1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23#ifndef _LINUX_AUDIT_H_
24#define _LINUX_AUDIT_H_
25
26#include <linux/sched.h>
27#include <linux/ptrace.h>
28#include <uapi/linux/audit.h>
29
30#define AUDIT_INO_UNSET ((unsigned long)-1)
31#define AUDIT_DEV_UNSET ((dev_t)-1)
32
33struct audit_sig_info {
34 uid_t uid;
35 pid_t pid;
36 char ctx[0];
37};
38
39struct audit_buffer;
40struct audit_context;
41struct inode;
42struct netlink_skb_parms;
43struct path;
44struct linux_binprm;
45struct mq_attr;
46struct mqstat;
47struct audit_watch;
48struct audit_tree;
49struct sk_buff;
50
51struct audit_krule {
52 u32 pflags;
53 u32 flags;
54 u32 listnr;
55 u32 action;
56 u32 mask[AUDIT_BITMASK_SIZE];
57 u32 buflen;
58 u32 field_count;
59 char *filterkey;
60 struct audit_field *fields;
61 struct audit_field *arch_f;
62 struct audit_field *inode_f;
63 struct audit_watch *watch;
64 struct audit_tree *tree;
65 struct audit_fsnotify_mark *exe;
66 struct list_head rlist;
67 struct list_head list;
68 u64 prio;
69};
70
71
72#define AUDIT_LOGINUID_LEGACY 0x1
73
74struct audit_field {
75 u32 type;
76 union {
77 u32 val;
78 kuid_t uid;
79 kgid_t gid;
80 struct {
81 char *lsm_str;
82 void *lsm_rule;
83 };
84 };
85 u32 op;
86};
87
88extern int is_audit_feature_set(int which);
89
90extern int __init audit_register_class(int class, unsigned *list);
91extern int audit_classify_syscall(int abi, unsigned syscall);
92extern int audit_classify_arch(int arch);
93
94extern unsigned compat_write_class[];
95extern unsigned compat_read_class[];
96extern unsigned compat_dir_class[];
97extern unsigned compat_chattr_class[];
98extern unsigned compat_signal_class[];
99
100extern int audit_classify_compat_syscall(int abi, unsigned syscall);
101
102
103#define AUDIT_TYPE_UNKNOWN 0
104#define AUDIT_TYPE_NORMAL 1
105#define AUDIT_TYPE_PARENT 2
106#define AUDIT_TYPE_CHILD_DELETE 3
107#define AUDIT_TYPE_CHILD_CREATE 4
108
109
110#define AUDITSC_ARGS 6
111
112struct filename;
113
114extern void audit_log_session_info(struct audit_buffer *ab);
115
116#ifdef CONFIG_AUDIT_COMPAT_GENERIC
117#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT))
118#else
119#define audit_is_compat(arch) false
120#endif
121
122#ifdef CONFIG_AUDITSYSCALL
123#include <asm/syscall.h>
124
125
126
127extern int audit_alloc(struct task_struct *task);
128extern void __audit_free(struct task_struct *task);
129extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
130 unsigned long a2, unsigned long a3);
131extern void __audit_syscall_exit(int ret_success, long ret_value);
132extern struct filename *__audit_reusename(const __user char *uptr);
133extern void __audit_getname(struct filename *name);
134
135#define AUDIT_INODE_PARENT 1
136#define AUDIT_INODE_HIDDEN 2
137extern void __audit_inode(struct filename *name, const struct dentry *dentry,
138 unsigned int flags);
139extern void __audit_file(const struct file *);
140extern void __audit_inode_child(const struct inode *parent,
141 const struct dentry *dentry,
142 const unsigned char type);
143extern void __audit_seccomp(unsigned long syscall, long signr, int code);
144extern void __audit_ptrace(struct task_struct *t);
145
146static inline int audit_dummy_context(void)
147{
148 void *p = current->audit_context;
149 return !p || *(int *)p;
150}
151static inline void audit_free(struct task_struct *task)
152{
153 if (unlikely(task->audit_context))
154 __audit_free(task);
155}
156static inline void audit_syscall_entry(int major, unsigned long a0,
157 unsigned long a1, unsigned long a2,
158 unsigned long a3)
159{
160 if (unlikely(current->audit_context))
161 __audit_syscall_entry(major, a0, a1, a2, a3);
162}
163static inline void audit_syscall_exit(void *pt_regs)
164{
165 if (unlikely(current->audit_context)) {
166 int success = is_syscall_success(pt_regs);
167 long return_code = regs_return_value(pt_regs);
168
169 __audit_syscall_exit(success, return_code);
170 }
171}
172static inline struct filename *audit_reusename(const __user char *name)
173{
174 if (unlikely(!audit_dummy_context()))
175 return __audit_reusename(name);
176 return NULL;
177}
178static inline void audit_getname(struct filename *name)
179{
180 if (unlikely(!audit_dummy_context()))
181 __audit_getname(name);
182}
183static inline void audit_inode(struct filename *name,
184 const struct dentry *dentry,
185 unsigned int parent) {
186 if (unlikely(!audit_dummy_context())) {
187 unsigned int flags = 0;
188 if (parent)
189 flags |= AUDIT_INODE_PARENT;
190 __audit_inode(name, dentry, flags);
191 }
192}
193static inline void audit_file(struct file *file)
194{
195 if (unlikely(!audit_dummy_context()))
196 __audit_file(file);
197}
198static inline void audit_inode_parent_hidden(struct filename *name,
199 const struct dentry *dentry)
200{
201 if (unlikely(!audit_dummy_context()))
202 __audit_inode(name, dentry,
203 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
204}
205static inline void audit_inode_child(const struct inode *parent,
206 const struct dentry *dentry,
207 const unsigned char type) {
208 if (unlikely(!audit_dummy_context()))
209 __audit_inode_child(parent, dentry, type);
210}
211void audit_core_dumps(long signr);
212
