diff options
| author |   Ashlee Young <ashlee@wildernessvoice.com> | 2015-11-29 08:22:13 -0800 |
|---|---|---|
| committer | Ashlee Young <ashlee@wildernessvoice.com> | 2015-11-29 08:22:13 -0800 |
| commit | df5afa4fcd9725380f94ca6476248d4cc24f889a (patch) | |
| tree | 65456f62397305febf7f40778c5a413a35d094ef /framework/src/audit/lib | |
| parent | 76f6bf922552c00546e6e85ca471eab28f56986c (diff) | |
v2.4.4 audit sources
Change-Id: I9315a7408817db51edf084fb4d27fbb492785084
Signed-off-by: Ashlee Young <ashlee@wildernessvoice.com>
Diffstat (limited to 'framework/src/audit/lib')
35 files changed, 9197 insertions, 0 deletions
diff --git a/framework/src/audit/lib/Makefile.am b/framework/src/audit/lib/Makefile.am new file mode 100644 index 00000000..e2ed1019 --- /dev/null +++ b/framework/src/audit/lib/Makefile.am @@ -0,0 +1,265 @@ +# Makefile.am -- +# Copyright 2004-2009,2013-15 Red Hat Inc., Durham, North Carolina. +# All Rights Reserved. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Authors: +# Steve Grubb <sgrubb@redhat.com> +# + +SUBDIRS = test +CLEANFILES = $(BUILT_SOURCES) +CONFIG_CLEAN_FILES = *.loT *.rej *.orig +EXTRA_DIST = syscall-update.txt +VERSION_INFO = 1:0 +AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE +AM_CPPFLAGS = -I. -I${top_srcdir} -I${top_srcdir}/auparse + +pkgconfigdir = $(libdir)/pkgconfig +pkgconfig_DATA = audit.pc +DISTCLEANFILES = $(pkgconfig_DATA) + +lib_LTLIBRARIES = libaudit.la +include_HEADERS = libaudit.h +libaudit_la_SOURCES = libaudit.c message.c netlink.c \ + lookup_table.c audit_logging.c deprecated.c \ + strsplit.c dso.h private.h errormsg.h +libaudit_la_LIBADD = +libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h +libaudit_la_LDFLAGS = -Wl,-z,relro -version-info $(VERSION_INFO) +nodist_libaudit_la_SOURCES = $(BUILT_SOURCES) + +BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \ + ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \ + msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \ + s390x_tables.h x86_64_tables.h +if USE_ALPHA +BUILT_SOURCES += alpha_tables.h +endif +if USE_ARM +BUILT_SOURCES += arm_tables.h +endif +if USE_AARCH64 +BUILT_SOURCES += aarch64_tables.h +endif +noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \ + gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \ + gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \ + gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \ + gen_s390x_tables_h gen_x86_64_tables_h +if USE_ALPHA +noinst_PROGRAMS += gen_alpha_tables_h +endif +if USE_ARM +noinst_PROGRAMS += gen_arm_tables_h +endif +if USE_AARCH64 +noinst_PROGRAMS += gen_aarch64_tables_h +endif +gen_actiontabs_h_SOURCES = gen_tables.c gen_tables.h actiontab.h +gen_actiontabs_h_CFLAGS = '-DTABLE_H="actiontab.h"' +$(gen_actiontabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_actiontabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_actiontabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_actiontabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_actiontabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_actiontabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +actiontabs.h: gen_actiontabs_h Makefile + ./gen_actiontabs_h --lowercase --i2s --s2i action > $@ + +if USE_ALPHA +gen_alpha_tables_h_SOURCES = gen_tables.c gen_tables.h alpha_table.h +gen_alpha_tables_h_CFLAGS = '-DTABLE_H="alpha_table.h"' +$(gen_alpha_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_alpha_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_alpha_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_alpha_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_alpha_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_alpha_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +alpha_tables.h: gen_alpha_tables_h Makefile + ./gen_alpha_tables_h --lowercase --i2s --s2i alpha_syscall > $@ +endif + +if USE_ARM +gen_arm_tables_h_SOURCES = gen_tables.c gen_tables.h arm_table.h +gen_arm_tables_h_CFLAGS = '-DTABLE_H="arm_table.h"' +$(gen_arm_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_arm_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_arm_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_arm_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_arm_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_arm_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +arm_tables.h: gen_arm_tables_h Makefile + ./gen_arm_tables_h --lowercase --i2s --s2i arm_syscall > $@ +endif + +if USE_AARCH64 +gen_aarch64_tables_h_SOURCES = gen_tables.c gen_tables.h aarch64_table.h +gen_aarch64_tables_h_CFLAGS = '-DTABLE_H="aarch64_table.h"' +$(gen_aarch64_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_aarch64_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_aarch64_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_aarch64_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_aarch64_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_aarch64_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +aarch64_tables.h: gen_aarch64_tables_h Makefile + ./gen_aarch64_tables_h --lowercase --i2s --s2i aarch64_syscall > $@ +endif + +gen_errtabs_h_SOURCES = gen_tables.c gen_tables.h errtab.h +gen_errtabs_h_CFLAGS = '-DTABLE_H="errtab.h"' +$(gen_errtabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_errtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_errtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_errtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_errtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_errtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +errtabs.h: gen_errtabs_h Makefile + ./gen_errtabs_h --duplicate-ints --uppercase --i2s --s2i err > $@ + +gen_fieldtabs_h_SOURCES = gen_tables.c gen_tables.h fieldtab.h +gen_fieldtabs_h_CFLAGS = '-DTABLE_H="fieldtab.h"' +$(gen_fieldtabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_fieldtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_fieldtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_fieldtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_fieldtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_fieldtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +fieldtabs.h: gen_fieldtabs_h Makefile + ./gen_fieldtabs_h --duplicate-ints --lowercase --i2s --s2i field > $@ + +gen_flagtabs_h_SOURCES = gen_tables.c gen_tables.h flagtab.h +gen_flagtabs_h_CFLAGS = '-DTABLE_H="flagtab.h"' +$(gen_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +flagtabs.h: gen_flagtabs_h Makefile + ./gen_flagtabs_h --lowercase --i2s --s2i flag > $@ + +gen_ftypetabs_h_SOURCES = gen_tables.c gen_tables.h ftypetab.h +gen_ftypetabs_h_CFLAGS = '-DTABLE_H="ftypetab.h"' +$(gen_ftypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_ftypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_ftypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_ftypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_ftypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_ftypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +ftypetabs.h: gen_ftypetabs_h Makefile + ./gen_ftypetabs_h --lowercase --i2s --s2i ftype > $@ + +gen_i386_tables_h_SOURCES = gen_tables.c gen_tables.h i386_table.h +gen_i386_tables_h_CFLAGS = '-DTABLE_H="i386_table.h"' +$(gen_i386_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_i386_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_i386_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_i386_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_i386_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_i386_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +i386_tables.h: gen_i386_tables_h Makefile + ./gen_i386_tables_h --duplicate-ints --lowercase --i2s --s2i \ + i386_syscall > $@ + +gen_ia64_tables_h_SOURCES = gen_tables.c gen_tables.h ia64_table.h +gen_ia64_tables_h_CFLAGS = '-DTABLE_H="ia64_table.h"' +$(gen_ia64_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_ia64_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_ia64_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_ia64_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_ia64_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_ia64_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +ia64_tables.h: gen_ia64_tables_h Makefile + ./gen_ia64_tables_h --lowercase --i2s --s2i ia64_syscall > $@ + +gen_machinetabs_h_SOURCES = gen_tables.c gen_tables.h machinetab.h +gen_machinetabs_h_CFLAGS = '-DTABLE_H="machinetab.h"' +$(gen_machinetabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_machinetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_machinetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_machinetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_machinetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_machinetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +machinetabs.h: gen_machinetabs_h Makefile + ./gen_machinetabs_h --duplicate-ints --lowercase --i2s --s2i machine \ + > $@ + +gen_msg_typetabs_h_SOURCES = gen_tables.c gen_tables.h msg_typetab.h +gen_msg_typetabs_h_CFLAGS = '-DTABLE_H="msg_typetab.h"' +$(gen_msg_typetabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_msg_typetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_msg_typetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_msg_typetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_msg_typetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_msg_typetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +msg_typetabs.h: gen_msg_typetabs_h Makefile + ./gen_msg_typetabs_h --uppercase --i2s --s2i msg_type > $@ + +gen_optabs_h_SOURCES = gen_tables.c gen_tables.h optab.h +gen_optabs_h_CFLAGS = '-DTABLE_H="optab.h"' +$(gen_optabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_optabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_optabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_optabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_optabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_optabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +optabs.h: gen_optabs_h Makefile + ./gen_optabs_h --i2s op > $@ + +gen_ppc_tables_h_SOURCES = gen_tables.c gen_tables.h ppc_table.h +gen_ppc_tables_h_CFLAGS = '-DTABLE_H="ppc_table.h"' +$(gen_ppc_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_ppc_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_ppc_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_ppc_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_ppc_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_ppc_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +ppc_tables.h: gen_ppc_tables_h Makefile + ./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@ + +gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h +gen_s390_tables_h_CFLAGS = '-DTABLE_H="s390_table.h"' +$(gen_s390_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_s390_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_s390_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_s390_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_s390_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_s390_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +s390_tables.h: gen_s390_tables_h Makefile + ./gen_s390_tables_h --lowercase --i2s --s2i s390_syscall > $@ + +gen_s390x_tables_h_SOURCES = gen_tables.c gen_tables.h s390x_table.h +gen_s390x_tables_h_CFLAGS = '-DTABLE_H="s390x_table.h"' +$(gen_s390x_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_s390x_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_s390x_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_s390x_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_s390x_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_s390x_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +s390x_tables.h: gen_s390x_tables_h Makefile + ./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > $@ + +gen_x86_64_tables_h_SOURCES = gen_tables.c gen_tables.h x86_64_table.h +gen_x86_64_tables_h_CFLAGS = '-DTABLE_H="x86_64_table.h"' +$(gen_x86_64_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_x86_64_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_x86_64_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_x86_64_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_x86_64_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_x86_64_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +x86_64_tables.h: gen_x86_64_tables_h Makefile + ./gen_x86_64_tables_h --lowercase --i2s --s2i x86_64_syscall > $@ diff --git a/framework/src/audit/lib/aarch64_table.h b/framework/src/audit/lib/aarch64_table.h new file mode 100644 index 00000000..bf64b98a --- /dev/null +++ b/framework/src/audit/lib/aarch64_table.h @@ -0,0 +1,288 @@ +/* aarch64_table.h -- + * Copyright 2013-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(0, "io_setup") +_S(1, "io_destroy") +_S(2, "io_submit") +_S(3, "io_cancel") +_S(4, "io_getevents") +_S(5, "setxattr") +_S(6, "lsetxattr") +_S(7, "fsetxattr") +_S(8, "getxattr") +_S(9, "lgetxattr") +_S(10, "fgetxattr") +_S(11, "listxattr") +_S(12, "llistxattr") +_S(13, "flistxattr") +_S(14, "removexattr") +_S(15, "lremovexattr") +_S(16, "fremovexattr") +_S(17, "getcwd") +_S(18, "lookup_dcookie") +_S(19, "eventfd2") +_S(20, "epoll_create1") +_S(21, "epoll_ctl") +_S(22, "epoll_pwait") +_S(23, "dup") +_S(24, "dup3") +_S(25, "fcntl") +_S(26, "inotify_init1") +_S(27, "inotify_add_watch") +_S(28, "inotify_rm_watch") +_S(29, "ioctl") +_S(30, "ioprio_set") +_S(31, "ioprio_get") +_S(32, "flock") +_S(33, "mknodat") +_S(34, "mkdirat") +_S(35, "unlinkat") +_S(36, "symlinkat") +_S(37, "linkat") +_S(38, "renameat") +_S(39, "umount2") +_S(40, "mount") +_S(41, "pivot_root") +_S(42, "nfsservctl") +_S(43, "statfs") +_S(44, "fstatfs") +_S(45, "truncate") +_S(46, "ftruncate") +_S(47, "fallocate") +_S(48, "faccessat") +_S(49, "chdir") +_S(50, "fchdir") +_S(51, "chroot") +_S(52, "fchmod") +_S(53, "fchmodat") +_S(54, "fchownat") +_S(55, "fchown") +_S(56, "openat") +_S(57, "close") +_S(58, "vhangup") +_S(59, "pipe2") +_S(60, "quotactl") +_S(61, "getdents") +_S(62, "lseek") +_S(63, "read") +_S(64, "write") +_S(65, "readv") +_S(66, "writev") +_S(67, "pread") +_S(68, "pwrite") +_S(69, "preadv") +_S(70, "pwritev") +_S(71, "sendfile") +_S(72, "pselect6") +_S(73, "ppoll") +_S(74, "signalfd4") +_S(75, "vmsplice") +_S(76, "splice") +_S(77, "tee") +_S(78, "readlinkat") +_S(79, "newfstatat") +_S(80, "newfstat") +_S(81, "sync") +_S(82, "fsync") +_S(83, "fdatasync") +_S(84, "sync_file_range") +_S(85, "timerfd_create") +_S(86, "timerfd_settime") +_S(87, "timerfd_gettime") +_S(88, "utimensat") +_S(89, "acct") +_S(90, "capget") +_S(91, "capset") +_S(92, "personality") +_S(93, "exit") +_S(94, "exit_group") +_S(95, "waitid") +_S(96, "set_tid_address") +_S(97, "unshare") +_S(98, "futex") +_S(99, "set_robust_list") +_S(100, "get_robust_list") +_S(101, "nanosleep") +_S(102, "getitimer") +_S(103, "setitimer") +_S(104, "kexec_load") +_S(105, "init_module") +_S(106, "delete_module") +_S(107, "timer_create") +_S(108, "timer_gettime") +_S(109, "timer_getoverrun") +_S(110, "timer_settime") +_S(111, "timer_delete") +_S(112, "clock_settime") +_S(113, "clock_gettime") +_S(114, "clock_getres") +_S(115, "clock_nanosleep") +_S(116, "syslog") +_S(117, "ptrace") +_S(118, "sched_setparam") +_S(119, "sched_setscheduler") +_S(120, "sched_getscheduler") +_S(121, "sched_getparam") +_S(122, "sched_setaffinity") +_S(123, "sched_getaffinity") +_S(124, "sched_yield") +_S(125, "sched_get_priority_max") +_S(126, "sched_get_priority_min") +_S(127, "sched_rr_get_interval") +_S(128, "restart_syscall") +_S(129, "kill") +_S(130, "tkill") +_S(131, "tgkill") +_S(132, "sigaltstack") +_S(133, "rt_sigsuspend") +_S(134, "rt_sigaction") +_S(135, "rt_sigprocmask") +_S(136, "rt_sigpending") +_S(137, "rt_sigtimedwait") +_S(138, "rt_sigqueueinfo") +_S(139, "rt_sigreturn") +_S(140, "setpriority") +_S(141, "getpriority") +_S(142, "reboot") +_S(143, "setregid") +_S(144, "setgid") +_S(145, "setreuid") +_S(146, "setuid") +_S(147, "setresuid") +_S(148, "getresuid") +_S(149, "setresgid") +_S(150, "getresgid") +_S(151, "setfsuid") +_S(152, "setfsgid") +_S(153, "times") +_S(154, "setpgid") +_S(155, "getpgid") +_S(156, "getsid") +_S(157, "setsid") +_S(158, "getgroups") +_S(159, "setgroups") +_S(160, "uname") +_S(161, "sethostname") +_S(162, "setdomainname") +_S(163, "getrlimit") +_S(164, "setrlimit") +_S(165, "getrusage") +_S(166, "umask") +_S(167, "prctl") +_S(168, "getcpu") +_S(169, "gettimeofday") +_S(170, "settimeofday") +_S(171, "adjtimex") +_S(172, "getpid") +_S(173, "getppid") +_S(174, "getuid") +_S(175, "geteuid") +_S(176, "getgid") +_S(177, "getegid") +_S(178, "gettid") +_S(179, "sysinfo") +_S(180, "mq_open") +_S(181, "mq_unlink") +_S(182, "mq_timedsend") +_S(183, "mq_timedreceive") +_S(184, "mq_notify") +_S(185, "mq_getsetattr") +_S(186, "msgget") +_S(187, "msgctl") +_S(188, "msgrcv") +_S(189, "msgsnd") +_S(190, "semget") +_S(191, "semctl") +_S(192, "semtimedop") +_S(193, "semop") +_S(194, "shmget") +_S(195, "shmctl") +_S(196, "shmat") +_S(197, "shmdt") +_S(198, "socket") +_S(199, "socketpair") +_S(200, "bind") +_S(201, "listen") +_S(202, "accept") +_S(203, "connect") +_S(204, "getsockname") +_S(205, "getpeername") +_S(206, "sendto") +_S(207, "recvfrom") +_S(208, "setsockopt") +_S(209, "getsockopt") +_S(210, "shutdown") +_S(211, "sendmsg") +_S(212, "recvmsg") +_S(213, "readahead") +_S(214, "brk") +_S(215, "munmap") +_S(216, "mremap") +_S(217, "add_key") +_S(218, "request_key") +_S(219, "keyctl") +_S(220, "clone") +_S(221, "execve") +_S(222, "mmap") +_S(223, "fadvise64") +_S(224, "swapon") +_S(225, "swapoff") +_S(226, "mprotect") +_S(227, "msync") +_S(228, "mlock") +_S(229, "munlock") +_S(230, "mlockall") +_S(231, "munlockall") +_S(232, "mincore") +_S(233, "madvise") +_S(234, "remap_file_pages") +_S(235, "mbind") +_S(236, "get_mempolicy") +_S(237, "set_mempolicy") +_S(238, "migrate_pages") +_S(239, "move_pages") +_S(240, "rt_tgsigqueueinfo") +_S(241, "perf_event_open") +_S(242, "accept4") +_S(243, "recvmmsg") +_S(260, "wait4") +_S(261, "prlimit64") +_S(262, "fanotify_init") +_S(263, "fanotify_mark") +_S(264, "name_to_handle_at") +_S(265, "open_by_handle_at") +_S(266, "clock_adjtime") +_S(267, "syncfs") +_S(268, "setns") +_S(269, "sendmmsg") +_S(270, "process_vm_readv") +_S(271, "process_vm_writev") +_S(272, "kcmp") +_S(273, "finit_module") +_S(274, "sched_setattr") +_S(275, "sched_getattr") +_S(276, "renameat2") +_S(277, "seccomp") +_S(278, "getrandom") +_S(279, "memfd_create") +_S(280, "bpf") +_S(281, "execveat") diff --git a/framework/src/audit/lib/actiontab.h b/framework/src/audit/lib/actiontab.h new file mode 100644 index 00000000..12744229 --- /dev/null +++ b/framework/src/audit/lib/actiontab.h @@ -0,0 +1,25 @@ +/* actiontab.h -- + * Copyright 2005,2006 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(AUDIT_NEVER, "never" ) +_S(AUDIT_POSSIBLE, "possible" ) +_S(AUDIT_ALWAYS, "always" ) diff --git a/framework/src/audit/lib/alpha_table.h b/framework/src/audit/lib/alpha_table.h new file mode 100644 index 00000000..c798f834 --- /dev/null +++ b/framework/src/audit/lib/alpha_table.h @@ -0,0 +1,453 @@ +/* alpha_table.h -- + * Copyright 2005-07,2010-12,2014 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(0, "osf_syscall") +_S(1, "exit") +_S(2, "fork") +_S(3, "read") +_S(4, "write") +_S(5, "osf_old_open") +_S(6, "close") +_S(7, "osf_wait4") +_S(8, "osf_old_creat") +_S(9, "link") +_S(10, "unlink") +_S(11, "osf_execve") +_S(12, "chdir") +_S(13, "fchdir") +_S(14, "mknod") +_S(15, "chmod") +_S(16, "chown") +_S(17, "brk") +_S(18, "osf_getfsstat") +_S(19, "lseek") +_S(20, "getxpid") +_S(21, "osf_mount") +_S(22, "umount") +_S(23, "setuid") +_S(24, "getxuid") +_S(25, "exec_with_loader") +_S(26, "ptrace") +_S(27, "osf_nrecvmsg") +_S(28, "osf_nsendmsg") +_S(29, "osf_nrecvfrom") +_S(30, "osf_naccept") +_S(31, "osf_ngetpeername") +_S(32, "osf_ngetsockname") +_S(33, "access") +_S(34, "osf_chflags") +_S(35, "osf_fchflags") +_S(36, "sync") +_S(37, "kill") +_S(38, "osf_old_stat") +_S(39, "setpgid") +_S(40, "osf_old_lstat") +_S(41, "dup") +_S(42, "pipe") +_S(43, "osf_set_program_attributes") +_S(44, "osf_profil") +_S(45, "open") +_S(46, "osf_old_sigaction") +_S(47, "getxgid") +_S(48, "osf_sigprocmask") +_S(49, "osf_getlogin") +_S(50, "osf_setlogin") +_S(51, "acct") +_S(52, "sigpending") + +_S(54, "ioctl") +_S(55, "osf_reboot") +_S(56, "osf_revoke") +_S(57, "symlink") +_S(58, "readlink") +_S(59, "execve") +_S(60, "umask") +_S(61, "chroot") +_S(62, "osf_old_fstat") +_S(63, "getpgrp") +_S(64, "getpagesize") +_S(65, "osf_mremap") +_S(66, "vfork") +_S(67, "stat") +_S(68, "lstat") +_S(69, "osf_sbrk") +_S(70, "osf_sstk") +_S(71, "mmap") +_S(72, "osf_old_vadvise") +_S(73, "munmap") +_S(74, "mprotect") +_S(75, "madvise") +_S(76, "vhangup") +_S(77, "osf_kmodcall") +_S(78, "osf_mincore") +_S(79, "getgroups") +_S(80, "setgroups") +_S(81, "osf_old_getpgrp") +_S(82, "setpgrp") +_S(83, "osf_setitimer") +_S(84, "osf_old_wait") +_S(85, "osf_table") +_S(86, "osf_getitimer") +_S(87, "gethostname") +_S(88, "sethostname") +_S(89, "getdtablesize") +_S(90, "dup2") +_S(91, "fstat") +_S(92, "fcntl") +_S(93, "osf_select") +_S(94, "poll") +_S(95, "fsync") +_S(96, "setpriority") +_S(97, "socket") +_S(98, "connect") +_S(99, "accept") +_S(100, "getpriority") +_S(101, "send") +_S(102, "recv") +_S(103, "sigreturn") +_S(104, "bind") +_S(105, "setsockopt") +_S(106, "listen") +_S(107, "osf_plock") +_S(108, "osf_old_sigvec") +_S(109, "osf_old_sigblock") +_S(110, "osf_old_sigsetmask") +_S(111, "sigsuspend") +_S(112, "osf_sigstack") +_S(113, "recvmsg") +_S(114, "sendmsg") +_S(115, "osf_old_vtrace") +_S(116, "osf_gettimeofday") +_S(117, "osf_getrusage") +_S(118, "getsockopt") + +_S(120, "readv") +_S(121, "writev") +_S(122, "osf_settimeofday") +_S(123, "fchown") +_S(124, "fchmod") +_S(125, "recvfrom") +_S(126, "setreuid") +_S(127, "setregid") +_S(128, "rename") +_S(129, "truncate") +_S(130, "ftruncate") +_S(131, "flock") +_S(132, "setgid") +_S(133, "sendto") +_S(134, "shutdown") +_S(135, "socketpair") +_S(136, "mkdir") +_S(137, "rmdir") +_S(138, "osf_utimes") +_S(139, "osf_old_sigreturn") +_S(140, "osf_adjtime") +_S(141, "getpeername") +_S(142, "osf_gethostid") +_S(143, "osf_sethostid") +_S(144, "getrlimit") +_S(145, "setrlimit") +_S(146, "osf_old_killpg") +_S(147, "setsid") +_S(148, "quotactl") +_S(149, "osf_oldquota") +_S(150, "getsockname") + +_S(153, "osf_pid_block") +_S(154, "osf_pid_unblock") + +_S(156, "sigaction") +_S(157, "osf_sigwaitprim") +_S(158, "osf_nfssvc") +_S(159, "osf_getdirentries") +_S(160, "osf_statfs") +_S(161, "osf_fstatfs") + +_S(163, "osf_asynch_daemon") +_S(164, "osf_getfh") +_S(165, "osf_getdomainname") +_S(166, "setdomainname") + +_S(169, "osf_exportfs") + +_S(181, "osf_alt_plock") + +_S(184, "osf_getmnt") + +_S(187, "osf_alt_sigpending") +_S(188, "osf_alt_setsid") + +_S(199, "osf_swapon") +_S(200, "msgctl") +_S(201, "msgget") +_S(202, "msgrcv") +_S(203, "msgsnd") +_S(204, "semctl") +_S(205, "semget") +_S(206, "semop") +_S(207, "osf_utsname") +_S(208, "lchown") +_S(209, "osf_shmat") +_S(210, "shmctl") +_S(211, "shmdt") +_S(212, "shmget") +_S(213, "osf_mvalid") +_S(214, "osf_getaddressconf") +_S(215, "osf_msleep") +_S(216, "osf_mwakeup") +_S(217, "msync") +_S(218, "osf_signal") +_S(219, "osf_utc_gettime") +_S(220, "osf_utc_adjtime") + +_S(222, "osf_security") +_S(223, "osf_kloadcall") + +_S(233, "getpgid") +_S(234, "getsid") +_S(235, "sigaltstack") +_S(236, "osf_waitid") +_S(237, "osf_priocntlset") +_S(238, "osf_sigsendset") +_S(239, "osf_set_speculative") +_S(240, "osf_msfs_syscall") +_S(241, "osf_sysinfo") +_S(242, "osf_uadmin") +_S(243, "osf_fuser") +_S(244, "osf_proplist_syscall") +_S(245, "osf_ntp_adjtime") +_S(246, "osf_ntp_gettime") +_S(247, "osf_pathconf") +_S(248, "osf_fpathconf") + +_S(250, "osf_uswitch") +_S(251, "osf_usleep_thread") +_S(252, "osf_audcntl") +_S(253, "osf_audgen") +_S(254, "sysfs") +_S(255, "osf_subsys_info") +_S(256, "osf_getsysinfo") +_S(257, "osf_setsysinfo") +_S(258, "osf_afs_syscall") +_S(259, "osf_swapctl") +_S(260, "osf_memcntl") +_S(261, "osf_fdatasync") + +_S(300, "bdflush") +_S(301, "sethae") +_S(302, "mount") +_S(303, "old_adjtimex") +_S(304, "swapoff") +_S(305, "getdents") +_S(306, "create_module") +_S(307, "init_module") +_S(308, "delete_module") +_S(309, "get_kernel_syms") +_S(310, "syslog") +_S(311, "reboot") +_S(312, "clone") +_S(313, "uselib") +_S(314, "mlock") +_S(315, "munlock") +_S(316, "mlockall") +_S(317, "munlockall") +_S(318, "sysinfo") +_S(319, "_sysctl") +/* 320 was sys_idle. */ +_S(321, "oldumount") +_S(322, "swapon") +_S(323, "times") +_S(324, "personality") +_S(325, "setfsuid") +_S(326, "setfsgid") +_S(327, "ustat") +_S(328, "statfs") +_S(329, "fstatfs") +_S(330, "sched_setparam") +_S(331, "sched_getparam") +_S(332, "sched_setscheduler") +_S(333, "sched_getscheduler") +_S(334, "sched_yield") +_S(335, "sched_get_priority_max") +_S(336, "sched_get_priority_min") +_S(337, "sched_rr_get_interval") +_S(338, "afs_syscall") +_S(339, "uname") +_S(340, "nanosleep") +_S(341, "mremap") +_S(342, "nfsservctl") +_S(343, "setresuid") +_S(344, "getresuid") +_S(345, "pciconfig_read") +_S(346, "pciconfig_write") +_S(347, "query_module") +_S(348, "prctl") +_S(349, "pread") +_S(350, "pwrite") +_S(351, "rt_sigreturn") +_S(352, "rt_sigaction") +_S(353, "rt_sigprocmask") +_S(354, "rt_sigpending") +_S(355, "rt_sigtimedwait") +_S(356, "rt_sigqueueinfo") +_S(357, "rt_sigsuspend") +_S(358, "select") +_S(359, "gettimeofday") +_S(360, "settimeofday") +_S(361, "getitimer") +_S(362, "setitimer") +_S(363, "utimes") +_S(364, "getrusage") +_S(365, "wait4") +_S(366, "adjtimex") +_S(367, "getcwd") +_S(368, "capget") +_S(369, "capset") +_S(370, "sendfile") +_S(371, "setresgid") +_S(372, "getresgid") +_S(373, "dipc") +_S(374, "pivot_root") +_S(375, "mincore") +_S(376, "pciconfig_iobase") +_S(377, "getdents64") +_S(378, "gettid") +_S(379, "readahead") +/* 380 is unused */ +_S(381, "tkill") +_S(382, "setxattr") +_S(383, "lsetxattr") +_S(384, "fsetxattr") +_S(385, "getxattr") +_S(386, "lgetxattr") +_S(387, "fgetxattr") +_S(388, "listxattr") +_S(389, "llistxattr") +_S(390, "flistxattr") +_S(391, "removexattr") +_S(392, "lremovexattr") +_S(393, "fremovexattr") +_S(394, "futex") +_S(395, "sched_setaffinity") +_S(396, "sched_getaffinity") +_S(397, "tuxcall") +_S(398, "io_setup") +_S(399, "io_destroy") +_S(400, "io_getevents") +_S(401, "io_submit") +_S(402, "io_cancel") +_S(405, "exit_group") +_S(406, "lookup_dcookie") +_S(407, "epoll_create") +_S(408, "epoll_ctl") +_S(409, "epoll_wait") +_S(410, "remap_file_pages") +_S(411, "set_tid_address") +_S(412, "restart_syscall") +_S(413, "fadvise64") +_S(424, "tgkill") +_S(425, "stat64") +_S(426, "lstat64") +_S(427, "fstat64") +_S(428, "vserver") +_S(429, "mbind") +_S(430, "get_mempolicy") +_S(431, "set_mempolicy") +_S(432, "mq_open") +_S(433, "mq_unlink") +_S(434, "mq_timedsend") +_S(435, "mq_timedreceive") +_S(436, "mq_notify") +_S(437, "mq_getsetattr") +_S(438, "waitid") +_S(439, "add_key") +_S(440, "request_key") +_S(441, "keyctl") +_S(442, "ioprio_set") +_S(443, "ioprio_get") +_S(444, "inotify_init") +_S(445, "inotify_add_watch") +_S(446, "inotify_rm_watch") +_S(447, "fdatasync") +_S(448, "kexec_load") +_S(449, "migrate_pages") +_S(450, "openat") +_S(451, "mkdirat") +_S(452, "mknodat") +_S(453, "fchownat") +_S(454, "futimesat") +_S(455, "fstatat64") +_S(456, "unlinkat") +_S(457, "renameat") +_S(458, "linkat") +_S(459, "symlinkat") +_S(460, "readlinkat") +_S(461, "fchmodat") +_S(462, "faccessat") +_S(463, "pselect6") +_S(464, "ppoll") +_S(465, "unshare") +_S(466, "set_robust_list") +_S(467, "get_robust_list") +_S(468, "splice") +_S(469, "sync_file_range") +_S(470, "tee") +_S(471, "vmsplice") +_S(472, "move_pages") +_S(473, "getcpu") +_S(474, "epoll_pwait") +_S(475, "utimensat") +_S(476, "signalfd") +_S(477, "timerfd") +_S(478, "eventfd") +_S(479, "recvmmsg") +_S(480, "fallocate") +_S(481, "timerfd_create") +_S(482, "timerfd_settime") +_S(483, "timerfd_gettime") +_S(484, "signalfd4") +_S(485, "eventfd2") +_S(486, "epoll_create1") +_S(487, "dup3") +_S(488, "pipe2") +_S(489, "inotify_init1") +_S(490, "preadv") +_S(491, "pwritev") +_S(492, "rt_tgsigqueueinfo") +_S(493, "perf_event_open") +_S(494, "fanotify_init") +_S(495, "fanotify_mark") +_S(496, "prlimit64") +_S(497, "name_to_handle_at") +_S(498, "open_by_handle_at") +_S(499, "clock_adjtime") +_S(500, "syncfs") +_S(501, "setns") +_S(502, "accept4") +_S(503, "sendmmsg") +_S(504, "process_vm_readv") +_S(505, "process_vm_writev") +_S(506, "kcmp") +_S(507, "finit_module") +_S(508, "sched_setattr") +_S(509, "sched_getattr") +_S(510, "renameat2") diff --git a/framework/src/audit/lib/arm_table.h b/framework/src/audit/lib/arm_table.h new file mode 100644 index 00000000..56a1c9fc --- /dev/null +++ b/framework/src/audit/lib/arm_table.h @@ -0,0 +1,373 @@ +/* arm_table.h -- + * Copyright 2009-10,2013-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ +_S(0, "restart_syscall") +_S(1, "exit") +_S(2, "fork") +_S(3, "read") +_S(4, "write") +_S(5, "open") +_S(6, "close") +_S(8, "creat") +_S(9, "link") +_S(10, "unlink") +_S(11, "execve") +_S(12, "chdir") +_S(13, "time") +_S(14, "mknod") +_S(15, "chmod") +_S(16, "lchown") +_S(19, "lseek") +_S(20, "getpid") +_S(21, "mount") +_S(22, "umount") +_S(23, "setuid") +_S(24, "getuid") +_S(25, "stime") +_S(26, "ptrace") +_S(27, "alarm") +_S(29, "pause") +_S(30, "utime") +_S(33, "access") +_S(34, "nice") +_S(36, "sync") +_S(37, "kill") +_S(38, "rename") +_S(39, "mkdir") +_S(40, "rmdir") +_S(41, "dup") +_S(42, "pipe") +_S(43, "times") +_S(45, "brk") +_S(46, "setgid") +_S(47, "getgid") +_S(49, "geteuid") +_S(50, "getegid") +_S(51, "acct") +_S(52, "umount2") +_S(54, "ioctl") +_S(55, "fcntl") +_S(57, "setpgid") +_S(60, "umask") +_S(61, "chroot") +_S(62, "ustat") +_S(63, "dup2") +_S(64, "getppid") +_S(65, "getpgrp") +_S(66, "setsid") +_S(67, "sigaction") +_S(70, "setreuid") +_S(71, "setregid") +_S(72, "sigsuspend") +_S(73, "sigpending") +_S(74, "sethostname") +_S(75, "setrlimit") +_S(76, "getrlimit") +_S(77, "getrusage") +_S(78, "gettimeofday") +_S(79, "settimeofday") +_S(80, "getgroups") +_S(81, "setgroups") +_S(82, "select") +_S(83, "symlink") +_S(85, "readlink") +_S(86, "uselib") +_S(87, "swapon") +_S(88, "reboot") +_S(89, "readdir") +_S(90, "mmap") +_S(91, "munmap") +_S(92, "truncate") +_S(93, "ftruncate") +_S(94, "fchmod") +_S(95, "fchown") +_S(96, "getpriority") +_S(97, "setpriority") +_S(99, "statfs") +_S(100, "fstatfs") +_S(102, "socketcall") +_S(103, "syslog") +_S(104, "setitimer") +_S(105, "getitimer") +_S(106, "stat") +_S(107, "lstat") +_S(108, "fstat") +_S(111, "vhangup") +_S(113, "syscall") +_S(114, "wait4") +_S(115, "swapoff") +_S(116, "sysinfo") +_S(117, "ipc") +_S(118, "fsync") +_S(119, "sigreturn") +_S(120, "clone") +_S(121, "setdomainname") +_S(122, "uname") +_S(124, "adjtimex") +_S(125, "mprotect") +_S(126, "sigprocmask") +_S(128, "init_module") +_S(129, "delete_module") +_S(131, "quotactl") +_S(132, "getpgid") +_S(133, "fchdir") +_S(134, "bdflush") +_S(135, "sysfs") +_S(136, "personality") +_S(138, "setfsuid") +_S(139, "setfsgid") +_S(140, "llseek") +_S(141, "getdents") +_S(142, "newselect") +_S(143, "flock") +_S(144, "msync") +_S(145, "readv") +_S(146, "writev") +_S(147, "getsid") +_S(148, "fdatasync") +_S(149, "sysctl") +_S(150, "mlock") +_S(151, "munlock") +_S(152, "mlockall") +_S(153, "munlockall") +_S(154, "sched_setparam") +_S(155, "sched_getparam") +_S(156, "sched_setscheduler") +_S(157, "sched_getscheduler") +_S(158, "sched_yield") +_S(159, "sched_get_priority_max") +_S(160, "sched_get_priority_min") +_S(161, "sched_rr_get_interval") +_S(162, "nanosleep") +_S(163, "mremap") +_S(164, "setresuid") +_S(165, "getresuid") +_S(168, "poll") +_S(169, "nfsservctl") +_S(170, "setresgid") +_S(171, "getresgid") +_S(172, "prctl") +_S(173, "rt_sigreturn") +_S(174, "rt_sigaction") +_S(175, "rt_sigprocmask") +_S(176, "rt_sigpending") +_S(177, "rt_sigtimedwait") +_S(178, "rt_sigqueueinfo") +_S(179, "rt_sigsuspend") +_S(180, "pread64") +_S(181, "pwrite64") +_S(182, "chown") +_S(183, "getcwd") +_S(184, "capget") +_S(185, "capset") +_S(186, "sigaltstack") +_S(187, "sendfile") +_S(190, "vfork") +_S(191, "ugetrlimit") +_S(192, "mmap2") +_S(193, "truncate64") +_S(194, "ftruncate64") +_S(195, "stat64") +_S(196, "lstat64") +_S(197, "fstat64") +_S(198, "lchown32") +_S(199, "getuid32") +_S(200, "getgid32") +_S(201, "geteuid32") +_S(202, "getegid32") +_S(203, "setreuid32") +_S(204, "setregid32") +_S(205, "getgroups32") +_S(206, "setgroups32") +_S(207, "fchown32") +_S(208, "setresuid32") +_S(209, "getresuid32") +_S(210, "setresgid32") +_S(211, "getresgid32") +_S(212, "chown32") +_S(213, "setuid32") +_S(214, "setgid32") +_S(215, "setfsuid32") +_S(216, "setfsgid32") +_S(217, "getdents64") +_S(218, "pivot_root") +_S(219, "mincore") +_S(220, "madvise") +_S(221, "fcntl64") +_S(224, "gettid") +_S(225, "readahead") +_S(226, "setxattr") +_S(227, "lsetxattr") +_S(228, "fsetxattr") +_S(229, "getxattr") +_S(230, "lgetxattr") +_S(231, "fgetxattr") +_S(232, "listxattr") +_S(233, "llistxattr") +_S(234, "flistxattr") +_S(235, "removexattr") +_S(236, "lremovexattr") +_S(237, "fremovexattr") +_S(238, "tkill") +_S(239, "sendfile64") +_S(240, "futex") +_S(241, "sched_setaffinity") +_S(242, "sched_getaffinity") +_S(243, "io_setup") +_S(244, "io_destroy") +_S(245, "io_getevents") +_S(246, "io_submit") +_S(247, "io_cancel") +_S(248, "exit_group") +_S(249, "lookup_dcookie") +_S(250, "epoll_create") +_S(251, "epoll_ctl") +_S(252, "epoll_wait") +_S(253, "remap_file_pages") +_S(256, "set_tid_address") +_S(257, "timer_create") +_S(258, "timer_settime") +_S(259, "timer_gettime") +_S(260, "timer_getoverrun") +_S(261, "timer_delete") +_S(262, "clock_settime") +_S(263, "clock_gettime") +_S(264, "clock_getres") +_S(265, "clock_nanosleep") +_S(266, "statfs64") +_S(267, "fstatfs64") +_S(268, "tgkill") +_S(269, "utimes") +_S(270, "fadvise64_64") +_S(271, "pciconfig_iobase") +_S(272, "pciconfig_read") +_S(273, "pciconfig_write") +_S(274, "mq_open") +_S(275, "mq_unlink") +_S(276, "mq_timedsend") +_S(277, "mq_timedreceive") +_S(278, "mq_notify") +_S(279, "mq_getsetattr") +_S(280, "waitid") +_S(281, "socket") +_S(282, "bind") +_S(283, "connect") +_S(284, "listen") +_S(285, "accept") +_S(286, "getsockname") +_S(287, "getpeername") +_S(288, "socketpair") +_S(289, "send") +_S(290, "sendto") +_S(291, "recv") +_S(292, "recvfrom") +_S(293, "shutdown") +_S(294, "setsockopt") +_S(295, "getsockopt") +_S(296, "sendmsg") +_S(297, "recvmsg") +_S(298, "semop") +_S(299, "semget") +_S(300, "semctl") +_S(301, "msgsnd") +_S(302, "msgrcv") +_S(303, "msgget") +_S(304, "msgctl") +_S(305, "shmat") +_S(306, "shmdt") +_S(307, "shmget") +_S(308, "shmctl") +_S(309, "add_key") +_S(310, "request_key") +_S(311, "keyctl") +_S(312, "semtimedop") +_S(313, "vserver") +_S(314, "ioprio_set") +_S(315, "ioprio_get") +_S(316, "inotify_init") +_S(317, "inotify_add_watch") +_S(318, "inotify_rm_watch") +_S(319, "mbind") +_S(320, "get_mempolicy") +_S(321, "set_mempolicy") +_S(322, "openat") +_S(323, "mkdirat") +_S(324, "mknodat") +_S(325, "fchownat") +_S(326, "futimesat") +_S(327, "fstatat64") +_S(328, "unlinkat") +_S(329, "renameat") +_S(330, "linkat") +_S(331, "symlinkat") +_S(332, "readlinkat") +_S(333, "fchmodat") +_S(334, "faccessat") +_S(337, "unshare") +_S(338, "set_robust_list") +_S(339, "get_robust_list") +_S(340, "splice") +_S(341, "sync_file_range") +_S(342, "tee") +_S(343, "vmsplice") +_S(344, "move_pages") +_S(345, "getcpu") +_S(347, "kexec_load") +_S(348, "utimensat") +_S(349, "signalfd") +_S(350, "timerfd_create") +_S(351, "eventfd") +_S(352, "fallocate") +_S(353, "timerfd_settime") +_S(354, "timerfd_gettime") +_S(355, "signalfd4") +_S(356, "eventfd2") +_S(357, "epoll_create1") +_S(358, "dup3") +_S(359, "pipe2") +_S(360, "inotify_init1") +_S(361, "preadv") +_S(362, "pwritev") +_S(363, "rt_tgsigqueueinfo") +_S(364, "perf_event_open") +_S(365, "recvmmsg") +_S(366, "accept4") +_S(367, "fanotify_init") +_S(368, "fanotify_mark") +_S(369, "prlimit64") +_S(370, "name_to_handle_at") +_S(371, "open_by_handle_at") +_S(372, "clock_adjtime") +_S(373, "syncfs") +_S(374, "sendmmsg") +_S(375, "setns") +_S(376, "process_vm_readv") +_S(377, "process_vm_writev") +_S(378, "kcmp") +_S(379, "finit_module") +_S(380, "sched_setattr") +_S(381, "sched_getattr") +_S(382, "renameat2") +_S(383, "seccomp") +_S(384, "getrandom") +_S(385, "memfd_create") +_S(386, "bpf") +_S(387, "execveat") diff --git a/framework/src/audit/lib/audit.pc.in b/framework/src/audit/lib/audit.pc.in new file mode 100644 index 00000000..140c919c --- /dev/null +++ b/framework/src/audit/lib/audit.pc.in @@ -0,0 +1,10 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ + +Name: libaudit +Description: Libraries needed for apps that use the kernel audit framework +Version: @VERSION@ +Libs: -L${libdir} -laudit +Cflags: -I${includedir} diff --git a/framework/src/audit/lib/audit_logging.c b/framework/src/audit/lib/audit_logging.c new file mode 100644 index 00000000..c9461061 --- /dev/null +++ b/framework/src/audit/lib/audit_logging.c @@ -0,0 +1,746 @@ +/* audit_logging.c -- + * Copyright 2005-2008,2010,2011,2013 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +#include "config.h" +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <unistd.h> +#include <sys/stat.h> +#include <errno.h> +#include <netinet/in.h> // inet6 addrlen +#include <netdb.h> // gethostbyname +#include <arpa/inet.h> // inet_ntop +#include <utmp.h> +#include <limits.h> // PATH_MAX + +#include "libaudit.h" +#include "private.h" + +#define TTY_PATH 32 +#define MAX_USER (UT_NAMESIZE * 2) + 8 + +// NOTE: The kernel fills in pid, uid, and loginuid of sender. Therefore, +// these routines do not need to send them. + +/* + * resolve's the hostname - caller must pass a INET6_ADDRSTRLEN byte buffer + * Returns string w/ numerical address, or "?" on failure + */ +static void _resolve_addr(char buf[], const char *host) +{ + struct addrinfo *ai; + struct addrinfo hints; + int e; + + buf[0] = '?'; + buf[1] = 0; + /* Short circuit this lookup if NULL, or empty */ + if (host == NULL || *host == 0) + return; + + memset(&hints, 0, sizeof(hints)); + hints.ai_flags = AI_ADDRCONFIG; + hints.ai_socktype = SOCK_STREAM; + + e = getaddrinfo(host, NULL, &hints, &ai); + if (e != 0) { + audit_msg(LOG_ERR, + "resolve_addr: cannot resolve hostname %s (%s)", + host, gai_strerror(e)); + return; + } + // What to do if more than 1 addr? + inet_ntop(ai->ai_family, ai->ai_family == AF_INET ? + (void *) &((struct sockaddr_in *)ai->ai_addr)->sin_addr : + (void *) &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, + buf, INET6_ADDRSTRLEN); + freeaddrinfo(ai); +} + +/* + * This function checks a string to see if it needs encoding. It + * return 1 if needed and 0 if not + */ +int audit_value_needs_encoding(const char *str, unsigned int size) +{ + unsigned int i; + + if (str == NULL) + return 0; + + for (i=0; i<size; i++) { + // we don't test for > 0x7f because str[] is signed. + if (str[i] == '"' || str[i] < 0x21 || str[i] == 0x7F) + return 1; + } + return 0; +} + +/* + * This function does encoding of "untrusted" names just like the kernel + */ +char *audit_encode_value(char *final, const char *buf, unsigned int size) +{ + unsigned int i; + char *ptr = final; + const char *hex = "0123456789ABCDEF"; + + if (final == NULL) + return NULL; + + if (buf == NULL) { + *final = 0; + return final; + } + + for (i=0; i<size; i++) { + *ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */ + *ptr++ = hex[buf[i] & 0x0F]; /* Lower nibble */ + } + *ptr = 0; + return final; +} + +char *audit_encode_nv_string(const char *name, const char *value, + unsigned int vlen) +{ + char *str; + + if (vlen == 0 && value) + vlen = strlen(value); + + if (value && audit_value_needs_encoding(value, vlen)) { + char *tmp = malloc(2*vlen + 1); + if (tmp) { + audit_encode_value(tmp, value, vlen); + if (asprintf(&str, "%s=%s", name, tmp) < 0) + str = NULL; + free(tmp); + } else + str = NULL; + } else + if (asprintf(&str, "%s=\"%s\"", name, value ? value : "?") < 0) + str = NULL; + return str; +} + +/* + * Get the executable's name + */ +static char *_get_exename(char *exename, int size) +{ + int res; + char tmp[PATH_MAX+1]; + + /* get the name of the current executable */ + if ((res = readlink("/proc/self/exe", tmp, PATH_MAX)) == -1) { + strcpy(exename, "\"?\""); + audit_msg(LOG_ERR, "get_exename: cannot determine executable"); + } else { + tmp[res] = '\0'; + if (audit_value_needs_encoding(tmp, res)) + return audit_encode_value(exename, tmp, res); + snprintf(exename, size, "\"%s\"", tmp); + } + return exename; +} + +/* + * Get the command line name + * NOTE: at the moment, this only escapes what the user sent + */ +static char *_get_commname(const char *comm, char *commname, unsigned int size) +{ + unsigned int len; + + if (comm == NULL) { + strcpy(commname, "\"?\""); + return commname; + } + + len = strlen(comm); + if (audit_value_needs_encoding(comm, len)) + audit_encode_value(commname, comm, len); + else + snprintf(commname, size, "\"%s\"", comm); + + return commname; +} + +static int check_ttyname(const char *ttyn) +{ + struct stat statbuf; + + if (lstat(ttyn, &statbuf) + || !S_ISCHR(statbuf.st_mode) + || (statbuf.st_nlink > 1 && strncmp(ttyn, "/dev/", 5))) { + audit_msg(LOG_ERR, "FATAL: bad tty %s", ttyn); + return 1; + } + return 0; +} + +static const char *_get_tty(char *tname, int size) +{ + int rc, i, found = 0; + + for (i=0; i<3 && !found; i++) { + rc = ttyname_r(i, tname, size); + if (rc == 0 && tname[0] != '\0') + found = 1; + } + + if (!found) + return NULL; + + if (check_ttyname(tname)) + return NULL; + + if (strncmp(tname, "/dev/", 5) == 0) + return &tname[5]; + + return tname; +} + +/* + * This function will log a message to the audit system using a predefined + * message format. This function should be used by all console apps that do + * not manipulate accounts or groups. + * + * audit_fd - The fd returned by audit_open + * type - type of message, ex: AUDIT_USER, AUDIT_USYS_CONFIG, AUDIT_USER_LOGIN + * message - the message being sent + * hostname - the hostname if known + * addr - The network address of the user + * tty - The tty of the user + * result - 1 is "success" and 0 is "failed" + * + * It returns the sequence number which is > 0 on success or <= 0 on error. + */ +int audit_log_user_message(int audit_fd, int type, const char *message, + const char *hostname, const char *addr, const char *tty, int result) +{ + char buf[MAX_AUDIT_MESSAGE_LENGTH]; + char addrbuf[INET6_ADDRSTRLEN]; + static char exename[PATH_MAX*2]=""; + char ttyname[TTY_PATH]; + const char *success; + int ret; + + if (audit_fd < 0) + return 0; + + if (result) + success = "success"; + else + success = "failed"; + + /* If hostname is empty string, make it NULL ptr */ + if (hostname && *hostname == 0) + hostname = NULL; + addrbuf[0] = 0; + if (addr == NULL || strlen(addr) == 0) + _resolve_addr(addrbuf, hostname); + else + strncat(addrbuf, addr, sizeof(addrbuf)-1); + + if (exename[0] == 0) + _get_exename(exename, sizeof(exename)); + if (tty == NULL) + tty = _get_tty(ttyname, TTY_PATH); + else if (*tty == 0) + tty = NULL; + + snprintf(buf, sizeof(buf), + "%s exe=%s hostname=%s addr=%s terminal=%s res=%s", + message, exename, + hostname ? hostname : "?", + addrbuf, + tty ? tty : "?", + success + ); + + errno = 0; + ret = audit_send_user_message( audit_fd, type, HIDE_IT, buf ); + if ((ret < 1) && errno == 0) + errno = ret; + return ret; +} + +/* + * This function will log a message to the audit system using a predefined + * message format. This function should be used by all console apps that do + * not manipulate accounts or groups and are executing a script. An example + * would be python or crond wanting to say what they are executing. + * + * audit_fd - The fd returned by audit_open + * type - type of message, ex: AUDIT_USER, AUDIT_USYS_CONFIG, AUDIT_USER_LOGIN + * message - the message being sent + * comm - the program command line name + * hostname - the hostname if known + * addr - The network address of the user + * tty - The tty of the user + * result - 1 is "success" and 0 is "failed" + * + * It returns the sequence number which is > 0 on success or <= 0 on error. + */ +int audit_log_user_comm_message(int audit_fd, int type, const char *message, + const char *comm, const char *hostname, const char *addr, + const char *tty, int result) +{ + char buf[MAX_AUDIT_MESSAGE_LENGTH]; + char addrbuf[INET6_ADDRSTRLEN]; + static char exename[PATH_MAX*2]=""; + char commname[PATH_MAX*2]; + char ttyname[TTY_PATH]; + const char *success; + int ret; + + if (audit_fd < 0) + return 0; + + if (result) + success = "success"; + else + success = "failed"; + + /* If hostname is empty string, make it NULL ptr */ + if (hostname && *hostname == 0) + hostname = NULL; + addrbuf[0] = 0; + if (addr == NULL || strlen(addr) == 0) + _resolve_addr(addrbuf, hostname); + else + strncat(addrbuf, addr, sizeof(addrbuf)-1); + if (exename[0] == 0) + _get_exename(exename, sizeof(exename)); + if (tty == NULL) + tty = _get_tty(ttyname, TTY_PATH); + else if (*tty == 0) + tty = NULL; + + _get_commname(comm, commname, sizeof(commname)); + + snprintf(buf, sizeof(buf), + "%s comm=%s exe=%s hostname=%s addr=%s terminal=%s res=%s", + message, commname, exename, + hostname ? hostname : "?", + addrbuf, + tty ? tty : "?", + success + ); + + errno = 0; + ret = audit_send_user_message( audit_fd, type, HIDE_IT, buf ); + if ((ret < 1) && errno == 0) + errno = ret; + return ret; +} + + +/* + * This function will log a message to the audit system using a predefined + * message format. It should be used for all account manipulation operations. + * Parameter usage is as follows: + * + * audit_fd - The fd returned by audit_open + * type - type of message: AUDIT_USER_CHAUTHTOK for changing any account + * attributes. + * pgname - program's name + * op - operation. "adding user", "changing finger info", "deleting group" + * name - user's account or group name. If not available use NULL. + * id - uid or gid that the operation is being performed on. This is used + * only when user is NULL. + * host - The hostname if known + * addr - The network address of the user + * tty - The tty of the user + * result - 1 is "success" and 0 is "failed" + * + * It returns the sequence number which is > 0 on success or <= 0 on error. + */ +int audit_log_acct_message(int audit_fd, int type, const char *pgname, + const char *op, const char *name, unsigned int id, + const char *host, const char *addr, const char *tty, int result) +{ + const char *success; + char buf[MAX_AUDIT_MESSAGE_LENGTH]; + char addrbuf[INET6_ADDRSTRLEN]; + static char exename[PATH_MAX*2] = ""; + char ttyname[TTY_PATH]; + int ret; + + if (audit_fd < 0) + return 0; + + if (result) + success = "success"; + else + success = "failed"; + + /* If hostname is empty string, make it NULL ptr */ + if (host && *host == 0) + host = NULL; + addrbuf[0] = 0; + if (addr == NULL || strlen(addr) == 0) + _resolve_addr(addrbuf, host); + else + strncat(addrbuf, addr, sizeof(addrbuf)-1); + + if (pgname == NULL) { + if (exename[0] == 0) + _get_exename(exename, sizeof(exename)); + } else if (pgname[0] != '"') + snprintf(exename, sizeof(exename), "\"%s\"", pgname); + else + snprintf(exename, sizeof(exename), "%s", pgname); + + if (tty == NULL) + tty = _get_tty(ttyname, TTY_PATH); + else if (*tty == 0) + tty = NULL; + + if (name && id == -1) { + char user[MAX_USER]; + const char *format; + size_t len; + + user[0] = 0; + strncat(user, name, MAX_USER-1); + len = strnlen(user, UT_NAMESIZE); + user[len] = 0; + if (audit_value_needs_encoding(name, len)) { + audit_encode_value(user, name, len); + format = + "op=%s acct=%s exe=%s hostname=%s addr=%s terminal=%s res=%s"; + } else + format = + "op=%s acct=\"%s\" exe=%s hostname=%s addr=%s terminal=%s res=%s"; + + snprintf(buf, sizeof(buf), format, + op, user, exename, + host ? host : "?", + addrbuf, + tty ? tty : "?", + success + ); + } else + snprintf(buf, sizeof(buf), + "op=%s id=%u exe=%s hostname=%s addr=%s terminal=%s res=%s", + op, id, exename, + host ? host : "?", + addrbuf, + tty ? tty : "?", + success + ); + + errno = 0; + ret = audit_send_user_message(audit_fd, type, REAL_ERR, buf); + if ((ret < 1) && errno == 0) + errno = ret; + return ret; +} + +/* + * This function will log a message to the audit system using a predefined + * message format. This function should be used by all apps that are SE Linux + * object managers. + * + * audit_fd - The fd returned by audit_open + * type - type of message, ex: AUDIT_USER, AUDIT_USYS_CONFIG, AUDIT_USER_LOGIN + * message - the message being sent + * hostname - the hostname if known + * addr - The network address of the user + * tty - The tty of the user + * uid - The auid of the person related to the avc message + * + * It returns the sequence number which is > 0 on success or <= 0 on error. + */ +int audit_log_user_avc_message(int audit_fd, int type, const char *message, + const char *hostname, const char *addr, const char *tty, uid_t uid) +{ + char buf[MAX_AUDIT_MESSAGE_LENGTH]; + char addrbuf[INET6_ADDRSTRLEN]; + static char exename[PATH_MAX*2] = ""; + char ttyname[TTY_PATH]; + int retval; + + if (audit_fd < 0) + return 0; + + /* If hostname is empty string, make it NULL ptr */ + if (hostname && *hostname == 0) + hostname = NULL; + addrbuf[0] = 0; + if (addr == NULL || strlen(addr) == 0) + _resolve_addr(addrbuf, hostname); + else + strncat(addrbuf, addr, sizeof(addrbuf)-1); + if (exename[0] == 0) + _get_exename(exename, sizeof(exename)); + if (tty == NULL) + tty = _get_tty(ttyname, TTY_PATH); + else if (*tty == 0) + tty = NULL; + + snprintf(buf, sizeof(buf), + "%s exe=%s sauid=%d hostname=%s addr=%s terminal=%s", + message, exename, uid, + hostname ? hostname : "?", + addrbuf, + tty ? tty : "?" + ); + + errno = 0; + retval = audit_send_user_message( audit_fd, type, REAL_ERR, buf ); + if (retval == -EPERM && getuid() != 0) { + syslog(LOG_ERR, "Can't send to audit system: %s %s", + audit_msg_type_to_name(type), buf); + return 0; + } + if ((retval < 1) && errno == 0) + errno = retval; + return retval; +} + +/* + * This function will log a message to the audit system using a predefined + * message format. It should be used for all SE linux user and role + * manipulation operations. + * Parameter usage is as follows: + * + * type - type of message: AUDIT_ROLE_ASSIGN/REMOVE for changing any SE Linux + * user or role attributes. + * pgname - program's name + * op - operation. "adding-user", "adding-role", "deleting-user", "deleting-role" + * name - user's account. If not available use NULL. + * id - uid that the operation is being performed on. This is used + * only when name is NULL. + * new_seuser - the new seuser that the login user is getting + * new_role - the new_role that the login user is getting + * new_range - the new mls range that the login user is getting + * old_seuser - the old seuser that the login usr had + * old_role - the old role that the login user had + * old_range - the old mls range that the login usr had + * host - The hostname if known + * addr - The network address of the user + * tty - The tty of the user + * result - 1 is "success" and 0 is "failed" + * + * It returns the sequence number which is > 0 on success or <= 0 on error. + */ +int audit_log_semanage_message(int audit_fd, int type, const char *pgname, + const char *op, const char *name, unsigned int id, + const char *new_seuser, const char *new_role, const char *new_range, + const char *old_seuser, const char *old_role, const char *old_range, + const char *host, const char *addr, + const char *tty, int result) +{ + const char *success; + char buf[MAX_AUDIT_MESSAGE_LENGTH]; + char addrbuf[INET6_ADDRSTRLEN]; + static char exename[PATH_MAX*2] = ""; + char ttyname[TTY_PATH]; + int ret; + + if (audit_fd < 0) + return 0; + + if (result) + success = "success"; + else + success = "failed"; + + /* If hostname is empty string, make it NULL ptr */ + if (host && *host == 0) + host = NULL; + addrbuf[0] = 0; + if (addr == NULL || strlen(addr) == 0) + _resolve_addr(addrbuf, host); + else + strncat(addrbuf, addr, sizeof(addrbuf)-1); + + if (pgname == NULL || strlen(pgname) == 0) { + if (exename[0] == 0) + _get_exename(exename, sizeof(exename)); + pgname = exename; + } + if (tty == NULL || strlen(tty) == 0) + tty = _get_tty(ttyname, TTY_PATH); + else if (*tty == 0) + tty = NULL; + + if (name && strlen(name) > 0) { + size_t len; + const char *format; + char user[MAX_USER]; + + user[0] = 0; + strncat(user, name, MAX_USER-1); + len = strnlen(user, UT_NAMESIZE); + user[len] = 0; + if (audit_value_needs_encoding(name, len)) { + audit_encode_value(user, name, len); + format = "op=%s acct=%s old-seuser=%s old-role=%s old-range=%s new-seuser=%s new-role=%s new-range=%s exe=%s hostname=%s addr=%s terminal=%s res=%s"; + } else + format = "op=%s acct=\"%s\" old-seuser=%s old-role=%s old-range=%s new-seuser=%s new-role=%s new-range=%s exe=%s hostname=%s addr=%s terminal=%s res=%s"; + snprintf(buf, sizeof(buf), format, op, user, + old_seuser && strlen(old_seuser) ? old_seuser : "?", + old_role && strlen(old_role) ? old_role : "?", + old_range && strlen(old_range) ? old_range : "?", + new_seuser && strlen(new_seuser) ? new_seuser : "?", + new_role && strlen(new_role) ? new_role : "?", + new_range && strlen(new_range) ? new_range : "?", + pgname, + host && strlen(host) ? host : "?", + addrbuf, + tty && strlen(tty) ? tty : "?", + success + ); + } else + snprintf(buf, sizeof(buf), + "op=%s id=%u old-seuser=%s old-role=%s old-range=%s new-seuser=%s new-role=%s new-range=%s exe=%s hostname=%s addr=%s terminal=%s res=%s", + op, id, + old_seuser && strlen(old_seuser) ? old_seuser : "?", + old_role && strlen(old_role) ? old_role : "?", + old_range && strlen(old_range) ? old_range : "?", + new_seuser && strlen(new_seuser) ? new_seuser : "?", + new_role && strlen(new_role) ? new_role : "?", + new_range && strlen(new_range) ? new_range : "?", + pgname, + host && strlen(host) ? host : "?", + addrbuf, + tty && strlen(tty) ? tty : "?", + success + ); + + errno = 0; + ret = audit_send_user_message(audit_fd, type, REAL_ERR, buf); + if ((ret < 1) && errno == 0) + errno = ret; + return ret; +} + +/* + * This function will log a message to the audit system using a predefined + * message format. This function should be used by all console apps that do + * not manipulate accounts or groups. + * + * audit_fd - The fd returned by audit_open + * type - type of message, ex: AUDIT_USER_CMD + * command - the command line being logged + * tty - The tty of the user + * result - 1 is "success" and 0 is "failed" + * + * It returns the sequence number which is > 0 on success or <= 0 on error. + */ +int audit_log_user_command(int audit_fd, int type, const char *command, + const char *tty, int result) +{ + char *p; + char buf[MAX_AUDIT_MESSAGE_LENGTH]; + char commname[PATH_MAX*2]; + char cwdname[PATH_MAX*2]; + char ttyname[TTY_PATH]; + char format[64]; + const char *success; + char *cmd; + int ret, cwdenc=0, cmdenc=0; + unsigned int len; + + if (audit_fd < 0) + return 0; + + if (result) + success = "success"; + else + success = "failed"; + + if (tty == NULL) + tty = _get_tty(ttyname, TTY_PATH); + else if (*tty == 0) + tty = NULL; + + /* Trim leading spaces */ + while (*command == ' ') + command++; + + cmd = strdup(command); + if (cmd == NULL) + return -1; + + // We borrow the commname buffer + if (getcwd(commname, PATH_MAX) == NULL) + strcpy(commname, "?"); + len = strlen(commname); + if (audit_value_needs_encoding(commname, len)) { + audit_encode_value(cwdname, commname, len); + cwdenc = 1; + } else + strcpy(cwdname, commname); + + len = strlen(cmd); + // Trim the trailing carriage return and spaces + while (len && (cmd[len-1] == 0x0A || cmd[len-1] == ' ')) { + cmd[len-1] = 0; + len--; + } + + if (len >= PATH_MAX) { + cmd[PATH_MAX] = 0; + len = PATH_MAX-1; + } + if (audit_value_needs_encoding(cmd, len)) { + audit_encode_value(commname, cmd, len); + cmdenc = 1; + } + if (cmdenc == 0) + strcpy(commname, cmd); + free(cmd); + + // Make the format string + if (cwdenc) + p=stpcpy(format, "cwd=%s "); + else + p=stpcpy(format, "cwd=\"%s\" "); + + if (cmdenc) + p = stpcpy(p, "cmd=%s "); + else + p = stpcpy(p, "cmd=\"%s\" "); + + strcpy(p, "terminal=%s res=%s"); + + // now use the format string to make the event + snprintf(buf, sizeof(buf), format, + cwdname, commname, + tty ? tty : "?", + success + ); + + errno = 0; + ret = audit_send_user_message( audit_fd, type, HIDE_IT, buf ); + if ((ret < 1) && errno == 0) + errno = ret; + return ret; +} + diff --git a/framework/src/audit/lib/deprecated.c b/framework/src/audit/lib/deprecated.c new file mode 100644 index 00000000..2238e791 --- /dev/null +++ b/framework/src/audit/lib/deprecated.c @@ -0,0 +1,77 @@ +/* deprecated.c -- This file is the trash heap of things about to leave + * Copyright 2006-07,2009 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +#include "config.h" +#include <errno.h> +#include <string.h> +#include <pwd.h> +#include <grp.h> +#include <ctype.h> +#include <stdlib.h> +#include <unistd.h> + +#include "libaudit.h" +#include "private.h" + +/* + * This function will send a user space message to the kernel. + * It returns the sequence number which is > 0 on success + * or <= 0 on error. (pam uses this) This is the main audit sending + * function now. + */ +int audit_send_user_message(int fd, int type, hide_t hide_error, + const char *message) +{ + int retry_cnt = 0; + int rc; +retry: + rc = audit_send(fd, type, message, strlen(message)+1); + if (rc == -ECONNREFUSED) { + /* This is here to let people that build their own kernel + and disable the audit system get in. ECONNREFUSED is + issued by the kernel when there is "no on listening". */ + return 0; + } else if (rc == -EPERM && getuid() != 0 && hide_error == HIDE_IT) { + /* If we get this, then the kernel supports auditing + * but we don't have enough privilege to write to the + * socket. Therefore, we have already been authenticated + * and we are a common user. Just act as though auditing + * is not enabled. Any other error we take seriously. + * This is here basically to satisfy Xscreensaver. */ + return 0; + } else if (rc == -EINVAL) { + /* If we get this, the kernel doesn't understand the + * netlink message type. This is most likely due to + * being an old kernel. Use the old message type. */ + if (type >= AUDIT_FIRST_USER_MSG && + type <= AUDIT_LAST_USER_MSG && !retry_cnt) { + + /* do retry */ + type = AUDIT_USER; + retry_cnt++; + goto retry; + } + } + return rc; +} +hidden_def(audit_send_user_message) + diff --git a/framework/src/audit/lib/dso.h b/framework/src/audit/lib/dso.h new file mode 100644 index 00000000..662b521b --- /dev/null +++ b/framework/src/audit/lib/dso.h @@ -0,0 +1,45 @@ +/* dso.h -- + * Copyright 2005,2006,2009 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ +#ifndef _DSO_H_ +#define _DSO_H_ + +#ifdef PIC +# define hidden __attribute__ ((visibility ("hidden"))) +# define hidden_proto(fct) __hidden_proto (fct, fct##_internal) +# define __hidden_proto(fct, internal) \ + extern __typeof (fct) internal; \ + extern __typeof (fct) fct __asm (#internal) hidden; +# if defined(__alpha__) || defined(__mips__) +# define hidden_def(fct) \ + asm (".globl " #fct "\n" #fct " = " #fct "_internal"); +# else +# define hidden_def(fct) \ + asm (".globl " #fct "\n.set " #fct ", " #fct "_internal"); +#endif +#else +# define hidden +# define hidden_proto(fct) +# define hidden_def(fct) +#endif + +#endif + diff --git a/framework/src/audit/lib/errormsg.h b/framework/src/audit/lib/errormsg.h new file mode 100644 index 00000000..a4fea664 --- /dev/null +++ b/framework/src/audit/lib/errormsg.h @@ -0,0 +1,66 @@ +/* errormsg.h -- + * Copyright 2008 FUJITSU Inc. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Zhang Xiliang <zhangxiliang@cn.fujitsu.com> + */ + +struct msg_tab { + int key; /* error number */ + /* + * the field string position in the error message + * 0: don't output field string + * 1: output field string before error message + * 2: output field string after error message + */ + int position; + const char *cvalue; +}; + +#ifndef NO_TABLES +static const struct msg_tab err_msgtab[] = { + { -1, 2, "-F missing operation for" }, + { -2, 2, "-F unknown field:" }, + { -3, 1, "must be before -S" }, + { -4, 1, "machine type not found" }, + { -5, 1, "elf mapping not found" }, + { -6, 1, "requested bit level not supported by machine" }, + { -7, 1, "can only be used with exit filter list" }, + { -8, 2, "-F unknown message type -" }, + { -9, 0, "msgtype field can only be used with exclude filter list" }, + { -10, 0, "Failed upgrading rule" }, + { -11, 0, "String value too long" }, + { -12, 0, "Only msgtype field can be used with exclude filter" }, + { -13, 1, "only takes = or != operators" }, + { -14, 0, "Permission can only contain \'rwxa\'" }, + { -15, 2, "-F unknown errno -"}, + { -16, 2, "-F unknown file type - " }, + { -17, 1, "can only be used with exit and entry filter list" }, + { -18, 1, "" }, // Unused + { -19, 0, "Key field needs a watch or syscall given prior to it" }, + { -20, 2, "-F missing value after operation for" }, + { -21, 2, "-F value should be number for" }, + { -22, 2, "-F missing field name before operator for" }, + { -23, 2, "" }, // Unused + { -24, 2, "-C missing field name before operator for" }, + { -25, 2, "-C missing value after operation for "}, + { -26, 2, "-C unknown field:" }, + { -27, 2, "-C unknown right hand value for comparison with:" }, + { -28, 2, "Too many fields in rule" }, +}; +#endif diff --git a/framework/src/audit/lib/errtab.h b/framework/src/audit/lib/errtab.h new file mode 100644 index 00000000..f777d79d --- /dev/null +++ b/framework/src/audit/lib/errtab.h @@ -0,0 +1,154 @@ +/* errtab.h -- + * Copyright 2007 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(EPERM, "EPERM" ) +_S(ENOENT, "ENOENT" ) +_S(ESRCH, "ESRCH" ) +_S(EINTR, "EINTR" ) +_S(EIO, "EIO" ) +_S(ENXIO, "ENXIO" ) +_S(E2BIG, "E2BIG" ) +_S(ENOEXEC, "ENOEXEC" ) +_S(EBADF, "EBADF" ) +_S(ECHILD, "ECHILD" ) +_S(EAGAIN, "EAGAIN" ) +_S(ENOMEM, "ENOMEM" ) +_S(EACCES, "EACCES" ) +_S(EFAULT, "EFAULT" ) +_S(ENOTBLK, "ENOTBLK" ) +_S(EBUSY, "EBUSY" ) +_S(EEXIST, "EEXIST" ) +_S(EXDEV, "EXDEV" ) +_S(ENODEV, "ENODEV" ) +_S(ENOTDIR, "ENOTDIR" ) +_S(EISDIR, "EISDIR" ) +_S(EINVAL, "EINVAL" ) +_S(ENFILE, "ENFILE" ) +_S(EMFILE, "EMFILE" ) +_S(ENOTTY, "ENOTTY" ) +_S(ETXTBSY, "ETXTBSY" ) +_S(EFBIG, "EFBIG" ) +_S(ENOSPC, "ENOSPC" ) +_S(ESPIPE, "ESPIPE" ) +_S(EROFS, "EROFS" ) +_S(EMLINK, "EMLINK" ) +_S(EPIPE, "EPIPE" ) +_S(EDOM, "EDOM" ) +_S(ERANGE, "ERANGE" ) +_S(EDEADLK, "EDEADLK" ) +_S(ENAMETOOLONG, "ENAMETOOLONG" ) +_S(ENOLCK, "ENOLCK" ) +_S(ENOSYS, "ENOSYS" ) +_S(ENOTEMPTY, "ENOTEMPTY" ) +_S(ELOOP, "ELOOP" ) +_S(EWOULDBLOCK, "EWOULDBLOCK" ) +_S(ENOMSG, "ENOMSG" ) +_S(EIDRM, "EIDRM" ) +_S(ECHRNG, "ECHRNG" ) +_S(EL2NSYNC, "EL2NSYNC" ) +_S(EL3HLT, "EL3HLT" ) +_S(EL3RST, "EL3RST" ) +_S(ELNRNG, "ELNRNG" ) +_S(EUNATCH, "EUNATCH" ) +_S(ENOCSI, "ENOCSI" ) +_S(EL2HLT, "EL2HLT" ) +_S(EBADE, "EBADE" ) +_S(EBADR, "EBADR" ) +_S(EXFULL, "EXFULL" ) +_S(ENOANO, "ENOANO" ) +_S(EBADRQC, "EBADRQC" ) +_S(EBADSLT, "EBADSLT" ) +_S(EDEADLOCK, "EDEADLOCK" ) +_S(EBFONT, "EBFONT" ) +_S(ENOSTR, "ENOSTR" ) +_S(ENODATA, "ENODATA" ) +_S(ETIME, "ETIME" ) +_S(ENOSR, "ENOSR" ) +_S(ENONET, "ENONET" ) +_S(ENOPKG, "ENOPKG" ) +_S(EREMOTE, "EREMOTE" ) +_S(ENOLINK, "ENOLINK" ) +_S(EADV, "EADV" ) +_S(ESRMNT, "ESRMNT" ) +_S(ECOMM, "ECOMM" ) +_S(EPROTO, "EPROTO" ) +_S(EMULTIHOP, "EMULTIHOP" ) +_S(EDOTDOT, "EDOTDOT" ) +_S(EBADMSG, "EBADMSG" ) +_S(EOVERFLOW, "EOVERFLOW" ) +_S(ENOTUNIQ, "ENOTUNIQ" ) +_S(EBADFD, "EBADFD" ) +_S(EREMCHG, "EREMCHG" ) +_S(ELIBACC, "ELIBACC" ) +_S(ELIBBAD, "ELIBBAD" ) +_S(ELIBSCN, "ELIBSCN" ) +_S(ELIBMAX, "ELIBMAX" ) +_S(ELIBEXEC, "ELIBEXEC" ) +_S(EILSEQ, "EILSEQ" ) +_S(ERESTART, "ERESTART" ) +_S(ESTRPIPE, "ESTRPIPE" ) +_S(EUSERS, "EUSERS" ) +_S(ENOTSOCK, "ENOTSOCK" ) +_S(EDESTADDRREQ, "EDESTADDRREQ" ) +_S(EMSGSIZE, "EMSGSIZE" ) +_S(EPROTOTYPE, "EPROTOTYPE" ) +_S(ENOPROTOOPT, "ENOPROTOOPT" ) +_S(EPROTONOSUPPORT, "EPROTONOSUPPORT" ) +_S(ESOCKTNOSUPPORT, "ESOCKTNOSUPPORT" ) +_S(EOPNOTSUPP, "EOPNOTSUPP" ) +_S(EPFNOSUPPORT, "EPFNOSUPPORT" ) +_S(EAFNOSUPPORT, "EAFNOSUPPORT" ) +_S(EADDRINUSE, "EADDRINUSE" ) +_S(EADDRNOTAVAIL, "EADDRNOTAVAIL" ) +_S(ENETDOWN, "ENETDOWN" ) +_S(ENETUNREACH, "ENETUNREACH" ) +_S(ENETRESET, "ENETRESET" ) +_S(ECONNABORTED, "ECONNABORTED" ) +_S(ECONNRESET, "ECONNRESET" ) +_S(ENOBUFS, "ENOBUFS" ) +_S(EISCONN, "EISCONN" ) +_S(ENOTCONN, "ENOTCONN" ) +_S(ESHUTDOWN, "ESHUTDOWN" ) +_S(ETOOMANYREFS, "ETOOMANYREFS" ) +_S(ETIMEDOUT, "ETIMEDOUT" ) +_S(ECONNREFUSED, "ECONNREFUSED" ) +_S(EHOSTDOWN, "EHOSTDOWN" ) +_S(EHOSTUNREACH, "EHOSTUNREACH" ) +_S(EALREADY, "EALREADY" ) +_S(EINPROGRESS, "EINPROGRESS" ) +_S(ESTALE, "ESTALE" ) +_S(EUCLEAN, "EUCLEAN" ) +_S(ENOTNAM, "ENOTNAM" ) +_S(ENAVAIL, "ENAVAIL" ) +_S(EISNAM, "EISNAM" ) +_S(EREMOTEIO, "EREMOTEIO" ) +_S(EDQUOT, "EDQUOT" ) +_S(ENOMEDIUM, "ENOMEDIUM" ) +_S(EMEDIUMTYPE, "EMEDIUMTYPE" ) +_S(ECANCELED, "ECANCELED" ) +_S(ENOKEY, "ENOKEY" ) +_S(EKEYEXPIRED, "EKEYEXPIRED" ) +_S(EKEYREVOKED, "EKEYREVOKED" ) +_S(EKEYREJECTED, "EKEYREJECTED" ) +_S(EOWNERDEAD, "EOWNERDEAD" ) +_S(ENOTRECOVERABLE, "ENOTRECOVERABLE" ) + diff --git a/framework/src/audit/lib/fieldtab.h b/framework/src/audit/lib/fieldtab.h new file mode 100644 index 00000000..dd7474c1 --- /dev/null +++ b/framework/src/audit/lib/fieldtab.h @@ -0,0 +1,68 @@ +/* fieldtab.h -- + * Copyright 2005-07 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(AUDIT_PID, "pid" ) +_S(AUDIT_UID, "uid" ) +_S(AUDIT_EUID, "euid" ) +_S(AUDIT_SUID, "suid" ) +_S(AUDIT_FSUID, "fsuid" ) +_S(AUDIT_GID, "gid" ) +_S(AUDIT_EGID, "egid" ) +_S(AUDIT_SGID, "sgid" ) +_S(AUDIT_FSGID, "fsgid" ) +_S(AUDIT_LOGINUID, "auid" ) +_S(AUDIT_LOGINUID, "loginuid" ) +_S(AUDIT_PERS, "pers" ) +_S(AUDIT_ARCH, "arch" ) +_S(AUDIT_MSGTYPE, "msgtype" ) +_S(AUDIT_SUBJ_USER, "subj_user" ) +_S(AUDIT_SUBJ_ROLE, "subj_role" ) +_S(AUDIT_SUBJ_TYPE, "subj_type" ) +_S(AUDIT_SUBJ_SEN, "subj_sen" ) +_S(AUDIT_SUBJ_CLR, "subj_clr" ) +_S(AUDIT_PPID, "ppid" ) +_S(AUDIT_OBJ_USER, "obj_user" ) +_S(AUDIT_OBJ_ROLE, "obj_role" ) +_S(AUDIT_OBJ_TYPE, "obj_type" ) +_S(AUDIT_OBJ_LEV_LOW, "obj_lev_low" ) +_S(AUDIT_OBJ_LEV_HIGH, "obj_lev_high" ) + +_S(AUDIT_DEVMAJOR, "devmajor" ) +_S(AUDIT_DEVMINOR, "devminor" ) +_S(AUDIT_INODE, "inode" ) +_S(AUDIT_EXIT, "exit" ) +_S(AUDIT_SUCCESS, "success" ) +_S(AUDIT_WATCH, "path" ) +_S(AUDIT_PERM, "perm" ) +_S(AUDIT_DIR, "dir" ) +_S(AUDIT_FILETYPE, "filetype" ) +_S(AUDIT_OBJ_UID, "obj_uid" ) +_S(AUDIT_OBJ_GID, "obj_gid" ) +_S(AUDIT_FIELD_COMPARE, "field_compare" ) + +_S(AUDIT_ARG0, "a0" ) +_S(AUDIT_ARG1, "a1" ) +_S(AUDIT_ARG2, "a2" ) +_S(AUDIT_ARG3, "a3" ) + +_S(AUDIT_FILTERKEY, "key" ) + diff --git a/framework/src/audit/lib/flagtab.h b/framework/src/audit/lib/flagtab.h new file mode 100644 index 00000000..e08d9bca --- /dev/null +++ b/framework/src/audit/lib/flagtab.h @@ -0,0 +1,26 @@ +/* flagtab.h -- + * Copyright 2005,2006 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ +_S(AUDIT_FILTER_TASK, "task" ) +_S(AUDIT_FILTER_ENTRY, "entry" ) +_S(AUDIT_FILTER_EXIT, "exit" ) +_S(AUDIT_FILTER_USER, "user" ) +_S(AUDIT_FILTER_EXCLUDE, "exclude" ) diff --git a/framework/src/audit/lib/ftypetab.h b/framework/src/audit/lib/ftypetab.h new file mode 100644 index 00000000..e1dc2676 --- /dev/null +++ b/framework/src/audit/lib/ftypetab.h @@ -0,0 +1,30 @@ +/* actiontab.h -- + * Copyright 2008 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(S_IFSOCK, "socket" ) +_S(S_IFLNK, "link" ) +_S(S_IFREG, "file" ) +_S(S_IFBLK, "block" ) +_S(S_IFDIR, "dir" ) +_S(S_IFCHR, "character" ) +_S(S_IFIFO, "fifo" ) + diff --git a/framework/src/audit/lib/gen_tables.c b/framework/src/audit/lib/gen_tables.c new file mode 100644 index 00000000..9f25b506 --- /dev/null +++ b/framework/src/audit/lib/gen_tables.c @@ -0,0 +1,418 @@ +/* gen_tables.c -- Generator of lookup tables. + * Copyright 2008 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Miloslav Trmač <mitr@redhat.com> + */ + +#include "config.h" +#include <assert.h> +#include <ctype.h> +#include <errno.h> +#include <limits.h> +#include <linux/net.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/personality.h> +#include <sys/mount.h> +#ifndef MS_DIRSYNC +#include <linux/fs.h> +#endif +#include "gen_tables.h" +#include "libaudit.h" +#include "interpret.h" + +/* This is from asm/ipc.h. Copying it for now as some platforms + * * have broken headers. */ +#define SEMOP 1 +#define SEMGET 2 +#define SEMCTL 3 +#define SEMTIMEDOP 4 +#define MSGSND 11 +#define MSGRCV 12 +#define MSGGET 13 +#define MSGCTL 14 +#define SHMAT 21 +#define SHMDT 22 +#define SHMGET 23 +#define SHMCTL 24 + + +/* The ratio of table size to number of non-empty elements allowed for a + "direct" s2i table; if the ratio would be bigger, bsearch tables are used + instead. + + 2 looks like a lot at a first glance, but the bsearch tables need twice as + much space per element, so with the ratio equal to 2 the direct table uses + no more memory and is faster. */ +#define DIRECT_THRESHOLD 2 + +/* Allow more than one string defined for a single integer value */ +static bool allow_duplicate_ints; /* = false; */ + +struct value { + int val; + const char *s; + size_t s_offset; + size_t orig_index; +}; + +/* The mapping to store. */ +static struct value values[] = { +#define _S(VAL, S) { (VAL), (S), 0, 0 }, +#include TABLE_H +#undef _S +}; + +#define NUM_VALUES (sizeof(values) / sizeof(*values)) + +/* Compare two "struct value" members by name. */ +static int +cmp_value_strings(const void *xa, const void *xb) +{ + const struct value *a, *b; + + a = xa; + b = xb; + return strcmp(a->s, b->s); +} + +/* Compare two "struct value" members by value. */ +static int +cmp_value_vals(const void *xa, const void *xb) +{ + const struct value *a, *b; + + a = xa; + b = xb; + if (a->val > b->val) + return 1; + if (a->val < b->val) + return -1; + /* Preserve the original order if there is an ambiguity, to always use + the first specified value. */ + if (a->orig_index > b->orig_index) + return 1; + if (a->orig_index < b->orig_index) + return -1; + return 0; +} + +/* Compare two "struct value" members by orig_index. */ +static int +cmp_value_orig_index(const void *xa, const void *xb) +{ + const struct value *a, *b; + + a = xa; + b = xb; + if (a->orig_index > b->orig_index) + return 1; + if (a->orig_index < b->orig_index) + return -1; + return 0; +} + +/* Output the string table, initialize values[*]->s_offset. */ +static void +output_strings(const char *prefix) +{ + size_t i, offset; + + offset = 0; + for (i = 0; i < NUM_VALUES; i++) { + values[i].s_offset = offset; + offset += strlen(values[i].s) + 1; + } + printf("static const char %s_strings[] = \"", prefix); + assert(NUM_VALUES > 0); + for (i = 0; i < NUM_VALUES; i++) { + const char *c; + + if (i != 0 && i % 10 == 0) + fputs("\"\n" + "\t\"", stdout); + for (c = values[i].s; *c != '\0'; c++) { + assert(*c != '"' && *c != '\\' + && isprint((unsigned char)*c)); + putc(*c, stdout); + } + if (i != NUM_VALUES - 1) + fputs("\\0", stdout); + } + fputs("\";\n", stdout); +} + +/* Output the string to integer mapping code. + Assume strings are all uppsercase or all lowercase if specified by + parameters; in that case, make the search case-insensitive. + values must be sorted by strings. */ +static void +output_s2i(const char *prefix, bool uppercase, bool lowercase) +{ + size_t i; + + for (i = 0; i < NUM_VALUES - 1; i++) { + assert(strcmp(values[i].s, values[i + 1].s) <= 0); + if (strcmp(values[i].s, values[i + 1].s) == 0) { + fprintf(stderr, "Duplicate value `%s': %d, %d\n", + values[i].s, values[i].val, values[i + 1].val); + abort(); + } + } + printf("static const unsigned %s_s2i_s[] = {", prefix); + for (i = 0; i < NUM_VALUES; i++) { + if (i % 10 == 0) + fputs("\n\t", stdout); + assert(values[i].s_offset <= UINT_MAX); + printf("%zu,", values[i].s_offset); + } + printf("\n" + "};\n" + "static const int %s_s2i_i[] = {", prefix); + for (i = 0; i < NUM_VALUES; i++) { + if (i % 10 == 0) + fputs("\n\t", stdout); + printf("%d,", values[i].val); + } + fputs("\n" + "};\n", stdout); + assert(!(uppercase && lowercase)); + if (uppercase) { + for (i = 0; i < NUM_VALUES; i++) { + const char *c; + + for (c = values[i].s; *c != '\0'; c++) + assert(isascii((unsigned char)*c) + && !GT_ISLOWER(*c)); + } + } else if (lowercase) { + for (i = 0; i < NUM_VALUES; i++) { + const char *c; + + for (c = values[i].s; *c != '\0'; c++) + assert(isascii((unsigned char)*c) + && !GT_ISUPPER(*c)); + } + } + if (uppercase || lowercase) { + printf("static int %s_s2i(const char *s, int *value) {\n" + "\tsize_t len, i;\n" + "\tlen = strlen(s);\n" + "\t{ char copy[len + 1];\n" + "\tfor (i = 0; i < len; i++) {\n" + "\t\tchar c = s[i];\n", prefix); + if (uppercase) + fputs("\t\tcopy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' " + ": c;\n", stdout); + else + fputs("\t\tcopy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' " + ": c;\n", stdout); + printf("\t}\n" + "\tcopy[i] = 0;\n" + "\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %zu, " + "copy, value);\n" + "\t}\n" + "}\n", prefix, prefix, prefix, NUM_VALUES); + } else + printf("static int %s_s2i(const char *s, int *value) {\n" + "\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %zu, s, " + "value);\n" + "}\n", prefix, prefix, prefix, prefix, NUM_VALUES); +} + +/* Output the string to integer mapping table. + values must be sorted by strings. */ +static void +output_i2s(const char *prefix) +{ + struct value *unique_values; + int min_val, max_val; + size_t i, n; + + assert(NUM_VALUES > 0); + for (i = 0; i < NUM_VALUES - 1; i++) { + assert(values[i].val <= values[i + 1].val); + if (!allow_duplicate_ints + && values[i].val == values[i + 1].val) { + fprintf(stderr, "Duplicate value %d: `%s', `%s'\n", + values[i].val, values[i].s, values[i + 1].s); + abort(); + } + } + + unique_values = malloc(NUM_VALUES * sizeof(*unique_values)); + assert(unique_values != NULL); + n = 0; + for (i = 0; i < NUM_VALUES; i++) { + if (n == 0 || unique_values[n - 1].val != values[i].val) { + unique_values[n] = values[i]; + n++; + } + } + + min_val = unique_values[0].val; + max_val = unique_values[n - 1].val; + if (((double)max_val - (double)min_val) / n <= DIRECT_THRESHOLD) { + int next_index; + + printf("static const unsigned %s_i2s_direct[] = {", prefix); + next_index = min_val; + i = 0; + for (;;) { + if ((next_index - min_val) % 10 == 0) + fputs("\n\t", stdout); + while (unique_values[i].val < next_index) + /* This can happen if (allow_duplicate_ints) */ + i++; + if (unique_values[i].val == next_index) { + assert(unique_values[i].s_offset <= UINT_MAX); + printf("%zu,", unique_values[i].s_offset); + } else + fputs("-1u,", stdout); + if (next_index == max_val) + /* Done like this to avoid integer overflow */ + break; + next_index++; + } + printf("\n" + "};\n" + "static const char *%s_i2s(int v) {\n" + "\treturn i2s_direct__(%s_strings, %s_i2s_direct, %d, " + "%d, v);\n" + "}\n", prefix, prefix, prefix, min_val, max_val); + } else { + printf("static const int %s_i2s_i[] = {", prefix); + for (i = 0; i < n; i++) { + if (i % 10 == 0) + fputs("\n\t", stdout); + printf("%d,", unique_values[i].val); + } + printf("\n" + "};\n" + "static const unsigned %s_i2s_s[] = {", prefix); + for (i = 0; i < n; i++) { + if (i % 10 == 0) + fputs("\n\t", stdout); + assert(unique_values[i].s_offset <= UINT_MAX); + printf("%zu,", unique_values[i].s_offset); + } + printf("\n" + "};\n" + "static const char *%s_i2s(int v) {\n" + "\treturn i2s_bsearch__(%s_strings, %s_i2s_i, %s_i2s_s, " + "%zu, v);\n" + "}\n", prefix, prefix, prefix, prefix, n); + } + free(unique_values); +} + +/* Output the string to integer mapping table as a transtab[]. + values must be sorted in the desired order. */ +static void +output_i2s_transtab(const char *prefix) +{ + size_t i; + char *uc_prefix; + + printf("static const struct transtab %s_table[] = {", prefix); + for (i = 0; i < NUM_VALUES; i++) { + if (i % 10 == 0) + fputs("\n\t", stdout); + printf("{%d,%zu},", values[i].val, values[i].s_offset); + } + uc_prefix = strdup(prefix); + assert(uc_prefix != NULL); + for (i = 0; uc_prefix[i] != '\0'; i++) + uc_prefix[i] = toupper((unsigned char)uc_prefix[i]); + printf("\n" + "};\n" + "#define %s_NUM_ENTRIES " + "(sizeof(%s_table) / sizeof(*%s_table))\n", uc_prefix, prefix, + prefix); + free(uc_prefix); +} + +int +main(int argc, char **argv) +{ + bool gen_i2s, gen_i2s_transtab, gen_s2i, uppercase, lowercase; + char *prefix; + size_t i; + + /* This is required by gen_tables.h */ + assert(NUM_VALUES <= (SSIZE_MAX / 2 + 1)); + + /* To make sure GT_ISUPPER and GT_ISLOWER work. */ + assert('Z' == 'A' + 25 && 'z' == 'a' + 25); + gen_i2s = false; + gen_i2s_transtab = false; + gen_s2i = false; + uppercase = false; + lowercase = false; + prefix = NULL; + assert (argc > 1); + for (i = 1; i < (size_t)argc; i++) { + if (strcmp(argv[i], "--i2s") == 0) + gen_i2s = true; + else if (strcmp(argv[i], "--i2s-transtab") == 0) + gen_i2s_transtab = true; + else if (strcmp(argv[i], "--s2i") == 0) + gen_s2i = true; + else if (strcmp(argv[i], "--uppercase") == 0) + uppercase = true; + else if (strcmp(argv[i], "--lowercase") == 0) + lowercase = true; + else if (strcmp(argv[i], "--duplicate-ints") == 0) + allow_duplicate_ints = true; + else { + assert(*argv[i] != '-'); + assert(prefix == NULL); + prefix = argv[i]; + } + } + assert(prefix != NULL); + assert(!(uppercase && lowercase)); + + printf("/* This is a generated file, see Makefile.am for its " + "inputs. */\n"); + for (i = 0; i < NUM_VALUES; i++) + values[i].orig_index = i; + qsort(values, NUM_VALUES, sizeof(*values), cmp_value_strings); + /* FIXME? if (gen_s2i), sort the strings in some other order + (e.g. "first 4 nodes in BFS of the bsearch tree first") to use the + cache better. */ + /* FIXME? If the only thing generated is a transtab, keep the strings + in the original order to use the cache better. */ + output_strings(prefix); + if (gen_s2i) + output_s2i(prefix, uppercase, lowercase); + if (gen_i2s) { + qsort(values, NUM_VALUES, sizeof(*values), cmp_value_vals); + output_i2s(prefix); + } + if (gen_i2s_transtab) { + qsort(values, NUM_VALUES, sizeof(*values), + cmp_value_orig_index); + output_i2s_transtab(prefix); + } + return EXIT_SUCCESS; +} diff --git a/framework/src/audit/lib/gen_tables.h b/framework/src/audit/lib/gen_tables.h new file mode 100644 index 00000000..84237a28 --- /dev/null +++ b/framework/src/audit/lib/gen_tables.h @@ -0,0 +1,102 @@ +/* gen_tables.h -- Declarations used for lookup tables. + * Copyright 2008 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Miloslav Trmač <mitr@redhat.com> + */ +#ifndef GEN_TABLES_H__ +#define GEN_TABLES_H__ + +#include <stddef.h> +#include <stdint.h> + +/* Assumes ASCII; verified in gen_tables.c. */ +#define GT_ISUPPER(X) ((X) >= 'A' && (X) <= 'Z') +#define GT_ISLOWER(X) ((X) >= 'a' && (X) <= 'z') + +inline static int s2i__(const char *strings, const unsigned *s_table, + const int *i_table, size_t n, const char *s, int *value) +{ + ssize_t left, right; + + left = 0; + right = n - 1; + while (left <= right) { /* invariant: left <= x <= right */ + size_t mid; + int r; + + mid = (left + right) / 2; + /* FIXME? avoid recomparing a common prefix */ + r = strcmp(s, strings + s_table[mid]); + if (r == 0) { + *value = i_table[mid]; + return 1; + } + if (r < 0) + right = mid - 1; + else + left = mid + 1; + } + return 0; +} + +inline static const char *i2s_direct__(const char *strings, + const unsigned *table, int min, int max, + int v) +{ + unsigned off; + + if (v < min || v > max) + return NULL; + off = table[v - min]; + if (off != -1u) + return strings + off; + return NULL; +} + +inline static const char *i2s_bsearch__(const char *strings, + const int *i_table, + const unsigned *s_table, size_t n, + int v) +{ + ssize_t left, right; + + left = 0; + right = n - 1; + while (left <= right) { /* invariant: left <= x <= right */ + size_t mid; + int mid_val; + + mid = (left + right) / 2; + mid_val = i_table[mid]; + if (v == mid_val) + return strings + s_table[mid]; + if (v < mid_val) + right = mid - 1; + else + left = mid + 1; + } + return NULL; +} + +struct transtab { + int value; + unsigned offset; +}; + +#endif diff --git a/framework/src/audit/lib/i386_table.h b/framework/src/audit/lib/i386_table.h new file mode 100644 index 00000000..208310cf --- /dev/null +++ b/framework/src/audit/lib/i386_table.h @@ -0,0 +1,379 @@ +/* i386_table.h -- + * Copyright 