URL https://opencores.org/ocsvn/hf-risc/hf-risc/trunk

Subversion Repositories hf-risc

[/] [hf-risc/] [trunk/] [tools/] [riscv-gnu-toolchain-master/] [linux-headers/] [include/] [linux/] [audit.h] - Blame information for rev 13

Details | Compare with Previous | View Log


/* audit.h -- Auditing support
 *
 * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
 *
 */
 
#ifndef _LINUX_AUDIT_H_
#define _LINUX_AUDIT_H_
 
#include <linux/types.h>
#include <linux/elf-em.h>
 
/* The netlink messages for the audit system is divided into blocks:
 * 1000 - 1099 are for commanding the audit system
 * 1100 - 1199 user space trusted application messages
 * 1200 - 1299 messages internal to the audit daemon
 * 1300 - 1399 audit event messages
 * 1400 - 1499 SE Linux use
 * 1500 - 1599 kernel LSPP events
 * 1600 - 1699 kernel crypto events
 * 1700 - 1799 kernel anomaly records
 * 1800 - 1899 kernel integrity events
 * 1900 - 1999 future kernel use
 * 2000 is for otherwise unclassified kernel audit messages (legacy)
 * 2001 - 2099 unused (kernel)
 * 2100 - 2199 user space anomaly records
 * 2200 - 2299 user space actions taken in response to anomalies
 * 2300 - 2399 user space generated LSPP events
 * 2400 - 2499 user space crypto events
 * 2500 - 2999 future user space (maybe integrity labels and related events)
 *
 * Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are
 * exclusively user space. 1300-2099 is kernel --> user space
 * communication.
 */
#define AUDIT_GET               1000    /* Get status */
#define AUDIT_SET               1001    /* Set status (enable/disable/auditd) */
#define AUDIT_LIST              1002    /* List syscall rules -- deprecated */
#define AUDIT_ADD               1003    /* Add syscall rule -- deprecated */
#define AUDIT_DEL               1004    /* Delete syscall rule -- deprecated */
#define AUDIT_USER              1005    /* Message from userspace -- deprecated */
#define AUDIT_LOGIN             1006    /* Define the login id and information */
#define AUDIT_WATCH_INS         1007    /* Insert file/dir watch entry */
#define AUDIT_WATCH_REM         1008    /* Remove file/dir watch entry */
#define AUDIT_WATCH_LIST        1009    /* List all file/dir watches */
#define AUDIT_SIGNAL_INFO       1010    /* Get info about sender of signal to auditd */
#define AUDIT_ADD_RULE          1011    /* Add syscall filtering rule */
#define AUDIT_DEL_RULE          1012    /* Delete syscall filtering rule */
#define AUDIT_LIST_RULES        1013    /* List syscall filtering rules */
#define AUDIT_TRIM              1014    /* Trim junk from watched tree */
#define AUDIT_MAKE_EQUIV        1015    /* Append to watched tree */
#define AUDIT_TTY_GET           1016    /* Get TTY auditing status */
#define AUDIT_TTY_SET           1017    /* Set TTY auditing status */
#define AUDIT_SET_FEATURE       1018    /* Turn an audit feature on or off */
#define AUDIT_GET_FEATURE       1019    /* Get which features are enabled */
#define AUDIT_FEATURE_CHANGE    1020    /* audit log listing feature changes */
 
#define AUDIT_FIRST_USER_MSG    1100    /* Userspace messages mostly uninteresting to kernel */
#define AUDIT_USER_AVC          1107    /* We filter this differently */
#define AUDIT_USER_TTY          1124    /* Non-ICANON TTY input meaning */
#define AUDIT_LAST_USER_MSG     1199
#define AUDIT_FIRST_USER_MSG2   2100    /* More user space messages */
#define AUDIT_LAST_USER_MSG2    2999
 
#define AUDIT_DAEMON_START      1200    /* Daemon startup record */
#define AUDIT_DAEMON_END        1201    /* Daemon normal stop record */
#define AUDIT_DAEMON_ABORT      1202    /* Daemon error stop record */
#define AUDIT_DAEMON_CONFIG     1203    /* Daemon config change */
 
#define AUDIT_SYSCALL           1300    /* Syscall event */
/* #define AUDIT_FS_WATCH       1301     * Deprecated */
#define AUDIT_PATH              1302    /* Filename path information */
#define AUDIT_IPC               1303    /* IPC record */
#define AUDIT_SOCKETCALL        1304    /* sys_socketcall arguments */
#define AUDIT_CONFIG_CHANGE     1305    /* Audit system configuration change */
#define AUDIT_SOCKADDR          1306    /* sockaddr copied as syscall arg */
#define AUDIT_CWD               1307    /* Current working directory */
#define AUDIT_EXECVE            1309    /* execve arguments */
#define AUDIT_IPC_SET_PERM      1311    /* IPC new permissions record type */
#define AUDIT_MQ_OPEN           1312    /* POSIX MQ open record type */
#define AUDIT_MQ_SENDRECV       1313    /* POSIX MQ send/receive record type */
#define AUDIT_MQ_NOTIFY         1314    /* POSIX MQ notify record type */
#define AUDIT_MQ_GETSETATTR     1315    /* POSIX MQ get/set attribute record type */
#define AUDIT_KERNEL_OTHER      1316    /* For use by 3rd party modules */
#define AUDIT_FD_PAIR           1317    /* audit record for pipe/socketpair */
#define AUDIT_OBJ_PID           1318    /* ptrace target */
#define AUDIT_TTY               1319    /* Input on an administrative TTY */
#define AUDIT_EOE               1320    /* End of multi-record event */
#define AUDIT_BPRM_FCAPS        1321    /* Information about fcaps increasing perms */
#define AUDIT_CAPSET            1322    /* Record showing argument to sys_capset */
#define AUDIT_MMAP              1323    /* Record showing descriptor and flags in mmap */
#define AUDIT_NETFILTER_PKT     1324    /* Packets traversing netfilter chains */
#define AUDIT_NETFILTER_CFG     1325    /* Netfilter chain modifications */
#define AUDIT_SECCOMP           1326    /* Secure Computing event */
 
