1 /* SPDX-License-Identifier: GPL-2.0-or-later * !! 1 /* audit -- definition of audit_context structure and supporting types 2 /* audit -- definition of audit_context struct << 3 * 2 * 4 * Copyright 2003-2004 Red Hat, Inc. 3 * Copyright 2003-2004 Red Hat, Inc. 5 * Copyright 2005 Hewlett-Packard Development 4 * Copyright 2005 Hewlett-Packard Development Company, L.P. 6 * Copyright 2005 IBM Corporation 5 * Copyright 2005 IBM Corporation >> 6 * >> 7 * This program is free software; you can redistribute it and/or modify >> 8 * it under the terms of the GNU General Public License as published by >> 9 * the Free Software Foundation; either version 2 of the License, or >> 10 * (at your option) any later version. >> 11 * >> 12 * This program is distributed in the hope that it will be useful, >> 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of >> 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> 15 * GNU General Public License for more details. >> 16 * >> 17 * You should have received a copy of the GNU General Public License >> 18 * along with this program; if not, write to the Free Software >> 19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 7 */ 20 */ 8 21 9 #ifndef _KERNEL_AUDIT_H_ << 10 #define _KERNEL_AUDIT_H_ << 11 << 12 #include <linux/fs.h> 22 #include <linux/fs.h> 13 #include <linux/audit.h> 23 #include <linux/audit.h> 14 #include <linux/skbuff.h> 24 #include <linux/skbuff.h> 15 #include <uapi/linux/mqueue.h> !! 25 16 #include <linux/tty.h> !! 26 /* 0 = no checking 17 #include <uapi/linux/openat2.h> // struct open !! 27 1 = put_count checking 18 !! 28 2 = verbose put_count checking 19 /* AUDIT_NAMES is the number of slots we reser !! 29 */ 20 * for saving names from getname(). If we get !! 
30 #define AUDIT_DEBUG 0 21 * a name dynamically and also add those to th << 22 #define AUDIT_NAMES 5 << 23 31 24 /* At task start time, the audit_state is set 32 /* At task start time, the audit_state is set in the audit_context using 25 a per-task filter. At syscall entry, the a 33 a per-task filter. At syscall entry, the audit_state is augmented by 26 the syscall filter. */ 34 the syscall filter. */ 27 enum audit_state { 35 enum audit_state { 28 AUDIT_STATE_DISABLED, /* Do not crea !! 36 AUDIT_DISABLED, /* Do not create per-task audit_context. 29 * No syscall- 37 * No syscall-specific audit records can 30 * be generate 38 * be generated. */ 31 AUDIT_STATE_BUILD, /* Create the !! 39 AUDIT_SETUP_CONTEXT, /* Create the per-task audit_context, 32 * and fill it !! 40 * but don't necessarily fill it in at >> 41 * syscall entry time (i.e., filter >> 42 * instead). */ >> 43 AUDIT_BUILD_CONTEXT, /* Create the per-task audit_context, >> 44 * and always fill it in at syscall 33 * entry time. 45 * entry time. This makes a full 34 * syscall rec 46 * syscall record available if some 35 * other part 47 * other part of the kernel decides it 36 * should be r 48 * should be recorded. */ 37 AUDIT_STATE_RECORD /* Create the !! 49 AUDIT_RECORD_CONTEXT /* Create the per-task audit_context, 38 * always fill 50 * always fill it in at syscall entry 39 * time, and a 51 * time, and always write out the audit 40 * record at s 52 * record at syscall exit time. */ 41 }; 53 }; 42 54 43 /* Rule lists */ 55 /* Rule lists */ 44 struct audit_watch; 56 struct audit_watch; 45 struct audit_fsnotify_mark; << 46 struct audit_tree; 57 struct audit_tree; 47 struct audit_chunk; 58 struct audit_chunk; 48 59 49 struct audit_entry { 60 struct audit_entry { 50 struct list_head list; 61 struct list_head list; 51 struct rcu_head rcu; 62 struct rcu_head rcu; 52 struct audit_krule rule; 63 struct audit_krule rule; 53 }; 64 }; 54 65 55 struct audit_cap_data { !! 
66 #ifdef CONFIG_AUDIT 56 kernel_cap_t permitted; !! 67 extern int audit_enabled; 57 kernel_cap_t inheritable; !! 68 extern int audit_ever_enabled; 58 union { !! 69 #endif 59 unsigned int fE; << 60 kernel_cap_t effective; << 61 }; << 62 kernel_cap_t ambient; << 63 kuid_t rootid; << 64 }; << 65 << 66 /* When fs/namei.c:getname() is called, we sto << 67 * the refcnt in the associated filename struc << 68 * << 69 * Further, in fs/namei.c:path_lookup() we sto << 70 */ << 71 struct audit_names { << 72 struct list_head list; << 73 << 74 struct filename *name; << 75 int name_len; << 76 bool hidden; << 77 << 78 unsigned long ino; << 79 dev_t dev; << 80 umode_t mode; << 81 kuid_t uid; << 82 kgid_t gid; << 83 dev_t rdev; << 84 u32 osid; << 85 struct audit_cap_data fcap; << 86 unsigned int fcap_ver; << 87 unsigned char type; << 88 /* << 89 * This was an allocated audit_names a << 90 * names allocated in the task audit c << 91 * should be freed on syscall exit. << 92 */ << 93 bool should_free; << 94 }; << 95 << 96 struct audit_proctitle { << 97 int len; /* length of the cmdli << 98 char *value; /* the cmdline field * << 99 }; << 100 << 101 /* The per-task audit context. */ << 102 struct audit_context { << 103 int dummy; /* mus << 104 enum { << 105 AUDIT_CTX_UNUSED, /* aud << 106 AUDIT_CTX_SYSCALL, /* in << 107 AUDIT_CTX_URING, /* in << 108 } context; << 109 enum audit_state state, current_sta << 110 unsigned int serial; /* ser << 111 int major; /* sys << 112 int uring_op; /* uri << 113 struct timespec64 ctime; /* tim << 114 unsigned long argv[4]; /* sys << 115 long return_code;/* sys << 116 u64 prio; << 117 int return_valid; /* r << 118 /* << 119 * The names_list is the list of all a << 120 * syscall. The first AUDIT_NAMES ent << 121 * actually be from the preallocated_n << 122 * reasons. Except during allocation << 123 * through the preallocated_names arra << 124 * by running the names_list. 
<< 125 */ << 126 struct audit_names preallocated_names << 127 int name_count; /* tot << 128 struct list_head names_list; /* str << 129 char *filterkey; /* key << 130 struct path pwd; << 131 struct audit_aux_data *aux; << 132 struct audit_aux_data *aux_pids; << 133 struct sockaddr_storage *sockaddr; << 134 size_t sockaddr_len; << 135 /* Save things << 136 pid_t ppid; << 137 kuid_t uid, euid, suid, f << 138 kgid_t gid, egid, sgid, f << 139 unsigned long personality; << 140 int arch; << 141 << 142 pid_t target_pid; << 143 kuid_t target_auid; << 144 kuid_t target_uid; << 145 unsigned int target_sessionid; << 146 u32 target_sid; << 147 char target_comm[TASK_C << 148 << 149 struct audit_tree_refs *trees, *first_ << 150 struct list_head killed_trees; << 151 int tree_count; << 152 << 153 int type; << 154 union { << 155 struct { << 156 int nargs; << 157 long args[6]; << 158 } socketcall; << 159 struct { << 160 kuid_t << 161 kgid_t << 162 umode_t << 163 u32 << 164 int << 165 uid_t << 166 gid_t << 167 umode_t << 168 unsigned long << 169 } ipc; << 170 struct { << 171 mqd_t << 172 struct mq_attr << 173 } mq_getsetattr; << 174 struct { << 175 mqd_t << 176 int << 177 } mq_notify; << 178 struct { << 179 mqd_t << 180 size_t << 181 unsigned int << 182 struct timespec64 << 183 } mq_sendrecv; << 184 struct { << 185 int << 186 umode_t << 187 struct mq_attr << 188 } mq_open; << 189 struct { << 190 pid_t << 191 struct audit_cap_data << 192 } capset; << 193 struct { << 194 int << 195 int << 196 } mmap; << 197 struct open_how openat2; << 198 struct { << 199 int << 200 } execve; << 201 struct { << 202 char << 203 } module; << 204 struct { << 205 struct audit_ntp_data << 206 struct timespec64 << 207 } time; << 208 }; << 209 int fds[2]; << 210 struct audit_proctitle proctitle; << 211 }; << 212 << 213 extern bool audit_ever_enabled; << 214 << 215 extern void audit_log_session_info(struct audi << 216 70 217 extern int auditd_test_task(struct task_struct !! 
71 extern int audit_pid; 218 72 219 #define AUDIT_INODE_BUCKETS 32 73 #define AUDIT_INODE_BUCKETS 32 220 extern struct list_head audit_inode_hash[AUDIT 74 extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS]; 221 75 222 static inline int audit_hash_ino(u32 ino) 76 static inline int audit_hash_ino(u32 ino) 223 { 77 { 224 return (ino & (AUDIT_INODE_BUCKETS-1)) 78 return (ino & (AUDIT_INODE_BUCKETS-1)); 225 } 79 } 226 80 227 /* Indicates that audit should log the full pa << 228 #define AUDIT_NAME_FULL -1 << 229 << 230 extern int audit_match_class(int class, unsign 81 extern int audit_match_class(int class, unsigned syscall); 231 extern int audit_comparator(const u32 left, co 82 extern int audit_comparator(const u32 left, const u32 op, const u32 right); 232 extern int audit_uid_comparator(kuid_t left, u !! 83 extern int audit_compare_dname_path(const char *dname, const char *path, 233 extern int audit_gid_comparator(kgid_t left, u !! 84 int *dirlen); 234 extern int parent_len(const char *path); !! 85 extern struct sk_buff * audit_make_reply(int pid, int seq, int type, 235 extern int audit_compare_dname_path(const stru !! 86 int done, int multi, 236 extern struct sk_buff *audit_make_reply(int se !! 87 void *payload, int size); 237 const !! 88 extern void audit_send_reply(int pid, int seq, int type, >> 89 int done, int multi, >> 90 void *payload, int size); 238 extern void audit_panic(const 91 extern void audit_panic(const char *message); 239 92 240 struct audit_netlink_list { 93 struct audit_netlink_list { 241 __u32 portid; !! 94 int pid; 242 struct net *net; << 243 struct sk_buff_head q; 95 struct sk_buff_head q; 244 }; 96 }; 245 97 246 int audit_send_list_thread(void *_dest); !! 98 int audit_send_list(void *); >> 99 >> 100 extern int selinux_audit_rule_update(void); 247 101 248 extern struct mutex audit_filter_mutex; 102 extern struct mutex audit_filter_mutex; 249 extern int audit_del_rule(struct audit_entry * !! 
103 extern void audit_free_rule_rcu(struct rcu_head *); 250 extern void audit_free_rule_rcu(struct rcu_hea << 251 extern struct list_head audit_filter_list[]; 104 extern struct list_head audit_filter_list[]; 252 105 253 extern struct audit_entry *audit_dupe_rule(str !! 106 /* audit watch functions */ 254 !! 107 extern unsigned long audit_watch_inode(struct audit_watch *watch); 255 extern void audit_log_d_path_exe(struct audit_ !! 108 extern dev_t audit_watch_dev(struct audit_watch *watch); 256 struct mm_str << 257 << 258 extern struct tty_struct *audit_get_tty(void); << 259 extern void audit_put_tty(struct tty_struct *t << 260 << 261 /* audit watch/mark/tree functions */ << 262 extern unsigned int audit_serial(void); << 263 #ifdef CONFIG_AUDITSYSCALL << 264 extern int auditsc_get_stamp(struct audit_cont << 265 struct timespec6 << 266 << 267 extern void audit_put_watch(struct audit_watch 109 extern void audit_put_watch(struct audit_watch *watch); 268 extern void audit_get_watch(struct audit_watch 110 extern void audit_get_watch(struct audit_watch *watch); 269 extern int audit_to_watch(struct audit_krule * !! 111 extern int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op); 270 u32 op); !! 112 extern int audit_add_watch(struct audit_krule *krule); 271 extern int audit_add_watch(struct audit_krule !! 113 extern void audit_remove_watch(struct audit_watch *watch); 272 extern void audit_remove_watch_rule(struct aud !! 114 extern void audit_remove_watch_rule(struct audit_krule *krule, struct list_head *list); >> 115 extern void audit_inotify_unregister(struct list_head *in_list); 273 extern char *audit_watch_path(struct audit_wat 116 extern char *audit_watch_path(struct audit_watch *watch); 274 extern int audit_watch_compare(struct audit_wa !! 117 extern struct list_head *audit_watch_rules(struct audit_watch *watch); 275 dev_t dev); << 276 118 277 extern struct audit_fsnotify_mark *audit_alloc !! 
119 extern struct audit_entry *audit_dupe_rule(struct audit_krule *old, 278 !! 120 struct audit_watch *watch); 279 extern char *audit_mark_path(struct audit_fsno !! 121 280 extern void audit_remove_mark(struct audit_fsn !! 122 #ifdef CONFIG_AUDIT_TREE 281 extern void audit_remove_mark_rule(struct audi !! 123 extern struct audit_chunk *audit_tree_lookup(const struct inode *); 282 extern int audit_mark_compare(struct audit_fsn !! 124 extern void audit_put_chunk(struct audit_chunk *); 283 unsigned long in !! 125 extern int audit_tree_match(struct audit_chunk *, struct audit_tree *); 284 extern int audit_dupe_exe(struct audit_krule * !! 126 extern int audit_make_tree(struct audit_krule *, char *, u32); 285 extern int audit_exe_compare(struct task_struc !! 127 extern int audit_add_tree_rule(struct audit_krule *); 286 struct audit_fsno !! 128 extern int audit_remove_tree_rule(struct audit_krule *); 287 << 288 extern struct audit_chunk *audit_tree_lookup(c << 289 extern void audit_put_chunk(struct audit_chunk << 290 extern bool audit_tree_match(struct audit_chun << 291 struct audit_tree << 292 extern int audit_make_tree(struct audit_krule << 293 extern int audit_add_tree_rule(struct audit_kr << 294 extern int audit_remove_tree_rule(struct audit << 295 extern void audit_trim_trees(void); 129 extern void audit_trim_trees(void); 296 extern int audit_tag_tree(char *old, char *new 130 extern int audit_tag_tree(char *old, char *new); 297 extern const char *audit_tree_path(struct audi !! 131 extern const char *audit_tree_path(struct audit_tree *); 298 extern void audit_put_tree(struct audit_tree * !! 132 extern void audit_put_tree(struct audit_tree *); 299 extern void audit_kill_trees(struct audit_cont !! 133 extern void audit_kill_trees(struct list_head *); 300 !! 
134 #else 301 extern int audit_signal_info_syscall(struct ta << 302 extern void audit_filter_inodes(struct task_st << 303 struct audit_c << 304 extern struct list_head *audit_killed_trees(vo << 305 #else /* CONFIG_AUDITSYSCALL */ << 306 #define auditsc_get_stamp(c, t, s) 0 << 307 #define audit_put_watch(w) do { } while (0) << 308 #define audit_get_watch(w) do { } while (0) << 309 #define audit_to_watch(k, p, l, o) (-EINVAL) << 310 #define audit_add_watch(k, l) (-EINVAL) << 311 #define audit_remove_watch_rule(k) BUG() << 312 #define audit_watch_path(w) "" << 313 #define audit_watch_compare(w, i, d) 0 << 314 << 315 #define audit_alloc_mark(k, p, l) (ERR_PTR(-EI << 316 #define audit_mark_path(m) "" << 317 #define audit_remove_mark(m) do { } while (0) << 318 #define audit_remove_mark_rule(k) do { } while << 319 #define audit_mark_compare(m, i, d) 0 << 320 #define audit_exe_compare(t, m) (-EINVAL) << 321 #define audit_dupe_exe(n, o) (-EINVAL) << 322 << 323 #define audit_remove_tree_rule(rule) BUG() 135 #define audit_remove_tree_rule(rule) BUG() 324 #define audit_add_tree_rule(rule) -EINVAL 136 #define audit_add_tree_rule(rule) -EINVAL 325 #define audit_make_tree(rule, str, op) -EINVAL 137 #define audit_make_tree(rule, str, op) -EINVAL 326 #define audit_trim_trees() do { } while (0) !! 138 #define audit_trim_trees() (void)0 327 #define audit_put_tree(tree) do { } while (0) !! 139 #define audit_put_tree(tree) (void)0 328 #define audit_tag_tree(old, new) -EINVAL 140 #define audit_tag_tree(old, new) -EINVAL 329 #define audit_tree_path(rule) "" /* nev 141 #define audit_tree_path(rule) "" /* never called */ 330 #define audit_kill_trees(context) BUG() !! 142 #define audit_kill_trees(list) BUG() >> 143 #endif >> 144 >> 145 extern char *audit_unpack_string(void **, size_t *, size_t); 331 146 332 static inline int audit_signal_info_syscall(st !! 
147 extern pid_t audit_sig_pid; >> 148 extern uid_t audit_sig_uid; >> 149 extern u32 audit_sig_sid; >> 150 >> 151 #ifdef CONFIG_AUDITSYSCALL >> 152 extern int __audit_signal_info(int sig, struct task_struct *t); >> 153 static inline int audit_signal_info(int sig, struct task_struct *t) 333 { 154 { >> 155 if (unlikely((audit_pid && t->tgid == audit_pid) || >> 156 (audit_signals && !audit_dummy_context()))) >> 157 return __audit_signal_info(sig, t); 334 return 0; 158 return 0; 335 } 159 } 336 !! 160 extern void audit_filter_inodes(struct task_struct *, struct audit_context *); 337 #define audit_filter_inodes(t, c) do { } while !! 161 extern struct list_head *audit_killed_trees(void); 338 #endif /* CONFIG_AUDITSYSCALL */ !! 162 #else 339 !! 163 #define audit_signal_info(s,t) AUDIT_DISABLED 340 extern char *audit_unpack_string(void **bufp, !! 164 #define audit_filter_inodes(t,c) AUDIT_DISABLED 341 << 342 extern int audit_filter(int msgtype, unsigned << 343 << 344 extern void audit_ctl_lock(void); << 345 extern void audit_ctl_unlock(void); << 346 << 347 #endif 165 #endif >> 166 >> 167 extern struct mutex audit_cmd_mutex; 348 168
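Review bot: The `BUG()` fallbacks in the left-hand version's `#else /* CONFIG_AUDITSYSCALL */` block (`audit_remove_watch_rule(k)`, `audit_remove_tree_rule(rule)`, `audit_kill_trees(context)`) have no comment explaining why they cannot be reached, while only `audit_tree_path` is marked `/* never called */`. A stub that expands to `BUG()` stops the kernel if a caller does reach it in a build without syscall auditing, so the invariant should be written next to the macros. Judging from the neighbouring stubs, the reasoning appears to be that `audit_to_watch()` and `audit_make_tree()` already evaluate to `-EINVAL`, so no rule can hold a watch or tree to remove. I would add something like `/* unreachable: audit_to_watch()/audit_make_tree() fail, so no rule carries a watch or tree */` above the three macros. The call sites are not visible on this page and the left column is truncated, so this should be confirmed against the callers before the comment is committed.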