[linux.git] / kernel / audit.h

/* SPDX-License-Identifier: GPL-2.0-or-later */
/* audit -- definition of audit_context structure and supporting types
 *
 * Copyright 2003-2004 Red Hat, Inc.
 * Copyright 2005 Hewlett-Packard Development Company, L.P.
 * Copyright 2005 IBM Corporation
 */

#ifndef _KERNEL_AUDIT_H_
#define _KERNEL_AUDIT_H_

#include <linux/fs.h>
#include <linux/audit.h>
#include <linux/security.h>
#include <linux/skbuff.h>
#include <uapi/linux/mqueue.h>
#include <linux/tty.h>
#include <uapi/linux/openat2.h> // struct open_how

/* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname().  If we get more names we will allocate
 * a name dynamically and also add those to the list anchored by names_list. */
#define AUDIT_NAMES	5

/* At task start time, the audit_state is set in the audit_context using
   a per-task filter.  At syscall entry, the audit_state is augmented by
   the syscall filter. */
enum audit_state {
	AUDIT_STATE_DISABLED,	/* Do not create per-task audit_context.
				 * No syscall-specific audit records can
				 * be generated. */
	AUDIT_STATE_BUILD,	/* Create the per-task audit_context,
				 * and fill it in at syscall
				 * entry time.  This makes a full
				 * syscall record available if some
				 * other part of the kernel decides it
				 * should be recorded. */
	AUDIT_STATE_RECORD	/* Create the per-task audit_context,
				 * always fill it in at syscall entry
				 * time, and always write out the audit
				 * record at syscall exit time.  */
};

/* Rule lists */
struct audit_watch;
struct audit_fsnotify_mark;
struct audit_tree;
struct audit_chunk;

struct audit_entry {
	struct list_head	list;
	struct rcu_head		rcu;
	struct audit_krule	rule;
};

struct audit_cap_data {
	kernel_cap_t		permitted;
	kernel_cap_t		inheritable;
	union {
		unsigned int	fE;		/* effective bit of file cap */
		kernel_cap_t	effective;	/* effective set of process */
	};
	kernel_cap_t		ambient;
	kuid_t			rootid;
};

/* When fs/namei.c:getname() is called, we store the pointer in name and bump
 * the refcnt in the associated filename struct.
 *
 * Further, in fs/namei.c:path_lookup() we store the inode and device.
 */
struct audit_names {
	struct list_head	list;		/* audit_context->names_list */

	struct filename		*name;
	int			name_len;	/* number of chars to log */
	bool			hidden;		/* don't log this record */

	unsigned long		ino;
	dev_t			dev;
	umode_t			mode;
	kuid_t			uid;
	kgid_t			gid;
	dev_t			rdev;
	struct lsm_prop		oprop;
	struct audit_cap_data	fcap;
	unsigned int		fcap_ver;
	unsigned char		type;		/* record type */
	/*
	 * This was an allocated audit_names and not from the array of
	 * names allocated in the task audit context.  Thus this name
	 * should be freed on syscall exit.
	 */
	bool			should_free;
};

struct audit_proctitle {
	int	len;	/* length of the cmdline field. */
	char	*value;	/* the cmdline field */
};

/* The per-task audit context. */
struct audit_context {
	int		    dummy;	/* must be the first element */
	enum {
		AUDIT_CTX_UNUSED,	/* audit_context is currently unused */
		AUDIT_CTX_SYSCALL,	/* in use by syscall */
		AUDIT_CTX_URING,	/* in use by io_uring */
	} context;
	enum audit_state    state, current_state;
	unsigned int	    serial;     /* serial number for record */
	int		    major;      /* syscall number */
	int		    uring_op;   /* uring operation */
	struct timespec64   ctime;      /* time of syscall entry */
	unsigned long	    argv[4];    /* syscall arguments */
	long		    return_code;/* syscall return code */
	u64		    prio;
	int		    return_valid; /* return code is valid */
	/*
	 * The names_list is the list of all audit_names collected during this
	 * syscall.  The first AUDIT_NAMES entries in the names_list will
	 * actually be from the preallocated_names array for performance
	 * reasons.  Except during allocation they should never be referenced
	 * through the preallocated_names array and should only be found/used
	 * by running the names_list.
	 */
	struct audit_names  preallocated_names[AUDIT_NAMES];
	int		    name_count; /* total records in names_list */
	struct list_head    names_list;	/* struct audit_names->list anchor */
	char		    *filterkey;	/* key for rule that triggered record */
	struct path	    pwd;
	struct audit_aux_data *aux;
	struct audit_aux_data *aux_pids;
	struct sockaddr_storage *sockaddr;
	size_t sockaddr_len;
				/* Save things to print about task_struct */
	pid_t		    ppid;
	kuid_t		    uid, euid, suid, fsuid;
	kgid_t		    gid, egid, sgid, fsgid;
	unsigned long	    personality;
	int		    arch;