2005-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(0, "restart_syscall") +_S(1, "exit") +_S(2, "fork") +_S(3, "read") +_S(4, "write") +_S(5, "open") +_S(6, "close") +_S(7, "waitpid") +_S(8, "creat") +_S(9, "link") +_S(10, "unlink") +_S(11, "execve") +_S(12, "chdir") +_S(13, "time") +_S(14, "mknod") +_S(15, "chmod") +_S(16, "lchown") +_S(17, "break") +_S(18, "oldstat") +_S(19, "lseek") +_S(20, "getpid") +_S(21, "mount") +_S(22, "umount") +_S(23, "setuid") +_S(24, "getuid") +_S(25, "stime") +_S(26, "ptrace") +_S(27, "alarm") +_S(28, "oldfstat") +_S(29, "pause") +_S(30, "utime") +_S(31, "stty") +_S(32, "gtty") +_S(33, "access") +_S(34, "nice") +_S(35, "ftime") +_S(36, "sync") +_S(37, "kill") +_S(38, "rename") +_S(39, "mkdir") +_S(40, "rmdir") +_S(41, "dup") +_S(42, "pipe") +_S(43, "times") +_S(44, "prof") +_S(45, "brk") +_S(46, "setgid") +_S(47, "getgid") +_S(48, "signal") +_S(49, "geteuid") +_S(50, "getegid") +_S(51, "acct") +_S(52, "umount2") +_S(53, "lock") +_S(54, "ioctl") +_S(55, "fcntl") +_S(56, "mpx") +_S(57, "setpgid") +_S(58, "ulimit") +_S(59, "oldolduname") +_S(60, "umask") +_S(61, "chroot") +_S(62, "ustat") +_S(63, "dup2") +_S(64, "getppid") +_S(65, "getpgrp") +_S(66, "setsid") +_S(67, "sigaction") +_S(68, "sgetmask") +_S(69, "ssetmask") +_S(70, "setreuid") +_S(71, "setregid") +_S(72, "sigsuspend") +_S(73, "sigpending") +_S(74, "sethostname") +_S(75, "setrlimit") +_S(76, "getrlimit") +_S(77, "getrusage") +_S(78, "gettimeofday") +_S(79, "settimeofday") +_S(80, "getgroups") +_S(81, "setgroups") +_S(82, "select") +_S(83, "symlink") +_S(84, "oldlstat") +_S(85, "readlink") +_S(86, "uselib") +_S(87, "swapon") +_S(88, "reboot") +_S(89, "readdir") +_S(90, "mmap") +_S(91, "munmap") +_S(92, "truncate") +_S(93, "ftruncate") +_S(94, "fchmod") +_S(95, "fchown") +_S(96, "getpriority") +_S(97, "setpriority") +_S(98, "profil") +_S(99, "statfs") +_S(100, "fstatfs") +_S(101, "ioperm") +_S(102, "socketcall") +_S(103, "syslog") +_S(104, "setitimer") +_S(105, "getitimer") +_S(106, "stat") +_S(107, "lstat") +_S(108, "fstat") +_S(109, "olduname") +_S(110, "iopl") +_S(111, "vhangup") +_S(112, "idle") +_S(113, "vm86old") +_S(114, "wait4") +_S(115, "swapoff") +_S(116, "sysinfo") +_S(117, "ipc") +_S(118, "fsync") +_S(119, "sigreturn") +_S(120, "clone") +_S(121, "setdomainname") +_S(122, "uname") +_S(123, "modify_ldt") +_S(124, "adjtimex") +_S(125, "mprotect") +_S(126, "sigprocmask") +_S(127, "create_module") +_S(128, "init_module") +_S(129, "delete_module") +_S(130, "get_kernel_syms") +_S(131, "quotactl") +_S(132, "getpgid") +_S(133, "fchdir") +_S(134, "bdflush") +_S(135, "sysfs") +_S(136, "personality") +_S(137, "afs_syscall") +_S(138, "setfsuid") +_S(139, "setfsgid") +_S(140, "_llseek") +_S(141, "getdents") +_S(142, "_newselect") +_S(143, "flock") +_S(144, "msync") +_S(145, "readv") +_S(146, "writev") +_S(147, "getsid") +_S(148, "fdatasync") +_S(149, "_sysctl") +_S(150, "mlock") +_S(151, "munlock") +_S(152, "mlockall") +_S(153, "munlockall") +_S(154, "sched_setparam") +_S(155, "sched_getparam") +_S(156, "sched_setscheduler") +_S(157, "sched_getscheduler") +_S(158, "sched_yield") +_S(159, "sched_get_priority_max") +_S(160, "sched_get_priority_min") +_S(161, "sched_rr_get_interval") +_S(162, "nanosleep") +_S(163, "mremap") +_S(164, "setresuid") +_S(165, "getresuid") +_S(166, "vm86") +_S(167, "query_module") +_S(168, "poll") +_S(169, "nfsservctl") +_S(170, "setresgid") +_S(171, "getresgid") +_S(172, "prctl") +_S(173, "rt_sigreturn") +_S(174, "rt_sigaction") +_S(175, "rt_sigprocmask") +_S(176, "rt_sigpending") +_S(177, "rt_sigtimedwait") +_S(178, "rt_sigqueueinfo") +_S(179, "rt_sigsuspend") +_S(180, "pread64") +_S(181, "pwrite64") +_S(182, "chown") +_S(183, "getcwd") +_S(184, "capget") +_S(185, "capset") +_S(186, "sigaltstack") +_S(187, "sendfile") +_S(188, "getpmsg") +_S(189, "putpmsg") +_S(190, "vfork") +_S(191, "ugetrlimit") +_S(192, "mmap2") +_S(193, "truncate64") +_S(194, "ftruncate64") +_S(195, "stat64") +_S(196, "lstat64") +_S(197, "fstat64") +_S(198, "lchown32") +_S(199, "getuid32") +_S(200, "getgid32") +_S(201, "geteuid32") +_S(202, "getegid32") +_S(203, "setreuid32") +_S(204, "setregid32") +_S(205, "getgroups32") +_S(206, "setgroups32") +_S(207, "fchown32") +_S(208, "setresuid32") +_S(209, "getresuid32") +_S(210, "setresgid32") +_S(211, "getresgid32") +_S(212, "chown32") +_S(213, "setuid32") +_S(214, "setgid32") +_S(215, "setfsuid32") +_S(216, "setfsgid32") +_S(217, "pivot_root") +_S(218, "mincore") +_S(219, "madvise") +_S(219, "madvise1") +_S(220, "getdents64") +_S(221, "fcntl64") +_S(224, "gettid") +_S(225, "readahead") +_S(226, "setxattr") +_S(227, "lsetxattr") +_S(228, "fsetxattr") +_S(229, "getxattr") +_S(230, "lgetxattr") +_S(231, "fgetxattr") +_S(232, "listxattr") +_S(233, "llistxattr") +_S(234, "flistxattr") +_S(235, "removexattr") +_S(236, "lremovexattr") +_S(237, "fremovexattr") +_S(238, "tkill") +_S(239, "sendfile64") +_S(240, "futex") +_S(241, "sched_setaffinity") +_S(242, "sched_getaffinity") +_S(243, "set_thread_area") +_S(244, "get_thread_area") +_S(245, "io_setup") +_S(246, "io_destroy") +_S(247, "io_getevents") +_S(248, "io_submit") +_S(249, "io_cancel") +_S(250, "fadvise64") +_S(252, "exit_group") +_S(253, "lookup_dcookie") +_S(254, "epoll_create") +_S(255, "epoll_ctl") +_S(256, "epoll_wait") +_S(257, "remap_file_pages") +_S(258, "set_tid_address") +_S(259, "timer_create") +_S(260, "timer_settime") +_S(261, "timer_gettime") +_S(262, "timer_getoverrun") +_S(263, "timer_delete") +_S(264, "clock_settime") +_S(265, "clock_gettime") +_S(266, "clock_getres") +_S(267, "clock_nanosleep") +_S(268, "statfs64") +_S(269, "fstatfs64") +_S(270, "tgkill") +_S(271, "utimes") +_S(272, "fadvise64_64") +_S(273, "vserver") +_S(274, "mbind") +_S(275, "get_mempolicy") +_S(276, "set_mempolicy") +_S(277, "mq_open") +_S(278, "mq_unlink") +_S(279, "mq_timedsend") +_S(280, "mq_timedreceive") +_S(281, "mq_notify") +_S(282, "mq_getsetattr") +_S(283, "sys_kexec_load") +_S(284, "waitid") +// 285 is setaltroot but it is not defined (yet) +_S(286, "add_key") +_S(287, "request_key") +_S(288, "keyctl") +_S(289, "ioprio_set") +_S(290, "ioprio_get") +_S(291, "inotify_init") +_S(292, "inotify_add_watch") +_S(293, "inotify_rm_watch") +_S(294, "migrate_pages") +_S(295, "openat") +_S(296, "mkdirat") +_S(297, "mknodat") +_S(298, "fchownat") +_S(299, "futimesat") +_S(300, "fstatat64") +_S(301, "unlinkat") +_S(302, "renameat") +_S(303, "linkat") +_S(304, "symlinkat") +_S(305, "readlinkat") +_S(306, "fchmodat") +_S(307, "faccessat") +_S(308, "pselect6") +_S(309, "ppoll") +_S(310, "unshare") +_S(311, "set_robust_list") +_S(312, "get_robust_list") +_S(313, "splice") +_S(314, "sync_file_range") +_S(315, "tee") +_S(316, "vmsplice") +_S(317, "move_pages") +_S(318, "getcpu") +_S(319, "epoll_pwait") +_S(320, "utimensat") +_S(321, "signalfd") +_S(322, "timerfd") +_S(323, "eventfd") +_S(324, "fallocate") +_S(325, "timerfd_settime") +_S(326, "timerfd_gettime") +_S(327, "signalfd4") +_S(328, "eventfd2") +_S(329, "epoll_create1") +_S(330, "dup3") +_S(331, "pipe2") +_S(332, "inotify_init1") +_S(333, "preadv") +_S(334, "pwritev") +_S(335, "rt_tgsigqueueinfo") +_S(336, "perf_event_open") +_S(337, "recvmmsg") +_S(338, "fanotify_init") +_S(339, "fanotify_mark") +_S(340, "prlimit64") +_S(341, "name_to_handle_at") +_S(342, "open_by_handle_at") +_S(343, "clock_adjtime") +_S(344, "syncfs") +_S(345, "sendmmsg") +_S(346, "setns") +_S(347, "process_vm_readv") +_S(348, "process_vm_writev") +_S(349, "kcmp") +_S(350, "finit_module") +_S(351, "sched_setattr") +_S(352, "sched_getattr") +_S(353, "renameat2") +_S(354, "seccomp") +_S(355, "getrandom") +_S(356, "memfd_create") +_S(357, "bpf") +_S(358, "execveat") diff --git a/framework/src/audit/lib/ia64_table.h b/framework/src/audit/lib/ia64_table.h new file mode 100644 index 00000000..4a154670 --- /dev/null +++ b/framework/src/audit/lib/ia64_table.h @@ -0,0 +1,335 @@ +/* ia64_table.h -- + * Copyright 2005-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(1024, "ni_syscall") +_S(1025, "exit") +_S(1026, "read") +_S(1027, "write") +_S(1028, "open") +_S(1029, "close") +_S(1030, "creat") +_S(1031, "link") +_S(1032, "unlink") +_S(1033, "execve") +_S(1034, "chdir") +_S(1035, "fchdir") +_S(1036, "utimes") +_S(1037, "mknod") +_S(1038, "chmod") +_S(1039, "chown") +_S(1040, "lseek") +_S(1041, "getpid") +_S(1042, "getppid") +_S(1043, "mount") +_S(1044, "umount") +_S(1045, "setuid") +_S(1046, "getuid") +_S(1047, "geteuid") +_S(1048, "ptrace") +_S(1049, "access") +_S(1050, "sync") +_S(1051, "fsync") +_S(1052, "fdatasync") +_S(1053, "kill") +_S(1054, "rename") +_S(1055, "mkdir") +_S(1056, "rmdir") +_S(1057, "dup") +_S(1058, "pipe") +_S(1059, "times") +_S(1060, "brk") +_S(1061, "setgid") +_S(1062, "getgid") +_S(1063, "getegid") +_S(1064, "acct") +_S(1065, "ioctl") +_S(1066, "fcntl") +_S(1067, "umask") +_S(1068, "chroot") +_S(1069, "ustat") +_S(1070, "dup2") +_S(1071, "setreuid") +_S(1072, "setregid") +_S(1073, "getresuid") +_S(1074, "setresuid") +_S(1075, "getresgid") +_S(1076, "setresgid") +_S(1077, "getgroups") +_S(1078, "setgroups") +_S(1079, "getpgid") +_S(1080, "setpgid") +_S(1081, "setsid") +_S(1082, "getsid") +_S(1083, "sethostname") +_S(1084, "setrlimit") +_S(1085, "getrlimit") +_S(1086, "getrusage") +_S(1087, "gettimeofday") +_S(1088, "settimeofday") +_S(1089, "select") +_S(1090, "poll") +_S(1091, "symlink") +_S(1092, "readlink") +_S(1093, "uselib") +_S(1094, "swapon") +_S(1095, "swapoff") +_S(1096, "reboot") +_S(1097, "truncate") +_S(1098, "ftruncate") +_S(1099, "fchmod") +_S(1100, "fchown") +_S(1101, "getpriority") +_S(1102, "setpriority") +_S(1103, "statfs") +_S(1104, "fstatfs") +_S(1105, "gettid") +_S(1106, "semget") +_S(1107, "semop") +_S(1108, "semctl") +_S(1109, "msgget") +_S(1110, "msgsnd") +_S(1111, "msgrcv") +_S(1112, "msgctl") +_S(1113, "shmget") +_S(1114, "shmat") +_S(1115, "shmdt") +_S(1116, "shmctl") +_S(1117, "syslog") +_S(1118, "setitimer") +_S(1119, "getitimer") +_S(1120, "tux") +_S(1123, "vhangup") +_S(1124, "lchown") +_S(1125, "remap_file_pages") +_S(1126, "wait4") +_S(1127, "sysinfo") +_S(1128, "clone") +_S(1129, "setdomainname") +_S(1130, "uname") +_S(1131, "adjtimex") +_S(1133, "init_module") +_S(1134, "delete_module") +_S(1137, "quotactl") +_S(1138, "bdflush") +_S(1139, "sysfs") +_S(1140, "personality") +_S(1141, "afs_syscall") +_S(1142, "setfsuid") +_S(1143, "setfsgid") +_S(1144, "getdents") +_S(1145, "flock") +_S(1146, "readv") +_S(1147, "writev") +_S(1148, "pread64") +_S(1149, "pwrite64") +_S(1150, "_sysctl") +_S(1151, "mmap") +_S(1152, "munmap") +_S(1153, "mlock") +_S(1154, "mlockall") +_S(1155, "mprotect") +_S(1156, "mremap") +_S(1157, "msync") +_S(1158, "munlock") +_S(1159, "munlockall") +_S(1160, "sched_getparam") +_S(1161, "sched_setparam") +_S(1162, "sched_getscheduler") +_S(1163, "sched_setscheduler") +_S(1164, "sched_yield") +_S(1165, "sched_get_priority_max") +_S(1166, "sched_get_priority_min") +_S(1167, "sched_rr_get_interval") +_S(1168, "nanosleep") +_S(1169, "nfsservctl") +_S(1170, "prctl") +_S(1172, "mmap2") +_S(1173, "pciconfig_read") +_S(1174, "pciconfig_write") +_S(1175, "perfmonctl") +_S(1176, "sigaltstack") +_S(1177, "rt_sigaction") +_S(1178, "rt_sigpending") +_S(1179, "rt_sigprocmask") +_S(1180, "rt_sigqueueinfo") +_S(1181, "rt_sigreturn") +_S(1182, "rt_sigsuspend") +_S(1183, "rt_sigtimedwait") +_S(1184, "getcwd") +_S(1185, "capget") +_S(1186, "capset") +_S(1187, "sendfile") +_S(1188, "getpmsg") +_S(1189, "putpmsg") +_S(1190, "socket") +_S(1191, "bind") +_S(1192, "connect") +_S(1193, "listen") +_S(1194, "accept") +_S(1195, "getsockname") +_S(1196, "getpeername") +_S(1197, "socketpair") +_S(1198, "send") +_S(1199, "sendto") +_S(1200, "recv") +_S(1201, "recvfrom") +_S(1202, "shutdown") +_S(1203, "setsockopt") +_S(1204, "getsockopt") +_S(1205, "sendmsg") +_S(1206, "recvmsg") +_S(1207, "pivot_root") +_S(1208, "mincore") +_S(1209, "madvise") +_S(1210, "stat") +_S(1211, "lstat") +_S(1212, "fstat") +_S(1213, "clone2") +_S(1214, "getdents64") +_S(1215, "getunwind") +_S(1216, "readahead") +_S(1217, "setxattr") +_S(1218, "lsetxattr") +_S(1219, "fsetxattr") +_S(1220, "getxattr") +_S(1221, "lgetxattr") +_S(1222, "fgetxattr") +_S(1223, "listxattr") +_S(1224, "llistxattr") +_S(1225, "flistxattr") +_S(1226, "removexattr") +_S(1227, "lremovexattr") +_S(1228, "fremovexattr") +_S(1229, "tkill") +_S(1230, "futex") +_S(1231, "sched_setaffinity") +_S(1232, "sched_getaffinity") +_S(1233, "set_tid_address") +_S(1234, "fadvise64") +_S(1235, "tgkill") +_S(1236, "exit_group") +_S(1237, "lookup_dcookie") +_S(1238, "io_setup") +_S(1239, "io_destroy") +_S(1240, "io_getevents") +_S(1241, "io_submit") +_S(1242, "io_cancel") +_S(1243, "epoll_create") +_S(1244, "epoll_ctl") +_S(1245, "epoll_wait") +_S(1246, "restart_syscall") +_S(1247, "semtimedop") +_S(1248, "timer_create") +_S(1249, "timer_settime") +_S(1250, "timer_gettime") +_S(1251, "timer_getoverrun") +_S(1252, "timer_delete") +_S(1253, "clock_settime") +_S(1254, "clock_gettime") +_S(1255, "clock_getres") +_S(1256, "clock_nanosleep") +_S(1257, "fstatfs64") +_S(1258, "statfs64") +_S(1259, "mbind") +_S(1260, "get_mempolicy") +_S(1261, "set_mempolicy") +_S(1262, "mq_open") +_S(1263, "mq_unlink") +_S(1264, "mq_timedsend") +_S(1265, "mq_timedreceive") +_S(1266, "mq_notify") +_S(1267, "mq_getsetattr") +_S(1268, "kexec_load") +_S(1269, "vserver") +_S(1270, "waitid") +_S(1271, "add_key") +_S(1272, "request_key") +_S(1273, "keyctl") +_S(1274, "ioprio_set") +_S(1275, "ioprio_get") +_S(1276, "set_zone_reclaim") +_S(1277, "inotify_init") +_S(1278, "inotify_add_watch") +_S(1279, "inotify_rm_watch") +_S(1280, "migrate_pages") +_S(1281, "openat") +_S(1282, "mkdirat") +_S(1283, "mknodat") +_S(1284, "fchownat") +_S(1285, "futimesat") +_S(1286, "newfstatat") +_S(1287, "unlinkat") +_S(1288, "renameat") +_S(1289, "linkat") +_S(1290, "symlinkat") +_S(1291, "readlinkat") +_S(1292, "fchmodat") +_S(1293, "faccessat") +_S(1294, "pselect") +_S(1295, "ppoll") +_S(1296, "unshare") +_S(1297, "splice") +_S(1298, "set_robust_list") +_S(1299, "get_robust_list") +_S(1300, "sync_file_range") +_S(1301, "tee") +_S(1302, "vmsplice") +_S(1303, "fallocate") +_S(1304, "getcpu") +_S(1305, "epoll_pwait") +_S(1306, "utimensat") +_S(1307, "signalfd") +_S(1308, "timerfd") +_S(1309, "eventfd") +_S(1310, "timerfd_create") +_S(1311, "timerfd_settime") +_S(1312, "timerfd_gettime") +_S(1313, "signalfd4") +_S(1314, "eventfd2") +_S(1315, "epoll_create1") +_S(1316, "dup3") +_S(1317, "pipe2") +_S(1318, "inotify_init1") +_S(1319, "preadv") +_S(1320, "pwritev") +_S(1321, "rt_tgsigqueueinfo") +_S(1322, "recvmmsg") +_S(1323, "fanotify_init") +_S(1324, "fanotify_mark") +_S(1325, "prlimit64") +_S(1326, "name_to_handle_at") +_S(1327, "open_by_handle_at") +_S(1328, "clock_adjtime") +_S(1329, "syncfs") +_S(1330, "setns") +_S(1331, "sendmmsg") +_S(1332, "process_vm_readv") +_S(1333, "process_vm_writev") +_S(1334, "accept4") +_S(1335, "finit_module") +_S(1336, "sched_setattr") +_S(1337, "sched_getattr") +_S(1338, "renameat2") +_S(1339, "getrandom") +_S(1340, "memfd_create") +_S(1341, "bpf") +_S(1342, "execveat") diff --git a/framework/src/audit/lib/libaudit.c b/framework/src/audit/lib/libaudit.c new file mode 100644 index 00000000..6311b813 --- /dev/null +++ b/framework/src/audit/lib/libaudit.c @@ -0,0 +1,1606 @@ +/* libaudit.c -- + * Copyright 2004-2009,2012,2014 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Rickard E. (Rik) Faith <faith@redhat.com> + */ + +#include "config.h" +#include <stdio.h> +#include <stdarg.h> +#include <string.h> +#include <stdlib.h> +#include <unistd.h> +#include <ctype.h> +#include <time.h> +#include <pwd.h> +#include <grp.h> +#include <errno.h> +#include <sys/poll.h> +#include <sys/utsname.h> +#include <sys/stat.h> +#include <fcntl.h> /* O_NOFOLLOW needs gnu defined */ +#include <limits.h> /* for PATH_MAX */ +#include <sys/stat.h> +#include <sys/types.h> + +#include "libaudit.h" +#include "private.h" +#include "errormsg.h" + +/* #defines for the audit failure query */ +#define CONFIG_FILE "/etc/libaudit.conf" + +/* Local prototypes */ +struct nv_pair +{ + const char *name; + const char *value; +}; + +struct kw_pair +{ + const char *name; + int (*parser)(const char *, int); +}; + +struct nv_list +{ + const char *name; + int option; +}; + +struct libaudit_conf +{ + auditfail_t failure_action; +}; + +static const struct nv_list failure_actions[] = +{ + {"ignore", FAIL_IGNORE }, + {"log", FAIL_LOG }, + {"terminate", FAIL_TERMINATE }, + { NULL, 0 } +}; + +int _audit_permadded = 0; +int _audit_archadded = 0; +int _audit_syscalladded = 0; +unsigned int _audit_elf = 0U; +static struct libaudit_conf config; + +static int audit_failure_parser(const char *val, int line); +static int audit_name_to_uid(const char *name, uid_t *uid); +static int audit_name_to_gid(const char *name, gid_t *gid); + +static const struct kw_pair keywords[] = +{ + {"failure_action", audit_failure_parser }, + { NULL, NULL } +}; + +static int audit_priority(int xerrno) +{ + /* If they've compiled their own kernel and did not include + * the audit susbsystem, they will get ECONNREFUSED. We'll + * demote the message to debug so its not lost entirely. */ + if (xerrno == ECONNREFUSED) + return LOG_DEBUG; + else + return LOG_WARNING; +} + +int audit_request_status(int fd) +{ + int rc = audit_send(fd, AUDIT_GET, NULL, 0); + if (rc < 0) + audit_msg(audit_priority(errno), + "Error sending status request (%s)", strerror(-rc)); + return rc; +} +hidden_def(audit_request_status) + +/* + * Set everything to its default value + */ +static void clear_config(void) +{ + config.failure_action = FAIL_IGNORE; +} + +/* Get 1 line from file */ +static char *get_line(FILE *f, char *buf, size_t len) +{ + if (fgets(buf, len, f)) { + /* remove newline */ + char *ptr = strchr(buf, 0x0a); + if (ptr) + *ptr = 0; + return buf; + } + return NULL; +} + +static int nv_split(char *buf, struct nv_pair *nv) +{ + /* Get the name part */ + char *ptr, *saved=NULL; + + nv->name = NULL; + nv->value = NULL; + ptr = audit_strsplit_r(buf, &saved); + if (ptr == NULL) + return 0; /* If there's nothing, go to next line */ + if (ptr[0] == '#') + return 0; /* If there's a comment, go to next line */ + nv->name = ptr; + + /* Check for a '=' */ + ptr = audit_strsplit_r(NULL, &saved); + if (ptr == NULL) + return 1; + if (strcmp(ptr, "=") != 0) + return 2; + + /* get the value */ + ptr = audit_strsplit_r(NULL, &saved); + if (ptr == NULL) + return 1; + nv->value = ptr; + + /* Make sure there's nothing else */ + ptr = audit_strsplit_r(NULL, &saved); + if (ptr) + return 1; + + /* Everything is OK */ + return 0; +} + +static const struct kw_pair *kw_lookup(const char *val) +{ + int i = 0; + while (keywords[i].name != NULL) { + if (strcasecmp(keywords[i].name, val) == 0) + break; + i++; + } + return &keywords[i]; +} + +static int audit_failure_parser(const char *val, int line) +{ + int i; + + audit_msg(LOG_DEBUG, "audit_failure_parser called with: %s", val); + for (i=0; failure_actions[i].name != NULL; i++) { + if (strcasecmp(val, failure_actions[i].name) == 0) { + config.failure_action = failure_actions[i].option; + return 0; + } + } + audit_msg(LOG_ERR, "Option %s not found - line %d", val, line); + return 1; +} + +/* + * Read the /etc/libaudit.conf file and all tunables. + */ +static int load_libaudit_config(const char *path) +{ + int fd, rc, lineno = 1; + struct stat st; + FILE *f; + char buf[128]; + + /* open the file */ + rc = open(path, O_NOFOLLOW|O_RDONLY); + if (rc < 0) { + if (errno != ENOENT) { + audit_msg(LOG_ERR, "Error opening %s (%s)", + path, strerror(errno)); + return 1; + } + audit_msg(LOG_WARNING, + "Config file %s doesn't exist, skipping", path); + return 0; + } + fd = rc; + + /* check the file's permissions: owned by root, not world writable, + * not symlink. + */ + audit_msg(LOG_DEBUG, "Config file %s opened for parsing", path); + if (fstat(fd, &st) < 0) { + audit_msg(LOG_ERR, "Error fstat'ing %s (%s)", + path, strerror(errno)); + close(fd); + return 1; + } + if (st.st_uid != 0) { + audit_msg(LOG_ERR, "Error - %s isn't owned by root", path); + close(fd); + return 1; + } + if ((st.st_mode & S_IWOTH) == S_IWOTH) { + audit_msg(LOG_ERR, "Error - %s is world writable", path); + close(fd); + return 1; + } + if (!S_ISREG(st.st_mode)) { + audit_msg(LOG_ERR, "Error - %s is not a regular file", path); + close(fd); + return 1; + } + + /* it's ok, read line by line */ + f = fdopen(fd, "rm"); + if (f == NULL) { + audit_msg(LOG_ERR, "Error - fdopen failed (%s)", + strerror(errno)); + close(fd); + return 1; + } + + while (get_line(f, buf, sizeof(buf))) { + // convert line into name-value pair + const struct kw_pair *kw; + struct nv_pair nv; + rc = nv_split(buf, &nv); + switch (rc) { + case 0: // fine + break; + case 1: // not the right number of tokens. + audit_msg(LOG_ERR, + "Wrong number of arguments for line %d in %s", + lineno, path); + break; + case 2: // no '=' sign + audit_msg(LOG_ERR, + "Missing equal sign for line %d in %s", + lineno, path); + break; + default: // something else went wrong... + audit_msg(LOG_ERR, + "Unknown error for line %d in %s", + lineno, path); + break; + } + if (nv.name == NULL) { + lineno++; + continue; + } + if (nv.value == NULL) { + fclose(f); + return 1; + } + + /* identify keyword or error */ + kw = kw_lookup(nv.name); + if (kw->name == NULL) { + audit_msg(LOG_ERR, + "Unknown keyword \"%s\" in line %d of %s", + nv.name, lineno, path); + fclose(f); + return 1; + } + + /* dispatch to keyword's local parser */ + rc = kw->parser(nv.value, lineno); + if (rc != 0) { + fclose(f); + return 1; // local parser puts message out + } + + lineno++; + } + + fclose(f); + return 0; +} + + +/* + * This function is called to get the value of the failure_action + * tunable stored in /etc/libaudit.conf. The function returns 1 if + * the tunable is not found or there is an error. If the tunable is found, + * 0 is returned the the tunable value is saved in the failmode parameter. + */ +int get_auditfail_action(auditfail_t *failmode) +{ + clear_config(); + + if (load_libaudit_config(CONFIG_FILE)) { + *failmode = config.failure_action; + return 1; + } + + *failmode = config.failure_action; + return 0; +} + +int audit_set_enabled(int fd, uint32_t enabled) +{ + int rc; + struct audit_status s; + + memset(&s, 0, sizeof(s)); + s.mask = AUDIT_STATUS_ENABLED; + s.enabled = enabled; + rc = audit_send(fd, AUDIT_SET, &s, sizeof(s)); + if (rc < 0) + audit_msg(audit_priority(errno), + "Error sending enable request (%s)", strerror(-rc)); + return rc; +} + +/* + * This function will return 0 if auditing is NOT enabled and + * 1 if enabled, and -1 on error. + */ +int audit_is_enabled(int fd) +{ + int rc; + + if (fd < 0) + return 0; + + if ((rc = audit_request_status(fd)) > 0) { + struct audit_reply rep; + int i; + int timeout = 40; /* tenths of seconds */ + struct pollfd pfd[1]; + + pfd[0].fd = fd; + pfd[0].events = POLLIN; + + for (i = 0; i < timeout; i++) { + do { + rc = poll(pfd, 1, 100); + } while (rc < 0 && errno == EINTR); + + rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING,0); + if (rc > 0) { + /* If we get done or error, break out */ + if (rep.type == NLMSG_DONE || + rep.type == NLMSG_ERROR) + break; + + /* If its not status, keep looping */ + if (rep.type != AUDIT_GET) + continue; + + /* Found it... */ + return rep.status->enabled; + } + } + } + if (rc == -ECONNREFUSED) { + /* This is here to let people that build their own kernel + and disable the audit system get in. ECONNREFUSED is + issued by the kernel when there is "no on listening". */ + return 0; + } else if (rc == -EPERM && getuid() != 0) { + /* If we get this, then the kernel supports auditing + * but we don't have enough privilege to write to the + * socket. Therefore, we have already been authenticated + * and we are a common user. Just act as though auditing + * is not enabled. Any other error we take seriously. + * This is here basically to satisfy Xscreensaver. */ + return 0; + } + return -1; +} + +int audit_set_failure(int fd, uint32_t failure) +{ + int rc; + struct audit_status s; + + memset(&s, 0, sizeof(s)); + s.mask = AUDIT_STATUS_FAILURE; + s.failure = failure; + rc = audit_send(fd, AUDIT_SET, &s, sizeof(s)); + if (rc < 0) + audit_msg(audit_priority(errno), + "Error sending failure mode request (%s)", + strerror(-rc)); + return rc; +} + +/* + * This function returns -1 on error and 1 on success. + */ +int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode) +{ + struct audit_status s; + struct audit_reply rep; + struct pollfd pfd[1]; + int rc; + + memset(&s, 0, sizeof(s)); + s.mask = AUDIT_STATUS_PID; + s.pid = pid; + rc = audit_send(fd, AUDIT_SET, &s, sizeof(s)); + if (rc < 0) { + audit_msg(audit_priority(errno), + "Error setting audit daemon pid (%s)", + strerror(-rc)); + return rc; + } + if (wmode == WAIT_NO) + return 1; + + /* Now we'll see if there's any reply message. This only + happens on error. It is not fatal if there is no message. + As a matter of fact, we don't do anything with the message + besides gobble it. */ + pfd[0].fd = fd; + pfd[0].events = POLLIN; + do { + rc = poll(pfd, 1, 100); /* .1 second */ + } while (rc < 0 && errno == EINTR); + + (void)audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0); + return 1; +} + +int audit_set_rate_limit(int fd, uint32_t limit) +{ + int rc; + struct audit_status s; + + memset(&s, 0, sizeof(s)); + s.mask = AUDIT_STATUS_RATE_LIMIT; + s.rate_limit = limit; + rc = audit_send(fd, AUDIT_SET, &s, sizeof(s)); + if (rc < 0) + audit_msg(audit_priority(errno), + "Error sending rate limit request (%s)", + strerror(-rc)); + return rc; +} + +int audit_set_backlog_limit(int fd, uint32_t limit) +{ + int rc; + struct audit_status s; + + memset(&s, 0, sizeof(s)); + s.mask = AUDIT_STATUS_BACKLOG_LIMIT; + s.backlog_limit = limit; + rc = audit_send(fd, AUDIT_SET, &s, sizeof(s)); + if (rc < 0) + audit_msg(audit_priority(errno), + "Error sending backlog limit request (%s)", + strerror(-rc)); + return rc; +} + +int audit_set_backlog_wait_time(int fd, uint32_t bwt) +{ + int rc = -1; +#if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME + struct audit_status s; + + memset(&s, 0, sizeof(s)); + s.mask = AUDIT_STATUS_BACKLOG_WAIT_TIME; + s.backlog_wait_time = bwt; + rc = audit_send(fd, AUDIT_SET, &s, sizeof(s)); + if (rc < 0) + audit_msg(audit_priority(errno), + "Error sending backlog limit request (%s)", + strerror(-rc)); +#endif + return rc; +} + +int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock) +{ +#if HAVE_DECL_AUDIT_FEATURE_VERSION + int rc; + struct audit_features f; + + memset(&f, 0, sizeof(f)); + f.mask = AUDIT_FEATURE_TO_MASK(feature); + if (value) + f.features = AUDIT_FEATURE_TO_MASK(feature); + if (lock) + f.lock = AUDIT_FEATURE_TO_MASK(feature); + rc = audit_send(fd, AUDIT_SET_FEATURE, &f, sizeof(f)); + if (rc < 0) + audit_msg(audit_priority(errno), + "Error setting feature (%s)", + strerror(-rc)); + return rc; +#else + errno = EINVAL; + return -1; +#endif +} +hidden_def(audit_set_feature) + +int audit_request_features(int fd) +{ +#if HAVE_DECL_AUDIT_FEATURE_VERSION + int rc; + struct audit_features f; + + memset(&f, 0, sizeof(f)); + rc = audit_send(fd, AUDIT_GET_FEATURE, &f, sizeof(f)); + if (rc < 0) + audit_msg(audit_priority(errno), + "Error getting feature (%s)", + strerror(-rc)); + return rc; +#else + errno = EINVAL; + return -1; +#endif +} +hidden_def(audit_request_features) + +extern int audit_set_loginuid_immutable(int fd) +{ +#if HAVE_DECL_AUDIT_FEATURE_VERSION + return audit_set_feature(fd, AUDIT_FEATURE_LOGINUID_IMMUTABLE, 1, 1); +#else + errno = EINVAL; + return -1; +#endif +} + +int audit_request_rules_list_data(int fd) +{ + int rc = audit_send(fd, AUDIT_LIST_RULES, NULL, 0); + if (rc < 0 && rc != -EINVAL) + audit_msg(audit_priority(errno), + "Error sending rule list data request (%s)", + strerror(-rc)); + return rc; +} + +int audit_request_signal_info(int fd) +{ + int rc = audit_send(fd, AUDIT_SIGNAL_INFO, NULL, 0); + if (rc < 0) + audit_msg(LOG_WARNING, + "Error sending signal_info request (%s)", + strerror(-rc)); + return rc; +} + +int audit_update_watch_perms(struct audit_rule_data *rule, int perms) +{ + int i, done=0; + + if (rule->field_count < 1) + return -1; + + // First see if we have an entry we are updating + for (i=0; i< rule->field_count; i++) { + if (rule->fields[i] == AUDIT_PERM) { + rule->values[i] = perms; + done = 1; + } + } + if (!done) { + // If not check to see if we have room to add a field + if (rule->field_count >= (AUDIT_MAX_FIELDS - 1)) + return -2; + + // Add the perm + rule->fields[rule->field_count] = AUDIT_PERM; + rule->fieldflags[rule->field_count] = AUDIT_EQUAL; + rule->values[rule->field_count] = perms; + rule->field_count++; + } + return 0; +} + +int audit_add_watch(struct audit_rule_data **rulep, const char *path) +{ + return audit_add_watch_dir(AUDIT_WATCH, rulep, path); +} + +int audit_add_dir(struct audit_rule_data **rulep, const char *path) +{ + return audit_add_watch_dir(AUDIT_DIR, rulep, path); +} + +int audit_add_watch_dir(int type, struct audit_rule_data **rulep, + const char *path) +{ + size_t len = strlen(path); + struct audit_rule_data *rule = *rulep; + + if (rule && rule->field_count) { + audit_msg(LOG_ERR, "Rule is not empty\n"); + return -1; + } + if (type != AUDIT_WATCH && type != AUDIT_DIR) { + audit_msg(LOG_ERR, "Invalid type used\n"); + return -1; + } + + *rulep = realloc(rule, len + sizeof(*rule)); + if (*rulep == NULL) { + free(rule); + audit_msg(LOG_ERR, "Cannot realloc memory!