/* libaudit.h --
 * Copyright 2004-2018,2021-23 Red Hat Inc.
 * All Rights Reserved.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 * Authors:
 *	Steve Grubb <sgrubb@redhat.com>
 *	Rickard E. (Rik) Faith <faith@redhat.com>
 */
#ifndef _LIBAUDIT_H_
#define _LIBAUDIT_H_

#include <asm/types.h>
#include <stdint.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>
#include <stdarg.h>
#include <syslog.h>
#ifndef __attr_access
#  define __attr_access(x)
#endif
#ifndef __attr_dealloc
# define __attr_dealloc(dealloc, argno)
# define __attr_dealloc_free
#endif

#ifdef __cplusplus
extern "C" {
#endif


/* Audit message types as of 2.6.29 kernel:
 * 1000 - 1099 are for commanding the audit system
 * 1100 - 1199 user space trusted application messages
 * 1200 - 1299 messages internal to the audit daemon
 * 1300 - 1399 audit event messages
 * 1400 - 1499 kernel SE Linux use
 * 1500 - 1599 AppArmor events
 * 1600 - 1699 kernel crypto events
 * 1700 - 1799 kernel anomaly records
 * 1800 - 1899 kernel integrity labels and related events
 * 1800 - 1999 future kernel use
 * 2001 - 2099 unused (kernel)
 * 2100 - 2199 user space anomaly records
 * 2200 - 2299 user space actions taken in response to anomalies
 * 2300 - 2399 user space generated LSPP events
 * 2400 - 2499 user space crypto events
 * 2500 - 2599 user space virtualization management events
 * 2600 - 2999 future user space (maybe integrity labels and related events)
 */

#define AUDIT_FIRST_USER_MSG    1100    /* First user space message */
#define AUDIT_LAST_USER_MSG     1199    /* Last user space message */
#define AUDIT_USER_AUTH         1100    /* User system access authentication */
#define AUDIT_USER_ACCT         1101    /* User system access authorization */
#define AUDIT_USER_MGMT         1102    /* User acct attribute change */
#define AUDIT_CRED_ACQ          1103    /* User credential acquired */
#define AUDIT_CRED_DISP         1104    /* User credential disposed */
#define AUDIT_USER_START        1105    /* User session start */
#define AUDIT_USER_END          1106    /* User session end */
#define AUDIT_USER_AVC          1107    /* User space avc message */
#define AUDIT_USER_CHAUTHTOK	1108	/* User acct password or pin changed */
#define AUDIT_USER_ERR		1109	/* User acct state error */
#define AUDIT_CRED_REFR         1110    /* User credential refreshed */
#define AUDIT_USYS_CONFIG       1111    /* User space system config change */
#define AUDIT_USER_LOGIN	1112    /* User has logged in */
#define AUDIT_USER_LOGOUT	1113    /* User has logged out */
#define AUDIT_ADD_USER		1114    /* User account added */
#define AUDIT_DEL_USER		1115    /* User account deleted */
#define AUDIT_ADD_GROUP		1116    /* Group account added */
#define AUDIT_DEL_GROUP		1117    /* Group account deleted */
#define AUDIT_DAC_CHECK		1118    /* User space DAC check results */
#define AUDIT_CHGRP_ID		1119    /* User space group ID changed */
#define AUDIT_TEST		1120	/* Used for test success messages */
#define AUDIT_TRUSTED_APP	1121	/* Trusted app msg - freestyle text */
#define AUDIT_USER_SELINUX_ERR	1122	/* SE Linux user space error */
#define AUDIT_USER_CMD		1123	/* User shell command and args */
#define AUDIT_USER_TTY		1124	/* Non-ICANON TTY input meaning */
#define AUDIT_CHUSER_ID		1125	/* Changed user ID supplemental data */
#define AUDIT_GRP_AUTH		1126	/* Authentication for group password */
#define AUDIT_SYSTEM_BOOT	1127	/* System boot */
#define AUDIT_SYSTEM_SHUTDOWN	1128	/* System shutdown */
#define AUDIT_SYSTEM_RUNLEVEL	1129	/* System runlevel change */
#define AUDIT_SERVICE_START	1130	/* Service (daemon) start */
#define AUDIT_SERVICE_STOP	1131	/* Service (daemon) stop */
#define AUDIT_GRP_MGMT		1132	/* Group account attr was modified */
#define AUDIT_GRP_CHAUTHTOK	1133	/* Group acct password or pin changed */
#define AUDIT_MAC_CHECK		1134    /* User space MAC decision results */
#define AUDIT_ACCT_LOCK		1135    /* User's account locked by admin */
#define AUDIT_ACCT_UNLOCK	1136    /* User's account unlocked by admin */
#define AUDIT_USER_DEVICE	1137	/* User space hotplug device changes */
#define AUDIT_SOFTWARE_UPDATE	1138	/* Software update event */

