1 : /* audit -- definition of audit_context structure and supporting types
2 : *
3 : * Copyright 2003-2004 Red Hat, Inc.
4 : * Copyright 2005 Hewlett-Packard Development Company, L.P.
5 : * Copyright 2005 IBM Corporation
6 : *
7 : * This program is free software; you can redistribute it and/or modify
8 : * it under the terms of the GNU General Public License as published by
9 : * the Free Software Foundation; either version 2 of the License, or
10 : * (at your option) any later version.
11 : *
12 : * This program is distributed in the hope that it will be useful,
13 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 : * GNU General Public License for more details.
16 : *
17 : * You should have received a copy of the GNU General Public License
18 : * along with this program; if not, write to the Free Software
19 : * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 : */
21 :
22 : #include <linux/fs.h>
23 : #include <linux/audit.h>
24 : #include <linux/skbuff.h>
25 : #include <uapi/linux/mqueue.h>
26 :
27 : /* 0 = no checking
28 : 1 = put_count checking
29 : 2 = verbose put_count checking
30 : */
31 : #define AUDIT_DEBUG 0
32 :
33 : /* AUDIT_NAMES is the number of slots we reserve in the audit_context
34 : * for saving names from getname(). If we get more names we will allocate
35 : * a name dynamically and also add those to the list anchored by names_list. */
36 : #define AUDIT_NAMES 5
37 :
/* At task start time, the audit_state is set in the audit_context using
 * a per-task filter (audit_context::state). At syscall entry, the
 * audit_state is augmented by the syscall filter (audit_context::current_state).
 *
 * AUDIT_DISABLED must remain the first, zero-valued enumerator: the
 * !CONFIG_AUDITSYSCALL stub of audit_signal_info() at the bottom of this
 * file expands to AUDIT_DISABLED where the real function returns 0 on its
 * nothing-to-do path, and callers treat the two as the same answer. */
enum audit_state {
	AUDIT_DISABLED,		/* Do not create per-task audit_context.
				 * No syscall-specific audit records can
				 * be generated. */
	AUDIT_BUILD_CONTEXT,	/* Create the per-task audit_context,
				 * and fill it in at syscall
				 * entry time. This makes a full
				 * syscall record available if some
				 * other part of the kernel decides it
				 * should be recorded. */
	AUDIT_RECORD_CONTEXT	/* Create the per-task audit_context,
				 * always fill it in at syscall entry
				 * time, and always write out the audit
				 * record at syscall exit time. */
};
56 :
57 : /* Rule lists */
58 : struct audit_watch;
59 : struct audit_tree;
60 : struct audit_chunk;
61 :
/* One installed audit rule.
 *
 * @list links the entry into a filter list (audit_filter_list[] is
 * declared below; audit_filter_mutex is the declared writer lock).
 * @rcu is the callback head for deferred freeing -- audit_free_rule_rcu()
 * below takes a struct rcu_head -- so readers walking a list without the
 * mutex are not pulled out from under.
 * @rule is the rule proper (struct audit_krule, expected from <linux/audit.h>).
 *
 * NOTE(review): which list an entry sits on and the exact free path are
 * inferred from the declarations in this header; confirm in auditfilter.c.
 */
struct audit_entry {
	struct list_head	list;
	struct rcu_head		rcu;
	struct audit_krule	rule;
};
67 :
/* Capability sets as recorded by audit.
 *
 * The same layout is embedded for two different subjects: a file's
 * capabilities (audit_names::fcap) and a process's capability sets
 * (audit_context capset member).  The permitted and inheritable sets
 * are full sets in both cases; the effective part differs (see the
 * union), and the reader has to know which subject was filled in.
 */
struct audit_cap_data {
	kernel_cap_t		permitted;
	kernel_cap_t		inheritable;
	/* Shared storage: a file capability carries only a single
	 * "effective" bit, a process carries a whole effective set.
	 * Only one member is meaningful for a given instance. */
	union {
		unsigned int	fE;		/* effective bit of file cap */
		kernel_cap_t	effective;	/* effective set of process */
	};
};
76 :
/* When fs/namei.c:getname() is called, we store the pointer in name and
 * we don't let putname() free it (instead we free all of the saved
 * pointers at syscall exit time).
 *
 * Further, in fs/namei.c:path_lookup() we store the inode and device.
 *
 * Lifetime: an audit_names either lives inside
 * audit_context::preallocated_names or was allocated on its own.  Two
 * independent flags decide what is released at syscall exit: @name_put for
 * the struct filename it points at, @should_free for the audit_names
 * itself.  A wrong flag is a leak or a double free, so they should be set
 * only at the point where the object is created.
 */
struct audit_names {
	struct list_head	list;		/* audit_context->names_list */

