linux/include/linux/audit.h
<<
>>
Prefs
   1/* audit.h -- Auditing support
   2 *
   3 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
   4 * All Rights Reserved.
   5 *
   6 * This program is free software; you can redistribute it and/or modify
   7 * it under the terms of the GNU General Public License as published by
   8 * the Free Software Foundation; either version 2 of the License, or
   9 * (at your option) any later version.
  10 *
  11 * This program is distributed in the hope that it will be useful,
  12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14 * GNU General Public License for more details.
  15 *
  16 * You should have received a copy of the GNU General Public License
  17 * along with this program; if not, write to the Free Software
  18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  19 *
  20 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  21 *
  22 */
  23#ifndef _LINUX_AUDIT_H_
  24#define _LINUX_AUDIT_H_
  25
  26#include <linux/sched.h>
  27#include <linux/ptrace.h>
  28#include <uapi/linux/audit.h>
  29
  30struct audit_sig_info {
  31        uid_t           uid;
  32        pid_t           pid;
  33        char            ctx[0];
  34};
  35
  36struct audit_buffer;
  37struct audit_context;
  38struct inode;
  39struct netlink_skb_parms;
  40struct path;
  41struct linux_binprm;
  42struct mq_attr;
  43struct mqstat;
  44struct audit_watch;
  45struct audit_tree;
  46
  47struct audit_krule {
  48        int                     vers_ops;
  49        u32                     flags;
  50        u32                     listnr;
  51        u32                     action;
  52        u32                     mask[AUDIT_BITMASK_SIZE];
  53        u32                     buflen; /* for data alloc on list rules */
  54        u32                     field_count;
  55        char                    *filterkey; /* ties events to rules */
  56        struct audit_field      *fields;
  57        struct audit_field      *arch_f; /* quick access to arch field */
  58        struct audit_field      *inode_f; /* quick access to an inode field */
  59        struct audit_watch      *watch; /* associated watch */
  60        struct audit_tree       *tree;  /* associated watched tree */
  61        struct list_head        rlist;  /* entry in audit_{watch,tree}.rules list */
  62        struct list_head        list;   /* for AUDIT_LIST* purposes only */
  63        u64                     prio;
  64};
  65
  66struct audit_field {
  67        u32                             type;
  68        u32                             val;
  69        kuid_t                          uid;
  70        kgid_t                          gid;
  71        u32                             op;
  72        char                            *lsm_str;
  73        void                            *lsm_rule;
  74};
  75
  76extern int __init audit_register_class(int class, unsigned *list);
  77extern int audit_classify_syscall(int abi, unsigned syscall);
  78extern int audit_classify_arch(int arch);
  79
  80/* audit_names->type values */
  81#define AUDIT_TYPE_UNKNOWN      0       /* we don't know yet */
  82#define AUDIT_TYPE_NORMAL       1       /* a "normal" audit record */
  83#define AUDIT_TYPE_PARENT       2       /* a parent audit record */
  84#define AUDIT_TYPE_CHILD_DELETE 3       /* a child being deleted */
  85#define AUDIT_TYPE_CHILD_CREATE 4       /* a child being created */
  86
  87struct filename;
  88
  89#ifdef CONFIG_AUDITSYSCALL
  90/* These are defined in auditsc.c */
  91                                /* Public API */
  92extern int  audit_alloc(struct task_struct *task);
  93extern void __audit_free(struct task_struct *task);
  94extern void __audit_syscall_entry(int arch,
  95                                  int major, unsigned long a0, unsigned long a1,
  96                                  unsigned long a2, unsigned long a3);
  97extern void __audit_syscall_exit(int ret_success, long ret_value);
  98extern struct filename *__audit_reusename(const __user char *uptr);
  99extern void __audit_getname(struct filename *name);
 100extern void audit_putname(struct filename *name);
 101extern void __audit_inode(struct filename *name, const struct dentry *dentry,
 102                                unsigned int parent);
 103extern void __audit_inode_child(const struct inode *parent,
 104                                const struct dentry *dentry,
 105                                const unsigned char type);
 106extern void __audit_seccomp(unsigned long syscall, long signr, int code);
 107extern void __audit_ptrace(struct task_struct *t);
 108
 109static inline int audit_dummy_context(void)
 110{
 111        void *p = current->audit_context;
 112        return !p || *(int *)p;
 113}
 114static inline void audit_free(struct task_struct *task)
 115{
 116        if (unlikely(task->audit_context))
 117                __audit_free(task);
 118}
 119static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