#define AUDIT_FIRST_DAEMON	1200
#define AUDIT_LAST_DAEMON	1299
#define AUDIT_DAEMON_RECONFIG	1204	/* Auditd should reconfigure */
#define AUDIT_DAEMON_ROTATE	1205	/* Auditd should rotate logs */
#define AUDIT_DAEMON_RESUME	1206	/* Auditd should resume logging */
#define AUDIT_DAEMON_ACCEPT	1207    /* Auditd accepted remote connection */
#define AUDIT_DAEMON_CLOSE	1208    /* Auditd closed remote connection */
#define AUDIT_DAEMON_ERR	1209    /* Auditd internal error */

#define AUDIT_FIRST_EVENT	1300
#define AUDIT_LAST_EVENT	1399

#define AUDIT_FIRST_SELINUX	1400
#define AUDIT_LAST_SELINUX	1499

#define AUDIT_FIRST_APPARMOR		1500
#define AUDIT_LAST_APPARMOR		1599
#ifndef AUDIT_AA
#define AUDIT_AA			1500	/* Not upstream yet */
#define AUDIT_APPARMOR_AUDIT		1501
#define AUDIT_APPARMOR_ALLOWED		1502
#define AUDIT_APPARMOR_DENIED		1503
#define AUDIT_APPARMOR_HINT		1504
#define AUDIT_APPARMOR_STATUS		1505
#define AUDIT_APPARMOR_ERROR		1506
#define AUDIT_APPARMOR_KILL		1507
#endif

#define AUDIT_FIRST_KERN_CRYPTO_MSG	1600
#define AUDIT_LAST_KERN_CRYPTO_MSG	1699

#define AUDIT_FIRST_KERN_ANOM_MSG	1700
#define AUDIT_LAST_KERN_ANOM_MSG	1799

#define AUDIT_INTEGRITY_FIRST_MSG	1800
#define AUDIT_INTEGRITY_LAST_MSG	1899
#ifndef AUDIT_INTEGRITY_DATA
#define AUDIT_INTEGRITY_DATA		1800 /* Data integrity verification */
#define AUDIT_INTEGRITY_METADATA	1801 // Metadata integrity verification
#define AUDIT_INTEGRITY_STATUS		1802 /* Integrity enable status */
#define AUDIT_INTEGRITY_HASH		1803 /* Integrity HASH type */
#define AUDIT_INTEGRITY_PCR		1804 /* PCR invalidation msgs */
#define AUDIT_INTEGRITY_RULE		1805 /* Policy rule */
#endif
#ifndef AUDIT_INTEGRITY_EVM_XATTR
#define AUDIT_INTEGRITY_EVM_XATTR	1806 /* New EVM-covered xattr */
#endif
#ifndef AUDIT_INTEGRITY_POLICY_RULE
#define AUDIT_INTEGRITY_POLICY_RULE	1807 /* Integrity Policy rule */
#endif

