mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-11-26 00:40:55 +07:00
a269434d2f
This patch separates and audit message that only contains a dentry from one that contains a full path. This allows us to make it harder to misuse the interfaces or for the interfaces to be implemented wrong. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
153 lines
3.2 KiB
C
153 lines
3.2 KiB
C
/*
|
|
* Common LSM logging functions
|
|
* Heavily borrowed from selinux/avc.h
|
|
*
|
|
* Author : Etienne BASSET <etienne.basset@ensta.org>
|
|
*
|
|
* All credits to : Stephen Smalley, <sds@epoch.ncsc.mil>
|
|
* All BUGS to : Etienne BASSET <etienne.basset@ensta.org>
|
|
*/
|
|
#ifndef _LSM_COMMON_LOGGING_
|
|
#define _LSM_COMMON_LOGGING_
|
|
|
|
#include <linux/stddef.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/kdev_t.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/init.h>
|
|
#include <linux/audit.h>
|
|
#include <linux/in6.h>
|
|
#include <linux/path.h>
|
|
#include <linux/key.h>
|
|
#include <linux/skbuff.h>
|
|
#include <asm/system.h>
|
|
|
|
|
|
/* Auxiliary data to use in generating the audit record. */
|
|
struct common_audit_data {
|
|
char type;
|
|
#define LSM_AUDIT_DATA_PATH 1
|
|
#define LSM_AUDIT_DATA_NET 2
|
|
#define LSM_AUDIT_DATA_CAP 3
|
|
#define LSM_AUDIT_DATA_IPC 4
|
|
#define LSM_AUDIT_DATA_TASK 5
|
|
#define LSM_AUDIT_DATA_KEY 6
|
|
#define LSM_AUDIT_DATA_NONE 7
|
|
#define LSM_AUDIT_DATA_KMOD 8
|
|
#define LSM_AUDIT_DATA_INODE 9
|
|
#define LSM_AUDIT_DATA_DENTRY 10
|
|
struct task_struct *tsk;
|
|
union {
|
|
struct path path;
|
|
struct dentry *dentry;
|
|
struct inode *inode;
|
|
struct {
|
|
int netif;
|
|
struct sock *sk;
|
|
u16 family;
|
|
__be16 dport;
|
|
__be16 sport;
|
|
union {
|
|
struct {
|
|
__be32 daddr;
|
|
__be32 saddr;
|
|
} v4;
|
|
struct {
|
|
struct in6_addr daddr;
|
|
struct in6_addr saddr;
|
|
} v6;
|
|
} fam;
|
|
} net;
|
|
int cap;
|
|
int ipc_id;
|
|
struct task_struct *tsk;
|
|
#ifdef CONFIG_KEYS
|
|
struct {
|
|
key_serial_t key;
|
|
char *key_desc;
|
|
} key_struct;
|
|
#endif
|
|
char *kmod_name;
|
|
} u;
|
|
/* this union contains LSM specific data */
|
|
union {
|
|
#ifdef CONFIG_SECURITY_SMACK
|
|
/* SMACK data */
|
|
struct smack_audit_data {
|
|
const char *function;
|
|
char *subject;
|
|
char *object;
|
|
char *request;
|
|
int result;
|
|
} smack_audit_data;
|
|
#endif
|
|
#ifdef CONFIG_SECURITY_SELINUX
|
|
/* SELinux data */
|
|
struct {
|
|
u32 ssid;
|
|
u32 tsid;
|
|
u16 tclass;
|
|
u32 requested;
|
|
u32 audited;
|
|
u32 denied;
|
|
/*
|
|
* auditdeny is a bit tricky and unintuitive. See the
|
|
* comments in avc.c for it's meaning and usage.
|
|
*/
|
|
u32 auditdeny;
|
|
struct av_decision *avd;
|
|
int result;
|
|
} selinux_audit_data;
|
|
#endif
|
|
#ifdef CONFIG_SECURITY_APPARMOR
|
|
struct {
|
|
int error;
|
|
int op;
|
|
int type;
|
|
void *profile;
|
|
const char *name;
|
|
const char *info;
|
|
union {
|
|
void *target;
|
|
struct {
|
|
long pos;
|
|
void *target;
|
|
} iface;
|
|
struct {
|
|
int rlim;
|
|
unsigned long max;
|
|
} rlim;
|
|
struct {
|
|
const char *target;
|
|
u32 request;
|
|
u32 denied;
|
|
uid_t ouid;
|
|
} fs;
|
|
};
|
|
} apparmor_audit_data;
|
|
#endif
|
|
};
|
|
/* these callback will be implemented by a specific LSM */
|
|
void (*lsm_pre_audit)(struct audit_buffer *, void *);
|
|
void (*lsm_post_audit)(struct audit_buffer *, void *);
|
|
};
|
|
|
|
#define v4info fam.v4
|
|
#define v6info fam.v6
|
|
|
|
int ipv4_skb_to_auditdata(struct sk_buff *skb,
|
|
struct common_audit_data *ad, u8 *proto);
|
|
|
|
int ipv6_skb_to_auditdata(struct sk_buff *skb,
|
|
struct common_audit_data *ad, u8 *proto);
|
|
|
|
/* Initialize an LSM audit data structure. */
|
|
#define COMMON_AUDIT_DATA_INIT(_d, _t) \
|
|
{ memset((_d), 0, sizeof(struct common_audit_data)); \
|
|
(_d)->type = LSM_AUDIT_DATA_##_t; }
|
|
|
|
void common_lsm_audit(struct common_audit_data *a);
|
|
|
|
#endif
|