#define AUDIT_AVC               1400    /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR       1401    /* Internal SE Linux Errors */
#define AUDIT_AVC_PATH          1402    /* dentry, vfsmount pair from avc */
#define AUDIT_MAC_POLICY_LOAD   1403    /* Policy file load */
#define AUDIT_MAC_STATUS        1404    /* Changed enforcing,permissive,off */
#define AUDIT_MAC_CONFIG_CHANGE 1405    /* Changes to booleans */
#define AUDIT_MAC_UNLBL_ALLOW   1406    /* NetLabel: allow unlabeled traffic */
#define AUDIT_MAC_CIPSOV4_ADD   1407    /* NetLabel: add CIPSOv4 DOI entry */
#define AUDIT_MAC_CIPSOV4_DEL   1408    /* NetLabel: del CIPSOv4 DOI entry */
#define AUDIT_MAC_MAP_ADD       1409    /* NetLabel: add LSM domain mapping */
#define AUDIT_MAC_MAP_DEL       1410    /* NetLabel: del LSM domain mapping */
#define AUDIT_MAC_IPSEC_ADDSA   1411    /* Not used */
#define AUDIT_MAC_IPSEC_DELSA   1412    /* Not used  */
#define AUDIT_MAC_IPSEC_ADDSPD  1413    /* Not used */
#define AUDIT_MAC_IPSEC_DELSPD  1414    /* Not used */
#define AUDIT_MAC_IPSEC_EVENT   1415    /* Audit an IPSec event */
#define AUDIT_MAC_UNLBL_STCADD  1416    /* NetLabel: add a static label */
#define AUDIT_MAC_UNLBL_STCDEL  1417    /* NetLabel: del a static label */
 
#define AUDIT_FIRST_KERN_ANOM_MSG   1700
#define AUDIT_LAST_KERN_ANOM_MSG    1799
#define AUDIT_ANOM_PROMISCUOUS      1700 /* Device changed promiscuous mode */
#define AUDIT_ANOM_ABEND            1701 /* Process ended abnormally */
#define AUDIT_ANOM_LINK             1702 /* Suspicious use of file links */
#define AUDIT_INTEGRITY_DATA        1800 /* Data integrity verification */
#define AUDIT_INTEGRITY_METADATA    1801 /* Metadata integrity verification */
#define AUDIT_INTEGRITY_STATUS      1802 /* Integrity enable status */
#define AUDIT_INTEGRITY_HASH        1803 /* Integrity HASH type */
#define AUDIT_INTEGRITY_PCR         1804 /* PCR invalidation msgs */
#define AUDIT_INTEGRITY_RULE        1805 /* policy rule */
 
#define AUDIT_KERNEL            2000    /* Asynchronous audit record. NOT A REQUEST. */
 
/* Rule flags */
#define AUDIT_FILTER_USER       0x00    /* Apply rule to user-generated messages */
#define AUDIT_FILTER_TASK       0x01    /* Apply rule at task creation (not syscall) */
#define AUDIT_FILTER_ENTRY      0x02    /* Apply rule at syscall entry */
#define AUDIT_FILTER_WATCH      0x03    /* Apply rule to file system watches */
#define AUDIT_FILTER_EXIT       0x04    /* Apply rule at syscall exit */
#define AUDIT_FILTER_TYPE       0x05    /* Apply rule at audit_log_start */
 
#define AUDIT_NR_FILTERS        6
 
#define AUDIT_FILTER_PREPEND    0x10    /* Prepend to front of list */
 
/* Rule actions */
#define AUDIT_NEVER    0        /* Do not build context if rule matches */
#define AUDIT_POSSIBLE 1        /* Build context if rule matches  */
#define AUDIT_ALWAYS   2        /* Generate audit record if rule matches */
 
/* Rule structure sizes -- if these change, different AUDIT_ADD and
 * AUDIT_LIST commands must be implemented. */
#define AUDIT_MAX_FIELDS   64
#define AUDIT_MAX_KEY_LEN  256
#define AUDIT_BITMASK_SIZE 64
#define AUDIT_WORD(nr) ((__u32)((nr)/32))
#define AUDIT_BIT(nr)  (1 << ((nr) - AUDIT_WORD(nr)*32))
 
#define AUDIT_SYSCALL_CLASSES 16
#define AUDIT_CLASS_DIR_WRITE 0
#define AUDIT_CLASS_DIR_WRITE_32 1
#define AUDIT_CLASS_CHATTR 2
#define AUDIT_CLASS_CHATTR_32 3
#define AUDIT_CLASS_READ 4
#define AUDIT_CLASS_READ_32 5
#define AUDIT_CLASS_WRITE 6
#define AUDIT_CLASS_WRITE_32 7
#define AUDIT_CLASS_SIGNAL 8
#define AUDIT_CLASS_SIGNAL_32 9
 
/* This bitmask is used to validate user input.  It represents all bits that
 * are currently used in an audit field constant understood by the kernel.
 * If you are adding a new #define AUDIT_<whatever>, please ensure that
 * AUDIT_UNUSED_BITS is updated if need be. */
#define AUDIT_UNUSED_BITS       0x07FFFC00
 
