the-tree/kernel/audit.h

0001 /* SPDX-License-Identifier: GPL-2.0-or-later */
0002 /* audit -- definition of audit_context structure and supporting types
0003  *
0004  * Copyright 2003-2004 Red Hat, Inc.
0005  * Copyright 2005 Hewlett-Packard Development Company, L.P.
0006  * Copyright 2005 IBM Corporation
0007  */
0008
0009 #ifndef _KERNEL_AUDIT_H_
0010 #define _KERNEL_AUDIT_H_
0011
0012 #include <linux/fs.h>
0013 #include <linux/audit.h>
0014 #include <linux/skbuff.h>
0015 #include <uapi/linux/mqueue.h>
0016 #include <linux/tty.h>
0017 #include <uapi/linux/openat2.h> // struct open_how
0018
0019 /* AUDIT_NAMES is the number of slots we reserve in the audit_context
0020  * for saving names from getname().  If we get more names we will allocate
0021  * a name dynamically and also add those to the list anchored by names_list. */
0022 #define AUDIT_NAMES 5
0023
0024 /* At task start time, the audit_state is set in the audit_context using
0025    a per-task filter.  At syscall entry, the audit_state is augmented by
0026    the syscall filter. */
0027 enum audit_state {
0028     AUDIT_STATE_DISABLED,   /* Do not create per-task audit_context.
0029                  * No syscall-specific audit records can
0030                  * be generated. */
0031     AUDIT_STATE_BUILD,  /* Create the per-task audit_context,
0032                  * and fill it in at syscall
0033                  * entry time.  This makes a full
0034                  * syscall record available if some
0035                  * other part of the kernel decides it
0036                  * should be recorded. */
0037     AUDIT_STATE_RECORD  /* Create the per-task audit_context,
0038                  * always fill it in at syscall entry
0039                  * time, and always write out the audit
0040                  * record at syscall exit time.  */
0041 };
0042
0043 /* Rule lists */
0044 struct audit_watch;
0045 struct audit_fsnotify_mark;
0046 struct audit_tree;
0047 struct audit_chunk;
0048
0049 struct audit_entry {
0050     struct list_head    list;
0051     struct rcu_head     rcu;
0052     struct audit_krule  rule;
0053 };
0054
0055 struct audit_cap_data {
0056     kernel_cap_t        permitted;
0057     kernel_cap_t        inheritable;
0058     union {
0059         unsigned int    fE;     /* effective bit of file cap */
0060         kernel_cap_t    effective;  /* effective set of process */
0061     };
0062     kernel_cap_t        ambient;
0063     kuid_t          rootid;
0064 };
0065
0066 /* When fs/namei.c:getname() is called, we store the pointer in name and bump
0067  * the refcnt in the associated filename struct.
0068  *
0069  * Further, in fs/namei.c:path_lookup() we store the inode and device.
0070  */
0071 struct audit_names {
0072     struct list_head    list;       /* audit_context->names_list */
0073
0074     struct filename     *name;
0075     int         name_len;   /* number of chars to log */
0076     bool            hidden;     /* don't log this record */
0077
0078     unsigned long       ino;
0079     dev_t           dev;
0080     umode_t         mode;
0081     kuid_t          uid;
0082     kgid_t          gid;
0083     dev_t           rdev;
0084     u32         osid;
0085     struct audit_cap_data   fcap;
0086     unsigned int        fcap_ver;
0087     unsigned char       type;       /* record type */
0088     /*
0089      * This was an allocated audit_names and not from the array of
0090      * names allocated in the task audit context.  Thus this name
0091      * should be freed on syscall exit.
0092      */
0093     bool            should_free;
0094 };
0095
0096 struct audit_proctitle {
0097     int len;    /* length of the cmdline field. */
0098     char    *value; /* the cmdline field */
0099 };
0100
0101 /* The per-task audit context. */
0102 struct audit_context {
0103     int         dummy;  /* must be the first element */
0104     enum {
0105         AUDIT_CTX_UNUSED,   /* audit_context is currently unused */
0106         AUDIT_CTX_SYSCALL,  /* in use by syscall */
0107         AUDIT_CTX_URING,    /* in use by io_uring */
0108     } context;
0109     enum audit_state    state, current_state;
0110     unsigned int        serial;     /* serial number for record */
0111     int         major;      /* syscall number */
0112     int         uring_op;   /* uring operation */
0113     struct timespec64   ctime;      /* time of syscall entry */
0114     unsigned long       argv[4];    /* syscall arguments */
0115     long            return_code;/* syscall return code */
0116     u64         prio;
0117     int         return_valid; /* return code is valid */
0118     /*
0119      * The names_list is the list of all audit_names collected during this
0120      * syscall.  The first AUDIT_NAMES entries in the names_list will
0121      * actually be from the preallocated_names array for performance
0122      * reasons.  Except during allocation they should never be referenced
0123      * through the preallocated_names array and should only be found/used
0124      * by running the names_list.