\n"); + return -1; + } + rule = *rulep; + memset(rule, 0, len + sizeof(*rule)); + + rule->flags = AUDIT_FILTER_EXIT; + rule->action = AUDIT_ALWAYS; + audit_rule_syscallbyname_data(rule, "all"); + rule->field_count = 2; + rule->fields[0] = type; + rule->values[0] = len; + rule->fieldflags[0] = AUDIT_EQUAL; + rule->buflen = len; + memcpy(&rule->buf[0], path, len); + + // Default to all permissions + rule->fields[1] = AUDIT_PERM; + rule->fieldflags[1] = AUDIT_EQUAL; + rule->values[1] = AUDIT_PERM_READ | AUDIT_PERM_WRITE | + AUDIT_PERM_EXEC | AUDIT_PERM_ATTR; + + _audit_permadded = 1; + + return 0; +} +hidden_def(audit_add_watch_dir) + +int audit_add_rule_data(int fd, struct audit_rule_data *rule, + int flags, int action) +{ + int rc; + + if (flags == AUDIT_FILTER_ENTRY) { + audit_msg(LOG_WARNING, "Use of entry filter is deprecated"); + return -2; + } + rule->flags = flags; + rule->action = action; + rc = audit_send(fd, AUDIT_ADD_RULE, rule, + sizeof(struct audit_rule_data) + rule->buflen); + if (rc < 0) + audit_msg(audit_priority(errno), + "Error sending add rule data request (%s)", + errno == EEXIST ? + "Rule exists" : strerror(-rc)); + return rc; +} + +int audit_delete_rule_data(int fd, struct audit_rule_data *rule, + int flags, int action) +{ + int rc; + + if (flags == AUDIT_FILTER_ENTRY) { + audit_msg(LOG_WARNING, "Use of entry filter is deprecated"); + return -2; + } + rule->flags = flags; + rule->action = action; + rc = audit_send(fd, AUDIT_DEL_RULE, rule, + sizeof(struct audit_rule_data) + rule->buflen); + if (rc < 0) { + if (rc == -ENOENT) + audit_msg(LOG_WARNING, + "Error sending delete rule request (No rule matches)"); + else + audit_msg(audit_priority(errno), + "Error sending delete rule data request (%s)", + strerror(-rc)); + } + return rc; +} + +/* + * This function is part of the directory auditing code + */ +int audit_trim_subtrees(int fd) +{ + int rc = audit_send(fd, AUDIT_TRIM, NULL, 0); + if (rc < 0) + audit_msg(audit_priority(errno), + "Error sending trim subtrees command (%s)", + strerror(-rc)); + return rc; +} + +/* + * This function is part of the directory auditing code + */ +int audit_make_equivalent(int fd, const char *mount_point, + const char *subtree) +{ + int rc; + size_t len1 = strlen(mount_point); + size_t len2 = strlen(subtree); + struct { + uint32_t sizes[2]; + unsigned char buf[]; + } *cmd = malloc(sizeof(*cmd) + len1 + len2); + + memset(cmd, 0, sizeof(*cmd) + len1 + len2); + + cmd->sizes[0] = len1; + cmd->sizes[1] = len2; + memcpy(&cmd->buf[0], mount_point, len1); + memcpy(&cmd->buf[len1], subtree, len2); + + rc = audit_send(fd, AUDIT_MAKE_EQUIV, cmd, sizeof(*cmd) + len1 + len2); + if (rc < 0) + audit_msg(audit_priority(errno), + "Error sending make_equivalent command (%s)", + strerror(-rc)); + free(cmd); + return rc; +} + +/* + * This function will retreive the loginuid or -1 if there + * is an error. + */ +uid_t audit_getloginuid(void) +{ + uid_t uid; + int len, in; + char buf[16]; + + errno = 0; + in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY); + if (in < 0) + return -1; + do { + len = read(in, buf, sizeof(buf)); + } while (len < 0 && errno == EINTR); + close(in); + if (len < 0 || len >= sizeof(buf)) + return -1; + buf[len] = 0; + errno = 0; + uid = strtol(buf, 0, 10); + if (errno) + return -1; + else + return uid; +} + +/* + * This function returns 0 on success and 1 on failure + */ +int audit_setloginuid(uid_t uid) +{ + char loginuid[16]; + int o, count, rc = 0; + + errno = 0; + count = snprintf(loginuid, sizeof(loginuid), "%u", uid); + o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); + if (o >= 0) { + int block, offset = 0; + + while (count > 0) { + block = write(o, &loginuid[offset], (unsigned)count); + + if (block < 0) { + if (errno == EINTR) + continue; + audit_msg(LOG_ERR, "Error writing loginuid"); + close(o); + return 1; + } + offset += block; + count -= block; + } + close(o); + } else { + audit_msg(LOG_ERR, "Error opening /proc/self/loginuid"); + rc = 1; + } + return rc; +} + +int audit_rule_syscall_data(struct audit_rule_data *rule, int scall) +{ + int word = AUDIT_WORD(scall); + int bit = AUDIT_BIT(scall); + + if (word >= (AUDIT_BITMASK_SIZE-1)) + return -1; + rule->mask[word] |= bit; + return 0; +} +hidden_def(audit_rule_syscall_data) + +int audit_rule_syscallbyname_data(struct audit_rule_data *rule, + const char *scall) +{ + int nr, i; + int machine; + + if (!strcmp(scall, "all")) { + for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) + rule->mask[i] = ~0; + return 0; + } + if (!_audit_elf) + machine = audit_detect_machine(); + else + machine = audit_elf_to_machine(_audit_elf); + if (machine < 0) + return -2; + nr = audit_name_to_syscall(scall, machine); + if (nr < 0) { + if (isdigit(scall[0])) + nr = strtol(scall, NULL, 0); + } + if (nr >= 0) + return audit_rule_syscall_data(rule, nr); + return -1; +} +hidden_def(audit_rule_syscallbyname_data) + +int audit_rule_interfield_comp_data(struct audit_rule_data **rulep, + const char *pair, + int flags) { + const char *f = pair; + char *v; + int op; + int field1, field2; + struct audit_rule_data *rule = *rulep; + + if (f == NULL) + return -1; + + if (rule->field_count >= (AUDIT_MAX_FIELDS - 1)) + return -28; + + /* look for 2-char operators first + then look for 1-char operators afterwards + when found, null out the bytes under the operators to split + and set value pointer just past operator bytes + */ + if ( (v = strstr(pair, "!=")) ) { + *v++ = '\0'; + *v++ = '\0'; + op = AUDIT_NOT_EQUAL; + } else if ( (v = strstr(pair, "=")) ) { + *v++ = '\0'; + op = AUDIT_EQUAL; + } else { + return -13; + } + + if (*f == 0) + return -24; + + if (*v == 0) + return -25; + + if ((field1 = audit_name_to_field(f)) < 0) + return -26; + + if ((field2 = audit_name_to_field(v)) < 0) + return -27; + + /* Interfield comparison can only be in exit filter */ + if (flags != AUDIT_FILTER_EXIT) + return -7; + + // It should always be AUDIT_FIELD_COMPARE + rule->fields[rule->field_count] = AUDIT_FIELD_COMPARE; + rule->fieldflags[rule->field_count] = op; + /* oh god, so many permutations */ + switch (field1) + { + /* UID comparison */ + case AUDIT_EUID: + switch(field2) { + case AUDIT_LOGINUID: + rule->values[rule->field_count] = AUDIT_COMPARE_AUID_TO_EUID; + break; + case AUDIT_FSUID: + rule->values[rule->field_count] = AUDIT_COMPARE_EUID_TO_FSUID; + break; + case AUDIT_OBJ_UID: + rule->values[rule->field_count] = AUDIT_COMPARE_EUID_TO_OBJ_UID; + break; + case AUDIT_SUID: + rule->values[rule->field_count] = AUDIT_COMPARE_EUID_TO_SUID; + break; + case AUDIT_UID: + rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_EUID; + break; + default: + return -1; + } + break; + case AUDIT_FSUID: + switch(field2) { + case AUDIT_LOGINUID: + rule->values[rule->field_count] = AUDIT_COMPARE_AUID_TO_FSUID; + break; + case AUDIT_EUID: + rule->values[rule->field_count] = AUDIT_COMPARE_EUID_TO_FSUID; + break; + case AUDIT_OBJ_UID: + rule->values[rule->field_count] = AUDIT_COMPARE_FSUID_TO_OBJ_UID; + break; + case AUDIT_SUID: + rule->values[rule->field_count] = AUDIT_COMPARE_SUID_TO_FSUID; + break; + case AUDIT_UID: + rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_FSUID; + break; + default: + return -1; + } + break; + case AUDIT_LOGINUID: + switch(field2) { + case AUDIT_EUID: + rule->values[rule->field_count] = AUDIT_COMPARE_AUID_TO_EUID; + break; + case AUDIT_FSUID: + rule->values[rule->field_count] = AUDIT_COMPARE_AUID_TO_FSUID; + break; + case AUDIT_OBJ_UID: + rule->values[rule->field_count] = AUDIT_COMPARE_AUID_TO_OBJ_UID; + break; + case AUDIT_SUID: + rule->values[rule->field_count] = AUDIT_COMPARE_AUID_TO_SUID; + break; + case AUDIT_UID: + rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_AUID; + break; + default: + return -1; + } + break; + case AUDIT_SUID: + switch(field2) { + case AUDIT_LOGINUID: + rule->values[rule->field_count] = AUDIT_COMPARE_AUID_TO_SUID; + break; + case AUDIT_EUID: + rule->values[rule->field_count] = AUDIT_COMPARE_EUID_TO_SUID; + break; + case AUDIT_FSUID: + rule->values[rule->field_count] = AUDIT_COMPARE_SUID_TO_FSUID; + break; + case AUDIT_OBJ_UID: + rule->values[rule->field_count] = AUDIT_COMPARE_SUID_TO_OBJ_UID; + break; + case AUDIT_UID: + rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_SUID; + break; + default: + return -1; + } + break; + case AUDIT_OBJ_UID: + switch(field2) { + case AUDIT_LOGINUID: + rule->values[rule->field_count] = AUDIT_COMPARE_AUID_TO_OBJ_UID; + break; + case AUDIT_EUID: + rule->values[rule->field_count] = AUDIT_COMPARE_EUID_TO_OBJ_UID; + break; + case AUDIT_FSUID: + rule->values[rule->field_count] = AUDIT_COMPARE_FSUID_TO_OBJ_UID; + break; + case AUDIT_UID: + rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_OBJ_UID; + break; + case AUDIT_SUID: + rule->values[rule->field_count] = AUDIT_COMPARE_SUID_TO_OBJ_UID; + break; + default: + return -1; + } + break; + case AUDIT_UID: + switch(field2) { + case AUDIT_LOGINUID: + rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_AUID; + break; + case AUDIT_EUID: + rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_EUID; + break; + case AUDIT_FSUID: + rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_FSUID; + break; + case AUDIT_OBJ_UID: + rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_OBJ_UID; + break; + case AUDIT_SUID: + rule->values[rule->field_count] = AUDIT_COMPARE_UID_TO_SUID; + break; + default: + return -1; + } + break; + + /* GID comparisons */ + case AUDIT_EGID: + switch(field2) { + case AUDIT_FSGID: + rule->values[rule->field_count] = AUDIT_COMPARE_EGID_TO_FSGID; + break; + case AUDIT_GID: + rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_EGID; + break; + case AUDIT_OBJ_GID: + rule->values[rule->field_count] = AUDIT_COMPARE_EGID_TO_OBJ_GID; + break; + case AUDIT_SGID: + rule->values[rule->field_count] = AUDIT_COMPARE_EGID_TO_SGID; + break; + default: + return -1; + } + break; + case AUDIT_FSGID: + switch(field2) { + case AUDIT_SGID: + rule->values[rule->field_count] = AUDIT_COMPARE_SGID_TO_FSGID; + break; + case AUDIT_GID: + rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_FSGID; + break; + case AUDIT_OBJ_GID: + rule->values[rule->field_count] = AUDIT_COMPARE_FSGID_TO_OBJ_GID; + break; + case AUDIT_EGID: + rule->values[rule->field_count] = AUDIT_COMPARE_EGID_TO_FSGID; + break; + default: + return -1; + } + break; + case AUDIT_GID: + switch(field2) { + case AUDIT_EGID: + rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_EGID; + break; + case AUDIT_FSGID: + rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_FSGID; + break; + case AUDIT_OBJ_GID: + rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_OBJ_GID; + break; + case AUDIT_SGID: + rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_SGID; + break; + default: + return -1; + } + break; + case AUDIT_OBJ_GID: + switch(field2) { + case AUDIT_EGID: + rule->values[rule->field_count] = AUDIT_COMPARE_EGID_TO_OBJ_GID; + break; + case AUDIT_FSGID: + rule->values[rule->field_count] = AUDIT_COMPARE_FSGID_TO_OBJ_GID; + break; + case AUDIT_GID: + rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_OBJ_GID; + break; + case AUDIT_SGID: + rule->values[rule->field_count] = AUDIT_COMPARE_SGID_TO_OBJ_GID; + break; + default: + return -1; + } + break; + case AUDIT_SGID: + switch(field2) { + case AUDIT_FSGID: + rule->values[rule->field_count] = AUDIT_COMPARE_SGID_TO_FSGID; + break; + case AUDIT_GID: + rule->values[rule->field_count] = AUDIT_COMPARE_GID_TO_SGID; + break; + case AUDIT_OBJ_GID: + rule->values[rule->field_count] = AUDIT_COMPARE_SGID_TO_OBJ_GID; + break; + case AUDIT_EGID: + rule->values[rule->field_count] = AUDIT_COMPARE_EGID_TO_SGID; + break; + default: + return -1; + } + break; + default: + return -1; + break; + } + rule->field_count++; + return 0; +} + +int audit_determine_machine(const char *arch) +{ // What do we want? i686, x86_64, ia64 or b64, b32 + int machine; + unsigned int bits = 0; + + if (strcasecmp("b64", arch) == 0) { + bits = __AUDIT_ARCH_64BIT; + machine = audit_detect_machine(); + } else if (strcasecmp("b32", arch) == 0) { + bits = ~__AUDIT_ARCH_64BIT; + machine = audit_detect_machine(); + } else { + machine = audit_name_to_machine(arch); + if (machine < 0) { + // See if its numeric + unsigned int ival; + errno = 0; + ival = strtoul(arch, NULL, 16); + if (errno) + return -4; + machine = audit_elf_to_machine(ival); + } + } + + if (machine < 0) + return -4; + + /* Here's where we fixup the machine. For example, they give + * x86_64 & want 32 bits we translate that to i686. */ + if (bits == ~__AUDIT_ARCH_64BIT && machine == MACH_86_64) + machine = MACH_X86; + else if (bits == ~__AUDIT_ARCH_64BIT && machine == MACH_PPC64) + machine = MACH_PPC; + else if (bits == ~__AUDIT_ARCH_64BIT && machine == MACH_S390X) + machine = MACH_S390; + else if (bits == ~__AUDIT_ARCH_64BIT && machine == MACH_AARCH64) + machine = MACH_ARM; + + /* Check for errors - return -6 + * We don't allow 32 bit machines to specify 64 bit. */ + switch (machine) + { + case MACH_X86: + if (bits == __AUDIT_ARCH_64BIT) + return -6; + break; + case MACH_IA64: + if (bits == ~__AUDIT_ARCH_64BIT) + return -6; + break; + case MACH_PPC: + if (bits == __AUDIT_ARCH_64BIT) + return -6; + break; + case MACH_S390: + if (bits == __AUDIT_ARCH_64BIT) + return -6; + break; +#ifdef WITH_ARM + case MACH_ARM: + if (bits == __AUDIT_ARCH_64BIT) + return -6; // Deadcode - just incase of mistake + break; +#endif +#ifdef WITH_AARCH64 + case MACH_AARCH64: + if (bits && bits != __AUDIT_ARCH_64BIT) + return -6; + break; +#endif + case MACH_86_64: /* fallthrough */ + case MACH_PPC64: /* fallthrough */ + case MACH_PPC64LE: /* fallthrough */ + case MACH_S390X: /* fallthrough */ + break; + default: + return -6; + } + return machine; +} + +int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, + int flags) +{ + const char *f = pair; + char *v; + int op; + int field; + int vlen; + int offset; + struct audit_rule_data *rule = *rulep; + + if (f == NULL) + return -1; + + if (rule->field_count >= (AUDIT_MAX_FIELDS - 1)) + return -28; + + /* look for 2-char operators first + then look for 1-char operators afterwards + when found, null out the bytes under the operators to split + and set value pointer just past operator bytes + */ + if ( (v = strstr(pair, "!=")) ) { + *v++ = '\0'; + *v++ = '\0'; + op = AUDIT_NOT_EQUAL; + } else if ( (v = strstr(pair, ">=")) ) { + *v++ = '\0'; + *v++ = '\0'; + op = AUDIT_GREATER_THAN_OR_EQUAL; + } else if ( (v = strstr(pair, "<=")) ) { + *v++ = '\0'; + *v++ = '\0'; + op = AUDIT_LESS_THAN_OR_EQUAL; + } else if ( (v = strstr(pair, "&=")) ) { + *v++ = '\0'; + *v++ = '\0'; + op = AUDIT_BIT_TEST; + } else if ( (v = strstr(pair, "=")) ) { + *v++ = '\0'; + op = AUDIT_EQUAL; + } else if ( (v = strstr(pair, ">")) ) { + *v++ = '\0'; + op = AUDIT_GREATER_THAN; + } else if ( (v = strstr(pair, "<")) ) { + *v++ = '\0'; + op = AUDIT_LESS_THAN; + } else if ( (v = strstr(pair, "&")) ) { + *v++ = '\0'; + op = AUDIT_BIT_MASK; + } + + if (v == NULL) + return -1; + + if (*f == 0) + return -22; + + if (*v == 0) + return -20; + + if ((field = audit_name_to_field(f)) < 0) + return -2; + + /* Exclude filter can be used only with MSGTYPE field */ + if (flags == AUDIT_FILTER_EXCLUDE && field != AUDIT_MSGTYPE) + return -12; + + rule->fields[rule->field_count] = field; + rule->fieldflags[rule->field_count] = op; + switch (field) + { + case AUDIT_UID: + case AUDIT_EUID: + case AUDIT_SUID: + case AUDIT_FSUID: + case AUDIT_LOGINUID: + case AUDIT_OBJ_UID: + // Do positive & negative separate for 32 bit systems + vlen = strlen(v); + if (isdigit((char)*(v))) + rule->values[rule->field_count] = + strtoul(v, NULL, 0); + else if (vlen >= 2 && *(v)=='-' && + (isdigit((char)*(v+1)))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else { + if (strcmp(v, "unset") == 0) + rule->values[rule->field_count] = + 4294967295; + else if (audit_name_to_uid(v, + &rule->values[rule->field_count])) { + audit_msg(LOG_ERR, "Unknown user: %s", + v); + return -2; + } + } + break; + case AUDIT_GID: + case AUDIT_EGID: + case AUDIT_SGID: + case AUDIT_FSGID: + case AUDIT_OBJ_GID: + if (isdigit((char)*(v))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else { + if (audit_name_to_gid(v, + &rule->values[rule->field_count])) { + audit_msg(LOG_ERR, "Unknown group: %s", + v); + return -2; + } + } + break; + case AUDIT_EXIT: + if (flags != AUDIT_FILTER_EXIT) + return -7; + vlen = strlen(v); + if (isdigit((char)*(v))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else if (vlen >= 2 && *(v)=='-' && + (isdigit((char)*(v+1)))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else { + rule->values[rule->field_count] = + audit_name_to_errno(v); + if (rule->values[rule->field_count] == 0) + return -15; + } + break; + case AUDIT_MSGTYPE: + if (flags != AUDIT_FILTER_EXCLUDE && + flags != AUDIT_FILTER_USER) + return -9; + + if (isdigit((char)*(v))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else + if (audit_name_to_msg_type(v) > 0) + rule->values[rule->field_count] = + audit_name_to_msg_type(v); + else + return -8; + break; + /* These next few are strings */ + case AUDIT_OBJ_USER: + case AUDIT_OBJ_ROLE: + case AUDIT_OBJ_TYPE: + case AUDIT_OBJ_LEV_LOW: + case AUDIT_OBJ_LEV_HIGH: + case AUDIT_WATCH: + case AUDIT_DIR: + /* Watch & object filtering is invalid on anything + * but exit */ + if (flags != AUDIT_FILTER_EXIT) + return -7; + if (field == AUDIT_WATCH || field == AUDIT_DIR) + _audit_permadded = 1; + + /* fallthrough */ + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: + case AUDIT_FILTERKEY: + if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded)) + return -19; + vlen = strlen(v); + if (field == AUDIT_FILTERKEY && + vlen > AUDIT_MAX_KEY_LEN) + return -11; + else if (vlen > PATH_MAX) + return -11; + rule->values[rule->field_count] = vlen; + offset = rule->buflen; + rule->buflen += vlen; + *rulep = realloc(rule, sizeof(*rule) + rule->buflen); + if (*rulep == NULL) { + free(rule); + audit_msg(LOG_ERR, "Cannot realloc memory!\n"); + return -3; + } else { + rule = *rulep; + } + strncpy(&rule->buf[offset], v, vlen); + + break; + case AUDIT_ARCH: + if (_audit_syscalladded) + return -3; + if (!(op == AUDIT_NOT_EQUAL || op == AUDIT_EQUAL)) + return -13; + if (isdigit((char)*(v))) { + int machine; + + errno = 0; + _audit_elf = strtoul(v, NULL, 0); + if (errno) + return -5; + + // Make sure we have a valid mapping + machine = audit_elf_to_machine(_audit_elf); + if (machine < 0) + return -5; + } + else { + const char *arch=v; + unsigned int machine, elf; + machine = audit_determine_machine(arch); + /* OK, we have the machine type, now convert + to elf. */ + elf = audit_machine_to_elf(machine); + if (elf == 0) + return -5; + + _audit_elf = elf; + } + rule->values[rule->field_count] = _audit_elf; + _audit_archadded = 1; + break; + case AUDIT_PERM: + if (flags != AUDIT_FILTER_EXIT) + return -7; + else if (op != AUDIT_EQUAL) + return -13; + else { + unsigned int i, len, val = 0; + + len = strlen(v); + if (len > 4) + return -11; + + for (i = 0; i < len; i++) { + switch (tolower(v[i])) { + case 'r': + val |= AUDIT_PERM_READ; + break; + case 'w': + val |= AUDIT_PERM_WRITE; + break; + case 'x': + val |= AUDIT_PERM_EXEC; + break; + case 'a': + val |= AUDIT_PERM_ATTR; + break; + default: + return -14; + } + } + rule->values[rule->field_count] = val; + } + break; + case AUDIT_FILETYPE: + if (!(flags == AUDIT_FILTER_EXIT || flags == AUDIT_FILTER_ENTRY)) + return -17; + rule->values[rule->field_count] = + audit_name_to_ftype(v); + if ((int)rule->values[rule->field_count] < 0) { + return -16; + } + break; + case AUDIT_ARG0...AUDIT_ARG3: + vlen = strlen(v); + if (isdigit((char)*(v))) + rule->values[rule->field_count] = + strtoul(v, NULL, 0); + else if (vlen >= 2 && *(v)=='-' && + (isdigit((char)*(v+1)))) + rule->values[rule->field_count] = + strtol(v, NULL, 0); + else + return -21; + break; + case AUDIT_DEVMAJOR...AUDIT_INODE: + case AUDIT_SUCCESS: + if (flags != AUDIT_FILTER_EXIT) + return -7; + /* fallthrough */ + default: + if (field == AUDIT_INODE) { + if (!(op == AUDIT_NOT_EQUAL || + op == AUDIT_EQUAL)) + return -13; + } + + if (field == AUDIT_PPID && !(flags == AUDIT_FILTER_EXIT + || flags == AUDIT_FILTER_ENTRY)) + return -17; + + if (!isdigit((char)*(v))) + return -21; + + if (field == AUDIT_INODE) + rule->values[rule->field_count] = + strtoul(v, NULL, 0); + else + rule->values[rule->field_count] = + strtol(v, NULL, 0); + break; + } + rule->field_count++; + return 0; +} + +void audit_rule_free_data(struct audit_rule_data *rule) +{ + free(rule); +} + +static int audit_name_to_uid(const char *name, uid_t *uid) +{ + struct passwd *pw; + + pw = getpwnam(name); + if (pw == NULL) + return 1; + + memset(pw->pw_passwd, ' ', strlen(pw->pw_passwd)); + *uid = pw->pw_uid; + return 0; +} + +static int audit_name_to_gid(const char *name, gid_t *gid) +{ + struct group *gr; + + gr = getgrnam(name); + if (gr == NULL) + return 1; + + *gid = gr->gr_gid; + return 0; +} + +int audit_detect_machine(void) +{ + struct utsname uts; + if (uname(&uts) == 0) +// strcpy(uts.machine, "x86_64"); + return audit_name_to_machine(uts.machine); + return -1; +} +hidden_def(audit_detect_machine) + +#ifndef NO_TABLES +void audit_number_to_errmsg(int errnumber, const char *opt) +{ + unsigned int i; + + for (i = 0; i < sizeof(err_msgtab)/sizeof(struct msg_tab); i++) { + if (err_msgtab[i].key == errnumber) { + switch (err_msgtab[i].position) + { + case 0: + fprintf(stderr, "%s\n", + err_msgtab[i].cvalue); + break; + case 1: + fprintf(stderr, "%s %s\n", opt, + err_msgtab[i].cvalue); + break; + case 2: + fprintf(stderr, "%s %s\n", + err_msgtab[i].cvalue, opt); + break; + default: + break; + } + return; + } + } +} +#endif diff --git a/framework/src/audit/lib/libaudit.h b/framework/src/audit/lib/libaudit.h new file mode 100644 index 00000000..8f96c5db --- /dev/null +++ b/framework/src/audit/lib/libaudit.h @@ -0,0 +1,584 @@ +/* libaudit.h -- + * Copyright 2004-2015 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Rickard E. (Rik) Faith <faith@redhat.com> + */ +#ifndef _LIBAUDIT_H_ +#define _LIBAUDIT_H_ + +#ifdef __cplusplus +extern "C" { +#endif + + +#include <asm/types.h> +#include <stdint.h> +#include <sys/socket.h> +#include <linux/netlink.h> +#include <linux/audit.h> +#include <stdarg.h> +#include <syslog.h> + + +/* Audit message types as of 2.6.29 kernel: + * 1000 - 1099 are for commanding the audit system + * 1100 - 1199 user space trusted application messages + * 1200 - 1299 messages internal to the audit daemon + * 1300 - 1399 audit event messages + * 1400 - 1499 kernel SE Linux use + * 1500 - 1599 AppArmor events + * 1600 - 1699 kernel crypto events + * 1700 - 1799 kernel anomaly records + * 1800 - 1899 kernel integrity labels and related events + * 1800 - 1999 future kernel use + * 2001 - 2099 unused (kernel) + * 2100 - 2199 user space anomaly records + * 2200 - 2299 user space actions taken in response to anomalies + * 2300 - 2399 user space generated LSPP events + * 2400 - 2499 user space crypto events + * 2500 - 2599 user space virtualization management events + * 2600 - 2999 future user space (maybe integrity labels and related events) + */ + +#define AUDIT_FIRST_USER_MSG 1100 /* First user space message */ +#define AUDIT_LAST_USER_MSG 1199 /* Last user space message */ +#define AUDIT_USER_AUTH 1100 /* User system access authentication */ +#define AUDIT_USER_ACCT 1101 /* User system access authorization */ +#define AUDIT_USER_MGMT 1102 /* User acct attribute change */ +#define AUDIT_CRED_ACQ 1103 /* User credential acquired */ +#define AUDIT_CRED_DISP 1104 /* User credential disposed */ +#define AUDIT_USER_START 1105 /* User session start */ +#define AUDIT_USER_END 1106 /* User session end */ +#define AUDIT_USER_AVC 1107 /* User space avc message */ +#define AUDIT_USER_CHAUTHTOK 1108 /* User acct password or pin changed */ +#define AUDIT_USER_ERR 1109 /* User acct state error */ +#define AUDIT_CRED_REFR 1110 /* User credential refreshed */ +#define AUDIT_USYS_CONFIG 1111 /* User space system config change */ +#define AUDIT_USER_LOGIN 1112 /* User has logged in */ +#define AUDIT_USER_LOGOUT 1113 /* User has logged out */ +#define AUDIT_ADD_USER 1114 /* User account added */ +#define AUDIT_DEL_USER 1115 /* User account deleted */ +#define AUDIT_ADD_GROUP 1116 /* Group account added */ +#define AUDIT_DEL_GROUP 1117 /* Group account deleted */ +#define AUDIT_DAC_CHECK 1118 /* User space DAC check results */ +#define AUDIT_CHGRP_ID 1119 /* User space group ID changed */ +#define AUDIT_TEST 1120 /* Used for test success messages */ +#define AUDIT_TRUSTED_APP 1121 /* Trusted app msg - freestyle text */ +#define AUDIT_USER_SELINUX_ERR 1122 /* SE Linux user space error */ +#define AUDIT_USER_CMD 1123 /* User shell command and args */ +#define AUDIT_USER_TTY 1124 /* Non-ICANON TTY input meaning */ +#define AUDIT_CHUSER_ID 1125 /* Changed user ID supplemental data */ +#define AUDIT_GRP_AUTH 1126 /* Authentication for group password */ +#define AUDIT_SYSTEM_BOOT 1127 /* System boot */ +#define AUDIT_SYSTEM_SHUTDOWN 1128 /* System shutdown */ +#define AUDIT_SYSTEM_RUNLEVEL 1129 /* System runlevel change */ +#define AUDIT_SERVICE_START 1130 /* Service (daemon) start */ +#define AUDIT_SERVICE_STOP 1131 /* Service (daemon) stop */ +#define AUDIT_GRP_MGMT 1132 /* Group account attr was modified */ +#define AUDIT_GRP_CHAUTHTOK 1133 /* Group acct password or pin changed */ +#define AUDIT_MAC_CHECK 1134 /* User space MAC decision results */ + +#define AUDIT_FIRST_DAEMON 1200 +#define AUDIT_LAST_DAEMON 1299 +#define AUDIT_DAEMON_RECONFIG 1204 /* Auditd should reconfigure */ +#define AUDIT_DAEMON_ROTATE 1205 /* Auditd should rotate logs */ +#define AUDIT_DAEMON_RESUME 1206 /* Auditd should resume logging */ +#define AUDIT_DAEMON_ACCEPT 1207 /* Auditd accepted remote connection */ +#define AUDIT_DAEMON_CLOSE 1208 /* Auditd closed remote connection */ + +#define AUDIT_FIRST_EVENT 1300 +#define AUDIT_LAST_EVENT 1399 + +#define AUDIT_FIRST_SELINUX 1400 +#define AUDIT_LAST_SELINUX 1499 + +#define AUDIT_FIRST_APPARMOR 1500 +#define AUDIT_LAST_APPARMOR 1599 +#ifndef AUDIT_AA +#define AUDIT_AA 1500 /* Not upstream yet */ +#define AUDIT_APPARMOR_AUDIT 1501 +#define AUDIT_APPARMOR_ALLOWED 1502 +#define AUDIT_APPARMOR_DENIED 1503 +#define AUDIT_APPARMOR_HINT 1504 +#define AUDIT_APPARMOR_STATUS 1505 +#define AUDIT_APPARMOR_ERROR 1506 +#endif + +#define AUDIT_FIRST_KERN_CRYPTO_MSG 1600 +#define AUDIT_LAST_KERN_CRYPTO_MSG 1699 + +#define AUDIT_FIRST_KERN_ANOM_MSG 1700 +#define AUDIT_LAST_KERN_ANOM_MSG 1799 + +#define AUDIT_INTEGRITY_FIRST_MSG 1800 +#define AUDIT_INTEGRITY_LAST_MSG 1899 +#ifndef AUDIT_INTEGRITY_DATA +#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */ +#define AUDIT_INTEGRITY_METADATA 1801 // Metadata integrity verification +#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */ +#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */ +#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */ +#define AUDIT_INTEGRITY_RULE 1805 /* Policy rule */ +#endif + +#define AUDIT_FIRST_ANOM_MSG 2100 +#define AUDIT_LAST_ANOM_MSG 2199 +#define AUDIT_ANOM_LOGIN_FAILURES 2100 // Failed login limit reached +#define AUDIT_ANOM_LOGIN_TIME 2101 // Login attempted at bad time +#define AUDIT_ANOM_LOGIN_SESSIONS 2102 // Max concurrent sessions reached +#define AUDIT_ANOM_LOGIN_ACCT 2103 // Login attempted to watched acct +#define AUDIT_ANOM_LOGIN_LOCATION 2104 // Login from forbidden location +#define AUDIT_ANOM_MAX_DAC 2105 // Max DAC failures reached +#define AUDIT_ANOM_MAX_MAC 2106 // Max MAC failures reached +#define AUDIT_ANOM_AMTU_FAIL 2107 // AMTU failure +#define AUDIT_ANOM_RBAC_FAIL 2108 // RBAC self test failure +#define AUDIT_ANOM_RBAC_INTEGRITY_FAIL 2109 // RBAC file integrity failure +#define AUDIT_ANOM_CRYPTO_FAIL 2110 // Crypto system test failure +#define AUDIT_ANOM_ACCESS_FS 2111 // Access of file or dir +#define AUDIT_ANOM_EXEC 2112 // Execution of file +#define AUDIT_ANOM_MK_EXEC 2113 // Make an executable +#define AUDIT_ANOM_ADD_ACCT 2114 // Adding an acct +#define AUDIT_ANOM_DEL_ACCT 2115 // Deleting an acct +#define AUDIT_ANOM_MOD_ACCT 2116 // Changing an acct +#define AUDIT_ANOM_ROOT_TRANS 2117 // User became root + +#define AUDIT_FIRST_ANOM_RESP 2200 +#define AUDIT_LAST_ANOM_RESP 2299 +#define AUDIT_RESP_ANOMALY 2200 /* Anomaly not reacted to */ +#define AUDIT_RESP_ALERT 2201 /* Alert email was sent */ +#define AUDIT_RESP_KILL_PROC 2202 /* Kill program */ +#define AUDIT_RESP_TERM_ACCESS 2203 /* Terminate session */ +#define AUDIT_RESP_ACCT_REMOTE 2204 /* Acct locked from remote access*/ +#define AUDIT_RESP_ACCT_LOCK_TIMED 2205 /* User acct locked for time */ +#define AUDIT_RESP_ACCT_UNLOCK_TIMED 2206 /* User acct unlocked from time */ +#define AUDIT_RESP_ACCT_LOCK 2207 /* User acct was locked */ +#define