Diffstat (limited to 'include/linux/audit.h')
-rw-r--r-- | include/linux/audit.h | 130 |
1 files changed, 107 insertions, 23 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index da3c01955f3d..1c47c59058c1 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -33,27 +33,42 @@ | |||
33 | * 1200 - 1299 messages internal to the audit daemon | 33 | * 1200 - 1299 messages internal to the audit daemon |
34 | * 1300 - 1399 audit event messages | 34 | * 1300 - 1399 audit event messages |
35 | * 1400 - 1499 SE Linux use | 35 | * 1400 - 1499 SE Linux use |
36 | * 1500 - 1999 future use | 36 | * 1500 - 1599 kernel LSPP events |
37 | * 2000 is for otherwise unclassified kernel audit messages | 37 | * 1600 - 1699 kernel crypto events |
38 | * 1700 - 1799 kernel anomaly records | ||
39 | * 1800 - 1999 future kernel use (maybe integrity labels and related events) | ||
40 | * 2000 is for otherwise unclassified kernel audit messages (legacy) | ||
41 | * 2001 - 2099 unused (kernel) | ||
42 | * 2100 - 2199 user space anomaly records | ||
43 | * 2200 - 2299 user space actions taken in response to anomalies | ||
44 | * 2300 - 2399 user space generated LSPP events | ||
45 | * 2400 - 2499 user space crypto events | ||
46 | * 2500 - 2999 future user space (maybe integrity labels and related events) | ||
38 | * | 47 | * |
39 | * Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user | 48 | * Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are |
40 | * space. Anything over that is kernel --> user space communication. | 49 | * exclusively user space. 1300-2099 is kernel --> user space |
50 | * communication. | ||
41 | */ | 51 | */ |
42 | #define AUDIT_GET 1000 /* Get status */ | 52 | #define AUDIT_GET 1000 /* Get status */ |
43 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ | 53 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ |
44 | #define AUDIT_LIST 1002 /* List syscall filtering rules */ | 54 | #define AUDIT_LIST 1002 /* List syscall rules -- deprecated */ |
45 | #define AUDIT_ADD 1003 /* Add syscall filtering rule */ | 55 | #define AUDIT_ADD 1003 /* Add syscall rule -- deprecated */ |
46 | #define AUDIT_DEL 1004 /* Delete syscall filtering rule */ | 56 | #define AUDIT_DEL 1004 /* Delete syscall rule -- deprecated */ |
47 | #define AUDIT_USER 1005 /* Message from userspace -- deprecated */ | 57 | #define AUDIT_USER 1005 /* Message from userspace -- deprecated */ |
48 | #define AUDIT_LOGIN 1006 /* Define the login id and information */ | 58 | #define AUDIT_LOGIN 1006 /* Define the login id and information */ |
49 | #define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */ | 59 | #define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */ |
50 | #define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */ | 60 | #define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */ |
51 | #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ | 61 | #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ |
52 | #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ | 62 | #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ |
63 | #define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */ | ||
64 | #define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */ | ||
65 | #define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */ | ||
53 | 66 | ||
54 | #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ | 67 | #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ |
55 | #define AUDIT_USER_AVC 1107 /* We filter this differently */ | 68 | #define AUDIT_USER_AVC 1107 /* We filter this differently */ |
56 | #define AUDIT_LAST_USER_MSG 1199 | 69 | #define AUDIT_LAST_USER_MSG 1199 |
70 | #define AUDIT_FIRST_USER_MSG2 2100 /* More user space messages */ | ||
71 | #define AUDIT_LAST_USER_MSG2 2999 | ||
57 | 72 | ||
58 | #define AUDIT_DAEMON_START 1200 /* Daemon startup record */ | 73 | #define AUDIT_DAEMON_START 1200 /* Daemon startup record */ |
59 | #define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */ | 74 | #define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */ |
@@ -72,6 +87,13 @@ | |||
72 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ | 87 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ |
73 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ | 88 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ |
74 | #define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */ | 89 | #define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */ |
90 | #define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ | ||
91 | #define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ | ||
92 | #define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ | ||
93 | |||
94 | #define AUDIT_FIRST_KERN_ANOM_MSG 1700 | ||
95 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 | ||
96 | #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ | ||
75 | 97 | ||
76 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ | 98 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ |
77 | 99 | ||
@@ -81,8 +103,9 @@ | |||
81 | #define AUDIT_FILTER_ENTRY 0x02 /* Apply rule at syscall entry */ | 103 | #define AUDIT_FILTER_ENTRY 0x02 /* Apply rule at syscall entry */ |
82 | #define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */ | 104 | #define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */ |
83 | #define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */ | 105 | #define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */ |
106 | #define AUDIT_FILTER_TYPE 0x05 /* Apply rule at audit_log_start */ | ||
84 | 107 | ||
85 | #define AUDIT_NR_FILTERS 5 | 108 | #define AUDIT_NR_FILTERS 6 |
86 | 109 | ||
87 | #define AUDIT_FILTER_PREPEND 0x10 /* Prepend to front of list */ | 110 | #define AUDIT_FILTER_PREPEND 0x10 /* Prepend to front of list */ |
88 | 111 | ||
@@ -98,6 +121,13 @@ | |||
98 | #define AUDIT_WORD(nr) ((__u32)((nr)/32)) | 121 | #define AUDIT_WORD(nr) ((__u32)((nr)/32)) |
99 | #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32)) | 122 | #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32)) |
100 | 123 | ||
124 | /* This bitmask is used to validate user input. It represents all bits that | ||
125 | * are currently used in an audit field constant understood by the kernel. | ||
126 | * If you are adding a new #define AUDIT_<whatever>, please ensure that | ||
127 | * AUDIT_UNUSED_BITS is updated if need be. */ | ||
128 | #define AUDIT_UNUSED_BITS 0x0FFFFC00 | ||
129 | |||
130 | |||
101 | /* Rule fields */ | 131 | /* Rule fields */ |
102 | /* These are useful when checking the | 132 | /* These are useful when checking the |
103 | * task structure at task creation time | 133 | * task structure at task creation time |
@@ -114,6 +144,7 @@ | |||
114 | #define AUDIT_LOGINUID 9 | 144 | #define AUDIT_LOGINUID 9 |
115 | #define AUDIT_PERS 10 | 145 | #define AUDIT_PERS 10 |
116 | #define AUDIT_ARCH 11 | 146 | #define AUDIT_ARCH 11 |
147 | #define AUDIT_MSGTYPE 12 | ||
117 | 148 | ||
118 | /* These are ONLY useful when checking | 149 | /* These are ONLY useful when checking |
119 | * at syscall exit time (AUDIT_AT_EXIT). */ | 150 | * at syscall exit time (AUDIT_AT_EXIT). */ |
@@ -128,8 +159,28 @@ | |||
128 | #define AUDIT_ARG2 (AUDIT_ARG0+2) | 159 | #define AUDIT_ARG2 (AUDIT_ARG0+2) |
129 | #define AUDIT_ARG3 (AUDIT_ARG0+3) | 160 | #define AUDIT_ARG3 (AUDIT_ARG0+3) |
130 | 161 | ||
131 | #define AUDIT_NEGATE 0x80000000 | 162 | #define AUDIT_NEGATE 0x80000000 |
132 | 163 | ||
164 | /* These are the supported operators. | ||
165 | * 4 2 1 | ||
166 | * = > < | ||
167 | * ------- | ||
168 | * 0 0 0 0 nonsense | ||
169 | * 0 0 1 1 < | ||
170 | * 0 1 0 2 > | ||
171 | * 0 1 1 3 != | ||
172 | * 1 0 0 4 = | ||
173 | * 1 0 1 5 <= | ||
174 | * 1 1 0 6 >= | ||
175 | * 1 1 1 7 all operators | ||
176 | */ | ||
177 | #define AUDIT_LESS_THAN 0x10000000 | ||
178 | #define AUDIT_GREATER_THAN 0x20000000 | ||
179 | #define AUDIT_NOT_EQUAL 0x30000000 | ||
180 | #define AUDIT_EQUAL 0x40000000 | ||
181 | #define AUDIT_LESS_THAN_OR_EQUAL (AUDIT_LESS_THAN|AUDIT_EQUAL) | ||
182 | #define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN|AUDIT_EQUAL) | ||
183 | #define AUDIT_OPERATORS (AUDIT_EQUAL|AUDIT_NOT_EQUAL) | ||
133 | 184 | ||
134 | /* Status symbols */ | 185 | /* Status symbols */ |
135 | /* Mask values */ | 186 | /* Mask values */ |
@@ -186,6 +237,26 @@ struct audit_status { | |||
186 | __u32 backlog; /* messages waiting in queue */ | 237 | __u32 backlog; /* messages waiting in queue */ |
187 | }; | 238 | }; |
188 | 239 | ||
240 | /* audit_rule_data supports filter rules with both integer and string | ||
241 | * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and | ||
242 | * AUDIT_LIST_RULES requests. | ||
243 | */ | ||
244 | struct audit_rule_data { | ||
245 | __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */ | ||
246 | __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */ | ||
247 | __u32 field_count; | ||
248 | __u32 mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */ | ||
249 | __u32 fields[AUDIT_MAX_FIELDS]; | ||
250 | __u32 values[AUDIT_MAX_FIELDS]; | ||
251 | __u32 fieldflags[AUDIT_MAX_FIELDS]; | ||
252 | __u32 buflen; /* total length of string fields */ | ||
253 | char buf[0]; /* string fields buffer */ | ||
254 | }; | ||
255 | |||
256 | /* audit_rule is supported to maintain backward compatibility with | ||
257 | * userspace. It supports integer fields only and corresponds to | ||
258 | * AUDIT_ADD, AUDIT_DEL and AUDIT_LIST requests. | ||
259 | */ | ||
189 | struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */ | 260 | struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */ |
190 | __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */ | 261 | __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */ |
191 | __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */ | 262 | __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */ |
@@ -222,22 +293,33 @@ extern void audit_syscall_entry(struct task_struct *task, int arch, | |||
222 | extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code); | 293 | extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code); |
223 | extern void audit_getname(const char *name); | 294 | extern void audit_getname(const char *name); |
224 | extern void audit_putname(const char *name); | 295 | extern void audit_putname(const char *name); |
225 | extern void audit_inode(const char *name, const struct inode *inode, unsigned flags); | 296 | extern void __audit_inode(const char *name, const struct inode *inode, unsigned flags); |
297 | extern void __audit_inode_child(const char *dname, const struct inode *inode, | ||
298 | unsigned long pino); | ||
299 | static inline void audit_inode(const char *name, const struct inode *inode, | ||
300 | unsigned flags) { | ||
301 | if (unlikely(current->audit_context)) | ||
302 | __audit_inode(name, inode, flags); | ||
303 | } | ||
304 | static inline void audit_inode_child(const char *dname, | ||
305 | const struct inode *inode, | ||
306 | unsigned long pino) { | ||
307 | if (unlikely(current->audit_context)) | ||
308 | __audit_inode_child(dname, inode, pino); | ||
309 | } | ||
226 | 310 | ||
227 | /* Private API (for audit.c only) */ | 311 | /* Private API (for audit.c only) */ |
228 | extern int audit_receive_filter(int type, int pid, int uid, int seq, | ||
229 | void *data, uid_t loginuid); | ||
230 | extern unsigned int audit_serial(void); | 312 | extern unsigned int audit_serial(void); |
231 | extern void auditsc_get_stamp(struct audit_context *ctx, | 313 | extern void auditsc_get_stamp(struct audit_context *ctx, |
232 | struct timespec *t, unsigned int *serial); | 314 | struct timespec *t, unsigned int *serial); |
233 | extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); | 315 | extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); |
234 | extern uid_t audit_get_loginuid(struct audit_context *ctx); | 316 | extern uid_t audit_get_loginuid(struct audit_context *ctx); |
235 | extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); | 317 | extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp); |
236 | extern int audit_socketcall(int nargs, unsigned long *args); | 318 | extern int audit_socketcall(int nargs, unsigned long *args); |
237 | extern int audit_sockaddr(int len, void *addr); | 319 | extern int audit_sockaddr(int len, void *addr); |
238 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); | 320 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); |
239 | extern void audit_signal_info(int sig, struct task_struct *t); | 321 | extern void audit_signal_info(int sig, struct task_struct *t); |
240 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); | 322 | extern int audit_set_macxattr(const char *name); |
241 | #else | 323 | #else |
242 | #define audit_alloc(t) ({ 0; }) | 324 | #define audit_alloc(t) ({ 0; }) |
243 | #define audit_free(t) do { ; } while (0) | 325 | #define audit_free(t) do { ; } while (0) |
@@ -245,16 +327,18 @@ extern int audit_filter_user(struct netlink_skb_parms *cb, int type); | |||
245 | #define audit_syscall_exit(t,f,r) do { ; } while (0) | 327 | #define audit_syscall_exit(t,f,r) do { ; } while (0) |
246 | #define audit_getname(n) do { ; } while (0) | 328 | #define audit_getname(n) do { ; } while (0) |
247 | #define audit_putname(n) do { ; } while (0) | 329 | #define audit_putname(n) do { ; } while (0) |
330 | #define __audit_inode(n,i,f) do { ; } while (0) | ||
331 | #define __audit_inode_child(d,i,p) do { ; } while (0) | ||
248 | #define audit_inode(n,i,f) do { ; } while (0) | 332 | #define audit_inode(n,i,f) do { ; } while (0) |
249 | #define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; }) | 333 | #define audit_inode_child(d,i,p) do { ; } while (0) |
250 | #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) | 334 | #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) |
251 | #define audit_get_loginuid(c) ({ -1; }) | 335 | #define audit_get_loginuid(c) ({ -1; }) |
252 | #define audit_ipc_perms(q,u,g,m) ({ 0; }) | 336 | #define audit_ipc_perms(q,u,g,m,i) ({ 0; }) |
253 | #define audit_socketcall(n,a) ({ 0; }) | 337 | #define audit_socketcall(n,a) ({ 0; }) |
254 | #define audit_sockaddr(len, addr) ({ 0; }) | 338 | #define audit_sockaddr(len, addr) ({ 0; }) |
255 | #define audit_avc_path(dentry, mnt) ({ 0; }) | 339 | #define audit_avc_path(dentry, mnt) ({ 0; }) |
256 | #define audit_signal_info(s,t) do { ; } while (0) | 340 | #define audit_signal_info(s,t) do { ; } while (0) |
257 | #define audit_filter_user(cb,t) ({ 1; }) | 341 | #define audit_set_macxattr(n) do { ; } while (0) |
258 | #endif | 342 | #endif |
259 | 343 | ||
260 | #ifdef CONFIG_AUDIT | 344 | #ifdef CONFIG_AUDIT |
@@ -278,12 +362,11 @@ extern void audit_log_d_path(struct audit_buffer *ab, | |||
278 | const char *prefix, | 362 | const char *prefix, |
279 | struct dentry *dentry, | 363 | struct dentry *dentry, |
280 | struct vfsmount *vfsmnt); | 364 | struct vfsmount *vfsmnt); |
281 | /* Private API (for auditsc.c only) */ | 365 | /* Private API (for audit.c only) */ |
282 | extern void audit_send_reply(int pid, int seq, int type, | 366 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); |
283 | int done, int multi, | 367 | extern int audit_filter_type(int type); |
284 | void *payload, int size); | 368 | extern int audit_receive_filter(int type, int pid, int uid, int seq, |
285 | extern void audit_log_lost(const char *message); | 369 | void *data, size_t datasz, uid_t loginuid); |
286 | extern struct semaphore audit_netlink_sem; | ||
287 | #else | 370 | #else |
288 | #define audit_log(c,g,t,f,...) do { ; } while (0) | 371 | #define audit_log(c,g,t,f,...) do { ; } while (0) |
289 | #define audit_log_start(c,g,t) ({ NULL; }) | 372 | #define audit_log_start(c,g,t) ({ NULL; }) |
@@ -293,6 +376,7 @@ extern struct semaphore audit_netlink_sem; | |||
293 | #define audit_log_hex(a,b,l) do { ; } while (0) | 376 | #define audit_log_hex(a,b,l) do { ; } while (0) |
294 | #define audit_log_untrustedstring(a,s) do { ; } while (0) | 377 | #define audit_log_untrustedstring(a,s) do { ; } while (0) |
295 | #define audit_log_d_path(b,p,d,v) do { ; } while (0) | 378 | #define audit_log_d_path(b,p,d,v) do { ; } while (0) |
379 | #define audit_panic(m) do { ; } while (0) | ||
296 | #endif | 380 | #endif |
297 | #endif | 381 | #endif |
298 | #endif | 382 | #endif |
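Review bot: The new `struct audit_rule_data` (new lines 244–254) is a netlink payload supplied by user space, and its trailing `char buf[0]` is sized only by the caller-controlled `buflen` and indexed by the caller-controlled `field_count`, yet the header comment above it states no validation contract for the receiver. The added `size_t datasz` parameter on `audit_receive_filter` (new line 369) suggests the length check is intended, so I would make the contract explicit on the struct: `/* Received from user space over netlink: the receiver must reject field_count > AUDIT_MAX_FIELDS and buflen larger than the payload size (datasz) before reading fields[], values[] or buf[]. */`. Since the same kernel-side parsing is what `AUDIT_UNUSED_BITS` (new line 128) is meant to guard, its comment appears to say the opposite of its name and value — `0x0FFFFC00` covers bits 10–27, between the field numbers below `0x400` and the operator/NEGATE bits in the top nibble, i.e. the bits a valid field word must NOT have set — so I would reword it to `/* Bits that no AUDIT_<field> or AUDIT_<operator> constant uses; user-supplied field words with any of these set are rejected. Update it when adding a constant. */`. Separately, the `!CONFIG_AUDITSYSCALL` stub `audit_set_macxattr(n)` (new line 341) expands to a statement while the real declaration returns `int`; if any caller uses the result the stub form `({ 0; })`, as used for `audit_ipc_perms`, would keep both configurations compiling.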