1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23#ifndef _LINUX_AUDIT_H_
24#define _LINUX_AUDIT_H_
25
26#include <linux/sched.h>
27#include <linux/ptrace.h>
28#include <uapi/linux/audit.h>
29
30struct audit_sig_info {
31 uid_t uid;
32 pid_t pid;
33 char ctx[0];
34};
35
36struct audit_buffer;
37struct audit_context;
38struct inode;
39struct netlink_skb_parms;
40struct path;
41struct linux_binprm;
42struct mq_attr;
43struct mqstat;
44struct audit_watch;
45struct audit_tree;
46struct sk_buff;
47
48struct audit_krule {
49 int vers_ops;
50 u32 pflags;
51 u32 flags;
52 u32 listnr;
53 u32 action;
54 u32 mask[AUDIT_BITMASK_SIZE];
55 u32 buflen;
56 u32 field_count;
57 char *filterkey;
58 struct audit_field *fields;
59 struct audit_field *arch_f;
60 struct audit_field *inode_f;
61 struct audit_watch *watch;
62 struct audit_tree *tree;
63 struct list_head rlist;
64 struct list_head list;
65 u64 prio;
66};
67
68
69#define AUDIT_LOGINUID_LEGACY 0x1
70
71struct audit_field {
72 u32 type;
73 union {
74 u32 val;
75 kuid_t uid;
76 kgid_t gid;
77 struct {
78 char *lsm_str;
79 void *lsm_rule;
80 };
81 };
82 u32 op;
83};
84
85extern int is_audit_feature_set(int which);
86
87extern int __init audit_register_class(int class, unsigned *list);
88extern int audit_classify_syscall(int abi, unsigned syscall);
89extern int audit_classify_arch(int arch);
90
91extern unsigned compat_write_class[];
92extern unsigned compat_read_class[];
93extern unsigned compat_dir_class[];
94extern unsigned compat_chattr_class[];
95extern unsigned compat_signal_class[];
96
97extern int audit_classify_compat_syscall(int abi, unsigned syscall);
98
99
100#define AUDIT_TYPE_UNKNOWN 0
101#define AUDIT_TYPE_NORMAL 1
102#define AUDIT_TYPE_PARENT 2
103#define AUDIT_TYPE_CHILD_DELETE 3
104#define AUDIT_TYPE_CHILD_CREATE 4
105
106
107#define AUDITSC_ARGS 6
108
109struct filename;
110
111extern void audit_log_session_info(struct audit_buffer *ab);
112
113#ifdef CONFIG_AUDIT_COMPAT_GENERIC
114#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT))
115#else
116#define audit_is_compat(arch) false
117#endif
118
119#ifdef CONFIG_AUDITSYSCALL
120#include <asm/syscall.h>
121
122
123
124extern int audit_alloc(struct task_struct *task);
125extern void __audit_free(struct task_struct *task);
126extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
127 unsigned long a2, unsigned long a3);
128extern void __audit_syscall_exit(int ret_success, long ret_value);
129extern struct filename *__audit_reusename(const __user char *uptr);
130extern void __audit_getname(struct filename *name);
131extern void audit_putname(struct filename *name);
132
133#define AUDIT_INODE_PARENT 1
134#define AUDIT_INODE_HIDDEN 2
135extern void __audit_inode(struct filename *name, const struct dentry *dentry,
136 unsigned int flags);
137extern void __audit_file(const struct file *);
138extern void __audit_inode_child(const struct inode *parent,
139 const struct dentry *dentry,
140 const unsigned char type);
141extern void __audit_seccomp(unsigned long syscall, long signr, int code);
142extern void __audit_ptrace(struct task_struct *t);
143
144static inline int audit_dummy_context(void)
145{
146 void *p = current->audit_context;
147 return !p || *(int *)p;
148}
149static inline void audit_free(struct task_struct *task)
150{
151 if (unlikely(task->audit_context))
152 __audit_free(task);
153}
154static inline void audit_syscall_entry(int major, unsigned long a0,
155 unsigned long a1, unsigned long a2,
156 unsigned long a3)
157{
158 if (unlikely(current->audit_context))
159 __audit_syscall_entry(major, a0, a1, a2, a3);
160}
161static inline void audit_syscall_exit(void *pt_regs)
162{
163 if (unlikely(current->audit_context)) {
164 int success = is_syscall_success(pt_regs);
165 long return_code = regs_return_value(pt_regs);
166
167 __audit_syscall_exit(success, return_code);
168 }
169}
170static inline struct filename *audit_reusename(const __user char *name)
171{
172 if (unlikely(!audit_dummy_context()))
173 return __audit_reusename(name);
174 return NULL;
175}
176static inline void audit_getname(struct filename *name)
177{
178 if (unlikely(!audit_dummy_context()))
179 __audit_getname(name);
180}
181static inline void audit_inode(struct filename *name,
182 const struct dentry *dentry,
183 unsigned int parent) {
184 if (unlikely(!audit_dummy_context())) {
185 unsigned int flags = 0;
186 if (parent)
187 flags |= AUDIT_INODE_PARENT;
188 __audit_inode(name, dentry, flags);
189 }
190}
191static inline void audit_file(struct file *file)
192{
193 if (unlikely(!audit_dummy_context()))
194 __audit_file(file);
195}
196static inline void audit_inode_parent_hidden(struct filename *name,
197 const struct dentry *dentry)
198{
199 if (unlikely(!audit_dummy_context()))
200 __audit_inode(name, dentry,
201 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
202}
203static inline void audit_inode_child(const struct inode *parent,
204 const struct dentry *dentry,
205 const unsigned char type) {
206 if (unlikely(!audit_dummy_context()))
207 __audit_inode_child(parent, dentry, type);
208}
209void audit_core_dumps(long signr);
210
211static inline void audit_seccomp(unsigned long syscall, long signr, int code)
212{
