audit.h 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502
  1. /* audit.h -- Auditing support
  2. *
  3. * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
  4. * All Rights Reserved.
  5. *
  6. * This program is free software; you can redistribute it and/or modify
  7. * it under the terms of the GNU General Public License as published by
  8. * the Free Software Foundation; either version 2 of the License, or
  9. * (at your option) any later version.
  10. *
  11. * This program is distributed in the hope that it will be useful,
  12. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. * GNU General Public License for more details.
  15. *
  16. * You should have received a copy of the GNU General Public License
  17. * along with this program; if not, write to the Free Software
  18. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  19. *
  20. * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  21. *
  22. */
  23. #ifndef _LINUX_AUDIT_H_
  24. #define _LINUX_AUDIT_H_
  25. #include <linux/sched.h>
  26. #include <linux/ptrace.h>
  27. #include <uapi/linux/audit.h>
  28. struct audit_sig_info {
  29. uid_t uid;
  30. pid_t pid;
  31. char ctx[0];
  32. };
  33. struct audit_buffer;
  34. struct audit_context;
  35. struct inode;
  36. struct netlink_skb_parms;
  37. struct path;
  38. struct linux_binprm;
  39. struct mq_attr;
  40. struct mqstat;
  41. struct audit_watch;
  42. struct audit_tree;
  43. struct audit_krule {
  44. int vers_ops;
  45. u32 flags;
  46. u32 listnr;
  47. u32 action;
  48. u32 mask[AUDIT_BITMASK_SIZE];
  49. u32 buflen; /* for data alloc on list rules */
  50. u32 field_count;
  51. char *filterkey; /* ties events to rules */
  52. struct audit_field *fields;
  53. struct audit_field *arch_f; /* quick access to arch field */
  54. struct audit_field *inode_f; /* quick access to an inode field */
  55. struct audit_watch *watch; /* associated watch */
  56. struct audit_tree *tree; /* associated watched tree */
  57. struct list_head rlist; /* entry in audit_{watch,tree}.rules list */
  58. struct list_head list; /* for AUDIT_LIST* purposes only */
  59. u64 prio;
  60. };
  61. struct audit_field {
  62. u32 type;
  63. u32 val;
  64. kuid_t uid;
  65. kgid_t gid;
  66. u32 op;
  67. char *lsm_str;
  68. void *lsm_rule;
  69. };
  70. extern int __init audit_register_class(int class, unsigned *list);
  71. extern int audit_classify_syscall(int abi, unsigned syscall);
  72. extern int audit_classify_arch(int arch);
  73. /* audit_names->type values */
  74. #define AUDIT_TYPE_UNKNOWN 0 /* we don't know yet */
  75. #define AUDIT_TYPE_NORMAL 1 /* a "normal" audit record */
  76. #define AUDIT_TYPE_PARENT 2 /* a parent audit record */
  77. #define AUDIT_TYPE_CHILD_DELETE 3 /* a child being deleted */
  78. #define AUDIT_TYPE_CHILD_CREATE 4 /* a child being created */
  79. /* maximized args number that audit_socketcall can process */
  80. #define AUDITSC_ARGS 6
  81. struct filename;
  82. extern void audit_log_session_info(struct audit_buffer *ab);
  83. #ifdef CONFIG_AUDITSYSCALL
  84. /* These are defined in auditsc.c */
  85. /* Public API */
  86. extern int audit_alloc(struct task_struct *task);
  87. extern void __audit_free(struct task_struct *task);
  88. extern void __audit_syscall_entry(int arch,
  89. int major, unsigned long a0, unsigned long a1,
  90. unsigned long a2, unsigned long a3);
  91. extern void __audit_syscall_exit(int ret_success, long ret_value);
  92. extern struct filename *__audit_reusename(const __user char *uptr);
  93. extern void __audit_getname(struct filename *name);
  94. extern void audit_putname(struct filename *name);
  95. extern void __audit_inode(struct filename *name, const struct dentry *dentry,
  96. unsigned int parent);
  97. extern void __audit_inode_child(const struct inode *parent,
  98. const struct dentry *dentry,
  99. const unsigned char type);
  100. extern void __audit_seccomp(unsigned long syscall, long signr, int code);
  101. extern void __audit_ptrace(struct task_struct *t);
  102. static inline int audit_dummy_context(void)
  103. {
  104. void *p = current->audit_context;
  105. return !p || *(int *)p;
  106. }
  107. static inline void audit_free(struct task_struct *task)
  108. {
  109. if (unlikely(task->audit_context))
  110. __audit_free(task);
  111. }