#define AUDIT_FIRST_ANOM_MSG		2100
#define AUDIT_LAST_ANOM_MSG		2199
#define AUDIT_ANOM_LOGIN_FAILURES	2100 // Failed login limit reached
#define AUDIT_ANOM_LOGIN_TIME		2101 // Login attempted at bad time
#define AUDIT_ANOM_LOGIN_SESSIONS	2102 // Max concurrent sessions reached
#define AUDIT_ANOM_LOGIN_ACCT		2103 // Login attempted to watched acct
#define AUDIT_ANOM_LOGIN_LOCATION	2104 // Login from forbidden location
#define AUDIT_ANOM_MAX_DAC		2105 // Max DAC failures reached
#define AUDIT_ANOM_MAX_MAC		2106 // Max MAC failures reached
#define AUDIT_ANOM_AMTU_FAIL		2107 // AMTU failure
#define AUDIT_ANOM_RBAC_FAIL		2108 // RBAC self test failure
#define AUDIT_ANOM_RBAC_INTEGRITY_FAIL	2109 // RBAC file integrity failure
#define AUDIT_ANOM_CRYPTO_FAIL		2110 // Crypto system test failure
#define AUDIT_ANOM_ACCESS_FS		2111 // Access of file or dir
#define AUDIT_ANOM_EXEC			2112 // Execution of file
#define AUDIT_ANOM_MK_EXEC		2113 // Make an executable
#define AUDIT_ANOM_ADD_ACCT		2114 // Adding an acct
#define AUDIT_ANOM_DEL_ACCT		2115 // Deleting an acct
#define AUDIT_ANOM_MOD_ACCT		2116 // Changing an acct
#define AUDIT_ANOM_ROOT_TRANS		2117 // User became root
#define AUDIT_ANOM_LOGIN_SERVICE	2118 // Service acct attempted login
#define AUDIT_ANOM_LOGIN_ROOT		2119 // Root login attempted
#define AUDIT_ANOM_ORIGIN_FAILURES	2120 // Origin has too many failed login
#define AUDIT_ANOM_SESSION		2121 // The user session is bad

#define AUDIT_FIRST_ANOM_RESP		2200
#define AUDIT_LAST_ANOM_RESP		2299
#define AUDIT_RESP_ANOMALY		2200 /* Anomaly not reacted to */
#define AUDIT_RESP_ALERT		2201 /* Alert email was sent */
#define AUDIT_RESP_KILL_PROC		2202 /* Kill program */
#define AUDIT_RESP_TERM_ACCESS		2203 /* Terminate session */
#define AUDIT_RESP_ACCT_REMOTE		2204 /* Acct locked from remote access*/
#define AUDIT_RESP_ACCT_LOCK_TIMED	2205 /* User acct locked for time */
#define AUDIT_RESP_ACCT_UNLOCK_TIMED	2206 /* User acct unlocked from time */
#define AUDIT_RESP_ACCT_LOCK		2207 /* User acct was locked */
#define AUDIT_RESP_TERM_LOCK		2208 /* Terminal was locked */
#define AUDIT_RESP_SEBOOL		2209 /* Set an SE Linux boolean */
#define AUDIT_RESP_EXEC			2210 /* Execute a script */
#define AUDIT_RESP_SINGLE		2211 /* Go to single user mode */
#define AUDIT_RESP_HALT			2212 /* take the system down */
#define AUDIT_RESP_ORIGIN_BLOCK		2213 /* Address blocked by iptables */
#define AUDIT_RESP_ORIGIN_BLOCK_TIMED	2214 /* Address blocked for time */
#define AUDIT_RESP_ORIGIN_UNBLOCK_TIMED	2215 /* Address unblocked from timed */

#define AUDIT_FIRST_USER_LSPP_MSG	2300
#define AUDIT_LAST_USER_LSPP_MSG	2399
#define AUDIT_USER_ROLE_CHANGE		2300 /* User changed to a new role */
#define AUDIT_ROLE_ASSIGN		2301 /* Admin assigned user to role */
#define AUDIT_ROLE_REMOVE		2302 /* Admin removed user from role */
#define AUDIT_LABEL_OVERRIDE		2303 /* Admin is overriding a label */
#define AUDIT_LABEL_LEVEL_CHANGE	2304 /* Object's level was changed */
#define AUDIT_USER_LABELED_EXPORT	2305 /* Object exported with label */
#define AUDIT_USER_UNLABELED_EXPORT	2306 /* Object exported without label */
#define AUDIT_DEV_ALLOC			2307 /* Device was allocated */
#define AUDIT_DEV_DEALLOC		2308 /* Device was deallocated */
#define AUDIT_FS_RELABEL		2309 /* Filesystem relabeled */
#define AUDIT_USER_MAC_POLICY_LOAD	2310 /* Userspc daemon loaded policy */
#define AUDIT_ROLE_MODIFY		2311 /* Admin modified a role */
#define AUDIT_USER_MAC_CONFIG_CHANGE	2312 /* Change made to MAC policy */
#define AUDIT_USER_MAC_STATUS		2313 /* Userspc daemon enforcing change */

