xref: /openbmc/linux/kernel/audit.h (revision 7a010c3c) 
1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /* audit -- definition of audit_context structure and supporting types
3  *
4  * Copyright 2003-2004 Red Hat, Inc.
5  * Copyright 2005 Hewlett-Packard Development Company, L.P.
6  * Copyright 2005 IBM Corporation
7  */
8 
9 #ifndef _KERNEL_AUDIT_H_
10 #define _KERNEL_AUDIT_H_
11 
12 #include <linux/fs.h>
13 #include <linux/audit.h>
14 #include <linux/skbuff.h>
15 #include <uapi/linux/mqueue.h>
16 #include <linux/tty.h>
17 
18 /* AUDIT_NAMES is the number of slots we reserve in the audit_context
19  * for saving names from getname().  If we get more names we will allocate
20  * a name dynamically and also add those to the list anchored by names_list. */
21 #define AUDIT_NAMES	5
22 
23 /* At task start time, the audit_state is set in the audit_context using
24    a per-task filter.  At syscall entry, the audit_state is augmented by
25    the syscall filter. */
26 enum audit_state {
27 	AUDIT_STATE_DISABLED,	/* Do not create per-task audit_context.
28 				 * No syscall-specific audit records can
29 				 * be generated. */
30 	AUDIT_STATE_BUILD,	/* Create the per-task audit_context,
31 				 * and fill it in at syscall
32 				 * entry time.  This makes a full
33 				 * syscall record available if some
34 				 * other part of the kernel decides it
35 				 * should be recorded. */
36 	AUDIT_STATE_RECORD	/* Create the per-task audit_context,
37 				 * always fill it in at syscall entry
38 				 * time, and always write out the audit
39 				 * record at syscall exit time.  */
40 };
41 
42 /* Rule lists */
43 struct audit_watch;
44 struct audit_fsnotify_mark;
45 struct audit_tree;
46 struct audit_chunk;
47 
48 struct audit_entry {
49 	struct list_head	list;
50 	struct rcu_head		rcu;
51 	struct audit_krule	rule;
52 };
53 
54 struct audit_cap_data {
55 	kernel_cap_t		permitted;
56 	kernel_cap_t		inheritable;
57 	union {
58 		unsigned int	fE;		/* effective bit of file cap */
59 		kernel_cap_t	effective;	/* effective set of process */
60 	};
61 	kernel_cap_t		ambient;
62 	kuid_t			rootid;
63 };
64 
65 /* When fs/namei.c:getname() is called, we store the pointer in name and bump
66  * the refcnt in the associated filename struct.
67  *
68  * Further, in fs/namei.c:path_lookup() we store the inode and device.
69  */
70 struct audit_names {
71 	struct list_head	list;		/* audit_context->names_list */
72 
73 	struct filename		*name;
74 	int			name_len;	/* number of chars to log */
75 	bool			hidden;		/* don't log this record */
76 
77 	unsigned long		ino;
78 	dev_t			dev;
79 	umode_t			mode;
80 	kuid_t			uid;
81 	kgid_t			gid;
82 	dev_t			rdev;
83 	u32			osid;
84 	struct audit_cap_data	fcap;
85 	unsigned int		fcap_ver;
86 	unsigned char		type;		/* record type */
87 	/*
88 	 * This was an allocated audit_names and not from the array of
89 	 * names allocated in the task audit context.  Thus this name
90 	 * should be freed on syscall exit.
91 	 */
92 	bool			should_free;
93 };
94 
95 struct audit_proctitle {
96 	int	len;	/* length of the cmdline field. */
97 	char	*value;	/* the cmdline field */
98 };
99 
100 /* The per-task audit context. */
101 struct audit_context {
102 	int		    dummy;	/* must be the first element */
103 	int		    in_syscall;	/* 1 if task is in a syscall */
104 	enum audit_state    state, current_state;
105 	unsigned int	    serial;     /* serial number for record */
106 	int		    major;      /* syscall number */
107 	struct timespec64   ctime;      /* time of syscall entry */
108 	unsigned long	    argv[4];    /* syscall arguments */
109 	long		    return_code;/* syscall return code */
110 	u64		    prio;
111 	int		    return_valid; /* return code is valid */
112 	/*
113 	 * The names_list is the list of all audit_names collected during this
114 	 * syscall.  The first AUDIT_NAMES entries in the names_list will
115 	 * actually be from the preallocated_names array for performance
116 	 * reasons.  Except during allocation they should never be referenced
117 	 * through the preallocated_names array and should only be found/used
118 	 * by running the names_list.
