2 * Copyright 2004-2015 Red Hat Inc., Durham, North Carolina.
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2.1 of the License, or (at your option) any later version.
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
15 * You should have received a copy of the GNU Lesser General Public
16 * License along with this library; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Steve Grubb <sgrubb@redhat.com>
21 * Rickard E. (Rik) Faith <faith@redhat.com>
31 #include <asm/types.h>
33 #include <sys/socket.h>
34 #include <linux/netlink.h>
35 #include <linux/audit.h>
40 /* Audit message types as of 2.6.29 kernel:
41 * 1000 - 1099 are for commanding the audit system
42 * 1100 - 1199 user space trusted application messages
43 * 1200 - 1299 messages internal to the audit daemon
44 * 1300 - 1399 audit event messages
45 * 1400 - 1499 kernel SE Linux use
46 * 1500 - 1599 AppArmor events
47 * 1600 - 1699 kernel crypto events
48 * 1700 - 1799 kernel anomaly records
49 * 1800 - 1899 kernel integrity labels and related events
50 * 1800 - 1999 future kernel use (1800 - 1899 is already assigned to integrity on the line above, so in practice 1900 - 1999)
51 * 2001 - 2099 unused (kernel)
52 * 2100 - 2199 user space anomaly records
53 * 2200 - 2299 user space actions taken in response to anomalies
54 * 2300 - 2399 user space generated LSPP events
55 * 2400 - 2499 user space crypto events
56 * 2500 - 2599 user space virtualization management events
57 * 2600 - 2999 future user space (maybe integrity labels and related events)
/*
 * 1100 - 1199: record types sent by trusted user-space applications.
 * AUDIT_FIRST_USER_MSG and AUDIT_LAST_USER_MSG bound the block; the highest
 * type assigned here is AUDIT_MAC_CHECK (1134), so 1135 - 1199 are unassigned
 * in this header.
 * NOTE(review): AUDIT_USER_CMD and AUDIT_USER_TTY carry shell command lines
 * and terminal input, so logs holding them may contain secrets a user typed;
 * read access to those logs should be restricted accordingly.
 */
60 #define AUDIT_FIRST_USER_MSG 1100 /* First user space message */
61 #define AUDIT_LAST_USER_MSG 1199 /* Last user space message */
62 #define AUDIT_USER_AUTH 1100 /* User system access authentication */
63 #define AUDIT_USER_ACCT 1101 /* User system access authorization */
64 #define AUDIT_USER_MGMT 1102 /* User acct attribute change */
65 #define AUDIT_CRED_ACQ 1103 /* User credential acquired */
66 #define AUDIT_CRED_DISP 1104 /* User credential disposed */
67 #define AUDIT_USER_START 1105 /* User session start */
68 #define AUDIT_USER_END 1106 /* User session end */
69 #define AUDIT_USER_AVC 1107 /* User space avc message */
70 #define AUDIT_USER_CHAUTHTOK 1108 /* User acct password or pin changed */
71 #define AUDIT_USER_ERR 1109 /* User acct state error */
72 #define AUDIT_CRED_REFR 1110 /* User credential refreshed */
73 #define AUDIT_USYS_CONFIG 1111 /* User space system config change */
74 #define AUDIT_USER_LOGIN 1112 /* User has logged in */
75 #define AUDIT_USER_LOGOUT 1113 /* User has logged out */
76 #define AUDIT_ADD_USER 1114 /* User account added */
77 #define AUDIT_DEL_USER 1115 /* User account deleted */
78 #define AUDIT_ADD_GROUP 1116 /* Group account added */
79 #define AUDIT_DEL_GROUP 1117 /* Group account deleted */
80 #define AUDIT_DAC_CHECK 1118 /* User space DAC check results */
81 #define AUDIT_CHGRP_ID 1119 /* User space group ID changed */
82 #define AUDIT_TEST 1120 /* Used for test success messages */
83 #define AUDIT_TRUSTED_APP 1121 /* Trusted app msg - freestyle text */
84 #define AUDIT_USER_SELINUX_ERR 1122 /* SE Linux user space error */
85 #define AUDIT_USER_CMD 1123 /* User shell command and args */
86 #define AUDIT_USER_TTY 1124 /* Non-ICANON TTY input meaning */
87 #define AUDIT_CHUSER_ID 1125 /* Changed user ID supplemental data */
88 #define AUDIT_GRP_AUTH 1126 /* Authentication for group password */
89 #define AUDIT_SYSTEM_BOOT 1127 /* System boot */
90 #define AUDIT_SYSTEM_SHUTDOWN 1128 /* System shutdown */
91 #define AUDIT_SYSTEM_RUNLEVEL 1129 /* System runlevel change */
92 #define AUDIT_SERVICE_START 1130 /* Service (daemon) start */
93 #define AUDIT_SERVICE_STOP 1131 /* Service (daemon) stop */
94 #define AUDIT_GRP_MGMT 1132 /* Group account attr was modified */
95 #define AUDIT_GRP_CHAUTHTOK 1133 /* Group acct password or pin changed */
96 #define AUDIT_MAC_CHECK 1134 /* User space MAC decision results */
/*
 * 1200 - 1299: messages internal to the audit daemon. This header assigns
 * only 1204 - 1208; 1200 - 1203 are presumably supplied by <linux/audit.h> -
 * confirm against the kernel header in use.