	pid_t		    target_pid;
	kuid_t		    target_auid;
	kuid_t		    target_uid;
	unsigned int	    target_sessionid;
	struct lsm_prop	    target_ref;
	char		    target_comm[TASK_COMM_LEN];

	struct audit_tree_refs *trees, *first_trees;
	struct list_head killed_trees;
	int tree_count;

	int type;
	union {
		struct {
			int nargs;
			long args[6];
		} socketcall;
		struct {
			kuid_t			uid;
			kgid_t			gid;
			umode_t			mode;
			struct lsm_prop		oprop;
			int			has_perm;
			uid_t			perm_uid;
			gid_t			perm_gid;
			umode_t			perm_mode;
			unsigned long		qbytes;
		} ipc;
		struct {
			mqd_t			mqdes;
			struct mq_attr		mqstat;
		} mq_getsetattr;
		struct {
			mqd_t			mqdes;
			int			sigev_signo;
		} mq_notify;
		struct {
			mqd_t			mqdes;
			size_t			msg_len;
			unsigned int		msg_prio;
			struct timespec64	abs_timeout;
		} mq_sendrecv;
		struct {
			int			oflag;
			umode_t			mode;
			struct mq_attr		attr;
		} mq_open;
		struct {
			pid_t			pid;
			struct audit_cap_data	cap;
		} capset;
		struct {
			int			fd;
			int			flags;
		} mmap;
		struct open_how openat2;
		struct {
			int			argc;
		} execve;
		struct {
			char			*name;
		} module;
		struct {
			struct audit_ntp_data	ntp_data;
			struct timespec64	tk_injoffset;
		} time;
	};
	int fds[2];
	struct audit_proctitle proctitle;
};

extern bool audit_ever_enabled;

extern void audit_log_session_info(struct audit_buffer *ab);

extern int auditd_test_task(struct task_struct *task);

#define AUDIT_INODE_BUCKETS	32
extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];

static inline int audit_hash_ino(u32 ino)
{
	return (ino & (AUDIT_INODE_BUCKETS-1));
}

/* Indicates that audit should log the full pathname. */
#define AUDIT_NAME_FULL -1

extern int audit_match_class(int class, unsigned syscall);
extern int audit_comparator(const u32 left, const u32 op, const u32 right);
extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
extern int parent_len(const char *path);
extern int audit_compare_dname_path(const struct qstr *dname, const char *path, int plen);
extern struct sk_buff *audit_make_reply(int seq, int type, int done, int multi,
					const void *payload, int size);
extern void		    audit_panic(const char *message);

struct audit_netlink_list {
	__u32 portid;
	struct net *net;
	struct sk_buff_head q;
};

int audit_send_list_thread(void *_dest);

extern struct mutex audit_filter_mutex;
extern int audit_del_rule(struct audit_entry *entry);
extern void audit_free_rule_rcu(struct rcu_head *head);
extern struct list_head audit_filter_list[];

extern struct audit_entry *audit_dupe_rule(struct audit_krule *old);

extern void audit_log_d_path_exe(struct audit_buffer *ab,
				 struct mm_struct *mm);

extern struct tty_struct *audit_get_tty(void);
extern void audit_put_tty(struct tty_struct *tty);