#define AUDIT_FIRST_CRYPTO_MSG		2400
#define AUDIT_CRYPTO_TEST_USER		2400 /* Crypto test results */
#define AUDIT_CRYPTO_PARAM_CHANGE_USER	2401 /* Crypto attribute change */
#define AUDIT_CRYPTO_LOGIN		2402 /* Logged in as crypto officer */
#define AUDIT_CRYPTO_LOGOUT		2403 /* Logged out from crypto */
#define AUDIT_CRYPTO_KEY_USER		2404 /* Create,delete,negotiate */
#define AUDIT_CRYPTO_FAILURE_USER	2405 /* Fail decrypt,encrypt,randomiz */
#define AUDIT_CRYPTO_REPLAY_USER	2406 /* Crypto replay detected */
#define AUDIT_CRYPTO_SESSION		2407 /* Record parameters set during
						TLS session establishment */
#define AUDIT_CRYPTO_IKE_SA		2408 /* Record parameters related to
						IKE SA */
#define AUDIT_CRYPTO_IPSEC_SA		2409 /* Record parameters related to
						IPSEC SA */

#define AUDIT_LAST_CRYPTO_MSG		2499

/* Events for both VMs and container orchestration software */
#define AUDIT_FIRST_VIRT_MSG		2500
#define AUDIT_VIRT_CONTROL		2500 /* Start,Pause,Stop VM/container */
#define AUDIT_VIRT_RESOURCE		2501 /* Resource assignment */
#define AUDIT_VIRT_MACHINE_ID		2502 /* Binding of label to VM/cont */
#define AUDIT_VIRT_INTEGRITY_CHECK	2503 /* Guest integrity results */
#define AUDIT_VIRT_CREATE		2504 /* Creation of guest image */
#define AUDIT_VIRT_DESTROY		2505 /* Destruction of guest image */
#define AUDIT_VIRT_MIGRATE_IN		2506 /* Inbound guest migration info */
#define AUDIT_VIRT_MIGRATE_OUT		2507 /* Outbound guest migration info */

#define AUDIT_LAST_VIRT_MSG		2599

#ifndef AUDIT_FIRST_USER_MSG2
#define AUDIT_FIRST_USER_MSG2  2100    /* More userspace messages */
#define AUDIT_LAST_USER_MSG2   2999
#endif

/* New kernel event definitions since 2.6.30 */
#ifndef AUDIT_SET_FEATURE
#define AUDIT_SET_FEATURE       1018    /* Turn an audit feature on or off */
#endif

#ifndef AUDIT_GET_FEATURE
#define AUDIT_GET_FEATURE       1019    /* Get which features are enabled */
#endif

#ifndef AUDIT_MMAP
#define AUDIT_MMAP		1323 /* Descriptor and flags in mmap */
#endif

#ifndef AUDIT_NETFILTER_PKT
#define AUDIT_NETFILTER_PKT	1324 /* Packets traversing netfilter chains */
#endif
#ifndef AUDIT_NETFILTER_CFG
#define AUDIT_NETFILTER_CFG	1325 /* Netfilter chain modifications */
#endif

#ifndef AUDIT_SECCOMP
#define AUDIT_SECCOMP		1326 /* Secure Computing event */
#endif

#ifndef AUDIT_PROCTITLE
#define AUDIT_PROCTITLE		1327 /* Process Title info */
#endif

#undef AUDIT_FEATURE_CHANGE
#ifndef AUDIT_FEATURE_CHANGE
#define AUDIT_FEATURE_CHANGE	1328 /* Audit feature changed value */
#endif

#ifndef AUDIT_REPLACE
#define AUDIT_REPLACE           1329 /* Auditd replaced because probe failed */
#endif

#ifndef AUDIT_KERN_MODULE
#define AUDIT_KERN_MODULE	1330 /* Kernel Module events */
#endif

#ifndef AUDIT_FANOTIFY
#define AUDIT_FANOTIFY		1331 /* Fanotify access decision */
#endif

#ifndef AUDIT_TIME_INJOFFSET
#define AUDIT_TIME_INJOFFSET	1332 /* Timekeeping offset injected */
#endif

#ifndef AUDIT_TIME_ADJNTPVAL
#define AUDIT_TIME_ADJNTPVAL	1333 /* NTP value adjustment */
#endif

