diff options
Diffstat (limited to 'libseaudit/include')
-rw-r--r-- | libseaudit/include/Makefile.am | 1 | ||||
-rw-r--r-- | libseaudit/include/seaudit/Makefile.am | 14 | ||||
-rw-r--r-- | libseaudit/include/seaudit/avc_message.h | 374 | ||||
-rw-r--r-- | libseaudit/include/seaudit/bool_message.h | 43 | ||||
-rw-r--r-- | libseaudit/include/seaudit/filter.h | 1025 | ||||
-rw-r--r-- | libseaudit/include/seaudit/load_message.h | 41 | ||||
-rw-r--r-- | libseaudit/include/seaudit/log.h | 162 | ||||
-rw-r--r-- | libseaudit/include/seaudit/message.h | 133 | ||||
-rw-r--r-- | libseaudit/include/seaudit/model.h | 362 | ||||
-rw-r--r-- | libseaudit/include/seaudit/parse.h | 72 | ||||
-rw-r--r-- | libseaudit/include/seaudit/report.h | 140 | ||||
-rw-r--r-- | libseaudit/include/seaudit/sort.h | 491 | ||||
-rw-r--r-- | libseaudit/include/seaudit/util.h | 44 |
13 files changed, 2902 insertions, 0 deletions
diff --git a/libseaudit/include/Makefile.am b/libseaudit/include/Makefile.am new file mode 100644 index 0000000..e922703 --- /dev/null +++ b/libseaudit/include/Makefile.am @@ -0,0 +1 @@ +SUBDIRS = seaudit
\ No newline at end of file diff --git a/libseaudit/include/seaudit/Makefile.am b/libseaudit/include/seaudit/Makefile.am new file mode 100644 index 0000000..7f11f38 --- /dev/null +++ b/libseaudit/include/seaudit/Makefile.am @@ -0,0 +1,14 @@ +seauditdir = $(includedir)/seaudit + +seaudit_HEADERS = \ + avc_message.h \ + bool_message.h \ + filter.h \ + load_message.h \ + log.h \ + message.h \ + model.h \ + parse.h \ + report.h \ + sort.h \ + util.h diff --git a/libseaudit/include/seaudit/avc_message.h b/libseaudit/include/seaudit/avc_message.h new file mode 100644 index 0000000..b7263ea --- /dev/null +++ b/libseaudit/include/seaudit/avc_message.h @@ -0,0 +1,374 @@ +/** + * @file + * Public interface for a single AVC log message. This is a subclass + * of seaudit_message. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * @author Jeremy Solt jsolt@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_AVC_MESSAGE_H +#define SEAUDIT_AVC_MESSAGE_H + +#include <apol/vector.h> + +#ifdef __cplusplus +extern "C" +{ +#endif + + typedef struct seaudit_avc_message seaudit_avc_message_t; + +/** + * AVC messages may be either a granted (i.e., an allow) or a denied. + */ + typedef enum seaudit_avc_message_type + { + SEAUDIT_AVC_UNKNOWN = 0, + SEAUDIT_AVC_DENIED, + SEAUDIT_AVC_GRANTED + } seaudit_avc_message_type_e; + +/** + * Return the type of avc message this is, either a granted (i.e., an + * allow) or a denied. + * + * @param avc AVC message to check. + * + * @return One of SEAUDIT_AVC_DENIED or SEAUDIT_AVC_GRANTED, or + * SEAUDIT_AVC_UNKNOWN upon error or if unknown. + */ + extern seaudit_avc_message_type_e seaudit_avc_message_get_message_type(const seaudit_avc_message_t * avc); + +/** + * Return the avc message's timestamp, measured in nanoseconds. + * + * @param avc AVC message to check. + * + * @return Timestamp, in nanoseconds, or 0 upon error or if unknown. + */ + extern long seaudit_avc_message_get_timestamp_nano(const seaudit_avc_message_t * avc); + +/** + * Return the source context's user of an avc message. + * + * @param avc AVC message to check. + * + * @return Source user, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_source_user(const seaudit_avc_message_t * avc); + +/** + * Return the source context's role of an avc message. + * + * @param avc AVC message to check. + * + * @return Source role, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_source_role(const seaudit_avc_message_t * avc); + +/** + * Return the source context's type of an avc message. + * + * @param avc AVC message to check. + * + * @return Source target, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_source_type(const seaudit_avc_message_t * avc); + +/** + * Return the source context's mls level of an avc message. + * + * @param avc AVC message to check. + * + * @return Source target, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_source_mls_lvl(const seaudit_avc_message_t * avc); + +/** + * Return the source context's mls clearance of an avc message. + * + * @param avc AVC message to check. + * + * @return Source target, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_source_mls_clr(const seaudit_avc_message_t * avc); + +/** + * Return the target context's user of an avc message. + * + * @param avc AVC message to check. + * + * @return Target user, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_target_user(const seaudit_avc_message_t * avc); + +/** + * Return the target context's role of an avc message. + * + * @param avc AVC message to check. + * + * @return Target role, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_target_role(const seaudit_avc_message_t * avc); + +/** + * Return the target context's type of an avc message. + * + * @param avc AVC message to check. + * + * @return Target type, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_target_type(const seaudit_avc_message_t * avc); + +/** + * Return the target context's mls level of an avc message. + * + * @param avc AVC message to check. + * + * @return Target type, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_target_mls_lvl(const seaudit_avc_message_t * avc); + +/** + * Return the target context's mls clearance of an avc message. + * + * @param avc AVC message to check. + * + * @return Target type, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_target_mls_clr(const seaudit_avc_message_t * avc); + +/** + * Return the object class from an avc message. + * + * @param avc AVC message to check. + * + * @return Object class, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_object_class(const seaudit_avc_message_t * avc); + +/** + * Return a vector of permissions (type char *) from an avc message. + * + * @param avc AVC message to check. + * + * @return Vector of permission strings, or NULL upon error or if + * unknown. Do not modify the vector in any way. + */ + extern const apol_vector_t *seaudit_avc_message_get_perm(const seaudit_avc_message_t * avc); + +/** + * Return the executable and path from an avc message. + * + * @param avc AVC message to check. + * + * @return Executable string, or NULL upon error or if unknown. Do + * not free() this string. + */ + extern const char *seaudit_avc_message_get_exe(const seaudit_avc_message_t * avc); + +/** + * Return the command from an avc message. + * + * @param avc AVC message to check. + * + * @return Command, or NULL upon error or if unknown. Do not free() + * this string. + */ + extern const char *seaudit_avc_message_get_comm(const seaudit_avc_message_t * avc); + +/** + * Return the name from an avc message. + * + * @param avc AVC message to check. + * + * @return Name, or NULL upon error or if unknown. Do not free() this + * string. + */ + extern const char *seaudit_avc_message_get_name(const seaudit_avc_message_t * avc); + +/** + * Return the process ID from an avc message. + * + * @param avc AVC message to check. + * + * @return Process's PID, or 0 upon error or if unknown. + */ + extern unsigned int seaudit_avc_message_get_pid(const seaudit_avc_message_t * avc); + +/** + * Return the inode from an avc message. + * + * @param avc AVC message to check. + * + * @return Process's PID, or 0 upon error or if unknown. + */ + extern unsigned long seaudit_avc_message_get_inode(const seaudit_avc_message_t * avc); + +/** + * Return the path of the object from an avc message. + * + * @param avc AVC message to check. + * + * @return Object's path, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_path(const seaudit_avc_message_t * avc); + +/** + * Return the device for the object from an avc message. + * + * @param avc AVC message to check. + * + * @return Object's device, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_dev(const seaudit_avc_message_t * avc); + +/** + * Return the network interface for the object from an avc message. + * + * @param avc AVC message to check. + * + * @return Network interface, or NULL upon error or if unknown. Do + * not free() this string. + */ + extern const char *seaudit_avc_message_get_netif(const seaudit_avc_message_t * avc); + +/** + * Return the port number from an avc message. + * + * @param avc AVC message to check. + * + * @return Port, or 0 upon error or if unknown. + */ + extern int seaudit_avc_message_get_port(const seaudit_avc_message_t * avc); + +/** + * Return the local address from an avc message. + * + * @param avc AVC message to check. + * + * @return Local address, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_laddr(const seaudit_avc_message_t * avc); + +/** + * Return the local port from an avc message. + * + * @param avc AVC message to check. + * + * @return Local port, or 0 upon error or if unknown. + */ + extern int seaudit_avc_message_get_lport(const seaudit_avc_message_t * avc); + +/** + * Return the foreign address from an avc message. + * + * @param avc AVC message to check. + * + * @return Foreign address, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_faddr(const seaudit_avc_message_t * avc); + +/** + * Return the foreign port from an avc message. + * + * @param avc AVC message to check. + * + * @return Foreign port, or 0 upon error or if unknown. + */ + extern int seaudit_avc_message_get_fport(const seaudit_avc_message_t * avc); + +/** + * Return the source address from an avc message. + * + * @param avc AVC message to check. + * + * @return Source address, or NULL upon error or if unknown. Do not + * free() this string. + */ + extern const char *seaudit_avc_message_get_saddr(const seaudit_avc_message_t * avc); + +/** + * Return the source port from an avc message. + * + * @param avc AVC message to check. + * + * @return Source port, or 0 upon error or if unknown. + */ + extern int seaudit_avc_message_get_sport(const seaudit_avc_message_t * avc); + +/** + * Return the destination address from an avc message. + * + * @param avc AVC message to check. + * + * @return Destination address, or NULL upon error or if unknown. Do + * not free() this string. + */ + extern const char *seaudit_avc_message_get_daddr(const seaudit_avc_message_t * avc); + +/** + * Return the destination port from an avc message. + * + * @param avc AVC message to check. + * + * @return Destination port, or 0 upon error or if unknown. + */ + extern int seaudit_avc_message_get_dport(const seaudit_avc_message_t * avc); + +/** + * Return the IPC key from an avc message. + * + * @param avc AVC message to check. + * + * @return Key, or -1 upon error or if unknown. + */ + extern int seaudit_avc_message_get_key(const seaudit_avc_message_t * avc); + +/** + * Return the process capability from an avc message. + * + * @param avc AVC message to check. + * + * @return Capability, or -1 upon error or if unknown. + */ + extern int seaudit_avc_message_get_cap(const seaudit_avc_message_t * avc); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libseaudit/include/seaudit/bool_message.h b/libseaudit/include/seaudit/bool_message.h new file mode 100644 index 0000000..4ff9df3 --- /dev/null +++ b/libseaudit/include/seaudit/bool_message.h @@ -0,0 +1,43 @@ +/** + * @file + * Public interface for a single boolean change log message. This is + * a subclass of seaudit_message; it has no publicly accessible + * functions. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_BOOL_MESSAGE_H +#define SEAUDIT_BOOL_MESSAGE_H + +#include <apol/vector.h> + +#ifdef __cplusplus +extern "C" +{ +#endif + + typedef struct seaudit_bool_message seaudit_bool_message_t; + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libseaudit/include/seaudit/filter.h b/libseaudit/include/seaudit/filter.h new file mode 100644 index 0000000..ce40b5e --- /dev/null +++ b/libseaudit/include/seaudit/filter.h @@ -0,0 +1,1025 @@ +/** + * @file + * + * Public interface to a seaudit_filter. A filter is used to modify + * the list of messages returned from a seaudit_model. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * @author Jeremy Solt jsolt@tresys.com + * + * Copyright (C) 2004-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_FILTER_H +#define SEAUDIT_FILTER_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <seaudit/avc_message.h> + +#include <apol/vector.h> +#include <stdbool.h> +#include <stdio.h> +#include <time.h> + + typedef struct seaudit_filter seaudit_filter_t; + +/** + * By default, all criteria of a filter must be met for a message to + * be accepted. This behavior can be changed such that a message is + * accepted if any of the criteria pass. + */ + typedef enum seaudit_filter_match + { + SEAUDIT_FILTER_MATCH_ALL = 0, + SEAUDIT_FILTER_MATCH_ANY + } seaudit_filter_match_e; + +/** + * By default, only messages accepted by filters will be shown by the + * model. This behavior can be changed such that filters are used to + * select messages to hide. + */ + typedef enum seaudit_filter_visible + { + SEAUDIT_FILTER_VISIBLE_SHOW = 0, + SEAUDIT_FILTER_VISIBLE_HIDE + } seaudit_filter_visible_e; + +/** + * When specifying a date/time for the filter, one must also give how + * to match the date and time. + */ + typedef enum seaudit_filter_date_match + { + SEAUDIT_FILTER_DATE_MATCH_BEFORE = 0, + SEAUDIT_FILTER_DATE_MATCH_AFTER, + SEAUDIT_FILTER_DATE_MATCH_BETWEEN + } seaudit_filter_date_match_e; + +/** + * Create a new filter object. The default matching behavior is to + * accept all messages. + * + * @param name Name for the filter; the string will be duplicated. If + * NULL then the filter will be assigned a default name. + * + * @return A newly allocated filter. The caller is responsible for + * calling seaudit_filter_destroy() afterwards. + */ + extern seaudit_filter_t *seaudit_filter_create(const char *name); + +/** + * Create a new filter object, initialized with the data from an + * existing filter. This will do a deep copy of the original filter. + * The new filter will not be attached to any model. + * + * @param filter Filter to clone. + * + * @return A cloned filter, or NULL upon error. The caller is + * responsible for calling seaudit_filter_destroy() afterwards. + */ + extern seaudit_filter_t *seaudit_filter_create_from_filter(const seaudit_filter_t * filter); + +/** + * Create and return a vector of filters (type seaudit_filter), + * initialized from the contents of a XML configuration file. + * + * @param filename File containing one or more filter data. + * + * @return Vector of filters created from that file, or NULL upon + * error. The caller is responsible for apol_vector_destroy(). + * + * @see seaudit_filter_save_to_file() + */ + extern apol_vector_t *seaudit_filter_create_from_file(const char *filename); + +/** + * Destroy the referenced seaudit_filter object. + * + * @param filter Filter object to destroy. The pointer will be set to + * NULL afterwards. (If pointer is already NULL then do nothing.) + */ + extern void seaudit_filter_destroy(seaudit_filter_t ** filter); + +/** + * Save to disk, in XML format, the given filter's values. This + * includes the filter's criteria. + * + * @param filter Filter to save. + * @param filename Name of the file to write. If the file already + * exists it will be overwritten. + * + * @return 0 on success, < 0 on error. + * + * @see seaudit_filter_create_from_file() + */ + extern int seaudit_filter_save_to_file(const seaudit_filter_t * filter, const char *filename); + +/** + * Set a filter to accept a message if all criteria are met (default + * behavior) or if any criterion is met. + * + * @param filter Filter to modify. + * @param match Matching behavior if filter has multiple criteria. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_match(seaudit_filter_t * filter, seaudit_filter_match_e match); + +/** + * Get the current match value for a filter. + * + * @param filter Filter containing match value. + * + * @return One of SEAUDIT_FILTER_MATCH_ALL or SEAUDIT_FILTER_MATCH_ANY. + */ + extern seaudit_filter_match_e seaudit_filter_get_match(const seaudit_filter_t * filter); + +/** + * Set the name of this filter, overwriting any previous name. + * + * @param filter Filter to modify. + * @param name New name for this filter. This function will duplicate + * the string. If this is NULL then clear the existing name. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_name(seaudit_filter_t * filter, const char *name); + +/** + * Get the name of this filter. + * + * @param filter Filter from which to get name. + * + * @return Name of the filter, or NULL if no name has been set. Do + * not free() or otherwise modify this string. + */ + extern const char *seaudit_filter_get_name(const seaudit_filter_t * filter); + +/** + * Set the description of this filter, overwriting any previous + * description. + * + * @param filter Filter to modify. + * @param desc New description for this filter. This function will + * duplicate the string. If this is NULL then clear the existing + * description. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_description(seaudit_filter_t * filter, const char *desc); + +/** + * Get the description of this filter. + * + * @param filter Filter from which to get description. + * + * @return Description of the filter, or NULL if no description has + * been set. Do not free() or otherwise modify this string. + */ + extern const char *seaudit_filter_get_description(const seaudit_filter_t * filter); + +/** + * Set the strictness of this filter. By default, the filter's + * criteria are not "strict", meaning if a message does not have a + * field then the criterion will match it. For example, an AVC denied + * message might not have an 'laddr' field in it. If a filter was + * created with seaudit_filter_set_laddr(), the filter would still + * accept the message. + * + * If instead a filter is set as strict, then messages that do not + * have the field in question will be rejected. For the example + * above, a strict filter would eliminate that AVC message. In + * addition, an empty filter (i.e., one without any criterion set) + * does not match any messages if it is set to strict. + * + * @param filter Filter to modify. + * @param strict If true, enable strict matching. + * + * @return Always 0. + */ + extern int seaudit_filter_set_strict(seaudit_filter_t * filter, bool is_strict); + +/** + * Get the strictness of this filter. + * + * @param filter Filter from which to get strictness. + * + * @return True if the filter will reject messages that do not contain + * fields being filtered, false if they are accepted. + */ + extern bool seaudit_filter_get_strict(const seaudit_filter_t * filter); + +/** + * Set the list of source users. A message is accepted if its source + * user is within this list. The filter will duplicate the vector and + * the strings within. + * + * @param filter Filter to modify. + * @param v Vector of strings, or NULL to clear current settings. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_source_user(seaudit_filter_t * filter, const apol_vector_t * v); + +/** + * Return the current list of source users for a filter. This will be + * a vector of strings. Treat the vector and its contents as const. + * + * @param filter Filter to get values. + * + * @return Vector of strings, or NULL if no value has been set. + */ + extern const apol_vector_t *seaudit_filter_get_source_user(const seaudit_filter_t * filter); + +/** + * Set the list of source roles. A message is accepted if its source + * role is within this list. The filter will duplicate the vector and + * the strings within. + * + * @param filter Filter to modify. + * @param v Vector of strings, or NULL to clear current settings. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_source_role(seaudit_filter_t * filter, const apol_vector_t * v); + +/** + * Return the current list of source roles for a filter. This will be + * a vector of strings. Treat the vector and its contents as const. + * + * @param filter Filter to get values. + * + * @return Vector of strings, or NULL if no value has been set. + */ + extern const apol_vector_t *seaudit_filter_get_source_role(const seaudit_filter_t * filter); + +/** + * Set the list of source types. A message is accepted if its source + * type is within this list. The filter will duplicate the vector and + * the strings within. + * + * @param filter Filter to modify. + * @param v Vector of strings, or NULL to clear current settings. