linux/include/linux/audit.h
<<
>>
Prefs
   1/* audit.h -- Auditing support
   2 *
   3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
   4 * All Rights Reserved.
   5 *
   6 * This program is free software; you can redistribute it and/or modify
   7 * it under the terms of the GNU General Public License as published by
   8 * the Free Software Foundation; either version 2 of the License, or
   9 * (at your option) any later version.
  10 *
  11 * This program is distributed in the hope that it will be useful,
  12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14 * GNU General Public License for more details.
  15 *
  16 * You should have received a copy of the GNU General Public License
  17 * along with this program; if not, write to the Free Software
  18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  19 *
  20 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  21 *
  22 */
  23#ifndef _LINUX_AUDIT_H_
  24#define _LINUX_AUDIT_H_
  25
  26#include <linux/sched.h>
  27#include <uapi/linux/audit.h>
  28
  29struct audit_sig_info {
  30        uid_t           uid;
  31        pid_t           pid;
  32        char            ctx[0];
  33};
  34
  35struct audit_buffer;
  36struct audit_context;
  37struct inode;
  38struct netlink_skb_parms;
  39struct path;
  40struct linux_binprm;
  41struct mq_attr;
  42struct mqstat;
  43struct audit_watch;
  44struct audit_tree;
  45
  46struct audit_krule {
  47        int                     vers_ops;
  48        u32                     flags;
  49        u32                     listnr;
  50        u32                     action;
  51        u32                     mask[AUDIT_BITMASK_SIZE];
  52        u32                     buflen; /* for data alloc on list rules */
  53        u32                     field_count;
  54        char                    *filterkey; /* ties events to rules */
  55        struct audit_field      *fields;
  56        struct audit_field      *arch_f; /* quick access to arch field */
  57        struct audit_field      *inode_f; /* quick access to an inode field */
  58        struct audit_watch      *watch; /* associated watch */
  59        struct audit_tree       *tree;  /* associated watched tree */
  60        struct list_head        rlist;  /* entry in audit_{watch,tree}.rules list */
  61        struct list_head        list;   /* for AUDIT_LIST* purposes only */
  62        u64                     prio;
  63};
  64
  65struct audit_field {
  66        u32                             type;
  67        u32                             val;
  68        kuid_t                          uid;
  69        kgid_t                          gid;
  70        u32                             op;
  71        char                            *lsm_str;
  72        void                            *lsm_rule;
  73};
  74
  75extern int __init audit_register_class(int class, unsigned *list);
  76extern int audit_classify_syscall(int abi, unsigned syscall);
  77extern int audit_classify_arch(int arch);
  78
  79/* audit_names->type values */
  80#define AUDIT_TYPE_UNKNOWN      0       /* we don't know yet */
  81#define AUDIT_TYPE_NORMAL       1       /* a "normal" audit record */
  82#define AUDIT_TYPE_PARENT       2       /* a parent audit record */
  83#define AUDIT_TYPE_CHILD_DELETE 3       /* a child being deleted */
  84#define AUDIT_TYPE_CHILD_CREATE 4       /* a child being created */
  85
  86struct filename;
  87
  88#ifdef CONFIG_AUDITSYSCALL
  89/* These are defined in auditsc.c */
  90                                /* Public API */
  91extern int  audit_alloc(struct task_struct *task);
  92extern void __audit_free(struct task_struct *task);
  93extern void __audit_syscall_entry(int arch,
  94                                  int major, unsigned long a0, unsigned long a1,
  95                                  unsigned long a2, unsigned long a3);
  96extern void __audit_syscall_exit(int ret_success, long ret_value);
  97extern struct filename *__audit_reusename(const __user char *uptr);
  98extern void __audit_getname(struct filename *name);
  99extern void audit_putname(struct filename *name);
 100extern void __audit_inode(struct filename *name, const struct dentry *dentry,
 101                                unsigned int parent);
 102extern void __audit_inode_child(const struct inode *parent,
 103                                const struct dentry *dentry,
 104                                const unsigned char type);
 105extern void __audit_seccomp(unsigned long syscall, long signr, int code);
 106extern void __audit_ptrace(struct task_struct *t);
 107
 108static inline int audit_dummy_context(void)
 109{
 110        void *p = current->audit_context;
 111        return !p || *(int *)p;
 112}
 113static inline void audit_free(struct task_struct *task)
 114{
 115        if (unlikely(task->audit_context))
 116                __audit_free(task);
 117}
 118static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
