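/* audit -- definition of audit_context structure and supporting types
 *
 * Copyright 2003-2004 Red Hat, Inc.
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
 * Copyright 2005 IBM Corporation
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include <linux/fs.h>
#include <linux/audit.h>
#include <linux/skbuff.h>
#include <uapi/linux/mqueue.h>

/* 0 = no checking
   1 = put_count checking
   2 = verbose put_count checking
*/
#define AUDIT_DEBUG 0

/* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname().  If we get more names we will allocate
 * a name dynamically and also add those to the list anchored by names_list. */
#define AUDIT_NAMES 5

/* At task start time, the audit_state is set in the audit_context using
   a per-task filter.  At syscall entry, the audit_state is augmented by
   the syscall filter.
   AUDIT_DISABLED is the first enumerator and therefore has the value 0;
   the !CONFIG_AUDITSYSCALL stubs at the bottom of this file rely on that
   when they expand to AUDIT_DISABLED in place of an int return. */
enum audit_state {
	AUDIT_DISABLED,		/* Do not create per-task audit_context.
				 * No syscall-specific audit records can
				 * be generated. */
	AUDIT_BUILD_CONTEXT,	/* Create the per-task audit_context,
				 * and fill it in at syscall
				 * entry time.  This makes a full
				 * syscall record available if some
				 * other part of the kernel decides it
				 * should be recorded. */
	AUDIT_RECORD_CONTEXT	/* Create the per-task audit_context,
				 * always fill it in at syscall entry
				 * time, and always write out the audit
				 * record at syscall exit time.  */
};

/* Rule lists */
struct audit_watch;
struct audit_tree;
struct audit_chunk;

/* One entry on an audit filter list: the rule plus the list/RCU plumbing
 * needed to publish and retire it (see audit_free_rule_rcu below). */
struct audit_entry {
	struct list_head	list;
	struct rcu_head		rcu;
	struct audit_krule	rule;
};

/* Capability sets logged for a task or a file; the union holds either the
 * file capability "effective" bit or a task's full effective set,
 * depending on which record the data describes. */
struct audit_cap_data {
	kernel_cap_t		permitted;
	kernel_cap_t		inheritable;
	union {
		unsigned int	fE;		/* effective bit of file cap */
		kernel_cap_t	effective;	/* effective set of process */
	};
};

/* When fs/namei.c:getname() is called, we store the pointer in name and
 * we don't let putname() free it (instead we free all of the saved
 * pointers at syscall exit time).
 *
 * Further, in fs/namei.c:path_lookup() we store the inode and device.
 */
struct audit_names {
	struct list_head	list;		/* audit_context->names_list */

	struct filename		*name;
	int			name_len;	/* number of chars to log;
						 * presumably AUDIT_NAME_FULL
						 * (below) means "whole path"
						 * -- confirm in auditsc.c */
	bool			hidden;		/* don't log this record */
	bool			name_put;	/* call __putname()? */

	unsigned long		ino;
	dev_t			dev;
	umode_t			mode;
	kuid_t			uid;
	kgid_t			gid;
	dev_t			rdev;
	u32			osid;
	struct audit_cap_data	fcap;
	unsigned int		fcap_ver;
	unsigned char		type;		/* record type */
	/*
	 * This was an allocated audit_names and not from the array of
	 * names allocated in the task audit context.  Thus this name
	 * should be freed on syscall exit.
	 */
	bool			should_free;
};

/* Snapshot of the task's command line for the PROCTITLE record.
 * NOTE(review): len is a signed int; callers that fill this should keep
 * it non-negative and consistent with the allocation behind value. */
struct audit_proctitle {
	int	len;	/* length of the cmdline field. */
	char	*value;	/* the cmdline field */
};

/* The per-task audit context.  It accumulates everything that may end
 * up in the SYSCALL record and its auxiliary records for the syscall
 * currently executing. */
struct audit_context {
	int		    dummy;	/* must be the first element;
					 * presumably what audit_dummy_context()
					 * tests -- confirm in linux/audit.h */
	int		    in_syscall;	/* 1 if task is in a syscall */
	enum audit_state    state, current_state;
	unsigned int	    serial;     /* serial number for record */
	int		    major;      /* syscall number */
	struct timespec	    ctime;      /* time of syscall entry */
	unsigned long	    argv[4];    /* syscall arguments; only the first
					 * four are captured here */
	long		    return_code;/* syscall return code */
	u64		    prio;
	int		    return_valid; /* return code is valid */
	/*
	 * The names_list is the list of all audit_names collected during this
	 * syscall.  The first AUDIT_NAMES entries in the names_list will
	 * actually be from the preallocated_names array for performance
	 * reasons.  Except during allocation they should never be referenced
	 * through the preallocated_names array and should only be found/used
	 * by running the names_list.
	 */
	struct audit_names  preallocated_names[AUDIT_NAMES];
	int		    name_count; /* total records in names_list */
	struct list_head    names_list;	/* struct audit_names->list anchor */
	char		    *filterkey;	/* key for rule that triggered record */
	struct path	    pwd;
	struct audit_aux_data *aux;
	struct audit_aux_data *aux_pids;
	struct sockaddr_storage *sockaddr;
	size_t sockaddr_len;		/* valid bytes behind sockaddr */
				/* Save things to print about task_struct */
	pid_t		    pid, ppid;
	kuid_t		    uid, euid, suid, fsuid;
	kgid_t		    gid, egid, sgid, fsgid;
	unsigned long	    personality;
	int		    arch;

	/* Identity of the task targeted by a signal/ptrace-style syscall. */
	pid_t		    target_pid;
	kuid_t		    target_auid;
	kuid_t		    target_uid;
	unsigned int	    target_sessionid;
	u32		    target_sid;
	char		    target_comm[TASK_COMM_LEN];	/* fixed size: fill
							 * with a bounded copy */

	struct audit_tree_refs *trees, *first_trees;
	struct list_head killed_trees;
	int tree_count;

	/* Syscall-specific auxiliary data; type selects the union member. */
	int type;
	union {
		struct {
			int nargs;
			long args[6];
		} socketcall;
		struct {
			kuid_t			uid;
			kgid_t			gid;
			umode_t			mode;
			u32			osid;
			int			has_perm;
			uid_t			perm_uid;
			gid_t			perm_gid;
			umode_t			perm_mode;
			unsigned long		qbytes;
		} ipc;
		struct {
			mqd_t			mqdes;
			struct mq_attr		mqstat;
		} mq_getsetattr;
		struct {
			mqd_t			mqdes;
			int			sigev_signo;
		} mq_notify;
		struct {
			mqd_t			mqdes;
			size_t			msg_len;
			unsigned int		msg_prio;
			struct timespec		abs_timeout;
		} mq_sendrecv;
		struct {
			int			oflag;
			umode_t			mode;
			struct mq_attr		attr;
		} mq_open;
		struct {
			pid_t			pid;
			struct audit_cap_data	cap;
		} capset;
		struct {
			int			fd;
			int			flags;
		} mmap;
		struct {
			int			argc;
		} execve;
	};
	int fds[2];
	struct audit_proctitle proctitle;

#if AUDIT_DEBUG
	int		    put_count;
	int		    ino_count;
#endif
};

extern u32 audit_ever_enabled;

extern void audit_copy_inode(struct audit_names *name,
			     const struct dentry *dentry,
			     const struct inode *inode);
extern void audit_log_cap(struct audit_buffer *ab, char *prefix,
			  kernel_cap_t *cap);
extern void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name);
extern void audit_log_name(struct audit_context *context,
			   struct audit_names *n, struct path *path,
			   int record_num, int *call_panic);

/* PID of the userspace audit daemon, or 0 when none is registered. */
extern int audit_pid;

#define AUDIT_INODE_BUCKETS 32
extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];

/*
 * audit_hash_ino - pick the audit_inode_hash bucket for an inode number.
 * @ino: inode number to hash
 *
 * Returns a bucket index in [0, AUDIT_INODE_BUCKETS).  Written as a modulo
 * rather than a mask so the result stays correct if AUDIT_INODE_BUCKETS is
 * ever changed to a non-power-of-two; for 32 the compiler emits the same
 * AND as before.
 */
static inline int audit_hash_ino(u32 ino)
{
	return (int)(ino % AUDIT_INODE_BUCKETS);
}

/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1

extern int audit_match_class(int class, unsigned syscall);
extern int audit_comparator(const u32 left, const u32 op, const u32 right);
extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
extern int parent_len(const char *path);
extern int audit_compare_dname_path(const char *dname, const char *path, int plen);
extern struct sk_buff *audit_make_reply(__u32 portid, int seq, int type,
					int done, int multi,
					const void *payload, int size);
extern void		    audit_panic(const char *message);

/* Queue of netlink replies destined for one portid within one net ns. */
struct audit_netlink_list {
	__u32 portid;
	struct net *net;
	struct sk_buff_head q;
};

int audit_send_list(void *);

/* Per-network-namespace audit state: the netlink socket. */
struct audit_net {
	struct sock *nlsk;
};

extern int selinux_audit_rule_update(void);

extern struct mutex audit_filter_mutex;
extern void audit_free_rule_rcu(struct rcu_head *);
extern struct list_head audit_filter_list[];

extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);

/* audit watch functions */
#ifdef CONFIG_AUDIT_WATCH
extern void audit_put_watch(struct audit_watch *watch);
extern void audit_get_watch(struct audit_watch *watch);
extern int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op);
extern int audit_add_watch(struct audit_krule *krule, struct list_head **list);
extern void audit_remove_watch_rule(struct audit_krule *krule);
extern char *audit_watch_path(struct audit_watch *watch);
extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev);
#else
/* Statement-shaped stubs use do { } while (0) so that a call followed by
 * ';' is a single statement and is safe as an unbraced if/else body. */
#define audit_put_watch(w) do { } while (0)
#define audit_get_watch(w) do { } while (0)
#define audit_to_watch(k, p, l, o) (-EINVAL)
#define audit_add_watch(k, l) (-EINVAL)
#define audit_remove_watch_rule(k) BUG()
#define audit_watch_path(w) ""
#define audit_watch_compare(w, i, d) 0

#endif /* CONFIG_AUDIT_WATCH */

#ifdef CONFIG_AUDIT_TREE
extern struct audit_chunk *audit_tree_lookup(const struct inode *);
extern void audit_put_chunk(struct audit_chunk *);
extern int audit_tree_match(struct audit_chunk *, struct audit_tree *);
extern int audit_make_tree(struct audit_krule *, char *, u32);
extern int audit_add_tree_rule(struct audit_krule *);
extern int audit_remove_tree_rule(struct audit_krule *);
extern void audit_trim_trees(void);
extern int audit_tag_tree(char *old, char *new);
extern const char *audit_tree_path(struct audit_tree *);
extern void audit_put_tree(struct audit_tree *);
extern void audit_kill_trees(struct list_head *);
#else
/* Error-returning stubs are parenthesized, matching the watch stubs above,
 * so they behave as a single operand wherever they are expanded. */
#define audit_remove_tree_rule(rule) BUG()
#define audit_add_tree_rule(rule) (-EINVAL)
#define audit_make_tree(rule, str, op) (-EINVAL)
#define audit_trim_trees() (void)0
#define audit_put_tree(tree) (void)0
#define audit_tag_tree(old, new) (-EINVAL)
#define audit_tree_path(rule) ""	/* never called */
#define audit_kill_trees(list) BUG()
#endif

/* Pulls a string out of a userspace-supplied rule payload.
 * NOTE(review): arguments look like (cursor, remaining-length, wanted-length);
 * the implementation is expected to bound the read by the remaining length
 * before copying -- confirm in auditfilter.c. */
extern char *audit_unpack_string(void **, size_t *, size_t);

/* Identity of the last task that signalled the audit daemon. */
extern pid_t audit_sig_pid;
extern kuid_t audit_sig_uid;
extern u32 audit_sig_sid;

#ifdef CONFIG_AUDITSYSCALL
extern int __audit_signal_info(int sig, struct task_struct *t);
/*
 * audit_signal_info - fast-path check before recording a signal for audit.
 * @sig: signal number being delivered
 * @t:   task the signal is aimed at
 *
 * Defers to __audit_signal_info() only when the target is the registered
 * audit daemon (audit_pid set and equal to t->tgid) or when signal auditing
 * is enabled and the current task has a real (non-dummy) audit context.
 * Returns the result of __audit_signal_info() in those cases, otherwise 0.
 */
static inline int audit_signal_info(int sig, struct task_struct *t)
{
	if (unlikely((audit_pid && t->tgid == audit_pid) ||
		     (audit_signals && !audit_dummy_context())))
		return __audit_signal_info(sig, t);
	return 0;
}
extern void audit_filter_inodes(struct task_struct *, struct audit_context *);
extern struct list_head *audit_killed_trees(void);
#else
/* AUDIT_DISABLED is 0, so these read as "nothing to do" to int callers. */
#define audit_signal_info(s,t) AUDIT_DISABLED
#define audit_filter_inodes(t,c) AUDIT_DISABLED
#endif

extern struct mutex audit_cmd_mutex;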