audit.h 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466
  1. /* audit.h -- Auditing support
  2. *
  3. * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
  4. * All Rights Reserved.
  5. *
  6. * This program is free software; you can redistribute it and/or modify
  7. * it under the terms of the GNU General Public License as published by
  8. * the Free Software Foundation; either version 2 of the License, or
  9. * (at your option) any later version.
  10. *
  11. * This program is distributed in the hope that it will be useful,
  12. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. * GNU General Public License for more details.
  15. *
  16. * You should have received a copy of the GNU General Public License
  17. * along with this program; if not, write to the Free Software
  18. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  19. *
  20. * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  21. *
  22. */
  23. #ifndef _LINUX_AUDIT_H_
  24. #define _LINUX_AUDIT_H_
  25. #include <linux/types.h>
  26. #include <linux/elf-em.h>
  27. /* The netlink messages for the audit system is divided into blocks:
  28. * 1000 - 1099 are for commanding the audit system
  29. * 1100 - 1199 user space trusted application messages
  30. * 1200 - 1299 messages internal to the audit daemon
  31. * 1300 - 1399 audit event messages
  32. * 1400 - 1499 SE Linux use
  33. * 1500 - 1599 kernel LSPP events
  34. * 1600 - 1699 kernel crypto events
  35. * 1700 - 1799 kernel anomaly records
  36. * 1800 - 1899 kernel integrity events
  37. * 1900 - 1999 future kernel use
  38. * 2000 is for otherwise unclassified kernel audit messages (legacy)
  39. * 2001 - 2099 unused (kernel)
  40. * 2100 - 2199 user space anomaly records
  41. * 2200 - 2299 user space actions taken in response to anomalies
  42. * 2300 - 2399 user space generated LSPP events
  43. * 2400 - 2499 user space crypto events
  44. * 2500 - 2999 future user space (maybe integrity labels and related events)
  45. *
  46. * Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are
  47. * exclusively user space. 1300-2099 is kernel --> user space
  48. * communication.
  49. */
  50. #define AUDIT_GET 1000 /* Get status */
  51. #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */
  52. #define AUDIT_LIST 1002 /* List syscall rules -- deprecated */
  53. #define AUDIT_ADD 1003 /* Add syscall rule -- deprecated */
  54. #define AUDIT_DEL 1004 /* Delete syscall rule -- deprecated */
  55. #define AUDIT_USER 1005 /* Message from userspace -- deprecated */
  56. #define AUDIT_LOGIN 1006 /* Define the login id and information */
  57. #define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */
  58. #define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */
  59. #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */
  60. #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */
  61. #define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */
  62. #define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */
  63. #define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */
  64. #define AUDIT_TRIM 1014 /* Trim junk from watched tree */
  65. #define AUDIT_MAKE_EQUIV 1015 /* Append to watched tree */
  66. #define AUDIT_TTY_GET 1016 /* Get TTY auditing status */
  67. #define AUDIT_TTY_SET 1017 /* Set TTY auditing status */
  68. #define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */
  69. #define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */
  70. #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */
  71. #define AUDIT_USER_AVC 1107 /* We filter this differently */
  72. #define AUDIT_USER_TTY 1124 /* Non-ICANON TTY input meaning */
  73. #define AUDIT_LAST_USER_MSG 1199
  74. #define AUDIT_FIRST_USER_MSG2 2100 /* More user space messages */
  75. #define AUDIT_LAST_USER_MSG2 2999
  76. #define AUDIT_DAEMON_START 1200 /* Daemon startup record */
  77. #define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */
  78. #define AUDIT_DAEMON_ABORT 1202 /* Daemon error stop record */
  79. #define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */
  80. #define AUDIT_SYSCALL 1300 /* Syscall event */
  81. /* #define AUDIT_FS_WATCH 1301 * Deprecated */
  82. #define AUDIT_PATH 1302 /* Filename path information */
  83. #define AUDIT_IPC 1303 /* IPC record */
  84. #define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
  85. #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
  86. #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
  87. #define AUDIT_CWD 1307 /* Current working directory */
  88. #define AUDIT_EXECVE 1309 /* execve arguments */
  89. #define AUDIT_IPC_SET_PERM 1311 /* IPC new permissions record type */
  90. #define AUDIT_MQ_OPEN 1312 /* POSIX MQ open record type */
