Loading...
1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor auditing function definitions.
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#ifndef __AA_AUDIT_H
16#define __AA_AUDIT_H
17
18#include <linux/audit.h>
19#include <linux/fs.h>
20#include <linux/lsm_audit.h>
21#include <linux/sched.h>
22#include <linux/slab.h>
23
24#include "file.h"
25
26struct aa_profile;
27
28extern const char *const audit_mode_names[];
29#define AUDIT_MAX_INDEX 5
30enum audit_mode {
31 AUDIT_NORMAL, /* follow normal auditing of accesses */
32 AUDIT_QUIET_DENIED, /* quiet all denied access messages */
33 AUDIT_QUIET, /* quiet all messages */
34 AUDIT_NOQUIET, /* do not quiet audit messages */
35 AUDIT_ALL /* audit all accesses */
36};
37
38enum audit_type {
39 AUDIT_APPARMOR_AUDIT,
40 AUDIT_APPARMOR_ALLOWED,
41 AUDIT_APPARMOR_DENIED,
42 AUDIT_APPARMOR_HINT,
43 AUDIT_APPARMOR_STATUS,
44 AUDIT_APPARMOR_ERROR,
45 AUDIT_APPARMOR_KILL,
46 AUDIT_APPARMOR_AUTO
47};
48
49extern const char *const op_table[];
50enum aa_ops {
51 OP_NULL,
52
53 OP_SYSCTL,
54 OP_CAPABLE,
55
56 OP_UNLINK,
57 OP_MKDIR,
58 OP_RMDIR,
59 OP_MKNOD,
60 OP_TRUNC,
61 OP_LINK,
62 OP_SYMLINK,
63 OP_RENAME_SRC,
64 OP_RENAME_DEST,
65 OP_CHMOD,
66 OP_CHOWN,
67 OP_GETATTR,
68 OP_OPEN,
69
70 OP_FPERM,
71 OP_FLOCK,
72 OP_FMMAP,
73 OP_FMPROT,
74
75 OP_CREATE,
76 OP_POST_CREATE,
77 OP_BIND,
78 OP_CONNECT,
79 OP_LISTEN,
80 OP_ACCEPT,
81 OP_SENDMSG,
82 OP_RECVMSG,
83 OP_GETSOCKNAME,
84 OP_GETPEERNAME,
85 OP_GETSOCKOPT,
86 OP_SETSOCKOPT,
87 OP_SOCK_SHUTDOWN,
88
89 OP_PTRACE,
90
91 OP_EXEC,
92 OP_CHANGE_HAT,
93 OP_CHANGE_PROFILE,
94 OP_CHANGE_ONEXEC,
95
96 OP_SETPROCATTR,
97 OP_SETRLIMIT,
98
99 OP_PROF_REPL,
100 OP_PROF_LOAD,
101 OP_PROF_RM,
102};
103
104
105struct apparmor_audit_data {
106 int error;
107 int op;
108 int type;
109 void *profile;
110 const char *name;
111 const char *info;
112 union {
113 void *target;
114 struct {
115 long pos;
116 void *target;
117 } iface;
118 struct {
119 int rlim;
120 unsigned long max;
121 } rlim;
122 struct {
123 const char *target;
124 u32 request;
125 u32 denied;
126 kuid_t ouid;
127 } fs;
128 };
129};
130
131/* define a short hand for apparmor_audit_data structure */
132#define aad apparmor_audit_data
133
134void aa_audit_msg(int type, struct common_audit_data *sa,
135 void (*cb) (struct audit_buffer *, void *));
136int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
137 struct common_audit_data *sa,
138 void (*cb) (struct audit_buffer *, void *));
139
140static inline int complain_error(int error)
141{
142 if (error == -EPERM || error == -EACCES)
143 return 0;
144 return error;
145}
146
147#endif /* __AA_AUDIT_H */
1/* SPDX-License-Identifier: GPL-2.0-only */
2/*
3 * AppArmor security module
4 *
5 * This file contains AppArmor auditing function definitions.
