diff options
Diffstat (limited to 'include')
| -rw-r--r-- | include/asm-ppc/seccomp.h | 10 | ||||
| -rw-r--r-- | include/asm-ppc/thread_info.h | 7 | ||||
| -rw-r--r-- | include/linux/audit.h | 81 |
3 files changed, 82 insertions, 16 deletions
diff --git a/include/asm-ppc/seccomp.h b/include/asm-ppc/seccomp.h new file mode 100644 index 000000000000..666c4da96d87 --- /dev/null +++ b/include/asm-ppc/seccomp.h | |||
| @@ -0,0 +1,10 @@ | |||
| 1 | #ifndef _ASM_SECCOMP_H | ||
| 2 | |||
| 3 | #include <linux/unistd.h> | ||
| 4 | |||
| 5 | #define __NR_seccomp_read __NR_read | ||
| 6 | #define __NR_seccomp_write __NR_write | ||
| 7 | #define __NR_seccomp_exit __NR_exit | ||
| 8 | #define __NR_seccomp_sigreturn __NR_rt_sigreturn | ||
| 9 | |||
| 10 | #endif /* _ASM_SECCOMP_H */ | ||
diff --git a/include/asm-ppc/thread_info.h b/include/asm-ppc/thread_info.h index f7f01524e8a8..e3b5284a6f91 100644 --- a/include/asm-ppc/thread_info.h +++ b/include/asm-ppc/thread_info.h | |||
| @@ -77,12 +77,19 @@ static inline struct thread_info *current_thread_info(void) | |||
| 77 | #define TIF_POLLING_NRFLAG 4 /* true if poll_idle() is polling | 77 | #define TIF_POLLING_NRFLAG 4 /* true if poll_idle() is polling |
| 78 | TIF_NEED_RESCHED */ | 78 | TIF_NEED_RESCHED */ |
| 79 | #define TIF_MEMDIE 5 | 79 | #define TIF_MEMDIE 5 |
| 80 | #define TIF_SYSCALL_AUDIT 6 /* syscall auditing active */ | ||
| 81 | #define TIF_SECCOMP 7 /* secure computing */ | ||
| 82 | |||
| 80 | /* as above, but as bit values */ | 83 | /* as above, but as bit values */ |
| 81 | #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE) | 84 | #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE) |
| 82 | #define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME) | 85 | #define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME) |
| 83 | #define _TIF_SIGPENDING (1<<TIF_SIGPENDING) | 86 | #define _TIF_SIGPENDING (1<<TIF_SIGPENDING) |
| 84 | #define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED) | 87 | #define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED) |
| 85 | #define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG) | 88 | #define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG) |
| 89 | #define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT) | ||
| 90 | #define _TIF_SECCOMP (1<<TIF_SECCOMP) | ||
| 91 | |||
| 92 | #define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP) | ||
| 86 | 93 | ||
| 87 | /* | 94 | /* |
| 88 | * Non racy (local) flags bit numbers | 95 | * Non racy (local) flags bit numbers |
diff --git a/include/linux/audit.h b/include/linux/audit.h index 19f04b049798..51e5879af7fc 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -27,15 +27,55 @@ | |||
| 27 | #include <linux/sched.h> | 27 | #include <linux/sched.h> |
| 28 | #include <linux/elf.h> | 28 | #include <linux/elf.h> |
| 29 | 29 | ||
| 30 | /* Request and reply types */ | 30 | /* The netlink messages for the audit system is divided into blocks: |
| 31 | #define AUDIT_GET 1000 /* Get status */ | 31 | * 1000 - 1099 are for commanding the audit system |
| 32 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ | 32 | * 1100 - 1199 user space trusted application messages |
| 33 | #define AUDIT_LIST 1002 /* List filtering rules */ | 33 | * 1200 - 1299 messages internal to the audit daemon |
| 34 | #define AUDIT_ADD 1003 /* Add filtering rule */ | 34 | * 1300 - 1399 audit event messages |
| 35 | #define AUDIT_DEL 1004 /* Delete filtering rule */ | 35 | * 1400 - 1499 SE Linux use |
| 36 | #define AUDIT_USER 1005 /* Send a message from user-space */ | 36 | * 1500 - 1999 future use |
| 37 | #define AUDIT_LOGIN 1006 /* Define the login id and informaiton */ | 37 | * 2000 is for otherwise unclassified kernel audit messages |
| 38 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ | 38 | * |
| 39 | * Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user | ||