 */
98 #define AUDIT_FIRST_DAEMON 1200
99 #define AUDIT_LAST_DAEMON 1299
100 #define AUDIT_DAEMON_RECONFIG 1204 /* Auditd should reconfigure */
101 #define AUDIT_DAEMON_ROTATE 1205 /* Auditd should rotate logs */
102 #define AUDIT_DAEMON_RESUME 1206 /* Auditd should resume logging */
103 #define AUDIT_DAEMON_ACCEPT 1207 /* Auditd accepted remote connection */
104 #define AUDIT_DAEMON_CLOSE 1208 /* Auditd closed remote connection */
/*
 * Range bounds for kernel-generated records. Only the first and last value of
 * each block is given for audit events (1300 - 1399) and SELinux
 * (1400 - 1499); AppArmor (1500 - 1599) also gets its individual types.
 */
106 #define AUDIT_FIRST_EVENT 1300
107 #define AUDIT_LAST_EVENT 1399
109 #define AUDIT_FIRST_SELINUX 1400
110 #define AUDIT_LAST_SELINUX 1499
112 #define AUDIT_FIRST_APPARMOR 1500
113 #define AUDIT_LAST_APPARMOR 1599
115 #define AUDIT_AA 1500 /* Not upstream yet */
116 #define AUDIT_APPARMOR_AUDIT 1501
117 #define AUDIT_APPARMOR_ALLOWED 1502
118 #define AUDIT_APPARMOR_DENIED 1503
119 #define AUDIT_APPARMOR_HINT 1504
120 #define AUDIT_APPARMOR_STATUS 1505
121 #define AUDIT_APPARMOR_ERROR 1506
/* Kernel crypto (1600 - 1699) and kernel anomaly (1700 - 1799): bounds only. */
124 #define AUDIT_FIRST_KERN_CRYPTO_MSG 1600
125 #define AUDIT_LAST_KERN_CRYPTO_MSG 1699
127 #define AUDIT_FIRST_KERN_ANOM_MSG 1700
128 #define AUDIT_LAST_KERN_ANOM_MSG 1799
/*
 * Kernel integrity records (1800 - 1899). The individual types are fallbacks:
 * the #ifndef means they are defined here only when the included kernel
 * header has not already defined AUDIT_INTEGRITY_DATA.
 */
130 #define AUDIT_INTEGRITY_FIRST_MSG 1800
131 #define AUDIT_INTEGRITY_LAST_MSG 1899
132 #ifndef AUDIT_INTEGRITY_DATA
133 #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
134 #define AUDIT_INTEGRITY_METADATA 1801 // Metadata integrity verification
135 #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
136 #define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
137 #define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
138 #define AUDIT_INTEGRITY_RULE 1805 /* Policy rule */
/*
 * 2100 - 2199: user-space anomaly records. The highest type assigned here is
 * AUDIT_ANOM_ROOT_TRANS (2117).
 * NOTE(review): each of these marks a condition some user-space component
 * already judged abnormal (login limits, self-test failures, account
 * changes, a user becoming root), so a log pipeline would normally alert on
 * them rather than only store them.
