1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23#ifndef _LINUX_AUDIT_H_
24#define _LINUX_AUDIT_H_
25
26#include <linux/sched.h>
27#include <linux/ptrace.h>
28#include <uapi/linux/audit.h>
29
30#define AUDIT_INO_UNSET ((unsigned long)-1)
31#define AUDIT_DEV_UNSET ((dev_t)-1)
32
33struct audit_sig_info {
34 uid_t uid;
35 pid_t pid;
36 char ctx[0];
37};
38
39struct audit_buffer;
40struct audit_context;
41struct inode;
42struct netlink_skb_parms;
43struct path;
44struct linux_binprm;
45struct mq_attr;
46struct mqstat;
47struct audit_watch;
48struct audit_tree;
49struct sk_buff;
50
51struct audit_krule {
52 u32 pflags;
53 u32 flags;
54 u32 listnr;
55 u32 action;
56 u32 mask[AUDIT_BITMASK_SIZE];
57 u32 buflen;
58 u32 field_count;
59 char *filterkey;
60 struct audit_field *fields;
61 struct audit_field *arch_f;
62 struct audit_field *inode_f;
63 struct audit_watch *watch;
64 struct audit_tree *tree;
65 struct audit_fsnotify_mark *exe;
66 struct list_head rlist;
67 struct list_head list;
68 u64 prio;
69};
70
71
72#define AUDIT_LOGINUID_LEGACY 0x1
73
74struct audit_field {
75 u32 type;
76 union {
77 u32 val;
78 kuid_t uid;
79 kgid_t gid;
80 struct {
81 char *lsm_str;
82 void *lsm_rule;
83 };
84 };
85 u32 op;
86};
87
88extern int is_audit_feature_set(int which);
89
90extern int __init audit_register_class(int class, unsigned *list);
91extern int audit_classify_syscall(int abi, unsigned syscall);
92extern int audit_classify_arch(int arch);
93
94extern unsigned compat_write_class[];
95extern unsigned compat_read_class[];
96extern unsigned compat_dir_class[];
97extern unsigned compat_chattr_class[];
98extern unsigned compat_signal_class[];
99
100extern int audit_classify_compat_syscall(int abi, unsigned syscall);
101
102
103#define AUDIT_TYPE_UNKNOWN 0
104#define AUDIT_TYPE_NORMAL 1
105#define AUDIT_TYPE_PARENT 2
106#define AUDIT_TYPE_CHILD_DELETE 3
107#define AUDIT_TYPE_CHILD_CREATE 4
108
109
110#define AUDITSC_ARGS 6
111
112
113#define AUDIT_TTY_ENABLE BIT(0)
114#define AUDIT_TTY_LOG_PASSWD BIT(1)
115
116struct filename;
117
118extern void audit_log_session_info(struct audit_buffer *ab);
119
120#ifdef CONFIG_AUDIT
121
122
123extern __printf(4, 5)
124void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
125 const char *fmt, ...);
126
127extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
128extern __printf(2, 3)
129void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
130extern void audit_log_end(struct audit_buffer *ab);
131extern bool audit_string_contains_control(const char *string,
132 size_t len);
133extern void audit_log_n_hex(struct audit_buffer *ab,
134 const unsigned char *buf,
135 size_t len);
136extern void audit_log_n_string(struct audit_buffer *ab,
137 const char *buf,
138 size_t n);
139extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
140 const char *string,
141 size_t n);
142extern void audit_log_untrustedstring(struct audit_buffer *ab,
143 const char *string);
144extern void audit_log_d_path(struct audit_buffer *ab,
145 const char *prefix,
146 const struct path *path);
147extern void audit_log_key(struct audit_buffer *ab,
148 char *key);
149extern void audit_log_link_denied(const char *operation);
150extern void audit_log_lost(const char *message);
151
152extern int audit_log_task_context(struct audit_buffer *ab);
153extern void audit_log_task_info(struct audit_buffer *ab,
154 struct task_struct *tsk);
155
156extern int audit_update_lsm_rules(void);
157
158
159extern int audit_rule_change(int type, int seq, void *data, size_t datasz);
160extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
161
162extern u32 audit_enabled;
163#else
164static inline __printf(4, 5)
165void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
166 const char *fmt, ...)