	struct filename		*name;		/* saved getname() result, not ours
						 * to putname() early (see above) */
	int			name_len;	/* number of chars to log;
						 * AUDIT_NAME_FULL (-1, defined
						 * below) presumably requests the
						 * whole pathname */
	bool			hidden;		/* don't log this record */
	bool			name_put;	/* call __putname()? */

	/* Snapshot of the resolved inode's identity and ownership.
	 * NOTE(review): presumably populated by audit_copy_inode()
	 * (declared below) -- confirm. */
	unsigned long		ino;
	dev_t			dev;
	umode_t			mode;
	kuid_t			uid;
	kgid_t			gid;
	dev_t			rdev;
	u32			osid;		/* NOTE(review): looks like an LSM
						 * secid for the inode -- confirm */
	struct audit_cap_data	fcap;		/* file capabilities; for a file
						 * only fcap.fE (the effective
						 * bit) is meaningful */
	unsigned int		fcap_ver;	/* version of the file cap data */
	unsigned char		type;		/* record type */
	/*
	 * This was an allocated audit_names and not from the array of
	 * names allocated in the task audit context. Thus this name
	 * should be freed on syscall exit.
	 */
	bool			should_free;
};
108 :
/* Saved copy of the task's command line (going by the name, the source of
 * the proctitle record).
 *
 * @len is the byte length of @value; @value is not assumed to be
 * NUL-terminated here, so anything logging it must honour @len.
 * NOTE(review): who allocates and frees @value is not visible in this
 * header; presumably it lives as long as the owning audit_context --
 * confirm in auditsc.c.
 */
struct audit_proctitle {
	int	len;	/* length of the cmdline field. */
	char	*value;	/* the cmdline field */
};
113 :
/* The per-task audit context.
 *
 * Accumulates everything a syscall record needs between syscall entry
 * and exit: the syscall identity and arguments, the names collected via
 * getname(), a snapshot of the task's credentials, tree-watch references,
 * and per-syscall-family detail in the union keyed by @type.
 *
 * NOTE(review): member order is part of the contract -- at least @dummy
 * is required to be first (see its comment), which suggests it is read
 * through a raw pointer cast elsewhere.  Do not reorder members without
 * checking that.
 */
struct audit_context {
	int		    dummy;	/* must be the first element */
	int		    in_syscall;	/* 1 if task is in a syscall */
	/* state: set at task start by the per-task filter;
	 * current_state: state after the syscall filter at entry
	 * (see the enum audit_state comment above). */
	enum audit_state    state, current_state;
	unsigned int	    serial;     /* serial number for record */
	int		    major;      /* syscall number */
	/* NOTE(review): plain struct timespec, i.e. a 32-bit time_t on
	 * 32-bit targets; later kernels switched these to timespec64.
	 * Relevant only if this header is carried to such a target. */
	struct timespec	    ctime;      /* time of syscall entry */
	/* Only the first four syscall arguments are saved here; the
	 * socketcall member of the union below holds up to six. */
	unsigned long	    argv[4];    /* syscall arguments */
	long		    return_code;/* syscall return code */
	u64		    prio;	/* NOTE(review): presumably the priority
					 * of the rule that matched, paired with
					 * @filterkey -- confirm */
	int		    return_valid; /* return code is valid */
	/*
	 * The names_list is the list of all audit_names collected during this
	 * syscall.  The first AUDIT_NAMES entries in the names_list will
	 * actually be from the preallocated_names array for performance
	 * reasons.  Except during allocation they should never be referenced
	 * through the preallocated_names array and should only be found/used
	 * by running the names_list.
	 */
	struct audit_names  preallocated_names[AUDIT_NAMES];
	int		    name_count; /* total records in names_list */
	struct list_head    names_list;	/* struct audit_names->list anchor */
	char		    *filterkey;	/* key for rule that triggered record */
	struct path	    pwd;	/* cwd at the time of the syscall, for
					 * resolving relative names */
	struct audit_aux_data *aux;	/* extra records chained to this
					 * syscall (type not defined here) */
	struct audit_aux_data *aux_pids;
	struct sockaddr_storage *sockaddr;	/* peer/local address captured
						 * by socket syscalls */
	size_t sockaddr_len;		/* valid bytes in *sockaddr */
	/* Save things to print about task_struct */
	pid_t		    pid, ppid;
	kuid_t		    uid, euid, suid, fsuid;
	kgid_t		    gid, egid, sgid, fsgid;
	unsigned long	    personality;
	int		    arch;

