Back to home page

LXR

 
 

    


0001 /* audit -- definition of audit_context structure and supporting types 
0002  *
0003  * Copyright 2003-2004 Red Hat, Inc.
0004  * Copyright 2005 Hewlett-Packard Development Company, L.P.
0005  * Copyright 2005 IBM Corporation
0006  *
0007  * This program is free software; you can redistribute it and/or modify
0008  * it under the terms of the GNU General Public License as published by
0009  * the Free Software Foundation; either version 2 of the License, or
0010  * (at your option) any later version.
0011  *
0012  * This program is distributed in the hope that it will be useful,
0013  * but WITHOUT ANY WARRANTY; without even the implied warranty of
0014  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
0015  * GNU General Public License for more details.
0016  *
0017  * You should have received a copy of the GNU General Public License
0018  * along with this program; if not, write to the Free Software
0019  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
0020  */
0021 
0022 #include <linux/fs.h>
0023 #include <linux/audit.h>
0024 #include <linux/skbuff.h>
0025 #include <uapi/linux/mqueue.h>
0026 #include <linux/tty.h>
0027 
0028 /* AUDIT_NAMES is the number of slots we reserve in the audit_context
0029  * for saving names from getname().  If we get more names we will allocate
0030  * a name dynamically and also add those to the list anchored by names_list. */
0031 #define AUDIT_NAMES 5
0032 
0033 /* At task start time, the audit_state is set in the audit_context using
0034    a per-task filter.  At syscall entry, the audit_state is augmented by
0035    the syscall filter. */
0036 enum audit_state {
0037     AUDIT_DISABLED,     /* Do not create per-task audit_context.
0038                  * No syscall-specific audit records can
0039                  * be generated. */
0040     AUDIT_BUILD_CONTEXT,    /* Create the per-task audit_context,
0041                  * and fill it in at syscall
0042                  * entry time.  This makes a full
0043                  * syscall record available if some
0044                  * other part of the kernel decides it
0045                  * should be recorded. */
0046     AUDIT_RECORD_CONTEXT    /* Create the per-task audit_context,
0047                  * always fill it in at syscall entry
0048                  * time, and always write out the audit
0049                  * record at syscall exit time.  */
0050 };
0051 
0052 /* Rule lists */
0053 struct audit_watch;
0054 struct audit_fsnotify_mark;
0055 struct audit_tree;
0056 struct audit_chunk;
0057 
0058 struct audit_entry {
0059     struct list_head    list;
0060     struct rcu_head     rcu;
0061     struct audit_krule  rule;
0062 };
0063 
0064 struct audit_cap_data {
0065     kernel_cap_t        permitted;
0066     kernel_cap_t        inheritable;
0067     union {
0068         unsigned int    fE;     /* effective bit of file cap */
0069         kernel_cap_t    effective;  /* effective set of process */
0070     };
0071 };
0072 
0073 /* When fs/namei.c:getname() is called, we store the pointer in name and bump
0074  * the refcnt in the associated filename struct.
0075  *
0076  * Further, in fs/namei.c:path_lookup() we store the inode and device.
0077  */
0078 struct audit_names {
0079     struct list_head    list;       /* audit_context->names_list */
0080 
0081     struct filename     *name;
0082     int         name_len;   /* number of chars to log */
0083     bool            hidden;     /* don't log this record */
0084 
0085     unsigned long       ino;
0086     dev_t           dev;
0087     umode_t         mode;
0088     kuid_t          uid;
0089     kgid_t          gid;
0090     dev_t           rdev;
0091     u32         osid;
0092     struct audit_cap_data   fcap;
0093     unsigned int        fcap_ver;
0094     unsigned char       type;       /* record type */
0095     /*
0096      * This was an allocated audit_names and not from the array of
0097      * names allocated in the task audit context.  Thus this name
0098      * should be freed on syscall exit.
0099      */
0100     bool            should_free;
0101 };
0102 
0103 struct audit_proctitle {
0104     int len;    /* length of the cmdline field. */
0105     char    *value; /* the cmdline field */
0106 };
0107 
0108 /* The per-task audit context. */
0109 struct audit_context {
0110     int         dummy;  /* must be the first element */
0111     int         in_syscall; /* 1 if task is in a syscall */
0112     enum audit_state    state, current_state;
0113     unsigned int        serial;     /* serial number for record */
0114     int         major;      /* syscall number */
0115     struct timespec     ctime;      /* time of syscall entry */
0116     unsigned long       argv[4];    /* syscall arguments */
0117     long            return_code;/* syscall return code */
0118     u64         prio;
0119     int         return_valid; /* return code is valid */
0120     /*
0121      * The names_list is the list of all audit_names collected during this
0122      * syscall.  The first AUDIT_NAMES entries in the names_list will
0123      * actually be from the preallocated_names array for performance
0124      * reasons.  Except during allocation they should never be referenced
0125      * through the preallocated_names array and should only be found/used
0126      * by running the names_list.
