1 | /* SPDX-License-Identifier: GPL-2.0-only */ |
2 | /* |
3 | * AppArmor security module |
4 | * |
5 | * This file contains AppArmor auditing function definitions. |
6 | * |
7 | * Copyright (C) 1998-2008 Novell/SUSE |
8 | * Copyright 2009-2010 Canonical Ltd. |
9 | */ |
10 | |
11 | #ifndef __AA_AUDIT_H |
12 | #define __AA_AUDIT_H |
13 | |
14 | #include <linux/audit.h> |
15 | #include <linux/fs.h> |
16 | #include <linux/lsm_audit.h> |
17 | #include <linux/sched.h> |
18 | #include <linux/slab.h> |
19 | |
20 | #include "file.h" |
21 | #include "label.h" |
22 | |
/* Printable names for the audit modes below; presumably indexed by enum audit_mode — confirm in audit.c. */
extern const char *const audit_mode_names[];
/*
 * Number of enum audit_mode values (AUDIT_NORMAL .. AUDIT_ALL). Keep this in
 * sync with the enum and with audit_mode_names[] when adding a mode.
 */
#define AUDIT_MAX_INDEX 5
/*
 * Audit mode selector. The two QUIET modes suppress audit records and
 * therefore reduce audit visibility: AUDIT_QUIET_DENIED drops only denial
 * messages, AUDIT_QUIET drops every message.
 */
enum audit_mode {
	AUDIT_NORMAL,		/* follow normal auditing of accesses */
	AUDIT_QUIET_DENIED,	/* quiet all denied access messages */
	AUDIT_QUIET,		/* quiet all messages */
	AUDIT_NOQUIET,		/* do not quiet audit messages */
	AUDIT_ALL		/* audit all accesses */
};
32 | |
/*
 * Kind of audit record being emitted; passed as the @type argument of
 * aa_audit_msg()/aa_audit() below. aa_audit_error() always emits
 * AUDIT_APPARMOR_ERROR.
 */
enum audit_type {
	AUDIT_APPARMOR_AUDIT,
	AUDIT_APPARMOR_ALLOWED,
	AUDIT_APPARMOR_DENIED,
	AUDIT_APPARMOR_HINT,
	AUDIT_APPARMOR_STATUS,
	AUDIT_APPARMOR_ERROR,
	AUDIT_APPARMOR_KILL,
	AUDIT_APPARMOR_AUTO	/* presumably: derive the record type from the result — confirm in audit.c */
};
43 | |
/*
 * Operation names. One of these is stored in apparmor_audit_data.op
 * (the X argument of DEFINE_AUDIT_DATA()) and identifies the mediated
 * operation in the emitted audit record. OP_NULL leaves the field unset.
 */
#define OP_NULL NULL

#define OP_SYSCTL "sysctl"
#define OP_CAPABLE "capable"

/* inode / path operations */
#define OP_UNLINK "unlink"
#define OP_MKDIR "mkdir"
#define OP_RMDIR "rmdir"
#define OP_MKNOD "mknod"
#define OP_TRUNC "truncate"
#define OP_LINK "link"
#define OP_SYMLINK "symlink"
#define OP_RENAME_SRC "rename_src"
#define OP_RENAME_DEST "rename_dest"
#define OP_CHMOD "chmod"
#define OP_CHOWN "chown"
#define OP_GETATTR "getattr"
#define OP_OPEN "open"

/* open-file operations */
#define OP_FRECEIVE "file_receive"
#define OP_FPERM "file_perm"
#define OP_FLOCK "file_lock"
#define OP_FMMAP "file_mmap"
#define OP_FMPROT "file_mprotect"
#define OP_INHERIT "file_inherit"

/* mount namespace operations */
#define OP_PIVOTROOT "pivotroot"
#define OP_MOUNT "mount"
#define OP_UMOUNT "umount"

/* socket operations */
#define OP_CREATE "create"
#define OP_POST_CREATE "post_create"
#define OP_BIND "bind"
#define OP_CONNECT "connect"
#define OP_LISTEN "listen"
#define OP_ACCEPT "accept"
#define OP_SENDMSG "sendmsg"
#define OP_RECVMSG "recvmsg"
#define OP_GETSOCKNAME "getsockname"
#define OP_GETPEERNAME "getpeername"
#define OP_GETSOCKOPT "getsockopt"
#define OP_SETSOCKOPT "setsockopt"
#define OP_SHUTDOWN "socket_shutdown"

/* inter-process operations */
#define OP_PTRACE "ptrace"
#define OP_SIGNAL "signal"

#define OP_EXEC "exec"

/* domain transitions */
#define OP_CHANGE_HAT "change_hat"
#define OP_CHANGE_PROFILE "change_profile"
#define OP_CHANGE_ONEXEC "change_onexec"
#define OP_STACK "stack"
#define OP_STACK_ONEXEC "stack_onexec"

#define OP_SETPROCATTR "setprocattr"
#define OP_SETRLIMIT "setrlimit"

/* policy management */
#define OP_PROF_REPL "profile_replace"
#define OP_PROF_LOAD "profile_load"
#define OP_PROF_RM "profile_remove"

#define OP_USERNS_CREATE "userns_create"