	/* Identity of another task this syscall acted on (NOTE(review):
	 * presumably the signal/ptrace target recorded by
	 * __audit_signal_info() and friends -- confirm). */
	pid_t		    target_pid;
	kuid_t		    target_auid;
	kuid_t		    target_uid;
	unsigned int	    target_sessionid;
	u32		    target_sid;
	char		    target_comm[TASK_COMM_LEN];	/* fixed buffer: any
							 * copy into it must be
							 * bounded by
							 * TASK_COMM_LEN */

	/* Tree-watch bookkeeping (type audit_tree_refs is opaque here).
	 * killed_trees is presumably where audit_kill_trees() /
	 * audit_killed_trees(), declared below, park trees torn down
	 * during this syscall -- confirm. */
	struct audit_tree_refs *trees, *first_trees;
	struct list_head killed_trees;
	int tree_count;

	int type;	/* presumably selects the live member of the union */
	union {
		struct {
			int nargs;
			long args[6];	/* all six socketcall args, unlike argv[4] */
		} socketcall;
		struct {
			kuid_t			uid;
			kgid_t			gid;
			umode_t			mode;
			u32			osid;
			int			has_perm;
			/* Raw uid_t/gid_t, not kuid_t/kgid_t like @uid/@gid
			 * above: presumably the caller-supplied values of a
			 * permission change rather than resolved kernel ids.
			 * perm_* look valid only when has_perm is set --
			 * confirm before comparing them with the k*id fields. */
			uid_t			perm_uid;
			gid_t			perm_gid;
			umode_t			perm_mode;
			unsigned long		qbytes;
		} ipc;
		struct {
			mqd_t			mqdes;
			struct mq_attr		mqstat;
		} mq_getsetattr;
		struct {
			mqd_t			mqdes;
			int			sigev_signo;
		} mq_notify;
		struct {
			mqd_t			mqdes;
			size_t			msg_len;
			unsigned int		msg_prio;
			struct timespec		abs_timeout;	/* same timespec caveat as @ctime */
		} mq_sendrecv;
		struct {
			int			oflag;
			umode_t			mode;
			struct mq_attr		attr;
		} mq_open;
		struct {
			pid_t			pid;
			struct audit_cap_data	cap;	/* process sets: cap.effective
							 * is the meaningful member */
		} capset;
		struct {
			int			fd;
			int			flags;
		} mmap;
		struct {
			int			argc;
		} execve;
	};
	int fds[2];	/* NOTE(review): two descriptors, presumably the
			 * result of a pipe/socketpair-style call -- confirm */
	struct audit_proctitle proctitle;

