1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23#ifndef _LINUX_AUDIT_H_
24#define _LINUX_AUDIT_H_
25
26#include <linux/sched.h>
27#include <linux/ptrace.h>
28#include <uapi/linux/audit.h>
29
30#define AUDIT_INO_UNSET ((unsigned long)-1)
31#define AUDIT_DEV_UNSET ((dev_t)-1)
32
33struct audit_sig_info {
34 uid_t uid;
35 pid_t pid;
36 char ctx[0];
37};
38
39struct audit_buffer;
40struct audit_context;
41struct inode;
42struct netlink_skb_parms;
43struct path;
44struct linux_binprm;
45struct mq_attr;
46struct mqstat;
47struct audit_watch;
48struct audit_tree;
49struct sk_buff;
50
51struct audit_krule {
52 u32 pflags;
53 u32 flags;
54 u32 listnr;
55 u32 action;
56 u32 mask[AUDIT_BITMASK_SIZE];
57 u32 buflen;
58 u32 field_count;
59 char *filterkey;
60 struct audit_field *fields;
61 struct audit_field *arch_f;
62 struct audit_field *inode_f;
63 struct audit_watch *watch;
64 struct audit_tree *tree;
65 struct audit_fsnotify_mark *exe;
66 struct list_head rlist;
67 struct list_head list;
68 u64 prio;
69};
70
71
72#define AUDIT_LOGINUID_LEGACY 0x1
73
74struct audit_field {
75 u32 type;
76 union {
77 u32 val;
78 kuid_t uid;
79 kgid_t gid;
80 struct {
81 char *lsm_str;
82 void *lsm_rule;
83 };
84 };
85 u32 op;
86};
87
88extern int is_audit_feature_set(int which);
89
90extern int __init audit_register_class(int class, unsigned *list);
91extern int audit_classify_syscall(int abi, unsigned syscall);
92extern int audit_classify_arch(int arch);
93
94extern unsigned compat_write_class[];
95extern unsigned compat_read_class[];
96extern unsigned compat_dir_class[];
97extern unsigned compat_chattr_class[];
98extern unsigned compat_signal_class[];
99
100extern int audit_classify_compat_syscall(int abi, unsigned syscall);
101
102
103#define AUDIT_TYPE_UNKNOWN 0
104#define AUDIT_TYPE_NORMAL 1
105#define AUDIT_TYPE_PARENT 2
106#define AUDIT_TYPE_CHILD_DELETE 3
107#define AUDIT_TYPE_CHILD_CREATE 4
108
109
110#define AUDITSC_ARGS 6
111
112
113#define AUDIT_TTY_ENABLE BIT(0)
114#define AUDIT_TTY_LOG_PASSWD BIT(1)
115
116struct filename;
117
118extern void audit_log_session_info(struct audit_buffer *ab);
119
120#ifdef CONFIG_AUDIT
121
122
123extern __printf(4, 5)
124void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
125 const char *fmt, ...);
126
127extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
128extern __printf(2, 3)
129void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
130extern void audit_log_end(struct audit_buffer *ab);
131extern bool audit_string_contains_control(const char *string,
132 size_t len);
133extern void audit_log_n_hex(struct audit_buffer *ab,
134 const unsigned char *buf,
135 size_t len);
136extern void audit_log_n_string(struct audit_buffer *ab,
137 const char *buf,
138 size_t n);
139extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
140 const char *string,
141 size_t n);
142extern void audit_log_untrustedstring(struct audit_buffer *ab,
143 const char *string);
144extern void audit_log_d_path(struct audit_buffer *ab,
145 const char *prefix,
146 const struct path *path);
147extern void audit_log_key(struct audit_buffer *ab,
148 char *key);
149extern void audit_log_link_denied(const char *operation,
150 struct path *link);
151extern void audit_log_lost(const char *message);
152#ifdef CONFIG_SECURITY
153extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
154#else
155static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
156{ }
157#endif
158
159extern int audit_log_task_context(struct audit_buffer *ab);
160extern void audit_log_task_info(struct audit_buffer *ab,
161 struct task_struct *tsk);
162
163extern int audit_update_lsm_rules(void);
164
165
166extern int audit_rule_change(int type, __u32 portid, int seq,
167 void *data, size_t datasz);
168extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
169
170extern u32 audit_enabled;
171#else
172static inline __printf(4, 5)
173void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
174 const char *fmt, ...)
