[mirror_ubuntu-hirsute-kernel.git] / security / apparmor / include / audit.h

/*
 * AppArmor security module
 *
 * This file contains AppArmor auditing function definitions.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#ifndef __AA_AUDIT_H
#define __AA_AUDIT_H

#include <linux/audit.h>
#include <linux/fs.h>
#include <linux/lsm_audit.h>
#include <linux/sched.h>
#include <linux/slab.h>

#include "file.h"
#include "label.h"

extern const char *const audit_mode_names[];
#define AUDIT_MAX_INDEX 5
enum audit_mode {
	AUDIT_NORMAL,		/* follow normal auditing of accesses */
	AUDIT_QUIET_DENIED,	/* quiet all denied access messages */
	AUDIT_QUIET,		/* quiet all messages */
	AUDIT_NOQUIET,		/* do not quiet audit messages */
	AUDIT_ALL		/* audit all accesses */
};

enum audit_type {
	AUDIT_APPARMOR_AUDIT,
	AUDIT_APPARMOR_ALLOWED,
	AUDIT_APPARMOR_DENIED,
	AUDIT_APPARMOR_HINT,
	AUDIT_APPARMOR_STATUS,
	AUDIT_APPARMOR_ERROR,
	AUDIT_APPARMOR_KILL,
	AUDIT_APPARMOR_AUTO
};

#define OP_NULL NULL

#define OP_SYSCTL "sysctl"
#define OP_CAPABLE "capable"

#define OP_UNLINK "unlink"
#define OP_MKDIR "mkdir"
#define OP_RMDIR "rmdir"
#define OP_MKNOD "mknod"
#define OP_TRUNC "truncate"
#define OP_LINK "link"
#define OP_SYMLINK "symlink"
#define OP_RENAME_SRC "rename_src"
#define OP_RENAME_DEST "rename_dest"
#define OP_CHMOD "chmod"
#define OP_CHOWN "chown"
#define OP_GETATTR "getattr"
#define OP_OPEN "open"

#define OP_FRECEIVE "file_receive"
#define OP_FPERM "file_perm"
#define OP_FLOCK "file_lock"
#define OP_FMMAP "file_mmap"
#define OP_FMPROT "file_mprotect"
#define OP_INHERIT "file_inherit"

#define OP_PIVOTROOT "pivotroot"
#define OP_MOUNT "mount"
#define OP_UMOUNT "umount"

#define OP_CREATE "create"
#define OP_POST_CREATE "post_create"
#define OP_BIND "bind"
#define OP_CONNECT "connect"
#define OP_LISTEN "listen"
#define OP_ACCEPT "accept"
#define OP_SENDMSG "sendmsg"
#define OP_RECVMSG "recvmsg"
#define OP_GETSOCKNAME "getsockname"
#define OP_GETPEERNAME "getpeername"
#define OP_GETSOCKOPT "getsockopt"
#define OP_SETSOCKOPT "setsockopt"
#define OP_SHUTDOWN "socket_shutdown"

#define OP_PTRACE "ptrace"
#define OP_SIGNAL "signal"

#define OP_EXEC "exec"

#define OP_CHANGE_HAT "change_hat"
#define OP_CHANGE_PROFILE "change_profile"
#define OP_CHANGE_ONEXEC "change_onexec"
#define OP_STACK "stack"
#define OP_STACK_ONEXEC "stack_onexec"

#define OP_SETPROCATTR "setprocattr"
#define OP_SETRLIMIT "setrlimit"

#define OP_PROF_REPL "profile_replace"
#define OP_PROF_LOAD "profile_load"
#define OP_PROF_RM "profile_remove"


struct apparmor_audit_data {
	int error;
	int type;
	const char *op;
	struct aa_label *label;
	const char *name;
	const char *info;
	u32 request;
	u32 denied;
	union {
		/* these entries require a custom callback fn */
		struct {
			struct aa_label *peer;
			union {
				struct {
					const char *target;
					kuid_t ouid;
				} fs;
				int signal;
			};
		};
		struct {
			struct aa_profile *profile;
			const char *ns;
			long pos;
		} iface;
		struct {
			int rlim;
			unsigned long max;
		} rlim;
		struct {
			const char *src_name;
			const char *type;
			const char *trans;
			const char *data;
			unsigned long flags;
		} mnt;
	};
};