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
9 */
10
11#ifndef __AA_AUDIT_H
12#define __AA_AUDIT_H
13
14#include <linux/audit.h>
15#include <linux/fs.h>
16#include <linux/lsm_audit.h>
17#include <linux/sched.h>
18#include <linux/slab.h>
19
20#include "file.h"
21#include "label.h"
22
23extern const char *const audit_mode_names[];
24#define AUDIT_MAX_INDEX 5
25enum audit_mode {
26 AUDIT_NORMAL, /* follow normal auditing of accesses */
27 AUDIT_QUIET_DENIED, /* quiet all denied access messages */
28 AUDIT_QUIET, /* quiet all messages */
29 AUDIT_NOQUIET, /* do not quiet audit messages */
30 AUDIT_ALL /* audit all accesses */
31};
32
33enum audit_type {
34 AUDIT_APPARMOR_AUDIT,
35 AUDIT_APPARMOR_ALLOWED,
36 AUDIT_APPARMOR_DENIED,
37 AUDIT_APPARMOR_HINT,
38 AUDIT_APPARMOR_STATUS,
39 AUDIT_APPARMOR_ERROR,
40 AUDIT_APPARMOR_KILL,
41 AUDIT_APPARMOR_AUTO
42};
43
44#define OP_NULL NULL
45
46#define OP_SYSCTL "sysctl"
47#define OP_CAPABLE "capable"
48
49#define OP_UNLINK "unlink"
50#define OP_MKDIR "mkdir"
51#define OP_RMDIR "rmdir"
52#define OP_MKNOD "mknod"
53#define OP_TRUNC "truncate"
54#define OP_LINK "link"
55#define OP_SYMLINK "symlink"
56#define OP_RENAME_SRC "rename_src"
57#define OP_RENAME_DEST "rename_dest"
58#define OP_CHMOD "chmod"
59#define OP_CHOWN "chown"
60#define OP_GETATTR "getattr"
61#define OP_OPEN "open"
62
63#define OP_FRECEIVE "file_receive"
64#define OP_FPERM "file_perm"
65#define OP_FLOCK "file_lock"
66#define OP_FMMAP "file_mmap"
67#define OP_FMPROT "file_mprotect"
68#define OP_INHERIT "file_inherit"
69
70#define OP_PIVOTROOT "pivotroot"
71#define OP_MOUNT "mount"
72#define OP_UMOUNT "umount"
73
74#define OP_CREATE "create"
75#define OP_POST_CREATE "post_create"
76#define OP_BIND "bind"
77#define OP_CONNECT "connect"
78#define OP_LISTEN "listen"
79#define OP_ACCEPT "accept"
80#define OP_SENDMSG "sendmsg"
81#define OP_RECVMSG "recvmsg"
82#define OP_GETSOCKNAME "getsockname"
83#define OP_GETPEERNAME "getpeername"
84#define OP_GETSOCKOPT "getsockopt"
85#define OP_SETSOCKOPT "setsockopt"
86#define OP_SHUTDOWN "socket_shutdown"
87
88#define OP_PTRACE "ptrace"
89#define OP_SIGNAL "signal"
90
91#define OP_EXEC "exec"
92
93#define OP_CHANGE_HAT "change_hat"
94#define OP_CHANGE_PROFILE "change_profile"
95#define OP_CHANGE_ONEXEC "change_onexec"
96#define OP_STACK "stack"
97#define OP_STACK_ONEXEC "stack_onexec"
98
99#define OP_SETPROCATTR "setprocattr"
100#define OP_SETRLIMIT "setrlimit"
101
102#define OP_PROF_REPL "profile_replace"
103#define OP_PROF_LOAD "profile_load"
104#define OP_PROF_RM "profile_remove"
105
106
107struct apparmor_audit_data {
108 int error;
109 int type;
110 u16 class;
111 const char *op;
112 struct aa_label *label;
113 const char *name;
114 const char *info;
115 u32 request;
116 u32 denied;
117 union {
118 /* these entries require a custom callback fn */
119 struct {
120 struct aa_label *peer;
121 union {
122 struct {
123 const char *target;
124 kuid_t ouid;
125 } fs;
126 struct {
127 int rlim;
128 unsigned long max;
129 } rlim;
130 struct {
131 int signal;
132 int unmappedsig;
133 };
134 struct {
135 int type, protocol;
136 struct sock *peer_sk;
137 void *addr;
138 int addrlen;
139 } net;
140 };
141 };
142 struct {
143 struct aa_profile *profile;
144 const char *ns;
145 long pos;
146 } iface;
147 struct {
148 const char *src_name;
149 const char *type;
150 const char *trans;
151 const char *data;
152 unsigned long flags;
153 } mnt;
154 };
155};
156
157/* macros for dealing with apparmor_audit_data structure */
158#define aad(SA) ((SA)->apparmor_audit_data)
159#define DEFINE_AUDIT_DATA(NAME, T, C, X) \
160 /* TODO: cleanup audit init so we don't need _aad = {0,} */ \
161 struct apparmor_audit_data NAME ## _aad = { \
162 .class = (C), \
163 .op = (X), \
164 }; \
165 struct common_audit_data NAME = \
166 { \
167 .type = (T), \
168 .u.tsk = NULL, \
169 }; \
170 NAME.apparmor_audit_data = &(NAME ## _aad)
171
172void aa_audit_msg(int type, struct common_audit_data *sa,
173 void (*cb) (struct audit_buffer *, void *));
174int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
175 void (*cb) (struct audit_buffer *, void *));
176
177#define aa_audit_error(ERROR, SA, CB) \
178({ \
179 aad((SA))->error = (ERROR); \
180 aa_audit_msg(AUDIT_APPARMOR_ERROR, (SA), (CB)); \
181 aad((SA))->error; \
182})
183
184
185static inline int complain_error(int error)
186{
187 if (error == -EPERM || error == -EACCES)
188 return 0;
189 return error;
190}
191
192void aa_audit_rule_free(void *vrule);
193int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
194int aa_audit_rule_known(struct audit_krule *rule);
195int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);
196
197#endif /* __AA_AUDIT_H */