| 40 | * space. Anything over that is kernel --> user space communication. | ||
| 41 | */ | ||
| 42 | #define AUDIT_GET 1000 /* Get status */ | ||
| 43 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ | ||
| 44 | #define AUDIT_LIST 1002 /* List syscall filtering rules */ | ||
| 45 | #define AUDIT_ADD 1003 /* Add syscall filtering rule */ | ||
| 46 | #define AUDIT_DEL 1004 /* Delete syscall filtering rule */ | ||
| 47 | #define AUDIT_USER 1005 /* Message from userspace -- deprecated */ | ||
| 48 | #define AUDIT_LOGIN 1006 /* Define the login id and information */ | ||
| 49 | #define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */ | ||
| 50 | #define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */ | ||
| 51 | #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ | ||
| 52 | #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ | ||
| 53 | |||
| 54 | #define AUDIT_USER_AUTH 1100 /* User space authentication */ | ||
| 55 | #define AUDIT_USER_ACCT 1101 /* User space acct change */ | ||
| 56 | #define AUDIT_USER_MGMT 1102 /* User space acct management */ | ||
| 57 | #define AUDIT_CRED_ACQ 1103 /* User space credential acquired */ | ||
| 58 | #define AUDIT_CRED_DISP 1104 /* User space credential disposed */ | ||
| 59 | #define AUDIT_USER_START 1105 /* User space session start */ | ||
| 60 | #define AUDIT_USER_END 1106 /* User space session end */ | ||
| 61 | #define AUDIT_USER_AVC 1107 /* User space avc message */ | ||
| 62 | |||
| 63 | #define AUDIT_DAEMON_START 1200 /* Daemon startup record */ | ||
| 64 | #define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */ | ||
| 65 | #define AUDIT_DAEMON_ABORT 1202 /* Daemon error stop record */ | ||
| 66 | #define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */ | ||
| 67 | |||
| 68 | #define AUDIT_SYSCALL 1300 /* Syscall event */ | ||
| 69 | #define AUDIT_FS_WATCH 1301 /* Filesystem watch event */ | ||
| 70 | #define AUDIT_PATH 1302 /* Filname path information */ | ||
| 71 | #define AUDIT_IPC 1303 /* IPC record */ | ||
| 72 | #define AUDIT_SOCKET 1304 /* Socket record */ | ||
| 73 | #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ | ||
| 74 | |||
| 75 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ | ||
| 76 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ | ||
| 77 | |||
| 78 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ | ||
| 39 | 79 | ||
| 40 | /* Rule flags */ | 80 | /* Rule flags */ |
| 41 | #define AUDIT_PER_TASK 0x01 /* Apply rule at task creation (not syscall) */ | 81 | #define AUDIT_PER_TASK 0x01 /* Apply rule at task creation (not syscall) */ |
| @@ -141,7 +181,7 @@ struct audit_message { | |||
| 141 | 181 | ||
| 142 | struct audit_status { | 182 | struct audit_status { |
| 143 | __u32 mask; /* Bit mask for valid entries */ | 183 | __u32 mask; /* Bit mask for valid entries */ |
| 144 | __u32 enabled; /* 1 = enabled, 0 = disbaled */ | 184 | __u32 enabled; /* 1 = enabled, 0 = disabled */ |
| 145 | __u32 failure; /* Failure-to-log action */ | 185 | __u32 failure; /* Failure-to-log action */ |
| 146 | __u32 pid; /* pid of auditd process */ | 186 | __u32 pid; /* pid of auditd process */ |
| 147 | __u32 rate_limit; /* messages rate limit (per second) */ | 187 | __u32 rate_limit; /* messages rate limit (per second) */ |
| @@ -161,6 +201,11 @@ struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */ | |||
| 161 | 201 | ||
| 162 | #ifdef __KERNEL__ | 202 | #ifdef __KERNEL__ |
| 163 | 203 | ||
| 204 | struct audit_sig_info { | ||
| 205 | uid_t uid; | ||
| 206 | pid_t pid; | ||
| 207 | }; | ||
| 208 | |||
| 164 | struct audit_buffer; | 209 | struct audit_buffer; |
| 165 | struct audit_context; | 210 | struct audit_context; |
| 166 | struct inode; | 211 | struct inode; |
| @@ -185,11 +230,12 @@ extern void audit_inode(const char *name, const struct inode *inode); | |||