167{ }
168static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
169 gfp_t gfp_mask, int type)
170{
171 return NULL;
172}
173static inline __printf(2, 3)
174void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
175{ }
176static inline void audit_log_end(struct audit_buffer *ab)
177{ }
178static inline void audit_log_n_hex(struct audit_buffer *ab,
179 const unsigned char *buf, size_t len)
180{ }
181static inline void audit_log_n_string(struct audit_buffer *ab,
182 const char *buf, size_t n)
183{ }
184static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
185 const char *string, size_t n)
186{ }
187static inline void audit_log_untrustedstring(struct audit_buffer *ab,
188 const char *string)
189{ }
190static inline void audit_log_d_path(struct audit_buffer *ab,
191 const char *prefix,
192 const struct path *path)
193{ }
194static inline void audit_log_key(struct audit_buffer *ab, char *key)
195{ }
196static inline void audit_log_link_denied(const char *string)
197{ }
198static inline int audit_log_task_context(struct audit_buffer *ab)
199{
200 return 0;
201}
202static inline void audit_log_task_info(struct audit_buffer *ab,
203 struct task_struct *tsk)
204{ }
205#define audit_enabled 0
206#endif
207
208#ifdef CONFIG_AUDIT_COMPAT_GENERIC
209#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT))
210#else
211#define audit_is_compat(arch) false
212#endif
213
214#ifdef CONFIG_AUDITSYSCALL
215#include <asm/syscall.h>
216
217
218
219extern int audit_alloc(struct task_struct *task);
220extern void __audit_free(struct task_struct *task);
221extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
222 unsigned long a2, unsigned long a3);
223extern void __audit_syscall_exit(int ret_success, long ret_value);
224extern struct filename *__audit_reusename(const __user char *uptr);
225extern void __audit_getname(struct filename *name);
226
227#define AUDIT_INODE_PARENT 1
228#define AUDIT_INODE_HIDDEN 2
229extern void __audit_inode(struct filename *name, const struct dentry *dentry,
230 unsigned int flags);
231extern void __audit_file(const struct file *);
232extern void __audit_inode_child(struct inode *parent,
233 const struct dentry *dentry,
234 const unsigned char type);
235extern void __audit_seccomp(unsigned long syscall, long signr, int code);
236extern void __audit_ptrace(struct task_struct *t);
237
238static inline bool audit_dummy_context(void)
239{
240 void *p = current->audit_context;
241 return !p || *(int *)p;
242}
243static inline void audit_free(struct task_struct *task)
244{
245 if (unlikely(task->audit_context))
246 __audit_free(task);
247}
248static inline void audit_syscall_entry(int major, unsigned long a0,
249 unsigned long a1, unsigned long a2,
250 unsigned long a3)
251{
252 if (unlikely(current->audit_context))
253 __audit_syscall_entry(major, a0, a1, a2, a3);
254}
255static inline void audit_syscall_exit(void *pt_regs)
256{
257 if (unlikely(current->audit_context)) {
258 int success = is_syscall_success(pt_regs);
259 long return_code = regs_return_value(pt_regs);
260
261 __audit_syscall_exit(success, return_code);
262 }
263}
264static inline struct filename *audit_reusename(const __user char *name)
265{
266 if (unlikely(!audit_dummy_context()))
267 return __audit_reusename(name);
268 return NULL;
269}
270static inline void audit_getname(struct filename *name)
271{
272 if (unlikely(!audit_dummy_context()))
273 __audit_getname(name);
274}
275static inline void audit_inode(struct filename *name,
276 const struct dentry *dentry,
277 unsigned int parent) {
278 if (unlikely(!audit_dummy_context())) {
279 unsigned int flags = 0;
280 if (parent)
281 flags |= AUDIT_INODE_PARENT;
282 __audit_inode(name, dentry, flags);
283 }
284}
285static inline void audit_file(struct file *file)
286{
287 if (unlikely(!audit_dummy_context()))
288 __audit_file(file);
289}
290static inline void audit_inode_parent_hidden(struct filename *name,
291 const struct dentry *dentry)
292{
293 if (unlikely(!audit_dummy_context()))
294 __audit_inode(name, dentry,
295 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
296}
297static inline void audit_inode_child(struct inode *parent,