/* audit watch/mark/tree functions */
extern unsigned int audit_serial(void);
#ifdef CONFIG_AUDITSYSCALL
extern int auditsc_get_stamp(struct audit_context *ctx,
			      struct timespec64 *t, unsigned int *serial);

extern void audit_put_watch(struct audit_watch *watch);
extern void audit_get_watch(struct audit_watch *watch);
extern int audit_to_watch(struct audit_krule *krule, char *path, int len,
			  u32 op);
extern int audit_add_watch(struct audit_krule *krule, struct list_head **list);
extern void audit_remove_watch_rule(struct audit_krule *krule);
extern char *audit_watch_path(struct audit_watch *watch);
extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino,
			       dev_t dev);

extern struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule,
						    char *pathname, int len);
extern char *audit_mark_path(struct audit_fsnotify_mark *mark);
extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);
extern void audit_remove_mark_rule(struct audit_krule *krule);
extern int audit_mark_compare(struct audit_fsnotify_mark *mark,
			      unsigned long ino, dev_t dev);
extern int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old);
extern int audit_exe_compare(struct task_struct *tsk,
			     struct audit_fsnotify_mark *mark);

extern struct audit_chunk *audit_tree_lookup(const struct inode *inode);
extern void audit_put_chunk(struct audit_chunk *chunk);
extern bool audit_tree_match(struct audit_chunk *chunk,
			     struct audit_tree *tree);
extern int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op);
extern int audit_add_tree_rule(struct audit_krule *rule);
extern int audit_remove_tree_rule(struct audit_krule *rule);
extern void audit_trim_trees(void);
extern int audit_tag_tree(char *old, char *new);
extern const char *audit_tree_path(struct audit_tree *tree);
extern void audit_put_tree(struct audit_tree *tree);
extern void audit_kill_trees(struct audit_context *context);

extern int audit_signal_info_syscall(struct task_struct *t);
extern void audit_filter_inodes(struct task_struct *tsk,
				struct audit_context *ctx);
extern struct list_head *audit_killed_trees(void);
#else /* CONFIG_AUDITSYSCALL */
#define auditsc_get_stamp(c, t, s) 0
#define audit_put_watch(w) do { } while (0)
#define audit_get_watch(w) do { } while (0)
#define audit_to_watch(k, p, l, o) (-EINVAL)
#define audit_add_watch(k, l) (-EINVAL)
#define audit_remove_watch_rule(k) BUG()
#define audit_watch_path(w) ""
#define audit_watch_compare(w, i, d) 0

#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
#define audit_mark_path(m) ""
#define audit_remove_mark(m) do { } while (0)
#define audit_remove_mark_rule(k) do { } while (0)
#define audit_mark_compare(m, i, d) 0
#define audit_exe_compare(t, m) (-EINVAL)
#define audit_dupe_exe(n, o) (-EINVAL)

#define audit_remove_tree_rule(rule) BUG()
#define audit_add_tree_rule(rule) -EINVAL
#define audit_make_tree(rule, str, op) -EINVAL
#define audit_trim_trees() do { } while (0)
#define audit_put_tree(tree) do { } while (0)
#define audit_tag_tree(old, new) -EINVAL
#define audit_tree_path(rule) ""	/* never called */
#define audit_kill_trees(context) BUG()

static inline int audit_signal_info_syscall(struct task_struct *t)
{
	return 0;
}

#define audit_filter_inodes(t, c) do { } while (0)
#endif /* CONFIG_AUDITSYSCALL */

extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);

extern int audit_filter(int msgtype, unsigned int listtype);

extern void audit_ctl_lock(void);
extern void audit_ctl_unlock(void);

