security/apparmor/include/audit.h

   1 /* SPDX-License-Identifier: GPL-2.0-only */
   2 /*
   3  * AppArmor security module
   4  *
   5  * This file contains AppArmor auditing function definitions.
   6  *
   7  * Copyright (C) 1998-2008 Novell/SUSE
   8  * Copyright 2009-2010 Canonical Ltd.
   9  */
  10
  11 #ifndef __AA_AUDIT_H
  12 #define __AA_AUDIT_H
  13
  14 #include <linux/audit.h>
  15 #include <linux/fs.h>
  16 #include <linux/lsm_audit.h>
  17 #include <linux/sched.h>
  18 #include <linux/slab.h>
  19
  20 #include "file.h"
  21 #include "label.h"
  22
  23 extern const char *const audit_mode_names[];
  24 #define AUDIT_MAX_INDEX 5
  25 enum audit_mode {
  26         AUDIT_NORMAL,           /* follow normal auditing of accesses */
  27         AUDIT_QUIET_DENIED,     /* quiet all denied access messages */
  28         AUDIT_QUIET,            /* quiet all messages */
  29         AUDIT_NOQUIET,          /* do not quiet audit messages */
  30         AUDIT_ALL               /* audit all accesses */
  31 };
  32
  33 enum audit_type {
  34         AUDIT_APPARMOR_AUDIT,
  35         AUDIT_APPARMOR_ALLOWED,
  36         AUDIT_APPARMOR_DENIED,
  37         AUDIT_APPARMOR_HINT,
  38         AUDIT_APPARMOR_STATUS,
  39         AUDIT_APPARMOR_ERROR,
  40         AUDIT_APPARMOR_KILL,
  41         AUDIT_APPARMOR_AUTO
  42 };
  43
  44 #define OP_NULL NULL
  45
  46 #define OP_SYSCTL "sysctl"
  47 #define OP_CAPABLE "capable"
  48
  49 #define OP_UNLINK "unlink"
  50 #define OP_MKDIR "mkdir"
  51 #define OP_RMDIR "rmdir"
  52 #define OP_MKNOD "mknod"
  53 #define OP_TRUNC "truncate"
  54 #define OP_LINK "link"
  55 #define OP_SYMLINK "symlink"
  56 #define OP_RENAME_SRC "rename_src"
  57 #define OP_RENAME_DEST "rename_dest"
  58 #define OP_CHMOD "chmod"
  59 #define OP_CHOWN "chown"
  60 #define OP_GETATTR "getattr"
  61 #define OP_OPEN "open"
  62
  63 #define OP_FRECEIVE "file_receive"
  64 #define OP_FPERM "file_perm"
  65 #define OP_FLOCK "file_lock"
  66 #define OP_FMMAP "file_mmap"
  67 #define OP_FMPROT "file_mprotect"
  68 #define OP_INHERIT "file_inherit"
  69
  70 #define OP_PIVOTROOT "pivotroot"
  71 #define OP_MOUNT "mount"
  72 #define OP_UMOUNT "umount"
  73
  74 #define OP_CREATE "create"
  75 #define OP_POST_CREATE "post_create"
  76 #define OP_BIND "bind"
  77 #define OP_CONNECT "connect"
  78 #define OP_LISTEN "listen"
  79 #define OP_ACCEPT "accept"
  80 #define OP_SENDMSG "sendmsg"
  81 #define OP_RECVMSG "recvmsg"
  82 #define OP_GETSOCKNAME "getsockname"
  83 #define OP_GETPEERNAME "getpeername"
  84 #define OP_GETSOCKOPT "getsockopt"
  85 #define OP_SETSOCKOPT "setsockopt"
  86 #define OP_SHUTDOWN "socket_shutdown"
  87
  88 #define OP_PTRACE "ptrace"
  89 #define OP_SIGNAL "signal"
  90
  91 #define OP_EXEC "exec"
  92
  93 #define OP_CHANGE_HAT "change_hat"
  94 #define OP_CHANGE_PROFILE "change_profile"
  95 #define OP_CHANGE_ONEXEC "change_onexec"
  96 #define OP_STACK "stack"
  97 #define OP_STACK_ONEXEC "stack_onexec"
  98
  99 #define OP_SETPROCATTR "setprocattr"
 100 #define OP_SETRLIMIT "setrlimit"
 101
 102 #define OP_PROF_REPL "profile_replace"
 103 #define OP_PROF_LOAD "profile_load"
 104 #define OP_PROF_RM "profile_remove"
 105
 106
 107 struct apparmor_audit_data {
 108         int error;
 109         int type;
 110         const char *op;
 111         struct aa_label *label;
 112         const char *name;
 113         const char *info;
 114         u32 request;
 115         u32 denied;
 116         union {
 117                 /* these entries require a custom callback fn */
 118                 struct {
 119                         struct aa_label *peer;
 120                         union {
 121                                 struct {
 122                                         const char *target;
 123                                         kuid_t ouid;
 124                                 } fs;
 125                                 struct {
 126                                         int rlim;
 127                                         unsigned long max;
 128                                 } rlim;
 129                                 struct {
 130                                         int signal;
 131                                         int unmappedsig;
 132                                 };
 133                                 struct {
 134                                         int type, protocol;
 135                                         struct sock *peer_sk;
 136                                         void *addr;
 137                                         int addrlen;
 138                                 } net;
 139                         };
 140                 };
 141                 struct {
 142                         struct aa_profile *profile;
 143                         const char *ns;
 144                         long pos;
 145                 } iface;
 146                 struct {
 147                         const char *src_name;
 148                         const char *type;
 149                         const char *trans;
 150                         const char *data;
 151                         unsigned long flags;
 152                 } mnt;
 153         };
 154 };
 155
 156 /* macros for dealing with  apparmor_audit_data structure */
 157 #define aad(SA) ((SA)->apparmor_audit_data)
 158 #define DEFINE_AUDIT_DATA(NAME, T, X)                                   \
 159         /* TODO: cleanup audit init so we don't need _aad = {0,} */     \
 160         struct apparmor_audit_data NAME ## _aad = { .op = (X), };       \
 161         struct common_audit_data NAME =                                 \
 162         {                                                               \
 163         .type = (T),                                                    \
 164         .u.tsk = NULL,                                                  \
 165         };                                                              \
 166         NAME.apparmor_audit_data = &(NAME ## _aad)
 167
 168 void aa_audit_msg(int type, struct common_audit_data *sa,
 169                   void (*cb) (struct audit_buffer *, void *));
 170 int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
 171              void (*cb) (struct audit_buffer *, void *));
 172
 173 #define aa_audit_error(ERROR, SA, CB)                           \
 174 ({                                                              \
 175         aad((SA))->error = (ERROR);                             \
 176         aa_audit_msg(AUDIT_APPARMOR_ERROR, (SA), (CB));         \
 177         aad((SA))->error;                                       \
 178 })
 179
 180
 181 static inline int complain_error(int error)
 182 {
 183         if (error == -EPERM || error == -EACCES)
 184                 return 0;
 185         return error;
 186 }
 187
 188 void aa_audit_rule_free(void *vrule);
 189 int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
 190 int aa_audit_rule_known(struct audit_krule *rule);
 191 int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);
 192
 193 #endif /* __AA_AUDIT_H */