0125      */
0126     struct audit_names  preallocated_names[AUDIT_NAMES];
0127     int         name_count; /* total records in names_list */
0128     struct list_head    names_list; /* struct audit_names->list anchor */
0129     char            *filterkey; /* key for rule that triggered record */
0130     struct path     pwd;
0131     struct audit_aux_data *aux;
0132     struct audit_aux_data *aux_pids;
0133     struct sockaddr_storage *sockaddr;
0134     size_t sockaddr_len;
0135                 /* Save things to print about task_struct */
0136     pid_t           pid, ppid;
0137     kuid_t          uid, euid, suid, fsuid;
0138     kgid_t          gid, egid, sgid, fsgid;
0139     unsigned long       personality;
0140     int         arch;
0141
0142     pid_t           target_pid;
0143     kuid_t          target_auid;
0144     kuid_t          target_uid;
0145     unsigned int        target_sessionid;
0146     u32         target_sid;
0147     char            target_comm[TASK_COMM_LEN];
0148
0149     struct audit_tree_refs *trees, *first_trees;
0150     struct list_head killed_trees;
0151     int tree_count;
0152
0153     int type;
0154     union {
0155         struct {
0156             int nargs;
0157             long args[6];
0158         } socketcall;
0159         struct {
0160             kuid_t          uid;
0161             kgid_t          gid;
0162             umode_t         mode;
0163             u32         osid;
0164             int         has_perm;
0165             uid_t           perm_uid;
0166             gid_t           perm_gid;
0167             umode_t         perm_mode;
0168             unsigned long       qbytes;
0169         } ipc;
0170         struct {
0171             mqd_t           mqdes;
0172             struct mq_attr      mqstat;
0173         } mq_getsetattr;
0174         struct {
0175             mqd_t           mqdes;
0176             int         sigev_signo;
0177         } mq_notify;
0178         struct {
0179             mqd_t           mqdes;
0180             size_t          msg_len;
0181             unsigned int        msg_prio;
0182             struct timespec64   abs_timeout;
0183         } mq_sendrecv;
0184         struct {
0185             int         oflag;
0186             umode_t         mode;
0187             struct mq_attr      attr;
0188         } mq_open;
0189         struct {
0190             pid_t           pid;
0191             struct audit_cap_data   cap;
0192         } capset;
0193         struct {
0194             int         fd;
0195             int         flags;
0196         } mmap;
0197         struct open_how openat2;
0198         struct {
0199             int         argc;
0200         } execve;
0201         struct {
0202             char            *name;
0203         } module;
0204         struct {
0205             struct audit_ntp_data   ntp_data;
0206             struct timespec64   tk_injoffset;
0207         } time;
0208     };
0209     int fds[2];
0210     struct audit_proctitle proctitle;
0211 };
0212
0213 extern bool audit_ever_enabled;
0214
0215 extern void audit_log_session_info(struct audit_buffer *ab);
0216
0217 extern int auditd_test_task(struct task_struct *task);
0218
0219 #define AUDIT_INODE_BUCKETS 32
0220 extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
0221
0222 static inline int audit_hash_ino(u32 ino)
0223 {
0224     return (ino & (AUDIT_INODE_BUCKETS-1));
0225 }
0226
0227 /* Indicates that audit should log the full pathname. */
0228 #define AUDIT_NAME_FULL -1
0229
0230 extern int audit_match_class(int class, unsigned syscall);
0231 extern int audit_comparator(const u32 left, const u32 op, const u32 right);
0232 extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
0233 extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
0234 extern int parent_len(const char *path);
0235 extern int audit_compare_dname_path(const struct qstr *dname, const char *path, int plen);
0236 extern struct sk_buff *audit_make_reply(int seq, int type, int done, int multi,
0237                     const void *payload, int size);
0238 extern void         audit_panic(const char *message);
0239
0240 struct audit_netlink_list {
0241     __u32 portid;
0242     struct net *net;
0243     struct sk_buff_head q;
0244 };
0245
0246 int audit_send_list_thread(void *_dest);
0247
0248 extern int selinux_audit_rule_update(void);
0249
0250 extern struct mutex audit_filter_mutex;
0251 extern int audit_del_rule(struct audit_entry *entry);