#endif
Commit	Line	Data
1a59d1b8	1	/* SPDX-License-Identifier: GPL-2.0-or-later */
6ddb5680	2	/* audit -- definition of audit_context structure and supporting types
fe7752ba DW	3	*
	4	* Copyright 2003-2004 Red Hat, Inc.
	5	* Copyright 2005 Hewlett-Packard Development Company, L.P.
	6	* Copyright 2005 IBM Corporation
fe7752ba DW	7	*/
fe7752ba DW	8
d97e9938 M	9	#ifndef _KERNEL_AUDIT_H_
	10	#define _KERNEL_AUDIT_H_
	11
fe7752ba DW	12	#include <linux/fs.h>
fe7752ba DW	13	#include <linux/audit.h>
7183abcc	14	#include <linux/security.h>
9044e6bc	15	#include <linux/skbuff.h>
b24a30a7	16	#include <uapi/linux/mqueue.h>
3f5be2da	17	#include <linux/tty.h>
571e5c0e	18	#include <uapi/linux/openat2.h> // struct open_how
fe7752ba	19
b24a30a7 EP	20	/* AUDIT_NAMES is the number of slots we reserve in the audit_context
	21	* for saving names from getname(). If we get more names we will allocate
	22	* a name dynamically and also add those to the list anchored by names_list. */
	23	#define AUDIT_NAMES 5
	24
fe7752ba DW	25	/* At task start time, the audit_state is set in the audit_context using
	26	a per-task filter. At syscall entry, the audit_state is augmented by
	27	the syscall filter. */
	28	enum audit_state {
619ed58a	29	AUDIT_STATE_DISABLED, /* Do not create per-task audit_context.
fe7752ba DW	30	* No syscall-specific audit records can
fe7752ba DW	31	* be generated. */
619ed58a	32	AUDIT_STATE_BUILD, /* Create the per-task audit_context,
997f5b64	33	* and fill it in at syscall
fe7752ba DW	34	* entry time. This makes a full
	35	* syscall record available if some
	36	* other part of the kernel decides it
	37	* should be recorded. */
619ed58a	38	AUDIT_STATE_RECORD /* Create the per-task audit_context,
fe7752ba DW	39	* always fill it in at syscall entry
	40	* time, and always write out the audit
	41	* record at syscall exit time. */
	42	};
	43
	44	/* Rule lists */
cfcad62c	45	struct audit_watch;
7f492942	46	struct audit_fsnotify_mark;
74c3cbe3 AV	47	struct audit_tree;
	48	struct audit_chunk;
	49
fe7752ba	50	struct audit_entry {
93315ed6 AG	51	struct list_head list;
	52	struct rcu_head rcu;
	53	struct audit_krule rule;
fe7752ba DW	54	};
fe7752ba DW	55
b24a30a7 EP	56	struct audit_cap_data {
	57	kernel_cap_t permitted;
	58	kernel_cap_t inheritable;
	59	union {
	60	unsigned int fE; /* effective bit of file cap */
	61	kernel_cap_t effective; /* effective set of process */
	62	};
7786f6b6	63	kernel_cap_t ambient;
2fec30e2	64	kuid_t rootid;
b24a30a7 EP	65	};
b24a30a7 EP	66
55422d0b PM	67	/* When fs/namei.c:getname() is called, we store the pointer in name and bump
55422d0b PM	68	* the refcnt in the associated filename struct.
b24a30a7 EP	69	*
	70	* Further, in fs/namei.c:path_lookup() we store the inode and device.
	71	*/
	72	struct audit_names {
	73	struct list_head list; /* audit_context->names_list */
	74
	75	struct filename *name;
	76	int name_len; /* number of chars to log */
79f6530c	77	bool hidden; /* don't log this record */
b24a30a7 EP	78
	79	unsigned long ino;
	80	dev_t dev;
	81	umode_t mode;
	82	kuid_t uid;
	83	kgid_t gid;
	84	dev_t rdev;
e0a8dcbd	85	struct lsm_prop oprop;
b24a30a7 EP	86	struct audit_cap_data fcap;
	87	unsigned int fcap_ver;
	88	unsigned char type; /* record type */
	89	/*
	90	* This was an allocated audit_names and not from the array of
	91	* names allocated in the task audit context. Thus this name
	92	* should be freed on syscall exit.
