mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-08 18:31:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/management/libaalogparse/src/aalogparse.h
Matt Barringer 06faae5ec6 Added an audit_id field to the aa_log_record struct.
2007-07-09 19:08:02 +00:00

154 lines
4.2 KiB
C
Raw Blame History

/*
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
* NOVELL (All rights reserved)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc.
*/
#ifndef __LIBAALOGPARSE_H_
#define __LIBAALOGPARSE_H_
#define AA_RECORD_EXEC_MMAP 1
#define AA_RECORD_READ 2
#define AA_RECORD_WRITE 4
#define AA_RECORD_EXEC 8
#define AA_RECORD_LINK 16
/**
* This is just for convenience now that we have two
* wildly different grammars.
*/
typedef enum
{
AA_RECORD_SYNTAX_V1,
AA_RECORD_SYNTAX_V2,
AA_RECORD_SYNTAX_UNKNOWN
} aa_record_syntax_version;
typedef enum
{
AA_RECORD_INVALID, /* Default event type */
AA_RECORD_ERROR, /* Internal AA error */
AA_RECORD_AUDIT, /* Audited event */
AA_RECORD_ALLOWED, /* Complain mode event */
AA_RECORD_DENIED, /* Denied access event */
AA_RECORD_HINT, /* Process tracking info */
AA_RECORD_STATUS /* Configuration change */
} aa_record_event_type;
/**
* With the sole exception of active_hat, this is a 1:1
* mapping from the keys that the new syntax uses.
*
* Some examples of the old syntax and how they're mapped with the aa_log_record struct:
*
* "PERMITTING r access to /path (program_name(12345) profile /profile active hat)"
* - operation: access
* - requested_mask: r
* - pid: 12345
* - profile: /profile
* - name: /path
* - info: program_name
* - active_hat: hat
*
* "REJECTING mkdir on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out"
* - operation: mkdir
* - name: /path/to/something
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "REJECTING xattr set on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - operation: xattr
* - attribute: set
* - name: /path/to/something
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "PERMITTING attribute (something) change to /else (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - operation: setattr
* - attribute: something
* - name: /else
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "PERMITTING access to capability 'cap' (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - operation: capability
* - name: cap
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "LOGPROF-HINT unknown_hat TESTHAT pid=27764 profile=/change_hat_test/test_hat active=/change_hat_test/test_hat"
* - operation: change_hat
* - name: TESTHAT
* - info: unknown_hat
* - pid: 27764
* - profile: /change_hat_test/test_hat
* - active_hat: /change_hat_test/test_hat
*
* "LOGPROF-HINT fork pid=27764 child=38229"
* - operation: clone
* - task: 38229
* - pid: 27764
**/
typedef struct
{
aa_record_syntax_version version;
aa_record_event_type event; /* Event type */
long pid; /* PID of the program logging the message */
long task;
int bitmask; /* Bitmask containing "r" "w" "x" etc */
char *audit_id;
char *operation; /* "Exec" "Ptrace", etc. */
char *denied_mask; /* "r", "w", etc. */
char *requested_mask;
char *profile; /* The name of the profile */
char *name;
char *name2;
char *attribute;
char *parent;
char *magic_token;
char *info;
char *active_hat;
} aa_log_record;
/**
* Parses a single log record string and returns a pointer to the parsed
* data. It is the calling program's responsibility to free that struct
* with free_record();
* @param[in] Record to parse.
* @return Parsed data.
*/
aa_log_record *
parse_record(char *str);
/**
* Frees all struct data.
* @param[in] Data to free.
*/
void
free_record(aa_log_record *record);
#endif
Reference in a new issue View git blame Copy permalink