| 185 | /* Private API (for audit.c only) */ | 230 | /* Private API (for audit.c only) */ |
| 186 | extern int audit_receive_filter(int type, int pid, int uid, int seq, | 231 | extern int audit_receive_filter(int type, int pid, int uid, int seq, |
| 187 | void *data, uid_t loginuid); | 232 | void *data, uid_t loginuid); |
| 188 | extern void audit_get_stamp(struct audit_context *ctx, | 233 | extern int audit_get_stamp(struct audit_context *ctx, |
| 189 | struct timespec *t, unsigned int *serial); | 234 | struct timespec *t, unsigned int *serial); |
| 190 | extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); | 235 | extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); |
| 191 | extern uid_t audit_get_loginuid(struct audit_context *ctx); | 236 | extern uid_t audit_get_loginuid(struct audit_context *ctx); |
| 192 | extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); | 237 | extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); |
| 238 | extern void audit_signal_info(int sig, struct task_struct *t); | ||
| 193 | #else | 239 | #else |
| 194 | #define audit_alloc(t) ({ 0; }) | 240 | #define audit_alloc(t) ({ 0; }) |
| 195 | #define audit_free(t) do { ; } while (0) | 241 | #define audit_free(t) do { ; } while (0) |
| @@ -198,18 +244,21 @@ extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mo | |||
| 198 | #define audit_getname(n) do { ; } while (0) | 244 | #define audit_getname(n) do { ; } while (0) |
| 199 | #define audit_putname(n) do { ; } while (0) | 245 | #define audit_putname(n) do { ; } while (0) |
| 200 | #define audit_inode(n,i) do { ; } while (0) | 246 | #define audit_inode(n,i) do { ; } while (0) |
| 247 | #define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; }) | ||
| 248 | #define audit_get_stamp(c,t,s) ({ 0; }) | ||
| 201 | #define audit_get_loginuid(c) ({ -1; }) | 249 | #define audit_get_loginuid(c) ({ -1; }) |
| 202 | #define audit_ipc_perms(q,u,g,m) ({ 0; }) | 250 | #define audit_ipc_perms(q,u,g,m) ({ 0; }) |
| 251 | #define audit_signal_info(s,t) do { ; } while (0) | ||
| 203 | #endif | 252 | #endif |
| 204 | 253 | ||
| 205 | #ifdef CONFIG_AUDIT | 254 | #ifdef CONFIG_AUDIT |
| 206 | /* These are defined in audit.c */ | 255 | /* These are defined in audit.c */ |
| 207 | /* Public API */ | 256 | /* Public API */ |
| 208 | extern void audit_log(struct audit_context *ctx, | 257 | extern void audit_log(struct audit_context *ctx, int type, |
| 209 | const char *fmt, ...) | 258 | const char *fmt, ...) |
| 210 | __attribute__((format(printf,2,3))); | 259 | __attribute__((format(printf,3,4))); |
| 211 | 260 | ||
| 212 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx); | 261 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx,int type); |
| 213 | extern void audit_log_format(struct audit_buffer *ab, | 262 | extern void audit_log_format(struct audit_buffer *ab, |
| 214 | const char *fmt, ...) | 263 | const char *fmt, ...) |
| 215 | __attribute__((format(printf,2,3))); | 264 | __attribute__((format(printf,2,3))); |
| @@ -229,8 +278,8 @@ extern void audit_send_reply(int pid, int seq, int type, | |||
| 229 | void *payload, int size); | 278 | void *payload, int size); |
| 230 | extern void audit_log_lost(const char *message); | 279 | extern void audit_log_lost(const char *message); |
| 231 | #else | 280 | #else |
| 232 | #define audit_log(t,f,...) do { ; } while (0) | 281 | #define audit_log(c,t,f,...) do { ; } while (0) |
| 233 | #define audit_log_start(t) ({ NULL; }) | 282 | #define audit_log_start(c,t) ({ NULL; }) |
| 234 | #define audit_log_vformat(b,f,a) do { ; } while (0) | 283 | #define audit_log_vformat(b,f,a) do { ; } while (0) |
| 235 | #define audit_log_format(b,f,...) do { ; } while (0) | 284 | #define audit_log_format(b,f,...) do { ; } while (0) |
| 236 | #define audit_log_end(b) do { ; } while (0) | 285 | #define audit_log_end(b) do { ; } while (0) |