  112. static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
  113. unsigned long a1, unsigned long a2,
  114. unsigned long a3)
  115. {
  116. if (unlikely(current->audit_context))
  117. __audit_syscall_entry(arch, major, a0, a1, a2, a3);
  118. }
  119. static inline void audit_syscall_exit(void *pt_regs)
  120. {
  121. if (unlikely(current->audit_context)) {
  122. int success = is_syscall_success(pt_regs);
  123. int return_code = regs_return_value(pt_regs);
  124. __audit_syscall_exit(success, return_code);
  125. }
  126. }
  127. static inline struct filename *audit_reusename(const __user char *name)
  128. {
  129. if (unlikely(!audit_dummy_context()))
  130. return __audit_reusename(name);
  131. return NULL;
  132. }
  133. static inline void audit_getname(struct filename *name)
  134. {
  135. if (unlikely(!audit_dummy_context()))
  136. __audit_getname(name);
  137. }
  138. static inline void audit_inode(struct filename *name, const struct dentry *dentry,
  139. unsigned int parent) {
  140. if (unlikely(!audit_dummy_context()))
  141. __audit_inode(name, dentry, parent);
  142. }
  143. static inline void audit_inode_child(const struct inode *parent,
  144. const struct dentry *dentry,
  145. const unsigned char type) {
  146. if (unlikely(!audit_dummy_context()))
  147. __audit_inode_child(parent, dentry, type);
  148. }
  149. void audit_core_dumps(long signr);
  150. static inline void audit_seccomp(unsigned long syscall, long signr, int code)
  151. {
  152. /* Force a record to be reported if a signal was delivered. */
  153. if (signr || unlikely(!audit_dummy_context()))
  154. __audit_seccomp(syscall, signr, code);
  155. }
  156. static inline void audit_ptrace(struct task_struct *t)
  157. {
  158. if (unlikely(!audit_dummy_context()))
  159. __audit_ptrace(t);
  160. }
  161. /* Private API (for audit.c only) */
  162. extern unsigned int audit_serial(void);
  163. extern int auditsc_get_stamp(struct audit_context *ctx,
  164. struct timespec *t, unsigned int *serial);
  165. extern int audit_set_loginuid(kuid_t loginuid);
  166. static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
  167. {
  168. return tsk->loginuid;
  169. }
  170. static inline int audit_get_sessionid(struct task_struct *tsk)
  171. {
  172. return tsk->sessionid;
  173. }
  174. extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
  175. extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
  176. extern int __audit_bprm(struct linux_binprm *bprm);
  177. extern int __audit_socketcall(int nargs, unsigned long *args);
  178. extern int __audit_sockaddr(int len, void *addr);
  179. extern void __audit_fd_pair(int fd1, int fd2);
  180. extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
  181. extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout);
  182. extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
  183. extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
  184. extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
  185. const struct cred *new,
  186. const struct cred *old);
  187. extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old);
  188. extern void __audit_mmap_fd(int fd, int flags);
  189. static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
  190. {
  191. if (unlikely(!audit_dummy_context()))
  192. __audit_ipc_obj(ipcp);
  193. }
  194. static inline void audit_fd_pair(int fd1, int fd2)
  195. {
  196. if (unlikely(!audit_dummy_context()))
  197. __audit_fd_pair(fd1, fd2);
  198. }
  199. static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
  200. {
  201. if (unlikely(!audit_dummy_context()))
  202. __audit_ipc_set_perm(qbytes, uid, gid, mode);
  203. }
  204. static inline int audit_bprm(struct linux_binprm *bprm)
  205. {
  206. if (unlikely(!audit_dummy_context()))
  207. return __audit_bprm(bprm);
  208. return 0;
  209. }
  210. static inline int audit_socketcall(int nargs, unsigned long *args)
  211. {
  212. if (unlikely(!audit_dummy_context()))
  213. return __audit_socketcall(nargs, args);
  214. return 0;
  215. }
  216. static inline int audit_sockaddr(int len, void *addr)
  217. {
  218. if (unlikely(!audit_dummy_context()))
  219. return __audit_sockaddr(len, addr);
  220. return 0;
  221. }
  222. static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
  223. {
  224. if (unlikely(!audit_dummy_context()))