 */
141 #define AUDIT_FIRST_ANOM_MSG 2100
142 #define AUDIT_LAST_ANOM_MSG 2199
143 #define AUDIT_ANOM_LOGIN_FAILURES 2100 // Failed login limit reached
144 #define AUDIT_ANOM_LOGIN_TIME 2101 // Login attempted at bad time
145 #define AUDIT_ANOM_LOGIN_SESSIONS 2102 // Max concurrent sessions reached
146 #define AUDIT_ANOM_LOGIN_ACCT 2103 // Login attempted to watched acct
147 #define AUDIT_ANOM_LOGIN_LOCATION 2104 // Login from forbidden location
148 #define AUDIT_ANOM_MAX_DAC 2105 // Max DAC failures reached
149 #define AUDIT_ANOM_MAX_MAC 2106 // Max MAC failures reached
150 #define AUDIT_ANOM_AMTU_FAIL 2107 // AMTU failure
151 #define AUDIT_ANOM_RBAC_FAIL 2108 // RBAC self test failure
152 #define AUDIT_ANOM_RBAC_INTEGRITY_FAIL 2109 // RBAC file integrity failure
153 #define AUDIT_ANOM_CRYPTO_FAIL 2110 // Crypto system test failure
154 #define AUDIT_ANOM_ACCESS_FS 2111 // Access of file or dir
155 #define AUDIT_ANOM_EXEC 2112 // Execution of file
156 #define AUDIT_ANOM_MK_EXEC 2113 // Make an executable
157 #define AUDIT_ANOM_ADD_ACCT 2114 // Adding an acct
158 #define AUDIT_ANOM_DEL_ACCT 2115 // Deleting an acct
159 #define AUDIT_ANOM_MOD_ACCT 2116 // Changing an acct
160 #define AUDIT_ANOM_ROOT_TRANS 2117 // User became root
/*
 * 2200 - 2299: records of the action user space took in response to an
 * anomaly. AUDIT_RESP_ANOMALY (2200) records that no reaction was taken; the
 * rest name the reaction. The highest type assigned here is AUDIT_RESP_HALT
 * (2212).
 */
162 #define AUDIT_FIRST_ANOM_RESP 2200
163 #define AUDIT_LAST_ANOM_RESP 2299
164 #define AUDIT_RESP_ANOMALY 2200 /* Anomaly not reacted to */
165 #define AUDIT_RESP_ALERT 2201 /* Alert email was sent */
166 #define AUDIT_RESP_KILL_PROC 2202 /* Kill program */
167 #define AUDIT_RESP_TERM_ACCESS 2203 /* Terminate session */
168 #define AUDIT_RESP_ACCT_REMOTE 2204 /* Acct locked from remote access*/
169 #define AUDIT_RESP_ACCT_LOCK_TIMED 2205 /* User acct locked for time */
170 #define AUDIT_RESP_ACCT_UNLOCK_TIMED 2206 /* User acct unlocked from time */
171 #define AUDIT_RESP_ACCT_LOCK 2207 /* User acct was locked */
172 #define AUDIT_RESP_TERM_LOCK 2208 /* Terminal was locked */
173 #define AUDIT_RESP_SEBOOL 2209 /* Set an SE Linux boolean */
174 #define AUDIT_RESP_EXEC 2210 /* Execute a script */
175 #define AUDIT_RESP_SINGLE 2211 /* Go to single user mode */
176 #define AUDIT_RESP_HALT 2212 /* take the system down */
/*
 * 2300 - 2399: user-space LSPP events - role and label administration,
 * labeled and unlabeled export, device allocation, filesystem relabeling and
 * MAC policy changes. The highest type assigned here is
 * AUDIT_USER_MAC_CONFIG_CHANGE (2312).