0252 extern void audit_free_rule_rcu(struct rcu_head *head);
0253 extern struct list_head audit_filter_list[];
0254
0255 extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);
0256
0257 extern void audit_log_d_path_exe(struct audit_buffer *ab,
0258                  struct mm_struct *mm);
0259
0260 extern struct tty_struct *audit_get_tty(void);
0261 extern void audit_put_tty(struct tty_struct *tty);
0262
0263 /* audit watch/mark/tree functions */
0264 #ifdef CONFIG_AUDITSYSCALL
0265 extern unsigned int audit_serial(void);
0266 extern int auditsc_get_stamp(struct audit_context *ctx,
0267                   struct timespec64 *t, unsigned int *serial);
0268
0269 extern void audit_put_watch(struct audit_watch *watch);
0270 extern void audit_get_watch(struct audit_watch *watch);
0271 extern int audit_to_watch(struct audit_krule *krule, char *path, int len,
0272               u32 op);
0273 extern int audit_add_watch(struct audit_krule *krule, struct list_head **list);
0274 extern void audit_remove_watch_rule(struct audit_krule *krule);
0275 extern char *audit_watch_path(struct audit_watch *watch);
0276 extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino,
0277                    dev_t dev);
0278
0279 extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule,
0280                             char *pathname, int len);
0281 extern char *audit_mark_path(struct audit_fsnotify_mark *mark);
0282 extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);
0283 extern void audit_remove_mark_rule(struct audit_krule *krule);
0284 extern int audit_mark_compare(struct audit_fsnotify_mark *mark,
0285                   unsigned long ino, dev_t dev);
0286 extern int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old);
0287 extern int audit_exe_compare(struct task_struct *tsk,
0288                  struct audit_fsnotify_mark *mark);
0289
0290 extern struct audit_chunk *audit_tree_lookup(const struct inode *inode);
0291 extern void audit_put_chunk(struct audit_chunk *chunk);
0292 extern bool audit_tree_match(struct audit_chunk *chunk,
0293                  struct audit_tree *tree);
0294 extern int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op);
0295 extern int audit_add_tree_rule(struct audit_krule *rule);
0296 extern int audit_remove_tree_rule(struct audit_krule *rule);
0297 extern void audit_trim_trees(void);
0298 extern int audit_tag_tree(char *old, char *new);
0299 extern const char *audit_tree_path(struct audit_tree *tree);
0300 extern void audit_put_tree(struct audit_tree *tree);
0301 extern void audit_kill_trees(struct audit_context *context);
0302
0303 extern int audit_signal_info_syscall(struct task_struct *t);
0304 extern void audit_filter_inodes(struct task_struct *tsk,
0305                 struct audit_context *ctx);
0306 extern struct list_head *audit_killed_trees(void);
0307 #else /* CONFIG_AUDITSYSCALL */
0308 #define auditsc_get_stamp(c, t, s) 0
0309 #define audit_put_watch(w) do { } while (0)
0310 #define audit_get_watch(w) do { } while (0)
0311 #define audit_to_watch(k, p, l, o) (-EINVAL)
0312 #define audit_add_watch(k, l) (-EINVAL)
0313 #define audit_remove_watch_rule(k) BUG()
0314 #define audit_watch_path(w) ""
0315 #define audit_watch_compare(w, i, d) 0
0316
0317 #define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
0318 #define audit_mark_path(m) ""
0319 #define audit_remove_mark(m) do { } while (0)
0320 #define audit_remove_mark_rule(k) do { } while (0)
0321 #define audit_mark_compare(m, i, d) 0
0322 #define audit_exe_compare(t, m) (-EINVAL)
0323 #define audit_dupe_exe(n, o) (-EINVAL)
0324
0325 #define audit_remove_tree_rule(rule) BUG()
0326 #define audit_add_tree_rule(rule) -EINVAL
0327 #define audit_make_tree(rule, str, op) -EINVAL
0328 #define audit_trim_trees() do { } while (0)
0329 #define audit_put_tree(tree) do { } while (0)
0330 #define audit_tag_tree(old, new) -EINVAL
0331 #define audit_tree_path(rule) ""    /* never called */
0332 #define audit_kill_trees(context) BUG()
0333
0334 static inline int audit_signal_info_syscall(struct task_struct *t)
0335 {
0336     return 0;
0337 }
0338
0339 #define audit_filter_inodes(t, c) AUDIT_STATE_DISABLED
0340 #endif /* CONFIG_AUDITSYSCALL */
0341
0342 extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);
0343
0344 extern int audit_filter(int msgtype, unsigned int listtype);
0345
0346 extern void audit_ctl_lock(void);
0347 extern void audit_ctl_unlock(void);
0348
0349 #endif