#if AUDIT_DEBUG
	int		    put_count;	/* AUDIT_DEBUG: putname() bookkeeping */
	int		    ino_count;
#endif
};
217 :
218 : extern u32 audit_ever_enabled;
219 :
220 : extern void audit_copy_inode(struct audit_names *name,
221 : const struct dentry *dentry,
222 : const struct inode *inode);
223 : extern void audit_log_cap(struct audit_buffer *ab, char *prefix,
224 : kernel_cap_t *cap);
225 : extern void audit_log_name(struct audit_context *context,
226 : struct audit_names *n, struct path *path,
227 : int record_num, int *call_panic);
228 :
229 : extern int audit_pid;
230 :
231 : #define AUDIT_INODE_BUCKETS 32
232 : extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
233 :
/*
 * audit_hash_ino - pick the audit_inode_hash[] bucket for an inode number
 * @ino: inode number (only its low bits matter)
 *
 * Returns a value in [0, AUDIT_INODE_BUCKETS).  Written as an unsigned
 * modulo, which for the power-of-two bucket count is exactly the
 * "ino & (AUDIT_INODE_BUCKETS-1)" mask and compiles to the same AND.
 * Keep AUDIT_INODE_BUCKETS a power of two; otherwise the bucket <-> low
 * bits relation the mask form assumes no longer holds.
 */
static inline int audit_hash_ino(u32 ino)
{
	u32 bucket = ino % AUDIT_INODE_BUCKETS;