	93	*/
	94	bool should_free;
	95	};
	96
3f1c8250 WR	97	struct audit_proctitle {
	98	int len; /* length of the cmdline field. */
	99	char value; / the cmdline field */
	100	};
	101
b24a30a7 EP	102	/* The per-task audit context. */
	103	struct audit_context {
	104	int dummy; /* must be the first element */
12c5e81d PM	105	enum {
	106	AUDIT_CTX_UNUSED, /* audit_context is currently unused */
	107	AUDIT_CTX_SYSCALL, /* in use by syscall */
5bd2182d	108	AUDIT_CTX_URING, /* in use by io_uring */
12c5e81d	109	} context;
b24a30a7 EP	110	enum audit_state state, current_state;
	111	unsigned int serial; /* serial number for record */
	112	int major; /* syscall number */
5bd2182d	113	int uring_op; /* uring operation */
2115bb25	114	struct timespec64 ctime; /* time of syscall entry */
b24a30a7 EP	115	unsigned long argv[4]; /* syscall arguments */
	116	long return_code;/* syscall return code */
	117	u64 prio;
	118	int return_valid; /* return code is valid */
	119	/*
	120	* The names_list is the list of all audit_names collected during this
	121	* syscall. The first AUDIT_NAMES entries in the names_list will
	122	* actually be from the preallocated_names array for performance
	123	* reasons. Except during allocation they should never be referenced
	124	* through the preallocated_names array and should only be found/used
	125	* by running the names_list.
	126	*/
	127	struct audit_names preallocated_names[AUDIT_NAMES];
	128	int name_count; /* total records in names_list */
	129	struct list_head names_list; /* struct audit_names->list anchor */
	130	char filterkey; / key for rule that triggered record */
	131	struct path pwd;
	132	struct audit_aux_data *aux;
	133	struct audit_aux_data *aux_pids;
	134	struct sockaddr_storage *sockaddr;
	135	size_t sockaddr_len;
	136	/* Save things to print about task_struct */
e84d9f52	137	pid_t ppid;
b24a30a7 EP	138	kuid_t uid, euid, suid, fsuid;
	139	kgid_t gid, egid, sgid, fsgid;
	140	unsigned long personality;
	141	int arch;
	142
	143	pid_t target_pid;
	144	kuid_t target_auid;
	145	kuid_t target_uid;
	146	unsigned int target_sessionid;
13d826e5	147	struct lsm_prop target_ref;
b24a30a7 EP	148	char target_comm[TASK_COMM_LEN];
	149
	150	struct audit_tree_refs trees, first_trees;
	151	struct list_head killed_trees;
	152	int tree_count;
	153
	154	int type;
	155	union {
	156	struct {
	157	int nargs;
	158	long args[6];
	159	} socketcall;
	160	struct {
	161	kuid_t uid;
	162	kgid_t gid;
	163	umode_t mode;
7183abcc	164	struct lsm_prop oprop;
b24a30a7 EP	165	int has_perm;
	166	uid_t perm_uid;
	167	gid_t perm_gid;
	168	umode_t perm_mode;
	169	unsigned long qbytes;
	170	} ipc;
	171	struct {
	172	mqd_t mqdes;
	173	struct mq_attr mqstat;
	174	} mq_getsetattr;
	175	struct {
	176	mqd_t mqdes;
	177	int sigev_signo;
	178	} mq_notify;
	179	struct {
	180	mqd_t mqdes;
	181	size_t msg_len;
	182	unsigned int msg_prio;
b9047726	183	struct timespec64 abs_timeout;
b24a30a7 EP	184	} mq_sendrecv;
	185	struct {
	186	int oflag;
	187	umode_t mode;
	188	struct mq_attr attr;
	189	} mq_open;
	190	struct {
	191	pid_t pid;
	192	struct audit_cap_data cap;
	193	} capset;
	194	struct {
	195	int fd;
	196	int flags;
	197	} mmap;
571e5c0e	198	struct open_how openat2;
d9cfea91 RGB	199	struct {
d9cfea91 RGB	200	int argc;
d9cfea91	201	} execve;
ca86cad7 RGB	202	struct {
	203	char *name;
	204	} module;
272ceeae RGB	205	struct {
