* Copyright (c) 1999-2008 NOVELL (All rights reserved)
* Copyright 2009-2010 Canonical Ltd.
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2.1 of the GNU Lesser General
* Public License published by the Free Software Foundation.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
#ifndef __LIBAALOGPARSE_H_
#define __LIBAALOGPARSE_H_
/*
 * Access-mode flags. Each value is a distinct power of two so they can be
 * OR'd together; they appear to be the bits stored in
 * aa_log_record.bitmask ("r", "w", "x", ...) -- confirm against the parser.
 */
#define AA_RECORD_EXEC_MMAP 1
#define AA_RECORD_READ 2
#define AA_RECORD_WRITE 4
#define AA_RECORD_EXEC 8
#define AA_RECORD_LINK 16
* This is just for convenience now that we have two
* wildly different grammars.
AA_RECORD_SYNTAX_UNKNOWN
} aa_record_syntax_version;
AA_RECORD_INVALID, /* Default event type */
AA_RECORD_ERROR, /* Internal AA error */
AA_RECORD_AUDIT, /* Audited event */
AA_RECORD_ALLOWED, /* Complain mode event */
AA_RECORD_DENIED, /* Denied access event */
AA_RECORD_HINT, /* Process tracking info */
AA_RECORD_STATUS /* Configuration change */
} aa_record_event_type;
* With the sole exception of active_hat, this is a 1:1
* mapping from the keys that the new syntax uses.
* Some examples of the old syntax and how each is mapped onto the aa_log_record struct fields:
* "PERMITTING r access to /path (program_name(12345) profile /profile active hat)"
* - info: program_name
* "REJECTING mkdir on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - name: /path/to/something
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
* "REJECTING xattr set on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - name: /path/to/something
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
* "PERMITTING attribute (something) change to /else (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - operation: setattr
* - attribute: something
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
* "PERMITTING access to capability 'cap' (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - operation: capability
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
* "LOGPROF-HINT unknown_hat TESTHAT pid=27764 profile=/change_hat_test/test_hat active=/change_hat_test/test_hat"
* - operation: change_hat
* - info: unknown_hat
* - profile: /change_hat_test/test_hat
* - active_hat: /change_hat_test/test_hat
* "LOGPROF-HINT fork pid=27764 child=38229"
aa_record_syntax_version version;
aa_record_event_type event; /* Event type */
unsigned long pid; /* PID of the program logging the message */
unsigned long magic_token;
long epoch; /* example: 12345679 */
unsigned int audit_sub_id; /* example: 12 */
int bitmask; /* Bitmask containing "r" "w" "x" etc */
char *audit_id; /* example: 12345679.1234:12 */
char *operation; /* "Exec" "Ptrace", etc. */
char *denied_mask; /* "r", "w", etc. */
char *requested_mask;
unsigned long fsuid; /* fsuid of task - if logged */
unsigned long ouid; /* ouid of task - if logged */
char *profile; /* The name of the profile */
char *comm; /* Command that triggered msg */
</gr_replreplace>
<gr_replace lines="149-149" cat="remove_boilerplate" orig="139">
unsigned long parent;
139
int error_code; /* error_code returned if logged */
* Parses a single log record string and returns a pointer to the parsed
* data. It is the calling program's responsibility to free that struct
* with free_record(). Callers should check the returned pointer for NULL
* before use and inspect the "event" field before trusting any other
* member: AA_RECORD_INVALID is the default event type, so a line that did
* not parse as a recognised record is presumably left with that value --
* confirm against the implementation.
* @param[in] str Record to parse: a single log line. Treat its contents as
* untrusted input -- path names and command names in the record come from
* the logged process, not from the caller. The parameter is not
* const-qualified, so do not rely on the buffer being left unmodified.
* @return Parsed data. Ownership passes to the caller, who must release it
* with free_record().
parse_record(char *str);
* Frees the record and all data it owns, including the strings referenced
* by its char * members.
* @param[in] record Record returned by parse_record(). The pointer is
* invalid once this returns; set it to NULL afterwards so a repeated call
* cannot double-free. Whether a NULL argument is accepted is not specified
* in this header.
free_record(aa_log_record *record);