213
214 if (signr || unlikely(!audit_dummy_context()))
215 __audit_seccomp(syscall, signr, code);
216}
217
218static inline void audit_ptrace(struct task_struct *t)
219{
220 if (unlikely(!audit_dummy_context()))
221 __audit_ptrace(t);
222}
223
224
225extern unsigned int audit_serial(void);
226extern int auditsc_get_stamp(struct audit_context *ctx,
227 struct timespec *t, unsigned int *serial);
228extern int audit_set_loginuid(kuid_t loginuid);
229
230static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
231{
232 return tsk->loginuid;
233}
234
235static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
236{
237 return tsk->sessionid;
238}
239
240extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
241extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
242extern void __audit_bprm(struct linux_binprm *bprm);
243extern int __audit_socketcall(int nargs, unsigned long *args);
244extern int __audit_sockaddr(int len, void *addr);
245extern void __audit_fd_pair(int fd1, int fd2);
246extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
247extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout);
248extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
249extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
250extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
251 const struct cred *new,
252 const struct cred *old);
253extern void __audit_log_capset(const struct cred *new, const struct cred *old);
254extern void __audit_mmap_fd(int fd, int flags);
255
256static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
257{
258 if (unlikely(!audit_dummy_context()))
259 __audit_ipc_obj(ipcp);
260}
261static inline void audit_fd_pair(int fd1, int fd2)
262{
263 if (unlikely(!audit_dummy_context()))
264 __audit_fd_pair(fd1, fd2);
265}
266static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
267{
268 if (unlikely(!audit_dummy_context()))
269 __audit_ipc_set_perm(qbytes, uid, gid, mode);
270}
271static inline void audit_bprm(struct linux_binprm *bprm)
272{
273 if (unlikely(!audit_dummy_context()))
274 __audit_bprm(bprm);
275}
276static inline int audit_socketcall(int nargs, unsigned long *args)
277{
278 if (unlikely(!audit_dummy_context()))
279 return __audit_socketcall(nargs, args);
280 return 0;
281}
282static inline int audit_sockaddr(int len, void *addr)
283{
284 if (unlikely(!audit_dummy_context()))
285 return __audit_sockaddr(len, addr);
286 return 0;
287}
288static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
289{
290 if (unlikely(!audit_dummy_context()))
291 __audit_mq_open(oflag, mode, attr);
292}
293static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)
294{
295 if (unlikely(!audit_dummy_context()))
296 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
297}
298static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
299{
300 if (unlikely(!audit_dummy_context()))
301 __audit_mq_notify(mqdes, notification);
302}
303static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
304{
305 if (unlikely(!audit_dummy_context()))
306 __audit_mq_getsetattr(mqdes, mqstat);
307}
308
309static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
310 const struct cred *new,
311 const struct cred *old)
312{
313 if (unlikely(!audit_dummy_context()))
314 return __audit_log_bprm_fcaps(bprm, new, old);
315 return 0;
316}
317
318static inline void audit_log_capset(const struct cred *new,
319 const struct cred *old)
320{
321 if (unlikely(!audit_dummy_context()))
322 __audit_log_capset(new, old);
323}
324
325static inline void audit_mmap_fd(int fd, int flags)
326{
327 if (unlikely(!audit_dummy_context()))
328 __audit_mmap_fd(fd, flags);
329}
330
331extern int audit_n_rules;
332extern int audit_signals;
333#else
334static inline int audit_alloc(struct task_struct *task)
335{
336 return 0;
337}
338static inline void audit_free(struct task_struct *task)
339{ }
340static inline void audit_syscall_entry(int major, unsigned long a0,
341 unsigned long a1, unsigned long a2,
342 unsigned long a3)
343{ }
344static inline void audit_syscall_exit(void *pt_regs)
345{ }
346static inline int audit_dummy_context(void)
347{
348 return 1;
349}
350static inline struct filename *audit_reusename(const __user char *name)
351{
352 return NULL;
353}
354static inline void audit_getname(struct filename *name)
355{ }
356static inline void audit_putname(struct filename *name)
357{ }
358static inline void __audit_inode(struct filename *name,
359 const struct dentry *dentry,
360 unsigned int flags)
361{ }
362static inline void __audit_inode_child(const struct inode *parent,
363 const struct dentry *dentry,
364 const unsigned char type)
365{ }
366static inline void audit_inode(struct filename *name,
367 const struct dentry *dentry,
368 unsigned int parent)
369{ }
370static inline void audit_file(struct file *file)
371{
372}
373static inline void audit_inode_parent_hidden(struct filename *name,
374 const struct dentry *dentry)
375{ }
376static inline void audit_inode_child(const struct inode *parent,
377 const struct dentry *dentry,
378 const unsigned char type)
379{ }
380static inline void audit_core_dumps(long signr)
381{ }
382static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
383{ }
