diff options
| author | <dwmw2@shinybook.infradead.org> | 2005-04-29 11:08:28 -0400 |
|---|---|---|
| committer | <dwmw2@shinybook.infradead.org> | 2005-04-29 11:08:28 -0400 |
| commit | 2fd6f58ba6efc82ea2c9c2630f7ff5ed9eeaf34a (patch) | |
| tree | 87cf236a78ad242ae01f1b71c289131e6d1c0662 /include/linux/audit.h | |
| parent | ea3834d9fb348fb1144ad3affea22df933eaf62e (diff) | |
[AUDIT] Don't allow ptrace to fool auditing, log arch of audited syscalls.
We were calling ptrace_notify() after auditing the syscall and arguments,
but the debugger could have _changed_ them before the syscall was actually
invoked. Reorder the calls to fix that.
While we're touching ever call to audit_syscall_entry(), we also make it
take an extra argument: the architecture of the syscall which was made,
because some architectures allow more than one type of syscall.
Also add an explicit success/failure flag to audit_syscall_exit(), for
the benefit of architectures which return that in a condition register
rather than only returning a single register.
Change type of syscall return value to 'long' not 'int'.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat (limited to 'include/linux/audit.h')
| -rw-r--r-- | include/linux/audit.h | 48 |
1 files changed, 44 insertions, 4 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 9b77992c4888..fad0c1dc21a9 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -24,6 +24,9 @@ | |||
| 24 | #ifndef _LINUX_AUDIT_H_ | 24 | #ifndef _LINUX_AUDIT_H_ |
| 25 | #define _LINUX_AUDIT_H_ | 25 | #define _LINUX_AUDIT_H_ |
| 26 | 26 | ||
| 27 | #include <linux/sched.h> | ||
| 28 | #include <linux/elf.h> | ||
| 29 | |||
| 27 | /* Request and reply types */ | 30 | /* Request and reply types */ |
| 28 | #define AUDIT_GET 1000 /* Get status */ | 31 | #define AUDIT_GET 1000 /* Get status */ |
| 29 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ | 32 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ |
| @@ -67,6 +70,7 @@ | |||
| 67 | #define AUDIT_FSGID 8 | 70 | #define AUDIT_FSGID 8 |
| 68 | #define AUDIT_LOGINUID 9 | 71 | #define AUDIT_LOGINUID 9 |
| 69 | #define AUDIT_PERS 10 | 72 | #define AUDIT_PERS 10 |
| 73 | #define AUDIT_ARCH 11 | ||
| 70 | 74 | ||
| 71 | /* These are ONLY useful when checking | 75 | /* These are ONLY useful when checking |
| 72 | * at syscall exit time (AUDIT_AT_EXIT). */ | 76 | * at syscall exit time (AUDIT_AT_EXIT). */ |
| @@ -96,6 +100,38 @@ | |||
| 96 | #define AUDIT_FAIL_PRINTK 1 | 100 | #define AUDIT_FAIL_PRINTK 1 |
| 97 | #define AUDIT_FAIL_PANIC 2 | 101 | #define AUDIT_FAIL_PANIC 2 |
| 98 | 102 | ||
| 103 | /* distinguish syscall tables */ | ||
| 104 | #define __AUDIT_ARCH_64BIT 0x80000000 | ||
| 105 | #define __AUDIT_ARCH_LE 0x40000000 | ||
| 106 | #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) | ||
| 107 | #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) | ||
| 108 | #define AUDIT_ARCH_ARMEB (EM_ARM) | ||
| 109 | #define AUDIT_ARCH_CRIS (EM_CRIS|__AUDIT_ARCH_LE) | ||
| 110 | #define AUDIT_ARCH_FRV (EM_FRV) | ||
| 111 | #define AUDIT_ARCH_H8300 (EM_H8_300) | ||
| 112 | #define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE) | ||
| 113 | #define AUDIT_ARCH_IA64 (EM_IA_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) | ||
| 114 | #define AUDIT_ARCH_M32R (EM_M32R) | ||
| 115 | #define AUDIT_ARCH_M68K (EM_68K) | ||
| 116 | #define AUDIT_ARCH_MIPS (EM_MIPS) | ||
| 117 | #define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE) | ||
| 118 | #define AUDIT_ARCH_MIPS64 (EM_MIPS|__AUDIT_ARCH_64BIT) | ||
| 119 | #define AUDIT_ARCH_MIPSEL64 (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) | ||