 119                                       unsigned long a1, unsigned long a2,
 120                                       unsigned long a3)
 121{
 122        if (unlikely(!audit_dummy_context()))
 123                __audit_syscall_entry(arch, major, a0, a1, a2, a3);
 124}
 125static inline void audit_syscall_exit(void *pt_regs)
 126{
 127        if (unlikely(current->audit_context)) {
 128                int success = is_syscall_success(pt_regs);
 129                int return_code = regs_return_value(pt_regs);
 130
 131                __audit_syscall_exit(success, return_code);
 132        }
 133}
 134static inline struct filename *audit_reusename(const __user char *name)
 135{
 136        if (unlikely(!audit_dummy_context()))
 137                return __audit_reusename(name);
 138        return NULL;
 139}
 140static inline void audit_getname(struct filename *name)
 141{
 142        if (unlikely(!audit_dummy_context()))
 143                __audit_getname(name);
 144}
 145static inline void audit_inode(struct filename *name, const struct dentry *dentry,
 146                                unsigned int parent) {
 147        if (unlikely(!audit_dummy_context()))
 148                __audit_inode(name, dentry, parent);
 149}
 150static inline void audit_inode_child(const struct inode *parent,
 151                                     const struct dentry *dentry,
 152                                     const unsigned char type) {
 153        if (unlikely(!audit_dummy_context()))
 154                __audit_inode_child(parent, dentry, type);
 155}
 156void audit_core_dumps(long signr);
 157
 158static inline void audit_seccomp(unsigned long syscall, long signr, int code)
 159{
 160        if (unlikely(!audit_dummy_context()))
 161                __audit_seccomp(syscall, signr, code);
 162}
 163
 164static inline void audit_ptrace(struct task_struct *t)
 165{
 166        if (unlikely(!audit_dummy_context()))
 167                __audit_ptrace(t);
 168}
 169
 170                                /* Private API (for audit.c only) */
 171extern unsigned int audit_serial(void);
 172extern int auditsc_get_stamp(struct audit_context *ctx,
 173                              struct timespec *t, unsigned int *serial);
 174extern int audit_set_loginuid(kuid_t loginuid);
 175
 176static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 177{
 178        return tsk->loginuid;
 179}
 180
 181static inline int audit_get_sessionid(struct task_struct *tsk)
 182{
 183        return tsk->sessionid;
 184}
 185
 186extern void audit_log_task_context(struct audit_buffer *ab);
 187extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk);
 188extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
 189extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
 190extern int __audit_bprm(struct linux_binprm *bprm);
 191extern void __audit_socketcall(int nargs, unsigned long *args);
 192extern int __audit_sockaddr(int len, void *addr);
 193extern void __audit_fd_pair(int fd1, int fd2);
 194extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
 195extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout);
 196extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
 197extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
 198extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
 199                                  const struct cred *new,
 200                                  const struct cred *old);
 201extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old);
 202extern void __audit_mmap_fd(int fd, int flags);
 203
 204static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 205{
 206        if (unlikely(!audit_dummy_context()))
 207                __audit_ipc_obj(ipcp);
 208}
 209static inline void audit_fd_pair(int fd1, int fd2)
 210{
 211        if (unlikely(!audit_dummy_context()))
 212                __audit_fd_pair(fd1, fd2);
 213}
 214static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
 215{
 216        if (unlikely(!audit_dummy_context()))
 217                __audit_ipc_set_perm(qbytes, uid, gid, mode);
 218}
 219static inline int audit_bprm(struct linux_binprm *bprm)
 220{
 221        if (unlikely(!audit_dummy_context()))
 222                return __audit_bprm(bprm);
 223        return 0;
 224}
 225static inline void audit_socketcall(int nargs, unsigned long *args)
 226{
 227        if (unlikely(!audit_dummy_context()))
 228                __audit_socketcall(nargs, args);
 229}
 230static inline int audit_sockaddr(int len, void *addr)
 231{
 232        if (unlikely(!audit_dummy_context()))
 233                return __audit_sockaddr(len, addr);
 234        return 0;
 235}
 236static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
 237{
 238        if (unlikely(!audit_dummy_context()))
 239                __audit_mq_open(oflag, mode, attr);
 240}
 241static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)
 242{
 243        if (unlikely(!audit_dummy_context()))
