mirror of
git://git.yoctoproject.org/linux-yocto.git
synced 2025-07-05 13:25:20 +02:00
90c436a64a
The cred is needed to properly audit some messages, and will be needed in the future for uid conditional mediation. So pass it through to where the apparmor_audit_data struct gets defined. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
201 lines
4.6 KiB
C
201 lines
4.6 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains AppArmor auditing function definitions.
|
|
*
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
*/
|
|
|
|
#ifndef __AA_AUDIT_H
|
|
#define __AA_AUDIT_H
|
|
|
|
#include <linux/audit.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/lsm_audit.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/slab.h>
|
|
|
|
#include "file.h"
|
|
#include "label.h"
|
|
|
|
extern const char *const audit_mode_names[];
|
|
#define AUDIT_MAX_INDEX 5
|
|
enum audit_mode {
|
|
AUDIT_NORMAL, /* follow normal auditing of accesses */
|
|
AUDIT_QUIET_DENIED, /* quiet all denied access messages */
|
|
AUDIT_QUIET, /* quiet all messages */
|
|
AUDIT_NOQUIET, /* do not quiet audit messages */
|
|
AUDIT_ALL /* audit all accesses */
|
|
};
|
|
|
|
enum audit_type {
|
|
AUDIT_APPARMOR_AUDIT,
|
|
AUDIT_APPARMOR_ALLOWED,
|
|
AUDIT_APPARMOR_DENIED,
|
|
AUDIT_APPARMOR_HINT,
|
|
AUDIT_APPARMOR_STATUS,
|
|
AUDIT_APPARMOR_ERROR,
|
|
AUDIT_APPARMOR_KILL,
|
|
AUDIT_APPARMOR_AUTO
|
|
};
|
|
|
|
#define OP_NULL NULL
|
|
|
|
#define OP_SYSCTL "sysctl"
|
|
#define OP_CAPABLE "capable"
|
|
|
|
#define OP_UNLINK "unlink"
|
|
#define OP_MKDIR "mkdir"
|
|
#define OP_RMDIR "rmdir"
|
|
#define OP_MKNOD "mknod"
|
|
#define OP_TRUNC "truncate"
|
|
#define OP_LINK "link"
|
|
#define OP_SYMLINK "symlink"
|
|
#define OP_RENAME_SRC "rename_src"
|
|
#define OP_RENAME_DEST "rename_dest"
|
|
#define OP_CHMOD "chmod"
|
|
#define OP_CHOWN "chown"
|
|
#define OP_GETATTR "getattr"
|
|
#define OP_OPEN "open"
|
|
|
|
#define OP_FRECEIVE "file_receive"
|
|
#define OP_FPERM "file_perm"
|
|
#define OP_FLOCK "file_lock"
|
|
#define OP_FMMAP "file_mmap"
|
|
#define OP_FMPROT "file_mprotect"
|
|
#define OP_INHERIT "file_inherit"
|
|
|
|
#define OP_PIVOTROOT "pivotroot"
|
|
#define OP_MOUNT "mount"
|
|
#define OP_UMOUNT "umount"
|
|
|
|
#define OP_CREATE "create"
|
|
#define OP_POST_CREATE "post_create"
|
|
#define OP_BIND "bind"
|
|
#define OP_CONNECT "connect"
|
|
#define OP_LISTEN "listen"
|
|
#define OP_ACCEPT "accept"
|
|
#define OP_SENDMSG "sendmsg"
|
|
#define OP_RECVMSG "recvmsg"
|
|
#define OP_GETSOCKNAME "getsockname"
|
|
#define OP_GETPEERNAME "getpeername"
|
|
#define OP_GETSOCKOPT "getsockopt"
|
|
#define OP_SETSOCKOPT "setsockopt"
|
|
#define OP_SHUTDOWN "socket_shutdown"
|
|
|
|
#define OP_PTRACE "ptrace"
|
|
#define OP_SIGNAL "signal"
