1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23#ifndef _LINUX_AUDIT_H_
24#define _LINUX_AUDIT_H_
25
26#include <linux/sched.h>
27#include <linux/ptrace.h>
28#include <uapi/linux/audit.h>
29
30struct audit_sig_info {
31 uid_t uid;
32 pid_t pid;
33 char ctx[0];
34};
35
36struct audit_buffer;
37struct audit_context;
38struct inode;
39struct netlink_skb_parms;
40struct path;
41struct linux_binprm;
42struct mq_attr;
43struct mqstat;
44struct audit_watch;
45struct audit_tree;
46
47struct audit_krule {
48 int vers_ops;
49 u32 flags;
50 u32 listnr;
51 u32 action;
52 u32 mask[AUDIT_BITMASK_SIZE];
53 u32 buflen;
54 u32 field_count;
55 char *filterkey;
56 struct audit_field *fields;
57 struct audit_field *arch_f;
58 struct audit_field *inode_f;
59 struct audit_watch *watch;
60 struct audit_tree *tree;
61 struct list_head rlist;
62 struct list_head list;
63 u64 prio;
64};
65
66struct audit_field {
67 u32 type;
68 u32 val;
69 kuid_t uid;
70 kgid_t gid;
71 u32 op;
72 char *lsm_str;
73 void *lsm_rule;
74};
75
76extern int __init audit_register_class(int class, unsigned *list);
77extern int audit_classify_syscall(int abi, unsigned syscall);
78extern int audit_classify_arch(int arch);
79
80
81#define AUDIT_TYPE_UNKNOWN 0
82#define AUDIT_TYPE_NORMAL 1
83#define AUDIT_TYPE_PARENT 2
84#define AUDIT_TYPE_CHILD_DELETE 3
85#define AUDIT_TYPE_CHILD_CREATE 4
86
87struct filename;
88
89#ifdef CONFIG_AUDITSYSCALL
90
91
92extern int audit_alloc(struct task_struct *task);
93extern void __audit_free(struct task_struct *task);
94extern void __audit_syscall_entry(int arch,
95 int major, unsigned long a0, unsigned long a1,
96 unsigned long a2, unsigned long a3);
97extern void __audit_syscall_exit(int ret_success, long ret_value);
98extern struct filename *__audit_reusename(const __user char *uptr);
99extern void __audit_getname(struct filename *name);
100extern void audit_putname(struct filename *name);
101extern void __audit_inode(struct filename *name, const struct dentry *dentry,
102 unsigned int parent);
103extern void __audit_inode_child(const struct inode *parent,
104 const struct dentry *dentry,
105 const unsigned char type);
106extern void __audit_seccomp(unsigned long syscall, long signr, int code);
107extern void __audit_ptrace(struct task_struct *t);
108
109static inline int audit_dummy_context(void)
110{
111 void *p = current->audit_context;
112 return !p || *(int *)p;
113}
114static inline void audit_free(struct task_struct *task)
115{
116 if (unlikely(task->audit_context))
117 __audit_free(task);
118}
119static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
120 unsigned long a1, unsigned long a2,
121 unsigned long a3)
122{
123 if (unlikely(!audit_dummy_context()))
124 __audit_syscall_entry(arch, major, a0, a1, a2, a3);
125}
126static inline void audit_syscall_exit(void *pt_regs)
127{
128 if (unlikely(current->audit_context)) {
129 int success = is_syscall_success(pt_regs);
130 int return_code = regs_return_value(pt_regs);
131
132 __audit_syscall_exit(success, return_code);
133 }
134}
135static inline struct filename *audit_reusename(const __user char *name)
136{
137 if (unlikely(!audit_dummy_context()))
138 return __audit_reusename(name);
139 return NULL;
140}
141static inline void audit_getname(struct filename *name)
142{
143 if (unlikely(!audit_dummy_context()))
144 __audit_getname(name);
145}
146static inline void audit_inode(struct filename *name, const struct dentry *dentry,
147 unsigned int parent) {
148 if (unlikely(!audit_dummy_context()))
149 __audit_inode(name, dentry, parent);
150}
151static inline void audit_inode_child(const struct inode *parent,
152 const struct dentry *dentry,
153 const unsigned char type) {
154 if (unlikely(!audit_dummy_context()))
155 __audit_inode_child(parent, dentry, type);
156}
157void audit_core_dumps(long signr);
158
159static inline void audit_seccomp(unsigned long syscall, long signr, int code)
160{
161
162 if (signr || unlikely(!audit_dummy_context()))
163 __audit_seccomp(syscall, signr, code);
164}
165
166static inline void audit_ptrace(struct task_struct *t)
167{
168 if (unlikely(!audit_dummy_context()))
169 __audit_ptrace(t);
170}
171
172
173extern unsigned int audit_serial(void);
174extern int auditsc_get_stamp(struct audit_context *ctx,
175 struct timespec *t, unsigned int *serial);
176extern int audit_set_loginuid(kuid_t loginuid);
177
178static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
179{
180 return tsk->loginuid;
181}
182
183static inline int audit_get_sessionid(struct task_struct *tsk)
184{
185 return tsk->sessionid;
186}
187
188extern void audit_log_task_context(struct audit_buffer *ab);
189extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk);
190extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
191extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
192extern int __audit_bprm(struct linux_binprm *bprm);
193extern void __audit_socketcall(int nargs, unsigned long *args);
194extern int __audit_sockaddr(int len, void *addr);
195extern void __audit_fd_pair(int fd1, int fd2);
196extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
197extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout);
198extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
199extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
200extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
201 const struct cred *new,
202 const struct cred *old);
203extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old);
204extern void __audit_mmap_fd(int fd, int flags);
205
206static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
207{
208 if (unlikely(!audit_dummy_context()))
209 __audit_ipc_obj(ipcp);
210}
211static inline void audit_fd_pair(int fd1, int fd2)
212{
213 if (unlikely(!audit_dummy_context()))
214 __audit_fd_pair(fd1, fd2);
215}
216static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
217{
218 if (unlikely(!audit_dummy_context()))
219 __audit_ipc_set_perm(qbytes, uid, gid, mode);
220}
221static inline int audit_bprm(struct linux_binprm *bprm)
222{
223 if (unlikely(!audit_dummy_context()))
224 return __audit_bprm(bprm);
225 return 0;
226}
227static inline void audit_socketcall(int nargs, unsigned long *args)
228{
229 if (unlikely(!audit_dummy_context()))
230 __audit_socketcall(nargs, args);
231}
232static inline int audit_sockaddr(int len, void *addr)
233{
234 if (unlikely(!audit_dummy_context()))
235 return __audit_sockaddr(len, addr);
236 return 0;
237}
238static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
239{
240 if (unlikely(!audit_dummy_context()))
241 __audit_mq_open(oflag, mode, attr);
242}
243static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)
244{
245 if (unlikely(!audit_dummy_context()))
246 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
247}
248static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
249{
250 if (unlikely(!audit_dummy_context()))
251 __audit_mq_notify(mqdes, notification);
252}
253static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
254{
255 if (unlikely(!audit_dummy_context()))
256 __audit_mq_getsetattr(mqdes, mqstat);
257}
258
259static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
260 const struct cred *new,
261 const struct cred *old)
262{
263 if (unlikely(!audit_dummy_context()))
264 return __audit_log_bprm_fcaps(bprm, new, old);
265 return 0;
266}
267
268static inline void audit_log_capset(pid_t pid, const struct cred *new,
269 const struct cred *old)
270{
271 if (unlikely(!audit_dummy_context()))
272 __audit_log_capset(pid, new, old);
273}
274
275static inline void audit_mmap_fd(int fd, int flags)
276{
277 if (unlikely(!audit_dummy_context()))
278 __audit_mmap_fd(fd, flags);
279}
280
281extern int audit_n_rules;
282extern int audit_signals;
283#else
284static inline int audit_alloc(struct task_struct *task)
285{
286 return 0;
287}
288static inline void audit_free(struct task_struct *task)
289{ }
290static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
291 unsigned long a1, unsigned long a2,
292 unsigned long a3)
293{ }
294static inline void audit_syscall_exit(void *pt_regs)
295{ }
296static inline int audit_dummy_context(void)
297{
298 return 1;
299}
300static inline struct filename *audit_reusename(const __user char *name)
301{
302 return NULL;
303}
304static inline void audit_getname(struct filename *name)
305{ }
306static inline void audit_putname(struct filename *name)
307{ }
308static inline void __audit_inode(struct filename *name,
309 const struct dentry *dentry,
310 unsigned int parent)
311{ }
312static inline void __audit_inode_child(const struct inode *parent,
313 const struct dentry *dentry,
314 const unsigned char type)
315{ }
316static inline void audit_inode(struct filename *name,
317 const struct dentry *dentry,
318 unsigned int parent)
319{ }
320static inline void audit_inode_child(const struct inode *parent,
321 const struct dentry *dentry,
322 const unsigned char type)
323{ }
324static inline void audit_core_dumps(long signr)
325{ }
326static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
327{ }
328static inline void audit_seccomp(unsigned long syscall, long signr, int code)
329{ }
330static inline int auditsc_get_stamp(struct audit_context *ctx,
331 struct timespec *t, unsigned int *serial)
332{
333 return 0;
334}