  91. #define AUDIT_MQ_SENDRECV 1313 /* POSIX MQ send/receive record type */
  92. #define AUDIT_MQ_NOTIFY 1314 /* POSIX MQ notify record type */
  93. #define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */
  94. #define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */
  95. #define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */
  96. #define AUDIT_OBJ_PID 1318 /* ptrace target */
  97. #define AUDIT_TTY 1319 /* Input on an administrative TTY */
  98. #define AUDIT_EOE 1320 /* End of multi-record event */
  99. #define AUDIT_BPRM_FCAPS 1321 /* Information about fcaps increasing perms */
  100. #define AUDIT_CAPSET 1322 /* Record showing argument to sys_capset */
  101. #define AUDIT_MMAP 1323 /* Record showing descriptor and flags in mmap */
  102. #define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */
  103. #define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */
  104. #define AUDIT_SECCOMP 1326 /* Secure Computing event */
  105. #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
  106. #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
  107. #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
  108. #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
  109. #define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */
  110. #define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */
  111. #define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */
  112. #define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */
  113. #define AUDIT_MAC_UNLBL_ALLOW 1406 /* NetLabel: allow unlabeled traffic */
  114. #define AUDIT_MAC_CIPSOV4_ADD 1407 /* NetLabel: add CIPSOv4 DOI entry */
  115. #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */
  116. #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */
  117. #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */
  118. #define AUDIT_MAC_IPSEC_ADDSA 1411 /* Not used */
  119. #define AUDIT_MAC_IPSEC_DELSA 1412 /* Not used */
  120. #define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Not used */
  121. #define AUDIT_MAC_IPSEC_DELSPD 1414 /* Not used */
  122. #define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */
  123. #define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */
  124. #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */
  125. #define AUDIT_FIRST_KERN_ANOM_MSG 1700
  126. #define AUDIT_LAST_KERN_ANOM_MSG 1799
  127. #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
  128. #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
  129. #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
  130. #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
  131. #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
  132. #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
  133. #define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
  134. #define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
  135. #define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
  136. #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
  137. /* Rule flags */
  138. #define AUDIT_FILTER_USER 0x00 /* Apply rule to user-generated messages */
  139. #define AUDIT_FILTER_TASK 0x01 /* Apply rule at task creation (not syscall) */
  140. #define AUDIT_FILTER_ENTRY 0x02 /* Apply rule at syscall entry */
  141. #define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */
  142. #define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */
  143. #define AUDIT_FILTER_TYPE 0x05 /* Apply rule at audit_log_start */
  144. #define AUDIT_NR_FILTERS 6
  145. #define AUDIT_FILTER_PREPEND 0x10 /* Prepend to front of list */
  146. /* Rule actions */
  147. #define AUDIT_NEVER 0 /* Do not build context if rule matches */
  148. #define AUDIT_POSSIBLE 1 /* Build context if rule matches */
  149. #define AUDIT_ALWAYS 2 /* Generate audit record if rule matches */
  150. /* Rule structure sizes -- if these change, different AUDIT_ADD and
  151. * AUDIT_LIST commands must be implemented. */
  152. #define AUDIT_MAX_FIELDS 64
  153. #define AUDIT_MAX_KEY_LEN 256
  154. #define AUDIT_BITMASK_SIZE 64
  155. #define AUDIT_WORD(nr) ((__u32)((nr)/32))
  156. #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32))
  157. #define AUDIT_SYSCALL_CLASSES 16
  158. #define AUDIT_CLASS_DIR_WRITE 0
  159. #define AUDIT_CLASS_DIR_WRITE_32 1
  160. #define AUDIT_CLASS_CHATTR 2
  161. #define AUDIT_CLASS_CHATTR_32 3
  162. #define AUDIT_CLASS_READ 4
  163. #define AUDIT_CLASS_READ_32 5
  164. #define AUDIT_CLASS_WRITE 6
  165. #define AUDIT_CLASS_WRITE_32 7
  166. #define AUDIT_CLASS_SIGNAL 8
  167. #define AUDIT_CLASS_SIGNAL_32 9
  168. /* This bitmask is used to validate user input. It represents all bits that
  169. * are currently used in an audit field constant understood by the kernel.
