aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/audit.h
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2007-07-22 08:04:18 -0400
committerAl Viro <viro@zeniv.linux.org.uk>2007-10-21 02:37:45 -0400
commit74c3cbe33bc077ac1159cadfea608b501e100344 (patch)
tree4c4023caa4e15d19780255fa5880df3d36eb292c /kernel/audit.h
parent455434d450a358ac5bcf3fc58f8913d13c544622 (diff)
[PATCH] audit: watching subtrees
New kind of audit rule predicates: "object is visible in given subtree". The part that can be sanely implemented, that is. Limitations: * if you have hardlink from outside of tree, you'd better watch it too (or just watch the object itself, obviously) * if you mount something under a watched tree, tell audit that new chunk should be added to watched subtrees * if you umount something in a watched tree and it's still mounted elsewhere, you will get matches on events happening there. New command tells audit to recalculate the trees, trimming such sources of false positives. Note that it's _not_ about path - if something mounted in several places (multiple mount, bindings, different namespaces, etc.), the match does _not_ depend on which one we are using for access. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel/audit.h')
-rw-r--r--kernel/audit.h34
1 files changed, 33 insertions, 1 deletions
diff --git a/kernel/audit.h b/kernel/audit.h
index 95877435c347..2554bd524fd1 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -73,6 +73,9 @@ struct audit_field {
73 struct selinux_audit_rule *se_rule; 73 struct selinux_audit_rule *se_rule;
74}; 74};
75 75
76struct audit_tree;
77struct audit_chunk;
78
76struct audit_krule { 79struct audit_krule {
77 int vers_ops; 80 int vers_ops;
78 u32 flags; 81 u32 flags;
@@ -86,7 +89,8 @@ struct audit_krule {
86 struct audit_field *arch_f; /* quick access to arch field */ 89 struct audit_field *arch_f; /* quick access to arch field */
87 struct audit_field *inode_f; /* quick access to an inode field */ 90 struct audit_field *inode_f; /* quick access to an inode field */
88 struct audit_watch *watch; /* associated watch */ 91 struct audit_watch *watch; /* associated watch */
89 struct list_head rlist; /* entry in audit_watch.rules list */ 92 struct audit_tree *tree; /* associated watched tree */
93 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */
90}; 94};
91 95
92struct audit_entry { 96struct audit_entry {
@@ -130,6 +134,34 @@ extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32,
130 const char *, struct inode *); 134 const char *, struct inode *);
131extern int selinux_audit_rule_update(void); 135extern int selinux_audit_rule_update(void);
132 136
137extern struct mutex audit_filter_mutex;
138extern void audit_free_rule_rcu(struct rcu_head *);
139
140#ifdef CONFIG_AUDIT_TREE
141extern struct audit_chunk *audit_tree_lookup(const struct inode *);
142extern void audit_put_chunk(struct audit_chunk *);
143extern int audit_tree_match(struct audit_chunk *, struct audit_tree *);
144extern int audit_make_tree(struct audit_krule *, char *, u32);
145extern int audit_add_tree_rule(struct audit_krule *);
146extern int audit_remove_tree_rule(struct audit_krule *);
147extern void audit_trim_trees(void);
148extern int audit_tag_tree(char *old, char *new);
149extern void audit_schedule_prune(void);
150extern void audit_prune_trees(void);
151extern const char *audit_tree_path(struct audit_tree *);
152extern void audit_put_tree(struct audit_tree *);
153#else
154#define audit_remove_tree_rule(rule) BUG()
155#define audit_add_tree_rule(rule) -EINVAL
156#define audit_make_tree(rule, str, op) -EINVAL
157#define audit_trim_trees() (void)0
158#define audit_put_tree(tree) (void)0
159#define audit_tag_tree(old, new) -EINVAL
160#define audit_tree_path(rule) "" /* never called */
161#endif
162
163extern char *audit_unpack_string(void **, size_t *, size_t);
164
133#ifdef CONFIG_AUDITSYSCALL 165#ifdef CONFIG_AUDITSYSCALL
134extern int __audit_signal_info(int sig, struct task_struct *t); 166extern int __audit_signal_info(int sig, struct task_struct *t);
135static inline int audit_signal_info(int sig, struct task_struct *t) 167static inline int audit_signal_info(int sig, struct task_struct *t)