/* AUDIT_FIELD_COMPARE rule list */
#define AUDIT_COMPARE_UID_TO_OBJ_UID    1
#define AUDIT_COMPARE_GID_TO_OBJ_GID    2
#define AUDIT_COMPARE_EUID_TO_OBJ_UID   3
#define AUDIT_COMPARE_EGID_TO_OBJ_GID   4
#define AUDIT_COMPARE_AUID_TO_OBJ_UID   5
#define AUDIT_COMPARE_SUID_TO_OBJ_UID   6
#define AUDIT_COMPARE_SGID_TO_OBJ_GID   7
#define AUDIT_COMPARE_FSUID_TO_OBJ_UID  8
#define AUDIT_COMPARE_FSGID_TO_OBJ_GID  9
 
#define AUDIT_COMPARE_UID_TO_AUID       10
#define AUDIT_COMPARE_UID_TO_EUID       11
#define AUDIT_COMPARE_UID_TO_FSUID      12
#define AUDIT_COMPARE_UID_TO_SUID       13
 
#define AUDIT_COMPARE_AUID_TO_FSUID     14
#define AUDIT_COMPARE_AUID_TO_SUID      15
#define AUDIT_COMPARE_AUID_TO_EUID      16
 
#define AUDIT_COMPARE_EUID_TO_SUID      17
#define AUDIT_COMPARE_EUID_TO_FSUID     18
 
#define AUDIT_COMPARE_SUID_TO_FSUID     19
 
#define AUDIT_COMPARE_GID_TO_EGID       20
#define AUDIT_COMPARE_GID_TO_FSGID      21
#define AUDIT_COMPARE_GID_TO_SGID       22
 
#define AUDIT_COMPARE_EGID_TO_FSGID     23
#define AUDIT_COMPARE_EGID_TO_SGID      24
#define AUDIT_COMPARE_SGID_TO_FSGID     25
 
#define AUDIT_MAX_FIELD_COMPARE         AUDIT_COMPARE_SGID_TO_FSGID
 
/* Rule fields */
                                /* These are useful when checking the
                                 * task structure at task creation time
                                 * (AUDIT_PER_TASK).  */
#define AUDIT_PID       0
#define AUDIT_UID       1
#define AUDIT_EUID      2
#define AUDIT_SUID      3
#define AUDIT_FSUID     4
#define AUDIT_GID       5
#define AUDIT_EGID      6
#define AUDIT_SGID      7
#define AUDIT_FSGID     8
#define AUDIT_LOGINUID  9
#define AUDIT_PERS      10
#define AUDIT_ARCH      11
#define AUDIT_MSGTYPE   12
#define AUDIT_SUBJ_USER 13      /* security label user */
#define AUDIT_SUBJ_ROLE 14      /* security label role */
#define AUDIT_SUBJ_TYPE 15      /* security label type */
#define AUDIT_SUBJ_SEN  16      /* security label sensitivity label */
#define AUDIT_SUBJ_CLR  17      /* security label clearance label */
#define AUDIT_PPID      18
#define AUDIT_OBJ_USER  19
#define AUDIT_OBJ_ROLE  20
#define AUDIT_OBJ_TYPE  21
#define AUDIT_OBJ_LEV_LOW       22
#define AUDIT_OBJ_LEV_HIGH      23
#define AUDIT_LOGINUID_SET      24
 
                                /* These are ONLY useful when checking
                                 * at syscall exit time (AUDIT_AT_EXIT). */
#define AUDIT_DEVMAJOR  100
#define AUDIT_DEVMINOR  101
#define AUDIT_INODE     102
#define AUDIT_EXIT      103
#define AUDIT_SUCCESS   104     /* exit >= 0; value ignored */
#define AUDIT_WATCH     105
#define AUDIT_PERM      106
#define AUDIT_DIR       107
#define AUDIT_FILETYPE  108
#define AUDIT_OBJ_UID   109
#define AUDIT_OBJ_GID   110
#define AUDIT_FIELD_COMPARE     111
 
#define AUDIT_ARG0      200
#define AUDIT_ARG1      (AUDIT_ARG0+1)
#define AUDIT_ARG2      (AUDIT_ARG0+2)
#define AUDIT_ARG3      (AUDIT_ARG0+3)
 
#define AUDIT_FILTERKEY 210
 
#define AUDIT_NEGATE                    0x80000000
 
/* These are the supported operators.
 *      4  2  1  8
 *      =  >  <  ?
 *      ----------
 *      0  0  0  0      00      nonsense
 *      0  0  0  1      08      &  bit mask
 *      0  0  1  0      10      <
 *      0  1  0  0      20      >
 *      0  1  1  0      30      !=
 *      1  0  0  0      40      =
 *      1  0  0  1      48      &=  bit test
 *      1  0  1  0      50      <=
 *      1  1  0  0      60      >=
 *      1  1  1  1      78      all operators
 */
#define AUDIT_BIT_MASK                  0x08000000
#define AUDIT_LESS_THAN                 0x10000000
#define AUDIT_GREATER_THAN              0x20000000
#define AUDIT_NOT_EQUAL                 0x30000000
#define AUDIT_EQUAL                     0x40000000
#define AUDIT_BIT_TEST                  (AUDIT_BIT_MASK|AUDIT_EQUAL)
#define AUDIT_LESS_THAN_OR_EQUAL        (AUDIT_LESS_THAN|AUDIT_EQUAL)
#define AUDIT_GREATER_THAN_OR_EQUAL     (AUDIT_GREATER_THAN|AUDIT_EQUAL)
#define AUDIT_OPERATORS                 (AUDIT_EQUAL|AUDIT_NOT_EQUAL|AUDIT_BIT_MASK)
 
enum {
        Audit_equal,
        Audit_not_equal,
        Audit_bitmask,
        Audit_bittest,
        Audit_lt,
        Audit_gt,
        Audit_le,
        Audit_ge,
        Audit_bad
};
 
/* Status symbols */
                                /* Mask values */
#define AUDIT_STATUS_ENABLED            0x0001
#define AUDIT_STATUS_FAILURE            0x0002
#define AUDIT_STATUS_PID                0x0004
#define AUDIT_STATUS_RATE_LIMIT         0x0008
#define AUDIT_STATUS_BACKLOG_LIMIT      0x0010
#define AUDIT_STATUS_BACKLOG_WAIT_TIME  0x0020
 