#ifndef AUDIT_BPF
#define AUDIT_BPF		1334 /* BPF load/unload */
#endif

#ifndef AUDIT_EVENT_LISTENER
#define AUDIT_EVENT_LISTENER	1335 /* audit mcast sock join/part */
#endif

#ifndef AUDIT_URINGOP
#define AUDIT_URINGOP		1336 /* io_uring operations */
#endif

#ifndef AUDIT_OPENAT2
#define AUDIT_OPENAT2		1337 /* openat2 open_how flags */
#endif

#ifndef AUDIT_DM_CTRL
#define AUDIT_DM_CTRL		1338 /* Device Mapper target control */
#endif

#ifndef AUDIT_DM_EVENT
#define AUDIT_DM_EVENT		1339 /* Device Mapper events */
#endif

#ifndef AUDIT_MAC_CALIPSO_ADD
#define AUDIT_MAC_CALIPSO_ADD	1418 /* NetLabel: add CALIPSO DOI entry */
#endif

#ifndef AUDIT_MAC_CALIPSO_DEL
#define AUDIT_MAC_CALIPSO_DEL	1419 /* NetLabel: del CALIPSO DOI entry */
#endif

#ifndef AUDIT_ANOM_LINK
#define AUDIT_ANOM_LINK		1702 /* Suspicious use of file links */
#endif

#ifndef AUDIT_ANOM_CREAT
#define AUDIT_ANOM_CREAT            1703 /* Suspicious file creation */
#endif

/* This is related to the filterkey patch */
#define AUDIT_KEY_SEPARATOR 0x01

/* These are used in filter control */
#ifndef AUDIT_FILTER_FS
#define AUDIT_FILTER_FS		0x06 /* FS record filter in __audit_inode_child */
#endif
#ifndef AUDIT_FILTER_URING_EXIT
#define AUDIT_FILTER_URING_EXIT 0x07 /* Apply rule at io_uring op exit */
#endif
#ifndef AUDIT_FILTER_EXCLUDE
#define AUDIT_FILTER_EXCLUDE	AUDIT_FILTER_TYPE
#endif
#define AUDIT_FILTER_MASK	0x07	/* Mask to get actual filter */
#define AUDIT_FILTER_UNSET	0x80	/* This value means filter is unset */

/* Status symbol mask values */
#ifndef AUDIT_STATUS_LOST
#define AUDIT_STATUS_LOST               0x0040
#endif

/* These defines describe what features are in the kernel */
#ifndef AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT
#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT      0x00000001
#endif
#ifndef AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME  0x00000002
#endif
#ifndef AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH    0x00000004
#endif
#ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND     0x00000008
#endif
#ifndef AUDIT_FEATURE_BITMAP_SESSIONID_FILTER
#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER   0x00000010
#endif
#ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
#define AUDIT_FEATURE_BITMAP_LOST_RESET		0x00000020
#endif
#ifndef AUDIT_FEATURE_BITMAP_FILTER_FS
#define AUDIT_FEATURE_BITMAP_FILTER_FS		0x00000040
#endif

/* Defines for interfield comparison update */
#ifndef AUDIT_OBJ_UID
#define AUDIT_OBJ_UID  109
#endif
#ifndef AUDIT_OBJ_GID
#define AUDIT_OBJ_GID  110
#endif
#ifndef AUDIT_FIELD_COMPARE
#define AUDIT_FIELD_COMPARE 111
#endif
#ifndef AUDIT_EXE
#define AUDIT_EXE 112
#endif
#ifndef AUDIT_SADDR_FAM
#define AUDIT_SADDR_FAM 113
#endif