175{ }
176static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
177 gfp_t gfp_mask, int type)
178{
179 return NULL;
180}
181static inline __printf(2, 3)
182void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
183{ }
184static inline void audit_log_end(struct audit_buffer *ab)
185{ }
186static inline void audit_log_n_hex(struct audit_buffer *ab,
187 const unsigned char *buf, size_t len)
188{ }
189static inline void audit_log_n_string(struct audit_buffer *ab,
190 const char *buf, size_t n)
191{ }
192static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
193 const char *string, size_t n)
194{ }
195static inline void audit_log_untrustedstring(struct audit_buffer *ab,
196 const char *string)
197{ }
198static inline void audit_log_d_path(struct audit_buffer *ab,
199 const char *prefix,
200 const struct path *path)
201{ }
202static inline void audit_log_key(struct audit_buffer *ab, char *key)
203{ }
204static inline void audit_log_link_denied(const char *string,
205 const struct path *link)
206{ }
207static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
208{ }
209static inline int audit_log_task_context(struct audit_buffer *ab)
210{
211 return 0;
212}
213static inline void audit_log_task_info(struct audit_buffer *ab,
214 struct task_struct *tsk)
215{ }
216#define audit_enabled 0
217#endif
218
219#ifdef CONFIG_AUDIT_COMPAT_GENERIC
220#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT))
221#else
222#define audit_is_compat(arch) false
223#endif
224
225#ifdef CONFIG_AUDITSYSCALL
226#include <asm/syscall.h>
227
228
229
230extern int audit_alloc(struct task_struct *task);
231extern void __audit_free(struct task_struct *task);
232extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
233 unsigned long a2, unsigned long a3);
234extern void __audit_syscall_exit(int ret_success, long ret_value);
235extern struct filename *__audit_reusename(const __user char *uptr);
236extern void __audit_getname(struct filename *name);
237
238#define AUDIT_INODE_PARENT 1
239#define AUDIT_INODE_HIDDEN 2
240extern void __audit_inode(struct filename *name, const struct dentry *dentry,
241 unsigned int flags);
242extern void __audit_file(const struct file *);
243extern void __audit_inode_child(struct inode *parent,
244 const struct dentry *dentry,
245 const unsigned char type);
246extern void __audit_seccomp(unsigned long syscall, long signr, int code);
247extern void __audit_ptrace(struct task_struct *t);
248
249static inline bool audit_dummy_context(void)
250{
251 void *p = current->audit_context;
252 return !p || *(int *)p;
253}
254static inline void audit_free(struct task_struct *task)
255{
256 if (unlikely(task->audit_context))
257 __audit_free(task);
258}
259static inline void audit_syscall_entry(int major, unsigned long a0,
260 unsigned long a1, unsigned long a2,
261 unsigned long a3)
262{
263 if (unlikely(current->audit_context))
264 __audit_syscall_entry(major, a0, a1, a2, a3);
265}
266static inline void audit_syscall_exit(void *pt_regs)
267{
268 if (unlikely(current->audit_context)) {
269 int success = is_syscall_success(pt_regs);
270 long return_code = regs_return_value(pt_regs);
271
272 __audit_syscall_exit(success, return_code);
273 }
274}
275static inline struct filename *audit_reusename(const __user char *name)
276{
277 if (unlikely(!audit_dummy_context()))
278 return __audit_reusename(name);
279 return NULL;
280}
281static inline void audit_getname(struct filename *name)
282{
283 if (unlikely(!audit_dummy_context()))
284 __audit_getname(name);
285}
286static inline void audit_inode(struct filename *name,
287 const struct dentry *dentry,
288 unsigned int parent) {
289 if (unlikely(!audit_dummy_context())) {
290 unsigned int flags = 0;
291 if (parent)
292 flags |= AUDIT_INODE_PARENT;
293 __audit_inode(name, dentry, flags);
294 }
295}
296static inline void audit_file(struct file *file)
297{
