1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor auditing function definitions. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #ifndef __AA_AUDIT_H 12 #define __AA_AUDIT_H 13 14 #include <linux/audit.h> 15 #include <linux/fs.h> 16 #include <linux/lsm_audit.h> 17 #include <linux/sched.h> 18 #include <linux/slab.h> 19 20 #include "file.h" 21 #include "label.h" 22 23 extern const char *const audit_mode_names[]; 24 #define AUDIT_MAX_INDEX 5 25 enum audit_mode { 26 AUDIT_NORMAL, /* follow normal auditing of accesses */ 27 AUDIT_QUIET_DENIED, /* quiet all denied access messages */ 28 AUDIT_QUIET, /* quiet all messages */ 29 AUDIT_NOQUIET, /* do not quiet audit messages */ 30 AUDIT_ALL /* audit all accesses */ 31 }; 32 33 enum audit_type { 34 AUDIT_APPARMOR_AUDIT, 35 AUDIT_APPARMOR_ALLOWED, 36 AUDIT_APPARMOR_DENIED, 37 AUDIT_APPARMOR_HINT, 38 AUDIT_APPARMOR_STATUS, 39 AUDIT_APPARMOR_ERROR, 40 AUDIT_APPARMOR_KILL, 41 AUDIT_APPARMOR_AUTO 42 }; 43 44 #define OP_NULL NULL 45 46 #define OP_SYSCTL "sysctl" 47 #define OP_CAPABLE "capable" 48 49 #define OP_UNLINK "unlink" 50 #define OP_MKDIR "mkdir" 51 #define OP_RMDIR "rmdir" 52 #define OP_MKNOD "mknod" 53 #define OP_TRUNC "truncate" 54 #define OP_LINK "link" 55 #define OP_SYMLINK "symlink" 56 #define OP_RENAME_SRC "rename_src" 57 #define OP_RENAME_DEST "rename_dest" 58 #define OP_CHMOD "chmod" 59 #define OP_CHOWN "chown" 60 #define OP_GETATTR "getattr" 61 #define OP_OPEN "open" 62 63 #define OP_FRECEIVE "file_receive" 64 #define OP_FPERM "file_perm" 65 #define OP_FLOCK "file_lock" 66 #define OP_FMMAP "file_mmap" 67 #define OP_FMPROT "file_mprotect" 68 #define OP_INHERIT "file_inherit" 69 70 #define OP_PIVOTROOT "pivotroot" 71 #define OP_MOUNT "mount" 72 #define OP_UMOUNT "umount" 73 74 #define OP_CREATE "create" 75 #define OP_POST_CREATE "post_create" 76 #define OP_BIND "bind" 77 #define OP_CONNECT "connect" 78 #define OP_LISTEN "listen" 79 #define OP_ACCEPT "accept" 80 #define OP_SENDMSG "sendmsg" 81 #define OP_RECVMSG "recvmsg" 82 #define OP_GETSOCKNAME "getsockname" 83 #define OP_GETPEERNAME "getpeername" 84 #define OP_GETSOCKOPT "getsockopt" 85 #define OP_SETSOCKOPT "setsockopt" 86 #define OP_SHUTDOWN "socket_shutdown" 87 88 #define OP_PTRACE "ptrace" 89 #define OP_SIGNAL "signal" 90 91 #define OP_EXEC "exec" 92 93 #define OP_CHANGE_HAT "change_hat" 94 #define OP_CHANGE_PROFILE "change_profile" 95 #define OP_CHANGE_ONEXEC "change_onexec" 96 #define OP_STACK "stack" 97 #define OP_STACK_ONEXEC "stack_onexec" 98 99 #define OP_SETPROCATTR "setprocattr" 100 #define OP_SETRLIMIT "setrlimit" 101 102 #define OP_PROF_REPL "profile_replace" 103 #define OP_PROF_LOAD "profile_load" 104 #define OP_PROF_RM "profile_remove" 105 106 107 struct apparmor_audit_data { 108 int error; 109 int type; 110 u16 class; 111 const char *op; 112 const struct cred *subj_cred; 113 struct aa_label *subj_label; 114 const char *name; 115 const char *info; 116 u32 request; 117 u32 denied; 118 union { 119 /* these entries require a custom callback fn */ 120 struct { 121 struct aa_label *peer; 122 union { 123 struct { 124 const char *target; 125 kuid_t ouid; 126 } fs; 127 struct { 128 int rlim; 129 unsigned long max; 130 } rlim; 131 struct { 132 int signal; 133 int unmappedsig; 134 }; 135 struct { 136 int type, protocol; 137 struct sock *peer_sk; 138 void *addr; 139 int addrlen; 140 } net; 141 }; 142 }; 143 struct { 144 struct aa_profile *profile; 145 const char *ns; 146 long pos; 147 } iface; 148 struct { 149 const char *src_name; 150 const char *type; 151 const char *trans; 152 const char *data; 153 unsigned long flags; 154 } mnt; 155 }; 156 157 struct common_audit_data common; 158 }; 159 160 /* macros for dealing with apparmor_audit_data structure */ 161 #define aad(SA) (container_of(SA, struct apparmor_audit_data, common)) 162 #define aad_of_va(VA) aad((struct common_audit_data *)(VA)) 163 164 #define DEFINE_AUDIT_DATA(NAME, T, C, X) \ 165 /* TODO: cleanup audit init so we don't need _aad = {0,} */ \ 166 struct apparmor_audit_data NAME = { \ 167 .class = (C), \ 168 .op = (X), \ 169 .common.type = (T), \ 170 .common.u.tsk = NULL, \ 171 .common.apparmor_audit_data = &NAME, \ 172 }; 173 174 void aa_audit_msg(int type, struct apparmor_audit_data *ad, 175 void (*cb) (struct audit_buffer *, void *)); 176 int aa_audit(int type, struct aa_profile *profile, 177 struct apparmor_audit_data *ad, 178 void (*cb) (struct audit_buffer *, void *)); 179 180 #define aa_audit_error(ERROR, AD, CB) \ 181 ({ \ 182 (AD)->error = (ERROR); \ 183 aa_audit_msg(AUDIT_APPARMOR_ERROR, (AD), (CB)); \ 184 (AD)->error; \ 185 }) 186 187 188 static inline int complain_error(int error) 189 { 190 if (error == -EPERM || error == -EACCES) 191 return 0; 192 return error; 193 } 194 195 void aa_audit_rule_free(void *vrule); 196 int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); 197 int aa_audit_rule_known(struct audit_krule *rule); 198 int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); 199 200 #endif /* __AA_AUDIT_H */ 201