	206	struct audit_ntp_data ntp_data;
	207	struct timespec64 tk_injoffset;
	208	} time;
b24a30a7 EP	209	};
b24a30a7 EP	210	int fds[2];
3f1c8250	211	struct audit_proctitle proctitle;
b24a30a7 EP	212	};
b24a30a7 EP	213
b3b4fdf6	214	extern bool audit_ever_enabled;
c782f242	215
0fe3c7fc RGB	216	extern void audit_log_session_info(struct audit_buffer *ab);
0fe3c7fc RGB	217
b6c7c115	218	extern int auditd_test_task(struct task_struct *task);
fe7752ba	219
f368c07d AG	220	#define AUDIT_INODE_BUCKETS 32
	221	extern struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
	222
	223	static inline int audit_hash_ino(u32 ino)
	224	{
	225	return (ino & (AUDIT_INODE_BUCKETS-1));
	226	}
	227
e3d6b07b JL	228	/* Indicates that audit should log the full pathname. */
	229	#define AUDIT_NAME_FULL -1
	230
55669bfa	231	extern int audit_match_class(int class, unsigned syscall);
f368c07d	232	extern int audit_comparator(const u32 left, const u32 op, const u32 right);
ca57ec0f EB	233	extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
ca57ec0f EB	234	extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
bfcec708	235	extern int parent_len(const char *path);
795d673a	236	extern int audit_compare_dname_path(const struct qstr dname, const char path, int plen);
45a0642b	237	extern struct sk_buff *audit_make_reply(int seq, int type, int done, int multi,
f9441639	238	const void *payload, int size);
fe7752ba	239	extern void audit_panic(const char *message);
3dc7e315	240
9044e6bc	241	struct audit_netlink_list {
f9441639	242	__u32 portid;
638a0fd2	243	struct net *net;
9044e6bc AV	244	struct sk_buff_head q;
	245	};
	246
3054d067	247	int audit_send_list_thread(void *_dest);
9044e6bc	248
74c3cbe3	249	extern struct mutex audit_filter_mutex;
e4c1a0d1 DR	250	extern int audit_del_rule(struct audit_entry *entry);
e4c1a0d1 DR	251	extern void audit_free_rule_rcu(struct rcu_head *head);
c782f242	252	extern struct list_head audit_filter_list[];
74c3cbe3	253
939a67fc EP	254	extern struct audit_entry audit_dupe_rule(struct audit_krule old);
939a67fc EP	255
4766b199 DB	256	extern void audit_log_d_path_exe(struct audit_buffer *ab,
	257	struct mm_struct *mm);
	258
2a1fe215	259	extern struct tty_struct *audit_get_tty(void);
3f5be2da RGB	260	extern void audit_put_tty(struct tty_struct *tty);
3f5be2da RGB	261
05c7a9cb	262	/* audit watch/mark/tree functions */
cd108b5c	263	extern unsigned int audit_serial(void);
e455ca40	264	#ifdef CONFIG_AUDITSYSCALL
cd108b5c RGB	265	extern int auditsc_get_stamp(struct audit_context *ctx,
	266	struct timespec64 t, unsigned int serial);
	267
cfcad62c EP	268	extern void audit_put_watch(struct audit_watch *watch);
cfcad62c EP	269	extern void audit_get_watch(struct audit_watch *watch);
05c7a9cb RGB	270	extern int audit_to_watch(struct audit_krule krule, char path, int len,
05c7a9cb RGB	271	u32 op);
ae7b8f41	272	extern int audit_add_watch(struct audit_krule krule, struct list_head *list);
a05fb6cc	273	extern void audit_remove_watch_rule(struct audit_krule *krule);
cfcad62c	274	extern char audit_watch_path(struct audit_watch watch);
05c7a9cb RGB	275	extern int audit_watch_compare(struct audit_watch *watch, unsigned long ino,
05c7a9cb RGB	276	dev_t dev);
7f492942	277
05c7a9cb RGB	278	extern struct audit_fsnotify_mark audit_alloc_mark(struct audit_krule krule,
05c7a9cb RGB	279	char *pathname, int len);
7f492942 RGB	280	extern char audit_mark_path(struct audit_fsnotify_mark mark);