  225. __audit_mq_open(oflag, mode, attr);
  226. }
  227. static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)
  228. {
  229. if (unlikely(!audit_dummy_context()))
  230. __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
  231. }
  232. static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
  233. {
  234. if (unlikely(!audit_dummy_context()))
  235. __audit_mq_notify(mqdes, notification);
  236. }
  237. static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
  238. {
  239. if (unlikely(!audit_dummy_context()))
  240. __audit_mq_getsetattr(mqdes, mqstat);
  241. }
  242. static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
  243. const struct cred *new,
  244. const struct cred *old)
  245. {
  246. if (unlikely(!audit_dummy_context()))
  247. return __audit_log_bprm_fcaps(bprm, new, old);
  248. return 0;
  249. }
  250. static inline void audit_log_capset(pid_t pid, const struct cred *new,
  251. const struct cred *old)
  252. {
  253. if (unlikely(!audit_dummy_context()))
  254. __audit_log_capset(pid, new, old);
  255. }
  256. static inline void audit_mmap_fd(int fd, int flags)
  257. {
  258. if (unlikely(!audit_dummy_context()))
  259. __audit_mmap_fd(fd, flags);
  260. }
  261. extern int audit_n_rules;
  262. extern int audit_signals;
  263. #else /* CONFIG_AUDITSYSCALL */
  264. static inline int audit_alloc(struct task_struct *task)
  265. {
  266. return 0;
  267. }
  268. static inline void audit_free(struct task_struct *task)
  269. { }
  270. static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
  271. unsigned long a1, unsigned long a2,
  272. unsigned long a3)
  273. { }
  274. static inline void audit_syscall_exit(void *pt_regs)
  275. { }
  276. static inline int audit_dummy_context(void)
  277. {
  278. return 1;
  279. }
  280. static inline struct filename *audit_reusename(const __user char *name)
  281. {
  282. return NULL;
  283. }
  284. static inline void audit_getname(struct filename *name)
  285. { }
  286. static inline void audit_putname(struct filename *name)
  287. { }
  288. static inline void __audit_inode(struct filename *name,
  289. const struct dentry *dentry,
  290. unsigned int parent)
  291. { }
  292. static inline void __audit_inode_child(const struct inode *parent,
  293. const struct dentry *dentry,
  294. const unsigned char type)
  295. { }
  296. static inline void audit_inode(struct filename *name,
  297. const struct dentry *dentry,
  298. unsigned int parent)
  299. { }
  300. static inline void audit_inode_child(const struct inode *parent,
  301. const struct dentry *dentry,
  302. const unsigned char type)
  303. { }
  304. static inline void audit_core_dumps(long signr)
  305. { }
  306. static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
  307. { }
  308. static inline void audit_seccomp(unsigned long syscall, long signr, int code)
  309. { }
  310. static inline int auditsc_get_stamp(struct audit_context *ctx,
  311. struct timespec *t, unsigned int *serial)
  312. {
  313. return 0;
  314. }
  315. static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
  316. {
  317. return INVALID_UID;
  318. }
  319. static inline int audit_get_sessionid(struct task_struct *tsk)
  320. {
  321. return -1;
  322. }
  323. static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
  324. { }
  325. static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
  326. gid_t gid, umode_t mode)
  327. { }
  328. static inline int audit_bprm(struct linux_binprm *bprm)
  329. {
  330. return 0;
  331. }
  332. static inline int audit_socketcall(int nargs, unsigned long *args)
  333. {
  334. return 0;
  335. }
  336. static inline void audit_fd_pair(int fd1, int fd2)
  337. { }
  338. static inline int audit_sockaddr(int len, void *addr)
  339. {
  340. return 0;
  341. }
  342. static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
  343. { }
  344. static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len,
  345. unsigned int msg_prio,
  346. const struct timespec *abs_timeout)
  347. { }
  348. static inline void audit_mq_notify(mqd_t mqdes,
  349. const struct sigevent *notification)
  350. { }
  351. static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
  352. { }
  353. static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
  354. const struct cred *new,