119 	 */
120 	struct audit_names  preallocated_names[AUDIT_NAMES];
121 	int		    name_count; /* total records in names_list */
122 	struct list_head    names_list;	/* struct audit_names->list anchor */
123 	char		    *filterkey;	/* key for rule that triggered record */
124 	struct path	    pwd;
125 	struct audit_aux_data *aux;
126 	struct audit_aux_data *aux_pids;
127 	struct sockaddr_storage *sockaddr;
128 	size_t sockaddr_len;
129 				/* Save things to print about task_struct */
130 	pid_t		    pid, ppid;
131 	kuid_t		    uid, euid, suid, fsuid;
132 	kgid_t		    gid, egid, sgid, fsgid;
133 	unsigned long	    personality;
134 	int		    arch;
135 
136 	pid_t		    target_pid;
137 	kuid_t		    target_auid;
138 	kuid_t		    target_uid;
139 	unsigned int	    target_sessionid;
140 	u32		    target_sid;
141 	char		    target_comm[TASK_COMM_LEN];
142 
143 	struct audit_tree_refs *trees, *first_trees;
144 	struct list_head killed_trees;
145 	int tree_count;
146 
147 	int type;
148 	union {
149 		struct {
150 			int nargs;
151 			long args[6];
152 		} socketcall;
153 		struct {
154 			kuid_t			uid;
155 			kgid_t			gid;
156 			umode_t			mode;
157 			u32			osid;
158 			int			has_perm;
159 			uid_t			perm_uid;
160 			gid_t			perm_gid;
161 			umode_t			perm_mode;
162 			unsigned long		qbytes;
163 		} ipc;
164 		struct {
165 			mqd_t			mqdes;
166 			struct mq_attr		mqstat;
167 		} mq_getsetattr;
168 		struct {
169 			mqd_t			mqdes;
170 			int			sigev_signo;
171 		} mq_notify;
172 		struct {
173 			mqd_t			mqdes;
174 			size_t			msg_len;
175 			unsigned int		msg_prio;
176 			struct timespec64	abs_timeout;
177 		} mq_sendrecv;
178 		struct {
179 			int			oflag;
180 			umode_t			mode;
181 			struct mq_attr		attr;
182 		} mq_open;
183 		struct {
184 			pid_t			pid;
185 			struct audit_cap_data	cap;
186 		} capset;
187 		struct {
188 			int			fd;
189 			int			flags;
190 		} mmap;
191 		struct {
192 			int			argc;
193 		} execve;
194 		struct {
195 			char			*name;
196 		} module;
197 	};
198 	int fds[2];
199 	struct audit_proctitle proctitle;
200 };
201 
202 extern bool audit_ever_enabled;
203 
204 extern void audit_log_session_info(struct audit_buffer *ab);
205 
206 extern int auditd_test_task(struct task_struct *task);
207 
208 #define AUDIT_INODE_BUCKETS	32
209 extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
210 
211 static inline int audit_hash_ino(u32 ino)
212 {
213 	return (ino & (AUDIT_INODE_BUCKETS-1));
214 }
215 
216 /* Indicates that audit should log the full pathname. */
217 #define AUDIT_NAME_FULL -1
218 
219 extern int audit_match_class(int class, unsigned syscall);
220 extern int audit_comparator(const u32 left, const u32 op, const u32 right);
221 extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
222 extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
223 extern int parent_len(const char *path);
224 extern int audit_compare_dname_path(const struct qstr *dname, const char *path, int plen);
225 extern struct sk_buff *audit_make_reply(int seq, int type, int done, int multi,
226 					const void *payload, int size);
227 extern void		    audit_panic(const char *message);
228 
229 struct audit_netlink_list {
230 	__u32 portid;
231 	struct net *net;
232 	struct sk_buff_head q;
233 };
234 
235 int audit_send_list_thread(void *_dest);
236 
237 extern int selinux_audit_rule_update(void);
238 
239 extern struct mutex audit_filter_mutex;
240 extern int audit_del_rule(struct audit_entry *entry);
241 extern void audit_free_rule_rcu(struct rcu_head *head);
242 extern struct list_head audit_filter_list[];
243 
244 extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);
245 
246 extern void audit_log_d_path_exe(struct audit_buffer *ab,
247 				 struct mm_struct *mm);
248 
249 extern struct tty_struct *audit_get_tty(void);
250 extern void audit_put_tty(struct tty_struct *tty);
251 
