/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */ /* audit.h -- Auditing support * * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * * Written by Rickard E. (Rik) Faith <[email protected]> * */ #ifndef _UAPI_LINUX_AUDIT_H_ #define _UAPI_LINUX_AUDIT_H_ #include <linux/types.h> #include <linux/elf-em.h> /* The netlink messages for the audit system is divided into blocks: * 1000 - 1099 are for commanding the audit system * 1100 - 1199 user space trusted application messages * 1200 - 1299 messages internal to the audit daemon * 1300 - 1399 audit event messages * 1400 - 1499 SE Linux use * 1500 - 1599 kernel LSPP events * 1600 - 1699 kernel crypto events * 1700 - 1799 kernel anomaly records * 1800 - 1899 kernel integrity events * 1900 - 1999 future kernel use * 2000 is for otherwise unclassified kernel audit messages (legacy) * 2001 - 2099 unused (kernel) * 2100 - 2199 user space anomaly records * 2200 - 2299 user space actions taken in response to anomalies * 2300 - 2399 user space generated LSPP events * 2400 - 2499 user space crypto events * 2500 - 2999 future user space (maybe integrity labels and related events) * * Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are * exclusively user space. 1300-2099 is kernel --> user space * communication. */ #define AUDIT_GET … #define AUDIT_SET … #define AUDIT_LIST … #define AUDIT_ADD … #define AUDIT_DEL … #define AUDIT_USER … #define AUDIT_LOGIN … #define AUDIT_WATCH_INS … #define AUDIT_WATCH_REM … #define AUDIT_WATCH_LIST … #define AUDIT_SIGNAL_INFO … #define AUDIT_ADD_RULE … #define AUDIT_DEL_RULE … #define AUDIT_LIST_RULES … #define AUDIT_TRIM … #define AUDIT_MAKE_EQUIV … #define AUDIT_TTY_GET … #define AUDIT_TTY_SET … #define AUDIT_SET_FEATURE … #define AUDIT_GET_FEATURE … #define AUDIT_FIRST_USER_MSG … #define AUDIT_USER_AVC … #define AUDIT_USER_TTY … #define AUDIT_LAST_USER_MSG … #define AUDIT_FIRST_USER_MSG2 … #define AUDIT_LAST_USER_MSG2 … #define AUDIT_DAEMON_START … #define AUDIT_DAEMON_END … #define AUDIT_DAEMON_ABORT … #define AUDIT_DAEMON_CONFIG … #define AUDIT_SYSCALL … /* #define AUDIT_FS_WATCH 1301 * Deprecated */ #define AUDIT_PATH … #define AUDIT_IPC … #define AUDIT_SOCKETCALL … #define AUDIT_CONFIG_CHANGE … #define AUDIT_SOCKADDR … #define AUDIT_CWD … #define AUDIT_EXECVE … #define AUDIT_IPC_SET_PERM … #define AUDIT_MQ_OPEN … #define AUDIT_MQ_SENDRECV … #define AUDIT_MQ_NOTIFY … #define AUDIT_MQ_GETSETATTR … #define AUDIT_KERNEL_OTHER … #define AUDIT_FD_PAIR … #define AUDIT_OBJ_PID … #define AUDIT_TTY … #define AUDIT_EOE … #define AUDIT_BPRM_FCAPS … #define AUDIT_CAPSET … #define AUDIT_MMAP … #define AUDIT_NETFILTER_PKT … #define AUDIT_NETFILTER_CFG … #define AUDIT_SECCOMP … #define AUDIT_PROCTITLE … #define AUDIT_FEATURE_CHANGE … #define AUDIT_REPLACE … #define AUDIT_KERN_MODULE … #define AUDIT_FANOTIFY … #define AUDIT_TIME_INJOFFSET … #define AUDIT_TIME_ADJNTPVAL … #define AUDIT_BPF … #define AUDIT_EVENT_LISTENER … #define AUDIT_URINGOP … #define AUDIT_OPENAT2 … #define AUDIT_DM_CTRL … #define