0127      */
0128     struct audit_names  preallocated_names[AUDIT_NAMES];
0129     int         name_count; /* total records in names_list */
0130     struct list_head    names_list; /* struct audit_names->list anchor */
0131     char            *filterkey; /* key for rule that triggered record */
0132     struct path     pwd;
0133     struct audit_aux_data *aux;
0134     struct audit_aux_data *aux_pids;
0135     struct sockaddr_storage *sockaddr;
0136     size_t sockaddr_len;
0137                 /* Save things to print about task_struct */
0138     pid_t           pid, ppid;
0139     kuid_t          uid, euid, suid, fsuid;
0140     kgid_t          gid, egid, sgid, fsgid;
0141     unsigned long       personality;
0142     int         arch;
0143 
0144     pid_t           target_pid;
0145     kuid_t          target_auid;
0146     kuid_t          target_uid;
0147     unsigned int        target_sessionid;
0148     u32         target_sid;
0149     char            target_comm[TASK_COMM_LEN];
0150 
0151     struct audit_tree_refs *trees, *first_trees;
0152     struct list_head killed_trees;
0153     int tree_count;
0154 
0155     int type;
0156     union {
0157         struct {
0158             int nargs;
0159             long args[6];
0160         } socketcall;
0161         struct {
0162             kuid_t          uid;
0163             kgid_t          gid;
0164             umode_t         mode;
0165             u32         osid;
0166             int         has_perm;
0167             uid_t           perm_uid;
0168             gid_t           perm_gid;
0169             umode_t         perm_mode;
0170             unsigned long       qbytes;
0171         } ipc;
0172         struct {
0173             mqd_t           mqdes;
0174             struct mq_attr      mqstat;
0175         } mq_getsetattr;
0176         struct {
0177             mqd_t           mqdes;
0178             int         sigev_signo;
0179         } mq_notify;
0180         struct {
0181             mqd_t           mqdes;
0182             size_t          msg_len;
0183             unsigned int        msg_prio;
0184             struct timespec     abs_timeout;
0185         } mq_sendrecv;
0186         struct {
0187             int         oflag;
0188             umode_t         mode;
0189             struct mq_attr      attr;
0190         } mq_open;
0191         struct {
0192             pid_t           pid;
0193             struct audit_cap_data   cap;
0194         } capset;
0195         struct {
0196             int         fd;
0197             int         flags;
0198         } mmap;
0199         struct {
0200             int         argc;
0201         } execve;
0202     };
0203     int fds[2];
0204     struct audit_proctitle proctitle;
0205 };
0206 
0207 extern u32 audit_ever_enabled;
0208 
0209 extern void audit_copy_inode(struct audit_names *name,
0210                  const struct dentry *dentry,
0211                  struct inode *inode);
0212 extern void audit_log_cap(struct audit_buffer *ab, char *prefix,
0213               kernel_cap_t *cap);
0214 extern void audit_log_name(struct audit_context *context,
0215                struct audit_names *n, const struct path *path,
0216                int record_num, int *call_panic);
0217 
0218 extern int audit_pid;
0219 
0220 #define AUDIT_INODE_BUCKETS 32
0221 extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
0222 
0223 static inline int audit_hash_ino(u32 ino)
0224 {
0225     return (ino & (AUDIT_INODE_BUCKETS-1));
0226 }
0227 
0228 /* Indicates that audit should log the full pathname. */
0229 #define AUDIT_NAME_FULL -1
0230 
0231 extern int audit_match_class(int class, unsigned syscall);
0232 extern int audit_comparator(const u32 left, const u32 op, const u32 right);
0233 extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
0234 extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
0235 extern int parent_len(const char *path);
0236 extern int audit_compare_dname_path(const char *dname, const char *path, int plen);
0237 extern struct sk_buff *audit_make_reply(__u32 portid, int seq, int type,
0238                     int done, int multi,
0239                     const void *payload, int size);
0240 extern void         audit_panic(const char *message);
0241 
0242 struct audit_netlink_list {
0243     __u32 portid;
0244     struct net *net;
0245     struct sk_buff_head q;
0246 };
0247 
0248 int audit_send_list(void *);
0249 