  355. const struct cred *old)
  356. {
  357. return 0;
  358. }
  359. static inline void audit_log_capset(pid_t pid, const struct cred *new,
  360. const struct cred *old)
  361. { }
  362. static inline void audit_mmap_fd(int fd, int flags)
  363. { }
  364. static inline void audit_ptrace(struct task_struct *t)
  365. { }
  366. #define audit_n_rules 0
  367. #define audit_signals 0
  368. #endif /* CONFIG_AUDITSYSCALL */
  369. static inline bool audit_loginuid_set(struct task_struct *tsk)
  370. {
  371. return uid_valid(audit_get_loginuid(tsk));
  372. }
  373. #ifdef CONFIG_AUDIT
  374. /* These are defined in audit.c */
  375. /* Public API */
  376. extern __printf(4, 5)
  377. void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
  378. const char *fmt, ...);
  379. extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
  380. extern __printf(2, 3)
  381. void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
  382. extern void audit_log_end(struct audit_buffer *ab);
  383. extern int audit_string_contains_control(const char *string,
  384. size_t len);
  385. extern void audit_log_n_hex(struct audit_buffer *ab,
  386. const unsigned char *buf,
  387. size_t len);
  388. extern void audit_log_n_string(struct audit_buffer *ab,
  389. const char *buf,
  390. size_t n);
  391. extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
  392. const char *string,
  393. size_t n);
  394. extern void audit_log_untrustedstring(struct audit_buffer *ab,
  395. const char *string);
  396. extern void audit_log_d_path(struct audit_buffer *ab,
  397. const char *prefix,
  398. const struct path *path);
  399. extern void audit_log_key(struct audit_buffer *ab,
  400. char *key);
  401. extern void audit_log_link_denied(const char *operation,
  402. struct path *link);
  403. extern void audit_log_lost(const char *message);
  404. #ifdef CONFIG_SECURITY
  405. extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
  406. #else
  407. static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
  408. { }
  409. #endif
  410. extern int audit_log_task_context(struct audit_buffer *ab);
  411. extern void audit_log_task_info(struct audit_buffer *ab,
  412. struct task_struct *tsk);
  413. extern int audit_update_lsm_rules(void);
  414. /* Private API (for audit.c only) */
  415. extern int audit_filter_user(int type);
  416. extern int audit_filter_type(int type);
  417. extern int audit_receive_filter(int type, int pid, int seq,
  418. void *data, size_t datasz);
  419. extern int audit_enabled;
  420. #else /* CONFIG_AUDIT */
  421. static inline __printf(4, 5)
  422. void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
  423. const char *fmt, ...)
  424. { }
  425. static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
  426. gfp_t gfp_mask, int type)
  427. {
  428. return NULL;
  429. }
  430. static inline __printf(2, 3)
  431. void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
  432. { }
  433. static inline void audit_log_end(struct audit_buffer *ab)
  434. { }
  435. static inline void audit_log_n_hex(struct audit_buffer *ab,
  436. const unsigned char *buf, size_t len)
  437. { }
  438. static inline void audit_log_n_string(struct audit_buffer *ab,
  439. const char *buf, size_t n)
  440. { }
  441. static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
  442. const char *string, size_t n)
  443. { }
  444. static inline void audit_log_untrustedstring(struct audit_buffer *ab,
  445. const char *string)
  446. { }
  447. static inline void audit_log_d_path(struct audit_buffer *ab,
  448. const char *prefix,
  449. const struct path *path)
  450. { }
  451. static inline void audit_log_key(struct audit_buffer *ab, char *key)
  452. { }
  453. static inline void audit_log_link_denied(const char *string,
  454. const struct path *link)
  455. { }
  456. static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
  457. { }
  458. static inline int audit_log_task_context(struct audit_buffer *ab)
  459. {
  460. return 0;
  461. }
  462. static inline void audit_log_task_info(struct audit_buffer *ab,
  463. struct task_struct *tsk)
  464. { }
  465. #define audit_enabled 0
  466. #endif /* CONFIG_AUDIT */
  467. static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
  468. {
  469. audit_log_n_string(ab, buf, strlen(buf));
  470. }
  471. #endif