298 if (unlikely(!audit_dummy_context()))
299 __audit_file(file);
300}
301static inline void audit_inode_parent_hidden(struct filename *name,
302 const struct dentry *dentry)
303{
304 if (unlikely(!audit_dummy_context()))
305 __audit_inode(name, dentry,
306 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
307}
308static inline void audit_inode_child(struct inode *parent,
309 const struct dentry *dentry,
310 const unsigned char type) {
311 if (unlikely(!audit_dummy_context()))
312 __audit_inode_child(parent, dentry, type);
313}
314void audit_core_dumps(long signr);
315
316static inline void audit_seccomp(unsigned long syscall, long signr, int code)
317{
318 if (!audit_enabled)
319 return;
320
321
322 if (signr || unlikely(!audit_dummy_context()))
323 __audit_seccomp(syscall, signr, code);
324}
325
326static inline void audit_ptrace(struct task_struct *t)
327{
328 if (unlikely(!audit_dummy_context()))
329 __audit_ptrace(t);
330}
331
332
333extern unsigned int audit_serial(void);
334extern int auditsc_get_stamp(struct audit_context *ctx,
335 struct timespec *t, unsigned int *serial);
336extern int audit_set_loginuid(kuid_t loginuid);
337
338static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
339{
340 return tsk->loginuid;
341}
342
343static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
344{
345 return tsk->sessionid;
346}
347
348extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
349extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
350extern void __audit_bprm(struct linux_binprm *bprm);
351extern int __audit_socketcall(int nargs, unsigned long *args);
352extern int __audit_sockaddr(int len, void *addr);
353extern void __audit_fd_pair(int fd1, int fd2);
354extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
355extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout);
356extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
357extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
358extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
359 const struct cred *new,
360 const struct cred *old);
361extern void __audit_log_capset(const struct cred *new, const struct cred *old);
362extern void __audit_mmap_fd(int fd, int flags);
363
364static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
365{
366 if (unlikely(!audit_dummy_context()))
367 __audit_ipc_obj(ipcp);
368}
369static inline void audit_fd_pair(int fd1, int fd2)
370{
371 if (unlikely(!audit_dummy_context()))
372 __audit_fd_pair(fd1, fd2);
373}
374static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
375{
376 if (unlikely(!audit_dummy_context()))
377 __audit_ipc_set_perm(qbytes, uid, gid, mode);
378}
379static inline void audit_bprm(struct linux_binprm *bprm)
380{
381 if (unlikely(!audit_dummy_context()))
382 __audit_bprm(bprm);
383}
384static inline int audit_socketcall(int nargs, unsigned long *args)
385{
386 if (unlikely(!audit_dummy_context()))
387 return __audit_socketcall(nargs, args);
388 return 0;
389}
390static inline int audit_sockaddr(int len, void *addr)
391{
392 if (unlikely(!audit_dummy_context()))
393 return __audit_sockaddr(len, addr);
394 return 0;
395}
396static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
397{
398 if (unlikely(!audit_dummy_context()))
399 __audit_mq_open(oflag, mode, attr);
400}
401static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)
402{
403 if (unlikely(!audit_dummy_context()))
404 __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
405}
406static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
407{
408 if (unlikely(!audit_dummy_context()))
409 __audit_mq_notify(mqdes, notification);
410}
411static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
412{
413 if (unlikely(!audit_dummy_context()))
414 __audit_mq_getsetattr(mqdes, mqstat);
415}
416
417static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
418 const struct cred *new,
419 const struct cred *old)