213static inline void audit_seccomp(unsigned long syscall, long signr, int code)
214{
215
216 if (signr || unlikely(!audit_dummy_context()))
217 __audit_seccomp(syscall, signr, code);
218}
219
220static inline void audit_ptrace(struct task_struct *t)
221{
222 if (unlikely(!audit_dummy_context()))
223 __audit_ptrace(t);
224}
225
226
227extern unsigned int audit_serial(void);
228extern int auditsc_get_stamp(struct audit_context *ctx,
229 struct timespec *t, unsigned int *serial);
230extern int audit_set_loginuid(kuid_t loginuid);
231
232static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
233{
234 return tsk->loginuid;
235}
236
237static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
238{
239 return tsk->sessionid;
240}
241
242extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
243extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
244extern void __audit_bprm(struct linux_binprm *bprm);
245extern int __audit_socketcall(int nargs, unsigned long *args);
246extern int __audit_sockaddr(int len, void *addr);
247extern void __audit_fd_pair(int fd1, int fd2);
248extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
249extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout);
250extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
251extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
252extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
253 const struct cred *new,
254 const struct cred *old);
255extern void __audit_log_capset(const struct cred *new, const struct cred *old);
256extern void __audit_mmap_fd(int fd, int flags);
257
258static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
259{
260 if (unlikely(!audit_dummy_context()))
261 __audit_ipc_obj(ipcp);
262}
263static inline void audit_fd_pair(int fd1, int fd2)
264{
265 if (unlikely(!audit_dummy_context()))
266 __audit_fd_pair(fd1, fd2);
267}
268static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
269{
270 if (unlikely(!audit_dummy_context()))
271 __audit_ipc_set_perm(qbytes, uid, gid, mode);
272}
273static inline void audit_bprm(struct linux_binprm *bprm)
274{
275 if (unlikely(!audit_dummy_context()))
276 __audit_bprm(bprm);
277}
278static inline int audit_socketcall(int nargs, unsigned long *args)
279{
280 if (unlikely(!audit_dummy_context()))
281 return __audit_socketcall(nargs, args);
282 return 0;
283}
284static inline int audit_sockaddr(int len, void *addr)
285{
286 if (unlikely(!audit_dummy_context()))
287 return __audit_sockaddr(len, addr);
288 return 0;
289}
290static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
291{
292 if (unlikely(!audit_dummy_context()))
293 __audit_mq_open(oflag, mode, attr);
294}
295static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)
296{
297 if (unlikely(!audit_dummy_context()))
298 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
299}
300static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
301{
302 if (unlikely(!audit_dummy_context()))
303 __audit_mq_notify(mqdes, notification);
304}
305static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
306{
307 if (unlikely(!audit_dummy_context()))
308 __audit_mq_getsetattr(mqdes, mqstat);
309}
310
311static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
312 const struct cred *new,
313 const struct cred *old)
314{
315 if (unlikely(!audit_dummy_context()))
316 return __audit_log_bprm_fcaps(bprm, new, old);
317 return 0;
318}
319
320static inline void audit_log_capset(const struct cred *new,
321 const struct cred *old)
322{
323 if (unlikely(!audit_dummy_context()))
324 __audit_log_capset(new, old);
325}
326
327static inline void audit_mmap_fd(int fd, int flags)
328{
329 if (unlikely(!audit_dummy_context()))
330 __audit_mmap_fd(fd, flags);
331}
332
333extern int audit_n_rules;
334extern int audit_signals;
335#else
336static inline int audit_alloc(struct task_struct *task)
337{
338 return 0;
339}
340static inline void audit_free(struct task_struct *task)
341{ }
342static inline void audit_syscall_entry(int major, unsigned long a0,
343 unsigned long a1, unsigned long a2,
344 unsigned long a3)
345{ }
346static inline void audit_syscall_exit(void *pt_regs)
347{ }
348static inline int audit_dummy_context(void)
349{
350 return 1;
351}
352static inline struct filename *audit_reusename(const __user char *name)
353{
354 return NULL;
355}
356static inline void audit_getname(struct filename *name)
357{ }
358static inline void __audit_inode(struct filename *name,
359 const struct dentry *dentry,
360 unsigned int flags)
361{ }
362static inline void __audit_inode_child(const struct inode *parent,
363 const struct dentry *dentry,
364 const unsigned char type)
365{ }
366static inline void audit_inode(struct filename *name,
367 const struct dentry *dentry,
368 unsigned int parent)
369{ }
370static inline void audit_file(struct file *file)
371{
372}
373static inline void audit_inode_parent_hidden(struct filename *name,
374 const struct dentry *dentry)
375{ }
376static inline void audit_inode_child(const struct inode *parent,
377 const struct dentry *dentry,
378 const unsigned char type)
379{ }
380static inline void audit_core_dumps(long signr)
381{ }
382static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
383{ }