298 const struct dentry *dentry,
299 const unsigned char type) {
300 if (unlikely(!audit_dummy_context()))
301 __audit_inode_child(parent, dentry, type);
302}
303void audit_core_dumps(long signr);
304
305static inline void audit_seccomp(unsigned long syscall, long signr, int code)
306{
307 if (audit_enabled && unlikely(!audit_dummy_context()))
308 __audit_seccomp(syscall, signr, code);
309}
310
311static inline void audit_ptrace(struct task_struct *t)
312{
313 if (unlikely(!audit_dummy_context()))
314 __audit_ptrace(t);
315}
316
317
318extern unsigned int audit_serial(void);
319extern int auditsc_get_stamp(struct audit_context *ctx,
320 struct timespec64 *t, unsigned int *serial);
321extern int audit_set_loginuid(kuid_t loginuid);
322
323static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
324{
325 return tsk->loginuid;
326}
327
328static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
329{
330 return tsk->sessionid;
331}
332
333extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
334extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
335extern void __audit_bprm(struct linux_binprm *bprm);
336extern int __audit_socketcall(int nargs, unsigned long *args);
337extern int __audit_sockaddr(int len, void *addr);
338extern void __audit_fd_pair(int fd1, int fd2);
339extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
340extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout);
341extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
342extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
343extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
344 const struct cred *new,
345 const struct cred *old);
346extern void __audit_log_capset(const struct cred *new, const struct cred *old);
347extern void __audit_mmap_fd(int fd, int flags);
348extern void __audit_log_kern_module(char *name);
349extern void __audit_fanotify(unsigned int response);
350
351static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
352{
353 if (unlikely(!audit_dummy_context()))
354 __audit_ipc_obj(ipcp);
355}
356static inline void audit_fd_pair(int fd1, int fd2)
357{
358 if (unlikely(!audit_dummy_context()))
359 __audit_fd_pair(fd1, fd2);
360}
361static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
362{
363 if (unlikely(!audit_dummy_context()))
364 __audit_ipc_set_perm(qbytes, uid, gid, mode);
365}
366static inline void audit_bprm(struct linux_binprm *bprm)
367{
368 if (unlikely(!audit_dummy_context()))
369 __audit_bprm(bprm);
370}
371static inline int audit_socketcall(int nargs, unsigned long *args)
372{
373 if (unlikely(!audit_dummy_context()))
374 return __audit_socketcall(nargs, args);
375 return 0;
376}
377
378static inline int audit_socketcall_compat(int nargs, u32 *args)
379{
380 unsigned long a[AUDITSC_ARGS];
381 int i;
382
383 if (audit_dummy_context())
384 return 0;
385
386 for (i = 0; i < nargs; i++)
387 a[i] = (unsigned long)args[i];
388 return __audit_socketcall(nargs, a);
389}
390
391static inline int audit_sockaddr(int len, void *addr)
392{
393 if (unlikely(!audit_dummy_context()))
394 return __audit_sockaddr(len, addr);
395 return 0;
396}
397static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
398{
399 if (unlikely(!audit_dummy_context()))
400 __audit_mq_open(oflag, mode, attr);
401}
402static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout)
403{
404 if (unlikely(!audit_dummy_context()))
405 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
406}
407static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
408{
409 if (unlikely(!audit_dummy_context()))
410 __audit_mq_notify(mqdes, notification);
411}
412static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
413{
414 if (unlikely(!audit_dummy_context()))
415 __audit_mq_getsetattr(mqdes, mqstat);
416}
417
418static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
419 const struct cred *new,
420 const struct cred *old)
421{
422 if (unlikely(!audit_dummy_context()))
423 return __audit_log_bprm_fcaps(bprm, new, old);
424 return 0;
425}
426
427static inline void audit_log_capset(const struct cred *new,
428 const struct cred *old)
429{
430 if (unlikely(!audit_dummy_context()))
