1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor auditing function definitions. | |
5 | * | |
6 | * Copyright (C) 1998-2008 Novell/SUSE | |
7 | * Copyright 2009-2010 Canonical Ltd. | |
8 | * | |
9 | * This program is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU General Public License as | |
11 | * published by the Free Software Foundation, version 2 of the | |
12 | * License. | |
13 | */ | |
14 | ||
15 | #ifndef __AA_AUDIT_H | |
16 | #define __AA_AUDIT_H | |
17 | ||
18 | #include <linux/audit.h> | |
19 | #include <linux/fs.h> | |
20 | #include <linux/lsm_audit.h> | |
21 | #include <linux/sched.h> | |
22 | #include <linux/slab.h> | |
23 | ||
24 | #include "file.h" | |
637f688d | 25 | #include "label.h" |
67012e82 | 26 | |
/*
 * Printable names for the audit modes; the array is defined in a .c file,
 * presumably indexed by enum audit_mode (not visible from this header).
 */
extern const char *const audit_mode_names[];
/* Number of enum audit_mode values declared below (AUDIT_NORMAL .. AUDIT_ALL). */
#define AUDIT_MAX_INDEX 5
/*
 * Audit verbosity settings. Values are explicit and contiguous from 0 so
 * that they line up with AUDIT_MAX_INDEX (5) and can be used as a table
 * index. Note that the two QUIET modes reduce what ends up in the audit
 * log and therefore what is available for incident review afterwards.
 */
enum audit_mode {
	AUDIT_NORMAL = 0,		/* audit accesses the normal way */
	AUDIT_QUIET_DENIED = 1,		/* suppress only denied-access messages */
	AUDIT_QUIET = 2,		/* suppress every message */
	AUDIT_NOQUIET = 3,		/* never suppress audit messages */
	AUDIT_ALL = 4,			/* audit every access */
};
36 | ||
/*
 * Classes of AppArmor audit message, passed as the @type argument of
 * aa_audit()/aa_audit_msg(). Values are explicit, contiguous from 0 and in
 * declaration order.
 */
enum audit_type {
	AUDIT_APPARMOR_AUDIT = 0,
	AUDIT_APPARMOR_ALLOWED = 1,
	AUDIT_APPARMOR_DENIED = 2,
	AUDIT_APPARMOR_HINT = 3,
	AUDIT_APPARMOR_STATUS = 4,
	AUDIT_APPARMOR_ERROR = 5,	/* what aa_audit_error() emits */
	AUDIT_APPARMOR_KILL = 6,
	AUDIT_APPARMOR_AUTO = 7,
};
47 | ||
47f6e5cc JJ |
/*
 * Operation names stored in apparmor_audit_data.op. They are string
 * literals rather than an enum. OP_NULL is a NULL pointer, not an empty
 * string, so anything that formats .op must tolerate NULL. The grouping
 * comments below follow the names only; the hooks that use each string are
 * not in this header.
 */
#define OP_NULL NULL

/* sysctl and capability checks */
#define OP_SYSCTL "sysctl"
#define OP_CAPABLE "capable"

/* path-based inode operations */
#define OP_UNLINK "unlink"
#define OP_MKDIR "mkdir"
#define OP_RMDIR "rmdir"
#define OP_MKNOD "mknod"
#define OP_TRUNC "truncate"
#define OP_LINK "link"
#define OP_SYMLINK "symlink"
#define OP_RENAME_SRC "rename_src"
#define OP_RENAME_DEST "rename_dest"
#define OP_CHMOD "chmod"
#define OP_CHOWN "chown"
#define OP_GETATTR "getattr"
#define OP_OPEN "open"

/* operations on an already-open file */
#define OP_FRECEIVE "file_receive"
#define OP_FPERM "file_perm"
#define OP_FLOCK "file_lock"
#define OP_FMMAP "file_mmap"
#define OP_FMPROT "file_mprotect"
#define OP_INHERIT "file_inherit"

/* mount tree changes */
#define OP_PIVOTROOT "pivotroot"
#define OP_MOUNT "mount"
#define OP_UMOUNT "umount"

/* socket operations */
#define OP_CREATE "create"
#define OP_POST_CREATE "post_create"
#define OP_BIND "bind"
#define OP_CONNECT "connect"
#define OP_LISTEN "listen"
#define OP_ACCEPT "accept"
#define OP_SENDMSG "sendmsg"
#define OP_RECVMSG "recvmsg"
#define OP_GETSOCKNAME "getsockname"
#define OP_GETPEERNAME "getpeername"
#define OP_GETSOCKOPT "getsockopt"
#define OP_SETSOCKOPT "setsockopt"
#define OP_SHUTDOWN "socket_shutdown"

/* cross-task operations */
#define OP_PTRACE "ptrace"
#define OP_SIGNAL "signal"

#define OP_EXEC "exec"

/* domain (profile / hat) transitions */
#define OP_CHANGE_HAT "change_hat"
#define OP_CHANGE_PROFILE "change_profile"
#define OP_CHANGE_ONEXEC "change_onexec"
#define OP_STACK "stack"
#define OP_STACK_ONEXEC "stack_onexec"

/* task attribute changes */
#define OP_SETPROCATTR "setprocattr"
#define OP_SETRLIMIT "setrlimit"

/* policy management */
#define OP_PROF_REPL "profile_replace"
#define OP_PROF_LOAD "profile_load"
#define OP_PROF_RM "profile_remove"
109 | |
110 | ||
/*
 * AppArmor-specific audit payload, reached from a struct common_audit_data
 * through the aad() macro defined below. The trailing anonymous union holds
 * per-operation detail: only the member matching the operation being
 * audited is meaningful, and a callback that reads a different member sees
 * whatever bytes the active member left there.
 */
struct apparmor_audit_data {
	int error;			/* result being reported; compared against
					 * -EPERM/-EACCES by complain_error() */
	int type;			/* message class, presumably enum audit_type */
	const char *op;			/* one of the OP_* strings, or OP_NULL */
	struct aa_label *label;		/* label the event is attributed to */
	const char *name;		/* object name (meaning depends on op) */
	const char *info;		/* free-form detail string */
	u32 request;			/* by name: permission bits requested */
	u32 denied;			/* by name: permission bits refused */
	union {
		/* these entries require a custom callback fn */
		struct {
			struct aa_label *peer;	/* other label involved */
			union {
				struct {
					const char *target;	/* e.g. link/rename target (by name) */
					kuid_t ouid;		/* owner uid of the object */
				} fs;
				int signal;			/* signal number for OP_SIGNAL */
			};
		};
		/* policy load/replace/remove via the interface */
		struct {
			struct aa_profile *profile;
			const char *ns;		/* policy namespace name */
			long pos;		/* position in the policy blob (by name) */
		} iface;
		/* OP_SETRLIMIT */
		struct {
			int rlim;		/* resource number */
			unsigned long max;	/* limit being set */
		} rlim;
		/* OP_MOUNT / OP_UMOUNT / OP_PIVOTROOT */
		struct {
			const char *src_name;
			const char *type;
			const char *trans;
			const char *data;
			unsigned long flags;
		} mnt;
	};
};
150 | ||
/* macros for dealing with apparmor_audit_data structure */
/*
 * aad() - reach the AppArmor payload hung off a struct common_audit_data.
 * Evaluates SA exactly once and performs no NULL check: SA->apparmor_audit_data
 * must already point at a struct apparmor_audit_data (DEFINE_AUDIT_DATA wires
 * that up for stack-allocated audit data).
 */
#define aad(SA) ((SA)->apparmor_audit_data)
/*
 * DEFINE_AUDIT_DATA - declare a struct common_audit_data NAME together with
 * its AppArmor payload NAME_aad on the stack, and link the two.
 * @NAME: identifier of the common_audit_data variable
 * @T: value stored in NAME.type (the LSM audit data type)
 * @X: operation string stored in NAME_aad.op (normally an OP_* constant)
 *
 * The designated initializer zeroes every NAME_aad member other than .op, so
 * the TODO below is about avoiding the initialization altogether, not about
 * correctness. Only .u.tsk of the common data is initialized; callers that
 * use another member of .u must fill it in themselves. The expansion ends in
 * an assignment statement, so the macro must appear where a statement is
 * legal and is used once per NAME in a scope.
 */
#define DEFINE_AUDIT_DATA(NAME, T, X) \
	/* TODO: cleanup audit init so we don't need _aad = {0,} */ \
	struct apparmor_audit_data NAME ## _aad = { .op = (X), }; \
	struct common_audit_data NAME = \
	{ \
		.type = (T), \
		.u.tsk = NULL, \
	}; \
	NAME.apparmor_audit_data = &(NAME ## _aad)
162 | |
/*
 * aa_audit_msg - emit an audit message of class @type for @sa.
 * @type: enum audit_type value (AUDIT_APPARMOR_*)
 * @sa: common audit data; its aad() payload carries the AppArmor fields
 * @cb: callback given the audit buffer to append operation-specific fields
 *      (the void * argument is presumably @sa; see the callers)
 */
void aa_audit_msg(int type, struct common_audit_data *sa,
		  void (*cb) (struct audit_buffer *, void *));
/*
 * aa_audit - audit an event of class @type against @profile.
 * @type: enum audit_type value (AUDIT_APPARMOR_*)
 * @profile: profile whose audit settings govern the decision
 * @sa: common audit data, with aad(sa) filled in by the caller
 * @cb: as for aa_audit_msg()
 *
 * Returns an int error value for the caller to propagate; how it relates to
 * aad(sa)->error and to complain_error() below is defined in audit.c, not here.
 */
int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
	     void (*cb) (struct audit_buffer *, void *));
167 | ||
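/*
 * aa_audit_error - store @error in the audit data and emit an ERROR message.
 * @error: value written to aad(sa)->error before the message is emitted
 * @sa: common audit data whose apparmor_audit_data receives the error
 * @cb: callback passed through to aa_audit_msg()
 *
 * Returns aad(sa)->error as it stands after aa_audit_msg() has run, so the
 * caller can return it directly. A static inline rather than a statement
 * expression macro: each argument is evaluated exactly once (the macro
 * expanded SA three times) and the argument types are checked.
 */
static inline int aa_audit_error(int error, struct common_audit_data *sa,
				 void (*cb)(struct audit_buffer *, void *))
{
	aad(sa)->error = error;
	aa_audit_msg(AUDIT_APPARMOR_ERROR, sa, cb);
	return aad(sa)->error;
}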
174 | ||
175 | ||
/*
 * complain_error - map a permission denial to success for complain mode.
 * @error: negative errno value from a permission check
 *
 * Only -EPERM and -EACCES are turned into 0; any other value (including 0
 * and other errors such as -ENOMEM) is returned unchanged. This is what lets
 * a complain-mode profile log a denial without enforcing it, so it must
 * never be applied to errors that are not access decisions.
 */
static inline int complain_error(int error)
{
	switch (error) {
	case -EPERM:
	case -EACCES:
		return 0;
	default:
		return error;
	}
}
182 | ||
183 | #endif /* __AA_AUDIT_H */ |