/* macros for dealing with  apparmor_audit_data structure */
#define aad(SA) ((SA)->apparmor_audit_data)
#define DEFINE_AUDIT_DATA(NAME, T, X)					\
	/* TODO: cleanup audit init so we don't need _aad = {0,} */	\
	struct apparmor_audit_data NAME ## _aad = { .op = (X), };	\
	struct common_audit_data NAME =					\
	{								\
	.type = (T),							\
	.u.tsk = NULL,							\
	};								\
	NAME.apparmor_audit_data = &(NAME ## _aad)

void aa_audit_msg(int type, struct common_audit_data *sa,
		  void (*cb) (struct audit_buffer *, void *));
int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
	     void (*cb) (struct audit_buffer *, void *));

#define aa_audit_error(ERROR, SA, CB)				\
({								\
	aad((SA))->error = (ERROR);				\
	aa_audit_msg(AUDIT_APPARMOR_ERROR, (SA), (CB));		\
	aad((SA))->error;					\
})


static inline int complain_error(int error)
{
	if (error == -EPERM || error == -EACCES)
		return 0;
	return error;
}

#endif /* __AA_AUDIT_H */
Commit	Line	Data
67012e82 JJ	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor auditing function definitions.
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __AA_AUDIT_H
	16	#define __AA_AUDIT_H
	17
	18	#include <linux/audit.h>
	19	#include <linux/fs.h>
	20	#include <linux/lsm_audit.h>
	21	#include <linux/sched.h>
	22	#include <linux/slab.h>
	23
	24	#include "file.h"
637f688d	25	#include "label.h"
67012e82	26
2d4cee7e	27	extern const char *const audit_mode_names[];
67012e82	28	#define AUDIT_MAX_INDEX 5
67012e82 JJ	29	enum audit_mode {
	30	AUDIT_NORMAL, /* follow normal auditing of accesses */
	31	AUDIT_QUIET_DENIED, /* quiet all denied access messages */
	32	AUDIT_QUIET, /* quiet all messages */
	33	AUDIT_NOQUIET, /* do not quiet audit messages */
	34	AUDIT_ALL /* audit all accesses */
	35	};
	36
	37	enum audit_type {
	38	AUDIT_APPARMOR_AUDIT,
	39	AUDIT_APPARMOR_ALLOWED,
	40	AUDIT_APPARMOR_DENIED,
	41	AUDIT_APPARMOR_HINT,
	42	AUDIT_APPARMOR_STATUS,
	43	AUDIT_APPARMOR_ERROR,
ade3ddc0 JJ	44	AUDIT_APPARMOR_KILL,
ade3ddc0 JJ	45	AUDIT_APPARMOR_AUTO
67012e82 JJ	46	};
67012e82 JJ	47
47f6e5cc JJ	48	#define OP_NULL NULL
	49
	50	#define OP_SYSCTL "sysctl"
	51	#define OP_CAPABLE "capable"
	52
	53	#define OP_UNLINK "unlink"
	54	#define OP_MKDIR "mkdir"
	55	#define OP_RMDIR "rmdir"
	56	#define OP_MKNOD "mknod"
	57	#define OP_TRUNC "truncate"
	58	#define OP_LINK "link"
	59	#define OP_SYMLINK "symlink"
	60	#define OP_RENAME_SRC "rename_src"
	61	#define OP_RENAME_DEST "rename_dest"
	62	#define OP_CHMOD "chmod"
	63	#define OP_CHOWN "chown"
	64	#define OP_GETATTR "getattr"
	65	#define OP_OPEN "open"
	66
064dc947	67	#define OP_FRECEIVE "file_receive"
47f6e5cc JJ	68	#define OP_FPERM "file_perm"
	69	#define OP_FLOCK "file_lock"
	70	#define OP_FMMAP "file_mmap"
	71	#define OP_FMPROT "file_mprotect"
192ca6b5	72	#define OP_INHERIT "file_inherit"
47f6e5cc	73
2ea3ffb7 JJ	74	#define OP_PIVOTROOT "pivotroot"
	75	#define OP_MOUNT "mount"
	76	#define OP_UMOUNT "umount"
	77
47f6e5cc JJ	78	#define OP_CREATE "create"
	79	#define OP_POST_CREATE "post_create"
	80	#define OP_BIND "bind"
