/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * AppArmor security module
 *
 * This file contains AppArmor auditing function definitions.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 */

#ifndef __AA_AUDIT_H
#define __AA_AUDIT_H

#include <linux/audit.h>
#include <linux/fs.h>
#include <linux/lsm_audit.h>
#include <linux/sched.h>
#include <linux/slab.h>

#include "file.h"
#include "label.h"

/*
 * Human readable names for the enum audit_mode values, indexed by mode.
 * AUDIT_MAX_INDEX is the number of entries (AUDIT_ALL + 1) and must be kept
 * in sync with the enum below. Any code that derives a table index from a
 * mode value it did not produce itself must range-check it against
 * AUDIT_MAX_INDEX before indexing audit_mode_names.
 */
extern const char *const audit_mode_names[];
#define AUDIT_MAX_INDEX 5
/*
 * Per-profile audit mode.
 *
 * Operational caveat: the two QUIET modes suppress audit records rather
 * than change the decision, so a profile in AUDIT_QUIET_DENIED or
 * AUDIT_QUIET produces none of the DENIED events that detection rules
 * typically key on. Treat a switch to a quiet mode as a visibility change.
 */
enum audit_mode {
	AUDIT_NORMAL,		/* follow normal auditing of accesses */
	AUDIT_QUIET_DENIED,	/* quiet all denied access messages */
	AUDIT_QUIET,		/* quiet all messages */
	AUDIT_NOQUIET,		/* do not quiet audit messages */
	AUDIT_ALL		/* audit all accesses */
};

/*
 * Kind of event being reported. This is the @type argument of aa_audit()
 * and aa_audit_msg() (and presumably what apparmor_audit_data.type holds).
 * AUDIT_APPARMOR_ERROR is the type emitted by the aa_audit_error() macro
 * further down in this header.
 */
enum audit_type {
	AUDIT_APPARMOR_AUDIT,
	AUDIT_APPARMOR_ALLOWED,
	AUDIT_APPARMOR_DENIED,
	AUDIT_APPARMOR_HINT,
	AUDIT_APPARMOR_STATUS,
	AUDIT_APPARMOR_ERROR,
	AUDIT_APPARMOR_KILL,
	AUDIT_APPARMOR_AUTO
};
/*
 * Operation names.
 *
 * The string is stored as apparmor_audit_data.op (DEFINE_AUDIT_DATA sets it
 * from its X argument) and is presumably what the audit callbacks print as
 * the operation, so these literals are effectively an external interface:
 * log parsers and detection rules match on them, and renaming one silently
 * breaks those consumers. OP_NULL is a NULL pointer, not an empty string;
 * anything that formats .op must cope with it being NULL.
 */
#define OP_NULL NULL

/* sysctl and capability checks */
#define OP_SYSCTL "sysctl"
#define OP_CAPABLE "capable"

/* path based file operations */
#define OP_UNLINK "unlink"
#define OP_MKDIR "mkdir"
#define OP_RMDIR "rmdir"
#define OP_MKNOD "mknod"
#define OP_TRUNC "truncate"
#define OP_LINK "link"
#define OP_SYMLINK "symlink"
#define OP_RENAME_SRC "rename_src"
#define OP_RENAME_DEST "rename_dest"
#define OP_CHMOD "chmod"
#define OP_CHOWN "chown"
#define OP_GETATTR "getattr"
#define OP_OPEN "open"

/* operations on already open file descriptors */
#define OP_FRECEIVE "file_receive"
#define OP_FPERM "file_perm"
#define OP_FLOCK "file_lock"
#define OP_FMMAP "file_mmap"
#define OP_FMPROT "file_mprotect"
#define OP_INHERIT "file_inherit"

/* mount namespace operations */
#define OP_PIVOTROOT "pivotroot"
#define OP_MOUNT "mount"
#define OP_UMOUNT "umount"

/* socket operations (the list continues after this point) */
#define OP_CREATE "create"
#define OP_POST_CREATE "post_create"
#define OP_BIND "bind"
#define OP_CONNECT "connect"
#define OP_LISTEN "listen"
#define OP_ACCEPT "accept"
#define OP_SENDMSG "sendmsg"
#define OP_RECVMSG "recvmsg"
#define OP_GETSOCKNAME "getsockname"
/* socket operations, continued */
#define OP_GETPEERNAME "getpeername"
#define OP_GETSOCKOPT "getsockopt"
#define OP_SETSOCKOPT "setsockopt"
#define OP_SHUTDOWN "socket_shutdown"

/* cross-task mediation */
#define OP_PTRACE "ptrace"
#define OP_SIGNAL "signal"

#define OP_EXEC "exec"

/* domain transitions requested by the task itself */
#define OP_CHANGE_HAT "change_hat"
#define OP_CHANGE_PROFILE "change_profile"
#define OP_CHANGE_ONEXEC "change_onexec"
#define OP_STACK "stack"
#define OP_STACK_ONEXEC "stack_onexec"

/* task attribute changes */
#define OP_SETPROCATTR "setprocattr"
#define OP_SETRLIMIT "setrlimit"

/* policy management */
#define OP_PROF_REPL "profile_replace"
#define OP_PROF_LOAD "profile_load"
#define OP_PROF_RM "profile_remove"