#define AUDIT_VERSION_BACKLOG_LIMIT     1
#define AUDIT_VERSION_BACKLOG_WAIT_TIME 2
#define AUDIT_VERSION_LATEST AUDIT_VERSION_BACKLOG_WAIT_TIME
 
                                /* Failure-to-log actions */
#define AUDIT_FAIL_SILENT       0
#define AUDIT_FAIL_PRINTK       1
#define AUDIT_FAIL_PANIC        2
 
/* distinguish syscall tables */
#define __AUDIT_ARCH_64BIT 0x80000000
#define __AUDIT_ARCH_LE    0x40000000
#define AUDIT_ARCH_ALPHA        (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARM          (EM_ARM|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB        (EM_ARM)
#define AUDIT_ARCH_CRIS         (EM_CRIS|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_FRV          (EM_FRV)
#define AUDIT_ARCH_I386         (EM_386|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_IA64         (EM_IA_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_M32R         (EM_M32R)
#define AUDIT_ARCH_M68K         (EM_68K)
#define AUDIT_ARCH_MIPS         (EM_MIPS)
#define AUDIT_ARCH_MIPSEL       (EM_MIPS|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_MIPS64       (EM_MIPS|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_MIPSEL64     (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_OPENRISC     (EM_OPENRISC)
#define AUDIT_ARCH_PARISC       (EM_PARISC)
#define AUDIT_ARCH_PARISC64     (EM_PARISC|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_PPC          (EM_PPC)
#define AUDIT_ARCH_PPC64        (EM_PPC64|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_S390         (EM_S390)
#define AUDIT_ARCH_S390X        (EM_S390|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_SH           (EM_SH)
#define AUDIT_ARCH_SHEL         (EM_SH|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_SH64         (EM_SH|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_SHEL64       (EM_SH|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_SPARC        (EM_SPARC)
#define AUDIT_ARCH_SPARC64      (EM_SPARCV9|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_X86_64       (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 
#define AUDIT_PERM_EXEC         1
#define AUDIT_PERM_WRITE        2
#define AUDIT_PERM_READ         4
#define AUDIT_PERM_ATTR         8
 
/* MAX_AUDIT_MESSAGE_LENGTH is set in audit:lib/libaudit.h as:
 * 8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1
 * max header+body+tailer: 44 + 29 + 32 + 262 + 7 + pad
 */
#define AUDIT_MESSAGE_TEXT_MAX  8560
 
struct audit_status {
        __u32           mask;           /* Bit mask for valid entries */
        __u32           enabled;        /* 1 = enabled, 0 = disabled */
        __u32           failure;        /* Failure-to-log action */
        __u32           pid;            /* pid of auditd process */
        __u32           rate_limit;     /* messages rate limit (per second) */
        __u32           backlog_limit;  /* waiting messages limit */
        __u32           lost;           /* messages lost */
        __u32           backlog;        /* messages waiting in queue */
        __u32           version;        /* audit api version number */
        __u32           backlog_wait_time;/* message queue wait timeout */
};
 
struct audit_features {
#define AUDIT_FEATURE_VERSION   1
        __u32   vers;
        __u32   mask;           /* which bits we are dealing with */
        __u32   features;       /* which feature to enable/disable */
        __u32   lock;           /* which features to lock */
};
 
#define AUDIT_FEATURE_ONLY_UNSET_LOGINUID       0
#define AUDIT_FEATURE_LOGINUID_IMMUTABLE        1
#define AUDIT_LAST_FEATURE                      AUDIT_FEATURE_LOGINUID_IMMUTABLE
 
#define audit_feature_valid(x)          ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE)
#define AUDIT_FEATURE_TO_MASK(x)        (1 << ((x) & 31)) /* mask for __u32 */
 
struct audit_tty_status {
        __u32           enabled;        /* 1 = enabled, 0 = disabled */
        __u32           log_passwd;     /* 1 = enabled, 0 = disabled */
};
 
#define AUDIT_UID_UNSET (unsigned int)-1
 
/* audit_rule_data supports filter rules with both integer and string
 * fields.  It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
 * AUDIT_LIST_RULES requests.
 */
struct audit_rule_data {
        __u32           flags;  /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
        __u32           action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
        __u32           field_count;
        __u32           mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
        __u32           fields[AUDIT_MAX_FIELDS];
        __u32           values[AUDIT_MAX_FIELDS];
        __u32           fieldflags[AUDIT_MAX_FIELDS];
        __u32           buflen; /* total length of string fields */
        char            buf[0];  /* string fields buffer */
};
 
/* audit_rule is supported to maintain backward compatibility with
 * userspace.  It supports integer fields only and corresponds to
 * AUDIT_ADD, AUDIT_DEL and AUDIT_LIST requests.
 */
struct audit_rule {             /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
        __u32           flags;  /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
        __u32           action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
        __u32           field_count;
        __u32           mask[AUDIT_BITMASK_SIZE];
        __u32           fields[AUDIT_MAX_FIELDS];
        __u32           values[AUDIT_MAX_FIELDS];
};
 
#endif /* _LINUX_AUDIT_H_ */

Browse

Tools

Subversion Repositories hf-risc

[/] [hf-risc/] [trunk/] [tools/] [riscv-gnu-toolchain-master/] [linux-headers/] [include/] [linux/] [audit.h] - Blame information for rev 13

