Linux Kernel  3.7.1
audit.c File Reference
#include <linux/init.h>
#include <asm/types.h>
#include <linux/atomic.h>
#include <linux/mm.h>
#include <linux/export.h>
#include <linux/slab.h>
#include <linux/err.h>
#include <linux/kthread.h>
#include <linux/audit.h>
#include <net/sock.h>
#include <net/netlink.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
#include <linux/freezer.h>
#include <linux/tty.h>
#include <linux/pid_namespace.h>
#include "audit.h"


Data Structures

struct  audit_buffer
 
struct  audit_reply
 

Macros

#define AUDIT_DISABLED   -1
 
#define AUDIT_UNINITIALIZED   0
 
#define AUDIT_INITIALIZED   1
 
#define AUDIT_OFF   0
 
#define AUDIT_ON   1
 
#define AUDIT_LOCKED   2
 
#define AUDIT_BUFSIZ   1024
 
#define AUDIT_MAXFREE   (2*NR_CPUS)
 

Functions

 EXPORT_SYMBOL_GPL (audit_enabled)
 
 DEFINE_MUTEX (audit_cmd_mutex)
 
void audit_panic (const char *message)
 
void audit_log_lost (const char *message)
 
int audit_send_list (void *_dest)
 
struct sk_buff * audit_make_reply (int pid, int seq, int type, int done, int multi, const void *payload, int size)
 
 __initcall (audit_init)
 
 __setup ("audit=", audit_enable)
 
unsigned int audit_serial (void)
 
struct audit_buffer * audit_log_start (struct audit_context *ctx, gfp_t gfp_mask, int type)
 
void audit_log_format (struct audit_buffer *ab, const char *fmt,...)
 
void audit_log_n_hex (struct audit_buffer *ab, const unsigned char *buf, size_t len)
 
void audit_log_n_string (struct audit_buffer *ab, const char *string, size_t slen)
 
int audit_string_contains_control (const char *string, size_t len)
 
void audit_log_n_untrustedstring (struct audit_buffer *ab, const char *string, size_t len)
 
void audit_log_untrustedstring (struct audit_buffer *ab, const char *string)
 
void audit_log_d_path (struct audit_buffer *ab, const char *prefix, const struct path *path)
 
void audit_log_key (struct audit_buffer *ab, char *key)
 
void audit_log_link_denied (const char *operation, struct path *link)
 
void audit_log_end (struct audit_buffer *ab)
 
void audit_log (struct audit_context *ctx, gfp_t gfp_mask, int type, const char *fmt,...)
 
 EXPORT_SYMBOL (audit_log_start)
 
 EXPORT_SYMBOL (audit_log_end)
 
 EXPORT_SYMBOL (audit_log_format)
 
 EXPORT_SYMBOL (audit_log)
 

Variables

int audit_enabled
 
int audit_ever_enabled
 
int audit_pid
 
kuid_t audit_sig_uid = INVALID_UID
 
pid_t audit_sig_pid = -1
 
u32 audit_sig_sid = 0
 
struct list_head audit_inode_hash [AUDIT_INODE_BUCKETS]
 

Macro Definition Documentation

#define AUDIT_BUFSIZ   1024

Definition at line 147 of file audit.c.

#define AUDIT_DISABLED   -1

Definition at line 70 of file audit.c.

#define AUDIT_INITIALIZED   1

Definition at line 72 of file audit.c.

#define AUDIT_LOCKED   2

Definition at line 77 of file audit.c.

#define AUDIT_MAXFREE   (2*NR_CPUS)

Definition at line 151 of file audit.c.

#define AUDIT_OFF   0

Definition at line 75 of file audit.c.

#define AUDIT_ON   1

Definition at line 76 of file audit.c.

#define AUDIT_UNINITIALIZED   0

Definition at line 71 of file audit.c.

Function Documentation

__initcall ( audit_init  )
__setup ( "audit=", audit_enable )
void audit_log ( struct audit_context * ctx,
gfp_t  gfp_mask,
int  type,
const char * fmt,
  ... 
)

audit_log - Log an audit record
ctx: audit context
gfp_mask: type of allocation
type: audit message type
fmt: format string to use
...: variable parameters matching the format string

This is a convenience function that calls audit_log_start, audit_log_vformat, and audit_log_end. It may be called in any context.

Definition at line 1497 of file audit.c.

void audit_log_d_path ( struct audit_buffer * ab,
const char * prefix,
const struct path * path 
)

Definition at line 1400 of file audit.c.

void audit_log_end ( struct audit_buffer * ab)

audit_log_end - end one audit record
ab: the audit_buffer

The netlink_* functions cannot be called inside an irq context, so the audit buffer is placed on a queue and a tasklet is scheduled to remove it from the queue outside the irq context. May be called in any context.

Definition at line 1464 of file audit.c.

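void audit_log_format ( struct audit_buffer * ab,
const char * fmt,
  ... 
)

audit_log_format - format a message into the audit buffer.
ab: audit_buffer
fmt: format string
...: optional parameters matching the fmt string

All the work is done in audit_log_vformat. Because fmt is interpreted as a format string, text that is not a fixed literal belongs in the arguments (or in a call to audit_log_untrustedstring()) rather than in fmt.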

Definition at line 1262 of file audit.c.

void audit_log_key ( struct audit_buffer * ab,
char * key 
)

Definition at line 1423 of file audit.c.

void audit_log_link_denied ( const char * operation,
struct path * link 
)

audit_log_link_denied - report a link restriction denial
operation: specific link operation
link: the path that triggered the restriction

Definition at line 1437 of file audit.c.

void audit_log_lost ( const char * message)

audit_log_lost - conditionally log lost audit message event
message: the message stating reason for lost audit message

Emit at least 1 message per second, even if audit_rate_check is throttling. Always increment the lost messages counter.

Definition at line 233 of file audit.c.

void audit_log_n_hex ( struct audit_buffer * ab,
const unsigned char * buf,
size_t  len 
)

audit_log_hex - convert a buffer to hex and append it to the audit skb
ab: the audit_buffer
buf: buffer to convert to hex
len: length of buf to be converted

No return value; failure to expand is silently ignored.

This function will take the passed buf and convert it into a string of ascii hex digits. The new string is placed onto the skb.

Definition at line 1284 of file audit.c.

void audit_log_n_string ( struct audit_buffer * ab,
const char * string,
size_t  slen 
)

Definition at line 1320 of file audit.c.

void audit_log_n_untrustedstring ( struct audit_buffer * ab,
const char * string,
size_t  len 
)

audit_log_n_untrustedstring - log a string that may contain random characters
ab: audit_buffer
len: length of string (not including trailing null)
string: string to be logged

This code will escape a string that is passed to it if the string contains a control character, unprintable character, double quote mark, or a space. Unescaped strings will start and end with a double quote mark. Strings that are escaped are printed in hex (2 digits per char). Hex-encoding the whole string keeps a value containing such characters from being read as a field separator or as the end of the quoted value when the record is parsed.

The caller specifies the number of characters in the string to log, which may or may not be the entire string.

Definition at line 1377 of file audit.c.

struct audit_buffer* audit_log_start ( struct audit_context * ctx,
gfp_t  gfp_mask,
int  type 
)

audit_log_start - obtain an audit buffer
ctx: audit_context (may be NULL)
gfp_mask: type of allocation
type: audit message type

Returns audit_buffer pointer on success or NULL on error.

Obtain an audit buffer. This routine does locking to obtain the audit buffer, but then no locking is required for calls to audit_log_*format. If the task (ctx) is a task that is currently in a syscall, then the syscall is marked as auditable and an audit record will be written at syscall exit. If there is no associated task, then task context (ctx) should be NULL.

Definition at line 1122 of file audit.c.

void audit_log_untrustedstring ( struct audit_buffer * ab,
const char * string 
)

audit_log_untrustedstring - log a string that may contain random characters
ab: audit_buffer
string: string to be logged

Same as audit_log_n_untrustedstring(), except that strlen is used to determine string length.

Definition at line 1394 of file audit.c.

struct sk_buff* audit_make_reply ( int  pid,
int  seq,
int  type,
int  done,
int  multi,
const void * payload,
int  size 
)

Definition at line 489 of file audit.c.

void audit_panic ( const char * message)

Definition at line 178 of file audit.c.

int audit_send_list ( void * _dest)

Definition at line 471 of file audit.c.

unsigned int audit_serial ( void  )

audit_serial - compute a serial number for the audit record

Compute a serial number for the audit record. Audit records are written to user-space as soon as they are generated, so a complete audit record may be written in several pieces. The timestamp of the record and this serial number are used by the user-space tools to determine which pieces belong to the same audit record. The (timestamp,serial) tuple is unique for each syscall and is live from syscall entry to syscall exit.

NOTE: Another possibility is to store the formatted records off the audit context (for those records that have a context), and emit them all at syscall exit. However, this could delay the reporting of significant errors until syscall exit (or never, if the system halts).

Definition at line 1074 of file audit.c.

int audit_string_contains_control ( const char * string,
size_t  len 
)

audit_string_contains_control - does a string need to be logged in hex
string: string to be checked
len: max length of the string to check

Definition at line 1353 of file audit.c.

DEFINE_MUTEX ( audit_cmd_mutex  )
EXPORT_SYMBOL ( audit_log_start  )
EXPORT_SYMBOL ( audit_log_end  )
EXPORT_SYMBOL ( audit_log_format  )
EXPORT_SYMBOL ( audit_log  )
EXPORT_SYMBOL_GPL ( audit_enabled  )

Variable Documentation

int audit_enabled

Definition at line 78 of file audit.c.

int audit_ever_enabled

Definition at line 79 of file audit.c.

struct list_head audit_inode_hash [AUDIT_INODE_BUCKETS]

Definition at line 125 of file audit.c.

int audit_pid

Definition at line 94 of file audit.c.

pid_t audit_sig_pid = -1

Definition at line 109 of file audit.c.

u32 audit_sig_sid = 0

Definition at line 110 of file audit.c.

kuid_t audit_sig_uid = INVALID_UID

Definition at line 108 of file audit.c.