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_source_type(seaudit_filter_t * filter, const apol_vector_t * v); + +/** + * Return the current list of source types for a filter. This will be + * a vector of strings. Treat the vector and its contents as const. + * + * @param filter Filter to get values. + * + * @return Vector of strings, or NULL if no value has been set. + */ + extern const apol_vector_t *seaudit_filter_get_source_type(const seaudit_filter_t * filter); + +/** + * Set the list of source mls levels. A message is accepted if its source + * mls level is within this list. The filter will duplicate the vector and + * the strings within. + * + * @param filter Filter to modify. + * @param v Vector of strings, or NULL to clear current settings. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_source_mls_lvl(seaudit_filter_t * filter, const apol_vector_t * v); + +/** + * Return the current list of source mls levels for a filter. This will be + * a vector of strings. Treat the vector and its contents as const. + * + * @param filter Filter to get values. + * + * @return Vector of strings, or NULL if no value has been set. + */ + extern const apol_vector_t *seaudit_filter_get_source_mls_lvl(const seaudit_filter_t * filter); + +/** + * Set the list of source mls clearance. A message is accepted if its source + * mls clearance is within this list. The filter will duplicate the vector and + * the strings within. + * + * @param filter Filter to modify. + * @param v Vector of strings, or NULL to clear current settings. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_source_mls_clr(seaudit_filter_t * filter, const apol_vector_t * v); + +/** + * Return the current list of source mls clearance for a filter. This will be + * a vector of strings. Treat the vector and its contents as const. + * + * @param filter Filter to get values. + * + * @return Vector of strings, or NULL if no value has been set. + */ + extern const apol_vector_t *seaudit_filter_get_source_mls_clr(const seaudit_filter_t * filter); + +/** + * Set the list of target users. A message is accepted if its target + * user is within this list. The filter will duplicate the vector and + * the strings within. + * + * @param filter Filter to modify. + * @param v Vector of strings, or NULL to clear current settings. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_target_user(seaudit_filter_t * filter, const apol_vector_t * v); + +/** + * Return the current list of target users for a filter. This will be + * a vector of strings. Treat the vector and its contents as const. + * + * @param filter Filter to get values. + * + * @return Vector of strings, or NULL if no value has been set. + */ + extern const apol_vector_t *seaudit_filter_get_target_user(const seaudit_filter_t * filter); + +/** + * Set the list of target roles. A message is accepted if its target + * role is within this list. The filter will duplicate the vector and + * the strings within. + * + * @param filter Filter to modify. + * @param v Vector of strings, or NULL to clear current settings. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_target_role(seaudit_filter_t * filter, const apol_vector_t * v); + +/** + * Return the current list of target roles for a filter. This will be + * a vector of strings. Treat the vector and its contents as const. + * + * @param filter Filter to get values. + * + * @return Vector of strings, or NULL if no value has been set. + */ + extern const apol_vector_t *seaudit_filter_get_target_role(const seaudit_filter_t * filter); + +/** + * Set the list of target types. A message is accepted if its target + * type is within this list. The filter will duplicate the vector and + * the strings within. + * + * @param filter Filter to modify. + * @param v Vector of strings, or NULL to clear current settings. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_target_type(seaudit_filter_t * filter, const apol_vector_t * v); + +/** + * Return the current list of target types for a filter. This will be + * a vector of strings. Treat the vector and its contents as const. + * + * @param filter Filter to get values. + * + * @return Vector of strings, or NULL if no value has been set. + */ + extern const apol_vector_t *seaudit_filter_get_target_type(const seaudit_filter_t * filter); + +/** + * Set the list of target mls levels. A message is accepted if its target + * mls level is within this list. The filter will duplicate the vector and + * the strings within. + * + * @param filter Filter to modify. + * @param v Vector of strings, or NULL to clear current settings. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_target_mls_lvl(seaudit_filter_t * filter, const apol_vector_t * v); + +/** + * Return the current list of target mls levels for a filter. This will be + * a vector of strings. Treat the vector and its contents as const. + * + * @param filter Filter to get values. + * + * @return Vector of strings, or NULL if no value has been set. + */ + extern const apol_vector_t *seaudit_filter_get_target_mls_lvl(const seaudit_filter_t * filter); + + /** + * Set the list of target mls clearance. A message is accepted if its target + * mls clearance is within this list. The filter will duplicate the vector and + * the strings within. + * + * @param filter Filter to modify. + * @param v Vector of strings, or NULL to clear current settings. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_target_mls_clr(seaudit_filter_t * filter, const apol_vector_t * v); + +/** + * Return the current list of target mls clearance for a filter. This will be + * a vector of strings. Treat the vector and its contents as const. + * + * @param filter Filter to get values. + * + * @return Vector of strings, or NULL if no value has been set. + */ + extern const apol_vector_t *seaudit_filter_get_target_mls_clr(const seaudit_filter_t * filter); + +/** + * Set the list of target object classes. A message is accepted if + * its target class is within this list. The filter will duplicate + * the vector and the strings within. + * + * @param filter Filter to modify. + * @param v Vector of strings, or NULL to clear current settings. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_target_class(seaudit_filter_t * filter, const apol_vector_t * v); + +/** + * Return the current list of target object classes for a filter. + * This will be a vector of strings. Treat the vector and its + * contents as const. + * + * @param filter Filter to get values. + * + * @return Vector of strings, or NULL if no value has been set. + */ + extern const apol_vector_t *seaudit_filter_get_target_class(const seaudit_filter_t * filter); + +/** + * Set the permission criterion, as a glob expression. A message is + * accepted if at least one of its AVC permissions match the + * criterion. + * + * @param filter Filter to modify. + * @param perm Glob expression for permission. This function will + * duplicate the string. If this is NULL then clear the existing + * permission. