/*
* Copyright (c) 1999-2008 NOVELL (All rights reserved)
* Copyright 2009-2010 Canonical Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2.1 of the GNU Lesser General
* Public License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef __LIBAALOGPARSE_H_
/*
 * NOTE(review): an identifier starting with a double underscore is reserved
 * for the C implementation; a future API-breaking release should rename this
 * guard (e.g. LIBAALOGPARSE_H).  Left unchanged here because downstream code
 * may test the macro by name.
 */
#define __LIBAALOGPARSE_H_
/*
 * Access-mode flag bits.  Each is a distinct single bit so they can be OR-ed
 * together; presumably these are the bits carried in aa_log_record.bitmask
 * (TODO confirm against the parser).
 */
#define AA_RECORD_EXEC_MMAP 1	/* execute via mmap */
#define AA_RECORD_READ 2	/* read */
#define AA_RECORD_WRITE 4	/* write */
#define AA_RECORD_EXEC 8	/* execute */
#define AA_RECORD_LINK 16	/* link */
/**
 * Enum representing which syntax version the log entry used.
 * Support for V1 parsing was completely removed in 2011 and that enum entry
 * is only still there for API compatibility reasons.
 *
 * The enumerators carry no explicit values, so their numeric values are
 * positional and part of the library ABI: do not reorder or insert entries.
 */
typedef enum
{
	AA_RECORD_SYNTAX_V1,		/* Legacy; no longer produced by the parser */
	AA_RECORD_SYNTAX_V2,		/* The syntax the parser currently understands */
	AA_RECORD_SYNTAX_UNKNOWN	/* Record could not be classified */
} aa_record_syntax_version;
/**
 * Kind of event a log record describes.
 *
 * Positional enumerators, so the numeric values are part of the library ABI:
 * do not reorder or insert entries.
 *
 * NOTE(review) for consumers doing detection/triage: AA_RECORD_ALLOWED is a
 * complain-mode event, i.e. the access was logged rather than blocked; only
 * AA_RECORD_DENIED means enforcement stopped it.  Do not treat ALLOWED as
 * "nothing happened".  AA_RECORD_INVALID is the default and is what an
 * unrecognised record is presumably left as — check for it before acting.
 */
typedef enum
{
	AA_RECORD_INVALID, /* Default event type */
	AA_RECORD_ERROR, /* Internal AA error */
	AA_RECORD_AUDIT, /* Audited event */
	AA_RECORD_ALLOWED, /* Complain mode event */
	AA_RECORD_DENIED, /* Denied access event */
	AA_RECORD_HINT, /* Process tracking info */
	AA_RECORD_STATUS /* Configuration change */
} aa_record_event_type;
/**
 * One parsed AppArmor log record, as returned by parse_record().
 *
 * Ownership: the struct and all of its char * members are released together
 * by free_record(); callers must not free members individually.
 *
 * NOTE(review): the string members are presumably copied out of the log line
 * being parsed, so they carry values the confined (possibly hostile) task
 * chose — path names, comm, peer names, D-Bus member names.  Consumers should
 * treat them as untrusted input: never pass one as a printf-style format
 * string, and escape before embedding in a shell command, HTML or SQL.
 * Members a given record does not carry are presumably left NULL/0 ("if
 * logged" below) — check before dereferencing.
 *
 * Layout is part of the library ABI: append new members only, never reorder.
 * Two members are named `namespace` and `class`, so this header cannot be
 * included from C++ without renaming them.
 */
typedef struct
{
	aa_record_syntax_version version;	/* Syntax version the record was parsed as */
	aa_record_event_type event;		/* Event type */
	unsigned long pid;			/* PID of the program logging the message */
	unsigned long peer_pid;			/* PID of the peer task, for events that have one */
	unsigned long task;			/* Undocumented upstream; TODO confirm meaning */
	unsigned long magic_token;		/* Undocumented upstream; TODO confirm meaning */
	long epoch;				/* example: 12345679 — presumably the leading part of audit_id */
	unsigned int audit_sub_id;		/* example: 12 — presumably the trailing part of audit_id */

	int bitmask;				/* Bitmask containing "r" "w" "x" etc; presumably an OR of AA_RECORD_* */
	char *audit_id;				/* example: 12345679.1234:12 */
	char *operation;			/* "Exec" "Ptrace", etc. */
	char *denied_mask;			/* "r", "w", etc. */
	char *requested_mask;			/* Permissions requested, same notation as denied_mask */
	unsigned long fsuid;			/* fsuid of task - if logged */
	unsigned long ouid;			/* ouid of task - if logged */
	char *profile;				/* The name of the profile */
	char *peer_profile;			/* Profile of the peer task, for events that have one */
	char *comm;				/* Command that triggered msg */
	char *name;				/* Primary object of the event (e.g. a path) — untrusted */
	char *name2;				/* Secondary object, for operations with two — untrusted */
	char *namespace;			/* Policy namespace, if logged */
	char *attribute;			/* Undocumented upstream; TODO confirm meaning */
	unsigned long parent;			/* Undocumented upstream; TODO confirm meaning */
	char *info;				/* Free-form additional information */
	char *peer_info;			/* Additional information about the peer */
	int error_code;				/* error_code returned if logged */
	char *active_hat;			/* Hat active within the profile, if logged */
	char *net_family;			/* Network events: address family */
	char *net_protocol;			/* Network events: protocol */
	char *net_sock_type;			/* Network events: socket type */
	char *net_local_addr;			/* Network events: local address */
	unsigned long net_local_port;		/* Network events: local port */
	char *net_foreign_addr;			/* Network events: remote address */
	unsigned long net_foreign_port;		/* Network events: remote port */

	char *dbus_bus;				/* D-Bus events: bus */
	char *dbus_path;			/* D-Bus events: object path */
	char *dbus_interface;			/* D-Bus events: interface */
	char *dbus_member;			/* D-Bus events: member (method/signal name) */
	char *signal; /* signal name */
	char *peer;				/* Peer label for signal and similar events — presumably */

	/* mount et al specific bits */
	char *fs_type;				/* Filesystem type */
	char *flags;				/* Mount flags, as logged */
	char *src_name;				/* Mount source */

	char *class;				/* The record's class= key, presumably (e.g. file, net) */

	char *net_addr;				/* Newer address members; relation to net_local_addr / */
	char *peer_addr;			/* net_foreign_addr is not stated here — TODO confirm */
	char *execpath;				/* Path of the executable, if logged — untrusted */
} aa_log_record;
/**
 * Parses a single log record string and returns a pointer to the parsed
 * data. It is the calling program's responsibility to free that struct
 * with free_record();
 *
 * @param[in] str Record to parse: one NUL-terminated log line. It is not
 *                modified. The line is untrusted input; the string members
 *                of the result are presumably copied from it and must be
 *                handled accordingly (see aa_log_record).
 * @return Parsed data, owned by the caller and released with free_record().
 *         NOTE(review): this header does not say what is returned for a
 *         malformed line or on allocation failure; callers should check for
 *         NULL and for event == AA_RECORD_INVALID (the default event type)
 *         before trusting the contents.
 */
aa_log_record *
parse_record(const char *str);
/**
 * Frees all struct data.
 * Releases the record and every string member it owns; the pointer must not
 * be used afterwards.
 * @param[in] record Data to free, as returned by parse_record().
 *                   NOTE(review): whether NULL is accepted is not stated in
 *                   this header — guard the call when a parse may have failed.
 */
void
free_record(aa_log_record *record);
#endif /* __LIBAALOGPARSE_H_ */