AUDIT_DM_EVENT … #define AUDIT_AVC … #define AUDIT_SELINUX_ERR … #define AUDIT_AVC_PATH … #define AUDIT_MAC_POLICY_LOAD … #define AUDIT_MAC_STATUS … #define AUDIT_MAC_CONFIG_CHANGE … #define AUDIT_MAC_UNLBL_ALLOW … #define AUDIT_MAC_CIPSOV4_ADD … #define AUDIT_MAC_CIPSOV4_DEL … #define AUDIT_MAC_MAP_ADD … #define AUDIT_MAC_MAP_DEL … #define AUDIT_MAC_IPSEC_ADDSA … #define AUDIT_MAC_IPSEC_DELSA … #define AUDIT_MAC_IPSEC_ADDSPD … #define AUDIT_MAC_IPSEC_DELSPD … #define AUDIT_MAC_IPSEC_EVENT … #define AUDIT_MAC_UNLBL_STCADD … #define AUDIT_MAC_UNLBL_STCDEL … #define AUDIT_MAC_CALIPSO_ADD … #define AUDIT_MAC_CALIPSO_DEL … #define AUDIT_FIRST_KERN_ANOM_MSG … #define AUDIT_LAST_KERN_ANOM_MSG … #define AUDIT_ANOM_PROMISCUOUS … #define AUDIT_ANOM_ABEND … #define AUDIT_ANOM_LINK … #define AUDIT_ANOM_CREAT … #define AUDIT_INTEGRITY_DATA … #define AUDIT_INTEGRITY_METADATA … #define AUDIT_INTEGRITY_STATUS … #define AUDIT_INTEGRITY_HASH … #define AUDIT_INTEGRITY_PCR … #define AUDIT_INTEGRITY_RULE … #define AUDIT_INTEGRITY_EVM_XATTR … #define AUDIT_INTEGRITY_POLICY_RULE … #define AUDIT_KERNEL … /* Rule flags */ #define AUDIT_FILTER_USER … #define AUDIT_FILTER_TASK … #define AUDIT_FILTER_ENTRY … #define AUDIT_FILTER_WATCH … #define AUDIT_FILTER_EXIT … #define AUDIT_FILTER_EXCLUDE … #define AUDIT_FILTER_TYPE … #define AUDIT_FILTER_FS … #define AUDIT_FILTER_URING_EXIT … #define AUDIT_NR_FILTERS … #define AUDIT_FILTER_PREPEND … /* Rule actions */ #define AUDIT_NEVER … #define AUDIT_POSSIBLE … #define AUDIT_ALWAYS … /* Rule structure sizes -- if these change, different AUDIT_ADD and * AUDIT_LIST commands must be implemented. */ #define AUDIT_MAX_FIELDS … #define AUDIT_MAX_KEY_LEN … #define AUDIT_BITMASK_SIZE … #define AUDIT_WORD(nr) … #define AUDIT_BIT(nr) … #define AUDIT_SYSCALL_CLASSES … #define AUDIT_CLASS_DIR_WRITE … #define AUDIT_CLASS_DIR_WRITE_32 … #define AUDIT_CLASS_CHATTR … #define AUDIT_CLASS_CHATTR_32 … #define AUDIT_CLASS_READ … #define AUDIT_CLASS_READ_32 … #define AUDIT_CLASS_WRITE … #define AUDIT_CLASS_WRITE_32 … #define AUDIT_CLASS_SIGNAL … #define AUDIT_CLASS_SIGNAL_32 … /* This bitmask is used to validate user input. It represents all bits that * are currently used in an audit field constant understood by the kernel. * If you are adding a new #define AUDIT_<whatever>, please ensure that * AUDIT_UNUSED_BITS is updated if need be. */ #define AUDIT_UNUSED_BITS … /* AUDIT_FIELD_COMPARE rule list */ #define AUDIT_COMPARE_UID_TO_OBJ_UID … #define AUDIT_COMPARE_GID_TO_OBJ_GID … #define AUDIT_COMPARE_EUID_TO_OBJ_UID … #define AUDIT_COMPARE_EGID_TO_OBJ_GID … #define AUDIT_COMPARE_AUID_TO_OBJ_UID … #define AUDIT_COMPARE_SUID_TO_OBJ_UID … #define AUDIT_COMPARE_SGID_TO_OBJ_GID … #define AUDIT_COMPARE_FSUID_TO_OBJ_UID … #define AUDIT_COMPARE_FSGID_TO_OBJ_GID … #define AUDIT_COMPARE_UID_TO_AUID … #define AUDIT_COMPARE_UID_TO_EUID … #define AUDIT_COMPARE_UID_TO_FSUID … #define AUDIT_COMPARE_UID_TO_SUID … #define AUDIT_COMPARE_AUID_TO_FSUID … #define AUDIT_COMPARE_AUID_TO_SUID … #define