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_permission(seaudit_filter_t * filter, const char *perm); + +/** + * Return the current permission for a filter. Treat this string as + * const. + * + * @param filter Filter to get value. + * + * @return Glob expression for permission, or NULL if none set. + */ + extern const char *seaudit_filter_get_permission(const seaudit_filter_t * filter); + +/** + * Set the executable criterion, as a glob expression. A message is + * accepted if its executable matches this expression. + * + * @param filter Filter to modify. + * @param exe Glob expression for executable. This function will + * duplicate the string. If this is NULL then clear the existing + * executable. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_executable(seaudit_filter_t * filter, const char *exe); + +/** + * Return the current executable for a filter. Treat this string as + * const. + * + * @param filter Filter to get value. + * + * @return Glob expression for executable, or NULL if none set. + */ + extern const char *seaudit_filter_get_executable(const seaudit_filter_t * filter); + +/** + * Set the host criterion, as a glob expression. A message is + * accepted if its host matches this expression. + * + * @param filter Filter to modify. + * @param host Glob expression for host. This function will duplicate + * the string. If this is NULL then clear the existing host. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_host(seaudit_filter_t * filter, const char *host); + +/** + * Return the current host for a filter. Treat this string as const. + * + * @param filter Filter to get value. + * + * @return Glob expression for host, or NULL if none set. + */ + extern const char *seaudit_filter_get_host(const seaudit_filter_t * filter); + +/** + * Set the path criterion, as a glob expression. A message is + * accepted if its path matches this expression. + * + * @param filter Filter to modify. + * @param path Glob expression for path. This function will duplicate + * the string. If this is NULL then clear the existing path. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_path(seaudit_filter_t * filter, const char *path); + +/** + * Return the current path for a filter. Treat this string as const. + * + * @param filter Filter to get value. + * + * @return Glob expression for path, or NULL if none set. + */ + extern const char *seaudit_filter_get_path(const seaudit_filter_t * filter); + +/** + * Set the inode criterion. A message is accepted if its inode + * exactly matches this inode value. + * + * @param filter Filter to modify. + * @param inode inode value to match. If this is 0 then clear the + * existing inode. + * + * @return Always 0. + */ + extern int seaudit_filter_set_inode(seaudit_filter_t * filter, unsigned long inode); + +/** + * Return the current inode for a filter. + * + * @param filter Filter to get value. + * + * @return Current inode value, or 0 if none set. + */ + extern unsigned long seaudit_filter_get_inode(const seaudit_filter_t * filter); + +/** + * Set the pid criterion. A message is accepted if its pid value + * exactly matches this pid value. + * + * @param filter Filter to modify. + * @param pid value to match. If this is 0 then clear the existing pid. + * + * @return Always 0. + */ + extern int seaudit_filter_set_pid(seaudit_filter_t * filter, unsigned int pid); + +/** + * Return the current pid for a filter. + * + * @param filter Filter to get value. + * + * @return Current pid value, or 0 if none set. + */ + extern unsigned int seaudit_filter_get_pid(const seaudit_filter_t * filter); + +/** + * Set the command criterion, as a glob expression. A message is + * accepted if its command matches this expression. + * + * @param filter Filter to modify. + * @param command Glob expression for command. This function will + * duplicate the string. If this is NULL then clear the existing + * command. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_command(seaudit_filter_t * filter, const char *command); + +/** + * Return the current command for a filter. Treat this string as const. + * + * @param filter Filter to get value. + * + * @return Glob expression for command, or NULL if none set. + */ + extern const char *seaudit_filter_get_command(const seaudit_filter_t * filter); + +/** + * Set the IP address criterion, as a glob expression. A message is + * accepted if any of its IP addresses (ipaddr, saddr, daddr, faddr, + * or laddr) matches this expression. + * + * @param filter Filter to modify. + * @param ipaddr Glob expression for IP address. This function will + * duplicate the string. If this is NULL then clear the existing + * address. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_anyaddr(seaudit_filter_t * filter, const char *ipaddr); + +/** + * Return the current IP address for a filter. Treat this string as + * const. + * + * @param filter Filter to get value. + * + * @return Glob expression for address, or NULL if none set. + */ + extern const char *seaudit_filter_get_anyaddr(const seaudit_filter_t * filter); + +/** + * Set the port criterion. A message is accepted if any of its ports + * (port, source, dest, fport, or lport) matches this port. + * + * @param filter Filter to modify. + * @param port Port criterion. If this is zero or negative then clear + * the existing port. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_anyport(seaudit_filter_t * filter, const int port); + +/** + * Return the current port for a filter. + * + * @param filter Filter to get value. + * + * @return Current port criterion, or 0 if none set. + */ + extern int seaudit_filter_get_anyport(const seaudit_filter_t * filter); + +/** + * Set the local address criterion, as a glob expression. A message + * is accepted if its local address (laddr) matches this expression. + * Note that if seaudit_filter_set_anyaddr() is also set, then the + * message must match both ipaddr and laddr for it to be accepted + * (assuming that the match is set to SEAUDIT_FILTER_MATCH_ALL). + * + * @param filter Filter to modify. + * @param laddr Glob expression for local address. This function will + * duplicate the string. If this is NULL then clear the existing + * address. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_laddr(seaudit_filter_t * filter, const char *laddr); + +/** + * Return the current local address for a filter. Treat this string + * as const. + * + * @param filter Filter to get value. + * + * @return Glob expression for address, or NULL if none set. + */ + extern const char *seaudit_filter_get_laddr(const seaudit_filter_t * filter); + +/** + * Set the local port criterion. A message is accepted if its local + * port (lport) matches this port. Note that if + * seaudit_filter_set_anyport() is also set, then the message must + * match both anyport and lport for it to be accepted (assuming that + * the match is set to SEAUDIT_FILTER_MATCH_ALL). + * + * @param filter Filter to modify. + * @param lport Local port criterion. If this is zero or negative + * then clear the existing port. + * + * @return Always 0. + */ + extern int seaudit_filter_set_lport(seaudit_filter_t * filter, const int lport); + +/** + * Return the current local port for a filter. + * + * @param filter Filter to get value. + * + * @return Current port criterion, or 0 if none set. + */ + extern int seaudit_filter_get_lport(const seaudit_filter_t * filter); + +/** + * Set the foreign address criterion, as a glob expression. A message + * is accepted if its foreign address (faddr) matches this expression. + * Note that if seaudit_filter_set_anyaddr() is also set, then the + * message must match both ipaddr and faddr for it to be accepted + * (assuming that the match is set to SEAUDIT_FILTER_MATCH_ALL). + * + * @param filter Filter to modify. + * @param faddr Glob expression for foreign address. This function + * will duplicate the string. If this is NULL then clear the existing + * address. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_faddr(seaudit_filter_t * filter, const char *faddr); + +/** + * Return the current foreign address for a filter. Treat this string + * as const. + * + * @param filter Filter to get value. + * + * @return Glob expression for address, or NULL if none set. + */ + extern const char *seaudit_filter_get_faddr(const seaudit_filter_t * filter); + +/** + * Set the foreign port criterion. A message is accepted if its + * foreign port (fport) matches this port. Note that if + * seaudit_filter_set_anyport() is also set, then the message must + * match both anyport and fport for it to be accepted (assuming that + * the match is set to SEAUDIT_FILTER_MATCH_ALL). + * + * @param filter Filter to modify. + * @param fport Foreign port criterion. If this is zero or negative + * then clear the existing port. + * + * @return Always 0. + */ + extern int seaudit_filter_set_fport(seaudit_filter_t * filter, const int fport); + +/** + * Return the current foreign port for a filter. + * + * @param filter Filter to get value. + * + * @return Current port criterion, or 0 if none set. + */ + extern int seaudit_filter_get_fport(const seaudit_filter_t * filter); + +/** + * Set the source address criterion, as a glob expression. A message + * is accepted if its source address (saddr) matches this expression. + * Note that if seaudit_filter_set_anyaddr() is also set, then the + * message must match both ipaddr and saddr for it to be accepted + * (assuming that the match is set to SEAUDIT_FILTER_MATCH_ALL). + * + * @param filter Filter to modify. + * @param saddr Glob expression for source address. This function + * will duplicate the string. If this is NULL then clear the existing + * address. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_saddr(seaudit_filter_t * filter, const char *saddr); + +/** + * Return the current source address for a filter. Treat this string + * as const. + * + * @param filter Filter to get value. + * + * @return Glob expression for address, or NULL if none set. + */ + extern const char *seaudit_filter_get_saddr(const seaudit_filter_t * filter); + +/** + * Set the source port criterion. A message is accepted if its source + * port (sport) matches this port. Note that if + * seaudit_filter_set_anyport() is also set, then the message must + * match both anyport and sport for it to be accepted (assuming that + * the match is set to SEAUDIT_FILTER_MATCH_ALL). + * + * @param filter Filter to modify. + * @param sport Source port criterion. If this is zero or negative + * then clear the existing port. + * + * @return Always 0. + */ + extern int seaudit_filter_set_sport(seaudit_filter_t * filter, const int sport); + +/** + * Return the current source port for a filter. + * + * @param filter Filter to get value. + * + * @return Current port criterion, or 0 if none set. + */ + extern int seaudit_filter_get_sport(const seaudit_filter_t * filter); + +/** + * Set the destination address criterion, as a glob expression. A + * message is accepted if its destination address (daddr) matches this + * expression. Note that if seaudit_filter_set_anyaddr() is also set, + * then the message must match both ipaddr and daddr for it to be + * accepted (assuming that the match is set to + * SEAUDIT_FILTER_MATCH_ALL). + * + * @param filter Filter to modify. + * @param daddr Glob expression for destination address. This + * function will duplicate the string. If this is NULL then clear the + * existing address. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_daddr(seaudit_filter_t * filter, const char *daddr); + +/** + * Return the current destination address for a filter. Treat this + * string as const. + * + * @param filter Filter to get value. + * + * @return Glob expression for address, or NULL if none set. + */ + extern const char *seaudit_filter_get_daddr(const seaudit_filter_t * filter); + +/** + * Set the destination port criterion. A message is accepted if its + * destination port (dport) matches this port. Note that if + * seaudit_filter_set_anyport() is also set, then the message must + * match both anyport and dport for it to be accepted (assuming that + * the match is set to SEAUDIT_FILTER_MATCH_ALL). + * + * @param filter Filter to modify. + * @param dport Destination port criterion. If this is zero or + * negative then clear the existing port. + * + * @return Always 0. + */ + extern int seaudit_filter_set_dport(seaudit_filter_t * filter, const int dport); + +/** + * Return the current destination port for a filter. + * + * @param filter Filter to get value. + * + * @return Current port criterion, or 0 if none set. + */ + extern int seaudit_filter_get_dport(const seaudit_filter_t * filter); + +/** + * Set the port criterion. A message is accepted if its port matches + * this port value exactly. Note that if seaudit_filter_set_anyport() + * is also set, then the message must match both anyport and port for + * it to be accepted (assuming that the match is set to + * SEAUDIT_FILTER_MATCH_ALL). + * + * @param filter Filter to modify. + * @param port Port criterion. If this is zero or negative then clear + * the existing port. + * + * @return Always 0. + */ + extern int seaudit_filter_set_port(seaudit_filter_t * filter, const int port); + +/** + * Return the current port for a filter. + * + * @param filter Filter to get value. + * + * @return Current port criterion, or 0 if none set. + */ + extern int seaudit_filter_get_port(const seaudit_filter_t * filter); + +/** + * Set the network interface criterion. A message is accepted if its + * interface matches exactly with this string. + * + * @param filter Filter to modify. + * @param netif Network interface criterion. This function will + * duplicate the string. If this is NULL then clear the existing + * criterion. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_netif(seaudit_filter_t * filter, const char *netif); + +/** + * Return the current network interface for a filter. Treat this + * string as const. + * + * @param filter Filter to get value. + * + * @return String for netif, or NULL if none set. + */ + extern const char *seaudit_filter_get_netif(const seaudit_filter_t * filter); + +/** + * Set the key criterion. A message is accepted if its IPC key + * matches exactly with this value. + * + * @param filter Filter to modify. + * @param key Key criterion. If this is zero or negative then clear + * the existing key. + * + * @return Always 0. + */ + extern int seaudit_filter_set_key(seaudit_filter_t * filter, const int key); + +/** + * Return the current key for a filter. + * + * @param filter Filter to get value. + * + * @return Current key criterion, or 0 if none set. + */ + extern int seaudit_filter_get_key(const seaudit_filter_t * filter); + +/** + * Set the capability criterion. A message is accepted if its + * capability matches exactly with this value. + * + * @param filter Filter to modify. + * @param cap Capability criterion. If this is zero or negative then + * clear the existing capability. + * + * @return Always 0. + */ + extern int seaudit_filter_set_cap(seaudit_filter_t * filter, const int cap); + +/** + * Return the current capability for a filter. + * + * @param filter Filter to get value. + * + * @return Current capability criterion, or 0 if none set. + */ + extern int seaudit_filter_get_cap(const seaudit_filter_t * filter); + +/** + * Set the type of AVC criterion. A message is accepted if it matches + * this value exactly. If the message type is not SEAUDIT_AVC_UNKNOWN + * and the message is not an AVC then it will be rejected. + * + * @param filter Filter to modify. + * @param message_type One of SEAUDIT_AVC_DENIED, SEAUDIT_AVC_GRANTED, + * SEAUDIT_AVC_UNKNOWN. If SEAUDIT_AVC_UNKNOWN then unset this + * criterion. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_message_type(seaudit_filter_t * filter, const seaudit_avc_message_type_e message_type); + +/** + * Return the current message type for a filter. + * + * @param filter Filter to get value. + * + * @return Type of AVC message to filter, or SEAUDIT_AVC_UNKNOWN if + * none set. + */ + extern seaudit_avc_message_type_e seaudit_filter_get_message_type(const seaudit_filter_t * filter); + +/** + * Set the date/time criterion. A message is accepted if its + * date/time falls within the allowable range. + * + * @param filter Filter to modify. + * @param start Starting time. This structure will be duplicated. If + * NULL, then do not filter by dates. + * @param end Ending time. This structure will be duplicated. It + * will be ignored (and hence may be NULL) if date_match is not + * SEAUDIT_FILTER_DATE_MATCH_BETWEEN. + * @param date_match How to match dates, either ones falling before + * start, ones falling after start, or ones between start and end. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_filter_set_date(seaudit_filter_t * filter, const struct tm *start, const struct tm *end, + seaudit_filter_date_match_e match); + +/** + * Return the current date/time for a filter. Note that if no + * date/time has been set then both reference pointers will be set to + * NULL (match will be set to an invalid value). + * + * @param filter Filter to get value. + * @param start Pointer to location to store starting time. Do not + * free() or otherwise modify this pointer. + * @param end Pointer to location to store ending time. Do not free() + * or otherwise modify this pointer. If match is not + * SEAUDIT_FILTER_DATE_MATCH_BETWEEN then the contents of this + * structure are invalid. + * @param date_match Pointer to location to set date matching option. + */ + extern void seaudit_filter_get_date(const seaudit_filter_t * filter, const struct tm **start, const struct tm **end, + seaudit_filter_date_match_e * match); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libseaudit/include/seaudit/load_message.h b/libseaudit/include/seaudit/load_message.h new file mode 100644 index 0000000..52cedd6 --- /dev/null +++ b/libseaudit/include/seaudit/load_message.h @@ -0,0 +1,41 @@ +/** + * @file + * Public interface for a single loaded policy log message. This is + * a subclass of seaudit_message; it has no publicly accessible + * functions. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_LOAD_MESSAGE_H +#define SEAUDIT_LOAD_MESSAGE_H + +#ifdef __cplusplus +extern "C" +{ +#endif + + typedef struct seaudit_load_message seaudit_load_message_t; + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libseaudit/include/seaudit/log.h b/libseaudit/include/seaudit/log.h new file mode 100644 index 0000000..b94a2a1 --- /dev/null +++ b/libseaudit/include/seaudit/log.h @@ -0,0 +1,162 @@ +/** + * @file + * + * Public interface for the main libseaudit object, seaudit_log. + * Note that there is no public way to get at the messages stored + * within a model. For that, the caller must create a seaudit_model + * and then access messages through the model. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * @author Jeremy Solt jsolt@tresys.com + * + * Copyright (C) 2003-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_LOG_H +#define SEAUDIT_LOG_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <stdarg.h> +#include <apol/vector.h> + + typedef struct seaudit_log seaudit_log_t; + typedef void (*seaudit_handle_fn_t) (void *arg, const seaudit_log_t * log, int level, const char *fmt, va_list va_args); + +/** + * Define the types of logs that this library can parse. + */ + typedef enum seaudit_log_type + { + SEAUDIT_LOG_TYPE_INVALID = 0, + SEAUDIT_LOG_TYPE_SYSLOG, + SEAUDIT_LOG_TYPE_AUDITD + } seaudit_log_type_e; + +/** + * Allocate and initialize a new seaudit log structure. This + * structure holds log messages from one or more files; call + * seaudit_log_parse() to actually add messages to this log. + * + * @param fn Function to be called by the error handler. If NULL + * then write messages to standard error. + * @param callback_arg Argument for the callback. + * + * @return A newly allocated and initialized seaudit log structure or + * NULL on error; if the call fails, errno will be set. The caller is + * responsible for calling seaudit_log_destroy() to free memory used + * by this structure. + */ + extern seaudit_log_t *seaudit_log_create(seaudit_handle_fn_t fn, void *callback_arg); + +/** + * Free all memory used by an seaudit log structure and set it to + * NULL. + * + * @param log Reference pointer to the log structure to