#ifndef AUDIT_SESSIONID
#define AUDIT_SESSIONID 25
#endif

#ifndef AUDIT_FSTYPE
#define AUDIT_FSTYPE 26
#endif

#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID   1
#endif
#ifndef AUDIT_COMPARE_GID_TO_OBJ_GID
#define AUDIT_COMPARE_GID_TO_OBJ_GID   2
#endif
#ifndef AUDIT_COMPARE_EUID_TO_OBJ_UID
#define AUDIT_COMPARE_EUID_TO_OBJ_UID  3
#endif
#ifndef AUDIT_COMPARE_EGID_TO_OBJ_GID
#define AUDIT_COMPARE_EGID_TO_OBJ_GID  4
#endif
#ifndef AUDIT_COMPARE_AUID_TO_OBJ_UID
#define AUDIT_COMPARE_AUID_TO_OBJ_UID  5
#endif
#ifndef AUDIT_COMPARE_SUID_TO_OBJ_UID
#define AUDIT_COMPARE_SUID_TO_OBJ_UID  6
#endif
#ifndef AUDIT_COMPARE_SGID_TO_OBJ_GID
#define AUDIT_COMPARE_SGID_TO_OBJ_GID  7
#endif
#ifndef AUDIT_COMPARE_FSUID_TO_OBJ_UID
#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
#endif
#ifndef AUDIT_COMPARE_FSGID_TO_OBJ_GID
#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
#endif
#ifndef AUDIT_COMPARE_UID_TO_AUID
#define AUDIT_COMPARE_UID_TO_AUID      10
#endif
#ifndef AUDIT_COMPARE_UID_TO_EUID
#define AUDIT_COMPARE_UID_TO_EUID      11
#endif
#ifndef AUDIT_COMPARE_UID_TO_FSUID
#define AUDIT_COMPARE_UID_TO_FSUID     12
#endif
#ifndef AUDIT_COMPARE_UID_TO_SUID
#define AUDIT_COMPARE_UID_TO_SUID      13
#endif
#ifndef AUDIT_COMPARE_AUID_TO_FSUID
#define AUDIT_COMPARE_AUID_TO_FSUID    14
#endif
#ifndef AUDIT_COMPARE_AUID_TO_SUID
#define AUDIT_COMPARE_AUID_TO_SUID     15
#endif
#ifndef AUDIT_COMPARE_AUID_TO_EUID
#define AUDIT_COMPARE_AUID_TO_EUID     16
#endif
#ifndef AUDIT_COMPARE_EUID_TO_SUID
#define AUDIT_COMPARE_EUID_TO_SUID     17
#endif
#ifndef AUDIT_COMPARE_EUID_TO_FSUID
#define AUDIT_COMPARE_EUID_TO_FSUID    18
#endif
#ifndef AUDIT_COMPARE_SUID_TO_FSUID
#define AUDIT_COMPARE_SUID_TO_FSUID    19
#endif
#ifndef AUDIT_COMPARE_GID_TO_EGID
#define AUDIT_COMPARE_GID_TO_EGID      20
#endif
#ifndef AUDIT_COMPARE_GID_TO_FSGID
#define AUDIT_COMPARE_GID_TO_FSGID     21
#endif
#ifndef AUDIT_COMPARE_GID_TO_SGID
#define AUDIT_COMPARE_GID_TO_SGID      22
#endif
#ifndef AUDIT_COMPARE_EGID_TO_FSGID
#define AUDIT_COMPARE_EGID_TO_FSGID    23
#endif
#ifndef AUDIT_COMPARE_EGID_TO_SGID
#define AUDIT_COMPARE_EGID_TO_SGID     24
#endif
#ifndef AUDIT_COMPARE_SGID_TO_FSGID
#define AUDIT_COMPARE_SGID_TO_FSGID    25
#endif

#ifndef EM_ARM
#define EM_ARM  40
#endif
#ifndef EM_AARCH64
#define EM_AARCH64 183
#endif

#ifndef AUDIT_ARCH_AARCH64
#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#endif

#ifndef AUDIT_ARCH_PPC64LE
#define AUDIT_ARCH_PPC64LE	(EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#endif

/* This is the character that separates event data from enrichment fields */
#define AUDIT_INTERP_SEPARATOR 0x1D

//////////////////////////////////////////////////////
// This is an external ABI. Any changes in here will
// likely affect pam_loginuid. There might be other
// apps that use this low level interface, but I don't
// know of any.
//
/* data structure for who signaled the audit daemon */
struct audit_sig_info {
        uid_t           uid;
        pid_t           pid;
	char		ctx[0];
};

/* defines for audit subsystem */
#define MAX_AUDIT_MESSAGE_LENGTH    8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1
struct audit_message {
	struct nlmsghdr nlh;
	char   data[MAX_AUDIT_MESSAGE_LENGTH];
};

// internal - forward declaration
struct daemon_conf;

struct audit_reply {
	int                      type;
	int                      len;
	struct nlmsghdr         *nlh;
	struct audit_message     msg;