Line No.	Rev	Author	Line
1	13	serginhofr	`/* audit.h -- Auditing support`
2			`*`
3			`* Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.`
4			`* All Rights Reserved.`
5			`*`
6			`* This program is free software; you can redistribute it and/or modify`
7			`* it under the terms of the GNU General Public License as published by`
8			`* the Free Software Foundation; either version 2 of the License, or`
9			`* (at your option) any later version.`
10			`*`
11			`* This program is distributed in the hope that it will be useful,`
12			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
13			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
14			`* GNU General Public License for more details.`
15			`*`
16			`* You should have received a copy of the GNU General Public License`
17			`* along with this program; if not, write to the Free Software`
18			`* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA`
19			`*`
20			`* Written by Rickard E. (Rik) Faith <faith@redhat.com>`
21			`*`
22			`*/`
23
24			`#ifndef _LINUX_AUDIT_H_`
25			`#define _LINUX_AUDIT_H_`
26
27			`#include <linux/types.h>`
28			`#include <linux/elf-em.h>`
29
30			`/* The netlink messages for the audit system is divided into blocks:`
31			`* 1000 - 1099 are for commanding the audit system`
32			`* 1100 - 1199 user space trusted application messages`
33			`* 1200 - 1299 messages internal to the audit daemon`
34			`* 1300 - 1399 audit event messages`
35			`* 1400 - 1499 SE Linux use`
36			`* 1500 - 1599 kernel LSPP events`
37			`* 1600 - 1699 kernel crypto events`
38			`* 1700 - 1799 kernel anomaly records`
39			`* 1800 - 1899 kernel integrity events`
40			`* 1900 - 1999 future kernel use`
41			`* 2000 is for otherwise unclassified kernel audit messages (legacy)`
42			`* 2001 - 2099 unused (kernel)`
43			`* 2100 - 2199 user space anomaly records`
44			`* 2200 - 2299 user space actions taken in response to anomalies`
45			`* 2300 - 2399 user space generated LSPP events`
46			`* 2400 - 2499 user space crypto events`
47			`* 2500 - 2999 future user space (maybe integrity labels and related events)`
48			`*`
49			`* Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are`
50			`* exclusively user space. 1300-2099 is kernel --> user space`
51			`* communication.`
52			`*/`
53			`#define AUDIT_GET 1000 /* Get status */`
54			`#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */`
55			`#define AUDIT_LIST 1002 /* List syscall rules -- deprecated */`
56			`#define AUDIT_ADD 1003 /* Add syscall rule -- deprecated */`
57			`#define AUDIT_DEL 1004 /* Delete syscall rule -- deprecated */`
58			`#define AUDIT_USER 1005 /* Message from userspace -- deprecated */`
59			`#define AUDIT_LOGIN 1006 /* Define the login id and information */`
60			`#define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */`
61			`#define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */`
62			`#define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */`
63			`#define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */`
64			`#define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */`
65			`#define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */`
66			`#define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */`
67			`#define AUDIT_TRIM 1014 /* Trim junk from watched tree */`
68			`#define AUDIT_MAKE_EQUIV 1015 /* Append to watched tree */`
69			`#define AUDIT_TTY_GET 1016 /* Get TTY auditing status */`
70			`#define AUDIT_TTY_SET 1017 /* Set TTY auditing status */`
71			`#define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */`
72			`#define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */`
73			`#define AUDIT_FEATURE_CHANGE 1020 /* audit log listing feature changes */`
74
75			`#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */`
76			`#define AUDIT_USER_AVC 1107 /* We filter this differently */`
77			`#define AUDIT_USER_TTY 1124 /* Non-ICANON TTY input meaning */`
78			`#define AUDIT_LAST_USER_MSG 1199`
79			`#define AUDIT_FIRST_USER_MSG2 2100 /* More user space messages */`
80			`#define AUDIT_LAST_USER_MSG2 2999`
81
82			`#define AUDIT_DAEMON_START 1200 /* Daemon startup record */`
83			`#define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */`
84			`#define AUDIT_DAEMON_ABORT 1202 /* Daemon error stop record */`
85			`#define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */`
86
87			`#define AUDIT_SYSCALL 1300 /* Syscall event */`
88			`/* #define AUDIT_FS_WATCH 1301 * Deprecated */`
89			`#define AUDIT_PATH 1302 /* Filename path information */`
90			`#define AUDIT_IPC 1303 /* IPC record */`
91			`#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */`
92			`#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */`
93			`#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */`
94			`#define AUDIT_CWD 1307 /* Current working directory */`
95			`#define AUDIT_EXECVE 1309 /* execve arguments */`
96			`#define AUDIT_IPC_SET_PERM 1311 /* IPC new permissions record type */`