|
|
|
|
#define OP_EXEC "exec"
|
|
|
|
#define OP_CHANGE_HAT "change_hat"
|
|
#define OP_CHANGE_PROFILE "change_profile"
|
|
#define OP_CHANGE_ONEXEC "change_onexec"
|
|
#define OP_STACK "stack"
|
|
#define OP_STACK_ONEXEC "stack_onexec"
|
|
|
|
#define OP_SETPROCATTR "setprocattr"
|
|
#define OP_SETRLIMIT "setrlimit"
|
|
|
|
#define OP_PROF_REPL "profile_replace"
|
|
#define OP_PROF_LOAD "profile_load"
|
|
#define OP_PROF_RM "profile_remove"
|
|
|
|
|
|
struct apparmor_audit_data {
|
|
int error;
|
|
int type;
|
|
u16 class;
|
|
const char *op;
|
|
const struct cred *subj_cred;
|
|
struct aa_label *subj_label;
|
|
const char *name;
|
|
const char *info;
|
|
u32 request;
|
|
u32 denied;
|
|
union {
|
|
/* these entries require a custom callback fn */
|
|
struct {
|
|
struct aa_label *peer;
|
|
union {
|
|
struct {
|
|
const char *target;
|
|
kuid_t ouid;
|
|
} fs;
|
|
struct {
|
|
int rlim;
|
|
unsigned long max;
|
|
} rlim;
|
|
struct {
|
|
int signal;
|
|
int unmappedsig;
|
|
};
|
|
struct {
|
|
int type, protocol;
|
|
struct sock *peer_sk;
|
|
void *addr;
|
|
int addrlen;
|
|
} net;
|
|
};
|
|
};
|
|
struct {
|
|
struct aa_profile *profile;
|
|
const char *ns;
|
|
long pos;
|
|
} iface;
|
|
struct {
|
|
const char *src_name;
|
|
const char *type;
|
|
const char *trans;
|
|
const char *data;
|
|
unsigned long flags;
|
|
} mnt;
|
|
};
|
|
|
|
struct common_audit_data common;
|
|
};
|
|
|
|
/* macros for dealing with apparmor_audit_data structure */
|
|
#define aad(SA) (container_of(SA, struct apparmor_audit_data, common))
|
|
#define aad_of_va(VA) aad((struct common_audit_data *)(VA))
|
|
|
|
#define DEFINE_AUDIT_DATA(NAME, T, C, X) \
|
|
/* TODO: cleanup audit init so we don't need _aad = {0,} */ \
|
|
struct apparmor_audit_data NAME = { \
|
|
.class = (C), \
|
|
.op = (X), \
|
|
.common.type = (T), \
|
|
.common.u.tsk = NULL, \
|
|
.common.apparmor_audit_data = &NAME, \
|
|
};
|
|
|
|
void aa_audit_msg(int type, struct apparmor_audit_data *ad,
|
|
void (*cb) (struct audit_buffer *, void *));
|
|
int aa_audit(int type, struct aa_profile *profile,
|
|
struct apparmor_audit_data *ad,
|
|
void (*cb) (struct audit_buffer *, void *));
|
|
|
|
#define aa_audit_error(ERROR, AD, CB) \
|
|
({ \
|
|
(AD)->error = (ERROR); \
|
|
aa_audit_msg(AUDIT_APPARMOR_ERROR, (AD), (CB)); \
|
|
(AD)->error; \
|
|
})
|
|
|
|
|
|
static inline int complain_error(int error)
|
|
{
|
|
if (error == -EPERM || error == -EACCES)
|
|
return 0;
|
|
return error;
|
|
}
|
|
|
|
void aa_audit_rule_free(void *vrule);
|
|
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
|
|
int aa_audit_rule_known(struct audit_krule *rule);
|
|
int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);
|
|
|
|
#endif /* __AA_AUDIT_H */
|