AUDIT_RESP_TERM_LOCK 2208 /* Terminal was locked */ +#define AUDIT_RESP_SEBOOL 2209 /* Set an SE Linux boolean */ +#define AUDIT_RESP_EXEC 2210 /* Execute a script */ +#define AUDIT_RESP_SINGLE 2211 /* Go to single user mode */ +#define AUDIT_RESP_HALT 2212 /* take the system down */ + +#define AUDIT_FIRST_USER_LSPP_MSG 2300 +#define AUDIT_LAST_USER_LSPP_MSG 2399 +#define AUDIT_USER_ROLE_CHANGE 2300 /* User changed to a new role */ +#define AUDIT_ROLE_ASSIGN 2301 /* Admin assigned user to role */ +#define AUDIT_ROLE_REMOVE 2302 /* Admin removed user from role */ +#define AUDIT_LABEL_OVERRIDE 2303 /* Admin is overriding a label */ +#define AUDIT_LABEL_LEVEL_CHANGE 2304 /* Object's level was changed */ +#define AUDIT_USER_LABELED_EXPORT 2305 /* Object exported with label */ +#define AUDIT_USER_UNLABELED_EXPORT 2306 /* Object exported without label */ +#define AUDIT_DEV_ALLOC 2307 /* Device was allocated */ +#define AUDIT_DEV_DEALLOC 2308 /* Device was deallocated */ +#define AUDIT_FS_RELABEL 2309 /* Filesystem relabeled */ +#define AUDIT_USER_MAC_POLICY_LOAD 2310 /* Userspc daemon loaded policy */ +#define AUDIT_ROLE_MODIFY 2311 /* Admin modified a role */ +#define AUDIT_USER_MAC_CONFIG_CHANGE 2312 /* Change made to MAC policy */ + +#define AUDIT_FIRST_CRYPTO_MSG 2400 +#define AUDIT_CRYPTO_TEST_USER 2400 /* Crypto test results */ +#define AUDIT_CRYPTO_PARAM_CHANGE_USER 2401 /* Crypto attribute change */ +#define AUDIT_CRYPTO_LOGIN 2402 /* Logged in as crypto officer */ +#define AUDIT_CRYPTO_LOGOUT 2403 /* Logged out from crypto */ +#define AUDIT_CRYPTO_KEY_USER 2404 /* Create,delete,negotiate */ +#define AUDIT_CRYPTO_FAILURE_USER 2405 /* Fail decrypt,encrypt,randomiz */ +#define AUDIT_CRYPTO_REPLAY_USER 2406 /* Crypto replay detected */ +#define AUDIT_CRYPTO_SESSION 2407 /* Record parameters set during + TLS session establishment */ +#define AUDIT_CRYPTO_IKE_SA 2408 /* Record parameters related to + IKE SA */ +#define AUDIT_CRYPTO_IPSEC_SA 2409 /* Record parameters related to + IPSEC SA */ + +#define AUDIT_LAST_CRYPTO_MSG 2499 + +#define AUDIT_FIRST_VIRT_MSG 2500 +#define AUDIT_VIRT_CONTROL 2500 /* Start, Pause, Stop VM */ +#define AUDIT_VIRT_RESOURCE 2501 /* Resource assignment */ +#define AUDIT_VIRT_MACHINE_ID 2502 /* Binding of label to VM */ + +#define AUDIT_LAST_VIRT_MSG 2599 + +#ifndef AUDIT_FIRST_USER_MSG2 +#define AUDIT_FIRST_USER_MSG2 2100 /* More userspace messages */ +#define AUDIT_LAST_USER_MSG2 2999 +#endif + +/* New kernel event definitions since 2.6.30 */ +#ifndef AUDIT_SET_FEATURE +#define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */ +#endif + +#ifndef AUDIT_GET_FEATURE +#define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */ +#endif + +#ifndef AUDIT_MMAP +#define AUDIT_MMAP 1323 /* Descriptor and flags in mmap */ +#endif + +#ifndef AUDIT_NETFILTER_PKT +#define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */ +#endif +#ifndef AUDIT_NETFILTER_CFG +#define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */ +#endif + +#ifndef AUDIT_SECCOMP +#define AUDIT_SECCOMP 1326 /* Secure Computing event */ +#endif + +#ifndef AUDIT_PROCTITLE +#define AUDIT_PROCTITLE 1327 /* Process Title info */ +#endif + +#undef AUDIT_FEATURE_CHANGE +#ifndef AUDIT_FEATURE_CHANGE +#define AUDIT_FEATURE_CHANGE 1328 /* Audit feature changed value */ +#endif + +#ifndef AUDIT_ANOM_LINK +#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */ +#endif + +/* This is related to the filterkey patch */ +#define AUDIT_KEY_SEPARATOR 0x01 + +/* These are used in filter control */ +#define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE +#define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */ +#define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */ + +/* Defines for interfield comparison update */ +#ifndef AUDIT_OBJ_UID +#define AUDIT_OBJ_UID 109 +#endif +#ifndef AUDIT_OBJ_GID +#define AUDIT_OBJ_GID 110 +#endif +#ifndef AUDIT_FIELD_COMPARE +#define AUDIT_FIELD_COMPARE 111 +#endif + +#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID +#define AUDIT_COMPARE_UID_TO_OBJ_UID 1 +#endif +#ifndef AUDIT_COMPARE_GID_TO_OBJ_GID +#define AUDIT_COMPARE_GID_TO_OBJ_GID 2 +#endif +#ifndef AUDIT_COMPARE_EUID_TO_OBJ_UID +#define AUDIT_COMPARE_EUID_TO_OBJ_UID 3 +#endif +#ifndef AUDIT_COMPARE_EGID_TO_OBJ_GID +#define AUDIT_COMPARE_EGID_TO_OBJ_GID 4 +#endif +#ifndef AUDIT_COMPARE_AUID_TO_OBJ_UID +#define AUDIT_COMPARE_AUID_TO_OBJ_UID 5 +#endif +#ifndef AUDIT_COMPARE_SUID_TO_OBJ_UID +#define AUDIT_COMPARE_SUID_TO_OBJ_UID 6 +#endif +#ifndef AUDIT_COMPARE_SGID_TO_OBJ_GID +#define AUDIT_COMPARE_SGID_TO_OBJ_GID 7 +#endif +#ifndef AUDIT_COMPARE_FSUID_TO_OBJ_UID +#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8 +#endif +#ifndef AUDIT_COMPARE_FSGID_TO_OBJ_GID +#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9 +#endif +#ifndef AUDIT_COMPARE_UID_TO_AUID +#define AUDIT_COMPARE_UID_TO_AUID 10 +#endif +#ifndef AUDIT_COMPARE_UID_TO_EUID +#define AUDIT_COMPARE_UID_TO_EUID 11 +#endif +#ifndef AUDIT_COMPARE_UID_TO_FSUID +#define AUDIT_COMPARE_UID_TO_FSUID 12 +#endif +#ifndef AUDIT_COMPARE_UID_TO_SUID +#define AUDIT_COMPARE_UID_TO_SUID 13 +#endif +#ifndef AUDIT_COMPARE_AUID_TO_FSUID +#define AUDIT_COMPARE_AUID_TO_FSUID 14 +#endif +#ifndef AUDIT_COMPARE_AUID_TO_SUID +#define AUDIT_COMPARE_AUID_TO_SUID 15 +#endif +#ifndef AUDIT_COMPARE_AUID_TO_EUID +#define AUDIT_COMPARE_AUID_TO_EUID 16 +#endif +#ifndef AUDIT_COMPARE_EUID_TO_SUID +#define AUDIT_COMPARE_EUID_TO_SUID 17 +#endif +#ifndef AUDIT_COMPARE_EUID_TO_FSUID +#define AUDIT_COMPARE_EUID_TO_FSUID 18 +#endif +#ifndef AUDIT_COMPARE_SUID_TO_FSUID +#define AUDIT_COMPARE_SUID_TO_FSUID 19 +#endif +#ifndef AUDIT_COMPARE_GID_TO_EGID +#define AUDIT_COMPARE_GID_TO_EGID 20 +#endif +#ifndef AUDIT_COMPARE_GID_TO_FSGID +#define AUDIT_COMPARE_GID_TO_FSGID 21 +#endif +#ifndef AUDIT_COMPARE_GID_TO_SGID +#define AUDIT_COMPARE_GID_TO_SGID 22 +#endif +#ifndef AUDIT_COMPARE_EGID_TO_FSGID +#define AUDIT_COMPARE_EGID_TO_FSGID 23 +#endif +#ifndef AUDIT_COMPARE_EGID_TO_SGID +#define AUDIT_COMPARE_EGID_TO_SGID 24 +#endif +#ifndef AUDIT_COMPARE_SGID_TO_FSGID +#define AUDIT_COMPARE_SGID_TO_FSGID 25 +#endif + +#ifndef EM_ARM +#define EM_ARM 40 +#endif +#ifndef EM_AARCH64 +#define EM_AARCH64 183 +#endif + +#ifndef AUDIT_ARCH_AARCH64 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#endif + +#ifndef AUDIT_ARCH_PPC64LE +#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#endif + +////////////////////////////////////////////////////// +// This is an external ABI. Any changes in here will +// likely affect pam_loginuid. There might be other +// apps that use this low level interface, but I don't +// know of any. +// +/* data structure for who signaled the audit daemon */ +struct audit_sig_info { + uid_t uid; + pid_t pid; + char ctx[0]; +}; + +/* defines for audit subsystem */ +#define MAX_AUDIT_MESSAGE_LENGTH 8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1 +struct audit_message { + struct nlmsghdr nlh; + char data[MAX_AUDIT_MESSAGE_LENGTH]; +}; + +// internal - forward declaration +struct daemon_conf; + +struct audit_reply { + int type; + int len; + struct nlmsghdr *nlh; + struct audit_message msg; + + /* Using a union to compress this structure since only one of + * the following should be valid for any packet. */ + union { + struct audit_status *status; + struct audit_rule_data *ruledata; + struct audit_login *login; + char *message; + struct nlmsgerr *error; + struct audit_sig_info *signal_info; + struct daemon_conf *conf; +#if HAVE_DECL_AUDIT_FEATURE_VERSION + struct audit_features *features; +#endif + }; +}; + +// +// End of ABI control +////////////////////////////////////////////////////// + +////////////////////////////////////////////////////// +// audit dispatcher interface +// +/* audit_dispatcher_header: This header is versioned. If anything gets + * added to it, it must go at the end and the version number bumped. + * This MUST BE fixed size for compatibility. If you are going to add + * new member then add them into _structure_ part. + */ +struct audit_dispatcher_header { + uint32_t ver; /* The version of this protocol */ + uint32_t hlen; /* Header length */ + uint32_t type; /* Message type */ + uint32_t size; /* Size of data following the header */ +}; + +#define AUDISP_PROTOCOL_VER 0 + +/////////////////////////////////////////////////// +// Libaudit API +// + +/* This is the machine type list */ +typedef enum { + MACH_X86=0, + MACH_86_64, + MACH_IA64, + MACH_PPC64, + MACH_PPC, + MACH_S390X, + MACH_S390, + MACH_ALPHA, + MACH_ARM, + MACH_AARCH64, + MACH_PPC64LE +} machine_t; + +/* These are the valid audit failure tunable enum values */ +typedef enum { + FAIL_IGNORE=0, + FAIL_LOG, + FAIL_TERMINATE +} auditfail_t; + +/* Messages */ +typedef enum { MSG_STDERR, MSG_SYSLOG, MSG_QUIET } message_t; +typedef enum { DBG_NO, DBG_YES } debug_message_t; +void set_aumessage_mode(message_t mode, debug_message_t debug); + +/* General */ +typedef enum { GET_REPLY_BLOCKING=0, GET_REPLY_NONBLOCKING } reply_t; +extern int audit_open(void); +extern void audit_close(int fd); +extern int audit_get_reply(int fd, struct audit_reply *rep, reply_t block, + int peek); +extern uid_t audit_getloginuid(void); +extern int audit_setloginuid(uid_t uid); +extern int audit_detect_machine(void); +extern int audit_determine_machine(const char *arch); + +/* Translation functions */ +extern int audit_name_to_field(const char *field); +extern const char *audit_field_to_name(int field); +extern int audit_name_to_syscall(const char *sc, int machine); +extern const char *audit_syscall_to_name(int sc, int machine); +extern int audit_name_to_flag(const char *flag); +extern const char *audit_flag_to_name(int flag); +extern int audit_name_to_action(const char *action); +extern const char *audit_action_to_name(int action); +extern int audit_name_to_msg_type(const char *msg_type); +extern const char *audit_msg_type_to_name(int msg_type); +extern int audit_name_to_machine(const char *machine); +extern const char *audit_machine_to_name(int machine); +extern unsigned int audit_machine_to_elf(int machine); +extern int audit_elf_to_machine(unsigned int elf); +extern const char *audit_operator_to_symbol(int op); +extern int audit_name_to_errno(const char *error); +extern const char *audit_errno_to_name(int error); +extern int audit_name_to_ftype(const char *name); +extern const char *audit_ftype_to_name(int ftype); +extern void audit_number_to_errmsg(int errnumber, const char *opt); + +/* AUDIT_GET */ +extern int audit_request_status(int fd); +extern int audit_is_enabled(int fd); +extern int get_auditfail_action(auditfail_t *failmode); +extern int audit_request_features(int fd); + +/* AUDIT_SET */ +typedef enum { WAIT_NO, WAIT_YES } rep_wait_t; +extern int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode); +extern int audit_set_enabled(int fd, uint32_t enabled); +extern int audit_set_failure(int fd, uint32_t failure); +extern int audit_set_rate_limit(int fd, uint32_t limit); +extern int audit_set_backlog_limit(int fd, uint32_t limit); +int audit_set_backlog_wait_time(int fd, uint32_t bwt); +extern int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock); +extern int audit_set_loginuid_immutable(int fd); + +/* AUDIT_LIST_RULES */ +extern int audit_request_rules_list_data(int fd); + +/* SIGNAL_INFO */ +extern int audit_request_signal_info(int fd); + +/* AUDIT_WATCH */ +extern int audit_update_watch_perms(struct audit_rule_data *rule, int perms); +extern int audit_add_watch(struct audit_rule_data **rulep, const char *path); +extern int audit_add_dir(struct audit_rule_data **rulep, const char *path); +extern int audit_add_watch_dir(int type, struct audit_rule_data **rulep, + const char *path); +extern int audit_trim_subtrees(int fd); +extern int audit_make_equivalent(int fd, const char *mount_point, + const char *subtree); + +/* AUDIT_ADD_RULE */ +extern int audit_add_rule_data(int fd, struct audit_rule_data *rule, + int flags, int action); + +/* AUDIT_DEL_RULE */ +extern int audit_delete_rule_data(int fd, struct audit_rule_data *rule, + int flags, int action); + +/* The following are for standard formatting of messages */ +extern int audit_value_needs_encoding(const char *str, unsigned int len); +extern char *audit_encode_value(char *final,const char *buf,unsigned int size); +extern char *audit_encode_nv_string(const char *name, const char *value, + unsigned int vlen); +extern int audit_log_user_message(int audit_fd, int type, const char *message, + const char *hostname, const char *addr, const char *tty, int result); +extern int audit_log_user_comm_message(int audit_fd, int type, + const char *message, const char *comm, const char *hostname, + const char *addr, const char *tty, int result); +extern int audit_log_acct_message(int audit_fd, int type, const char *pgname, + const char *op, const char *name, unsigned int id, + const char *host, const char *addr, const char *tty, int result); +extern int audit_log_user_avc_message(int audit_fd, int type, + const char *message, const char *hostname, const char *addr, + const char *tty, uid_t uid); +extern int audit_log_semanage_message(int audit_fd, int type, + const char *pgname, const char *op, const char *name, unsigned int id, + const char *new_seuser, const char *new_role, const char *new_range, + const char *old_seuser, const char *old_role, const char *old_range, + const char *host, const char *addr, + const char *tty, int result); +extern int audit_log_user_command(int audit_fd, int type, const char *command, + const char *tty, int result); + +/* Rule-building helper functions */ +extern int audit_rule_syscall_data(struct audit_rule_data *rule, int scall); +extern int audit_rule_syscallbyname_data(struct audit_rule_data *rule, + const char *scall); +/* Note that the following function takes a **, where audit_rule_fieldpair() + * takes just a *. That structure may need to be reallocated as a result of + * adding new fields */ +extern int audit_rule_fieldpair_data(struct audit_rule_data **rulep, + const char *pair, int flags); +extern int audit_rule_interfield_comp_data(struct audit_rule_data **rulep, + const char *pair, int flags); +extern void audit_rule_free_data(struct audit_rule_data *rule); + +#ifdef __cplusplus +} +#endif + +#endif + diff --git a/framework/src/audit/lib/lookup_table.c b/framework/src/audit/lib/lookup_table.c new file mode 100644 index 00000000..6dc63d4b --- /dev/null +++ b/framework/src/audit/lib/lookup_table.c @@ -0,0 +1,359 @@ +/* lookup_table.c -- + * Copyright 2004-2008,2012-13 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Rickard E. (Rik) Faith <faith@redhat.com> + */ + +#include "config.h" +#include <stddef.h> +#include <stdint.h> +#include <string.h> +#include <unistd.h> +#include <stdlib.h> +#include <ctype.h> +#include <errno.h> + +#include "libaudit.h" +#include "gen_tables.h" +#include "private.h" + +#ifndef NO_TABLES +#ifdef WITH_ALPHA +#include "alpha_tables.h" +#endif +#ifdef WITH_ARM +#include "arm_tables.h" +#endif +#ifdef WITH_AARCH64 +#include "aarch64_tables.h" +#endif +#include "i386_tables.h" +#include "ia64_tables.h" +#include "ppc_tables.h" +#include "s390_tables.h" +#include "s390x_tables.h" +#include "x86_64_tables.h" +#include "errtabs.h" +#include "ftypetabs.h" +#include "fieldtabs.h" +#endif +#include "msg_typetabs.h" +#include "actiontabs.h" +#include "flagtabs.h" +#include "machinetabs.h" +#include "optabs.h" + +struct int_transtab { + int key; + unsigned int lvalue; +}; + +static const struct int_transtab elftab[] = { + { MACH_X86, AUDIT_ARCH_I386 }, + { MACH_86_64, AUDIT_ARCH_X86_64 }, + { MACH_IA64, AUDIT_ARCH_IA64 }, + { MACH_PPC64, AUDIT_ARCH_PPC64 }, + { MACH_PPC64LE, AUDIT_ARCH_PPC64LE}, + { MACH_PPC, AUDIT_ARCH_PPC }, + { MACH_S390X, AUDIT_ARCH_S390X }, + { MACH_S390, AUDIT_ARCH_S390 }, +#ifdef WITH_ALPHA + { MACH_ALPHA, AUDIT_ARCH_ALPHA }, +#endif +#ifdef WITH_ARM + { MACH_ARM, AUDIT_ARCH_ARM }, +#endif +#ifdef WITH_AARCH64 + { MACH_AARCH64, AUDIT_ARCH_AARCH64}, +#endif +}; +#define AUDIT_ELF_NAMES (sizeof(elftab)/sizeof(elftab[0])) + +int audit_name_to_field(const char *field) +{ +#ifndef NO_TABLES + int res; + + if (field_s2i(field, &res) != 0) + return res; +#endif + return -1; +} +hidden_def(audit_name_to_field) + +const char *audit_field_to_name(int field) +{ +#ifndef NO_TABLES + return field_i2s(field); +#else + return NULL; +#endif +} + +int audit_name_to_syscall(const char *sc, int machine) +{ + int res, found = 0; + + switch (machine) + { +#ifndef NO_TABLES + case MACH_X86: + found = i386_syscall_s2i(sc, &res); + break; + case MACH_86_64: + found = x86_64_syscall_s2i(sc, &res); + break; + case MACH_IA64: + found = ia64_syscall_s2i(sc, &res); + break; + case MACH_PPC64: + case MACH_PPC64LE: + case MACH_PPC: + found = ppc_syscall_s2i(sc, &res); + break; + case MACH_S390X: + found = s390x_syscall_s2i(sc, &res); + break; + case MACH_S390: + found = s390_syscall_s2i(sc, &res); + break; +#ifdef WITH_ALPHA + case MACH_ALPHA: + found = alpha_syscall_s2i(sc, &res); + break; +#endif +#ifdef WITH_ARM + case MACH_ARM: + found = arm_syscall_s2i(sc, &res); + break; +#endif +#ifdef WITH_AARCH64 + case MACH_AARCH64: + found = aarch64_syscall_s2i(sc, &res); + break; +#endif +#endif + default: + return -1; + } + if (found) + return res; + return -1; +} +hidden_def(audit_name_to_syscall) + +const char *audit_syscall_to_name(int sc, int machine) +{ +#ifndef NO_TABLES + switch (machine) + { + case MACH_X86: + return i386_syscall_i2s(sc); + case MACH_86_64: + return x86_64_syscall_i2s(sc); + case MACH_IA64: + return ia64_syscall_i2s(sc); + case MACH_PPC64: + case MACH_PPC64LE: + case MACH_PPC: + return ppc_syscall_i2s(sc); + case MACH_S390X: + return s390x_syscall_i2s(sc); + case MACH_S390: + return s390_syscall_i2s(sc); +#ifdef WITH_ALPHA + case MACH_ALPHA: + return alpha_syscall_i2s(sc); +#endif +#ifdef WITH_ARM + case MACH_ARM: + return arm_syscall_i2s(sc); +#endif +#ifdef WITH_AARCH64 + case MACH_AARCH64: + return aarch64_syscall_i2s(sc); +#endif + } +#endif + return NULL; +} + +int audit_name_to_flag(const char *flag) +{ + int res; + + if (flag_s2i(flag, &res) != 0) + return res; + return -1; +} + +const char *audit_flag_to_name(int flag) +{ + return flag_i2s(flag); +} + +int audit_name_to_action(const char *action) +{ + int res; + + if (action_s2i(action, &res) != 0) + return res; + return -1; +} + +const char *audit_action_to_name(int action) +{ + return action_i2s(action); +} + +// On the critical path for ausearch parser +int audit_name_to_msg_type(const char *msg_type) +{ + int rc; + + if (msg_type_s2i(msg_type, &rc) != 0) + return rc; + + /* Take a stab at converting */ + if (strncmp(msg_type, "UNKNOWN[", 8) == 0) { + int len; + char buf[8]; + const char *end = strchr(msg_type + 8, ']'); + if (end == NULL) + return -1; + + len = end - (msg_type + 8); + if (len > 7) + len = 7; + memset(buf, 0, sizeof(buf)); + strncpy(buf, msg_type + 8, len); + errno = 0; + return strtol(buf, NULL, 10); + } else if (isdigit(*msg_type)) { + errno = 0; + return strtol(msg_type, NULL, 10); + } + + return -1; +} +hidden_def(audit_name_to_msg_type) + +const char *audit_msg_type_to_name(int msg_type) +{ + return msg_type_i2s(msg_type); +} +hidden_def(audit_msg_type_to_name) + +int audit_name_to_machine(const char *machine) +{ + int res; + + if (machine_s2i(machine, &res) != 0) + return res; + return -1; +} +hidden_def(audit_name_to_machine) + +const char *audit_machine_to_name(int machine) +{ + return machine_i2s(machine); +} + +unsigned int audit_machine_to_elf(int machine) +{ + unsigned int i; + + for (i = 0; i < AUDIT_ELF_NAMES; i++) + if (elftab[i].key == machine) + return elftab[i].lvalue; + return 0; +} +hidden_def(audit_machine_to_elf) + +int audit_elf_to_machine(unsigned int elf) +{ + unsigned int i; + + for (i = 0; i < AUDIT_ELF_NAMES; i++) + if (elftab[i].lvalue == elf) return elftab[i].key; + return -1; +} +hidden_def(audit_elf_to_machine) + +const char *audit_operator_to_symbol(int op) +{ + return op_i2s(op); +} +hidden_def(audit_operator_to_symbol) + +/* This function returns 0 on error, otherwise the converted value */ +int audit_name_to_errno(const char *error) +{ +#ifndef NO_TABLES + int rc, minus = 1; + + if (*error == '-') { + minus = -1; + error++; + } + if (err_s2i(error, &rc) == 0) + rc = 0; + + return rc*minus; +#else + return 0; +#endif +} +hidden_def(audit_name_to_errno) + +/* This function does not handle negative numbers yet */ +const char *audit_errno_to_name(int error) +{ +#ifndef NO_TABLES + if (error < 0) + return NULL; + + return err_i2s(error); +#else + return NULL; +#endif +} + +int audit_name_to_ftype(const char *name) +{ + int res; + +#ifndef NO_TABLES + if (ftype_s2i(name, &res) != 0) + return res; +#endif + return -1; +} +hidden_def(audit_name_to_ftype) + +const char *audit_ftype_to_name(int ftype) +{ +#ifndef NO_TABLES + return ftype_i2s(ftype); +#else + return NULL; +#endif +} + diff --git a/framework/src/audit/lib/machinetab.h b/framework/src/audit/lib/machinetab.h new file mode 100644 index 00000000..27c69420 --- /dev/null +++ b/framework/src/audit/lib/machinetab.h @@ -0,0 +1,47 @@ +/* machine.h -- + * Copyright 2005,2006,2009,2012,2013 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(MACH_X86, "i386" ) +_S(MACH_X86, "i486" ) +_S(MACH_X86, "i586" ) +_S(MACH_X86, "i686" ) +_S(MACH_86_64, "x86_64" ) +_S(MACH_IA64, "ia64" ) +_S(MACH_PPC64, "ppc64" ) +_S(MACH_PPC64LE, "ppc64le") +_S(MACH_PPC, "ppc" ) +_S(MACH_S390X, "s390x" ) +_S(MACH_S390, "s390" ) +#ifdef WITH_ALPHA +_S(MACH_ALPHA, "alpha" ) +#endif +#ifdef WITH_ARM +_S(MACH_ARM, "armeb" ) +_S(MACH_ARM, "arm" ) +_S(MACH_ARM, "armv5tejl") +_S(MACH_ARM, "armv5tel") +_S(MACH_ARM, "armv6l") +_S(MACH_ARM, "armv7l") +#endif +#ifdef WITH_AARCH64 +_S(MACH_AARCH64, "aarch64" ) +#endif diff --git a/framework/src/audit/lib/message.c b/framework/src/audit/lib/message.c new file mode 100644 index 00000000..85e9e64b --- /dev/null +++ b/framework/src/audit/lib/message.c @@ -0,0 +1,59 @@ +/* message.c -- + * Copyright 2004, 2005 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +#include "config.h" +#include <stdio.h> +#include <stdarg.h> +#include "libaudit.h" +#include "private.h" + +/* The message mode refers to where informational messages go + 0 - stderr, 1 - syslog, 2 - quiet. The default is quiet. */ +static message_t message_mode = MSG_QUIET; +static debug_message_t debug_message = DBG_NO; + +void set_aumessage_mode(message_t mode, debug_message_t debug) +{ + message_mode = mode; + debug_message = debug; +} + +void audit_msg(int priority, const char *fmt, ...) +{ + va_list ap; + + if (message_mode == MSG_QUIET) + return; + + if (priority == LOG_DEBUG && debug_message == DBG_NO) + return; + + va_start(ap, fmt); + if (message_mode == MSG_SYSLOG) + vsyslog(priority, fmt, ap); + else { + vfprintf(stderr, fmt, ap); + fputc('\n', stderr); + } + va_end( ap ); +} +hidden_def(audit_msg) diff --git a/framework/src/audit/lib/msg_typetab.h b/framework/src/audit/lib/msg_typetab.h new file mode 100644 index 00000000..c8e47564 --- /dev/null +++ b/framework/src/audit/lib/msg_typetab.h @@ -0,0 +1,214 @@ +/* msg_typetab.h -- + * Copyright 2005-07,2009-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +/* + * This table is arranged from lowest number to highest number. The + * items that are commented out are for completeness. The audit + * daemon filters these and they never show up in the logs, therefore + * they are not needed for reporting. Or they have been deprecated for + * a long time. + */ +//_S(AUDIT_GET, "GET" ) +//_S(AUDIT_SET, "SET" ) +//_S(AUDIT_LIST, "LIST" ) +//_S(AUDIT_ADD, "ADD" ) +//_S(AUDIT_DEL, "DEL" ) +_S(AUDIT_USER, "USER" ) +_S(AUDIT_LOGIN, "LOGIN" ) +//_S(AUDIT_SIGNAL_INFO, "SIGNAL_INFO" ) +//_S(AUDIT_ADD_RULE, "ADD_RULE" ) +//_S(AUDIT_DEL_RULE, "DEL_RULE" ) +//_S(AUDIT_LIST_RULES, "LIST_RULES" ) +//_S(AUDIT_TRIM, "TRIM" ) +//_S(AUDIT_MAKE_EQUIV, "MAKE_EQUIV" ) +//_S(AUDIT_TTY_GET, "TTY_GET" ) +//_S(AUDIT_TTY_SET, "TTY_SET" ) +//_S(AUDIT_SET_FEATURE, "SET_FEATURE" ) +//_S(AUDIT_GET_FEATURE, "GET_FEATURE" ) +_S(AUDIT_USER_AUTH, "USER_AUTH" ) +_S(AUDIT_USER_ACCT, "USER_ACCT" ) +_S(AUDIT_USER_MGMT, "USER_MGMT" ) +_S(AUDIT_CRED_ACQ, "CRED_ACQ" ) +_S(AUDIT_CRED_DISP, "CRED_DISP" ) +_S(AUDIT_USER_START, "USER_START" ) +_S(AUDIT_USER_END, "USER_END" ) +_S(AUDIT_USER_AVC, "USER_AVC" ) +_S(AUDIT_USER_CHAUTHTOK, "USER_CHAUTHTOK" ) +_S(AUDIT_USER_ERR, "USER_ERR" ) +_S(AUDIT_CRED_REFR, "CRED_REFR" ) +_S(AUDIT_USYS_CONFIG, "USYS_CONFIG" ) +_S(AUDIT_USER_LOGIN, "USER_LOGIN" ) +_S(AUDIT_USER_LOGOUT, "USER_LOGOUT" ) +_S(AUDIT_ADD_USER, "ADD_USER" ) +_S(AUDIT_DEL_USER, "DEL_USER" ) +_S(AUDIT_ADD_GROUP, "ADD_GROUP" ) +_S(AUDIT_DEL_GROUP, "DEL_GROUP" ) +_S(AUDIT_DAC_CHECK, "DAC_CHECK" ) +_S(AUDIT_CHGRP_ID, "CHGRP_ID" ) +_S(AUDIT_TEST, "TEST" ) +_S(AUDIT_TRUSTED_APP, "TRUSTED_APP" ) +_S(AUDIT_USER_SELINUX_ERR, "USER_SELINUX_ERR" ) +_S(AUDIT_USER_CMD, "USER_CMD" ) +_S(AUDIT_USER_TTY, "USER_TTY" ) +_S(AUDIT_CHUSER_ID, "CHUSER_ID" ) +_S(AUDIT_GRP_AUTH, "GRP_AUTH" ) +_S(AUDIT_MAC_CHECK, "MAC_CHECK" ) +_S(AUDIT_SYSTEM_BOOT, "SYSTEM_BOOT" ) +_S(AUDIT_SYSTEM_SHUTDOWN, "SYSTEM_SHUTDOWN" ) +_S(AUDIT_SYSTEM_RUNLEVEL, "SYSTEM_RUNLEVEL" ) +_S(AUDIT_SERVICE_START, "SERVICE_START" ) +_S(AUDIT_SERVICE_STOP, "SERVICE_STOP" ) +_S(AUDIT_GRP_MGMT, "GRP_MGMT" ) +_S(AUDIT_GRP_CHAUTHTOK, "GRP_CHAUTHTOK" ) +_S(AUDIT_DAEMON_START, "DAEMON_START" ) +_S(AUDIT_DAEMON_END, "DAEMON_END" ) +_S(AUDIT_DAEMON_ABORT, "DAEMON_ABORT" ) +_S(AUDIT_DAEMON_CONFIG, "DAEMON_CONFIG" ) +//_S(AUDIT_DAEMON_RECONFIG, "DAEMON_RECONFIG" ) +_S(AUDIT_DAEMON_ROTATE, "DAEMON_ROTATE" ) +_S(AUDIT_DAEMON_RESUME, "DAEMON_RESUME" ) +_S(AUDIT_DAEMON_ACCEPT, "DAEMON_ACCEPT" ) +_S(AUDIT_DAEMON_CLOSE, "DAEMON_CLOSE" ) +_S(AUDIT_SYSCALL, "SYSCALL" ) +//_S(AUDIT_FS_WATCH, "FS_WATCH" ) +_S(AUDIT_PATH, "PATH" ) +_S(AUDIT_IPC, "IPC" ) +_S(AUDIT_SOCKETCALL, "SOCKETCALL" ) +_S(AUDIT_CONFIG_CHANGE, "CONFIG_CHANGE" ) +_S(AUDIT_SOCKADDR, "SOCKADDR" ) +_S(AUDIT_CWD, "CWD" ) +//_S(AUDIT_FS_INODE, "FS_INODE" ) +_S(AUDIT_EXECVE, "EXECVE" ) +_S(AUDIT_IPC_SET_PERM, "IPC_SET_PERM" ) +_S(AUDIT_MQ_OPEN, "MQ_OPEN" ) +_S(AUDIT_MQ_SENDRECV, "MQ_SENDRECV" ) +_S(AUDIT_MQ_NOTIFY, "MQ_NOTIFY" ) +_S(AUDIT_MQ_GETSETATTR, "MQ_GETSETATTR" ) +_S(AUDIT_KERNEL_OTHER, "KERNEL_OTHER" ) +_S(AUDIT_FD_PAIR, "FD_PAIR" ) +_S(AUDIT_OBJ_PID, "OBJ_PID" ) +_S(AUDIT_TTY, "TTY" ) +_S(AUDIT_EOE, "EOE" ) +_S(AUDIT_BPRM_FCAPS, "BPRM_FCAPS" ) +_S(AUDIT_CAPSET, "CAPSET" ) +_S(AUDIT_MMAP, "MMAP" ) +_S(AUDIT_NETFILTER_PKT, "NETFILTER_PKT" ) +_S(AUDIT_NETFILTER_CFG, "NETFILTER_CFG" ) +_S(AUDIT_SECCOMP, "SECCOMP" ) +_S(AUDIT_PROCTITLE, "PROCTITLE" ) +_S(AUDIT_FEATURE_CHANGE, "FEATURE_CHANGE" ) +_S(AUDIT_AVC, "AVC" ) +_S(AUDIT_SELINUX_ERR, "SELINUX_ERR" ) +_S(AUDIT_AVC_PATH, "AVC_PATH" ) +_S(AUDIT_MAC_POLICY_LOAD, "MAC_POLICY_LOAD" ) +_S(AUDIT_MAC_STATUS, "MAC_STATUS" ) +_S(AUDIT_MAC_CONFIG_CHANGE, "MAC_CONFIG_CHANGE" ) +_S(AUDIT_MAC_UNLBL_ALLOW, "MAC_UNLBL_ALLOW" ) +_S(AUDIT_MAC_CIPSOV4_ADD, "MAC_CIPSOV4_ADD" ) +_S(AUDIT_MAC_CIPSOV4_DEL, "MAC_CIPSOV4_DEL" ) +_S(AUDIT_MAC_MAP_ADD, "MAC_MAP_ADD" ) +_S(AUDIT_MAC_MAP_DEL, "MAC_MAP_DEL" ) +_S(AUDIT_MAC_IPSEC_ADDSA, "MAC_IPSEC_ADDSA" ) +_S(AUDIT_MAC_IPSEC_DELSA, "MAC_IPSEC_DELSA" ) +_S(AUDIT_MAC_IPSEC_ADDSPD, "MAC_IPSEC_ADDSPD" ) +_S(AUDIT_MAC_IPSEC_DELSPD, "MAC_IPSEC_DELSPD" ) +_S(AUDIT_MAC_IPSEC_EVENT, "MAC_IPSEC_EVENT" ) +_S(AUDIT_MAC_UNLBL_STCADD, "MAC_UNLBL_STCADD" ) +_S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL" ) +_S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" ) +_S(AUDIT_ANOM_ABEND, "ANOM_ABEND" ) +_S(AUDIT_ANOM_LINK, "ANOM_LINK" ) +_S(AUDIT_INTEGRITY_DATA, "INTEGRITY_DATA" ) +_S(AUDIT_INTEGRITY_METADATA, "INTEGRITY_METADATA" ) +_S(AUDIT_INTEGRITY_STATUS, "INTEGRITY_STATUS" ) +_S(AUDIT_INTEGRITY_HASH, "INTEGRITY_HASH" ) +_S(AUDIT_INTEGRITY_PCR, "INTEGRITY_PCR" ) +_S(AUDIT_INTEGRITY_RULE, "INTEGRITY_RULE" ) + +#ifdef