| 120 | #define AUDIT_ARCH_PARISC (EM_PARISC) | ||
| 121 | #define AUDIT_ARCH_PARISC64 (EM_PARISC|__AUDIT_ARCH_64BIT) | ||
| 122 | #define AUDIT_ARCH_PPC (EM_PPC) | ||
| 123 | #define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT) | ||
| 124 | #define AUDIT_ARCH_S390 (EM_S390) | ||
| 125 | #define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT) | ||
| 126 | #define AUDIT_ARCH_SH (EM_SH) | ||
| 127 | #define AUDIT_ARCH_SHEL (EM_SH|__AUDIT_ARCH_LE) | ||
| 128 | #define AUDIT_ARCH_SH64 (EM_SH|__AUDIT_ARCH_64BIT) | ||
| 129 | #define AUDIT_ARCH_SHEL64 (EM_SH|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) | ||
| 130 | #define AUDIT_ARCH_SPARC (EM_SPARC) | ||
| 131 | #define AUDIT_ARCH_SPARC64 (EM_SPARC64|__AUDIT_ARCH_64BIT) | ||
| 132 | #define AUDIT_ARCH_V850 (EM_V850|__AUDIT_ARCH_LE) | ||
| 133 | #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) | ||
| 134 | |||
| 99 | #ifndef __KERNEL__ | 135 | #ifndef __KERNEL__ |
| 100 | struct audit_message { | 136 | struct audit_message { |
| 101 | struct nlmsghdr nlh; | 137 | struct nlmsghdr nlh; |
| @@ -129,15 +165,19 @@ struct audit_buffer; | |||
| 129 | struct audit_context; | 165 | struct audit_context; |
| 130 | struct inode; | 166 | struct inode; |
| 131 | 167 | ||
| 168 | #define AUDITSC_INVALID 0 | ||
| 169 | #define AUDITSC_SUCCESS 1 | ||
| 170 | #define AUDITSC_FAILURE 2 | ||
| 171 | #define AUDITSC_RESULT(x) ( ((long)(x))<0?AUDITSC_FAILURE:AUDITSC_SUCCESS ) | ||
| 132 | #ifdef CONFIG_AUDITSYSCALL | 172 | #ifdef CONFIG_AUDITSYSCALL |
| 133 | /* These are defined in auditsc.c */ | 173 | /* These are defined in auditsc.c */ |
| 134 | /* Public API */ | 174 | /* Public API */ |
| 135 | extern int audit_alloc(struct task_struct *task); | 175 | extern int audit_alloc(struct task_struct *task); |
| 136 | extern void audit_free(struct task_struct *task); | 176 | extern void audit_free(struct task_struct *task); |
| 137 | extern void audit_syscall_entry(struct task_struct *task, | 177 | extern void audit_syscall_entry(struct task_struct *task, int arch, |
| 138 | int major, unsigned long a0, unsigned long a1, | 178 | int major, unsigned long a0, unsigned long a1, |
| 139 | unsigned long a2, unsigned long a3); | 179 | unsigned long a2, unsigned long a3); |
| 140 | extern void audit_syscall_exit(struct task_struct *task, int return_code); | 180 | extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code); |
| 141 | extern void audit_getname(const char *name); | 181 | extern void audit_getname(const char *name); |
| 142 | extern void audit_putname(const char *name); | 182 | extern void audit_putname(const char *name); |
| 143 | extern void audit_inode(const char *name, const struct inode *inode); | 183 | extern void audit_inode(const char *name, const struct inode *inode); |
| @@ -153,8 +193,8 @@ extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mo | |||
| 153 | #else | 193 | #else |
| 154 | #define audit_alloc(t) ({ 0; }) | 194 | #define audit_alloc(t) ({ 0; }) |
| 155 | #define audit_free(t) do { ; } while (0) | 195 | #define audit_free(t) do { ; } while (0) |
| 156 | #define audit_syscall_entry(t,a,b,c,d,e) do { ; } while (0) | 196 | #define audit_syscall_entry(t,ta,a,b,c,d,e) do { ; } while (0) |
| 157 | #define audit_syscall_exit(t,r) do { ; } while (0) | 197 | #define audit_syscall_exit(t,f,r) do { ; } while (0) |
| 158 | #define audit_getname(n) do { ; } while (0) | 198 | #define audit_getname(n) do { ; } while (0) |
| 159 | #define audit_putname(n) do { ; } while (0) | 199 | #define audit_putname(n) do { ; } while (0) |
| 160 | #define audit_inode(n,i) do { ; } while (0) | 200 | #define audit_inode(n,i) do { ; } while (0) |