cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

audit.h (10998B)


      1/* SPDX-License-Identifier: GPL-2.0-or-later */
      2/* audit -- definition of audit_context structure and supporting types
      3 *
      4 * Copyright 2003-2004 Red Hat, Inc.
      5 * Copyright 2005 Hewlett-Packard Development Company, L.P.
      6 * Copyright 2005 IBM Corporation
      7 */
      8
      9#ifndef _KERNEL_AUDIT_H_
     10#define _KERNEL_AUDIT_H_
     11
     12#include <linux/fs.h>
     13#include <linux/audit.h>
     14#include <linux/skbuff.h>
     15#include <uapi/linux/mqueue.h>
     16#include <linux/tty.h>
     17#include <uapi/linux/openat2.h> // struct open_how
     18
/* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname().  If we get more names we will allocate
 * a name dynamically and also add those to the list anchored by names_list.
 *
 * It sizes audit_context.preallocated_names[].  Names beyond that count are
 * the dynamically allocated ones, which struct audit_names marks with
 * should_free so they are released on syscall exit. */
#define AUDIT_NAMES	5
     23
/* At task start time, the audit_state is set in the audit_context using
   a per-task filter.  At syscall entry, the audit_state is augmented by
   the syscall filter.

   The enumerators are listed from least to most auditing.  A task left in
   AUDIT_STATE_DISABLED yields no syscall-specific records at all, so when
   reviewing audit coverage that state is a gap in the trail for the task. */
enum audit_state {
	AUDIT_STATE_DISABLED,	/* Do not create per-task audit_context.
				 * No syscall-specific audit records can
				 * be generated. */
	AUDIT_STATE_BUILD,	/* Create the per-task audit_context,
				 * and fill it in at syscall
				 * entry time.  This makes a full
				 * syscall record available if some
				 * other part of the kernel decides it
				 * should be recorded. */
	AUDIT_STATE_RECORD	/* Create the per-task audit_context,
				 * always fill it in at syscall entry
				 * time, and always write out the audit
				 * record at syscall exit time.  */
};
     42
/* Rule lists */
/* Forward declarations only: this header refers to these types solely
 * through pointers, so their definitions are not needed here. */
struct audit_watch;
struct audit_fsnotify_mark;
struct audit_tree;
struct audit_chunk;
     48
/* One audit rule together with its list and RCU bookkeeping.
 * NOTE(review): presumably linked on one of audit_filter_list[] and released
 * through audit_free_rule_rcu(&entry->rcu) -- confirm against the users. */
struct audit_entry {
	struct list_head	list;	/* list linkage for this rule */
	struct rcu_head		rcu;	/* RCU callback head */
	struct audit_krule	rule;	/* the rule itself, embedded by value */
};
     54
/* Capability sets captured for an audit record.  Embedded both in
 * struct audit_names (fcap, for a file) and in audit_context.capset (cap,
 * for a process).
 *
 * The anonymous union is untagged: nothing in this struct says whether fE
 * or effective is the live member.  That follows only from where the struct
 * is embedded, so code reading it must know which case it is handling. */
struct audit_cap_data {
	kernel_cap_t		permitted;
	kernel_cap_t		inheritable;
	union {
		unsigned int	fE;		/* effective bit of file cap */
		kernel_cap_t	effective;	/* effective set of process */
	};
	kernel_cap_t		ambient;
	kuid_t			rootid;
};
     65
/* When fs/namei.c:getname() is called, we store the pointer in name and bump
 * the refcnt in the associated filename struct.
 *
 * Further, in fs/namei.c:path_lookup() we store the inode and device.
 *
 * One audit_names describes one pathname seen during the syscall.  Entries
 * live either in audit_context.preallocated_names[] or in separately
 * allocated memory (see should_free below).
 */
struct audit_names {
	struct list_head	list;		/* audit_context->names_list */

	struct filename		*name;		/* refcounted, see above */
	/* NOTE(review): presumably AUDIT_NAME_FULL is stored here to request
	 * the whole pathname -- confirm against the users of name_len. */
	int			name_len;	/* number of chars to log */
	bool			hidden;		/* don't log this record */

	/* Inode attributes saved for the record. */
	unsigned long		ino;
	dev_t			dev;
	umode_t			mode;
	kuid_t			uid;
	kgid_t			gid;
	dev_t			rdev;
	u32			osid;	/* presumably the LSM security id -- confirm */
	struct audit_cap_data	fcap;	/* file capabilities (fE member of the union) */
	unsigned int		fcap_ver;
	unsigned char		type;		/* record type */
	/*
	 * This was an allocated audit_names and not from the array of
	 * names allocated in the task audit context.  Thus this name
	 * should be freed on syscall exit.
	 */
	bool			should_free;
};
     95
/* Saved process title (command line) of the audited task.
 * NOTE(review): nothing here states that value is NUL-terminated or who
 * frees it; consumers should bound every read by len -- confirm. */
struct audit_proctitle {
	int	len;	/* length of the cmdline field. */
	char	*value;	/* the cmdline field */
};
    100
/*
 * The per-task audit context.
 *
 * Holds the data collected about the task's current syscall or io_uring
 * operation (see the context member).  Several members are raw pointers
 * whose ownership is not visible in this header; check the allocation and
 * free paths before copying or reusing a context.
 */
struct audit_context {
	/* NOTE(review): why dummy has to stay first is not shown in this
	 * header -- confirm before reordering members. */
	int		    dummy;	/* must be the first element */
	enum {
		AUDIT_CTX_UNUSED,	/* audit_context is currently unused */
		AUDIT_CTX_SYSCALL,	/* in use by syscall */
		AUDIT_CTX_URING,	/* in use by io_uring */
	} context;
	/* See enum audit_state; the split between the two members is not
	 * documented in this header. */
	enum audit_state    state, current_state;
	unsigned int	    serial;     /* serial number for record */
	int		    major;      /* syscall number */
	int		    uring_op;   /* uring operation */
	struct timespec64   ctime;      /* time of syscall entry */
	unsigned long	    argv[4];    /* syscall arguments */
	long		    return_code;/* syscall return code */
	u64		    prio;	/* presumably priority of the matching rule -- confirm */
	int		    return_valid; /* return code is valid */
	/*
	 * The names_list is the list of all audit_names collected during this
	 * syscall.  The first AUDIT_NAMES entries in the names_list will
	 * actually be from the preallocated_names array for performance
	 * reasons.  Except during allocation they should never be referenced
	 * through the preallocated_names array and should only be found/used
	 * by running the names_list.
	 */
	struct audit_names  preallocated_names[AUDIT_NAMES];
	int		    name_count; /* total records in names_list */
	struct list_head    names_list;	/* struct audit_names->list anchor */
	char		    *filterkey;	/* key for rule that triggered record */
	struct path	    pwd;	/* presumably the working directory -- confirm */
	/* struct audit_aux_data is not defined in this header. */
	struct audit_aux_data *aux;
	struct audit_aux_data *aux_pids;
	/* NOTE(review): sockaddr_len presumably counts the valid bytes behind
	 * sockaddr; readers should never go past it -- confirm. */
	struct sockaddr_storage *sockaddr;
	size_t sockaddr_len;
				/* Save things to print about task_struct */
	pid_t		    pid, ppid;
	kuid_t		    uid, euid, suid, fsuid;
	kgid_t		    gid, egid, sgid, fsgid;
	unsigned long	    personality;
	int		    arch;

	/* NOTE(review): target_* presumably describe another task that this
	 * one acted on (cf. audit_signal_info_syscall()) -- confirm. */
	pid_t		    target_pid;
	kuid_t		    target_auid;
	kuid_t		    target_uid;
	unsigned int	    target_sessionid;
	u32		    target_sid;
	/* Fixed-size buffer: every copy into it must be bounded by
	 * TASK_COMM_LEN. */
	char		    target_comm[TASK_COMM_LEN];

	/* audit_tree bookkeeping; killed_trees is presumably what
	 * audit_kill_trees() drains -- confirm. */
	struct audit_tree_refs *trees, *first_trees;
	struct list_head killed_trees;
	int tree_count;

	/* NOTE(review): type presumably selects which member of the anonymous
	 * union below is meaningful.  The union carries no tag of its own, so
	 * readers have to check type before touching a member -- confirm. */
	int type;
	union {
		struct {
			/* args[] has six slots, so nargs must never exceed 6 */
			int nargs;
			long args[6];
		} socketcall;
		struct {
			kuid_t			uid;
			kgid_t			gid;
			umode_t			mode;
			u32			osid;
			/* perm_* are presumably valid only when has_perm
			 * is set -- confirm */
			int			has_perm;
			uid_t			perm_uid;
			gid_t			perm_gid;
			umode_t			perm_mode;
			unsigned long		qbytes;
		} ipc;
		struct {
			mqd_t			mqdes;
			struct mq_attr		mqstat;
		} mq_getsetattr;
		struct {
			mqd_t			mqdes;
			int			sigev_signo;
		} mq_notify;
		struct {
			mqd_t			mqdes;
			size_t			msg_len;
			unsigned int		msg_prio;
			struct timespec64	abs_timeout;
		} mq_sendrecv;
		struct {
			int			oflag;
			umode_t			mode;
			struct mq_attr		attr;
		} mq_open;
		struct {
			pid_t			pid;
			struct audit_cap_data	cap;	/* process sets (effective member of the union) */
		} capset;
		struct {
			int			fd;
			int			flags;
		} mmap;
		struct open_how openat2;
		struct {
			int			argc;
		} execve;
		struct {
			char			*name;	/* ownership not visible here */
		} module;
		struct {
			struct audit_ntp_data	ntp_data;
			struct timespec64	tk_injoffset;
		} time;
	};
	int fds[2];	/* presumably a descriptor pair to report -- confirm */
	struct audit_proctitle proctitle;
};
    212
/* Global flag defined outside this header; going by the name it records
 * whether auditing was ever switched on -- confirm at the definition. */
extern bool audit_ever_enabled;

/* Appends session information to the audit buffer @ab. */
extern void audit_log_session_info(struct audit_buffer *ab);

/* NOTE(review): presumably tests whether @task is the registered audit
 * daemon -- confirm against the definition. */
extern int auditd_test_task(struct task_struct *task);

/* Number of buckets in audit_inode_hash[].  Must stay a power of two:
 * audit_hash_ino() masks with AUDIT_INODE_BUCKETS-1 instead of taking a
 * modulo. */
#define AUDIT_INODE_BUCKETS	32
extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
    221
/*
 * audit_hash_ino - map an inode number to an audit_inode_hash[] index
 * @ino: inode number; the parameter type keeps only 32 bits of it
 *
 * Keeps the low bits of @ino.  The mask equals a modulo only while
 * AUDIT_INODE_BUCKETS is a power of two.
 *
 * Return: an index in the range 0 .. AUDIT_INODE_BUCKETS - 1.
 */
static inline int audit_hash_ino(u32 ino)
{
	const u32 bucket_mask = AUDIT_INODE_BUCKETS - 1;

	return ino & bucket_mask;
}
    226
/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1

/* Rule matching helpers.
 * NOTE(review): the comparators presumably apply the comparison operator
 * @op to @left and @right -- confirm the accepted @op values. */
extern int audit_match_class(int class, unsigned syscall);
extern int audit_comparator(const u32 left, const u32 op, const u32 right);
extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
/* Path helpers.  NOTE(review): @plen is presumably a parent_len() result or
 * AUDIT_NAME_FULL -- confirm. */
extern int parent_len(const char *path);
extern int audit_compare_dname_path(const struct qstr *dname, const char *path, int plen);
/* Builds a reply skb around @payload.  @size is a signed int, so callers
 * must make sure it can never be negative or larger than the payload. */
extern struct sk_buff *audit_make_reply(int seq, int type, int done, int multi,
					const void *payload, int size);
extern void		    audit_panic(const char *message);
    239
/* A queue of skbs together with the netlink port id and network namespace
 * they belong to.
 * NOTE(review): presumably the argument handed to audit_send_list_thread()
 * -- confirm; ownership of @net and of the queued skbs is not shown here. */
struct audit_netlink_list {
	__u32 portid;
	struct net *net;
	struct sk_buff_head q;
};
    245
/* Thread entry point; @_dest is untyped here (presumably a
 * struct audit_netlink_list * -- confirm). */
int audit_send_list_thread(void *_dest);

extern int selinux_audit_rule_update(void);

/* Rule list management.
 * NOTE(review): audit_filter_mutex presumably serialises changes to
 * audit_filter_list[]; confirm which paths must hold it.  The array is
 * declared without a size, so its bound is only known at the definition. */
extern struct mutex audit_filter_mutex;
extern int audit_del_rule(struct audit_entry *entry);
extern void audit_free_rule_rcu(struct rcu_head *head);
extern struct list_head audit_filter_list[];

extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);

extern void audit_log_d_path_exe(struct audit_buffer *ab,
				 struct mm_struct *mm);

/* Paired helpers: a tty obtained from audit_get_tty() is presumably a
 * reference that has to be dropped with audit_put_tty() -- confirm. */
extern struct tty_struct *audit_get_tty(void);
extern void audit_put_tty(struct tty_struct *tty);
    262
    263/* audit watch/mark/tree functions */
    264#ifdef CONFIG_AUDITSYSCALL
/* Record serial number and timestamp.  auditsc_get_stamp() reports through
 * @t and @serial; without CONFIG_AUDITSYSCALL it is replaced by the
 * constant 0. */
extern unsigned int audit_serial(void);
extern int auditsc_get_stamp(struct audit_context *ctx,
			      struct timespec64 *t, unsigned int *serial);

/* audit_watch: put/get are presumably reference counting -- confirm.
 * @path/@len in audit_to_watch() come from a rule being added, so the
 * implementation is the place to check how they are validated. */
extern void audit_put_watch(struct audit_watch *watch);
extern void audit_get_watch(struct audit_watch *watch);
extern int audit_to_watch(struct audit_krule *krule, char *path, int len,
			  u32 op);
extern int audit_add_watch(struct audit_krule *krule, struct list_head **list);
extern void audit_remove_watch_rule(struct audit_krule *krule);
extern char *audit_watch_path(struct audit_watch *watch);
extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino,
			       dev_t dev);

/* audit_fsnotify_mark and executable matching. */
extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule,
						    char *pathname, int len);
extern char *audit_mark_path(struct audit_fsnotify_mark *mark);
extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);
extern void audit_remove_mark_rule(struct audit_krule *krule);
extern int audit_mark_compare(struct audit_fsnotify_mark *mark,
			      unsigned long ino, dev_t dev);
extern int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old);
extern int audit_exe_compare(struct task_struct *tsk,
			     struct audit_fsnotify_mark *mark);

/* audit_tree / audit_chunk.  NOTE(review): a chunk returned by
 * audit_tree_lookup() is presumably released with audit_put_chunk()
 * -- confirm. */
extern struct audit_chunk *audit_tree_lookup(const struct inode *inode);
extern void audit_put_chunk(struct audit_chunk *chunk);
extern bool audit_tree_match(struct audit_chunk *chunk,
			     struct audit_tree *tree);
extern int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op);
extern int audit_add_tree_rule(struct audit_krule *rule);
extern int audit_remove_tree_rule(struct audit_krule *rule);
extern void audit_trim_trees(void);
extern int audit_tag_tree(char *old, char *new);
extern const char *audit_tree_path(struct audit_tree *tree);
extern void audit_put_tree(struct audit_tree *tree);
extern void audit_kill_trees(struct audit_context *context);

extern int audit_signal_info_syscall(struct task_struct *t);
/* Returns void: callers must not rely on a value (the stub used without
 * CONFIG_AUDITSYSCALL expands to an enum constant instead). */
extern void audit_filter_inodes(struct task_struct *tsk,
				struct audit_context *ctx);
extern struct list_head *audit_killed_trees(void);
    307#else /* CONFIG_AUDITSYSCALL */
/*
 * Stubs for kernels built without CONFIG_AUDITSYSCALL.
 *
 * Set-up calls fail with -EINVAL (or ERR_PTR(-EINVAL)), get/put/remove
 * helpers are no-ops, and queries yield 0 or "".  None of these macros
 * evaluates its arguments, so side effects written in an argument are
 * silently dropped in this configuration.
 *
 * audit_remove_watch_rule() expands to BUG(): presumably it is meant to be
 * unreachable here, since no watch rule can have been added -- confirm.
 */
#define auditsc_get_stamp(c, t, s) 0
#define audit_put_watch(w) do { } while (0)
#define audit_get_watch(w) do { } while (0)
#define audit_to_watch(k, p, l, o) (-EINVAL)
#define audit_add_watch(k, l) (-EINVAL)
#define audit_remove_watch_rule(k) BUG()
#define audit_watch_path(w) ""
#define audit_watch_compare(w, i, d) 0

/* fsnotify mark and executable-match stubs, same conventions as above. */
#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
#define audit_mark_path(m) ""
#define audit_remove_mark(m) do { } while (0)
#define audit_remove_mark_rule(k) do { } while (0)
#define audit_mark_compare(m, i, d) 0
#define audit_exe_compare(t, m) (-EINVAL)
#define audit_dupe_exe(n, o) (-EINVAL)
    324
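/*
 * audit tree stubs for kernels built without CONFIG_AUDITSYSCALL.
 *
 * Calls that would create or retag a tree fail with -EINVAL; trim and put
 * are no-ops.  Each -EINVAL expansion is parenthesised, like the watch and
 * mark stubs in this file, so the macro remains a single expression
 * wherever it is substituted.  None of the macros evaluates its arguments.
 *
 * audit_remove_tree_rule() and audit_kill_trees() expand to BUG():
 * presumably they are meant to be unreachable when no tree rule can exist
 * -- confirm against the callers.
 */
#define audit_remove_tree_rule(rule) BUG()
#define audit_add_tree_rule(rule) (-EINVAL)
#define audit_make_tree(rule, str, op) (-EINVAL)
#define audit_trim_trees() do { } while (0)
#define audit_put_tree(tree) do { } while (0)
#define audit_tag_tree(old, new) (-EINVAL)
#define audit_tree_path(rule) ""	/* never called */
#define audit_kill_trees(context) BUG()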
    333
/*
 * audit_signal_info_syscall - stub used without CONFIG_AUDITSYSCALL
 * @t: ignored
 *
 * Return: always 0.
 */
static inline int audit_signal_info_syscall(struct task_struct *t)
{
	return 0;	/* no syscall auditing compiled in */
}
    338
/* Stub: expands to AUDIT_STATE_DISABLED and evaluates neither argument.
 * The CONFIG_AUDITSYSCALL prototype returns void, so code that has to
 * build in both configurations must not use the value. */
#define audit_filter_inodes(t, c) AUDIT_STATE_DISABLED
    340#endif /* CONFIG_AUDITSYSCALL */
    341
/* NOTE(review): presumably takes @len bytes from *@bufp and keeps *@remain
 * in step.  Both lengths are size_t, so the implementation is where to
 * confirm that @len is checked against *@remain before anything is read,
 * and who frees the returned string. */
extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);

extern int audit_filter(int msgtype, unsigned int listtype);

/* Paired lock/unlock helpers; what they protect is not visible in this
 * header. */
extern void audit_ctl_lock(void);
extern void audit_ctl_unlock(void);
    348
    349#endif