 120                                       unsigned long a1, unsigned long a2,
 121                                       unsigned long a3)
 122{
 123        if (unlikely(!audit_dummy_context()))
 124                __audit_syscall_entry(arch, major, a0, a1, a2, a3);
 125}
 126static inline void audit_syscall_exit(void *pt_regs)
 127{
 128        if (unlikely(current->audit_context)) {
 129                int success = is_syscall_success(pt_regs);
 130                int return_code = regs_return_value(pt_regs);
 131
 132                __audit_syscall_exit(success, return_code);
 133        }
 134}
 135static inline struct filename *audit_reusename(const __user char *name)
 136{
 137        if (unlikely(!audit_dummy_context()))
 138                return __audit_reusename(name);
 139        return NULL;
 140}
 141static inline void audit_getname(struct filename *name)
 142{
 143        if (unlikely(!audit_dummy_context()))
 144                __audit_getname(name);
 145}
 146static inline void audit_inode(struct filename *name, const struct dentry *dentry,
 147                                unsigned int parent) {
 148        if (unlikely(!audit_dummy_context()))
 149                __audit_inode(name, dentry, parent);
 150}
 151static inline void audit_inode_child(const struct inode *parent,
 152                                     const struct dentry *dentry,
 153                                     const unsigned char type) {
 154        if (unlikely(!audit_dummy_context()))
 155                __audit_inode_child(parent, dentry, type);
 156}
 157void audit_core_dumps(long signr);
 158
 159static inline void audit_seccomp(unsigned long syscall, long signr, int code)
 160{
 161        /* Force a record to be reported if a signal was delivered. */
 162        if (signr || unlikely(!audit_dummy_context()))
 163                __audit_seccomp(syscall, signr, code);
 164}
 165
 166static inline void audit_ptrace(struct task_struct *t)
 167{
 168        if (unlikely(!audit_dummy_context()))
 169                __audit_ptrace(t);
 170}
 171
 172                                /* Private API (for audit.c only) */
 173extern unsigned int audit_serial(void);
 174extern int auditsc_get_stamp(struct audit_context *ctx,
 175                              struct timespec *t, unsigned int *serial);
 176extern int audit_set_loginuid(kuid_t loginuid);
 177
 178static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 179{
 180        return tsk->loginuid;
 181}
 182
 183static inline int audit_get_sessionid(struct task_struct *tsk)
 184{
 185        return tsk->sessionid;
 186}
 187
 188extern void audit_log_task_context(struct audit_buffer *ab);
 189extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk);
 190extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
 191extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
 192extern int __audit_bprm(struct linux_binprm *bprm);
 193extern void __audit_socketcall(int nargs, unsigned long *args);
 194extern int __audit_sockaddr(int len, void *addr);
 195extern void __audit_fd_pair(int fd1, int fd2);
 196extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
 197extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout);
 198extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
 199extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
 200extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
 201                                  const struct cred *new,
 202                                  const struct cred *old);
 203extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old);
 204extern void __audit_mmap_fd(int fd, int flags);
 205
 206static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 207{
 208        if (unlikely(!audit_dummy_context()))
 209                __audit_ipc_obj(ipcp);
 210}
 211static inline void audit_fd_pair(int fd1, int fd2)
 212{
 213        if (unlikely(!audit_dummy_context()))
 214                __audit_fd_pair(fd1, fd2);
 215}
 216static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode)
 217{
 218        if (unlikely(!audit_dummy_context()))
 219                __audit_ipc_set_perm(qbytes, uid, gid, mode);
 220}
 221static inline int audit_bprm(struct linux_binprm *bprm)
 222{
 223        if (unlikely(!audit_dummy_context()))
 224                return __audit_bprm(bprm);
 225        return 0;
 226}
 227static inline void audit_socketcall(int nargs, unsigned long *args)
 228{
 229        if (unlikely(!audit_dummy_context()))
 230                __audit_socketcall(nargs, args);
 231}
 232static inline int audit_sockaddr(int len, void *addr)
 233{
 234        if (unlikely(!audit_dummy_context()))
 235                return __audit_sockaddr(len, addr);
 236        return 0;
 237}
 238static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
 239{
 240        if (unlikely(!audit_dummy_context()))
 241                __audit_mq_open(oflag, mode, attr);
 242}
 243static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)
 244{