  170. * If you are adding a new #define AUDIT_<whatever>, please ensure that
  171. * AUDIT_UNUSED_BITS is updated if need be. */
  172. #define AUDIT_UNUSED_BITS 0x07FFFC00
  173. /* AUDIT_FIELD_COMPARE rule list */
  174. #define AUDIT_COMPARE_UID_TO_OBJ_UID 1
  175. #define AUDIT_COMPARE_GID_TO_OBJ_GID 2
  176. #define AUDIT_COMPARE_EUID_TO_OBJ_UID 3
  177. #define AUDIT_COMPARE_EGID_TO_OBJ_GID 4
  178. #define AUDIT_COMPARE_AUID_TO_OBJ_UID 5
  179. #define AUDIT_COMPARE_SUID_TO_OBJ_UID 6
  180. #define AUDIT_COMPARE_SGID_TO_OBJ_GID 7
  181. #define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
  182. #define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
  183. #define AUDIT_COMPARE_UID_TO_AUID 10
  184. #define AUDIT_COMPARE_UID_TO_EUID 11
  185. #define AUDIT_COMPARE_UID_TO_FSUID 12
  186. #define AUDIT_COMPARE_UID_TO_SUID 13
  187. #define AUDIT_COMPARE_AUID_TO_FSUID 14
  188. #define AUDIT_COMPARE_AUID_TO_SUID 15
  189. #define AUDIT_COMPARE_AUID_TO_EUID 16
  190. #define AUDIT_COMPARE_EUID_TO_SUID 17
  191. #define AUDIT_COMPARE_EUID_TO_FSUID 18
  192. #define AUDIT_COMPARE_SUID_TO_FSUID 19
  193. #define AUDIT_COMPARE_GID_TO_EGID 20
  194. #define AUDIT_COMPARE_GID_TO_FSGID 21
  195. #define AUDIT_COMPARE_GID_TO_SGID 22
  196. #define AUDIT_COMPARE_EGID_TO_FSGID 23
  197. #define AUDIT_COMPARE_EGID_TO_SGID 24
  198. #define AUDIT_COMPARE_SGID_TO_FSGID 25
  199. #define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_SGID_TO_FSGID
  200. /* Rule fields */
  201. /* These are useful when checking the
  202. * task structure at task creation time
  203. * (AUDIT_PER_TASK). */
  204. #define AUDIT_PID 0
  205. #define AUDIT_UID 1
  206. #define AUDIT_EUID 2
  207. #define AUDIT_SUID 3
  208. #define AUDIT_FSUID 4
  209. #define AUDIT_GID 5
  210. #define AUDIT_EGID 6
  211. #define AUDIT_SGID 7
  212. #define AUDIT_FSGID 8
  213. #define AUDIT_LOGINUID 9
  214. #define AUDIT_PERS 10
  215. #define AUDIT_ARCH 11
  216. #define AUDIT_MSGTYPE 12
  217. #define AUDIT_SUBJ_USER 13 /* security label user */
  218. #define AUDIT_SUBJ_ROLE 14 /* security label role */
  219. #define AUDIT_SUBJ_TYPE 15 /* security label type */
  220. #define AUDIT_SUBJ_SEN 16 /* security label sensitivity label */
  221. #define AUDIT_SUBJ_CLR 17 /* security label clearance label */
  222. #define AUDIT_PPID 18
  223. #define AUDIT_OBJ_USER 19
  224. #define AUDIT_OBJ_ROLE 20
  225. #define AUDIT_OBJ_TYPE 21
  226. #define AUDIT_OBJ_LEV_LOW 22
  227. #define AUDIT_OBJ_LEV_HIGH 23
  228. #define AUDIT_LOGINUID_SET 24
  229. /* These are ONLY useful when checking
  230. * at syscall exit time (AUDIT_AT_EXIT). */
  231. #define AUDIT_DEVMAJOR 100
  232. #define AUDIT_DEVMINOR 101
  233. #define AUDIT_INODE 102
  234. #define AUDIT_EXIT 103
  235. #define AUDIT_SUCCESS 104 /* exit >= 0; value ignored */
  236. #define AUDIT_WATCH 105
  237. #define AUDIT_PERM 106
  238. #define AUDIT_DIR 107
  239. #define AUDIT_FILETYPE 108
  240. #define AUDIT_OBJ_UID 109
  241. #define AUDIT_OBJ_GID 110
  242. #define AUDIT_FIELD_COMPARE 111
  243. #define AUDIT_EXE 112
  244. #define AUDIT_ARG0 200
  245. #define AUDIT_ARG1 (AUDIT_ARG0+1)
  246. #define AUDIT_ARG2 (AUDIT_ARG0+2)
  247. #define AUDIT_ARG3 (AUDIT_ARG0+3)
  248. #define AUDIT_FILTERKEY 210
  249. #define AUDIT_NEGATE 0x80000000
  250. /* These are the supported operators.