	/* Using a union to compress this structure since only one of
	 * the following should be valid for any packet. */
	union {
	struct audit_status     *status;
	struct audit_rule_data  *ruledata;
	struct audit_login      *login;
	char                    *message;
	struct nlmsgerr         *error;
	struct audit_sig_info   *signal_info;
	struct daemon_conf      *conf;
#ifdef AUDIT_FEATURE_VERSION
	struct audit_features	*features;
#endif
	};
};

//
// End of ABI control
//////////////////////////////////////////////////////

//////////////////////////////////////////////////////
// audit dispatcher interface
//
/* audit_dispatcher_header: This header is versioned. If anything gets
 * added to it, it must go at the end and the version number bumped.
 * This MUST BE fixed size for compatibility. If you are going to add
 * new member then add them into _structure_ part.
 */
struct audit_dispatcher_header {
	uint32_t	ver;	/* The version of this protocol */
	uint32_t	hlen;	/* Header length */
	uint32_t	type;	/* Message type */
	uint32_t	size;	/* Size of data following the header */
};

// Original protocol starts with msg='
#define AUDISP_PROTOCOL_VER  0

// Starts with node and/or type already in the text before msg=
// IOW, its preformatted in the audit daemon.
#define AUDISP_PROTOCOL_VER2 1


///////////////////////////////////////////////////
// Libaudit API
//

/* This is the machine type list */
typedef enum {
	MACH_X86=0,
	MACH_86_64,
	MACH_IA64,	// Deprecated but has to stay
	MACH_PPC64,
	MACH_PPC,
	MACH_S390X,
	MACH_S390,
	MACH_ALPHA,	// Deprecated but has to stay
	MACH_ARM,
	MACH_AARCH64,
	MACH_PPC64LE,
	MACH_IO_URING
} machine_t;

/* These are the valid audit failure tunable enum values */
typedef enum {
	FAIL_IGNORE=0,
	FAIL_LOG,
	FAIL_TERMINATE
} auditfail_t;

/* Messages */
typedef enum { MSG_STDERR, MSG_SYSLOG, MSG_QUIET } message_t;
typedef enum { DBG_NO, DBG_YES } debug_message_t;
void set_aumessage_mode(message_t mode, debug_message_t debug);

/* General */
typedef enum { GET_REPLY_BLOCKING=0, GET_REPLY_NONBLOCKING } reply_t;
extern int  audit_open(void);
extern void audit_close(int fd);
extern int  audit_get_reply(int fd, struct audit_reply *rep, reply_t block,
		int peek);
extern uid_t audit_getloginuid(void);
extern int  audit_setloginuid(uid_t uid);
extern uint32_t audit_get_session(void);
extern int  audit_detect_machine(void);
extern int audit_determine_machine(const char *arch);
extern char *audit_format_signal_info(char *buf, int len, char *op,
			struct audit_reply *rep, char *res)
			__attr_access ((__write_only__, 1, 2));

/* Translation functions */
extern int        audit_name_to_field(const char *field);
extern const char *audit_field_to_name(int field);
extern int        audit_name_to_syscall(const char *sc, int machine);
extern const char *audit_syscall_to_name(int sc, int machine);
extern const char *audit_uringop_to_name(int uringop);
extern int        audit_name_to_uringop(const char *uringop);
extern int        audit_name_to_flag(const char *flag);
extern const char *audit_flag_to_name(int flag);
extern int        audit_name_to_action(const char *action);
extern const char *audit_action_to_name(int action);
extern int        audit_name_to_msg_type(const char *msg_type);
extern const char *audit_msg_type_to_name(int msg_type);
extern int        audit_name_to_machine(const char *machine);
extern const char *audit_machine_to_name(int machine);
extern unsigned int audit_machine_to_elf(int machine);
extern int          audit_elf_to_machine(unsigned int elf);
extern const char *audit_operator_to_symbol(int op);
extern int        audit_name_to_errno(const char *error);
extern const char *audit_errno_to_name(int error);
extern int        audit_name_to_ftype(const char *name);
extern const char *audit_ftype_to_name(int ftype);
extern int        audit_name_to_fstype(const char *name);
extern const char *audit_fstype_to_name(int fstype);
extern void audit_number_to_errmsg(int errnumber, const char *opt);

/* AUDIT_GET */
extern int audit_request_status(int fd);
extern int audit_is_enabled(int fd);
extern int get_auditfail_action(auditfail_t *failmode);
extern int audit_request_features(int fd);
extern uint32_t audit_get_features(void);