AUDIT_COMPARE_AUID_TO_EUID … #define AUDIT_COMPARE_EUID_TO_SUID … #define AUDIT_COMPARE_EUID_TO_FSUID … #define AUDIT_COMPARE_SUID_TO_FSUID … #define AUDIT_COMPARE_GID_TO_EGID … #define AUDIT_COMPARE_GID_TO_FSGID … #define AUDIT_COMPARE_GID_TO_SGID … #define AUDIT_COMPARE_EGID_TO_FSGID … #define AUDIT_COMPARE_EGID_TO_SGID … #define AUDIT_COMPARE_SGID_TO_FSGID … #define AUDIT_MAX_FIELD_COMPARE … /* Rule fields */ /* These are useful when checking the * task structure at task creation time * (AUDIT_PER_TASK). */ #define AUDIT_PID … #define AUDIT_UID … #define AUDIT_EUID … #define AUDIT_SUID … #define AUDIT_FSUID … #define AUDIT_GID … #define AUDIT_EGID … #define AUDIT_SGID … #define AUDIT_FSGID … #define AUDIT_LOGINUID … #define AUDIT_PERS … #define AUDIT_ARCH … #define AUDIT_MSGTYPE … #define AUDIT_SUBJ_USER … #define AUDIT_SUBJ_ROLE … #define AUDIT_SUBJ_TYPE … #define AUDIT_SUBJ_SEN … #define AUDIT_SUBJ_CLR … #define AUDIT_PPID … #define AUDIT_OBJ_USER … #define AUDIT_OBJ_ROLE … #define AUDIT_OBJ_TYPE … #define AUDIT_OBJ_LEV_LOW … #define AUDIT_OBJ_LEV_HIGH … #define AUDIT_LOGINUID_SET … #define AUDIT_SESSIONID … #define AUDIT_FSTYPE … /* These are ONLY useful when checking * at syscall exit time (AUDIT_AT_EXIT). */ #define AUDIT_DEVMAJOR … #define AUDIT_DEVMINOR … #define AUDIT_INODE … #define AUDIT_EXIT … #define AUDIT_SUCCESS … #define AUDIT_WATCH … #define AUDIT_PERM … #define AUDIT_DIR … #define AUDIT_FILETYPE … #define AUDIT_OBJ_UID … #define AUDIT_OBJ_GID … #define AUDIT_FIELD_COMPARE … #define AUDIT_EXE … #define AUDIT_SADDR_FAM … #define AUDIT_ARG0 … #define AUDIT_ARG1 … #define AUDIT_ARG2 … #define AUDIT_ARG3 … #define AUDIT_FILTERKEY … #define AUDIT_NEGATE … /* These are the supported operators. * 4 2 1 8 * = > < ? * ---------- * 0 0 0 0 00 nonsense * 0 0 0 1 08 & bit mask * 0 0 1 0 10 < * 0 1 0 0 20 > * 0 1 1 0 30 != * 1 0 0 0 40 = * 1 0 0 1 48 &= bit test * 1 0 1 0 50 <= * 1 1 0 0 60 >= * 1 1 1 1 78 all operators */ #define AUDIT_BIT_MASK … #define AUDIT_LESS_THAN … #define AUDIT_GREATER_THAN … #define AUDIT_NOT_EQUAL … #define AUDIT_EQUAL … #define AUDIT_BIT_TEST … #define AUDIT_LESS_THAN_OR_EQUAL … #define AUDIT_GREATER_THAN_OR_EQUAL … #define AUDIT_OPERATORS … enum { … }; /* Status symbols */ /* Mask values */ #define AUDIT_STATUS_ENABLED … #define AUDIT_STATUS_FAILURE … #define AUDIT_STATUS_PID … #define AUDIT_STATUS_RATE_LIMIT … #define AUDIT_STATUS_BACKLOG_LIMIT … #define AUDIT_STATUS_BACKLOG_WAIT_TIME … #define AUDIT_STATUS_LOST … #define AUDIT_STATUS_BACKLOG_WAIT_TIME_ACTUAL … #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT … #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME … #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH … #define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND … #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER … #define AUDIT_FEATURE_BITMAP_LOST_RESET … #define AUDIT_FEATURE_BITMAP_FILTER_FS … #define AUDIT_FEATURE_BITMAP_ALL … /* deprecated: AUDIT_VERSION_* */ #define AUDIT_VERSION_LATEST … #define AUDIT_VERSION_BACKLOG_LIMIT … #define AUDIT_VERSION_BACKLOG_WAIT_TIME … /* Failure-to-log actions */ #define AUDIT_FAIL_SILENT … #define AUDIT_FAIL_PRINTK … #define AUDIT_FAIL_PANIC … /* * These bits disambiguate different calling conventions that share an * ELF machine type, bitness, and endianness */ #define __AUDIT_ARCH_CONVENTION_MASK … #define __AUDIT_ARCH_CONVENTION_MIPS64_N32 … /* distinguish syscall tables */ #define __AUDIT_ARCH_64BIT … #define __AUDIT_ARCH_LE … #define AUDIT_ARCH_AARCH64 … #define AUDIT_ARCH_ALPHA … #define AUDIT_ARCH_ARCOMPACT … #define AUDIT_ARCH_ARCOMPACTBE … #define AUDIT_ARCH_ARCV2 … #define AUDIT_ARCH_ARCV2BE … #define AUDIT_ARCH_ARM … #define AUDIT_ARCH_ARMEB … #define AUDIT_ARCH_C6X … #define AUDIT_ARCH_C6XBE … #define AUDIT_ARCH_CRIS … #define AUDIT_ARCH_CSKY … #define AUDIT_ARCH_FRV … #define AUDIT_ARCH_H8300 … #define AUDIT_ARCH_HEXAGON … #define AUDIT_ARCH_I386 … #define AUDIT_ARCH_IA64 … #define AUDIT_ARCH_M32R … #define AUDIT_ARCH_M68K … #define AUDIT_ARCH_MICROBLAZE … #define AUDIT_ARCH_MIPS … #define AUDIT_ARCH_MIPSEL … #define AUDIT_ARCH_MIPS64 … #define AUDIT_ARCH_MIPS64N32 … #define AUDIT_ARCH_MIPSEL64 … #define AUDIT_ARCH_MIPSEL64N32 … #define AUDIT_ARCH_NDS32 … #define AUDIT_ARCH_NDS32BE … #define AUDIT_ARCH_NIOS2 … #define AUDIT_ARCH_OPENRISC … #define AUDIT_ARCH_PARISC … #define AUDIT_ARCH_PARISC64 … #define AUDIT_ARCH_PPC … /* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */ #define AUDIT_ARCH_PPC64 … #define AUDIT_ARCH_PPC64LE … #define AUDIT_ARCH_RISCV32 … #define AUDIT_ARCH_RISCV64 … #define AUDIT_ARCH_S390 … #define AUDIT_ARCH_S390X … #define AUDIT_ARCH_SH … #define AUDIT_ARCH_SHEL … #define AUDIT_ARCH_SH64 … #define AUDIT_ARCH_SHEL64 … #define AUDIT_ARCH_SPARC … #define AUDIT_ARCH_SPARC64 … #define AUDIT_ARCH_TILEGX … #define AUDIT_ARCH_TILEGX32 … #define AUDIT_ARCH_TILEPRO … #define AUDIT_ARCH_UNICORE … #define AUDIT_ARCH_X86_64 … #define AUDIT_ARCH_XTENSA … #define AUDIT_ARCH_LOONGARCH32 … #define AUDIT_ARCH_LOONGARCH64 … #define AUDIT_PERM_EXEC … #define AUDIT_PERM_WRITE … #define AUDIT_PERM_READ … #define AUDIT_PERM_ATTR … /* MAX_AUDIT_MESSAGE_LENGTH is set in audit:lib/libaudit.h as: * 8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1 * max header+body+tailer: 44 + 29 + 32 + 262 + 7 + pad */ #define AUDIT_MESSAGE_TEXT_MAX … /* Multicast Netlink socket groups (default up to 32) */ enum audit_nlgrps { … }; #define AUDIT_NLGRP_MAX … struct audit_status { … }; struct audit_features { … }; #define AUDIT_FEATURE_ONLY_UNSET_LOGINUID … #define AUDIT_FEATURE_LOGINUID_IMMUTABLE … #define AUDIT_LAST_FEATURE … #define audit_feature_valid(x) … #define AUDIT_FEATURE_TO_MASK(x) … struct audit_tty_status { … }; #define AUDIT_UID_UNSET … #define AUDIT_SID_UNSET … /* audit_rule_data supports filter rules with both integer and string * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and * AUDIT_LIST_RULES requests. */ struct audit_rule_data { … }; #endif /* _UAPI_LINUX_AUDIT_H_ */
Codebase Browser
linux