 245        if (unlikely(!audit_dummy_context()))
 246                __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
 247}
 248static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
 249{
 250        if (unlikely(!audit_dummy_context()))
 251                __audit_mq_notify(mqdes, notification);
 252}
 253static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
 254{
 255        if (unlikely(!audit_dummy_context()))
 256                __audit_mq_getsetattr(mqdes, mqstat);
 257}
 258
 259static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
 260                                       const struct cred *new,
 261                                       const struct cred *old)
 262{
 263        if (unlikely(!audit_dummy_context()))
 264                return __audit_log_bprm_fcaps(bprm, new, old);
 265        return 0;
 266}
 267
 268static inline void audit_log_capset(pid_t pid, const struct cred *new,
 269                                   const struct cred *old)
 270{
 271        if (unlikely(!audit_dummy_context()))
 272                __audit_log_capset(pid, new, old);
 273}
 274
 275static inline void audit_mmap_fd(int fd, int flags)
 276{
 277        if (unlikely(!audit_dummy_context()))
 278                __audit_mmap_fd(fd, flags);
 279}
 280
 281extern int audit_n_rules;
 282extern int audit_signals;
 283#else /* CONFIG_AUDITSYSCALL */
 284static inline int audit_alloc(struct task_struct *task)
 285{
 286        return 0;
 287}
 288static inline void audit_free(struct task_struct *task)
 289{ }
 290static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
 291                                       unsigned long a1, unsigned long a2,
 292                                       unsigned long a3)
 293{ }
 294static inline void audit_syscall_exit(void *pt_regs)
 295{ }
 296static inline int audit_dummy_context(void)
 297{
 298        return 1;
 299}
 300static inline struct filename *audit_reusename(const __user char *name)
 301{
 302        return NULL;
 303}
 304static inline void audit_getname(struct filename *name)
 305{ }
 306static inline void audit_putname(struct filename *name)
 307{ }
 308static inline void __audit_inode(struct filename *name,
 309                                        const struct dentry *dentry,
 310                                        unsigned int parent)
 311{ }
 312static inline void __audit_inode_child(const struct inode *parent,
 313                                        const struct dentry *dentry,
 314                                        const unsigned char type)
 315{ }
 316static inline void audit_inode(struct filename *name,
 317                                const struct dentry *dentry,
 318                                unsigned int parent)
 319{ }
 320static inline void audit_inode_child(const struct inode *parent,
 321                                     const struct dentry *dentry,
 322                                     const unsigned char type)
 323{ }
 324static inline void audit_core_dumps(long signr)
 325{ }
 326static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
 327{ }
 328static inline void audit_seccomp(unsigned long syscall, long signr, int code)
 329{ }
 330static inline int auditsc_get_stamp(struct audit_context *ctx,
 331                              struct timespec *t, unsigned int *serial)
 332{
 333        return 0;
 334}
 335static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 336{
 337        return INVALID_UID;
 338}
 339static inline int audit_get_sessionid(struct task_struct *tsk)
 340{
 341        return -1;
 342}
 343static inline void audit_log_task_context(struct audit_buffer *ab)
 344{ }
 345static inline void audit_log_task_info(struct audit_buffer *ab,
 346                                       struct task_struct *tsk)
 347{ }
 348static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 349{ }
 350static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
 351                                        gid_t gid, umode_t mode)
 352{ }
 353static inline int audit_bprm(struct linux_binprm *bprm)
 354{
 355        return 0;
 356}
 357static inline void audit_socketcall(int nargs, unsigned long *args)
 358{ }
 359static inline void audit_fd_pair(int fd1, int fd2)
 360{ }
 361static inline int audit_sockaddr(int len, void *addr)
 362{
 363        return 0;
 364}
 365static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
 366{ }
 367static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len,
 368                                     unsigned int msg_prio,
 369                                     const struct timespec *abs_timeout)
 370{ }
 371static inline void audit_mq_notify(mqd_t mqdes,
 372                                   const struct sigevent *notification)
 373{ }
 374static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
 375{ }
 376static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
 377                                       const struct cred *new,
 378                                       const struct cred *old)