 244                __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
 245}
 246static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
 247{
 248        if (unlikely(!audit_dummy_context()))
 249                __audit_mq_notify(mqdes, notification);
 250}
 251static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
 252{
 253        if (unlikely(!audit_dummy_context()))
 254                __audit_mq_getsetattr(mqdes, mqstat);
 255}
 256
 257static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
 258                                       const struct cred *new,
 259                                       const struct cred *old)
 260{
 261        if (unlikely(!audit_dummy_context()))
 262                return __audit_log_bprm_fcaps(bprm, new, old);
 263        return 0;
 264}
 265
 266static inline void audit_log_capset(pid_t pid, const struct cred *new,
 267                                   const struct cred *old)
 268{
 269        if (unlikely(!audit_dummy_context()))
 270                __audit_log_capset(pid, new, old);
 271}
 272
 273static inline void audit_mmap_fd(int fd, int flags)
 274{
 275        if (unlikely(!audit_dummy_context()))
 276                __audit_mmap_fd(fd, flags);
 277}
 278
 279extern int audit_n_rules;
 280extern int audit_signals;
 281#else /* CONFIG_AUDITSYSCALL */
 282static inline int audit_alloc(struct task_struct *task)
 283{
 284        return 0;
 285}
 286static inline void audit_free(struct task_struct *task)
 287{ }
 288static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
 289                                       unsigned long a1, unsigned long a2,
 290                                       unsigned long a3)
 291{ }
 292static inline void audit_syscall_exit(void *pt_regs)
 293{ }
 294static inline int audit_dummy_context(void)
 295{
 296        return 1;
 297}
 298static inline struct filename *audit_reusename(const __user char *name)
 299{
 300        return NULL;
 301}
 302static inline void audit_getname(struct filename *name)
 303{ }
 304static inline void audit_putname(struct filename *name)
 305{ }
 306static inline void __audit_inode(struct filename *name,
 307                                        const struct dentry *dentry,
 308                                        unsigned int parent)
 309{ }
 310static inline void __audit_inode_child(const struct inode *parent,
 311                                        const struct dentry *dentry,
 312                                        const unsigned char type)
 313{ }
 314static inline void audit_inode(struct filename *name,
 315                                const struct dentry *dentry,
 316                                unsigned int parent)
 317{ }
 318static inline void audit_inode_child(const struct inode *parent,
 319                                     const struct dentry *dentry,
 320                                     const unsigned char type)
 321{ }
 322static inline void audit_core_dumps(long signr)
 323{ }
 324static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
 325{ }
 326static inline void audit_seccomp(unsigned long syscall, long signr, int code)
 327{ }
 328static inline int auditsc_get_stamp(struct audit_context *ctx,
 329                              struct timespec *t, unsigned int *serial)
 330{
 331        return 0;
 332}
 333static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 334{
 335        return INVALID_UID;
 336}
 337static inline int audit_get_sessionid(struct task_struct *tsk)
 338{
 339        return -1;
 340}
 341static inline void audit_log_task_context(struct audit_buffer *ab)
 342{ }
 343static inline void audit_log_task_info(struct audit_buffer *ab,
 344                                       struct task_struct *tsk)
 345{ }
 346static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 347{ }
 348static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
 349                                        gid_t gid, umode_t mode)
 350{ }
 351static inline int audit_bprm(struct linux_binprm *bprm)
 352{
 353        return 0;
 354}
 355static inline void audit_socketcall(int nargs, unsigned long *args)
 356{ }
 357static inline void audit_fd_pair(int fd1, int fd2)
 358{ }
 359static inline int audit_sockaddr(int len, void *addr)
 360{
 361        return 0;
 362}
 363static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
 364{ }
 365static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len,
 366                                     unsigned int msg_prio,
 367                                     const struct timespec *abs_timeout)
 368{ }
 369static inline void audit_mq_notify(mqd_t mqdes,
 370                                   const struct sigevent *notification)
 371{ }
 372static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
 373{ }
 374static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
 375                                       const struct cred *new,
 376                                       const struct cred *old)
 377{