335static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
336{
337 return INVALID_UID;
338}
339static inline int audit_get_sessionid(struct task_struct *tsk)
340{
341 return -1;
342}
343static inline void audit_log_task_context(struct audit_buffer *ab)
344{ }
345static inline void audit_log_task_info(struct audit_buffer *ab,
346 struct task_struct *tsk)
347{ }
348static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
349{ }
350static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
351 gid_t gid, umode_t mode)
352{ }
353static inline int audit_bprm(struct linux_binprm *bprm)
354{
355 return 0;
356}
357static inline void audit_socketcall(int nargs, unsigned long *args)
358{ }
359static inline void audit_fd_pair(int fd1, int fd2)
360{ }
361static inline int audit_sockaddr(int len, void *addr)
362{
363 return 0;
364}
365static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
366{ }
367static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len,
368 unsigned int msg_prio,
369 const struct timespec *abs_timeout)
370{ }
371static inline void audit_mq_notify(mqd_t mqdes,
372 const struct sigevent *notification)
373{ }
374static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
375{ }
376static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
377 const struct cred *new,
378 const struct cred *old)
379{
380 return 0;
381}
382static inline void audit_log_capset(pid_t pid, const struct cred *new,
383 const struct cred *old)
384{ }
385static inline void audit_mmap_fd(int fd, int flags)
386{ }
387static inline void audit_ptrace(struct task_struct *t)
388{ }
389#define audit_n_rules 0
390#define audit_signals 0
391#endif
392
393#ifdef CONFIG_AUDIT
394
395
396extern __printf(4, 5)
397void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
398 const char *fmt, ...);
399
400extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
401extern __printf(2, 3)
402void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
403extern void audit_log_end(struct audit_buffer *ab);
404extern int audit_string_contains_control(const char *string,
405 size_t len);
406extern void audit_log_n_hex(struct audit_buffer *ab,
407 const unsigned char *buf,
408 size_t len);
409extern void audit_log_n_string(struct audit_buffer *ab,
410 const char *buf,
411 size_t n);
412extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
413 const char *string,
414 size_t n);
415extern void audit_log_untrustedstring(struct audit_buffer *ab,
416 const char *string);
417extern void audit_log_d_path(struct audit_buffer *ab,
418 const char *prefix,
419 const struct path *path);
420extern void audit_log_key(struct audit_buffer *ab,
421 char *key);
422extern void audit_log_link_denied(const char *operation,
423 struct path *link);
424extern void audit_log_lost(const char *message);
425#ifdef CONFIG_SECURITY
426extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
427#else
428static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
429{ }
430#endif
431
432extern int audit_update_lsm_rules(void);
433
434
435extern int audit_filter_user(void);
436extern int audit_filter_type(int type);
437extern int audit_receive_filter(int type, int pid, int seq,
438 void *data, size_t datasz, kuid_t loginuid,
439 u32 sessionid, u32 sid);
440extern int audit_enabled;
441#else
442static inline __printf(4, 5)
443void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
444 const char *fmt, ...)
445{ }
446static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
447 gfp_t gfp_mask, int type)
448{
449 return NULL;
450}
451static inline __printf(2, 3)
452void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
453{ }
454static inline void audit_log_end(struct audit_buffer *ab)
455{ }
456static inline void audit_log_n_hex(struct audit_buffer *ab,
457 const unsigned char *buf, size_t len)
458{ }
459static inline void audit_log_n_string(struct audit_buffer *ab,
460 const char *buf, size_t n)
461{ }
462static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
463 const char *string, size_t n)
464{ }
465static inline void audit_log_untrustedstring(struct audit_buffer *ab,
466 const char *string)
467{ }
468static inline void audit_log_d_path(struct audit_buffer *ab,
469 const char *prefix,
470 const struct path *path)
471{ }
472static inline void audit_log_key(struct audit_buffer *ab, char *key)
473{ }
474static inline void audit_log_link_denied(const char *string,
475 const struct path *link)
476{ }
477static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
478{ }
479#define audit_enabled 0
480#endif
481static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
482{
483 audit_log_n_string(ab, buf, strlen(buf));
484}
485
486#endif
487