 */
178 #define AUDIT_FIRST_USER_LSPP_MSG 2300
179 #define AUDIT_LAST_USER_LSPP_MSG 2399
180 #define AUDIT_USER_ROLE_CHANGE 2300 /* User changed to a new role */
181 #define AUDIT_ROLE_ASSIGN 2301 /* Admin assigned user to role */
182 #define AUDIT_ROLE_REMOVE 2302 /* Admin removed user from role */
183 #define AUDIT_LABEL_OVERRIDE 2303 /* Admin is overriding a label */
184 #define AUDIT_LABEL_LEVEL_CHANGE 2304 /* Object's level was changed */
185 #define AUDIT_USER_LABELED_EXPORT 2305 /* Object exported with label */
186 #define AUDIT_USER_UNLABELED_EXPORT 2306 /* Object exported without label */
187 #define AUDIT_DEV_ALLOC 2307 /* Device was allocated */
188 #define AUDIT_DEV_DEALLOC 2308 /* Device was deallocated */
189 #define AUDIT_FS_RELABEL 2309 /* Filesystem relabeled */
190 #define AUDIT_USER_MAC_POLICY_LOAD 2310 /* Userspc daemon loaded policy */
191 #define AUDIT_ROLE_MODIFY 2311 /* Admin modified a role */
192 #define AUDIT_USER_MAC_CONFIG_CHANGE 2312 /* Change made to MAC policy */
/*
 * 2400 - 2499: user-space crypto events; 2400 - 2409 are assigned here.
 * NOTE(review): AUDIT_CRYPTO_KEY_USER, AUDIT_CRYPTO_SESSION and the two SA
 * types describe key and session parameters. What each emitter writes is not
 * visible from this header; records should carry identifiers and algorithm
 * names, never key material - confirm per emitter.
 */
194 #define AUDIT_FIRST_CRYPTO_MSG 2400
195 #define AUDIT_CRYPTO_TEST_USER 2400 /* Crypto test results */
196 #define AUDIT_CRYPTO_PARAM_CHANGE_USER 2401 /* Crypto attribute change */
197 #define AUDIT_CRYPTO_LOGIN 2402 /* Logged in as crypto officer */
198 #define AUDIT_CRYPTO_LOGOUT 2403 /* Logged out from crypto */
199 #define AUDIT_CRYPTO_KEY_USER 2404 /* Create,delete,negotiate */
200 #define AUDIT_CRYPTO_FAILURE_USER 2405 /* Fail decrypt,encrypt,randomiz */
201 #define AUDIT_CRYPTO_REPLAY_USER 2406 /* Crypto replay detected */
202 #define AUDIT_CRYPTO_SESSION 2407 /* Record parameters set during
203 TLS session establishment */
204 #define AUDIT_CRYPTO_IKE_SA 2408 /* Record parameters related to
206 #define AUDIT_CRYPTO_IPSEC_SA 2409 /* Record parameters related to
209 #define AUDIT_LAST_CRYPTO_MSG 2499
/* 2500 - 2599: user-space virtualization management events; 2500 - 2502 are
 * assigned here. */
211 #define AUDIT_FIRST_VIRT_MSG 2500
212 #define AUDIT_VIRT_CONTROL 2500 /* Start, Pause, Stop VM */
213 #define AUDIT_VIRT_RESOURCE 2501 /* Resource assignment */
214 #define AUDIT_VIRT_MACHINE_ID 2502 /* Binding of label to VM */
216 #define AUDIT_LAST_VIRT_MSG 2599
/* The second user-space range, 2100 - 2999, spans every user-space block from
 * the anomaly records (2100) upward. Defined only when the kernel header has
 * not already defined AUDIT_FIRST_USER_MSG2. */
218 #ifndef AUDIT_FIRST_USER_MSG2
219 #define AUDIT_FIRST_USER_MSG2 2100 /* More userspace messages */
220 #define AUDIT_LAST_USER_MSG2 2999
223 /* New kernel event definitions since 2.6.30 */
/* Most types below sit behind their own #ifndef, so a definition from the
 * included kernel header takes precedence and this header only fills in
 * types an older kernel header lacks. */
224 #ifndef AUDIT_SET_FEATURE
225 #define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */
228 #ifndef AUDIT_GET_FEATURE
229 #define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */
233 #define AUDIT_MMAP 1323 /* Descriptor and flags in mmap */
236 #ifndef AUDIT_NETFILTER_PKT
237 #define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */
239 #ifndef AUDIT_NETFILTER_CFG
240 #define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */
243 #ifndef AUDIT_SECCOMP
244 #define AUDIT_SECCOMP 1326 /* Secure Computing event */
247 #ifndef AUDIT_PROCTITLE
248 #define AUDIT_PROCTITLE 1327 /* Process Title info */