#define OP_URING_OVERRIDE "uring_override"
#define OP_URING_SQPOLL "uring_sqpoll"
110 | |
/*
 * Per-event audit context. Normally declared with DEFINE_AUDIT_DATA() and
 * handed to aa_audit()/aa_audit_msg(). The LSM audit core only sees the
 * embedded @common member; aad() recovers the enclosing structure from it.
 */
struct apparmor_audit_data {
	int error;			/* result code for the event; aa_audit_error() stores its ERROR here */
	int type;
	u16 class;			/* DEFINE_AUDIT_DATA() argument C */
	const char *op;			/* operation name, one of the OP_* strings (DEFINE_AUDIT_DATA() argument X) */
	const struct cred *subj_cred;
	struct aa_label *subj_label;
	const char *name;
	const char *info;		/* NOTE(review): presumably free-text detail for the record — confirm */
	u32 request;			/* NOTE(review): presumably the requested permission mask — confirm */
	u32 denied;			/* NOTE(review): presumably the denied subset of @request — confirm */
	union {
		/* these entries require a custom callback fn */
		struct {
			struct aa_label *peer;
			union {
				struct {
					const char *target;
					kuid_t ouid;
				} fs;
				struct {
					int rlim;
					unsigned long max;
				} rlim;
				struct {
					int signal;
					int unmappedsig;
				};
				struct {
					int type, protocol;
					struct sock *peer_sk;
					void *addr;	/* raw socket address; presumably @addrlen bytes — confirm in callback */
					int addrlen;
				} net;
			};
		};
		struct {
			struct aa_profile *profile;
			const char *ns;
			long pos;
		} iface;
		struct {
			const char *src_name;
			const char *type;
			const char *trans;
			const char *data;
			unsigned long flags;
		} mnt;
		struct {
			struct aa_label *target;
		} uring;
	};

	struct common_audit_data common;	/* LSM-generic part; aad() depends on it being embedded here */
};
166 | |
/* macros for dealing with apparmor_audit_data structure */
/*
 * Recover the enclosing apparmor_audit_data from a pointer to its embedded
 * @common member. Only valid when SA really is the @common of an
 * apparmor_audit_data (as set up by DEFINE_AUDIT_DATA()).
 */
#define aad(SA) (container_of(SA, struct apparmor_audit_data, common))
/* Same, from a void * — presumably the one passed to an audit callback; confirm. */
#define aad_of_va(VA) aad((struct common_audit_data *)(VA))

/*
 * Declare and initialize an apparmor_audit_data named NAME with class C,
 * op X and LSM audit type T. Designated initialization zeroes every field
 * not listed (error, request, denied, the union, ...), and
 * common.apparmor_audit_data is a back-pointer to the record itself.
 */
#define DEFINE_AUDIT_DATA(NAME, T, C, X) \
	/* TODO: cleanup audit init so we don't need _aad = {0,} */ \
	struct apparmor_audit_data NAME = { \
		.class = (C), \
		.op = (X), \
		.common.type = (T), \
		.common.u.tsk = NULL, \
		.common.apparmor_audit_data = &NAME, \
	};
180 | |
/*
 * Emit an audit record of @type (enum audit_type) for @ad. @cb, if used,
 * is called with the audit buffer and a void * context (see aad_of_va())
 * to append callback-specific fields.
 */
void aa_audit_msg(int type, struct apparmor_audit_data *ad,
		  void (*cb) (struct audit_buffer *, void *));
/*
 * Audit an event mediated by @profile. Returns an int — presumably the
 * error to propagate to the caller, possibly adjusted for the profile's
 * mode (see complain_error()) — confirm in audit.c.
 */
int aa_audit(int type, struct aa_profile *profile,
	     struct apparmor_audit_data *ad,
	     void (*cb) (struct audit_buffer *, void *));
186 | |
/*
 * Store @ERROR in (AD)->error, emit an AUDIT_APPARMOR_ERROR record through
 * aa_audit_msg(), and evaluate to the stored error so the macro can be used
 * directly in a return statement. AD is evaluated three times, so pass a
 * side-effect-free lvalue.
 */
#define aa_audit_error(ERROR, AD, CB) \
({ \
	(AD)->error = (ERROR); \
	aa_audit_msg(AUDIT_APPARMOR_ERROR, (AD), (CB)); \
	(AD)->error; \
})
193 | |
194 | |
/*
 * Map a permission denial to success, presumably for complain (learning)
 * mode where denials are reported but not enforced — confirm against the
 * callers. Only -EPERM and -EACCES are masked; any other result (including
 * 0 and resource errors such as -ENOMEM) is returned unchanged, so genuine
 * failures still propagate.
 */
static inline int complain_error(int error)
{
	switch (error) {
	case -EPERM:
	case -EACCES:
		/* a denial becomes an allowed access */
		return 0;
	default:
		return error;
	}
}
201 | |
/*
 * Audit-rule filter hooks (LSM audit rule interface).
 *
 * aa_audit_rule_init(): build an opaque rule for @field/@op from @rulestr
 *   and return it through @vrule; presumably returns 0 or a negative errno
 *   — confirm in audit.c. @rulestr comes from the audit rule configuration,
 *   so its contents are not trusted by this header's contract.
 * aa_audit_rule_free(): release a rule produced by aa_audit_rule_init().
 * aa_audit_rule_known(): presumably reports whether @rule contains fields
 *   this module handles — confirm.
 * aa_audit_rule_match(): test whether the label identified by @sid
 *   satisfies @vrule for @field/@op.
 */
void aa_audit_rule_free(void *vrule);
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
int aa_audit_rule_known(struct audit_krule *rule);
int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);
206 | |
207 | #endif /* __AA_AUDIT_H */ |
208 | |