	81	#define OP_CONNECT "connect"
	82	#define OP_LISTEN "listen"
	83	#define OP_ACCEPT "accept"
	84	#define OP_SENDMSG "sendmsg"
	85	#define OP_RECVMSG "recvmsg"
	86	#define OP_GETSOCKNAME "getsockname"
	87	#define OP_GETPEERNAME "getpeername"
	88	#define OP_GETSOCKOPT "getsockopt"
	89	#define OP_SETSOCKOPT "setsockopt"
	90	#define OP_SHUTDOWN "socket_shutdown"
	91
	92	#define OP_PTRACE "ptrace"
cd1dbf76	93	#define OP_SIGNAL "signal"
47f6e5cc JJ	94
	95	#define OP_EXEC "exec"
	96
	97	#define OP_CHANGE_HAT "change_hat"
	98	#define OP_CHANGE_PROFILE "change_profile"
	99	#define OP_CHANGE_ONEXEC "change_onexec"
40cde7fc JJ	100	#define OP_STACK "stack"
40cde7fc JJ	101	#define OP_STACK_ONEXEC "stack_onexec"
47f6e5cc JJ	102
	103	#define OP_SETPROCATTR "setprocattr"
	104	#define OP_SETRLIMIT "setrlimit"
	105
	106	#define OP_PROF_REPL "profile_replace"
	107	#define OP_PROF_LOAD "profile_load"
	108	#define OP_PROF_RM "profile_remove"
67012e82 JJ	109
67012e82 JJ	110
3b3b0e4f EP	111	struct apparmor_audit_data {
3b3b0e4f EP	112	int error;
3b3b0e4f	113	int type;
637f688d JJ	114	const char *op;
637f688d JJ	115	struct aa_label *label;
3b3b0e4f EP	116	const char *name;
3b3b0e4f EP	117	const char *info;
aa9aeea8 JJ	118	u32 request;
aa9aeea8 JJ	119	u32 denied;
3b3b0e4f	120	union {
ef88a7ac	121	/* these entries require a custom callback fn */
3b3b0e4f	122	struct {
637f688d	123	struct aa_label *peer;
b12cbb21 JJ	124	union {
	125	struct {
	126	const char *target;
	127	kuid_t ouid;
	128	} fs;
	129	int signal;
	130	};
ef88a7ac JJ	131	};
ef88a7ac JJ	132	struct {
2410aa96	133	struct aa_profile *profile;
fc1c9fd1	134	const char *ns;
2410aa96	135	long pos;
3b3b0e4f	136	} iface;
80c094a4 LT	137	struct {
	138	int rlim;
	139	unsigned long max;
	140	} rlim;
2ea3ffb7 JJ	141	struct {
	142	const char *src_name;
	143	const char *type;
	144	const char *trans;
	145	const char *data;
	146	unsigned long flags;
	147	} mnt;
3b3b0e4f EP	148	};
	149	};
	150
ef88a7ac JJ	151	/* macros for dealing with apparmor_audit_data structure */
	152	#define aad(SA) ((SA)->apparmor_audit_data)
	153	#define DEFINE_AUDIT_DATA(NAME, T, X) \
	154	/* TODO: cleanup audit init so we don't need _aad = {0,} */ \
	155	struct apparmor_audit_data NAME ## _aad = { .op = (X), }; \
	156	struct common_audit_data NAME = \
	157	{ \
	158	.type = (T), \
	159	.u.tsk = NULL, \
	160	}; \
	161	NAME.apparmor_audit_data = &(NAME ## _aad)
67012e82 JJ	162
	163	void aa_audit_msg(int type, struct common_audit_data *sa,
	164	void (cb) (struct audit_buffer , void *));
ef88a7ac	165	int aa_audit(int type, struct aa_profile profile, struct common_audit_data sa,
67012e82 JJ	166	void (cb) (struct audit_buffer , void *));
67012e82 JJ	167
ef88a7ac JJ	168	#define aa_audit_error(ERROR, SA, CB) \
	169	({ \
	170	aad((SA))->error = (ERROR); \
	171	aa_audit_msg(AUDIT_APPARMOR_ERROR, (SA), (CB)); \
	172	aad((SA))->error; \
	173	})
	174
	175
67012e82 JJ	176	static inline int complain_error(int error)
	177	{
	178	if (error == -EPERM \|\| error == -EACCES)
	179	return 0;
	180	return error;
	181	}
	182
	183	#endif /* __AA_AUDIT_H */