/**
 * struct apparmor_audit_data - AppArmor specific part of an audit event
 * @error: error code recorded for the event (aa_audit_error() stores its
 *	   argument here); 0 when nothing failed
 * @type: event type, presumably an enum audit_type value
 * @op: operation name, one of the OP_* strings above (may be OP_NULL/NULL)
 * @label: label the event is attributed to (presumably the subject's)
 * @name: name associated with the event, e.g. a path; may be NULL
 * @info: free-form informational string; may be NULL
 * @request: u32 permission mask, presumably the permissions requested
 * @denied: u32 permission mask, presumably the subset that was denied
 *
 * The union carries operation specific data and, per the original comment,
 * these members are only meaningful to a custom callback that knows which
 * member is live for the given @op; there is no discriminator stored in the
 * struct itself, so a callback must never read a union member that the
 * caller did not fill in for that operation.
 *
 * NOTE(review): @net.addr is a raw pointer with a separate @net.addrlen. A
 * callback that copies or prints it must bound the access by addrlen and
 * must not assume the data is NUL-terminated.
 */
struct apparmor_audit_data {
	int error;
	int type;
	const char *op;
	struct aa_label *label;
	const char *name;
	const char *info;
	u32 request;
	u32 denied;
	union {
		/* these entries require a custom callback fn */
		struct {
			struct aa_label *peer;	/* other party, e.g. ptrace/signal target */
			union {
				struct {
					const char *target;	/* second path (link/rename) */
					kuid_t ouid;		/* object owner uid */
				} fs;
				struct {
					int rlim;		/* RLIMIT_* resource */
					unsigned long max;	/* requested hard limit */
				} rlim;
				struct {
					int signal;		/* signal number */
					int unmappedsig;	/* signal number not mapped to policy */
				};
				struct {
					int type, protocol;	/* socket type and protocol */
					struct sock *peer_sk;	/* peer socket, may be NULL */
					void *addr;		/* raw address bytes */
					int addrlen;		/* length of @addr in bytes */
				} net;
			};
		};
		/* policy interface (profile load/replace/remove) events */
		struct {
			struct aa_profile *profile;
			const char *ns;		/* namespace name */
			long pos;		/* presumably offset into the policy blob */
		} iface;
		/* mount events */
		struct {
			const char *src_name;
			const char *type;	/* filesystem type */
			const char *trans;
			const char *data;	/* mount options string */
			unsigned long flags;	/* mount flags */
		} mnt;
	};
};

/* macros for dealing with apparmor_audit_data structure */
/* Accessor for the AppArmor part of a struct common_audit_data. */
#define aad(SA) ((SA)->apparmor_audit_data)
/*
 * Declare, on the stack, a struct common_audit_data named NAME of LSM audit
 * type T together with its AppArmor payload NAME_aad (.op = X), and link the
 * two. Both are declarations, so the macro may only be used where a
 * declaration is legal. The designated initializers zero every member that
 * is not named: .error, .name, .info, .request, .denied and the whole union
 * of NAME_aad start out as 0/NULL, and NAME's union is cleared via .u.tsk.
 * Callbacks may rely on that without the explicit "= {0,}" mentioned below.
 */
#define DEFINE_AUDIT_DATA(NAME, T, X)					\
	/* TODO: cleanup audit init so we don't need _aad = {0,} */	\
	struct apparmor_audit_data NAME ## _aad = { .op = (X), };	\
	struct common_audit_data NAME =					\
	{								\
	.type = (T),							\
	.u.tsk = NULL,							\
	};								\
	NAME.apparmor_audit_data = &(NAME ## _aad)

/*
 * aa_audit_msg - emit an audit record of @type for @sa
 * @cb: callback that formats the operation specific data in aad(sa);
 *	whether NULL is accepted is not visible from this header
 *
 * aa_audit - audit an event against @profile and return the resulting error
 *
 * Returns an int, presumably the error to hand back to the caller once the
 * profile's mode (e.g. complain, see complain_error()) has been applied.
 */
void aa_audit_msg(int type, struct common_audit_data *sa,
		  void (*cb) (struct audit_buffer *, void *));
int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
	     void (*cb) (struct audit_buffer *, void *));

/*
 * Record ERROR in aad(SA)->error, emit an AUDIT_APPARMOR_ERROR record and
 * evaluate to the stored error so the result can be returned directly.
 * SA is expanded three times; pass a side-effect free expression.
 */
#define aa_audit_error(ERROR, SA, CB)				\
({								\
	aad((SA))->error = (ERROR);				\
	aa_audit_msg(AUDIT_APPARMOR_ERROR, (SA), (CB));		\
	aad((SA))->error;					\
})


/*
 * complain_error - error mapping for complain mode (per the name)
 * @error: the error a mediation decision produced
 *
 * Permission denials (-EPERM, -EACCES) become 0 so the operation is allowed
 * to proceed; every other value is returned unchanged. Complain mode thus
 * only overrides the decision to deny and never masks a genuine failure
 * such as -ENOMEM or -ENOENT.
 */
static inline int complain_error(int error)
{
	if (error == -EPERM || error == -EACCES)
		return 0;
	return error;
}

/*
 * Audit rule filter hooks (LSM subject/object label matching for audit
 * rules). @rulestr is the rule's string value, presumably as configured from
 * userspace, and should be treated as untrusted by the implementation.
 * @vrule is the opaque per-rule state produced by aa_audit_rule_init() and
 * released by aa_audit_rule_free(); @sid is an LSM security id.
 */
void aa_audit_rule_free(void *vrule);
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
int aa_audit_rule_known(struct audit_krule *rule);
int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);

#endif /* __AA_AUDIT_H */