	281	extern void audit_remove_mark(struct audit_fsnotify_mark *audit_mark);
	282	extern void audit_remove_mark_rule(struct audit_krule *krule);
05c7a9cb RGB	283	extern int audit_mark_compare(struct audit_fsnotify_mark *mark,
05c7a9cb RGB	284	unsigned long ino, dev_t dev);
34d99af5	285	extern int audit_dupe_exe(struct audit_krule new, struct audit_krule old);
05c7a9cb RGB	286	extern int audit_exe_compare(struct task_struct *tsk,
05c7a9cb RGB	287	struct audit_fsnotify_mark *mark);
7f492942	288
05c7a9cb RGB	289	extern struct audit_chunk audit_tree_lookup(const struct inode inode);
	290	extern void audit_put_chunk(struct audit_chunk *chunk);
	291	extern bool audit_tree_match(struct audit_chunk *chunk,
	292	struct audit_tree *tree);
	293	extern int audit_make_tree(struct audit_krule rule, char pathname, u32 op);
	294	extern int audit_add_tree_rule(struct audit_krule *rule);
	295	extern int audit_remove_tree_rule(struct audit_krule *rule);
	296	extern void audit_trim_trees(void);
	297	extern int audit_tag_tree(char old, char new);
	298	extern const char audit_tree_path(struct audit_tree tree);
	299	extern void audit_put_tree(struct audit_tree *tree);
	300	extern void audit_kill_trees(struct audit_context *context);
	301
b48345aa	302	extern int audit_signal_info_syscall(struct task_struct *t);
05c7a9cb RGB	303	extern void audit_filter_inodes(struct task_struct *tsk,
	304	struct audit_context *ctx);
	305	extern struct list_head *audit_killed_trees(void);
	306	#else /* CONFIG_AUDITSYSCALL */
cd108b5c	307	#define auditsc_get_stamp(c, t, s) 0
d4ceb1d6 AB	308	#define audit_put_watch(w) do { } while (0)
d4ceb1d6 AB	309	#define audit_get_watch(w) do { } while (0)
939a67fc EP	310	#define audit_to_watch(k, p, l, o) (-EINVAL)
	311	#define audit_add_watch(k, l) (-EINVAL)
	312	#define audit_remove_watch_rule(k) BUG()
	313	#define audit_watch_path(w) ""
	314	#define audit_watch_compare(w, i, d) 0
	315
7f492942 RGB	316	#define audit_alloc_mark(k, p, l) (ERR_PTR(-EINVAL))
7f492942 RGB	317	#define audit_mark_path(m) ""
d4ceb1d6 AB	318	#define audit_remove_mark(m) do { } while (0)
d4ceb1d6 AB	319	#define audit_remove_mark_rule(k) do { } while (0)
7f492942	320	#define audit_mark_compare(m, i, d) 0
34d99af5 RGB	321	#define audit_exe_compare(t, m) (-EINVAL)
34d99af5 RGB	322	#define audit_dupe_exe(n, o) (-EINVAL)
cfcad62c	323
74c3cbe3 AV	324	#define audit_remove_tree_rule(rule) BUG()
	325	#define audit_add_tree_rule(rule) -EINVAL
	326	#define audit_make_tree(rule, str, op) -EINVAL
d4ceb1d6 AB	327	#define audit_trim_trees() do { } while (0)
d4ceb1d6 AB	328	#define audit_put_tree(tree) do { } while (0)
74c3cbe3 AV	329	#define audit_tag_tree(old, new) -EINVAL
74c3cbe3 AV	330	#define audit_tree_path(rule) "" /* never called */
9e36a5d4	331	#define audit_kill_trees(context) BUG()
05c7a9cb	332
b48345aa RGB	333	static inline int audit_signal_info_syscall(struct task_struct *t)
	334	{
	335	return 0;
	336	}
	337
bf983542	338	#define audit_filter_inodes(t, c) do { } while (0)
05c7a9cb	339	#endif /* CONFIG_AUDITSYSCALL */
74c3cbe3	340
e4c1a0d1	341	extern char audit_unpack_string(void bufp, size_t remain, size_t len);
74c3cbe3	342
86b2efbe RGB	343	extern int audit_filter(int msgtype, unsigned int listtype);
86b2efbe RGB	344
ce423631 PM	345	extern void audit_ctl_lock(void);
ce423631 PM	346	extern void audit_ctl_unlock(void);
d97e9938 M	347
d97e9938 M	348	#endif