include/uapi/linux/audit.h

Source file repositories/reference/linux-study-clean/include/uapi/linux/audit.h

File Facts

System
Linux kernel
Corpus path
include/uapi/linux/audit.h
Extension
.h
Size
22117 bytes
Lines
531
Domain
Core OS
Bucket
Core Kernel Interface
Inferred role
Core OS: implementation source
Status
source implementation candidate

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Dependency Surface

Detected Declarations

Annotated Snippet

struct audit_status {
	__u32		mask;		/* Bit mask for valid entries */
	__u32		enabled;	/* 1 = enabled, 0 = disabled */
	__u32		failure;	/* Failure-to-log action */
	__u32		pid;		/* pid of auditd process */
	__u32		rate_limit;	/* messages rate limit (per second) */
	__u32		backlog_limit;	/* waiting messages limit */
	__u32		lost;		/* messages lost */
	__u32		backlog;	/* messages waiting in queue */
	union {
		__u32	version;	/* deprecated: audit api version num */
		__u32	feature_bitmap;	/* bitmap of kernel audit features */
	};
	__u32		backlog_wait_time;/* message queue wait timeout */
	__u32           backlog_wait_time_actual;/* time spent waiting while
						  * message limit exceeded
						  */
};

struct audit_features {
#define AUDIT_FEATURE_VERSION	1
	__u32	vers;
	__u32	mask;		/* which bits we are dealing with */
	__u32	features;	/* which feature to enable/disable */
	__u32	lock;		/* which features to lock */
};

#define AUDIT_FEATURE_ONLY_UNSET_LOGINUID	0
#define AUDIT_FEATURE_LOGINUID_IMMUTABLE	1
#define AUDIT_LAST_FEATURE			AUDIT_FEATURE_LOGINUID_IMMUTABLE

#define audit_feature_valid(x)		((x) >= 0 && (x) <= AUDIT_LAST_FEATURE)
#define AUDIT_FEATURE_TO_MASK(x)	(1 << ((x) & 31)) /* mask for __u32 */

struct audit_tty_status {
	__u32		enabled;	/* 1 = enabled, 0 = disabled */
	__u32		log_passwd;	/* 1 = enabled, 0 = disabled */
};

#define AUDIT_UID_UNSET ((unsigned int)-1)
#define AUDIT_SID_UNSET ((unsigned int)-1)

/* audit_rule_data supports filter rules with both integer and string
 * fields.  It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
 * AUDIT_LIST_RULES requests.
 */
struct audit_rule_data {
	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
	__u32		action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
	__u32		field_count;
	__u32		mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
	__u32		fields[AUDIT_MAX_FIELDS];
	__u32		values[AUDIT_MAX_FIELDS];
	__u32		fieldflags[AUDIT_MAX_FIELDS];
	__u32		buflen;	/* total length of string fields */
	char		buf[];	/* string fields buffer */
};

#endif /* _UAPI_LINUX_AUDIT_H_ */

Annotation

Implementation Notes