^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) /* SPDX-License-Identifier: GPL-2.0-only */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * AppArmor security module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * This file contains AppArmor auditing function definitions.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * Copyright (C) 1998-2008 Novell/SUSE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * Copyright 2009-2010 Canonical Ltd.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #ifndef __AA_AUDIT_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #define __AA_AUDIT_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <linux/audit.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include <linux/fs.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include <linux/lsm_audit.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <linux/sched.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) #include "file.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) #include "label.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22)
/* Human-readable names for the audit modes; defined out of line, not in this header. */
extern const char *const audit_mode_names[];
/*
 * Exclusive upper bound for audit mode values. Maintained by hand: it must
 * equal the number of enum audit_mode entries (five at present) and is
 * presumably what bounds lookups into audit_mode_names[]. NOTE(review):
 * nothing enforces the coupling — bump both together when adding a mode.
 */
#define AUDIT_MAX_INDEX 5
/*
 * Audit mode selection. The values count up from zero and are presumably
 * used as indices into audit_mode_names[], so they must stay below
 * AUDIT_MAX_INDEX; append new modes at the end and raise that bound in
 * step. Ordering is part of the ABI as exposed through the names table.
 */
enum audit_mode {
	AUDIT_NORMAL,		/* follow normal auditing of accesses */
	AUDIT_QUIET_DENIED,	/* quiet all denied access messages */
	AUDIT_QUIET,		/* quiet all messages */
	AUDIT_NOQUIET,		/* do not quiet audit messages */
	AUDIT_ALL		/* audit all accesses */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32)
/*
 * Kinds of AppArmor audit record. A value is passed as the @type argument
 * of aa_audit_msg() / aa_audit(); the only use visible in this header is
 * aa_audit_error() emitting AUDIT_APPARMOR_ERROR. The meaning of
 * AUDIT_APPARMOR_AUTO (presumably "derive the kind from the error and
 * the profile's audit mode") is decided in the implementation, not here.
 */
enum audit_type {
	AUDIT_APPARMOR_AUDIT,	/* access explicitly marked for auditing */
	AUDIT_APPARMOR_ALLOWED,	/* access that was permitted */
	AUDIT_APPARMOR_DENIED,	/* access that was refused */
	AUDIT_APPARMOR_HINT,	/* informational record */
	AUDIT_APPARMOR_STATUS,	/* status change (e.g. profile events) */
	AUDIT_APPARMOR_ERROR,	/* internal error; see aa_audit_error() */
	AUDIT_APPARMOR_KILL,	/* record accompanying a task kill */
	AUDIT_APPARMOR_AUTO	/* kind chosen by the implementation */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43)
/*
 * Operation names. The string is stored verbatim in apparmor_audit_data.op
 * by DEFINE_AUDIT_DATA() and is presumably what the operation field of the
 * emitted audit record shows, so these literals are part of the log format
 * userspace tooling parses: do not rename or re-spell existing values.
 * OP_NULL is a literal NULL pointer, so any code that prints or compares
 * .op must tolerate NULL rather than assume a valid string.
 */
#define OP_NULL NULL

/* privileged / capability operations */
#define OP_SYSCTL "sysctl"
#define OP_CAPABLE "capable"

/* path-based file operations */
#define OP_UNLINK "unlink"
#define OP_MKDIR "mkdir"
#define OP_RMDIR "rmdir"
#define OP_MKNOD "mknod"
#define OP_TRUNC "truncate"
#define OP_LINK "link"
#define OP_SYMLINK "symlink"
#define OP_RENAME_SRC "rename_src"
#define OP_RENAME_DEST "rename_dest"
#define OP_CHMOD "chmod"
#define OP_CHOWN "chown"
#define OP_GETATTR "getattr"
#define OP_OPEN "open"

/* operations on already-open files */
#define OP_FRECEIVE "file_receive"
#define OP_FPERM "file_perm"
#define OP_FLOCK "file_lock"
#define OP_FMMAP "file_mmap"
#define OP_FMPROT "file_mprotect"
#define OP_INHERIT "file_inherit"

/* mount namespace operations */
#define OP_PIVOTROOT "pivotroot"
#define OP_MOUNT "mount"
#define OP_UMOUNT "umount"