WITH_APPARMOR +_S(AUDIT_AA, "APPARMOR" ) +_S(AUDIT_APPARMOR_AUDIT, "APPARMOR_AUDIT" ) +_S(AUDIT_APPARMOR_ALLOWED, "APPARMOR_ALLOWED" ) +_S(AUDIT_APPARMOR_DENIED, "APPARMOR_DENIED" ) +_S(AUDIT_APPARMOR_HINT, "APPARMOR_HINT" ) +_S(AUDIT_APPARMOR_STATUS, "APPARMOR_STATUS" ) +_S(AUDIT_APPARMOR_ERROR, "APPARMOR_ERROR" ) +#endif +_S(AUDIT_KERNEL, "KERNEL" ) +_S(AUDIT_ANOM_LOGIN_FAILURES, "ANOM_LOGIN_FAILURES" ) +_S(AUDIT_ANOM_LOGIN_TIME, "ANOM_LOGIN_TIME" ) +_S(AUDIT_ANOM_LOGIN_SESSIONS, "ANOM_LOGIN_SESSIONS" ) +_S(AUDIT_ANOM_LOGIN_ACCT, "ANOM_LOGIN_ACCT" ) +_S(AUDIT_ANOM_LOGIN_LOCATION, "ANOM_LOGIN_LOCATION" ) +_S(AUDIT_ANOM_MAX_DAC, "ANOM_MAX_DAC" ) +_S(AUDIT_ANOM_MAX_MAC, "ANOM_MAX_MAC" ) +_S(AUDIT_ANOM_AMTU_FAIL, "ANOM_AMTU_FAIL" ) +_S(AUDIT_ANOM_RBAC_FAIL, "ANOM_RBAC_FAIL" ) +_S(AUDIT_ANOM_RBAC_INTEGRITY_FAIL, "ANOM_RBAC_INTEGRITY_FAIL" ) +_S(AUDIT_ANOM_CRYPTO_FAIL, "ANOM_CRYPTO_FAIL" ) +_S(AUDIT_ANOM_ACCESS_FS, "ANOM_ACCESS_FS" ) +_S(AUDIT_ANOM_EXEC, "ANOM_EXEC" ) +_S(AUDIT_ANOM_MK_EXEC, "ANOM_MK_EXEC" ) +_S(AUDIT_ANOM_ADD_ACCT, "ANOM_ADD_ACCT" ) +_S(AUDIT_ANOM_DEL_ACCT, "ANOM_DEL_ACCT" ) +_S(AUDIT_ANOM_MOD_ACCT, "ANOM_MOD_ACCT" ) +_S(AUDIT_ANOM_ROOT_TRANS, "ANOM_ROOT_TRANS" ) +_S(AUDIT_RESP_ANOMALY, "RESP_ANOMALY" ) +_S(AUDIT_RESP_ALERT, "RESP_ALERT" ) +_S(AUDIT_RESP_KILL_PROC, "RESP_KILL_PROC" ) +_S(AUDIT_RESP_TERM_ACCESS, "RESP_TERM_ACCESS" ) +_S(AUDIT_RESP_ACCT_REMOTE, "RESP_ACCT_REMOTE" ) +_S(AUDIT_RESP_ACCT_LOCK_TIMED, "RESP_ACCT_LOCK_TIMED" ) +_S(AUDIT_RESP_ACCT_UNLOCK_TIMED, "RESP_ACCT_UNLOCK_TIMED" ) +_S(AUDIT_RESP_ACCT_LOCK, "RESP_ACCT_LOCK" ) +_S(AUDIT_RESP_TERM_LOCK, "RESP_TERM_LOCK" ) +_S(AUDIT_RESP_SEBOOL, "RESP_SEBOOL" ) +_S(AUDIT_RESP_EXEC, "RESP_EXEC" ) +_S(AUDIT_RESP_SINGLE, "RESP_SINGLE" ) +_S(AUDIT_RESP_HALT, "RESP_HALT" ) +_S(AUDIT_USER_ROLE_CHANGE, "USER_ROLE_CHANGE" ) +_S(AUDIT_ROLE_ASSIGN, "ROLE_ASSIGN" ) +_S(AUDIT_ROLE_REMOVE, "ROLE_REMOVE" ) +_S(AUDIT_LABEL_OVERRIDE, "LABEL_OVERRIDE" ) +_S(AUDIT_LABEL_LEVEL_CHANGE, "LABEL_LEVEL_CHANGE" ) +_S(AUDIT_USER_LABELED_EXPORT, "USER_LABELED_EXPORT" ) +_S(AUDIT_USER_UNLABELED_EXPORT, "USER_UNLABELED_EXPORT" ) +_S(AUDIT_DEV_ALLOC, "DEV_ALLOC" ) +_S(AUDIT_DEV_DEALLOC, "DEV_DEALLOC" ) +_S(AUDIT_FS_RELABEL, "FS_RELABEL" ) +_S(AUDIT_USER_MAC_POLICY_LOAD, "USER_MAC_POLICY_LOAD" ) +_S(AUDIT_ROLE_MODIFY, "ROLE_MODIFY" ) +_S(AUDIT_USER_MAC_CONFIG_CHANGE, "USER_MAC_CONFIG_CHANGE" ) +_S(AUDIT_CRYPTO_TEST_USER, "CRYPTO_TEST_USER" ) +_S(AUDIT_CRYPTO_PARAM_CHANGE_USER, "CRYPTO_PARAM_CHANGE_USER" ) +_S(AUDIT_CRYPTO_LOGIN, "CRYPTO_LOGIN" ) +_S(AUDIT_CRYPTO_LOGOUT, "CRYPTO_LOGOUT" ) +_S(AUDIT_CRYPTO_KEY_USER, "CRYPTO_KEY_USER" ) +_S(AUDIT_CRYPTO_FAILURE_USER, "CRYPTO_FAILURE_USER" ) +_S(AUDIT_CRYPTO_REPLAY_USER, "CRYPTO_REPLAY_USER" ) +_S(AUDIT_CRYPTO_SESSION, "CRYPTO_SESSION" ) +_S(AUDIT_CRYPTO_IKE_SA, "CRYPTO_IKE_SA" ) +_S(AUDIT_CRYPTO_IPSEC_SA, "CRYPTO_IPSEC_SA" ) +_S(AUDIT_VIRT_CONTROL, "VIRT_CONTROL" ) +_S(AUDIT_VIRT_RESOURCE, "VIRT_RESOURCE" ) +_S(AUDIT_VIRT_MACHINE_ID, "VIRT_MACHINE_ID" ) + diff --git a/framework/src/audit/lib/netlink.c b/framework/src/audit/lib/netlink.c new file mode 100644 index 00000000..6c80c30c --- /dev/null +++ b/framework/src/audit/lib/netlink.c @@ -0,0 +1,299 @@ +/* netlink.c -- + * Copyright 2004, 2005, 2009, 2013 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Rickard E. (Rik) Faith <faith@redhat.com> + */ + +#include "config.h" +#include <unistd.h> +#include <string.h> +#include <errno.h> +#include <fcntl.h> +#include <time.h> +#include <sys/poll.h> +#include "libaudit.h" +#include "private.h" + +#ifndef NETLINK_AUDIT +#define NETLINK_AUDIT 9 +#endif + +static int adjust_reply(struct audit_reply *rep, int len); +static int check_ack(int fd, int seq); + +/* + * This function opens a connection to the kernel's audit + * subsystem. You must be root for the call to succeed. On error, + * a negative value is returned. On success, the file descriptor is + * returned - which can be 0 or higher. + */ +int audit_open(void) +{ + int saved_errno; + int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT); + + if (fd < 0) { + saved_errno = errno; + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + audit_msg(LOG_ERR, + "Error - audit support not in kernel"); + else + audit_msg(LOG_ERR, + "Error opening audit netlink socket (%s)", + strerror(errno)); + errno = saved_errno; + return fd; + } + if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { + saved_errno = errno; + close(fd); + audit_msg(LOG_ERR, + "Error setting audit netlink socket CLOEXEC flag (%s)", + strerror(errno)); + errno = saved_errno; + return -1; + } + return fd; +} + + +void audit_close(int fd) +{ + if (fd >= 0) + close(fd); +} + + +/* + * This function returns -1 on error, 0 if error response received, + * and > 0 if packet OK. + */ +int audit_get_reply(int fd, struct audit_reply *rep, reply_t block, int peek) +{ + int len; + struct sockaddr_nl nladdr; + socklen_t nladdrlen = sizeof(nladdr); + + if (fd < 0) + return -EBADF; + + if (block == GET_REPLY_NONBLOCKING) + block = MSG_DONTWAIT; + +retry: + len = recvfrom(fd, &rep->msg, sizeof(rep->msg), block|peek, + (struct sockaddr*)&nladdr, &nladdrlen); + + if (len < 0) { + if (errno == EINTR) + goto retry; + if (errno != EAGAIN) { + int saved_errno = errno; + audit_msg(LOG_ERR, + "Error receiving audit netlink packet (%s)", + strerror(errno)); + errno = saved_errno; + } + return -errno; + } + if (nladdrlen != sizeof(nladdr)) { + audit_msg(LOG_ERR, + "Bad address size reading audit netlink socket"); + return -EPROTO; + } + if (nladdr.nl_pid) { + audit_msg(LOG_ERR, + "Spoofed packet received on audit netlink socket"); + return -EINVAL; + } + + len = adjust_reply(rep, len); + if (len == 0) + len = -errno; + return len; +} +hidden_def(audit_get_reply) + + +/* + * This function returns 0 on error and len on success. + */ +static int adjust_reply(struct audit_reply *rep, int len) +{ + rep->type = rep->msg.nlh.nlmsg_type; + rep->len = rep->msg.nlh.nlmsg_len; + rep->nlh = &rep->msg.nlh; + rep->status = NULL; + rep->ruledata = NULL; + rep->login = NULL; + rep->message = NULL; + rep->error = NULL; + rep->signal_info = NULL; + rep->conf = NULL; +#if HAVE_DECL_AUDIT_FEATURE_VERSION + rep->features = NULL; +#endif + if (!NLMSG_OK(rep->nlh, (unsigned int)len)) { + if (len == sizeof(rep->msg)) { + audit_msg(LOG_ERR, + "Netlink event from kernel is too big"); + errno = EFBIG; + } else { + audit_msg(LOG_ERR, + "Netlink message from kernel was not OK"); + errno = EBADE; + } + return 0; + } + + /* Next we'll set the data structure to point to msg.data. This is + * to avoid having to use casts later. */ + switch (rep->type) { + case NLMSG_ERROR: + rep->error = NLMSG_DATA(rep->nlh); + break; + case AUDIT_GET: + rep->status = NLMSG_DATA(rep->nlh); + break; +#if HAVE_DECL_AUDIT_FEATURE_VERSION + case AUDIT_GET_FEATURE: + rep->features = NLMSG_DATA(rep->nlh); + break; +#endif + case AUDIT_LIST_RULES: + rep->ruledata = NLMSG_DATA(rep->nlh); + break; + case AUDIT_USER: + case AUDIT_LOGIN: + case AUDIT_KERNEL: + case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: + case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2: + case AUDIT_FIRST_EVENT...AUDIT_INTEGRITY_LAST_MSG: + rep->message = NLMSG_DATA(rep->nlh); + break; + case AUDIT_SIGNAL_INFO: + rep->signal_info = NLMSG_DATA(rep->nlh); + break; + } + return len; +} + + +/* + * Return values: success: positive non-zero sequence number + * error: -errno + * short: 0 + */ +int audit_send(int fd, int type, const void *data, unsigned int size) +{ + static int sequence = 0; + struct audit_message req; + int retval; + struct sockaddr_nl addr; + + /* Due to user space library callbacks, there's a chance that + a -1 for the fd could be passed. Just check for and handle it. */ + if (fd < 0) { + errno = EBADF; + return -errno; + } + + if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) { + errno = EINVAL; + return -errno; + } + + if (++sequence < 0) + sequence = 1; + + memset(&req, 0, sizeof(req)); + req.nlh.nlmsg_len = NLMSG_SPACE(size); + req.nlh.nlmsg_type = type; + req.nlh.nlmsg_flags = NLM_F_REQUEST|NLM_F_ACK; + req.nlh.nlmsg_seq = sequence; + if (size && data) + memcpy(NLMSG_DATA(&req.nlh), data, size); + memset(&addr, 0, sizeof(addr)); + addr.nl_family = AF_NETLINK; + addr.nl_pid = 0; + addr.nl_groups = 0; + + do { + retval = sendto(fd, &req, req.nlh.nlmsg_len, 0, + (struct sockaddr*)&addr, sizeof(addr)); + } while (retval < 0 && errno == EINTR); + if (retval == (int)req.nlh.nlmsg_len) { + if ((retval = check_ack(fd, sequence)) == 0) + return sequence; + else + return retval; + } + if (retval < 0) + return -errno; + + return 0; +} +hidden_def(audit_send) + +/* + * This function will take a peek into the next packet and see if there's + * an error. If so, the error is returned and its non-zero. Otherwise a + * zero is returned indicating that we don't know of any problems. + */ +static int check_ack(int fd, int seq) +{ + int rc, retries = 80; + struct audit_reply rep; + struct pollfd pfd[1]; + +retry: + pfd[0].fd = fd; + pfd[0].events = POLLIN; + do { + rc = poll(pfd, 1, 500); /* .5 second */ + } while (rc < 0 && errno == EINTR); + + /* We don't look at rc from above as it doesn't matter. We are + * going to try to read nonblocking just in case packet shows up. */ + + /* NOTE: whatever is returned is treated as the errno */ + rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, MSG_PEEK); + if (rc == -EAGAIN && retries) { + retries--; + goto retry; + } else if (rc < 0) + return rc; + else if (rc == 0) + return -EINVAL; /* This can't happen anymore */ + else if (rc > 0 && rep.type == NLMSG_ERROR) { + int error = rep.error->error; + /* Eat the message */ + (void)audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0); + + /* NLMSG_ERROR can indicate success, only report nonzero */ + if (error) { + errno = -error; + return error; + } + } + return 0; +} + diff --git a/framework/src/audit/lib/optab.h b/framework/src/audit/lib/optab.h new file mode 100644 index 00000000..bddac253 --- /dev/null +++ b/framework/src/audit/lib/optab.h @@ -0,0 +1,31 @@ +/* optab.h -- + * Copyright 2005-07 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(AUDIT_EQUAL, "=" ) +_S(AUDIT_NOT_EQUAL, "!=" ) +_S(AUDIT_GREATER_THAN, ">" ) +_S(AUDIT_GREATER_THAN_OR_EQUAL, ">=" ) +_S(AUDIT_LESS_THAN, "<" ) +_S(AUDIT_LESS_THAN_OR_EQUAL, "<=" ) +_S(AUDIT_BIT_MASK, "&" ) +_S(AUDIT_BIT_TEST, "&=" ) + diff --git a/framework/src/audit/lib/ppc_table.h b/framework/src/audit/lib/ppc_table.h new file mode 100644 index 00000000..5a22f8bc --- /dev/null +++ b/framework/src/audit/lib/ppc_table.h @@ -0,0 +1,379 @@ +/* ppc_table.h -- + * Copyright 2005-09,2011-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Note from include/powerpc/unistd.h + */ + +_S(1, "exit") +_S(2, "fork") +_S(3, "read") +_S(4, "write") +_S(5, "open") +_S(6, "close") +_S(7, "waitpid") +_S(8, "creat") +_S(9, "link") +_S(10, "unlink") +_S(11, "execve") +_S(12, "chdir") +_S(13, "time") +_S(14, "mknod") +_S(15, "chmod") +_S(16, "lchown") +_S(17, "break") +_S(18, "oldstat") +_S(19, "lseek") +_S(20, "getpid") +_S(21, "mount") +_S(22, "umount") +_S(23, "setuid") +_S(24, "getuid") +_S(25, "stime") +_S(26, "ptrace") +_S(27, "alarm") +_S(28, "oldfstat") +_S(29, "pause") +_S(30, "utime") +_S(31, "stty") +_S(32, "gtty") +_S(33, "access") +_S(34, "nice") +_S(35, "ftime") +_S(36, "sync") +_S(37, "kill") +_S(38, "rename") +_S(39, "mkdir") +_S(40, "rmdir") +_S(41, "dup") +_S(42, "pipe") +_S(43, "times") +_S(44, "prof") +_S(45, "brk") +_S(46, "setgid") +_S(47, "getgid") +_S(48, "signal") +_S(49, "geteuid") +_S(50, "getegid") +_S(51, "acct") +_S(52, "umount2") +_S(53, "lock") +_S(54, "ioctl") +_S(55, "fcntl") +_S(56, "mpx") +_S(57, "setpgid") +_S(58, "ulimit") +_S(59, "oldolduname") +_S(60, "umask") +_S(61, "chroot") +_S(62, "ustat") +_S(63, "dup2") +_S(64, "getppid") +_S(65, "getpgrp") +_S(66, "setsid") +_S(67, "sigaction") +_S(68, "sgetmask") +_S(69, "ssetmask") +_S(70, "setreuid") +_S(71, "setregid") +_S(72, "sigsuspend") +_S(73, "sigpending") +_S(74, "sethostname") +_S(75, "setrlimit") +_S(76, "getrlimit") +_S(77, "getrusage") +_S(78, "gettimeofday") +_S(79, "settimeofday") +_S(80, "getgroups") +_S(81, "setgroups") +_S(82, "select") +_S(83, "symlink") +_S(84, "oldlstat") +_S(85, "readlink") +_S(86, "uselib") +_S(87, "swapon") +_S(88, "reboot") +_S(89, "readdir") +_S(90, "mmap") +_S(91, "munmap") +_S(92, "truncate") +_S(93, "ftruncate") +_S(94, "fchmod") +_S(95, "fchown") +_S(96, "getpriority") +_S(97, "setpriority") +_S(98, "profil") +_S(99, "statfs") +_S(100, "fstatfs") +_S(101, "ioperm") +_S(102, "socketcall") +_S(103, "syslog") +_S(104, "setitimer") +_S(105, "getitimer") +_S(106, "stat") +_S(107, "lstat") +_S(108, "fstat") +_S(109, "olduname") +_S(110, "iopl") +_S(111, "vhangup") +_S(112, "idle") +_S(113, "vm86") +_S(114, "wait4") +_S(115, "swapoff") +_S(116, "sysinfo") +_S(117, "ipc") +_S(118, "fsync") +_S(119, "sigreturn") +_S(120, "clone") +_S(121, "setdomainname") +_S(122, "uname") +_S(123, "modify_ldt") +_S(124, "adjtimex") +_S(125, "mprotect") +_S(126, "sigprocmask") +_S(127, "create_module") +_S(128, "init_module") +_S(129, "delete_module") +_S(130, "get_kernel_syms") +_S(131, "quotactl") +_S(132, "getpgid") +_S(133, "fchdir") +_S(134, "bdflush") +_S(135, "sysfs") +_S(136, "personality") +_S(137, "afs_syscall") +_S(138, "setfsuid") +_S(139, "setfsgid") +_S(140, "_llseek") +_S(141, "getdents") +_S(142, "_newselect") +_S(143, "flock") +_S(144, "msync") +_S(145, "readv") +_S(146, "writev") +_S(147, "getsid") +_S(148, "fdatasync") +_S(149, "_sysctl") +_S(150, "mlock") +_S(151, "munlock") +_S(152, "mlockall") +_S(153, "munlockall") +_S(154, "sched_setparam") +_S(155, "sched_getparam") +_S(156, "sched_setscheduler") +_S(157, "sched_getscheduler") +_S(158, "sched_yield") +_S(159, "sched_get_priority_max") +_S(160, "sched_get_priority_min") +_S(161, "sched_rr_get_interval") +_S(162, "nanosleep") +_S(163, "mremap") +_S(164, "setresuid") +_S(165, "getresuid") +_S(166, "query_module") +_S(167, "poll") +_S(168, "nfsservctl") +_S(169, "setresgid") +_S(170, "getresgid") +_S(171, "prctl") +_S(172, "rt_sigreturn") +_S(173, "rt_sigaction") +_S(174, "rt_sigprocmask") +_S(175, "rt_sigpending") +_S(176, "rt_sigtimedwait") +_S(177, "rt_sigqueueinfo") +_S(178, "rt_sigsuspend") +_S(179, "pread") +_S(180, "pwrite") +_S(181, "chown") +_S(182, "getcwd") +_S(183, "capget") +_S(184, "capset") +_S(185, "sigaltstack") +_S(186, "sendfile") +_S(187, "getpmsg") +_S(188, "putpmsg") +_S(189, "vfork") +_S(190, "ugetrlimit") +_S(191, "readahead") +_S(192, "mmap2") +_S(193, "truncate64") +_S(194, "ftruncate64") +_S(195, "stat64") +_S(196, "lstat64") +_S(197, "fstat64") +_S(198, "pciconfig_read") +_S(199, "pciconfig_write") +_S(200, "pciconfig_iobase") +_S(201, "multiplexer") +_S(202, "getdents64") +_S(203, "pivot_root") +_S(204, "fcntl64") +_S(205, "madvise") +_S(206, "mincore") +_S(207, "gettid") +_S(208, "tkill") +_S(209, "setxattr") +_S(210, "lsetxattr") +_S(211, "fsetxattr") +_S(212, "getxattr") +_S(213, "lgetxattr") +_S(214, "fgetxattr") +_S(215, "listxattr") +_S(216, "llistxattr") +_S(217, "flistxattr") +_S(218, "removexattr") +_S(219, "lremovexattr") +_S(220, "fremovexattr") +_S(221, "futex") +_S(222, "sched_setaffinity") +_S(223, "sched_getaffinity") +_S(225, "tuxcall") +_S(226, "sendfile64") +_S(227, "io_setup") +_S(228, "io_destroy") +_S(229, "io_getevents") +_S(230, "io_submit") +_S(231, "io_cancel") +_S(232, "set_tid_address") +_S(233, "fadvise64") +_S(234, "exit_group") +_S(235, "lookup_dcookie") +_S(236, "epoll_create") +_S(237, "epoll_ctl") +_S(238, "epoll_wait") +_S(239, "remap_file_pages") +_S(240, "timer_create") +_S(241, "timer_settime") +_S(242, "timer_gettime") +_S(243, "timer_getoverrun") +_S(244, "timer_delete") +_S(245, "clock_settime") +_S(246, "clock_gettime") +_S(247, "clock_getres") +_S(248, "clock_nanosleep") +_S(249, "swapcontext") +_S(250, "tgkill") +_S(251, "utimes") +_S(252, "statfs64") +_S(253, "fstatfs64") +_S(254, "fadvise64_64") +_S(255, "rtas") +_S(262, "mq_open") +_S(263, "mq_unlink") +_S(264, "mq_timedsend") +_S(265, "mq_timedreceive") +_S(266, "mq_notify") +_S(267, "mq_getsetattr") +_S(268, "kexec_load") +_S(269, "add_key") +_S(270, "request_key") +_S(271, "keyctl") +_S(272, "waitid") +_S(273, "ioprio_set") +_S(274, "ioprio_get") +_S(275, "inotify_init") +_S(276, "inotify_add_watch") +_S(277, "inotify_rm_watch") +_S(278, "spu_run") +_S(279, "spu_create") +_S(280, "pselect6") +_S(281, "ppoll") +_S(282, "unshare") +_S(283, "splice") +_S(284, "tee") +_S(285, "vmsplice") +_S(286, "openat") +_S(287, "mkdirat") +_S(288, "mknodat") +_S(289, "fchownat") +_S(290, "futimesat") +_S(291, "fstatat64") +_S(292, "unlinkat") +_S(293, "renameat") +_S(294, "linkat") +_S(295, "symlinkat") +_S(296, "readlinkat") +_S(297, "fchmodat") +_S(298, "faccessat") +_S(299, "get_robust_list") +_S(300, "set_robust_list") +_S(301, "move_pages") +_S(302, "getcpu") +_S(303, "epoll_pwait") +_S(304, "utimensat") +_S(305, "signalfd") +_S(306, "timerfd") +_S(307, "eventfd") +_S(308, "sync_file_range2") +_S(309, "fallocate") +_S(310, "subpage_prot") +_S(311, "timerfd_settime") +_S(312, "timerfd_gettime") +_S(313, "signalfd4") +_S(314, "eventfd2") +_S(315, "epoll_create1") +_S(316, "dup3") +_S(317, "pipe2") +_S(318, "inotify_init1") +_S(319, "perf_counter_open") +_S(320, "preadv") +_S(321, "pwritev") +_S(322, "rt_tgsigqueueinfo") +_S(323, "fanotify_init") +_S(324, "fanotify_mark") +_S(325, "prlimit64") +_S(326, "socket") +_S(327, "bind") +_S(328, "connect") +_S(329, "listen") +_S(330, "accept") +_S(331, "getsockname") +_S(332, "getpeername") +_S(333, "socketpair") +_S(334, "send") +_S(335, "sendto") +_S(336, "recv") +_S(337, "recvfrom") +_S(338, "shutdown") +_S(339, "setsockopt") +_S(340, "getsockopt") +_S(341, "sendmsg") +_S(342, "recvmsg") +_S(343, "recvmmsg") +_S(344, "accept4") +_S(345, "name_to_handle_at") +_S(346, "open_by_handle_at") +_S(347, "clock_adjtime") +_S(348, "syncfs") +_S(349, "sendmmsg") +_S(350, "setns") +_S(351, "process_vm_readv") +_S(352, "process_vm_writev") +_S(353, "finit_module") +_S(354, "kcmp") +_S(355, "sched_setattr") +_S(356, "sched_getattr") +_S(357, "renameat2") +_S(358, "seccomp") +_S(359, "getrandom") +_S(360, "memfd_create") +_S(361, "bpf") +_S(362, "execveat") +_S(363, "switch_endian") diff --git a/framework/src/audit/lib/private.h b/framework/src/audit/lib/private.h new file mode 100644 index 00000000..a0e3e35c --- /dev/null +++ b/framework/src/audit/lib/private.h @@ -0,0 +1,175 @@ +/* private.h -- + * Copyright 2005,2006,2009,2013-14 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ +#ifndef _PRIVATE_H_ +#define _PRIVATE_H_ + +#include "dso.h" + +#ifdef __cplusplus +extern "C" { +#endif + +typedef enum { REAL_ERR, HIDE_IT } hide_t; + +/* Internal syslog messaging */ +void audit_msg(int priority, const char *fmt, ...) +#ifdef __GNUC__ + __attribute__ ((format (printf, 2, 3))); +#else + ; +#endif + +/* This structure is for protocol reference only. All fields are + packed and in network order (LSB first). */ +struct auditd_remote_message_wrapper { + /* The magic number shall never have LF (0x0a) as one of its bytes. */ + uint32_t magic; + /* Bumped when the layout of this structure changes. */ + uint8_t header_version; + /* The minimum support needed to understand this message type. + * Normally zero. */ + uint8_t message_version; + /* Upper 8 bits are generic type, see below. */ + uint32_t type; + /* Number of bytes that follow this header Must be 0..MAX_AUDIT_MESSAGE_LENGTH. */ + uint16_t length; + /* Copied from message to its reply. */ + uint32_t sequence_id; + /* The message follows for LENGTH bytes. */ +}; + +#define AUDIT_RMW_HEADER_SIZE 16 +/* The magic number shall never have LF (0x0a) as one of its bytes. */ +#define AUDIT_RMW_MAGIC 0xff0000feUL + +#define AUDIT_RMW_HEADER_VERSION 0 + +/* If set, this is a reply. */ +#define AUDIT_RMW_TYPE_REPLYMASK 0x40000000 +/* If set, this reply indicates a fatal error of some sort. */ +#define AUDIT_RMW_TYPE_FATALMASK 0x20000000 +/* If set, this reply indicates success but with some warnings. */ +#define AUDIT_RMW_TYPE_WARNMASK 0x10000000 +/* This part of the message type is the details for the above. */ +#define AUDIT_RMW_TYPE_DETAILMASK 0x0fffffff + +/* Version 0 messages. */ +#define AUDIT_RMW_TYPE_MESSAGE 0x00000000 +#define AUDIT_RMW_TYPE_HEARTBEAT 0x00000001 +#define AUDIT_RMW_TYPE_ACK 0x40000000 +#define AUDIT_RMW_TYPE_ENDING 0x40000001 +#define AUDIT_RMW_TYPE_DISKLOW 0x50000001 +#define AUDIT_RMW_TYPE_DISKFULL 0x60000001 +#define AUDIT_RMW_TYPE_DISKERROR 0x60000002 + +/* These next four should not be called directly. */ +#define _AUDIT_RMW_PUTN32(header,i,v) \ + header[i] = v & 0xff; \ + header[i+1] = (v>>8) & 0xff; \ + header[i+2] = (v>>16) & 0xff; \ + header[i+3] = (v>>24) & 0xff; +#define _AUDIT_RMW_PUTN16(header,i,v) \ + header[i] = v & 0xff; \ + header[i+1] = (v>>8) & 0xff; +#define _AUDIT_RMW_GETN32(header,i) \ + (((uint32_t)(header[i] & 0xFF)) | \ + (((uint32_t)(header[i+1] & 0xFF))<<8) | \ + (((uint32_t)(header[i+2] & 0xFF ))<<16) | \ + (((uint32_t)(header[i+3] & 0xFF))<<24)) +#define _AUDIT_RMW_GETN16(header,i) \ + ((uint32_t)(header[i] & 0xFF) | ((uint32_t)(header[i+1] & 0xFF)<<8)) + +/* For these, HEADER must by of type "unsigned char *" or "unsigned + char []" */ + +#define AUDIT_RMW_PACK_HEADER(header,mver,type,len,seq) \ + _AUDIT_RMW_PUTN32 (header,0, AUDIT_RMW_MAGIC); \ + header[4] = AUDIT_RMW_HEADER_VERSION; \ + header[5] = mver; \ + _AUDIT_RMW_PUTN32 (header,6, type); \ + _AUDIT_RMW_PUTN16 (header,10, len); \ + _AUDIT_RMW_PUTN32 (header,12, seq); + +#define AUDIT_RMW_IS_MAGIC(header,length) \ + (length >= 4 && _AUDIT_RMW_GETN32 (header,0) == AUDIT_RMW_MAGIC) + +#define AUDIT_RMW_UNPACK_HEADER(header,hver,mver,type,len,seq) \ + hver = header[4]; \ + mver = header[5]; \ + type = _AUDIT_RMW_GETN32 (header,6); \ + len = _AUDIT_RMW_GETN16 (header,10); \ + seq = _AUDIT_RMW_GETN32 (header,12); + +/* General */ +extern int audit_send(int fd, int type, const void *data, unsigned int size); + +// This is the main messaging function used internally +// Don't hide it, it used to be a part of the public API! +extern int audit_send_user_message(int fd, int type, hide_t hide_err, + const char *message); + +// libaudit.c +extern int _audit_permadded; +extern int _audit_archadded; +extern int _audit_syscalladded; +extern unsigned int _audit_elf; + +hidden_proto(audit_send_user_message); +hidden_proto(audit_add_watch_dir); +hidden_proto(audit_detect_machine); +hidden_proto(audit_request_status); +hidden_proto(audit_rule_syscall_data); +hidden_proto(audit_rule_syscallbyname_data); +hidden_proto(audit_set_feature); +hidden_proto(audit_request_features); + +// lookup_table.c +hidden_proto(audit_elf_to_machine); +hidden_proto(audit_machine_to_elf); +hidden_proto(audit_msg_type_to_name); +hidden_proto(audit_name_to_errno); +hidden_proto(audit_name_to_field); +hidden_proto(audit_name_to_machine); +hidden_proto(audit_name_to_msg_type); +hidden_proto(audit_name_to_syscall); +hidden_proto(audit_operator_to_symbol); +hidden_proto(audit_name_to_ftype); + +// netlink.c +hidden_proto(audit_get_reply); +hidden_proto(audit_send) + +// message.c +hidden_proto(audit_msg) + +// strsplit.c +char *audit_strsplit_r(char *s, char **savedpp); +char *audit_strsplit(char *s); +hidden_proto(audit_strsplit_r) +hidden_proto(audit_strsplit) + +#ifdef __cplusplus +} +#endif + +#endif + diff --git a/framework/src/audit/lib/s390_table.h b/framework/src/audit/lib/s390_table.h new file mode 100644 index 00000000..d3cec4fb --- /dev/null +++ b/framework/src/audit/lib/s390_table.h @@ -0,0 +1,354 @@ +/* s390_table.h -- + * Copyright 2005-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(1, "exit") +_S(2, "fork") +_S(3, "read") +_S(4, "write") +_S(5, "open") +_S(6, "close") +_S(8, "creat") +_S(9, "link") +_S(10, "unlink") +_S(11, "execve") +_S(12, "chdir") +_S(13, "time") +_S(14, "mknod") +_S(15, "chmod") +_S(16, "lchown") +_S(19, "lseek") +_S(20, "getpid") +_S(21, "mount") +_S(22, "umount") +_S(23, "setuid") +_S(24, "getuid") +_S(25, "stime") +_S(26, "ptrace") +_S(27, "alarm") +_S(29, "pause") +_S(30, "utime") +_S(33, "access") +_S(34, "nice") +_S(36, "sync") +_S(37, "kill") +_S(38, "rename") +_S(39, "mkdir") +_S(40, "rmdir") +_S(41, "dup") +_S(42, "pipe") +_S(43, "times") +_S(45, "brk") +_S(46, "setgid") +_S(47, "getgid") +_S(48, "signal") +_S(49, "geteuid") +_S(50, "getegid") +_S(51, "acct") +_S(52, "umount2") +_S(54, "ioctl") +_S(55, "fcntl") +_S(57, "setpgid") +_S(60, "umask") +_S(61, "chroot") +_S(62, "ustat") +_S(63, "dup2") +_S(64, "getppid") +_S(65, "getpgrp") +_S(66, "setsid") +_S(67, "sigaction") +_S(70, "setreuid") +_S(71, "setregid") +_S(72, "sigsuspend") +_S(73, "sigpending") +_S(74, "sethostname") +_S(75, "setrlimit") +_S(76, "getrlimit") +_S(77, "getrusage") +_S(78, "gettimeofday") +_S(79, "settimeofday") +_S(80, "getgroups") +_S(81, "setgroups") +_S(83, "symlink") +_S(85, "readlink") +_S(86, "uselib") +_S(87, "swapon") +_S(88, "reboot") +_S(89, "readdir") +_S(90, "mmap") +_S(91, "munmap") +_S(92, "truncate") +_S(93, "ftruncate") +_S(94, "fchmod") +_S(95, "fchown") +_S(96, "getpriority") +_S(97, "setpriority") +_S(99, "statfs") +_S(100, "fstatfs") +_S(101, "ioperm") +_S(102, "socketcall") +_S(103, "syslog") +_S(104, "setitimer") +_S(105, "getitimer") +_S(106, "stat") +_S(107, "lstat") +_S(108, "fstat") +_S(111, "vhangup") +_S(112, "idle") +_S(114, "wait4") +_S(115, "swapoff") +_S(116, "sysinfo") +_S(117, "ipc") +_S(118, "fsync") +_S(119, "sigreturn") +_S(120, "clone") +_S(121, "setdomainname") +_S(122, "uname") +_S(124, "adjtimex") +_S(125, "mprotect") +_S(126, "sigprocmask") +_S(127, "create_module") +_S(128, "init_module") +_S(129, "delete_module") +_S(130, "get_kernel_syms") +_S(131, "quotactl") +_S(132, "getpgid") +_S(133, "fchdir") +_S(134, "bdflush") +_S(135, "sysfs") +_S(136, "personality") +_S(137, "afs_syscall") +_S(138, "setfsuid") +_S(139, "setfsgid") +_S(140, "_llseek") +_S(141, "getdents") +_S(142, "_newselect") +_S(143, "flock") +_S(144, "msync") +_S(145, "readv") +_S(146, "writev") +_S(147, "getsid") +_S(148, "fdatasync") +_S(149, "_sysctl") +_S(150, "mlock") +_S(151, "munlock") +_S(152, "mlockall") +_S(153, "munlockall") +_S(154, "sched_setparam") +_S(155, "sched_getparam") +_S(156, "sched_setscheduler") +_S(157, "sched_getscheduler") +_S(158, "sched_yield") +_S(159, "sched_get_priority_max") +_S(160, "sched_get_priority_min") +_S(161, "sched_rr_get_interval") +_S(162, "nanosleep") +_S(163, "mremap") +_S(164, "setresuid") +_S(165, "getresuid") +_S(167, "query_module") +_S(168, "poll") +_S(169, "nfsservctl") +_S(170, "setresgid") +_S(171, "getresgid") +_S(172, "prctl") +_S(173, "rt_sigreturn") +_S(174, "rt_sigaction") +_S(175, "rt_sigprocmask") +_S(176, "rt_sigpending") +_S(177, "rt_sigtimedwait") +_S(178, "rt_sigqueueinfo") +_S(179, "rt_sigsuspend") +_S(180, "pread") +_S(181, "pwrite") +_S(182, "chown") +_S(183, "getcwd") +_S(184, "capget") +_S(185, "capset") +_S(186, "sigaltstack") +_S(187, "sendfile") +_S(188, "getpmsg") +_S(189, "putpmsg") +_S(190, "vfork") +_S(191, "ugetrlimit") +_S(192, "mmap2") +_S(193, "truncate64") +_S(194, "ftruncate64") +_S(195, "stat64") +_S(196, "lstat64") +_S(197, "fstat64") +_S(198, "lchown32") +_S(199, "getuid32") +_S(200, "getgid32") +_S(201, "geteuid32") +_S(202, "getegid32") +_S(203, "setreuid32") +_S(204, "setregid32") +_S(205, "getgroups32") +_S(206, "setgroups32") +_S(207, "fchown32") +_S(208, "setresuid32") +_S(209, "getresuid32") +_S(210, "setresgid32") +_S(211, "getresgid32") +_S(212, "chown32") +_S(213, "setuid32") +_S(214, "setgid32") +_S(215, "setfsuid32") +_S(216, "setfsgid32") +_S(217, "pivot_root") +_S(218, "mincore") +_S(219, "madvise") +_S(220, "getdents64") +_S(221, "fcntl64") +_S(222, "readahead") +_S(223, "sendfile64") +_S(224, "setxattr") +_S(225, "lsetxattr") +_S(226, "fsetxattr") +_S(227, "getxattr") +_S(228, "lgetxattr") +_S(229, "fgetxattr") +_S(230, "listxattr") +_S(231, "llistxattr") +_S(232, "flistxattr") +_S(233, "removexattr") +_S(234, "lremovexattr") +_S(235, "fremovexattr") +_S(236, "gettid") +_S(237, "tkill") +_S(238, "futex") +_S(239, "sched_setaffinity") +_S(240, "sched_getaffinity") +_S(241, "tgkill") +//_S(242, "") +_S(243, "io_setup") +_S(244, "io_destroy") +_S(245, "io_getevents") +_S(246, "io_submit") +_S(247, "io_cancel") +_S(248, "exit_group") +_S(249, "epoll_create") +_S(250, "epoll_ctl") +_S(251, "epoll_wait") +_S(252, "set_tid_address") +_S(253, "fadvise64") +_S(254, "timer_create") +_S(255, "timer_settime") +_S(256, "timer_gettime") +_S(257, "timer_getoverrun") +_S(258, "timer_delete") +_S(259, "clock_settime") +_S(260, "clock_gettime") +_S(261, "clock_getres") +_S(262, "clock_nanosleep") +//_S(263, "") +_S(264, "fadvise64_64") +_S(265, "statfs64") +_S(266, "fstatfs64") +_S(267, "remap_file_pages") +//_S(268, "") +//_S(269, "") +//_S(270, "") +_S(271, "mq_open") +_S(272, "mq_unlink") +_S(273, "mq_timedsend") +_S(274, "mq_timedreceive") +_S(275, "mq_notify") +_S(276, "mq_getsetattr") +_S(277, "kexec_load") +_S(278, "add_key") +_S(279, "request_key") +_S(280, "keyctl") +_S(281, "waitid") +_S(282, "ioprio_set") +_S(283, "ioprio_get") +_S(284, "inotify_init") +_S(285, "inotify_add_watch") +_S(286, "inotify_rm_watch") +//_S(287, "") +_S(288, "openat") +_S(289, "mkdirat") +_S(290, "mknodat") +_S(291, "fchownat") +_S(292, "futimesat") +_S(293, "fstatat64") +_S(294, "unlinkat") +_S(295, "renameat") +_S(296, "linkat") +_S(297, "symlinkat") +_S(298, "readlinkat") +_S(299, "fchmodat") +_S(300, "faccessat") +_S(301, "pselect6") +_S(302, "ppoll") +_S(303, "unshare") +_S(304, "set_robust_list") +_S(305, "get_robust_list") +_S(306, "splice") +_S(307, "sync_file_range") +_S(308, "tee") +_S(309, "vmsplice") +//_S(310, "") +_S(311, "getcpu") +_S(312, "epoll_pwait") +_S(313, "utimes") +_S(314, "fallocate") +_S(315, "utimensat") +_S(316, "signalfd") +_S(317, "timerfd") +_S(318, "eventfd") +_S(319, "timerfd_create") +_S(320, "timerfd_settime") +_S(321, "timerfd_gettime") +_S(322, "signalfd4") +_S(323, "eventfd2") +_S(324, "inotify_init1") +_S(325, "pipe2") +_S(326, "dup3") +_S(327, "epoll_create1") +_S(328, "preadv") +_S(329, "pwritev") +_S(330, "rt_tgsigqueueinfo") +_S(331, "perf_event_open") +_S(332, "fanotify_init") +_S(333, "fanotify_mark") +_S(334, "prlimit64") +_S(335, "name_to_handle_at") +_S(336, "open_by_handle_at") +_S(337, "clock_adjtime") +_S(338, "syncfs") +_S(339, "setns") +_S(340, "process_vm_readv") +_S(341, "process_vm_writev") +_S(342, "s390_runtime_instr") +_S(343, "kcmp") +_S(344, "finit_module") +_S(345, "sched_setattr") +_S(346, "sched_getattr") +_S(347, "renameat2") +_S(348, "seccomp") +_S(349, "getrandom") +_S(350, "memfd_create") +_S(351, "bpf") +_S(352, "s390_pci_mmio_write") +_S(353, "s390_pci_mmio_read") +_S(354, "execveat") diff --git a/framework/src/audit/lib/s390x_table.h b/framework/src/audit/lib/s390x_table.h new file mode 100644 index 00000000..73ba0ec0 --- /dev/null +++ b/framework/src/audit/lib/s390x_table.h @@ -0,0 +1,319 @@ +/* s390x_table.h -- + * Copyright 2005-06,2008-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(1, "exit") +_S(2, "fork") +_S(3, "read") +_S(4, "write") +_S(5, "open") +_S(6, "close") +_S(8, "creat") +_S(9, "link") +_S(10, "unlink") +_S(11, "execve") +_S(12, "chdir") +_S(14, "mknod") +_S(15, "chmod") +_S(19, "lseek") +_S(20, "getpid") +_S(21, "mount") +_S(22, "umount") +_S(26, "ptrace") +_S(27, "alarm") +_S(29, "pause") +_S(30, "utime") +_S(33, "access") +_S(34, "nice") +_S(36, "sync") +_S(37, "kill") +_S(38, "rename") +_S(39, "mkdir") +_S(40, "rmdir") +_S(41, "dup") +_S(42, "pipe") +_S(43, "times") +_S(45, "brk") +_S(48, "signal") +_S(51, "acct") +_S(52, "umount2") +_S(54, "ioctl") +_S(55, "fcntl") +_S(57, "setpgid") +_S(60, "umask") +_S(61, "chroot") +_S(62, "ustat") +_S(63, "dup2") +_S(64, "getppid") +_S(65, "getpgrp") +_S(66, "setsid") +_S(67, "sigaction") +_S(72, "sigsuspend") +_S(73, "sigpending") +_S(74, "sethostname") +_S(75, "setrlimit") +_S(77, "getrusage") +_S(78, "gettimeofday") +_S(79, "settimeofday") +_S(83, "symlink") +_S(85, "readlink") +_S(86, "uselib") +_S(87, "swapon") +_S(88, "reboot") +_S(89, "readdir") +_S(90, "mmap") +_S(91, "munmap") +_S(92, "truncate") +_S(93, "ftruncate") +_S(94, "fchmod") +_S(96, "getpriority") +_S(97, "setpriority") +_S(99, "statfs") +_S(100, "fstatfs") +_S(102, "socketcall") +_S(103, "syslog") +_S(104, "setitimer") +_S(105, "getitimer") +_S(106, "stat") +_S(107, "lstat") +_S(108, "fstat") +_S(111, "vhangup") +_S(112, "idle") +_S(114, "wait4") +_S(115, "swapoff") +_S(116, "sysinfo") +_S(117, "ipc") +_S(118, "fsync") +_S(119, "sigreturn") +_S(120, "clone") +_S(121, "setdomainname") +_S(122, "uname") +_S(124, "adjtimex") +_S(125, "mprotect") +_S(126, "sigprocmask") +_S(127, "create_module") +_S(128, "init_module") +_S(129, "delete_module") +_S(130, "get_kernel_syms") +_S(131, "quotactl") +_S(132, "getpgid") +_S(133, "fchdir") +_S(134, "bdflush") +_S(135, "sysfs") +_S(136, "personality") +_S(137, "afs_syscall") +_S(141, "getdents") +_S(142, "select") +_S(143, "flock") +_S(144, "msync") +_S(145, "readv") +_S(146, "writev") +_S(147, "getsid") +_S(148, "fdatasync") +_S(149, "_sysctl") +_S(150, "mlock") +_S(151, "munlock") +_S(152, "mlockall") +_S(153, "munlockall") +_S(154, "sched_setparam") +_S(155, "sched_getparam") +_S(156, "sched_setscheduler") +_S(157, "sched_getscheduler") +_S(158, "sched_yield") +_S(159, "sched_get_priority_max") +_S(160, "sched_get_priority_min") +_S(161, "sched_rr_get_interval") +_S(162, "nanosleep") +_S(163, "mremap") +_S(167, "query_module") +_S(168, "poll") +_S(169, "nfsservctl") +_S(172, "prctl") +_S(173, "rt_sigreturn") +_S(174, "rt_sigaction") +_S(175, "rt_sigprocmask") +_S(176, "rt_sigpending") +_S(177, "rt_sigtimedwait") +_S(178, "rt_sigqueueinfo") +_S(179, "rt_sigsuspend") +_S(180, "pread") +_S(181, "pwrite") +_S(183, "getcwd") +_S(184, "capget") +_S(185, "capset") +_S(186, "sigaltstack") +_S(187, "sendfile") +_S(188, "getpmsg") +_S(189, "putpmsg") +_S(190, "vfork") +_S(191, "getrlimit") +_S(198, "lchown") +_S(199, "getuid") +_S(200, "getgid") +_S(201, "geteuid") +_S(202, "getegid") +_S(203, "setreuid") +_S(204, "setregid") +_S(205, "getgroups") +_S(206, "setgroups") +_S(207, "fchown") +_S(208, "setresuid") +_S(209, "getresuid") +_S(210, "setresgid") +_S(211, "getresgid") +_S(212, "chown") +_S(213, "setuid") +_S(214, "setgid") +_S(215, "setfsuid") +_S(216, "setfsgid") +_S(217, "pivot_root") +_S(218, "mincore") +_S(219, "madvise") +_S(222, "readahead") +_S(224, "setxattr") +_S(225, "lsetxattr") +_S(226, "fsetxattr") +_S(227, "getxattr") +_S(228, "lgetxattr") +_S(229, "fgetxattr") +_S(230, "listxattr") +_S(231, "llistxattr") +_S(232, "flistxattr") +_S(233, "removexattr") +_S(234, "lremovexattr") +_S(235, "fremovexattr") +_S(236, "gettid") +_S(237, "tkill") +_S(238, "futex") +_S(239, "sched_setaffinity") +_S(240, "sched_getaffinity") +_S(241, "tgkill") +_S(243, "io_setup") +_S(244, "io_destroy") +_S(245, "io_getevents") +_S(246, "io_submit") +_S(247, "io_cancel") +_S(248, "exit_group") +_S(249, "epoll_create") +_S(250, "epoll_ctl") +_S(251, "epoll_wait") +_S(252, "set_tid_address") +_S(253, "fadvise64") +_S(254, "timer_create") +_S(255, "timer_settime") +_S(256, "timer_gettime") +_S(257, "timer_getoverrun") +_S(258, "timer_delete") +_S(259, "clock_settime") +_S(260, "clock_gettime") +_S(261, "clock_getres") +_S(262, "clock_nanosleep") +_S(265, "statfs64") +_S(266, "fstatfs64") +_S(267, "remap_file_pages") +//_S(268, "") +//_S(269, "") +//_S(270, "") +_S(271, "mq_open") +_S(272, "mq_unlink") +_S(273, "mq_timedsend") +_S(274, "mq_timedreceive") +_S(275, "mq_notify") +_S(276, "mq_getsetattr") +_S(277, "kexec_load") +_S(278, "add_key") +_S(279, "request_key") +_S(280, "keyctl") +_S(281, "waitid") +_S(282, "ioprio_set") +_S(283, "ioprio_get") +_S(284, "inotify_init") +_S(285, "inotify_add_watch") +_S(286, "inotify_rm_watch") +//_S(287, "") +_S(288, "openat") +_S(289, "mkdirat") +_S(290, "mknodat") +_S(291, "fchownat") +_S(292, "futimesat") +_S(293, "newfstatat") +_S(294, "unlinkat") +_S(295, "renameat") +_S(296, "linkat") +_S(297, "symlinkat") +_S(298, "readlinkat") +_S(299, "fchmodat") +_S(300, "faccessat") +_S(301, "pselect6") +_S(302, "ppoll") +_S(303, "unshare") +_S(304, "set_robust_list") +_S(305, "get_robust_list") +_S(306, "splice") +_S(307, "sync_file_range") +_S(308, "tee") +_S(309, "vmsplice") +//_S(310, "") +_S(311, "getcpu") +_S(312, "epoll_pwait") +_S(313, "utimes") +_S(314, "fallocate") +_S(315, "utimensat") +_S(316, "signalfd") +_S(317, "timerfd") +_S(318, "eventfd") +_S(319, "timerfd_create") +_S(320, "timerfd_settime") +_S(321, "timerfd_gettime") +_S(322, "signalfd4") +_S(323, "eventfd2") +_S(324, "inotify_init1") +_S(325, "pipe2") +_S(326, "dup3") +_S(327, "epoll_create1") +_S(328, "preadv") +_S(329, "pwritev") +_S(330, "rt_tgsigqueueinfo") +_S(331, "perf_event_open") +_S(332, "fanotify_init") +_S(333, "fanotify_mark") +_S(334, "prlimit64") +_S(335, "name_to_handle_at") +_S(336, "open_by_handle_at") +_S(337, "clock_adjtime") +_S(338, "syncfs") +_S(339, "setns") +_S(340, "process_vm_readv") +_S(341, "process_vm_writev") +_S(342, "s390_runtime_instr") +_S(343, "kcmp") +_S(344, "finit_module") +_S(345, "sched_setattr") +_S(346, "sched_getattr") +_S(347, "renameat2") +_S(348, "seccomp") +_S(349, "getrandom") +_S(350, "memfd_create") +_S(351, "bpf") +_S(352, "s390_pci_mmio_write") +_S(353, "s390_pci_mmio_read") +_S(354, "execveat") + diff --git a/framework/src/audit/lib/strsplit.c b/framework/src/audit/lib/strsplit.c new file mode 100644 index 00000000..8337e6da --- /dev/null +++ b/framework/src/audit/lib/strsplit.c @@ -0,0 +1,91 @@ +/* strsplit.c -- + * Copyright 2014 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * + */ + +#include <string.h> +#include "libaudit.h" +#include "private.h" + +char *audit_strsplit_r(char *s, char **savedpp) +{ + char *ptr; + + if (s) + *savedpp = s; + else { + if (*savedpp == NULL) + return NULL; + *savedpp += 1; + } +retry: + ptr = strchr(*savedpp, ' '); + if (ptr) { + if (ptr == *savedpp) { + *savedpp += 1; + goto retry; + } + s = *savedpp; + *ptr = 0; + *savedpp = ptr; + return s; + } else { + s = *savedpp; + *savedpp = NULL; + if (*s == 0) + return NULL; + return s; + } +} +hidden_def(audit_strsplit_r) + +char *audit_strsplit(char *s) +{ + static char *str = NULL; + char *ptr; + + if (s) + str = s; + else { + if (str == NULL) + return NULL; + str++; + } +retry: + ptr = strchr(str, ' '); + if (ptr) { + if (ptr == str) { + str++; + goto retry; + } + s = str; + *ptr = 0; + str = ptr; + return s; + } else { + s = str; + str = NULL; + if (*s == 0) + return NULL; + return s; + } +} +hidden_def(audit_strsplit) diff --git a/framework/src/audit/lib/syscall-update.txt b/framework/src/audit/lib/syscall-update.txt new file mode 100644 index 00000000..89d63717 --- /dev/null +++ b/framework/src/audit/lib/syscall-update.txt @@ -0,0 +1,20 @@ +The place where syscall information is gathered is: + +arch/alpha/include/uapi/asm/unistd.h +arch/arm/include/uapi/asm/unistd.h +arch/ia64/include/uapi/asm/unistd.h +arch/powerpc/include/uapi/asm/unistd.h +arch/s390/include/uapi/asm/unistd.h +arch/x86/syscalls/syscall_32.tbl +arch/x86/syscalls/syscall_64.tbl +include/uapi/asm-generic/unistd.h (aarch64) + +For src/ausearch-lookup.c: +Inspect include/linux/net.h for socketcall updates +Inspect include/linux/ipc.h for ipccall updates + +For adding new arches, the following might be useful to get a first pass file: + +cat unistd.h | grep '^#define __NR_' | tr -d ')' | tr 'NR+' ' ' | awk '{ printf "_S(%s, \"%s\")\n", $6, $3 }; ' + +it will still need hand editing diff --git a/framework/src/audit/lib/test/Makefile.am b/framework/src/audit/lib/test/Makefile.am new file mode 100644 index 00000000..706fd051 --- /dev/null +++ b/framework/src/audit/lib/test/Makefile.am @@ -0,0 +1,25 @@ +# Copyright 2008 Red Hat Inc., Durham, North Carolina. +# All Rights Reserved. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Authors: +# Miloslav Trmač <mitr@redhat.com> +# + +check_PROGRAMS = lookup_test +TESTS = $(check_PROGRAMS) + +lookup_test_LDADD = ${top_builddir}/lib/libaudit.la diff --git a/framework/src/audit/lib/test/lookup_test.c b/framework/src/audit/lib/test/lookup_test.c new file mode 100644 index 00000000..5cd00429 --- /dev/null +++ b/framework/src/audit/lib/test/lookup_test.c @@ -0,0 +1,430 @@ +/* lookup_test.c -- A test of table lookups. + * Copyright 2008 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Miloslav Trmač <mitr@redhat.com> + */ + +#include "config.h" +#include <assert.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/stat.h> + +#include "../libaudit.h" + +/* Number of lookups of random strings */ +#define RAND_ITERATIONS 1000 + +/* Maximum size of randomly generated strings, including the terminating NUL. */ +#define S_LEN 8 + +struct entry { + int val; + const char *s; +}; +#define _S(V, S) { (V), (S) }, + +/* Generate a random string into DEST[S_LEN]. */ +static void +gen_id(char *dest) +{ + size_t i, len; + + assert(S_LEN >= 2); + len = 1 + rand() % (S_LEN - 1); + assert('A' == 0x41 && 'a' == 0x61); /* ASCII */ + for (i = 0; i < len; i++) { + /* Don't start with a digit, audit_name_to_msg_type() interprets + those strings specially. */ + do { + dest[i] = 0x21 + rand() % (0x7F - 0x21); + } while (i == 0 && dest[i] >= '0' && dest[i] <= '9'); + } + dest[i] = '\0'; +} + +#define TEST_I2S(EXCL) \ + do { \ + size_t i; \ + \ + for (i = 0; i < sizeof(t) / sizeof(*t); i++) { \ + const char *s; \ + \ + if (EXCL) \ + continue; \ + s = I2S(t[i].val); \ + if (s == NULL) { \ + fprintf(stderr, \ + "%d -> `%s' not found\n", \ + t[i].val, t[i].s); \ + abort(); \ + } \ + if (strcmp(t[i].s, s) != 0) { \ + fprintf(stderr, \ + "%d -> `%s' mismatch `%s'\n", \ + t[i].val, t[i].s, s); \ + abort(); \ + } \ + } \ + for (i = 0; i < RAND_ITERATIONS; i++) { \ + int val; \ + size_t j; \ + val = rand(); \ + for (j = 0; j < sizeof(t) / sizeof(*t); j++) { \ + if (t[j].val == val) \ + goto test_i2s_found; \ + } \ + assert(I2S(val) == NULL); \ + test_i2s_found: \ + ; \ + } \ + } while (0) + +#define TEST_S2I(ERR_VALUE) \ + do { \ + size_t i; \ + char buf[S_LEN]; \ + \ + for (i = 0; i < sizeof(t) / sizeof(*t); i++) \ + assert(S2I(t[i].s) == t[i].val); \ + for (i = 0; i < RAND_ITERATIONS; i++) { \ + /* Blindly assuming this will not generate a \ + meaningful identifier. */ \ + gen_id(buf); \ + if (S2I(buf) != (ERR_VALUE)) { \ + fprintf(stderr, \ + "Unexpected match `%s'\n", \ + buf); \ + abort(); \ + } \ + } \ + } while (0) + +#ifdef WITH_ALPHA +static void +test_alpha_table(void) +{ + static const struct entry t[] = { +#include "../alpha_table.h" + }; + + printf("Testing alpha_table...\n"); +#define I2S(I) audit_syscall_to_name((I), MACH_ALPHA) +#define S2I(S) audit_name_to_syscall((S), MACH_ALPHA) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} +#endif + +#ifdef WITH_ARM +static void +test_arm_table(void) +{ + static const struct entry t[] = { +#include "../arm_table.h" + }; + + printf("Testing arm_table...\n"); +#define I2S(I) audit_syscall_to_name((I), MACH_ARM) +#define S2I(S) audit_name_to_syscall((S), MACH_ARM) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} +#endif + +#ifdef WITH_AARCH64 +static void +test_aarch64_table(void) +{ + static const struct entry t[] = { +#include "../aarch64_table.h" + }; + + printf("Testing aarch64_table...\n"); +#define I2S(I) audit_syscall_to_name((I), MACH_AARCH64) +#define S2I(S) audit_name_to_syscall((S), MACH_AARCH64) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} +#endif + +static void +test_i386_table(void) +{ + static const struct entry t[] = { +#include "../i386_table.h" + }; + + printf("Testing i386_table...\n"); +#define I2S(I) audit_syscall_to_name((I), MACH_X86) +#define S2I(S) audit_name_to_syscall((S), MACH_X86) + TEST_I2S(strcmp(t[i].s, "madvise1") == 0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_ia64_table(void) +{ + static const struct entry t[] = { +#include "../ia64_table.h" + }; + + printf("Testing ia64_table...\n"); +#define I2S(I) audit_syscall_to_name((I), MACH_IA64) +#define S2I(S) audit_name_to_syscall((S), MACH_IA64) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_ppc_table(void) +{ + static const struct entry t[] = { +#include "../ppc_table.h" + }; + + printf("Testing ppc_table...\n"); +#define I2S(I) audit_syscall_to_name((I), MACH_PPC) +#define S2I(S) audit_name_to_syscall((S), MACH_PPC) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_s390_table(void) +{ + static const struct entry t[] = { +#include "../s390_table.h" + }; + + printf("Testing s390_table...\n"); +#define I2S(I) audit_syscall_to_name((I), MACH_S390) +#define S2I(S) audit_name_to_syscall((S), MACH_S390) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_s390x_table(void) +{ + static const struct entry t[] = { +#include "../s390x_table.h" + }; + + printf("Testing s390x_table...\n"); +#define I2S(I) audit_syscall_to_name((I), MACH_S390X) +#define S2I(S) audit_name_to_syscall((S), MACH_S390X) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_x86_64_table(void) +{ + static const struct entry t[] = { +#include "../x86_64_table.h" + }; + + printf("Testing x86_64_table...\n"); +#define I2S(I) audit_syscall_to_name((I), MACH_86_64) +#define S2I(S) audit_name_to_syscall((S), MACH_86_64) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_actiontab(void) +{ + static const struct entry t[] = { +#include "../actiontab.h" + }; + + printf("Testing actiontab...\n"); +#define I2S(I) audit_action_to_name(I) +#define S2I(S) audit_name_to_action(S) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_errtab(void) +{ + static const struct entry t[] = { +#include "../errtab.h" + }; + + printf("Testing errtab...\n"); +#define I2S(I) audit_errno_to_name(I) +#define S2I(S) audit_name_to_errno(S) + TEST_I2S(strcmp(t[i].s, "EWOULDBLOCK") == 0 + || strcmp(t[i].s, "EDEADLOCK") == 0); + TEST_S2I(0); +#undef I2S +#undef S2I +} + +static void +test_fieldtab(void) +{ + static const struct entry t[] = { +#include "../fieldtab.h" + }; + + printf("Testing fieldtab...\n"); +#define I2S(I) audit_field_to_name(I) +#define S2I(S) audit_name_to_field(S) + TEST_I2S(strcmp(t[i].s, "loginuid") == 0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_flagtab(void) +{ + static const struct entry t[] = { +#include "../flagtab.h" + }; + + printf("Testing flagtab...\n"); +#define I2S(I) audit_flag_to_name(I) +#define S2I(S) audit_name_to_flag(S) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_ftypetab(void) +{ + static const struct entry t[] = { +#include "../ftypetab.h" + }; + + printf("Testing ftypetab...\n"); +#define I2S(I) audit_ftype_to_name(I) +#define S2I(S) audit_name_to_ftype(S) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_machinetab(void) +{ + static const struct entry t[] = { +#include "../machinetab.h" + }; + + printf("Testing machinetab...\n"); +#define I2S(I) audit_machine_to_name(I) +#define S2I(S) audit_name_to_machine(S) + TEST_I2S((t[i].s[0] == 'i' && t[i].s[1] >= '4' && t[i].s[1] <= '6' + && strcmp(t[i].s + 2, "86") == 0) || + (strncmp(t[i].s, "arm", 3) == 0)); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_msg_typetab(void) +{ + static const struct entry t[] = { +#include "../msg_typetab.h" + }; + + printf("Testing msg_typetab...\n"); +#define I2S(I) audit_msg_type_to_name(I) +#define S2I(S) audit_name_to_msg_type(S) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} + +static void +test_optab(void) +{ + static const struct entry t[] = { +#include "../optab.h" + }; + + printf("Testing optab...\n"); +#define I2S(I) audit_operator_to_symbol(I) + TEST_I2S(0); +#undef I2S +} + +int +main(void) +{ + // This is only for preventing collisions in s2i tests. + // If collisions are found in future, change the number. + srand(3); +#ifdef WITH_ALPHA + test_alpha_table(); +#endif +#ifdef WITH_ARM + test_arm_table(); +#endif +#ifdef WITH_AARCH64 + test_aarch64_table(); +#endif + test_i386_table(); + test_ia64_table(); + test_ppc_table(); + test_s390_table(); + test_s390x_table(); + test_x86_64_table(); + test_actiontab(); + test_errtab(); + test_fieldtab(); + test_flagtab(); + test_ftypetab(); + test_machinetab(); + test_msg_typetab(); + test_optab(); + return EXIT_SUCCESS; +} + diff --git a/framework/src/audit/lib/x86_64_table.h b/framework/src/audit/lib/x86_64_table.h new file mode 100644 index 00000000..0c8d41ad --- /dev/null +++ b/framework/src/audit/lib/x86_64_table.h @@ -0,0 +1,345 @@ +/* x86_64_table.h -- + * Copyright 2005-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(0, "read") +_S(1, "write") +_S(2, "open") +_S(3, "close") +_S(4, "stat") +_S(5, "fstat") +_S(6, "lstat") +_S(7, "poll") +_S(8, "lseek") +_S(9, "mmap") +_S(10, "mprotect") +_S(11, "munmap") +_S(12, "brk") +_S(13, "rt_sigaction") +_S(14, "rt_sigprocmask") +_S(15, "rt_sigreturn") +_S(16, "ioctl") +_S(17, "pread") +_S(18, "pwrite") +_S(19, "readv") +_S(20, "writev") +_S(21, "access") +_S(22, "pipe") +_S(23, "select") +_S(24, "sched_yield") +_S(25, "mremap") +_S(26, "msync") +_S(27, "mincore") +_S(28, "madvise") +_S(29, "shmget") +_S(30, "shmat") +_S(31, "shmctl") +_S(32, "dup") +_S(33, "dup2") +_S(34, "pause") +_S(35, "nanosleep") +_S(36, "getitimer") +_S(37, "alarm") +_S(38, "setitimer") +_S(39, "getpid") +_S(40, "sendfile") +_S(41, "socket") +_S(42, "connect") +_S(43, "accept") +_S(44, "sendto") +_S(45, "recvfrom") +_S(46, "sendmsg") +_S(47, "recvmsg") +_S(48, "shutdown") +_S(49, "bind") +_S(50, "listen") +_S(51, "getsockname") +_S(52, "getpeername") +_S(53, "socketpair") +_S(54, "setsockopt") +_S(55, "getsockopt") +_S(56, "clone") +_S(57, "fork") +_S(58, "vfork") +_S(59, "execve") +_S(60, "exit") +_S(61, "wait4") +_S(62, "kill") +_S(63, "uname") +_S(64, "semget") +_S(65, "semop") +_S(66, "semctl") +_S(67, "shmdt") +_S(68, "msgget") +_S(69, "msgsnd") +_S(70, "msgrcv") +_S(71, "msgctl") +_S(72, "fcntl") +_S(73, "flock") +_S(74, "fsync") +_S(75, "fdatasync") +_S(76, "truncate") +_S(77, "ftruncate") +_S(78, "getdents") +_S(79, "getcwd") +_S(80, "chdir") +_S(81, "fchdir") +_S(82, "rename") +_S(83, "mkdir") +_S(84, "rmdir") +_S(85, "creat") +_S(86, "link") +_S(87, "unlink") +_S(88, "symlink") +_S(89, "readlink") +_S(90, "chmod") +_S(91, "fchmod") +_S(92, "chown") +_S(93, "fchown") +_S(94, "lchown") +_S(95, "umask") +_S(96, "gettimeofday") +_S(97, "getrlimit") +_S(98, "getrusage") +_S(99, "sysinfo") +_S(100, "times") +_S(101, "ptrace") +_S(102, "getuid") +_S(103, "syslog") +_S(104, "getgid") +_S(105, "setuid") +_S(106, "setgid") +_S(107, "geteuid") +_S(108, "getegid") +_S(109, "setpgid") +_S(110, "getppid") +_S(111, "getpgrp") +_S(112, "setsid") +_S(113, "setreuid") +_S(114, "setregid") +_S(115, "getgroups") +_S(116, "setgroups") +_S(117, "setresuid") +_S(118, "getresuid") +_S(119, "setresgid") +_S(120, "getresgid") +_S(121, "getpgid") +_S(122, "setfsuid") +_S(123, "setfsgid") +_S(124, "getsid") +_S(125, "capget") +_S(126, "capset") +_S(127, "rt_sigpending") +_S(128, "rt_sigtimedwait") +_S(129, "rt_sigqueueinfo") +_S(130, "rt_sigsuspend") +_S(131, "sigaltstack") +_S(132, "utime") +_S(133, "mknod") +_S(134, "uselib") +_S(135, "personality") +_S(136, "ustat") +_S(137, "statfs") +_S(138, "fstatfs") +_S(139, "sysfs") +_S(140, "getpriority") +_S(141, "setpriority") +_S(142, "sched_setparam") +_S(143, "sched_getparam") +_S(144, "sched_setscheduler") +_S(145, "sched_getscheduler") +_S(146, "sched_get_priority_max") +_S(147, "sched_get_priority_min") +_S(148, "sched_rr_get_interval") +_S(149, "mlock") +_S(150, "munlock") +_S(151, "mlockall") +_S(152, "munlockall") +_S(153, "vhangup") +_S(154, "modify_ldt") +_S(155, "pivot_root") +_S(156, "_sysctl") +_S(157, "prctl") +_S(158, "arch_prctl") +_S(159, "adjtimex") +_S(160, "setrlimit") +_S(161, "chroot") +_S(162, "sync") +_S(163, "acct") +_S(164, "settimeofday") +_S(165, "mount") +_S(166, "umount2") +_S(167, "swapon") +_S(168, "swapoff") +_S(169, "reboot") +_S(170, "sethostname") +_S(171, "setdomainname") +_S(172, "iopl") +_S(173, "ioperm") +_S(174, "create_module") +_S(175, "init_module") +_S(176, "delete_module") +_S(177, "get_kernel_syms") +_S(178, "query_module") +_S(179, "quotactl") +_S(180, "nfsservctl") +_S(181, "getpmsg") +_S(182, "putpmsg") +_S(183, "afs_syscall") +_S(184, "tuxcall") +_S(185, "security") +_S(186, "gettid") +_S(187, "readahead") +_S(188, "setxattr") +_S(189, "lsetxattr") +_S(190, "fsetxattr") +_S(191, "getxattr") +_S(192, "lgetxattr") +_S(193, "fgetxattr") +_S(194, "listxattr") +_S(195, "llistxattr") +_S(196, "flistxattr") +_S(197, "removexattr") +_S(198, "lremovexattr") +_S(199, "fremovexattr") +_S(200, "tkill") +_S(201, "time") +_S(202, "futex") +_S(203, "sched_setaffinity") +_S(204, "sched_getaffinity") +_S(205, "set_thread_area") +_S(206, "io_setup") +_S(207, "io_destroy") +_S(208, "io_getevents") +_S(209, "io_submit") +_S(210, "io_cancel") +_S(211, "get_thread_area") +_S(212, "lookup_dcookie") +_S(213, "epoll_create") +_S(214, "epoll_ctl_old") +_S(215, "epoll_wait_old") +_S(216, "remap_file_pages") +_S(217, "getdents64") +_S(218, "set_tid_address") +_S(219, "restart_syscall") +_S(220, "semtimedop") +_S(221, "fadvise64") +_S(222, "timer_create") +_S(223, "timer_settime") +_S(224, "timer_gettime") +_S(225, "timer_getoverrun") +_S(226, "timer_delete") +_S(227, "clock_settime") +_S(228, "clock_gettime") +_S(229, "clock_getres") +_S(230, "clock_nanosleep") +_S(231, "exit_group") +_S(232, "epoll_wait") +_S(233, "epoll_ctl") +_S(234, "tgkill") +_S(235, "utimes") +_S(236, "vserver") +_S(237, "mbind") +_S(238, "set_mempolicy") +_S(239, "get_mempolicy") +_S(240, "mq_open") +_S(241, "mq_unlink") +_S(242, "mq_timedsend") +_S(243, "mq_timedreceive") +_S(244, "mq_notify") +_S(245, "mq_getsetattr") +_S(246, "kexec_load") +_S(247, "waitid") +_S(248, "add_key") +_S(249, "request_key") +_S(250, "keyctl") +_S(251, "ioprio_set") +_S(252, "ioprio_get") +_S(253, "inotify_init") +_S(254, "inotify_add_watch") +_S(255, "inotify_rm_watch") +_S(256, "migrate_pages") +_S(257, "openat") +_S(258, "mkdirat") +_S(259, "mknodat") +_S(260, "fchownat") +_S(261, "futimesat") +_S(262, "newfstatat") +_S(263, "unlinkat") +_S(264, "renameat") +_S(265, "linkat") +_S(266, "symlinkat") +_S(267, "readlinkat") +_S(268, "fchmodat") +_S(269, "faccessat") +_S(270, "pselect6") +_S(271, "ppoll") +_S(272, "unshare") +_S(273, "set_robust_list") +_S(274, "get_robust_list") +_S(275, "splice") +_S(276, "tee") +_S(277, "sync_file_range") +_S(278, "vmsplice") +_S(279, "move_pages") +_S(280, "utimensat") +_S(281, "epoll_pwait") +_S(282, "signalfd") +_S(283, "timerfd") +_S(284, "eventfd") +_S(285, "fallocate") +_S(286, "timerfd_settime") +_S(287, "timerfd_gettime") +_S(288, "accept4") +_S(289, "signalfd4") +_S(290, "eventfd2") +_S(291, "epoll_create1") +_S(292, "dup3") +_S(293, "pipe2") +_S(294, "inotify_init1") +_S(295, "preadv") +_S(296, "pwritev") +_S(297, "rt_tgsigqueueinfo") +_S(298, "perf_event_open") +_S(299, "recvmmsg") +_S(300, "fanotify_init") +_S(301, "fanotify_mark") +_S(302, "prlimit64") +_S(303, "name_to_handle_at") +_S(304, "open_by_handle_at") +_S(305, "clock_adjtime") +_S(306, "syncfs") +_S(307, "sendmmsg") +_S(308, "setns") +_S(309, "getcpu") +_S(310, "process_vm_readv") +_S(311, "process_vm_writev") +_S(312, "kcmp") +_S(313, "finit_module") +_S(314, "sched_setattr") +_S(315, "sched_getattr") +_S(316, "renameat2") +_S(317, "seccomp") +_S(318, "getrandom") +_S(319, "memfd_create") +_S(320, "kexec_file_load") +_S(321, "bpf") +_S(322, "execveat") |