252 /* audit watch/mark/tree functions */
253 #ifdef CONFIG_AUDITSYSCALL
254 extern unsigned int audit_serial(void);
255 extern int auditsc_get_stamp(struct audit_context *ctx,
256 			      struct timespec64 *t, unsigned int *serial);
257 
258 extern void audit_put_watch(struct audit_watch *watch);
259 extern void audit_get_watch(struct audit_watch *watch);
260 extern int audit_to_watch(struct audit_krule *krule, char *path, int len,
261 			  u32 op);
262 extern int audit_add_watch(struct audit_krule *krule, struct list_head **list);
263 extern void audit_remove_watch_rule(struct audit_krule *krule);
264 extern char *audit_watch_path(struct audit_watch *watch);
265 extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino,
266 			       dev_t dev);
267 
268 extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule,
269 						    char *pathname, int len);
270 extern char *audit_mark_path(struct audit_fsnotify_mark *mark);
271 extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);
272 extern void audit_remove_mark_rule(struct audit_krule *krule);
273 extern int audit_mark_compare(struct audit_fsnotify_mark *mark,
274 			      unsigned long ino, dev_t dev);
275 extern int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old);
276 extern int audit_exe_compare(struct task_struct *tsk,
277 			     struct audit_fsnotify_mark *mark);
278 
279 extern struct audit_chunk *audit_tree_lookup(const struct inode *inode);
280 extern void audit_put_chunk(struct audit_chunk *chunk);
281 extern bool audit_tree_match(struct audit_chunk *chunk,
282 			     struct audit_tree *tree);
283 extern int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op);
284 extern int audit_add_tree_rule(struct audit_krule *rule);
285 extern int audit_remove_tree_rule(struct audit_krule *rule);
286 extern void audit_trim_trees(void);
287 extern int audit_tag_tree(char *old, char *new);
288 extern const char *audit_tree_path(struct audit_tree *tree);
289 extern void audit_put_tree(struct audit_tree *tree);
290 extern void audit_kill_trees(struct audit_context *context);
291 
292 extern int audit_signal_info_syscall(struct task_struct *t);
293 extern void audit_filter_inodes(struct task_struct *tsk,
294 				struct audit_context *ctx);
295 extern struct list_head *audit_killed_trees(void);
296 #else /* CONFIG_AUDITSYSCALL */
297 #define auditsc_get_stamp(c, t, s) 0
298 #define audit_put_watch(w) do { } while (0)
299 #define audit_get_watch(w) do { } while (0)
300 #define audit_to_watch(k, p, l, o) (-EINVAL)
301 #define audit_add_watch(k, l) (-EINVAL)
302 #define audit_remove_watch_rule(k) BUG()
303 #define audit_watch_path(w) ""
304 #define audit_watch_compare(w, i, d) 0
305 
306 #define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
307 #define audit_mark_path(m) ""
308 #define audit_remove_mark(m) do { } while (0)
309 #define audit_remove_mark_rule(k) do { } while (0)
310 #define audit_mark_compare(m, i, d) 0
311 #define audit_exe_compare(t, m) (-EINVAL)
312 #define audit_dupe_exe(n, o) (-EINVAL)
313 
314 #define audit_remove_tree_rule(rule) BUG()
315 #define audit_add_tree_rule(rule) -EINVAL
316 #define audit_make_tree(rule, str, op) -EINVAL
317 #define audit_trim_trees() do { } while (0)
318 #define audit_put_tree(tree) do { } while (0)
319 #define audit_tag_tree(old, new) -EINVAL
320 #define audit_tree_path(rule) ""	/* never called */
321 #define audit_kill_trees(context) BUG()
322 
323 static inline int audit_signal_info_syscall(struct task_struct *t)
324 {
325 	return 0;
326 }
327 
328 #define audit_filter_inodes(t, c) AUDIT_STATE_DISABLED
329 #endif /* CONFIG_AUDITSYSCALL */
330 
331 extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);
332 
333 extern int audit_filter(int msgtype, unsigned int listtype);
334 
335 extern void audit_ctl_lock(void);
336 extern void audit_ctl_unlock(void);
337 
338 #endif
339