97			`#define AUDIT_MQ_OPEN 1312 /* POSIX MQ open record type */`
98			`#define AUDIT_MQ_SENDRECV 1313 /* POSIX MQ send/receive record type */`
99			`#define AUDIT_MQ_NOTIFY 1314 /* POSIX MQ notify record type */`
100			`#define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */`
101			`#define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */`
102			`#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */`
103			`#define AUDIT_OBJ_PID 1318 /* ptrace target */`
104			`#define AUDIT_TTY 1319 /* Input on an administrative TTY */`
105			`#define AUDIT_EOE 1320 /* End of multi-record event */`
106			`#define AUDIT_BPRM_FCAPS 1321 /* Information about fcaps increasing perms */`
107			`#define AUDIT_CAPSET 1322 /* Record showing argument to sys_capset */`
108			`#define AUDIT_MMAP 1323 /* Record showing descriptor and flags in mmap */`
109			`#define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */`
110			`#define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */`
111			`#define AUDIT_SECCOMP 1326 /* Secure Computing event */`
112
113			`#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */`
114			`#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */`
115			`#define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */`
116			`#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */`
117			`#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */`
118			`#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */`
119			`#define AUDIT_MAC_UNLBL_ALLOW 1406 /* NetLabel: allow unlabeled traffic */`
120			`#define AUDIT_MAC_CIPSOV4_ADD 1407 /* NetLabel: add CIPSOv4 DOI entry */`
121			`#define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */`
122			`#define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */`
123			`#define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */`
124			`#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Not used */`
125			`#define AUDIT_MAC_IPSEC_DELSA 1412 /* Not used */`
126			`#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Not used */`
127			`#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Not used */`
128			`#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */`
129			`#define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */`
130			`#define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */`
131
132			`#define AUDIT_FIRST_KERN_ANOM_MSG 1700`
133			`#define AUDIT_LAST_KERN_ANOM_MSG 1799`
134			`#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */`
135			`#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */`
136			`#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */`
137			`#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */`
138			`#define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */`
139			`#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */`
140			`#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */`
141			`#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */`
142			`#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */`
143
144			`#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */`
145
146			`/* Rule flags */`
147			`#define AUDIT_FILTER_USER 0x00 /* Apply rule to user-generated messages */`
148			`#define AUDIT_FILTER_TASK 0x01 /* Apply rule at task creation (not syscall) */`
149			`#define AUDIT_FILTER_ENTRY 0x02 /* Apply rule at syscall entry */`
150			`#define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */`
151			`#define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */`
152			`#define AUDIT_FILTER_TYPE 0x05 /* Apply rule at audit_log_start */`
153
154			`#define AUDIT_NR_FILTERS 6`
155
156			`#define AUDIT_FILTER_PREPEND 0x10 /* Prepend to front of list */`
157
158			`/* Rule actions */`
159			`#define AUDIT_NEVER 0 /* Do not build context if rule matches */`
160			`#define AUDIT_POSSIBLE 1 /* Build context if rule matches */`
161			`#define AUDIT_ALWAYS 2 /* Generate audit record if rule matches */`
162
163			`/* Rule structure sizes -- if these change, different AUDIT_ADD and`
164			`* AUDIT_LIST commands must be implemented. */`
165			`#define AUDIT_MAX_FIELDS 64`
166			`#define AUDIT_MAX_KEY_LEN 256`
167			`#define AUDIT_BITMASK_SIZE 64`
168			`#define AUDIT_WORD(nr) ((__u32)((nr)/32))`
169			`#define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32))`
170
171			`#define AUDIT_SYSCALL_CLASSES 16`
172			`#define AUDIT_CLASS_DIR_WRITE 0`
173			`#define AUDIT_CLASS_DIR_WRITE_32 1`
174			`#define AUDIT_CLASS_CHATTR 2`
175			`#define AUDIT_CLASS_CHATTR_32 3`
176			`#define AUDIT_CLASS_READ 4`
177			`#define AUDIT_CLASS_READ_32 5`
178			`#define AUDIT_CLASS_WRITE 6`
179			`#define AUDIT_CLASS_WRITE_32 7`
180			`#define AUDIT_CLASS_SIGNAL 8`
181			`#define AUDIT_CLASS_SIGNAL_32 9`
182
183			`/* This bitmask is used to validate user input. It represents all bits that`
184			`* are currently used in an audit field constant understood by the kernel.`
185			`* If you are adding a new #define AUDIT_<whatever>, please ensure that`
