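/* SPDX-License-Identifier: GPL-2.0-or-later */
/* audit -- definition of audit_context structure and supporting types
 *
 * Copyright 2003-2004 Red Hat, Inc.
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
 * Copyright 2005 IBM Corporation
 */

#include <linux/fs.h>
#include <linux/audit.h>
#include <linux/skbuff.h>
#include <uapi/linux/mqueue.h>
#include <linux/tty.h>

/* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname().  If we get more names we will allocate
 * a name dynamically and also add those to the list anchored by names_list. */
#define AUDIT_NAMES	5

/* At task start time, the audit_state is set in the audit_context using
   a per-task filter.  At syscall entry, the audit_state is augmented by
   the syscall filter. */
enum audit_state {
	AUDIT_DISABLED,		/* Do not create per-task audit_context.
				 * No syscall-specific audit records can
				 * be generated. */
	AUDIT_BUILD_CONTEXT,	/* Create the per-task audit_context,
				 * and fill it in at syscall
				 * entry time.  This makes a full
				 * syscall record available if some
				 * other part of the kernel decides it
				 * should be recorded. */
	AUDIT_RECORD_CONTEXT	/* Create the per-task audit_context,
				 * always fill it in at syscall entry
				 * time, and always write out the audit
				 * record at syscall exit time.  */
};

/* Rule lists */
struct audit_watch;
struct audit_fsnotify_mark;
struct audit_tree;
struct audit_chunk;

/* One element of a rule list: the list linkage, an rcu_head and the rule
 * itself, embedded by value. */
struct audit_entry {
	struct list_head	list;
	struct rcu_head		rcu;
	struct audit_krule	rule;
};

/* Capability sets saved for an audit record.  The anonymous union holds
 * either the file-capability effective bit or a process effective set;
 * which member is valid depends on what the record describes. */
struct audit_cap_data {
	kernel_cap_t		permitted;
	kernel_cap_t		inheritable;
	union {
		unsigned int	fE;		/* effective bit of file cap */
		kernel_cap_t	effective;	/* effective set of process */
	};
	kernel_cap_t		ambient;
	kuid_t			rootid;
};

/* When fs/namei.c:getname() is called, we store the pointer in name and bump
 * the refcnt in the associated filename struct.
 *
 * Further, in fs/namei.c:path_lookup() we store the inode and device.
 */
struct audit_names {
	struct list_head	list;		/* audit_context->names_list */

	struct filename		*name;
	int			name_len;	/* number of chars to log */
	bool			hidden;		/* don't log this record */

	unsigned long		ino;
	dev_t			dev;
	umode_t			mode;
	kuid_t			uid;
	kgid_t			gid;
	dev_t			rdev;
	u32			osid;
	struct audit_cap_data	fcap;
	unsigned int		fcap_ver;
	unsigned char		type;		/* record type */
	/*
	 * This was an allocated audit_names and not from the array of
	 * names allocated in the task audit context.  Thus this name
	 * should be freed on syscall exit.
	 */
	bool			should_free;
};

/* Saved process title: a length plus a pointer to the cmdline bytes. */
struct audit_proctitle {
	int	len;	/* length of the cmdline field. */
	char	*value;	/* the cmdline field */
};

/* The per-task audit context. */
struct audit_context {
	int		    dummy;	/* must be the first element */
	int		    in_syscall;	/* 1 if task is in a syscall */
	enum audit_state    state, current_state;
	unsigned int	    serial;     /* serial number for record */
	int		    major;      /* syscall number */
	struct timespec64   ctime;      /* time of syscall entry */
	unsigned long	    argv[4];    /* syscall arguments */
	long		    return_code;/* syscall return code */
	u64		    prio;
	int		    return_valid; /* return code is valid */
	/*
	 * The names_list is the list of all audit_names collected during this
	 * syscall.  The first AUDIT_NAMES entries in the names_list will
	 * actually be from the preallocated_names array for performance
	 * reasons.  Except during allocation they should never be referenced
	 * through the preallocated_names array and should only be found/used
	 * by running the names_list.
	 */
	struct audit_names  preallocated_names[AUDIT_NAMES];
	int		    name_count; /* total records in names_list */
	struct list_head    names_list;	/* struct audit_names->list anchor */
	char		    *filterkey;	/* key for rule that triggered record */
	struct path	    pwd;
	struct audit_aux_data *aux;
	struct audit_aux_data *aux_pids;
	struct sockaddr_storage *sockaddr;
	size_t sockaddr_len;
				/* Save things to print about task_struct */
	pid_t		    pid, ppid;
	kuid_t		    uid, euid, suid, fsuid;
	kgid_t		    gid, egid, sgid, fsgid;
	unsigned long	    personality;
	int		    arch;

	/* Identity of a target task; fixed-size comm buffer. */
	pid_t		    target_pid;
	kuid_t		    target_auid;
	kuid_t		    target_uid;
	unsigned int	    target_sessionid;
	u32		    target_sid;
	char		    target_comm[TASK_COMM_LEN];

	struct audit_tree_refs *trees, *first_trees;
	struct list_head killed_trees;
	int tree_count;

	/* NOTE(review): type presumably selects which member of the
	 * anonymous union below is valid -- confirm against the users. */
	int type;
	union {
		struct {
			int nargs;
			long args[6];
		} socketcall;
		struct {
			kuid_t			uid;
			kgid_t			gid;
			umode_t			mode;
			u32			osid;
			int			has_perm;
			uid_t			perm_uid;
			gid_t			perm_gid;
			umode_t			perm_mode;
			unsigned long		qbytes;
		} ipc;
		struct {
			mqd_t			mqdes;
			struct mq_attr		mqstat;
		} mq_getsetattr;
		struct {
			mqd_t			mqdes;
			int			sigev_signo;
		} mq_notify;
		struct {
			mqd_t			mqdes;
			size_t			msg_len;
			unsigned int		msg_prio;
			struct timespec64	abs_timeout;
		} mq_sendrecv;
		struct {
			int			oflag;
			umode_t			mode;
			struct mq_attr		attr;
		} mq_open;
		struct {
			pid_t			pid;
			struct audit_cap_data	cap;
		} capset;
		struct {
			int			fd;
			int			flags;
		} mmap;
		struct {
			int			argc;
		} execve;
		struct {
			char			*name;
		} module;
	};
	int fds[2];
	struct audit_proctitle proctitle;
};

extern bool audit_ever_enabled;

extern void audit_log_session_info(struct audit_buffer *ab);

extern int auditd_test_task(struct task_struct *task);

#define AUDIT_INODE_BUCKETS	32
extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];

/*
 * Map an inode number to an index into audit_inode_hash[].
 *
 * The mask is a valid bucket index only while AUDIT_INODE_BUCKETS is a
 * power of two; keep it that way if the bucket count is ever changed,
 * otherwise some buckets become unreachable.  The parameter is u32, so a
 * wider inode number (struct audit_names stores ino as unsigned long) is
 * truncated by the argument conversion before the mask is applied.
 */
static inline int audit_hash_ino(u32 ino)
{
	return (ino & (AUDIT_INODE_BUCKETS-1));
}

/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1

extern int audit_match_class(int class, unsigned syscall);
extern int audit_comparator(const u32 left, const u32 op, const u32 right);
extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
extern int parent_len(const char *path);
extern int audit_compare_dname_path(const struct qstr *dname, const char *path, int plen);
extern struct sk_buff *audit_make_reply(int seq, int type, int done, int multi,
					const void *payload, int size);
extern void		    audit_panic(const char *message);

struct audit_netlink_list {
	__u32 portid;
	struct net *net;
	struct sk_buff_head q;
};

int audit_send_list_thread(void *_dest);

extern int selinux_audit_rule_update(void);

extern struct mutex audit_filter_mutex;
extern int audit_del_rule(struct audit_entry *entry);
extern void audit_free_rule_rcu(struct rcu_head *head);
extern struct list_head audit_filter_list[];

extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);

extern void audit_log_d_path_exe(struct audit_buffer *ab,
				 struct mm_struct *mm);

extern struct tty_struct *audit_get_tty(void);
extern void audit_put_tty(struct tty_struct *tty);

/* audit watch/mark/tree functions */
#ifdef CONFIG_AUDITSYSCALL
extern unsigned int audit_serial(void);
extern int auditsc_get_stamp(struct audit_context *ctx,
			      struct timespec64 *t, unsigned int *serial);

extern void audit_put_watch(struct audit_watch *watch);
extern void audit_get_watch(struct audit_watch *watch);
extern int audit_to_watch(struct audit_krule *krule, char *path, int len,
			  u32 op);
extern int audit_add_watch(struct audit_krule *krule, struct list_head **list);
extern void audit_remove_watch_rule(struct audit_krule *krule);
extern char *audit_watch_path(struct audit_watch *watch);
extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino,
			       dev_t dev);

extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule,
						    char *pathname, int len);
extern char *audit_mark_path(struct audit_fsnotify_mark *mark);
extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);
extern void audit_remove_mark_rule(struct audit_krule *krule);
extern int audit_mark_compare(struct audit_fsnotify_mark *mark,
			      unsigned long ino, dev_t dev);
extern int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old);
extern int audit_exe_compare(struct task_struct *tsk,
			     struct audit_fsnotify_mark *mark);

extern struct audit_chunk *audit_tree_lookup(const struct inode *inode);
extern void audit_put_chunk(struct audit_chunk *chunk);
extern bool audit_tree_match(struct audit_chunk *chunk,
			     struct audit_tree *tree);
extern int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op);
extern int audit_add_tree_rule(struct audit_krule *rule);
extern int audit_remove_tree_rule(struct audit_krule *rule);
extern void audit_trim_trees(void);
extern int audit_tag_tree(char *old, char *new);
extern const char *audit_tree_path(struct audit_tree *tree);
extern void audit_put_tree(struct audit_tree *tree);
extern void audit_kill_trees(struct audit_context *context);

extern int audit_signal_info_syscall(struct task_struct *t);
extern void audit_filter_inodes(struct task_struct *tsk,
				struct audit_context *ctx);
extern struct list_head *audit_killed_trees(void);

/* Clear the dummy flag of a context; a NULL context is ignored. */
static inline void audit_clear_dummy(struct audit_context *ctx)
{
	if (ctx)
		ctx->dummy = 0;
}

#else /* CONFIG_AUDITSYSCALL */
/*
 * Stubs used when syscall auditing is compiled out.  The macro arguments
 * are never evaluated.
 *
 * Statement-like stubs expand to "do { } while (0)" so that each one is
 * exactly one statement and stays correct as the body of an un-braced
 * if/else.  Value-like stubs that yield a negative errno are parenthesized
 * so the unary minus cannot bind to a neighbouring operator at the call
 * site.  Stubs that expand to BUG() mark paths that must not be reached
 * in this configuration.
 */
#define auditsc_get_stamp(c, t, s) 0
#define audit_put_watch(w) do { } while (0)
#define audit_get_watch(w) do { } while (0)
#define audit_to_watch(k, p, l, o) (-EINVAL)
#define audit_add_watch(k, l) (-EINVAL)
#define audit_remove_watch_rule(k) BUG()
#define audit_watch_path(w) ""
#define audit_watch_compare(w, i, d) 0

#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
#define audit_mark_path(m) ""
#define audit_remove_mark(m) do { } while (0)
#define audit_remove_mark_rule(k) do { } while (0)
#define audit_mark_compare(m, i, d) 0
#define audit_exe_compare(t, m) (-EINVAL)
#define audit_dupe_exe(n, o) (-EINVAL)

#define audit_remove_tree_rule(rule) BUG()
#define audit_add_tree_rule(rule) (-EINVAL)
#define audit_make_tree(rule, str, op) (-EINVAL)
#define audit_trim_trees() (void)0
#define audit_put_tree(tree) (void)0
#define audit_tag_tree(old, new) (-EINVAL)
#define audit_tree_path(rule) ""	/* never called */
#define audit_kill_trees(context) BUG()

/* Stub: always returns 0 in this configuration. */
static inline int audit_signal_info_syscall(struct task_struct *t)
{
	return 0;
}

#define audit_filter_inodes(t, c) AUDIT_DISABLED
#define audit_clear_dummy(c) do { } while (0)
#endif /* CONFIG_AUDITSYSCALL */

/* NOTE(review): judging by the signature, this consumes len bytes from
 * *bufp against the budget in *remain -- confirm the bounds check and the
 * ownership of the returned string in the definition. */
extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);

extern pid_t audit_sig_pid;
extern kuid_t audit_sig_uid;
extern u32 audit_sig_sid;

extern int audit_filter(int msgtype, unsigned int listtype);

extern void audit_ctl_lock(void);
extern void audit_ctl_unlock(void);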