/* The #undef makes the #ifndef that follows always true, so the value 1328
 * from this header replaces whatever the kernel header supplied for
 * AUDIT_FEATURE_CHANGE. NOTE(review): the reason for the override is not
 * stated here; confirm it is still wanted for current kernel headers. */
251 #undef AUDIT_FEATURE_CHANGE
252 #ifndef AUDIT_FEATURE_CHANGE
253 #define AUDIT_FEATURE_CHANGE 1328 /* Audit feature changed value */
256 #ifndef AUDIT_ANOM_LINK
257 #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
260 /* This is related to the filterkey patch */
/* Byte value 0x01. NOTE(review): presumably the delimiter between several
 * keys packed into one filterkey string - confirm against the code that
 * builds and parses keys. */
261 #define AUDIT_KEY_SEPARATOR 0x01
263 /* These are used in filter control */
/* AUDIT_FILTER_EXCLUDE is another name for AUDIT_FILTER_TYPE, which this
 * header does not define itself. AUDIT_FILTER_MASK keeps the low three bits;
 * AUDIT_FILTER_UNSET (0x80) lies outside that mask, so it cannot collide with
 * a masked filter value. */
264 #define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
265 #define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
266 #define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
268 /* Defines for interfield comparison update */
/*
 * AUDIT_OBJ_UID, AUDIT_OBJ_GID and AUDIT_FIELD_COMPARE take the values
 * 109 - 111; the AUDIT_COMPARE_* constants (1 - 25) each name one pair of
 * identities to compare. Every constant has its own #ifndef, so a definition
 * from the kernel header wins over the fallback here.
 * NOTE(review): pairs such as AUDIT_COMPARE_UID_TO_EUID and
 * AUDIT_COMPARE_AUID_TO_EUID are presumably what a rule uses to match a
 * process whose effective identity differs from its real or login identity -
 * confirm against the rule documentation before relying on it.
 */
269 #ifndef AUDIT_OBJ_UID
270 #define AUDIT_OBJ_UID 109
272 #ifndef AUDIT_OBJ_GID
273 #define AUDIT_OBJ_GID 110
275 #ifndef AUDIT_FIELD_COMPARE
276 #define AUDIT_FIELD_COMPARE 111
279 #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
280 #define AUDIT_COMPARE_UID_TO_OBJ_UID 1
282 #ifndef AUDIT_COMPARE_GID_TO_OBJ_GID
283 #define AUDIT_COMPARE_GID_TO_OBJ_GID 2
285 #ifndef AUDIT_COMPARE_EUID_TO_OBJ_UID
286 #define AUDIT_COMPARE_EUID_TO_OBJ_UID 3
288 #ifndef AUDIT_COMPARE_EGID_TO_OBJ_GID
289 #define AUDIT_COMPARE_EGID_TO_OBJ_GID 4
291 #ifndef AUDIT_COMPARE_AUID_TO_OBJ_UID
292 #define AUDIT_COMPARE_AUID_TO_OBJ_UID 5
294 #ifndef AUDIT_COMPARE_SUID_TO_OBJ_UID
295 #define AUDIT_COMPARE_SUID_TO_OBJ_UID 6
297 #ifndef AUDIT_COMPARE_SGID_TO_OBJ_GID
298 #define AUDIT_COMPARE_SGID_TO_OBJ_GID 7
300 #ifndef AUDIT_COMPARE_FSUID_TO_OBJ_UID
301 #define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
303 #ifndef AUDIT_COMPARE_FSGID_TO_OBJ_GID
304 #define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
306 #ifndef AUDIT_COMPARE_UID_TO_AUID
307 #define AUDIT_COMPARE_UID_TO_AUID 10
309 #ifndef AUDIT_COMPARE_UID_TO_EUID
310 #define AUDIT_COMPARE_UID_TO_EUID 11
312 #ifndef AUDIT_COMPARE_UID_TO_FSUID
313 #define AUDIT_COMPARE_UID_TO_FSUID 12
315 #ifndef AUDIT_COMPARE_UID_TO_SUID
316 #define AUDIT_COMPARE_UID_TO_SUID 13
318 #ifndef AUDIT_COMPARE_AUID_TO_FSUID
319 #define AUDIT_COMPARE_AUID_TO_FSUID 14
321 #ifndef AUDIT_COMPARE_AUID_TO_SUID
322 #define AUDIT_COMPARE_AUID_TO_SUID 15
324 #ifndef AUDIT_COMPARE_AUID_TO_EUID
325 #define AUDIT_COMPARE_AUID_TO_EUID 16
327 #ifndef AUDIT_COMPARE_EUID_TO_SUID
328 #define AUDIT_COMPARE_EUID_TO_SUID 17
330 #ifndef AUDIT_COMPARE_EUID_TO_FSUID
331 #define AUDIT_COMPARE_EUID_TO_FSUID 18
333 #ifndef AUDIT_COMPARE_SUID_TO_FSUID
334 #define AUDIT_COMPARE_SUID_TO_FSUID 19
336 #ifndef AUDIT_COMPARE_GID_TO_EGID
337 #define AUDIT_COMPARE_GID_TO_EGID 20
339 #ifndef AUDIT_COMPARE_GID_TO_FSGID
