1/* SPDX-License-Identifier: GPL-2.0-only */
2/*
3 * AppArmor security module
4 *
5 * This file contains AppArmor auditing function definitions.
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
9 */
10
11#ifndef __AA_AUDIT_H
12#define __AA_AUDIT_H
13
14#include <linux/audit.h>
15#include <linux/fs.h>
16#include <linux/lsm_audit.h>
17#include <linux/sched.h>
18#include <linux/slab.h>
19
20#include "file.h"
21#include "label.h"
22
23extern const char *const audit_mode_names[];
24#define AUDIT_MAX_INDEX 5
25enum audit_mode {
26 AUDIT_NORMAL, /* follow normal auditing of accesses */
27 AUDIT_QUIET_DENIED, /* quiet all denied access messages */
28 AUDIT_QUIET, /* quiet all messages */
29 AUDIT_NOQUIET, /* do not quiet audit messages */
30 AUDIT_ALL /* audit all accesses */
31};
32
33enum audit_type {
34 AUDIT_APPARMOR_AUDIT,
35 AUDIT_APPARMOR_ALLOWED,
36 AUDIT_APPARMOR_DENIED,
37 AUDIT_APPARMOR_HINT,
38 AUDIT_APPARMOR_STATUS,
39 AUDIT_APPARMOR_ERROR,
40 AUDIT_APPARMOR_KILL,
41 AUDIT_APPARMOR_AUTO
42};
43
44#define OP_NULL NULL
45
46#define OP_SYSCTL "sysctl"
47#define OP_CAPABLE "capable"
48
49#define OP_UNLINK "unlink"
50#define OP_MKDIR "mkdir"
51#define OP_RMDIR "rmdir"
52#define OP_MKNOD "mknod"
53#define OP_TRUNC "truncate"
54#define OP_LINK "link"
55#define OP_SYMLINK "symlink"
56#define OP_RENAME_SRC "rename_src"
57#define OP_RENAME_DEST "rename_dest"
58#define OP_CHMOD "chmod"
59#define OP_CHOWN "chown"
60#define OP_GETATTR "getattr"
61#define OP_OPEN "open"
62
63#define OP_FRECEIVE "file_receive"
64#define OP_FPERM "file_perm"
65#define OP_FLOCK "file_lock"
66#define OP_FMMAP "file_mmap"
67#define OP_FMPROT "file_mprotect"
68#define OP_INHERIT "file_inherit"
69
70#define OP_PIVOTROOT "pivotroot"
71#define OP_MOUNT "mount"
72#define OP_UMOUNT "umount"
73
74#define OP_CREATE "create"
75#define OP_POST_CREATE "post_create"
76#define OP_BIND "bind"
77#define OP_CONNECT "connect"
78#define OP_LISTEN "listen"
79#define OP_ACCEPT "accept"
80#define OP_SENDMSG "sendmsg"
81#define OP_RECVMSG "recvmsg"
82#define OP_GETSOCKNAME "getsockname"
83#define OP_GETPEERNAME "getpeername"
84#define OP_GETSOCKOPT "getsockopt"
85#define OP_SETSOCKOPT "setsockopt"
86#define OP_SHUTDOWN "socket_shutdown"
87
88#define OP_PTRACE "ptrace"
89#define OP_SIGNAL "signal"
90
91#define OP_EXEC "exec"
92
93#define OP_CHANGE_HAT "change_hat"
94#define OP_CHANGE_PROFILE "change_profile"
95#define OP_CHANGE_ONEXEC "change_onexec"
96#define OP_STACK "stack"
97#define OP_STACK_ONEXEC "stack_onexec"
98
99#define OP_SETPROCATTR "setprocattr"
100#define OP_SETRLIMIT "setrlimit"
101
102#define OP_PROF_REPL "profile_replace"
103#define OP_PROF_LOAD "profile_load"
104#define OP_PROF_RM "profile_remove"
105
106#define OP_USERNS_CREATE "userns_create"
107
108#define OP_URING_OVERRIDE "uring_override"
109#define OP_URING_SQPOLL "uring_sqpoll"
110
111struct apparmor_audit_data {
112 int error;
113 int type;
114 u16 class;
115 const char *op;
116 const struct cred *subj_cred;
117 struct aa_label *subj_label;
118 const char *name;
119 const char *info;
120 u32 request;
121 u32 denied;
122 union {
123 /* these entries require a custom callback fn */
124 struct {
125 struct aa_label *peer;
126 union {
127 struct {
128 const char *target;
129 kuid_t ouid;
130 } fs;
131 struct {
132 int rlim;
133 unsigned long max;
134 } rlim;
135 struct {
136 int signal;
137 int unmappedsig;
138 };
139 struct {
140 int type, protocol;
141 struct sock *peer_sk;
142 void *addr;
143 int addrlen;
144 } net;
145 };
146 };
147 struct {
148 struct aa_profile *profile;
149 const char *ns;
150 long pos;
151 } iface;
152 struct {
153 const char *src_name;
154 const char *type;
155 const char *trans;
156 const char *data;
157 unsigned long flags;
158 } mnt;
159 struct {
160 struct aa_label *target;
161 } uring;
162 };
163
164 struct common_audit_data common;
165};
166
167/* macros for dealing with apparmor_audit_data structure */
168#define aad(SA) (container_of(SA, struct apparmor_audit_data, common))
169#define aad_of_va(VA) aad((struct common_audit_data *)(VA))
170
171#define DEFINE_AUDIT_DATA(NAME, T, C, X) \
172 /* TODO: cleanup audit init so we don't need _aad = {0,} */ \
173 struct apparmor_audit_data NAME = { \
174 .class = (C), \
175 .op = (X), \
176 .common.type = (T), \
177 .common.u.tsk = NULL, \
178 .common.apparmor_audit_data = &NAME, \
179 };
180
181void aa_audit_msg(int type, struct apparmor_audit_data *ad,
182 void (*cb) (struct audit_buffer *, void *));
183int aa_audit(int type, struct aa_profile *profile,
184 struct apparmor_audit_data *ad,
185 void (*cb) (struct audit_buffer *, void *));
186
187#define aa_audit_error(ERROR, AD, CB) \
188({ \
189 (AD)->error = (ERROR); \
190 aa_audit_msg(AUDIT_APPARMOR_ERROR, (AD), (CB)); \
191 (AD)->error; \
192})
193
194
195static inline int complain_error(int error)
196{
197 if (error == -EPERM || error == -EACCES)
198 return 0;
199 return error;
200}
201
202void aa_audit_rule_free(void *vrule);
203int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
204int aa_audit_rule_known(struct audit_krule *rule);
205int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);
206
207#endif /* __AA_AUDIT_H */
208

source code of linux/security/apparmor/include/audit.h