186			`* AUDIT_UNUSED_BITS is updated if need be. */`
187			`#define AUDIT_UNUSED_BITS 0x07FFFC00`
188
189			`/* AUDIT_FIELD_COMPARE rule list */`
190			`#define AUDIT_COMPARE_UID_TO_OBJ_UID 1`
191			`#define AUDIT_COMPARE_GID_TO_OBJ_GID 2`
192			`#define AUDIT_COMPARE_EUID_TO_OBJ_UID 3`
193			`#define AUDIT_COMPARE_EGID_TO_OBJ_GID 4`
194			`#define AUDIT_COMPARE_AUID_TO_OBJ_UID 5`
195			`#define AUDIT_COMPARE_SUID_TO_OBJ_UID 6`
196			`#define AUDIT_COMPARE_SGID_TO_OBJ_GID 7`
197			`#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8`
198			`#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9`
199
200			`#define AUDIT_COMPARE_UID_TO_AUID 10`
201			`#define AUDIT_COMPARE_UID_TO_EUID 11`
202			`#define AUDIT_COMPARE_UID_TO_FSUID 12`
203			`#define AUDIT_COMPARE_UID_TO_SUID 13`
204
205			`#define AUDIT_COMPARE_AUID_TO_FSUID 14`
206			`#define AUDIT_COMPARE_AUID_TO_SUID 15`
207			`#define AUDIT_COMPARE_AUID_TO_EUID 16`
208
209			`#define AUDIT_COMPARE_EUID_TO_SUID 17`
210			`#define AUDIT_COMPARE_EUID_TO_FSUID 18`
211
212			`#define AUDIT_COMPARE_SUID_TO_FSUID 19`
213
214			`#define AUDIT_COMPARE_GID_TO_EGID 20`
215			`#define AUDIT_COMPARE_GID_TO_FSGID 21`
216			`#define AUDIT_COMPARE_GID_TO_SGID 22`
217
218			`#define AUDIT_COMPARE_EGID_TO_FSGID 23`
219			`#define AUDIT_COMPARE_EGID_TO_SGID 24`
220			`#define AUDIT_COMPARE_SGID_TO_FSGID 25`
221
222			`#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_SGID_TO_FSGID`
223
224			`/* Rule fields */`
225			`/* These are useful when checking the`
226			`* task structure at task creation time`
227			`* (AUDIT_PER_TASK). */`
228			`#define AUDIT_PID 0`
229			`#define AUDIT_UID 1`
230			`#define AUDIT_EUID 2`
231			`#define AUDIT_SUID 3`
232			`#define AUDIT_FSUID 4`
233			`#define AUDIT_GID 5`
234			`#define AUDIT_EGID 6`
235			`#define AUDIT_SGID 7`
236			`#define AUDIT_FSGID 8`
237			`#define AUDIT_LOGINUID 9`
238			`#define AUDIT_PERS 10`
239			`#define AUDIT_ARCH 11`
240			`#define AUDIT_MSGTYPE 12`
241			`#define AUDIT_SUBJ_USER 13 /* security label user */`
242			`#define AUDIT_SUBJ_ROLE 14 /* security label role */`
243			`#define AUDIT_SUBJ_TYPE 15 /* security label type */`
244			`#define AUDIT_SUBJ_SEN 16 /* security label sensitivity label */`
245			`#define AUDIT_SUBJ_CLR 17 /* security label clearance label */`
246			`#define AUDIT_PPID 18`
247			`#define AUDIT_OBJ_USER 19`
248			`#define AUDIT_OBJ_ROLE 20`
249			`#define AUDIT_OBJ_TYPE 21`
250			`#define AUDIT_OBJ_LEV_LOW 22`
251			`#define AUDIT_OBJ_LEV_HIGH 23`
252			`#define AUDIT_LOGINUID_SET 24`
253
254			`/* These are ONLY useful when checking`
255			`* at syscall exit time (AUDIT_AT_EXIT). */`
256			`#define AUDIT_DEVMAJOR 100`
257			`#define AUDIT_DEVMINOR 101`
258			`#define AUDIT_INODE 102`
259			`#define AUDIT_EXIT 103`
260			`#define AUDIT_SUCCESS 104 /* exit >= 0; value ignored */`
261			`#define AUDIT_WATCH 105`
262			`#define AUDIT_PERM 106`
263			`#define AUDIT_DIR 107`
264			`#define AUDIT_FILETYPE 108`
265			`#define AUDIT_OBJ_UID 109`
266			`#define AUDIT_OBJ_GID 110`
267			`#define AUDIT_FIELD_COMPARE 111`
268
269			`#define AUDIT_ARG0 200`
270			`#define AUDIT_ARG1 (AUDIT_ARG0+1)`
271			`#define AUDIT_ARG2 (AUDIT_ARG0+2)`
272			`#define AUDIT_ARG3 (AUDIT_ARG0+3)`
273
274			`#define AUDIT_FILTERKEY 210`
275
276			`#define AUDIT_NEGATE 0x80000000`
277
278			`/* These are the supported operators.`
279			`* 4 2 1 8`
280			`* = > < ?`
281			`* ----------`
282			`* 0 0 0 0 00 nonsense`
283			`* 0 0 0 1 08 & bit mask`
284			`* 0 0 1 0 10 <`
285			`* 0 1 0 0 20 >`
286			`* 0 1 1 0 30 !=`
287			`* 1 0 0 0 40 =`
288			`* 1 0 0 1 48 &= bit test`
289			`* 1 0 1 0 50 <=`
290			`* 1 1 0 0 60 >=`
291			`* 1 1 1 1 78 all operators`
292			`*/`
293			`#define AUDIT_BIT_MASK 0x08000000`
294			`#define AUDIT_LESS_THAN 0x10000000`
295			`#define AUDIT_GREATER_THAN 0x20000000`
296			`#define AUDIT_NOT_EQUAL 0x30000000`
297			`#define AUDIT_EQUAL 0x40000000`
298			`#define AUDIT_BIT_TEST (AUDIT_BIT_MASK\|AUDIT_EQUAL)`
299			`#define AUDIT_LESS_THAN_OR_EQUAL (AUDIT_LESS_THAN\|AUDIT_EQUAL)`
300			`#define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN\|AUDIT_EQUAL)`
301			`#define AUDIT_OPERATORS (AUDIT_EQUAL\|AUDIT_NOT_EQUAL\|AUDIT_BIT_MASK)`
302
303			`enum {`
304			`Audit_equal,`
305			`Audit_not_equal,`
306			`Audit_bitmask,`
307			`Audit_bittest,`
308			`Audit_lt,`
309			`Audit_gt,`
310			`Audit_le,`
311			`Audit_ge,`
312			`Audit_bad`
313			`};`
314
315			`/* Status symbols */`
316			`/* Mask values */`
317			`#define AUDIT_STATUS_ENABLED 0x0001`
318			`#define AUDIT_STATUS_FAILURE 0x0002`
319			`#define AUDIT_STATUS_PID 0x0004`
320			`#define AUDIT_STATUS_RATE_LIMIT 0x0008`
321			`#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010`
322			`#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020`
323
324			`#define AUDIT_VERSION_BACKLOG_LIMIT 1`
325			`#define AUDIT_VERSION_BACKLOG_WAIT_TIME 2`
326			`#define AUDIT_VERSION_LATEST AUDIT_VERSION_BACKLOG_WAIT_TIME`