431 __audit_log_capset(new, old);
432}
433
434static inline void audit_mmap_fd(int fd, int flags)
435{
436 if (unlikely(!audit_dummy_context()))
437 __audit_mmap_fd(fd, flags);
438}
439
440static inline void audit_log_kern_module(char *name)
441{
442 if (!audit_dummy_context())
443 __audit_log_kern_module(name);
444}
445
446static inline void audit_fanotify(unsigned int response)
447{
448 if (!audit_dummy_context())
449 __audit_fanotify(response);
450}
451
452extern int audit_n_rules;
453extern int audit_signals;
454#else
455static inline int audit_alloc(struct task_struct *task)
456{
457 return 0;
458}
459static inline void audit_free(struct task_struct *task)
460{ }
461static inline void audit_syscall_entry(int major, unsigned long a0,
462 unsigned long a1, unsigned long a2,
463 unsigned long a3)
464{ }
465static inline void audit_syscall_exit(void *pt_regs)
466{ }
467static inline bool audit_dummy_context(void)
468{
469 return true;
470}
471static inline struct filename *audit_reusename(const __user char *name)
472{
473 return NULL;
474}
475static inline void audit_getname(struct filename *name)
476{ }
477static inline void __audit_inode(struct filename *name,
478 const struct dentry *dentry,
479 unsigned int flags)
480{ }
481static inline void __audit_inode_child(struct inode *parent,
482 const struct dentry *dentry,
483 const unsigned char type)
484{ }
485static inline void audit_inode(struct filename *name,
486 const struct dentry *dentry,
487 unsigned int parent)
488{ }
489static inline void audit_file(struct file *file)
490{
491}
492static inline void audit_inode_parent_hidden(struct filename *name,
493 const struct dentry *dentry)
494{ }
495static inline void audit_inode_child(struct inode *parent,
496 const struct dentry *dentry,
497 const unsigned char type)
498{ }
499static inline void audit_core_dumps(long signr)
500{ }
501static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
502{ }
503static inline void audit_seccomp(unsigned long syscall, long signr, int code)
504{ }
505static inline int auditsc_get_stamp(struct audit_context *ctx,
506 struct timespec64 *t, unsigned int *serial)
507{
508 return 0;
509}
510static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
511{
512 return INVALID_UID;
513}
514static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
515{
516 return -1;
517}
518static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
519{ }
520static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
521 gid_t gid, umode_t mode)
522{ }
523static inline void audit_bprm(struct linux_binprm *bprm)
524{ }
525static inline int audit_socketcall(int nargs, unsigned long *args)
526{
527 return 0;
528}
529
530static inline int audit_socketcall_compat(int nargs, u32 *args)
531{
532 return 0;
533}
534
535static inline void audit_fd_pair(int fd1, int fd2)
536{ }
537static inline int audit_sockaddr(int len, void *addr)
538{
539 return 0;
540}
541static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
542{ }
543static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len,
544 unsigned int msg_prio,
545 const struct timespec64 *abs_timeout)
546{ }
547static inline void audit_mq_notify(mqd_t mqdes,
548 const struct sigevent *notification)
549{ }
550static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
551{ }
552static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
553 const struct cred *new,
554 const struct cred *old)
555{
556 return 0;
557}
558static inline void audit_log_capset(const struct cred *new,
559 const struct cred *old)
560{ }
561static inline void audit_mmap_fd(int fd, int flags)
562{ }
563
564static inline void audit_log_kern_module(char *name)
565{
566}
567
568static inline void audit_fanotify(unsigned int response)
569{ }
570
571static inline void audit_ptrace(struct task_struct *t)
572{ }
573#define audit_n_rules 0
574#define audit_signals 0
575#endif
576
577static inline bool audit_loginuid_set(struct task_struct *tsk)
578{
579 return uid_valid(audit_get_loginuid(tsk));
580}
581
582static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
583{
584 audit_log_n_string(ab, buf, strlen(buf));
585}
586
587#endif
588