  251. * 4 2 1 8
  252. * = > < ?
  253. * ----------
  254. * 0 0 0 0 00 nonsense
  255. * 0 0 0 1 08 & bit mask
  256. * 0 0 1 0 10 <
  257. * 0 1 0 0 20 >
  258. * 0 1 1 0 30 !=
  259. * 1 0 0 0 40 =
  260. * 1 0 0 1 48 &= bit test
  261. * 1 0 1 0 50 <=
  262. * 1 1 0 0 60 >=
  263. * 1 1 1 1 78 all operators
  264. */
  265. #define AUDIT_BIT_MASK 0x08000000
  266. #define AUDIT_LESS_THAN 0x10000000
  267. #define AUDIT_GREATER_THAN 0x20000000
  268. #define AUDIT_NOT_EQUAL 0x30000000
  269. #define AUDIT_EQUAL 0x40000000
  270. #define AUDIT_BIT_TEST (AUDIT_BIT_MASK|AUDIT_EQUAL)
  271. #define AUDIT_LESS_THAN_OR_EQUAL (AUDIT_LESS_THAN|AUDIT_EQUAL)
  272. #define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN|AUDIT_EQUAL)
  273. #define AUDIT_OPERATORS (AUDIT_EQUAL|AUDIT_NOT_EQUAL|AUDIT_BIT_MASK)
  274. enum {
  275. Audit_equal,
  276. Audit_not_equal,
  277. Audit_bitmask,
  278. Audit_bittest,
  279. Audit_lt,
  280. Audit_gt,
  281. Audit_le,
  282. Audit_ge,
  283. Audit_bad
  284. };
  285. /* Status symbols */
  286. /* Mask values */
  287. #define AUDIT_STATUS_ENABLED 0x0001
  288. #define AUDIT_STATUS_FAILURE 0x0002
  289. #define AUDIT_STATUS_PID 0x0004
  290. #define AUDIT_STATUS_RATE_LIMIT 0x0008
  291. #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
  292. #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
  293. #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
  294. #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
  295. #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
  296. #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
  297. AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
  298. AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH)
  299. /* deprecated: AUDIT_VERSION_* */
  300. #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
  301. #define AUDIT_VERSION_BACKLOG_LIMIT AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT
  302. #define AUDIT_VERSION_BACKLOG_WAIT_TIME AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME
  303. /* Failure-to-log actions */
  304. #define AUDIT_FAIL_SILENT 0
  305. #define AUDIT_FAIL_PRINTK 1
  306. #define AUDIT_FAIL_PANIC 2
  307. /*
  308. * These bits disambiguate different calling conventions that share an
  309. * ELF machine type, bitness, and endianness
  310. */
  311. #define __AUDIT_ARCH_CONVENTION_MASK 0x30000000
  312. #define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
  313. /* distinguish syscall tables */
  314. #define __AUDIT_ARCH_64BIT 0x80000000
  315. #define __AUDIT_ARCH_LE 0x40000000
  316. #define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
  317. #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
  318. #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
  319. #define AUDIT_ARCH_ARMEB (EM_ARM)
  320. #define AUDIT_ARCH_CRIS (EM_CRIS|__AUDIT_ARCH_LE)
  321. #define AUDIT_ARCH_FRV (EM_FRV)
  322. #define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE)
  323. #define AUDIT_ARCH_IA64 (EM_IA_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
  324. #define AUDIT_ARCH_M32R (EM_M32R)
  325. #define AUDIT_ARCH_M68K (EM_68K)
  326. #define AUDIT_ARCH_MICROBLAZE (EM_MICROBLAZE)
  327. #define AUDIT_ARCH_MIPS (EM_MIPS)
  328. #define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE)
  329. #define AUDIT_ARCH_MIPS64 (EM_MIPS|__AUDIT_ARCH_64BIT)
  330. #define AUDIT_ARCH_MIPS64N32 (EM_MIPS|__AUDIT_ARCH_64BIT|\
  331. __AUDIT_ARCH_CONVENTION_MIPS64_N32)
  332. #define AUDIT_ARCH_MIPSEL64 (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
  333. #define AUDIT_ARCH_MIPSEL64N32 (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE|\
  334. __AUDIT_ARCH_CONVENTION_MIPS64_N32)
  335. #define AUDIT_ARCH_OPENRISC (EM_OPENRISC)
  336. #define AUDIT_ARCH_PARISC (EM_PARISC)
  337. #define AUDIT_ARCH_PARISC64 (EM_PARISC|__AUDIT_ARCH_64BIT)
