1/* SPDX-License-Identifier: GPL-2.0-only */ 2/* 3 * AppArmor security module 4 * 5 * This file contains AppArmor auditing function definitions. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11#ifndef __AA_AUDIT_H 12#define __AA_AUDIT_H 13 14#include <linux/audit.h> 15#include <linux/fs.h> 16#include <linux/lsm_audit.h> 17#include <linux/sched.h> 18#include <linux/slab.h> 19 20#include "file.h" 21#include "label.h" 22 23extern const char *const audit_mode_names[]; 24#define AUDIT_MAX_INDEX 5 25enum audit_mode { 26 AUDIT_NORMAL, /* follow normal auditing of accesses */ 27 AUDIT_QUIET_DENIED, /* quiet all denied access messages */ 28 AUDIT_QUIET, /* quiet all messages */ 29 AUDIT_NOQUIET, /* do not quiet audit messages */ 30 AUDIT_ALL /* audit all accesses */ 31}; 32 33enum audit_type { 34 AUDIT_APPARMOR_AUDIT, 35 AUDIT_APPARMOR_ALLOWED, 36 AUDIT_APPARMOR_DENIED, 37 AUDIT_APPARMOR_HINT, 38 AUDIT_APPARMOR_STATUS, 39 AUDIT_APPARMOR_ERROR, 40 AUDIT_APPARMOR_KILL, 41 AUDIT_APPARMOR_AUTO 42}; 43 44#define OP_NULL NULL 45 46#define OP_SYSCTL "sysctl" 47#define OP_CAPABLE "capable" 48 49#define OP_UNLINK "unlink" 50#define OP_MKDIR "mkdir" 51#define OP_RMDIR "rmdir" 52#define OP_MKNOD "mknod" 53#define OP_TRUNC "truncate" 54#define OP_LINK "link" 55#define OP_SYMLINK "symlink" 56#define OP_RENAME_SRC "rename_src" 57#define OP_RENAME_DEST "rename_dest" 58#define OP_CHMOD "chmod" 59#define OP_CHOWN "chown" 60#define OP_GETATTR "getattr" 61#define OP_OPEN "open" 62 63#define OP_FRECEIVE "file_receive" 64#define OP_FPERM "file_perm" 65#define OP_FLOCK "file_lock" 66#define OP_FMMAP "file_mmap" 67#define OP_FMPROT "file_mprotect" 68#define OP_INHERIT "file_inherit" 69 70#define OP_PIVOTROOT "pivotroot" 71#define OP_MOUNT "mount" 72#define OP_UMOUNT "umount" 73 74#define OP_CREATE "create" 75#define OP_POST_CREATE "post_create" 76#define OP_BIND "bind" 77#define OP_CONNECT "connect" 78#define OP_LISTEN "listen" 79#define OP_ACCEPT "accept" 80#define OP_SENDMSG "sendmsg" 81#define OP_RECVMSG "recvmsg" 82#define OP_GETSOCKNAME "getsockname" 83#define OP_GETPEERNAME "getpeername" 84#define OP_GETSOCKOPT "getsockopt" 85#define OP_SETSOCKOPT "setsockopt" 86#define OP_SHUTDOWN "socket_shutdown" 87 88#define OP_PTRACE "ptrace" 89#define OP_SIGNAL "signal" 90 91#define OP_EXEC "exec" 92 93#define OP_CHANGE_HAT "change_hat" 94#define OP_CHANGE_PROFILE "change_profile" 95#define OP_CHANGE_ONEXEC "change_onexec" 96#define OP_STACK "stack" 97#define OP_STACK_ONEXEC "stack_onexec" 98 99#define OP_SETPROCATTR "setprocattr" 100#define OP_SETRLIMIT "setrlimit" 101 102#define OP_PROF_REPL "profile_replace" 103#define OP_PROF_LOAD "profile_load" 104#define OP_PROF_RM "profile_remove" 105 106#define OP_USERNS_CREATE "userns_create" 107 108#define OP_URING_OVERRIDE "uring_override" 109#define OP_URING_SQPOLL "uring_sqpoll" 110 111struct apparmor_audit_data { 112 int error; 113 int type; 114 u16 class; 115 const char *op; 116 const struct cred *subj_cred; 117 struct aa_label *subj_label; 118 const char *name; 119 const char *info; 120 u32 request; 121 u32 denied; 122 union { 123 /* these entries require a custom callback fn */ 124 struct { 125 struct aa_label *peer; 126 union { 127 struct { 128 const char *target; 129 kuid_t ouid; 130 } fs; 131 struct { 132 int rlim; 133 unsigned long max; 134 } rlim; 135 struct { 136 int signal; 137 int unmappedsig; 138 }; 139 struct { 140 int type, protocol; 141 struct sock *peer_sk; 142 void *addr; 143 int addrlen; 144 } net; 145 }; 146 }; 147 struct { 148 struct aa_profile *profile; 149 const char *ns; 150 long pos; 151 } iface; 152 struct { 153 const char *src_name; 154 const char *type; 155 const char *trans; 156 const char *data; 157 unsigned long flags; 158 } mnt; 159 struct { 160 struct aa_label *target; 161 } uring; 162 }; 163 164 struct common_audit_data common; 165}; 166 167/* macros for dealing with apparmor_audit_data structure */ 168#define aad(SA) (container_of(SA, struct apparmor_audit_data, common)) 169#define aad_of_va(VA) aad((struct common_audit_data *)(VA)) 170 171#define DEFINE_AUDIT_DATA(NAME, T, C, X) \ 172 /* TODO: cleanup audit init so we don't need _aad = {0,} */ \ 173 struct apparmor_audit_data NAME = { \ 174 .class = (C), \ 175 .op = (X), \ 176 .common.type = (T), \ 177 .common.u.tsk = NULL, \ 178 .common.apparmor_audit_data = &NAME, \ 179 }; 180 181void aa_audit_msg(int type, struct apparmor_audit_data *ad, 182 void (*cb) (struct audit_buffer *, void *)); 183int aa_audit(int type, struct aa_profile *profile, 184 struct apparmor_audit_data *ad, 185 void (*cb) (struct audit_buffer *, void *)); 186 187#define aa_audit_error(ERROR, AD, CB) \ 188({ \ 189 (AD)->error = (ERROR); \ 190 aa_audit_msg(AUDIT_APPARMOR_ERROR, (AD), (CB)); \ 191 (AD)->error; \ 192}) 193 194 195static inline int complain_error(int error) 196{ 197 if (error == -EPERM || error == -EACCES) 198 return 0; 199 return error; 200} 201 202void aa_audit_rule_free(void *vrule); 203int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); 204int aa_audit_rule_known(struct audit_krule *rule); 205int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); 206 207#endif /* __AA_AUDIT_H */ 208