/* socket operations */
#define OP_CREATE "create"
#define OP_POST_CREATE "post_create"
#define OP_BIND "bind"
#define OP_CONNECT "connect"
#define OP_LISTEN "listen"
#define OP_ACCEPT "accept"
#define OP_SENDMSG "sendmsg"
#define OP_RECVMSG "recvmsg"
#define OP_GETSOCKNAME "getsockname"
#define OP_GETPEERNAME "getpeername"
#define OP_GETSOCKOPT "getsockopt"
#define OP_SETSOCKOPT "setsockopt"
#define OP_SHUTDOWN "socket_shutdown"

/* task-to-task operations */
#define OP_PTRACE "ptrace"
#define OP_SIGNAL "signal"

/* domain transition on exec */
#define OP_EXEC "exec"

/* explicit domain / profile changes */
#define OP_CHANGE_HAT "change_hat"
#define OP_CHANGE_PROFILE "change_profile"
#define OP_CHANGE_ONEXEC "change_onexec"
#define OP_STACK "stack"
#define OP_STACK_ONEXEC "stack_onexec"

/* process attribute changes */
#define OP_SETPROCATTR "setprocattr"
#define OP_SETRLIMIT "setrlimit"

/* policy management */
#define OP_PROF_REPL "profile_replace"
#define OP_PROF_LOAD "profile_load"
#define OP_PROF_RM "profile_remove"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106)
/**
 * struct apparmor_audit_data - AppArmor-specific payload of an audit record
 * @error: error code recorded for the record; written by aa_audit_error()
 * @type: record kind; NOTE(review): presumably an enum audit_type value,
 *        confirm against the users in the implementation
 * @op: operation name, one of the OP_* strings (may be OP_NULL, i.e. NULL)
 * @label: label the record is about (borrowed reference, not owned)
 * @name: primary object name for the record
 * @info: free-form informational text for the record
 * @request: permission bits; the names suggest "requested" and "denied"
 *           masks — confirm the exact encoding with the callers
 * @denied: see @request
 *
 * Instances are declared as automatic variables by DEFINE_AUDIT_DATA(), so
 * every pointer member is a borrowed reference that must stay valid for
 * the duration of the audit call; nothing in this header frees them.
 *
 * The trailing union is untagged: the struct does not record which member
 * is live, so the operation-specific callback supplied by the caller has
 * to know. The signal member pair is an anonymous struct and is reached
 * directly as aad->signal / aad->unmappedsig.
 */
struct apparmor_audit_data {
	int error;
	int type;
	const char *op;
	struct aa_label *label;
	const char *name;
	const char *info;
	u32 request;
	u32 denied;
	union {
		/* these entries require a custom callback fn */
		struct {
			struct aa_label *peer;		/* the other party's label */
			union {
				struct {
					const char *target;	/* second path, e.g. link/rename target (per the name) */
					kuid_t ouid;		/* kernel-internal owner uid (per the name) */
				} fs;
				struct {
					int rlim;		/* resource index (RLIMIT_*, presumably) */
					unsigned long max;	/* limit value being set */
				} rlim;
				struct {
					int signal;		/* signal number as mapped by policy */
					int unmappedsig;	/* original signal number before mapping (per the name) */
				};
				struct {
					int type, protocol;	/* socket type and protocol */
					struct sock *peer_sk;	/* peer socket, if any */
					void *addr;		/* raw address bytes; only @addrlen of them are valid */
					int addrlen;		/* NOTE(review): signed — consumers should reject < 0 */
				} net;
			};
		};
		struct {
			struct aa_profile *profile;	/* profile being loaded/replaced/removed (per OP_PROF_*) */
			const char *ns;			/* namespace name, presumably */
			long pos;			/* offset into the policy data, presumably */
		} iface;
		struct {
			const char *src_name;		/* mount source */
			const char *type;		/* filesystem type */
			const char *trans;		/* transition / propagation info (per the name) */
			const char *data;		/* mount options string */
			unsigned long flags;		/* mount flags */
		} mnt;
	};
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155)
/* macros for dealing with apparmor_audit_data structure */

/*
 * aad - reach the AppArmor payload hung off a common_audit_data pointer SA.
 * Evaluates SA exactly once. SA must carry the pointer installed by
 * DEFINE_AUDIT_DATA(); a NULL apparmor_audit_data is dereferenced blindly.
 */
#define aad(SA) ((SA)->apparmor_audit_data)

