xref: /linux/security/apparmor/include/audit.h (revision 69050f8d6d075dc01af7a5f2f550a8067510366f) 
1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3  * AppArmor security module
4  *
5  * This file contains AppArmor auditing function definitions.
6  *
7  * Copyright (C) 1998-2008 Novell/SUSE
8  * Copyright 2009-2010 Canonical Ltd.
9  */
10 
11 #ifndef __AA_AUDIT_H
12 #define __AA_AUDIT_H
13 
14 #include <linux/audit.h>
15 #include <linux/fs.h>
16 #include <linux/lsm_audit.h>
17 #include <linux/sched.h>
18 #include <linux/slab.h>
19 
20 #include "file.h"
21 #include "label.h"
22 
23 extern const char *const audit_mode_names[];
24 #define AUDIT_MAX_INDEX 5
25 enum audit_mode {
26 	AUDIT_NORMAL,		/* follow normal auditing of accesses */
27 	AUDIT_QUIET_DENIED,	/* quiet all denied access messages */
28 	AUDIT_QUIET,		/* quiet all messages */
29 	AUDIT_NOQUIET,		/* do not quiet audit messages */
30 	AUDIT_ALL		/* audit all accesses */
31 };
32 
33 enum audit_type {
34 	AUDIT_APPARMOR_AUDIT,
35 	AUDIT_APPARMOR_ALLOWED,
36 	AUDIT_APPARMOR_DENIED,
37 	AUDIT_APPARMOR_HINT,
38 	AUDIT_APPARMOR_STATUS,
39 	AUDIT_APPARMOR_ERROR,
40 	AUDIT_APPARMOR_KILL,
41 	AUDIT_APPARMOR_AUTO
42 };
43 
44 #define OP_NULL NULL
45 
46 #define OP_SYSCTL "sysctl"
47 #define OP_CAPABLE "capable"
48 
49 #define OP_UNLINK "unlink"
50 #define OP_MKDIR "mkdir"
51 #define OP_RMDIR "rmdir"
52 #define OP_MKNOD "mknod"
53 #define OP_TRUNC "truncate"
54 #define OP_LINK "link"
55 #define OP_SYMLINK "symlink"
56 #define OP_RENAME_SRC "rename_src"
57 #define OP_RENAME_DEST "rename_dest"
58 #define OP_CHMOD "chmod"
59 #define OP_CHOWN "chown"
60 #define OP_GETATTR "getattr"
61 #define OP_OPEN "open"
62 
63 #define OP_FRECEIVE "file_receive"
64 #define OP_FPERM "file_perm"
65 #define OP_FLOCK "file_lock"
66 #define OP_FMMAP "file_mmap"
67 #define OP_FMPROT "file_mprotect"
68 #define OP_INHERIT "file_inherit"
69 
70 #define OP_PIVOTROOT "pivotroot"
71 #define OP_MOUNT "mount"
72 #define OP_UMOUNT "umount"
73 
74 #define OP_CREATE "create"
75 #define OP_POST_CREATE "post_create"
76 #define OP_BIND "bind"
77 #define OP_CONNECT "connect"
78 #define OP_LISTEN "listen"
79 #define OP_ACCEPT "accept"
80 #define OP_SENDMSG "sendmsg"
81 #define OP_RECVMSG "recvmsg"
82 #define OP_GETSOCKNAME "getsockname"
83 #define OP_GETPEERNAME "getpeername"
84 #define OP_GETSOCKOPT "getsockopt"
85 #define OP_SETSOCKOPT "setsockopt"
86 #define OP_SHUTDOWN "socket_shutdown"
87 
88 #define OP_PTRACE "ptrace"
89 #define OP_SIGNAL "signal"
90 
91 #define OP_EXEC "exec"
92 
93 #define OP_CHANGE_HAT "change_hat"
94 #define OP_CHANGE_PROFILE "change_profile"
95 #define OP_CHANGE_ONEXEC "change_onexec"
96 #define OP_STACK "stack"
97 #define OP_STACK_ONEXEC "stack_onexec"
98 
99 #define OP_SETPROCATTR "setprocattr"
100 #define OP_SETRLIMIT "setrlimit"
101 
102 #define OP_PROF_REPL "profile_replace"
103 #define OP_PROF_LOAD "profile_load"
104 #define OP_PROF_RM "profile_remove"
105 
106 #define OP_USERNS_CREATE "userns_create"
107 
108 #define OP_URING_OVERRIDE "uring_override"
109 #define OP_URING_SQPOLL "uring_sqpoll"
110 
111 struct apparmor_audit_data {
112 	int error;
113 	int type;
114 	u16 class;
115 	const char *op;
116 	const struct cred *subj_cred;
117 	struct aa_label *subj_label;
118 	const char *name;
119 	const char *info;
120 	u32 request;
121 	u32 denied;
122 	u32 tags;
123 
124 	union {
125 		/* these entries require a custom callback fn */
126 		struct {
127 			struct aa_label *peer;
128 			union {
129 				struct {
130 					const char *target;
131 					kuid_t ouid;
132 				} fs;
133 				struct {
134 					int rlim;
135 					unsigned long max;
136 				} rlim;
137 				struct {
138 					int signal;
139 					int unmappedsig;
140 				};
141 				struct {
142 					int type, protocol;
143 					void *addr;
144 					int addrlen;
145 					struct {
146 						void *addr;
147 						int addrlen;
148 					} peer;
149 				} net;
150 			};
151 		};
152 		struct {
153 			struct aa_profile *profile;
154 			const char *ns;
155 			long pos;
156 		} iface;
157 		struct {
158 			const char *src_name;
159 			const char *type;
160 			const char *trans;
161 			const char *data;
162 			unsigned long flags;
163 		} mnt;
164 		struct {
165 			struct aa_label *target;
166 		} uring;
167 	};
168 
169 	struct common_audit_data common;
170 };
171 
172 /* macros for dealing with  apparmor_audit_data structure */
173 #define aad(SA) (container_of(SA, struct apparmor_audit_data, common))
174 #define aad_of_va(VA) aad((struct common_audit_data *)(VA))
175 
176 #define DEFINE_AUDIT_DATA(NAME, T, C, X)				\
177 	/* TODO: cleanup audit init so we don't need _aad = {0,} */	\
178 	struct apparmor_audit_data NAME = {				\
179 		.class = (C),						\
180 		.op = (X),                                              \
181 		.common.type = (T),					\
182 		.common.u.tsk = NULL,					\
183 		.common.apparmor_audit_data = &NAME,			\
184 	};
185 
186 void aa_audit_msg(int type, struct apparmor_audit_data *ad,
187 		  void (*cb) (struct audit_buffer *, void *));
188 int aa_audit(int type, struct aa_profile *profile,
189 	     struct apparmor_audit_data *ad,
190 	     void (*cb) (struct audit_buffer *, void *));
191 
192 #define aa_audit_error(ERROR, AD, CB)				\
193 ({								\
194 	(AD)->error = (ERROR);					\
195 	aa_audit_msg(AUDIT_APPARMOR_ERROR, (AD), (CB));		\
196 	(AD)->error;					\
197 })
198 
199 
200 static inline int complain_error(int error)
201 {
202 	if (error == -EPERM || error == -EACCES)
203 		return 0;
204 	return error;
205 }
206 
207 void aa_audit_rule_free(void *vrule);
208 int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp);
209 int aa_audit_rule_known(struct audit_krule *rule);
210 int aa_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, void *vrule);
211 
212 #endif /* __AA_AUDIT_H */
213