 378        return 0;
 379}
 380static inline void audit_log_capset(pid_t pid, const struct cred *new,
 381                                   const struct cred *old)
 382{ }
 383static inline void audit_mmap_fd(int fd, int flags)
 384{ }
 385static inline void audit_ptrace(struct task_struct *t)
 386{ }
 387#define audit_n_rules 0
 388#define audit_signals 0
 389#endif /* CONFIG_AUDITSYSCALL */
 390
 391#ifdef CONFIG_AUDIT
 392/* These are defined in audit.c */
 393                                /* Public API */
 394extern __printf(4, 5)
 395void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
 396               const char *fmt, ...);
 397
 398extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
 399extern __printf(2, 3)
 400void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
 401extern void                 audit_log_end(struct audit_buffer *ab);
 402extern int                  audit_string_contains_control(const char *string,
 403                                                          size_t len);
 404extern void                 audit_log_n_hex(struct audit_buffer *ab,
 405                                          const unsigned char *buf,
 406                                          size_t len);
 407extern void                 audit_log_n_string(struct audit_buffer *ab,
 408                                               const char *buf,
 409                                               size_t n);
 410extern void                 audit_log_n_untrustedstring(struct audit_buffer *ab,
 411                                                        const char *string,
 412                                                        size_t n);
 413extern void                 audit_log_untrustedstring(struct audit_buffer *ab,
 414                                                      const char *string);
 415extern void                 audit_log_d_path(struct audit_buffer *ab,
 416                                             const char *prefix,
 417                                             const struct path *path);
 418extern void                 audit_log_key(struct audit_buffer *ab,
 419                                          char *key);
 420extern void                 audit_log_link_denied(const char *operation,
 421                                                  struct path *link);
 422extern void                 audit_log_lost(const char *message);
 423#ifdef CONFIG_SECURITY
 424extern void                 audit_log_secctx(struct audit_buffer *ab, u32 secid);
 425#else
 426static inline void          audit_log_secctx(struct audit_buffer *ab, u32 secid)
 427{ }
 428#endif
 429
 430extern int                  audit_update_lsm_rules(void);
 431
 432                                /* Private API (for audit.c only) */
 433extern int audit_filter_user(void);
 434extern int audit_filter_type(int type);
 435extern int  audit_receive_filter(int type, int pid, int seq,
 436                                void *data, size_t datasz, kuid_t loginuid,
 437                                u32 sessionid, u32 sid);
 438extern int audit_enabled;
 439#else /* CONFIG_AUDIT */
 440static inline __printf(4, 5)
 441void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
 442               const char *fmt, ...)
 443{ }
 444static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
 445                                                   gfp_t gfp_mask, int type)
 446{
 447        return NULL;
 448}
 449static inline __printf(2, 3)
 450void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
 451{ }
 452static inline void audit_log_end(struct audit_buffer *ab)
 453{ }
 454static inline void audit_log_n_hex(struct audit_buffer *ab,
 455                                   const unsigned char *buf, size_t len)
 456{ }
 457static inline void audit_log_n_string(struct audit_buffer *ab,
 458                                      const char *buf, size_t n)
 459{ }
 460static inline void  audit_log_n_untrustedstring(struct audit_buffer *ab,
 461                                                const char *string, size_t n)
 462{ }
 463static inline void audit_log_untrustedstring(struct audit_buffer *ab,
 464                                             const char *string)
 465{ }
 466static inline void audit_log_d_path(struct audit_buffer *ab,
 467                                    const char *prefix,
 468                                    const struct path *path)
 469{ }
 470static inline void audit_log_key(struct audit_buffer *ab, char *key)
 471{ }
 472static inline void audit_log_link_denied(const char *string,
 473                                         const struct path *link)
 474{ }
 475static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
 476{ }
 477#define audit_enabled 0
 478#endif /* CONFIG_AUDIT */
 479static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
 480{
 481        audit_log_n_string(ab, buf, strlen(buf));
 482}
 483
 484#endif
 485
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.