420{
421 if (unlikely(!audit_dummy_context()))
422 return __audit_log_bprm_fcaps(bprm, new, old);
423 return 0;
424}
425
426static inline void audit_log_capset(const struct cred *new,
427 const struct cred *old)
428{
429 if (unlikely(!audit_dummy_context()))
430 __audit_log_capset(new, old);
431}
432
433static inline void audit_mmap_fd(int fd, int flags)
434{
435 if (unlikely(!audit_dummy_context()))
436 __audit_mmap_fd(fd, flags);
437}
438
439extern int audit_n_rules;
440extern int audit_signals;
441#else
442static inline int audit_alloc(struct task_struct *task)
443{
444 return 0;
445}
446static inline void audit_free(struct task_struct *task)
447{ }
448static inline void audit_syscall_entry(int major, unsigned long a0,
449 unsigned long a1, unsigned long a2,
450 unsigned long a3)
451{ }
452static inline void audit_syscall_exit(void *pt_regs)
453{ }
454static inline bool audit_dummy_context(void)
455{
456 return true;
457}
458static inline struct filename *audit_reusename(const __user char *name)
459{
460 return NULL;
461}
462static inline void audit_getname(struct filename *name)
463{ }
464static inline void __audit_inode(struct filename *name,
465 const struct dentry *dentry,
466 unsigned int flags)
467{ }
468static inline void __audit_inode_child(struct inode *parent,
469 const struct dentry *dentry,
470 const unsigned char type)
471{ }
472static inline void audit_inode(struct filename *name,
473 const struct dentry *dentry,
474 unsigned int parent)
475{ }
476static inline void audit_file(struct file *file)
477{
478}
479static inline void audit_inode_parent_hidden(struct filename *name,
480 const struct dentry *dentry)
481{ }
482static inline void audit_inode_child(struct inode *parent,
483 const struct dentry *dentry,
484 const unsigned char type)
485{ }
486static inline void audit_core_dumps(long signr)
487{ }
488static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
489{ }
490static inline void audit_seccomp(unsigned long syscall, long signr, int code)
491{ }
492static inline int auditsc_get_stamp(struct audit_context *ctx,
493 struct timespec *t, unsigned int *serial)
494{
495 return 0;
496}
497static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
498{
499 return INVALID_UID;
500}
501static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
502{
503 return -1;
504}
505static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
506{ }
507static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
508 gid_t gid, umode_t mode)
509{ }
510static inline void audit_bprm(struct linux_binprm *bprm)
511{ }
512static inline int audit_socketcall(int nargs, unsigned long *args)
513{
514 return 0;
515}
516static inline void audit_fd_pair(int fd1, int fd2)
517{ }
518static inline int audit_sockaddr(int len, void *addr)
519{
520 return 0;
521}
522static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
523{ }
524static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len,
525 unsigned int msg_prio,
526 const struct timespec *abs_timeout)
527{ }
528static inline void audit_mq_notify(mqd_t mqdes,
529 const struct sigevent *notification)
530{ }
531static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
532{ }
533static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
534 const struct cred *new,
535 const struct cred *old)
536{
537 return 0;
538}
539static inline void audit_log_capset(const struct cred *new,
540 const struct cred *old)
541{ }
542static inline void audit_mmap_fd(int fd, int flags)
543{ }
544static inline void audit_ptrace(struct task_struct *t)
545{ }
546#define audit_n_rules 0
547#define audit_signals 0
548#endif
549
550static inline bool audit_loginuid_set(struct task_struct *tsk)
551{
552 return uid_valid(audit_get_loginuid(tsk));
553}
554
555static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
556{
557 audit_log_n_string(ab, buf, strlen(buf));
558}
559
560#endif
561