0250 struct audit_net {
0251     struct sock *nlsk;
0252 };
0253 
0254 extern int selinux_audit_rule_update(void);
0255 
0256 extern struct mutex audit_filter_mutex;
0257 extern int audit_del_rule(struct audit_entry *);
0258 extern void audit_free_rule_rcu(struct rcu_head *);
0259 extern struct list_head audit_filter_list[];
0260 
0261 extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);
0262 
0263 extern void audit_log_d_path_exe(struct audit_buffer *ab,
0264                  struct mm_struct *mm);
0265 
0266 extern struct tty_struct *audit_get_tty(struct task_struct *tsk);
0267 extern void audit_put_tty(struct tty_struct *tty);
0268 
0269 /* audit watch functions */
0270 #ifdef CONFIG_AUDIT_WATCH
0271 extern void audit_put_watch(struct audit_watch *watch);
0272 extern void audit_get_watch(struct audit_watch *watch);
0273 extern int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op);
0274 extern int audit_add_watch(struct audit_krule *krule, struct list_head **list);
0275 extern void audit_remove_watch_rule(struct audit_krule *krule);
0276 extern char *audit_watch_path(struct audit_watch *watch);
0277 extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev);
0278 
0279 extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pathname, int len);
0280 extern char *audit_mark_path(struct audit_fsnotify_mark *mark);
0281 extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);
0282 extern void audit_remove_mark_rule(struct audit_krule *krule);
0283 extern int audit_mark_compare(struct audit_fsnotify_mark *mark, unsigned long ino, dev_t dev);
0284 extern int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old);
0285 extern int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark);
0286 
0287 #else
0288 #define audit_put_watch(w) {}
0289 #define audit_get_watch(w) {}
0290 #define audit_to_watch(k, p, l, o) (-EINVAL)
0291 #define audit_add_watch(k, l) (-EINVAL)
0292 #define audit_remove_watch_rule(k) BUG()
0293 #define audit_watch_path(w) ""
0294 #define audit_watch_compare(w, i, d) 0
0295 
0296 #define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
0297 #define audit_mark_path(m) ""
0298 #define audit_remove_mark(m)
0299 #define audit_remove_mark_rule(k)
0300 #define audit_mark_compare(m, i, d) 0
0301 #define audit_exe_compare(t, m) (-EINVAL)
0302 #define audit_dupe_exe(n, o) (-EINVAL)
0303 #endif /* CONFIG_AUDIT_WATCH */
0304 
0305 #ifdef CONFIG_AUDIT_TREE
0306 extern struct audit_chunk *audit_tree_lookup(const struct inode *);
0307 extern void audit_put_chunk(struct audit_chunk *);
0308 extern bool audit_tree_match(struct audit_chunk *, struct audit_tree *);
0309 extern int audit_make_tree(struct audit_krule *, char *, u32);
0310 extern int audit_add_tree_rule(struct audit_krule *);
0311 extern int audit_remove_tree_rule(struct audit_krule *);
0312 extern void audit_trim_trees(void);
0313 extern int audit_tag_tree(char *old, char *new);
0314 extern const char *audit_tree_path(struct audit_tree *);
0315 extern void audit_put_tree(struct audit_tree *);
0316 extern void audit_kill_trees(struct list_head *);
0317 #else
0318 #define audit_remove_tree_rule(rule) BUG()
0319 #define audit_add_tree_rule(rule) -EINVAL
0320 #define audit_make_tree(rule, str, op) -EINVAL
0321 #define audit_trim_trees() (void)0
0322 #define audit_put_tree(tree) (void)0
0323 #define audit_tag_tree(old, new) -EINVAL
0324 #define audit_tree_path(rule) ""    /* never called */
0325 #define audit_kill_trees(list) BUG()
0326 #endif
0327 
0328 extern char *audit_unpack_string(void **, size_t *, size_t);
0329 
0330 extern pid_t audit_sig_pid;
0331 extern kuid_t audit_sig_uid;
0332 extern u32 audit_sig_sid;
0333 
0334 extern int audit_filter(int msgtype, unsigned int listtype);
0335 
0336 #ifdef CONFIG_AUDITSYSCALL
0337 extern int __audit_signal_info(int sig, struct task_struct *t);
0338 static inline int audit_signal_info(int sig, struct task_struct *t)
0339 {
0340     if (unlikely((audit_pid && t->tgid == audit_pid) ||
0341              (audit_signals && !audit_dummy_context())))
0342         return __audit_signal_info(sig, t);
0343     return 0;
0344 }
0345 extern void audit_filter_inodes(struct task_struct *, struct audit_context *);
0346 extern struct list_head *audit_killed_trees(void);
0347 #else
0348 #define audit_signal_info(s,t) AUDIT_DISABLED
0349 #define audit_filter_inodes(t,c) AUDIT_DISABLED
0350 #endif
0351 
0352 extern struct mutex audit_cmd_mutex;