545 { } 546 static inline void audit_syscall_exit(void *pt_regs) 547 { } 548 static inline bool audit_dummy_context(void) 549 { 550 return true; 551 } 552 static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx) 553 { } 554 static inline struct audit_context *audit_context(void) 555 { 556 return NULL; 557 } 558 static inline struct filename *audit_reusename(const __user char *name) 559 { 560 return NULL; 561 } 562 static inline void audit_getname(struct filename *name) 563 { } 564 static inline void __audit_inode(struct filename *name, 565 const struct dentry *dentry, 566 unsigned int flags) 567 { } 568 static inline void __audit_inode_child(struct inode *parent, 569 const struct dentry *dentry, 570 const unsigned char type) 571 { } 572 static inline void audit_inode(struct filename *name, 573 const struct dentry *dentry, 574 unsigned int aflags) 575 { } 576 static inline void audit_file(struct file *file) 577 { 578 } 579 static inline void audit_inode_parent_hidden(struct filename *name, 580 const struct dentry *dentry) 581 { } 582 static inline void audit_inode_child(struct inode *parent, 583 const struct dentry *dentry, 584 const unsigned char type) 585 { } 586 static inline void audit_core_dumps(long signr) 587 { } 588 static inline void audit_seccomp(unsigned long syscall, long signr, int code) 589 { } 590 static inline void audit_seccomp_actions_logged(const char *names, 591 const char *old_names, int res) 592 { } 593 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) 594 { } 595 static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, 596 gid_t gid, umode_t mode) 597 { } 598 static inline void audit_bprm(struct linux_binprm *bprm) 599 { } 600 static inline int audit_socketcall(int nargs, unsigned long *args) 601 { 602 return 0; 603 } 604 605 static inline int audit_socketcall_compat(int nargs, u32 *args) 606 { 607 return 0; 608 } 609 610 static inline void audit_fd_pair(int fd1, int fd2) 611 { } 612 static inline int audit_sockaddr(int len, void *addr) 613 { 614 return 0; 615 } 616 static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr) 617 { } 618 static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, 619 unsigned int msg_prio, 620 const struct timespec64 *abs_timeout) 621 { } 622 static inline void audit_mq_notify(mqd_t mqdes, 623 const struct sigevent *notification) 624 { } 625 static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) 626 { } 627 static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm, 628 const struct cred *new, 629 const struct cred *old) 630 { 631 return 0; 632 } 633 static inline void audit_log_capset(const struct cred *new, 634 const struct cred *old) 635 { } 636 static inline void audit_mmap_fd(int fd, int flags) 637 { } 638 639 static inline void audit_log_kern_module(char *name) 640 { 641 } 642 643 static inline void audit_fanotify(unsigned int response) 644 { } 645 646 static inline void audit_tk_injoffset(struct timespec64 offset) 647 { } 648 649 static inline void audit_ntp_init(struct audit_ntp_data *ad) 650 { } 651 652 static inline void audit_ntp_set_old(struct audit_ntp_data *ad, 653 enum audit_ntp_type type, long long val) 654 { } 655 656 static inline void audit_ntp_set_new(struct audit_ntp_data *ad, 657 enum audit_ntp_type type, long long val) 658 { } 659 660 static inline void audit_ntp_log(const struct audit_ntp_data *ad) 661 { } 662 663 static inline void audit_ptrace(struct task_struct *t) 664 { } 665 666 static inline void audit_log_nfcfg(const char *name, u8 af, 667 unsigned int nentries, 668 enum audit_nfcfgop op) 669 { } 670 671 #define audit_n_rules 0 672 #define audit_signals 0 673 #endif /* CONFIG_AUDITSYSCALL */ 674 675 static inline bool audit_loginuid_set(struct task_struct *tsk) 676 { 677 return uid_valid(audit_get_loginuid(tsk)); 678 } 679 680 static inline void audit_log_string(struct audit_buffer *ab, const char *buf) 681 { 682 audit_log_n_string(ab, buf, strlen(buf)); 683 } 684 685 #endif 686