384static inline void audit_seccomp(unsigned long syscall, long signr, int code)
385{ }
386static inline int auditsc_get_stamp(struct audit_context *ctx,
387 struct timespec *t, unsigned int *serial)
388{
389 return 0;
390}
391static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
392{
393 return INVALID_UID;
394}
395static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
396{
397 return -1;
398}
399static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
400{ }
401static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
402 gid_t gid, umode_t mode)
403{ }
404static inline void audit_bprm(struct linux_binprm *bprm)
405{ }
406static inline int audit_socketcall(int nargs, unsigned long *args)
407{
408 return 0;
409}
410static inline void audit_fd_pair(int fd1, int fd2)
411{ }
412static inline int audit_sockaddr(int len, void *addr)
413{
414 return 0;
415}
416static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
417{ }
418static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len,
419 unsigned int msg_prio,
420 const struct timespec *abs_timeout)
421{ }
422static inline void audit_mq_notify(mqd_t mqdes,
423 const struct sigevent *notification)
424{ }
425static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
426{ }
427static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
428 const struct cred *new,
429 const struct cred *old)
430{
431 return 0;
432}
433static inline void audit_log_capset(const struct cred *new,
434 const struct cred *old)
435{ }
436static inline void audit_mmap_fd(int fd, int flags)
437{ }
438static inline void audit_ptrace(struct task_struct *t)
439{ }
440#define audit_n_rules 0
441#define audit_signals 0
442#endif
443
444static inline bool audit_loginuid_set(struct task_struct *tsk)
445{
446 return uid_valid(audit_get_loginuid(tsk));
447}
448
449#ifdef CONFIG_AUDIT
450
451
452extern __printf(4, 5)
453void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
454 const char *fmt, ...);
455
456extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
457extern __printf(2, 3)
458void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
459extern void audit_log_end(struct audit_buffer *ab);
460extern int audit_string_contains_control(const char *string,
461 size_t len);
462extern void audit_log_n_hex(struct audit_buffer *ab,
463 const unsigned char *buf,
464 size_t len);
465extern void audit_log_n_string(struct audit_buffer *ab,
466 const char *buf,
467 size_t n);
468extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
469 const char *string,
470 size_t n);
471extern void audit_log_untrustedstring(struct audit_buffer *ab,
472 const char *string);
473extern void audit_log_d_path(struct audit_buffer *ab,
474 const char *prefix,
475 const struct path *path);
476extern void audit_log_key(struct audit_buffer *ab,
477 char *key);
478extern void audit_log_link_denied(const char *operation,
479 struct path *link);
480extern void audit_log_lost(const char *message);
481#ifdef CONFIG_SECURITY
482extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
483#else
484static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
485{ }
486#endif
487
488extern int audit_log_task_context(struct audit_buffer *ab);
489extern void audit_log_task_info(struct audit_buffer *ab,
490 struct task_struct *tsk);
491
492extern int audit_update_lsm_rules(void);
493
494
495extern int audit_filter_user(int type);
496extern int audit_filter_type(int type);
497extern int audit_rule_change(int type, __u32 portid, int seq,
498 void *data, size_t datasz);
499extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
500
501extern u32 audit_enabled;
502#else
503static inline __printf(4, 5)
504void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
505 const char *fmt, ...)
506{ }
507static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
508 gfp_t gfp_mask, int type)
509{
510 return NULL;
511}
512static inline __printf(2, 3)
513void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
514{ }
515static inline void audit_log_end(struct audit_buffer *ab)
516{ }
517static inline void audit_log_n_hex(struct audit_buffer *ab,
518 const unsigned char *buf, size_t len)
519{ }
520static inline void audit_log_n_string(struct audit_buffer *ab,
521 const char *buf, size_t n)
522{ }
523static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
524 const char *string, size_t n)
525{ }
526static inline void audit_log_untrustedstring(struct audit_buffer *ab,
527 const char *string)
528{ }
529static inline void audit_log_d_path(struct audit_buffer *ab,
530 const char *prefix,
531 const struct path *path)
532{ }
533static inline void audit_log_key(struct audit_buffer *ab, char *key)
534{ }
535static inline void audit_log_link_denied(const char *string,
536 const struct path *link)
537{ }
538static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
539{ }
540static inline int audit_log_task_context(struct audit_buffer *ab)
541{
542 return 0;
543}
544static inline void audit_log_task_info(struct audit_buffer *ab,
545 struct task_struct *tsk)
546{ }
547#define audit_enabled 0
548#endif
549static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
550{
551 audit_log_n_string(ab, buf, strlen(buf));
552}
553
554#endif
555