/* AUDIT_SET */
typedef enum { WAIT_NO, WAIT_YES } rep_wait_t;
extern int  audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode);
extern int  audit_set_enabled(int fd, uint32_t enabled);
extern int  audit_set_failure(int fd, uint32_t failure);
extern int  audit_set_rate_limit(int fd, uint32_t limit);
extern int  audit_set_backlog_limit(int fd, uint32_t limit);
int audit_set_backlog_wait_time(int fd, uint32_t bwt);
int audit_reset_lost(int fd);
int audit_reset_backlog_wait_time_actual(int fd);
extern int  audit_set_feature(int fd, unsigned feature, unsigned value,
			      unsigned lock);
extern int  audit_set_loginuid_immutable(int fd);

/* AUDIT_LIST_RULES */
extern int  audit_request_rules_list_data(int fd);

/* SIGNAL_INFO */
extern int audit_request_signal_info(int fd);

/* AUDIT_WATCH */
extern int audit_update_watch_perms(struct audit_rule_data *rule, int perms);
extern int audit_add_watch(struct audit_rule_data **rulep, const char *path);
extern int audit_add_watch_dir(int type, struct audit_rule_data **rulep,
				const char *path);
extern int audit_trim_subtrees(int fd);
extern int audit_make_equivalent(int fd, const char *mount_point,
				const char *subtree);

/* AUDIT_ADD_RULE */
extern int audit_add_rule_data(int fd, struct audit_rule_data *rule,
                               int flags, int action);

/* AUDIT_DEL_RULE */
extern int audit_delete_rule_data(int fd, struct audit_rule_data *rule,
                                  int flags, int action);

/* The following are for standard formatting of messages */
extern int audit_value_needs_encoding(const char *str, unsigned int size)
	__attr_access ((__read_only__, 1, 2));
extern char *audit_encode_value(char *final,const char *buf,unsigned int size)
	__attr_access ((__write_only__, 1))
	__attr_access ((__read_only__, 2, 3));
extern char *audit_encode_nv_string(const char *name, const char *value,
	unsigned int vlen)
	__attr_access ((__read_only__, 2, 3))
	__attr_dealloc_free;
extern int audit_log_user_message(int audit_fd, int type, const char *message,
        const char *hostname, const char *addr, const char *tty, int result);
extern int audit_log_user_comm_message(int audit_fd, int type,
	const char *message, const char *comm, const char *hostname,
	const char *addr, const char *tty, int result);
extern int audit_log_acct_message(int audit_fd, int type, const char *pgname,
        const char *op, const char *name, unsigned int id,
        const char *host, const char *addr, const char *tty, int result);
extern int audit_log_user_avc_message(int audit_fd, int type,
	const char *message, const char *hostname, const char *addr,
	const char *tty, uid_t auid);
extern int audit_log_semanage_message(int audit_fd, int type,
	const char *pgname, const char *op, const char *name, unsigned int id,
        const char *new_seuser, const char *new_role, const char *new_range,
	const char *old_seuser, const char *old_role, const char *old_range,
	const char *host, const char *addr,
        const char *tty, int result);
extern int audit_log_user_command(int audit_fd, int type, const char *command,
        const char *tty, int result);

/* Rule-building helper functions */
/* Heap-allocates and initializes an audit_rule_data */
extern struct audit_rule_data *audit_rule_create_data(void);
/* Initializes an existing audit_rule_data struct */
extern void audit_rule_init_data(struct audit_rule_data *rule);
extern int audit_rule_syscallbyname_data(struct audit_rule_data *rule,
                                          const char *scall);
extern int audit_rule_io_uringbyname_data(struct audit_rule_data *rule,
                                          const char *scall);

/* Note that the following function takes a **, where audit_rule_fieldpair()
 * takes just a *.  That structure may need to be reallocated as a result of
 * adding new fields */
extern int audit_rule_fieldpair_data(struct audit_rule_data **rulep,
                                      const char *pair, int flags);
extern int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
					 const char *pair, int flags);
/* Deallocates the audit_rule_rule object, and any associated resources */
extern void audit_rule_free_data(struct audit_rule_data *rule);

/* Capability testing functions */
int audit_can_control(void);
int audit_can_write(void);
int audit_can_read(void);

#ifdef __cplusplus
}
#endif

#endif