 379{
 380        return 0;
 381}
 382static inline void audit_log_capset(pid_t pid, const struct cred *new,
 383                                   const struct cred *old)
 384{ }
 385static inline void audit_mmap_fd(int fd, int flags)
 386{ }
 387static inline void audit_ptrace(struct task_struct *t)
 388{ }
 389#define audit_n_rules 0
 390#define audit_signals 0
 391#endif /* CONFIG_AUDITSYSCALL */
 392
 393#ifdef CONFIG_AUDIT
 394/* These are defined in audit.c */
 395                                /* Public API */
 396extern __printf(4, 5)
 397void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
 398               const char *fmt, ...);
 399
 400extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
 401extern __printf(2, 3)
 402void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
 403extern void                 audit_log_end(struct audit_buffer *ab);
 404extern int                  audit_string_contains_control(const char *string,
 405                                                          size_t len);
 406extern void                 audit_log_n_hex(struct audit_buffer *ab,
 407                                          const unsigned char *buf,
 408                                          size_t len);
 409extern void                 audit_log_n_string(struct audit_buffer *ab,
 410                                               const char *buf,
 411                                               size_t n);
 412extern void                 audit_log_n_untrustedstring(struct audit_buffer *ab,
 413                                                        const char *string,
 414                                                        size_t n);
 415extern void                 audit_log_untrustedstring(struct audit_buffer *ab,
 416                                                      const char *string);
 417extern void                 audit_log_d_path(struct audit_buffer *ab,
 418                                             const char *prefix,
 419                                             const struct path *path);
 420extern void                 audit_log_key(struct audit_buffer *ab,
 421                                          char *key);
 422extern void                 audit_log_link_denied(const char *operation,
 423                                                  struct path *link);
 424extern void                 audit_log_lost(const char *message);
 425#ifdef CONFIG_SECURITY
 426extern void                 audit_log_secctx(struct audit_buffer *ab, u32 secid);
 427#else
 428static inline void          audit_log_secctx(struct audit_buffer *ab, u32 secid)
 429{ }
 430#endif
 431
 432extern int                  audit_update_lsm_rules(void);
 433
 434                                /* Private API (for audit.c only) */
 435extern int audit_filter_user(void);
 436extern int audit_filter_type(int type);
 437extern int  audit_receive_filter(int type, int pid, int seq,
 438                                void *data, size_t datasz, kuid_t loginuid,
 439                                u32 sessionid, u32 sid);
 440extern int audit_enabled;
 441#else /* CONFIG_AUDIT */
 442static inline __printf(4, 5)
 443void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
 444               const char *fmt, ...)
 445{ }
 446static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
 447                                                   gfp_t gfp_mask, int type)
 448{
 449        return NULL;
 450}
 451static inline __printf(2, 3)
 452void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
 453{ }
 454static inline void audit_log_end(struct audit_buffer *ab)
 455{ }
 456static inline void audit_log_n_hex(struct audit_buffer *ab,
 457                                   const unsigned char *buf, size_t len)
 458{ }
 459static inline void audit_log_n_string(struct audit_buffer *ab,
 460                                      const char *buf, size_t n)
 461{ }
 462static inline void  audit_log_n_untrustedstring(struct audit_buffer *ab,
 463                                                const char *string, size_t n)
 464{ }
 465static inline void audit_log_untrustedstring(struct audit_buffer *ab,
 466                                             const char *string)
 467{ }
 468static inline void audit_log_d_path(struct audit_buffer *ab,
 469                                    const char *prefix,
 470                                    const struct path *path)
 471{ }
 472static inline void audit_log_key(struct audit_buffer *ab, char *key)
 473{ }
 474static inline void audit_log_link_denied(const char *string,
 475                                         const struct path *link)
 476{ }
 477static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
 478{ }
 479#define audit_enabled 0
 480#endif /* CONFIG_AUDIT */
 481static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
 482{
 483        audit_log_n_string(ab, buf, strlen(buf));
 484}
 485
 486#endif
 487
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.