340 #define AUDIT_COMPARE_GID_TO_FSGID 21
342 #ifndef AUDIT_COMPARE_GID_TO_SGID
343 #define AUDIT_COMPARE_GID_TO_SGID 22
345 #ifndef AUDIT_COMPARE_EGID_TO_FSGID
346 #define AUDIT_COMPARE_EGID_TO_FSGID 23
348 #ifndef AUDIT_COMPARE_EGID_TO_SGID
349 #define AUDIT_COMPARE_EGID_TO_SGID 24
351 #ifndef AUDIT_COMPARE_SGID_TO_FSGID
352 #define AUDIT_COMPARE_SGID_TO_FSGID 25
/* Fallback architecture constants. An AUDIT_ARCH_* value is the ELF machine
 * number OR-ed with the 64-bit and little-endian flag bits; the #ifndef
 * guards keep any definition the system headers already provide. */
359 #define EM_AARCH64 183
362 #ifndef AUDIT_ARCH_AARCH64
363 #define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
366 #ifndef AUDIT_ARCH_PPC64LE
367 #define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
370 //////////////////////////////////////////////////////
371 // This is an external ABI. Any changes in here will
372 // likely affect pam_loginuid. There might be other
373 // apps that use this low level interface, but I don't
376 /* data structure for who signaled the audit daemon */
377 struct audit_sig_info {
383 /* defines for audit subsystem */
/* data[] is a fixed buffer of MAX_AUDIT_MESSAGE_LENGTH bytes.
 * NOTE(review): code that copies a received or formatted message into it
 * must bound the copy to this size; a length read from a netlink header is
 * not a safe bound by itself. */
384 #define MAX_AUDIT_MESSAGE_LENGTH 8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1
385 struct audit_message {
387 char data[MAX_AUDIT_MESSAGE_LENGTH];
390 // internal - forward declaration
396 struct nlmsghdr *nlh;
397 struct audit_message msg;
399 /* Using a union to compress this structure since only one of
400 * the following should be valid for any packet. */
/* NOTE(review): the members share storage, so reading a member other than
 * the one that matches the packet yields the same pointer under the wrong
 * type. Presumably the reply's message type selects the member - confirm
 * before dereferencing. */
402 struct audit_status *status;
403 struct audit_rule_data *ruledata;
404 struct audit_login *login;
406 struct nlmsgerr *error;
407 struct audit_sig_info *signal_info;
408 struct daemon_conf *conf;
/* This member exists only when HAVE_DECL_AUDIT_FEATURE_VERSION is non-zero
 * at build time. */
409 #if HAVE_DECL_AUDIT_FEATURE_VERSION
410 struct audit_features *features;
416 // End of ABI control
417 //////////////////////////////////////////////////////
419 //////////////////////////////////////////////////////
420 // audit dispatcher interface
422 /* audit_dispatcher_header: This header is versioned. If anything gets
423 * added to it, it must go at the end and the version number bumped.
424 * This MUST BE fixed size for compatibility. If you are going to add
425 * new member then add them into _structure_ part.
/* NOTE(review): all four fields are fixed-width 32-bit values supplied by the
 * peer on the dispatcher stream. A reader should reject a ver it does not
 * know, an hlen that differs from the header size it expects, and a size
 * larger than its receive buffer before reading the payload
 * (MAX_AUDIT_MESSAGE_LENGTH looks like the natural bound - confirm). */
427 struct audit_dispatcher_header {
428 uint32_t ver; /* The version of this protocol */
429 uint32_t hlen; /* Header length */
430 uint32_t type; /* Message type */
431 uint32_t size; /* Size of data following the header */
/* Presumably the value carried in ver by this version of the protocol. */
434 #define AUDISP_PROTOCOL_VER 0
436 ///////////////////////////////////////////////////
440 /* This is the machine type list */
455 /* These are the valid audit failure tunable enum values */
/* Message destination and debug switch passed to set_aumessage_mode().
