xref: /linux/security/apparmor/include/audit.h (revision e5c86679d5e864947a52fb31e45a425dea3e7fa9)
1 /*
2  * AppArmor security module
3  *
4  * This file contains AppArmor auditing function definitions.
5  *
6  * Copyright (C) 1998-2008 Novell/SUSE
7  * Copyright 2009-2010 Canonical Ltd.
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License as
11  * published by the Free Software Foundation, version 2 of the
12  * License.
13  */
14 
15 #ifndef __AA_AUDIT_H
16 #define __AA_AUDIT_H
17 
18 #include <linux/audit.h>
19 #include <linux/fs.h>
20 #include <linux/lsm_audit.h>
21 #include <linux/sched.h>
22 #include <linux/slab.h>
23 
24 #include "file.h"
25 
26 struct aa_profile;
27 
28 extern const char *const audit_mode_names[];
29 #define AUDIT_MAX_INDEX 5
30 enum audit_mode {
31 	AUDIT_NORMAL,		/* follow normal auditing of accesses */
32 	AUDIT_QUIET_DENIED,	/* quiet all denied access messages */
33 	AUDIT_QUIET,		/* quiet all messages */
34 	AUDIT_NOQUIET,		/* do not quiet audit messages */
35 	AUDIT_ALL		/* audit all accesses */
36 };
37 
38 enum audit_type {
39 	AUDIT_APPARMOR_AUDIT,
40 	AUDIT_APPARMOR_ALLOWED,
41 	AUDIT_APPARMOR_DENIED,
42 	AUDIT_APPARMOR_HINT,
43 	AUDIT_APPARMOR_STATUS,
44 	AUDIT_APPARMOR_ERROR,
45 	AUDIT_APPARMOR_KILL,
46 	AUDIT_APPARMOR_AUTO
47 };
48 
49 #define OP_NULL NULL
50 
51 #define OP_SYSCTL "sysctl"
52 #define OP_CAPABLE "capable"
53 
54 #define OP_UNLINK "unlink"
55 #define OP_MKDIR "mkdir"
56 #define OP_RMDIR "rmdir"
57 #define OP_MKNOD "mknod"
58 #define OP_TRUNC "truncate"
59 #define OP_LINK "link"
60 #define OP_SYMLINK "symlink"
61 #define OP_RENAME_SRC "rename_src"
62 #define OP_RENAME_DEST "rename_dest"
63 #define OP_CHMOD "chmod"
64 #define OP_CHOWN "chown"
65 #define OP_GETATTR "getattr"
66 #define OP_OPEN "open"
67 
68 #define OP_FPERM "file_perm"
69 #define OP_FLOCK "file_lock"
70 #define OP_FMMAP "file_mmap"
71 #define OP_FMPROT "file_mprotect"
72 
73 #define OP_CREATE "create"
74 #define OP_POST_CREATE "post_create"
75 #define OP_BIND "bind"
76 #define OP_CONNECT "connect"
77 #define OP_LISTEN "listen"
78 #define OP_ACCEPT "accept"
79 #define OP_SENDMSG "sendmsg"
80 #define OP_RECVMSG "recvmsg"
81 #define OP_GETSOCKNAME "getsockname"
82 #define OP_GETPEERNAME "getpeername"
83 #define OP_GETSOCKOPT "getsockopt"
84 #define OP_SETSOCKOPT "setsockopt"
85 #define OP_SHUTDOWN "socket_shutdown"
86 
87 #define OP_PTRACE "ptrace"
88 
89 #define OP_EXEC "exec"
90 
91 #define OP_CHANGE_HAT "change_hat"
92 #define OP_CHANGE_PROFILE "change_profile"
93 #define OP_CHANGE_ONEXEC "change_onexec"
94 
95 #define OP_SETPROCATTR "setprocattr"
96 #define OP_SETRLIMIT "setrlimit"
97 
98 #define OP_PROF_REPL "profile_replace"
99 #define OP_PROF_LOAD "profile_load"
100 #define OP_PROF_RM "profile_remove"
101 
102 
103 struct apparmor_audit_data {
104 	int error;
105 	const char *op;
106 	int type;
107 	void *profile;
108 	const char *name;
109 	const char *info;
110 	union {
111 		/* these entries require a custom callback fn */
112 		struct {
113 			struct aa_profile *peer;
114 			struct {
115 				const char *target;
116 				u32 request;
117 				u32 denied;
118 				kuid_t ouid;
119 			} fs;
120 		};
121 		struct {
122 			const char *name;
123 			long pos;
124 			const char *ns;
125 		} iface;
126 		struct {
127 			int rlim;
128 			unsigned long max;
129 		} rlim;
130 	};
131 };
132 
133 /* macros for dealing with  apparmor_audit_data structure */
134 #define aad(SA) ((SA)->apparmor_audit_data)
135 #define DEFINE_AUDIT_DATA(NAME, T, X)					\
136 	/* TODO: cleanup audit init so we don't need _aad = {0,} */	\
137 	struct apparmor_audit_data NAME ## _aad = { .op = (X), };	\
138 	struct common_audit_data NAME =					\
139 	{								\
140 	.type = (T),							\
141 	.u.tsk = NULL,							\
142 	};								\
143 	NAME.apparmor_audit_data = &(NAME ## _aad)
144 
145 void aa_audit_msg(int type, struct common_audit_data *sa,
146 		  void (*cb) (struct audit_buffer *, void *));
147 int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
148 	     void (*cb) (struct audit_buffer *, void *));
149 
150 #define aa_audit_error(ERROR, SA, CB)				\
151 ({								\
152 	aad((SA))->error = (ERROR);				\
153 	aa_audit_msg(AUDIT_APPARMOR_ERROR, (SA), (CB));		\
154 	aad((SA))->error;					\
155 })
156 
157 
158 static inline int complain_error(int error)
159 {
160 	if (error == -EPERM || error == -EACCES)
161 		return 0;
162 	return error;
163 }
164 
165 #endif /* __AA_AUDIT_H */
166