	return (int)bucket;
}
238 :
239 : /* Indicates that audit should log the full pathname. */
240 : #define AUDIT_NAME_FULL -1
241 :
242 : extern int audit_match_class(int class, unsigned syscall);
243 : extern int audit_comparator(const u32 left, const u32 op, const u32 right);
244 : extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
245 : extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
246 : extern int parent_len(const char *path);
247 : extern int audit_compare_dname_path(const char *dname, const char *path, int plen);
248 : extern struct sk_buff *audit_make_reply(__u32 portid, int seq, int type,
249 : int done, int multi,
250 : const void *payload, int size);
251 : extern void audit_panic(const char *message);
252 :
/* A batch of netlink replies addressed to one userspace requester.
 *
 * Handed to audit_send_list() (declared below, which takes it as a void *)
 * which presumably drains @q to @portid over the netlink socket of @net
 * and then frees the structure -- confirm in audit.c before assuming the
 * caller still owns it after the hand-off.
 */
struct audit_netlink_list {
	__u32 portid;		/* destination netlink port id */
	struct net *net;	/* struct net the reply goes back through */
	struct sk_buff_head q;	/* queued reply skbs, in send order */
};
258 :
259 : int audit_send_list(void *);
260 :
/* Audit state kept per struct net: the netlink socket audit commands are
 * received on.  NOTE(review): the per-network-namespace role is inferred
 * from the name; confirm against the net_generic registration in audit.c. */
struct audit_net {
	struct sock *nlsk;
};
264 :
265 : extern int selinux_audit_rule_update(void);
266 :
267 : extern struct mutex audit_filter_mutex;
268 : extern void audit_free_rule_rcu(struct rcu_head *);
269 : extern struct list_head audit_filter_list[];
270 :
271 : extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);
272 :
273 : /* audit watch functions */
274 : #ifdef CONFIG_AUDIT_WATCH
275 : extern void audit_put_watch(struct audit_watch *watch);
276 : extern void audit_get_watch(struct audit_watch *watch);
277 : extern int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op);
278 : extern int audit_add_watch(struct audit_krule *krule, struct list_head **list);
279 : extern void audit_remove_watch_rule(struct audit_krule *krule);
280 : extern char *audit_watch_path(struct audit_watch *watch);
281 : extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev);
282 : #else
283 : #define audit_put_watch(w) {}
284 : #define audit_get_watch(w) {}
285 : #define audit_to_watch(k, p, l, o) (-EINVAL)
286 : #define audit_add_watch(k, l) (-EINVAL)
287 : #define audit_remove_watch_rule(k) BUG()
288 : #define audit_watch_path(w) ""
289 : #define audit_watch_compare(w, i, d) 0
290 :
291 : #endif /* CONFIG_AUDIT_WATCH */
292 :
293 : #ifdef CONFIG_AUDIT_TREE
294 : extern struct audit_chunk *audit_tree_lookup(const struct inode *);
295 : extern void audit_put_chunk(struct audit_chunk *);
296 : extern int audit_tree_match(struct audit_chunk *, struct audit_tree *);
297 : extern int audit_make_tree(struct audit_krule *, char *, u32);
298 : extern int audit_add_tree_rule(struct audit_krule *);
299 : extern int audit_remove_tree_rule(struct audit_krule *);
300 : extern void audit_trim_trees(void);
301 : extern int audit_tag_tree(char *old, char *new);
302 : extern const char *audit_tree_path(struct audit_tree *);
303 : extern void audit_put_tree(struct audit_tree *);
304 : extern void audit_kill_trees(struct list_head *);
305 : #else
306 : #define audit_remove_tree_rule(rule) BUG()
307 : #define audit_add_tree_rule(rule) -EINVAL
308 : #define audit_make_tree(rule, str, op) -EINVAL
309 : #define audit_trim_trees() (void)0
310 : #define audit_put_tree(tree) (void)0
311 : #define audit_tag_tree(old, new) -EINVAL
312 : #define audit_tree_path(rule) "" /* never called */
313 : #define audit_kill_trees(list) BUG()
314 : #endif
315 :
316 : extern char *audit_unpack_string(void **, size_t *, size_t);
317 :
318 : extern pid_t audit_sig_pid;
319 : extern kuid_t audit_sig_uid;
320 : extern u32 audit_sig_sid;
321 :
322 : #ifdef CONFIG_AUDITSYSCALL
323 : extern int __audit_signal_info(int sig, struct task_struct *t);
/*
 * audit_signal_info - inline fast path in front of __audit_signal_info()
 * @sig: signal number being delivered
 * @t:   task the signal is aimed at
 *
 * Calls out to __audit_signal_info() in exactly two situations, tested in
 * this order with the same short-circuiting as the original expression:
 *   1. the target is the audit daemon (audit_pid is non-zero and equals
 *      t->tgid), or
 *   2. signal auditing is enabled (audit_signals) and the current task
 *      has a real, non-dummy audit context.
 * Otherwise returns 0 without doing anything.
 *
 * Return: 0 when there is nothing to audit, else whatever
 * __audit_signal_info() returns.
 *
 * NOTE(review): what __audit_signal_info() records is not visible here;
 * presumably it fills audit_sig_pid/uid/sid (declared above) for case 1 and
 * the audit_context target_* fields for case 2 -- confirm in auditsc.c.
 */
static inline int audit_signal_info(int sig, struct task_struct *t)
{
	/* A signal to auditd is always of interest, presumably so the
	 * sender of a kill to the daemon stays attributable. */
	if (unlikely(audit_pid && t->tgid == audit_pid))
		return __audit_signal_info(sig, t);

	/* Otherwise only if signal auditing is on and the sender (current)
	 * is itself being audited. */
	if (unlikely(audit_signals && !audit_dummy_context()))
		return __audit_signal_info(sig, t);

	return 0;
}
331 : extern void audit_filter_inodes(struct task_struct *, struct audit_context *);
332 : extern struct list_head *audit_killed_trees(void);
333 : #else
334 : #define audit_signal_info(s,t) AUDIT_DISABLED
335 : #define audit_filter_inodes(t,c) AUDIT_DISABLED
336 : #endif
337 :
338 : extern struct mutex audit_cmd_mutex;