 * Going by the enumerator names, presumably stderr, syslog or no output. */
463 typedef enum { MSG_STDERR, MSG_SYSLOG, MSG_QUIET } message_t;
464 typedef enum { DBG_NO, DBG_YES } debug_message_t;
465 void set_aumessage_mode(message_t mode, debug_message_t debug);
/* Blocking mode for audit_get_reply(). */
468 typedef enum { GET_REPLY_BLOCKING=0, GET_REPLY_NONBLOCKING } reply_t;
/* audit_open() returns the descriptor that the other calls take as fd and
 * audit_close() releases. NOTE(review): presumably a netlink socket (this
 * header includes <linux/netlink.h>) and negative on failure - check the
 * result before passing it on. */
469 extern int audit_open(void);
470 extern void audit_close(int fd);
471 extern int audit_get_reply(int fd, struct audit_reply *rep, reply_t block,
/* Login uid accessors; neither takes a pid, so presumably they act on the
 * calling process. NOTE(review): audit_getloginuid() returns uid_t, so it
 * cannot report failure as a negative int; presumably (uid_t)-1 means unset
 * or error - test for it before trusting the value. */
473 extern uid_t audit_getloginuid(void);
474 extern int audit_setloginuid(uid_t uid);
475 extern int audit_detect_machine(void);
476 extern int audit_determine_machine(const char *arch);
478 /* Translation functions */
/* Name <-> number lookups for fields, syscalls, flags, actions, message
 * types, machines, ELF machine codes, operators, errno values and file
 * types. The syscall lookups also take a machine argument.
 * NOTE(review): failure values are not visible from the prototypes.
 * Presumably the int lookups return a negative value and the const char *
 * lookups return NULL for an unknown input; check the result before using it
 * as an index or passing it to a printf-style %s. Ownership of the returned
 * strings is also not stated - presumably static storage that must not be
 * freed. */
479 extern int audit_name_to_field(const char *field);
480 extern const char *audit_field_to_name(int field);
481 extern int audit_name_to_syscall(const char *sc, int machine);
482 extern const char *audit_syscall_to_name(int sc, int machine);
483 extern int audit_name_to_flag(const char *flag);
484 extern const char *audit_flag_to_name(int flag);
485 extern int audit_name_to_action(const char *action);
486 extern const char *audit_action_to_name(int action);
487 extern int audit_name_to_msg_type(const char *msg_type);
488 extern const char *audit_msg_type_to_name(int msg_type);
489 extern int audit_name_to_machine(const char *machine);
490 extern const char *audit_machine_to_name(int machine);
491 extern unsigned int audit_machine_to_elf(int machine);
492 extern int audit_elf_to_machine(unsigned int elf);
493 extern const char *audit_operator_to_symbol(int op);
494 extern int audit_name_to_errno(const char *error);
495 extern const char *audit_errno_to_name(int error);
496 extern int audit_name_to_ftype(const char *name);
497 extern const char *audit_ftype_to_name(int ftype);
498 extern void audit_number_to_errmsg(int errnumber, const char *opt);
/* Queries about audit state, issued on the descriptor fd. */
501 extern int audit_request_status(int fd);
502 extern int audit_is_enabled(int fd);
503 extern int get_auditfail_action(auditfail_t *failmode);
504 extern int audit_request_features(int fd);
/* Setters that change audit configuration through fd.
 * NOTE(review): these presumably fail without audit-control privilege.