  338. #define AUDIT_ARCH_PPC (EM_PPC)
  339. /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
  340. #define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
  341. #define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
  342. #define AUDIT_ARCH_S390 (EM_S390)
  343. #define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
  344. #define AUDIT_ARCH_SH (EM_SH)
  345. #define AUDIT_ARCH_SHEL (EM_SH|__AUDIT_ARCH_LE)
  346. #define AUDIT_ARCH_SH64 (EM_SH|__AUDIT_ARCH_64BIT)
  347. #define AUDIT_ARCH_SHEL64 (EM_SH|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
  348. #define AUDIT_ARCH_SPARC (EM_SPARC)
  349. #define AUDIT_ARCH_SPARC64 (EM_SPARCV9|__AUDIT_ARCH_64BIT)
  350. #define AUDIT_ARCH_TILEGX (EM_TILEGX|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
  351. #define AUDIT_ARCH_TILEGX32 (EM_TILEGX|__AUDIT_ARCH_LE)
  352. #define AUDIT_ARCH_TILEPRO (EM_TILEPRO|__AUDIT_ARCH_LE)
  353. #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
  354. #define AUDIT_PERM_EXEC 1
  355. #define AUDIT_PERM_WRITE 2
  356. #define AUDIT_PERM_READ 4
  357. #define AUDIT_PERM_ATTR 8
  358. /* MAX_AUDIT_MESSAGE_LENGTH is set in audit:lib/libaudit.h as:
  359. * 8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1
  360. * max header+body+tailer: 44 + 29 + 32 + 262 + 7 + pad
  361. */
  362. #define AUDIT_MESSAGE_TEXT_MAX 8560
  363. /* Multicast Netlink socket groups (default up to 32) */
  364. enum audit_nlgrps {
  365. AUDIT_NLGRP_NONE, /* Group 0 not used */
  366. AUDIT_NLGRP_READLOG, /* "best effort" read only socket */
  367. __AUDIT_NLGRP_MAX
  368. };
  369. #define AUDIT_NLGRP_MAX (__AUDIT_NLGRP_MAX - 1)
  370. struct audit_status {
  371. __u32 mask; /* Bit mask for valid entries */
  372. __u32 enabled; /* 1 = enabled, 0 = disabled */
  373. __u32 failure; /* Failure-to-log action */
  374. __u32 pid; /* pid of auditd process */
  375. __u32 rate_limit; /* messages rate limit (per second) */
  376. __u32 backlog_limit; /* waiting messages limit */
  377. __u32 lost; /* messages lost */
  378. __u32 backlog; /* messages waiting in queue */
  379. union {
  380. __u32 version; /* deprecated: audit api version num */
  381. __u32 feature_bitmap; /* bitmap of kernel audit features */
  382. };
  383. __u32 backlog_wait_time;/* message queue wait timeout */
  384. };
  385. struct audit_features {
  386. #define AUDIT_FEATURE_VERSION 1
  387. __u32 vers;
  388. __u32 mask; /* which bits we are dealing with */
  389. __u32 features; /* which feature to enable/disable */
  390. __u32 lock; /* which features to lock */
  391. };
  392. #define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0
  393. #define AUDIT_FEATURE_LOGINUID_IMMUTABLE 1
  394. #define AUDIT_LAST_FEATURE AUDIT_FEATURE_LOGINUID_IMMUTABLE
  395. #define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE)
  396. #define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */
  397. struct audit_tty_status {
  398. __u32 enabled; /* 1 = enabled, 0 = disabled */
  399. __u32 log_passwd; /* 1 = enabled, 0 = disabled */
  400. };
  401. #define AUDIT_UID_UNSET (unsigned int)-1
  402. /* audit_rule_data supports filter rules with both integer and string
  403. * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
  404. * AUDIT_LIST_RULES requests.
  405. */
  406. struct audit_rule_data {
  407. __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
  408. __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
  409. __u32 field_count;
  410. __u32 mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
  411. __u32 fields[AUDIT_MAX_FIELDS];
  412. __u32 values[AUDIT_MAX_FIELDS];
  413. __u32 fieldflags[AUDIT_MAX_FIELDS];
  414. __u32 buflen; /* total length of string fields */
  415. char buf[0]; /* string fields buffer */
  416. };
  417. #endif /* _LINUX_AUDIT_H_ */