/*
 * DEFINE_AUDIT_DATA - declare and link a pair of audit-data variables.
 * @NAME: identifier of the struct common_audit_data to declare
 * @T: LSM audit data type stored in NAME.type
 * @X: operation name stored in NAME_aad.op (one of the OP_* strings)
 *
 * Declares NAME##_aad (AppArmor payload) and NAME (LSM audit data) as
 * automatic variables, zero-initialising every member not named in the
 * designated initialisers, then points NAME.apparmor_audit_data at the
 * payload. The last line is an assignment statement, so the macro is only
 * usable where statements are allowed (not at file scope) and the caller
 * supplies the terminating semicolon. .u.tsk is cleared explicitly so the
 * LSM-side union starts out NULL.
 */
#define DEFINE_AUDIT_DATA(NAME, T, X) \
	/* TODO: cleanup audit init so we don't need _aad = {0,} */ \
	struct apparmor_audit_data NAME ## _aad = { .op = (X), }; \
	struct common_audit_data NAME = \
	{ \
	.type = (T), \
	.u.tsk = NULL, \
	}; \
	NAME.apparmor_audit_data = &(NAME ## _aad)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167)
/*
 * aa_audit_msg - emit one audit record for @sa
 * @type: enum audit_type value selecting the record kind
 * @sa: LSM audit data; presumably aad(@sa) must point at a valid
 *      apparmor_audit_data, as aa_audit_error() dereferences it
 * @cb: callback that appends operation-specific fields to the audit buffer
 *      (whether a NULL @cb is accepted is not visible in this header)
 */
void aa_audit_msg(int type, struct common_audit_data *sa,
		  void (*cb) (struct audit_buffer *, void *));
/*
 * aa_audit - audit an access decision in the context of @profile
 * @type: enum audit_type value for the record
 * @profile: profile whose settings govern how the record is handled
 * @sa: LSM audit data, as for aa_audit_msg()
 * @cb: operation-specific callback, as for aa_audit_msg()
 *
 * Returns an int; NOTE(review): the contract (presumably the error the
 * caller should propagate) is defined by the implementation, not here.
 */
int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
	     void (*cb) (struct audit_buffer *, void *));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172)
/*
 * aa_audit_error - record ERROR in SA, emit an AUDIT_APPARMOR_ERROR record
 * and evaluate to the stored error, so callers can write
 * `return aa_audit_error(err, &sa, cb);`.
 *
 * The result is re-read from aad(SA)->error after aa_audit_msg() returns,
 * so it reflects any change the implementation makes to that field.
 * SA is expanded three times: pass a side-effect-free expression.
 * GNU statement-expression; this header is kernel-only so that is fine.
 */
#define aa_audit_error(ERROR, SA, CB) \
({ \
	aad((SA))->error = (ERROR); \
	aa_audit_msg(AUDIT_APPARMOR_ERROR, (SA), (CB)); \
	aad((SA))->error; \
})
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180)
/*
 * complain_error - collapse a permission denial to success
 * @error: negative errno produced by a permission check
 *
 * Intended for complain (non-enforcing) handling, as the name says: a
 * denial is logged but not enforced, so -EPERM and -EACCES become 0.
 * Every other value, including genuine failures such as -ENOMEM and
 * any positive value, is returned unchanged. Callers are responsible for
 * only applying this on a complain-mode path; it must never be used to
 * soften a decision that should be enforced.
 *
 * Returns: 0 for -EPERM or -EACCES, otherwise @error.
 */
static inline int complain_error(int error)
{
	switch (error) {
	case -EPERM:
	case -EACCES:
		return 0;
	default:
		return error;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187)
/*
 * Audit-filter rule hooks (the LSM audit_rule_* interface). Rules come
 * from userspace audit configuration, so the implementation must validate
 * @field, @op and @rulestr rather than trust them.
 *
 * aa_audit_rule_free: release a rule produced by aa_audit_rule_init();
 *     takes the opaque pointer stored in *vrule by that call.
 * aa_audit_rule_init: build an AppArmor rule from (@field, @op, @rulestr)
 *     and store it in *@vrule. Returns 0 or a negative errno (kernel
 *     convention — confirm in the implementation). @rulestr is non-const;
 *     NOTE(review): check whether the implementation modifies or retains it.
 * aa_audit_rule_known: report whether @rule contains fields AppArmor
 *     handles (presumably; the exact predicate lives in the implementation).
 * aa_audit_rule_match: test the secid @sid against an initialised @vrule
 *     for the comparison (@field, @op).
 */
void aa_audit_rule_free(void *vrule);
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
int aa_audit_rule_known(struct audit_krule *rule);
int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) #endif /* __AA_AUDIT_H */