 * Callers should check the int result rather than assume the setting took
 * effect, in particular before dropping privileges. */
507 typedef enum { WAIT_NO, WAIT_YES } rep_wait_t;
508 extern int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode);
509 extern int audit_set_enabled(int fd, uint32_t enabled);
510 extern int audit_set_failure(int fd, uint32_t failure);
511 extern int audit_set_rate_limit(int fd, uint32_t limit);
512 extern int audit_set_backlog_limit(int fd, uint32_t limit);
513 int audit_set_backlog_wait_time(int fd, uint32_t bwt);
514 extern int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock);
515 extern int audit_set_loginuid_immutable(int fd);
517 /* AUDIT_LIST_RULES */
518 extern int audit_request_rules_list_data(int fd);
521 extern int audit_request_signal_info(int fd);
/* Watch helpers. The ones taking struct audit_rule_data **rulep receive the
 * address of the caller's rule pointer. NOTE(review): presumably so the rule
 * can be reallocated to hold the path; use *rulep after the call, not a copy
 * of the pointer saved before it. */
524 extern int audit_update_watch_perms(struct audit_rule_data *rule, int perms);
525 extern int audit_add_watch(struct audit_rule_data **rulep, const char *path);
526 extern int audit_add_dir(struct audit_rule_data **rulep, const char *path);
527 extern int audit_add_watch_dir(int type, struct audit_rule_data **rulep,
529 extern int audit_trim_subtrees(int fd);
530 extern int audit_make_equivalent(int fd, const char *mount_point,
531 const char *subtree);
/* Add or delete a rule in the filter list selected by flags, with the given
 * action. */
534 extern int audit_add_rule_data(int fd, struct audit_rule_data *rule,
535 int flags, int action);
538 extern int audit_delete_rule_data(int fd, struct audit_rule_data *rule,
539 int flags, int action);
541 /* The following are for standard formatting of messages */
/* audit_value_needs_encoding() tests len bytes of str; audit_encode_value()
 * writes the encoded form of size bytes of buf into the caller's buffer
 * final.
 * NOTE(review): no output length is passed to audit_encode_value(), so the
 * caller must size final for the encoded form. The required size is not
 * visible here; presumably twice size plus a terminator if the encoding is
 * hex - confirm against the implementation. */
542 extern int audit_value_needs_encoding(const char *str, unsigned int len);
543 extern char *audit_encode_value(char *final,const char *buf,unsigned int size);
544 extern char *audit_encode_nv_string(const char *name, const char *value,
/* Helpers that send a user-space record of the given type on audit_fd.
 * NOTE(review): whether each helper encodes its string arguments is not
 * visible from the prototypes. Text that originates from a user or the
 * network (account names, hostnames, command lines) should be checked with
 * audit_value_needs_encoding() and encoded before it is placed in message;
 * otherwise it could add spaces or extra name=value pairs to the record.
 * Confirm per function. */
546 extern int audit_log_user_message(int audit_fd, int type, const char *message,
547 const char *hostname, const char *addr, const char *tty, int result);
548 extern int audit_log_user_comm_message(int audit_fd, int type,
549 const char *message, const char *comm, const char *hostname,
550 const char *addr, const char *tty, int result);
551 extern int audit_log_acct_message(int audit_fd, int type, const char *pgname,
552 const char *op, const char *name, unsigned int id,
553 const char *host, const char *addr, const char *tty, int result);
554 extern int audit_log_user_avc_message(int audit_fd, int type,
555 const char *message, const char *hostname, const char *addr,
556 const char *tty, uid_t uid);
557 extern int audit_log_semanage_message(int audit_fd, int type,
558 const char *pgname, const char *op, const char *name, unsigned int id,
559 const char *new_seuser, const char *new_role, const char *new_range,
560 const char *old_seuser, const char *old_role, const char *old_range,
561 const char *host, const char *addr,
562 const char *tty, int result);
563 extern int audit_log_user_command(int audit_fd, int type, const char *command,
564 const char *tty, int result);
566 /* Rule-building helper functions */
/* Add a syscall to a rule, by number or by name. */
567 extern int audit_rule_syscall_data(struct audit_rule_data *rule, int scall);
568 extern int audit_rule_syscallbyname_data(struct audit_rule_data *rule,
570 /* Note that the following function takes a **, where audit_rule_fieldpair()
571 * takes just a *. That structure may need to be reallocated as a result of
572 * adding new fields */
/* Because the rule may be reallocated, a copy of the rule pointer saved
 * before either *_data call below can be stale afterwards. Read the rule
 * back through *rulep, and pass that current pointer to
 * audit_rule_free_data(). */
573 extern int audit_rule_fieldpair_data(struct audit_rule_data **rulep,
574 const char *pair, int flags);
575 extern int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
576 const char *pair, int flags);
577 extern void audit_rule_free_data(struct audit_rule_data *rule);