384static inline void audit_seccomp(unsigned long syscall, long signr, int code)
385{ }
386static inline int auditsc_get_stamp(struct audit_context *ctx,
387 struct timespec *t, unsigned int *serial)
388{
389 return 0;
390}
391static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
392{
393 return INVALID_UID;
394}
395static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
396{
397 return -1;
398}
399static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
400{ }
401static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
402 gid_t gid, umode_t mode)
403{ }
404static inline void audit_bprm(struct linux_binprm *bprm)
405{ }
406static inline int audit_socketcall(int nargs, unsigned long *args)
407{
408 return 0;
409}
410static inline void audit_fd_pair(int fd1, int fd2)
411{ }
412static inline int audit_sockaddr(int len, void *addr)
413{
414 return 0;
415}
416static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
417{ }
418static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len,
419 unsigned int msg_prio,
420 const struct timespec *abs_timeout)
421{ }
422static inline void audit_mq_notify(mqd_t mqdes,
423 const struct sigevent *notification)
424{ }
425static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
426{ }
427static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
428 const struct cred *new,
429 const struct cred *old)
430{
431 return 0;
432}
433static inline void audit_log_capset(const struct cred *new,
434 const struct cred *old)
435{ }
436static inline void audit_mmap_fd(int fd, int flags)
437{ }
438static inline void audit_ptrace(struct task_struct *t)
439{ }
440#define audit_n_rules 0
441#define audit_signals 0
442#endif
443
444static inline bool audit_loginuid_set(struct task_struct *tsk)
445{
446 return uid_valid(audit_get_loginuid(tsk));
447}
448
449#ifdef CONFIG_AUDIT
450
451
452extern __printf(4, 5)
453void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
454 const char *fmt, ...);
455
456extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
457extern __printf(2, 3)
458void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
459extern void audit_log_end(struct audit_buffer *ab);
460extern int audit_string_contains_control(const char *string,
461 size_t len);
462extern void audit_log_n_hex(struct audit_buffer *ab,
463 const unsigned char *buf,
464 size_t len);
465extern void audit_log_n_string(struct audit_buffer *ab,
466 const char *buf,
467 size_t n);
468extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
469 const char *string,
470 size_t n);
471extern void audit_log_untrustedstring(struct audit_buffer *ab,
472 const char *string);
473extern void audit_log_d_path(struct audit_buffer *ab,
474 const char *prefix,
475 const struct path *path);
476extern void audit_log_key(struct audit_buffer *ab,
477 char *key);
478extern void audit_log_link_denied(const char *operation,
479 struct path *link);
480extern void audit_log_lost(const char *message);
481#ifdef CONFIG_SECURITY
482extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
483#else
484static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
485{ }
486#endif
487
488extern int audit_log_task_context(struct audit_buffer *ab);
489extern void audit_log_task_info(struct audit_buffer *ab,
490 struct task_struct *tsk);
491
492extern int audit_update_lsm_rules(void);
493
494
495extern int audit_filter_user(int type);
496extern int audit_filter_type(int type);
497extern int audit_rule_change(int type, __u32 portid, int seq,
498 void *data, size_t datasz);
499extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
500
501extern u32 audit_enabled;
502#else
503static inline __printf(4, 5)
504void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
505 const char *fmt, ...)
506{ }
507static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
508 gfp_t gfp_mask, int type)
509{
510 return NULL;
511}
512static inline __printf(2, 3)
513void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
514{ }
515static inline void audit_log_end(struct audit_buffer *ab)
516{ }
517static inline void audit_log_n_hex(struct audit_buffer *ab,
518 const unsigned char *buf, size_t len)
519{ }
520static inline void audit_log_n_string(struct audit_buffer *ab,
521 const char *buf, size_t n)
522{ }
523static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
524 const char *string, size_t n)
525{ }
526static inline void audit_log_untrustedstring(struct audit_buffer *ab,
527 const char *string)
528{ }
529static inline void audit_log_d_path(struct audit_buffer *ab,
530 const char *prefix,
531 const struct path *path)
532{ }
533static inline void audit_log_key(struct audit_buffer *ab, char *key)
534{ }
535static inline void audit_log_link_denied(const char *string,
536 const struct path *link)
537{ }
538static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
539{ }
540static inline int audit_log_task_context(struct audit_buffer *ab)
541{
542 return 0;
543}
544static inline void audit_log_task_info(struct audit_buffer *ab,
545 struct task_struct *tsk)
546{ }
547#define audit_enabled 0
548#endif
549static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
550{
551 audit_log_n_string(ab, buf, strlen(buf));
552}
553
554#endif
555