327
328			`/* Failure-to-log actions */`
329			`#define AUDIT_FAIL_SILENT 0`
330			`#define AUDIT_FAIL_PRINTK 1`
331			`#define AUDIT_FAIL_PANIC 2`
332
333			`/* distinguish syscall tables */`
334			`#define __AUDIT_ARCH_64BIT 0x80000000`
335			`#define __AUDIT_ARCH_LE 0x40000000`
336			`#define AUDIT_ARCH_ALPHA (EM_ALPHA\|__AUDIT_ARCH_64BIT\|__AUDIT_ARCH_LE)`
337			`#define AUDIT_ARCH_ARM (EM_ARM\|__AUDIT_ARCH_LE)`
338			`#define AUDIT_ARCH_ARMEB (EM_ARM)`
339			`#define AUDIT_ARCH_CRIS (EM_CRIS\|__AUDIT_ARCH_LE)`
340			`#define AUDIT_ARCH_FRV (EM_FRV)`
341			`#define AUDIT_ARCH_I386 (EM_386\|__AUDIT_ARCH_LE)`
342			`#define AUDIT_ARCH_IA64 (EM_IA_64\|__AUDIT_ARCH_64BIT\|__AUDIT_ARCH_LE)`
343			`#define AUDIT_ARCH_M32R (EM_M32R)`
344			`#define AUDIT_ARCH_M68K (EM_68K)`
345			`#define AUDIT_ARCH_MIPS (EM_MIPS)`
346			`#define AUDIT_ARCH_MIPSEL (EM_MIPS\|__AUDIT_ARCH_LE)`
347			`#define AUDIT_ARCH_MIPS64 (EM_MIPS\|__AUDIT_ARCH_64BIT)`
348			`#define AUDIT_ARCH_MIPSEL64 (EM_MIPS\|__AUDIT_ARCH_64BIT\|__AUDIT_ARCH_LE)`
349			`#define AUDIT_ARCH_OPENRISC (EM_OPENRISC)`
350			`#define AUDIT_ARCH_PARISC (EM_PARISC)`
351			`#define AUDIT_ARCH_PARISC64 (EM_PARISC\|__AUDIT_ARCH_64BIT)`
352			`#define AUDIT_ARCH_PPC (EM_PPC)`
353			`#define AUDIT_ARCH_PPC64 (EM_PPC64\|__AUDIT_ARCH_64BIT)`
354			`#define AUDIT_ARCH_S390 (EM_S390)`
355			`#define AUDIT_ARCH_S390X (EM_S390\|__AUDIT_ARCH_64BIT)`
356			`#define AUDIT_ARCH_SH (EM_SH)`
357			`#define AUDIT_ARCH_SHEL (EM_SH\|__AUDIT_ARCH_LE)`
358			`#define AUDIT_ARCH_SH64 (EM_SH\|__AUDIT_ARCH_64BIT)`
359			`#define AUDIT_ARCH_SHEL64 (EM_SH\|__AUDIT_ARCH_64BIT\|__AUDIT_ARCH_LE)`
360			`#define AUDIT_ARCH_SPARC (EM_SPARC)`
361			`#define AUDIT_ARCH_SPARC64 (EM_SPARCV9\|__AUDIT_ARCH_64BIT)`
362			`#define AUDIT_ARCH_X86_64 (EM_X86_64\|__AUDIT_ARCH_64BIT\|__AUDIT_ARCH_LE)`
363
364			`#define AUDIT_PERM_EXEC 1`
365			`#define AUDIT_PERM_WRITE 2`
366			`#define AUDIT_PERM_READ 4`
367			`#define AUDIT_PERM_ATTR 8`
368
369			`/* MAX_AUDIT_MESSAGE_LENGTH is set in audit:lib/libaudit.h as:`
370			`* 8970 // PATH_MAX2+CONTEXT_SIZE2+11+256+1`
371			`* max header+body+tailer: 44 + 29 + 32 + 262 + 7 + pad`
372			`*/`
373			`#define AUDIT_MESSAGE_TEXT_MAX 8560`
374
375			`struct audit_status {`
376			`__u32 mask; /* Bit mask for valid entries */`
377			`__u32 enabled; /* 1 = enabled, 0 = disabled */`
378			`__u32 failure; /* Failure-to-log action */`
379			`__u32 pid; /* pid of auditd process */`
380			`__u32 rate_limit; /* messages rate limit (per second) */`
381			`__u32 backlog_limit; /* waiting messages limit */`
382			`__u32 lost; /* messages lost */`
383			`__u32 backlog; /* messages waiting in queue */`
384			`__u32 version; /* audit api version number */`
385			`__u32 backlog_wait_time;/* message queue wait timeout */`
386			`};`
387
388			`struct audit_features {`
389			`#define AUDIT_FEATURE_VERSION 1`
390			`__u32 vers;`
391			`__u32 mask; /* which bits we are dealing with */`
392			`__u32 features; /* which feature to enable/disable */`
393			`__u32 lock; /* which features to lock */`
394			`};`
395
396			`#define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0`
397			`#define AUDIT_FEATURE_LOGINUID_IMMUTABLE 1`
398			`#define AUDIT_LAST_FEATURE AUDIT_FEATURE_LOGINUID_IMMUTABLE`
399
400			`#define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE)`
401			`#define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */`
402
403			`struct audit_tty_status {`
404			`__u32 enabled; /* 1 = enabled, 0 = disabled */`
405			`__u32 log_passwd; /* 1 = enabled, 0 = disabled */`
406			`};`
407
408			`#define AUDIT_UID_UNSET (unsigned int)-1`
409
410			`/* audit_rule_data supports filter rules with both integer and string`
411			`* fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and`
412			`* AUDIT_LIST_RULES requests.`
413			`*/`
414			`struct audit_rule_data {`
415			`__u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */`
416			`__u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */`
417			`__u32 field_count;`
418			`__u32 mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */`
419			`__u32 fields[AUDIT_MAX_FIELDS];`
420			`__u32 values[AUDIT_MAX_FIELDS];`
421			`__u32 fieldflags[AUDIT_MAX_FIELDS];`
422			`__u32 buflen; /* total length of string fields */`
423			`char buf[0]; /* string fields buffer */`
424			`};`
425
426			`/* audit_rule is supported to maintain backward compatibility with`
427			`* userspace. It supports integer fields only and corresponds to`
428			`* AUDIT_ADD, AUDIT_DEL and AUDIT_LIST requests.`
429			`*/`
430			`struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */`
431			`__u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */`
432			`__u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */`
433			`__u32 field_count;`
434			`__u32 mask[AUDIT_BITMASK_SIZE];`
435			`__u32 fields[AUDIT_MAX_FIELDS];`
436			`__u32 values[AUDIT_MAX_FIELDS];`
437			`};`
438
439			`#endif /* _LINUX_AUDIT_H_ */`