destroy. This + * pointer will be set to NULL. (If already NULL, function is a + * no-op.) + */ + extern void seaudit_log_destroy(seaudit_log_t ** log); + +/** + * Remove all messages from the log. The next time the model(s) that + * are watching this log are accessed, they will be refreshed. Note + * that any existing pointers to messages within this log will become + * invalid. (This function does not actually delete the log file from + * disk; it just removes them from memory.) + * + * @param log Log to clear. + */ + extern void seaudit_log_clear(seaudit_log_t * log); + +/** + * Return a vector of strings corresponding to all users found within + * the log file. The vector will be sorted alphabetically. + * + * @param log Log file to access. + * + * @return Vector of sorted users, or NULL upon error. The caller + * must call apol_vector_destroy() upon the return value. + */ + apol_vector_t *seaudit_log_get_users(const seaudit_log_t * log); + +/** + * Return a vector of strings corresponding to all roles found within + * the log file. The vector will be sorted alphabetically. + * + * @param log Log file to access. + * + * @return Vector of sorted roles, or NULL upon error. The caller + * must call apol_vector_destroy() upon the return value. + */ + apol_vector_t *seaudit_log_get_roles(const seaudit_log_t * log); + +/** + * Return a vector of strings corresponding to all types found within + * the log file. The vector will be sorted alphabetically. + * + * @param log Log file to access. + * + * @return Vector of sorted types, or NULL upon error. The caller + * must call apol_vector_destroy() upon the return value. + */ + apol_vector_t *seaudit_log_get_types(const seaudit_log_t * log); + +/** + * Return a vector of strings corresponding to all mls levels found within + * the log file. The vector will be sorted alphabetically. + * + * @param log Log file to access. + * + * @return Vector of sorted types, or NULL upon error. The caller + * must call apol_vector_destroy() upon the return value. + */ + apol_vector_t *seaudit_log_get_mls_lvl(const seaudit_log_t * log); + +/** + * Return a vector of strings corresponding to all mls clearance found within + * the log file. The vector will be sorted alphabetically. + * + * @param log Log file to access. + * + * @return Vector of sorted types, or NULL upon error. The caller + * must call apol_vector_destroy() upon the return value. + */ + apol_vector_t *seaudit_log_get_mls_clr(const seaudit_log_t * log); + +/** + * Return a vector of strings corresponding to all object classes + * found within the log file. The vector will be sorted + * alphabetically. + * + * @param log Log file to access. + * + * @return Vector of sorted classes, or NULL upon error. The caller + * must call apol_vector_destroy() upon the return value. + */ + apol_vector_t *seaudit_log_get_classes(const seaudit_log_t * log); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libseaudit/include/seaudit/message.h b/libseaudit/include/seaudit/message.h new file mode 100644 index 0000000..2266ee8 --- /dev/null +++ b/libseaudit/include/seaudit/message.h @@ -0,0 +1,133 @@ +/** + * @file + * Public interface for a single seaudit log message. Note that this + * is an abstract class. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_MESSAGE_H +#define SEAUDIT_MESSAGE_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include <time.h> + + typedef struct seaudit_message seaudit_message_t; + +/** + * This enum defines the different types of audit messages this + * library will handle. Message types are put in alphabetical order + * to make msg_field_compare() in sort.c easier. + */ + typedef enum seaudit_message_type + { + SEAUDIT_MESSAGE_TYPE_INVALID = 0, + /** BOOL is the message that results when changing + booleans in a conditional policy. */ + SEAUDIT_MESSAGE_TYPE_BOOL, + /** AVC is a standard 'allowed' or 'denied' type + message. */ + SEAUDIT_MESSAGE_TYPE_AVC, + /** LOAD is the message that results when a policy is + loaded into the system. */ + SEAUDIT_MESSAGE_TYPE_LOAD + } seaudit_message_type_e; + +/** + * Get a pointer to a message's specific data. This returns a void + * pointer; the caller must cast it to one of seaudit_avc_message_t, + * seaudit_bool_message_t, or seaudit_load_message_t. Use the + * returned value from the second parameter to determine which type + * this message really is. + * + * @param msg Message from which to get data. + * @param type Reference to the message specific type. + * + * @return Pointer to message's specific type, or NULL upon error. + */ + extern void *seaudit_message_get_data(const seaudit_message_t * msg, seaudit_message_type_e * type); + +/** + * Return the time that this audit message was generated. + * + * @param msg Message from which to get its time. + * + * @return Time of the message. Treat the contents of this struct as + * const. + * + * @see localtime(3) + */ + extern const struct tm *seaudit_message_get_time(const seaudit_message_t * msg); + +/** + * Return the name of the host that generated this audit message. + * + * @param msg Message from which to get its time. + * + * @return Host of the message. Do not modify this string. + */ + extern const char *seaudit_message_get_host(const seaudit_message_t * msg); + +/** + * Given a message, allocate and return a string that approximates the + * message as it had appeared within the original log file. + * + * @param msg Message to convert. + * + * @return String representation for message, or NULL upon error. The + * caller is responsible for free()ing the string afterwards. + */ + extern char *seaudit_message_to_string(const seaudit_message_t * msg); + +/** + * Given a message, allocate and return a string, formatted in HTML, + * that approximates the message as it had appeared within the + * original log file. + * + * @param msg Message to convert. + * + * @return HTML String representation for message, or NULL upon error. + * The caller is responsible for free()ing the string afterwards. + */ + extern char *seaudit_message_to_string_html(const seaudit_message_t * msg); + +/** + * Given a message, allocate and return a string that gives + * miscellaneous (i.e., uncategorized) information about the message. + * To get the more important values you will need to use more specific + * accessor methods. + * + * @param msg Message from which to get miscellaneous information. + * + * @return Miscellaneous message string representation, or NULL upon + * error. The caller is responsible for free()ing the string + * afterwards. + */ + extern char *seaudit_message_to_misc_string(const seaudit_message_t * msg); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libseaudit/include/seaudit/model.h b/libseaudit/include/seaudit/model.h new file mode 100644 index 0000000..e5daacf --- /dev/null +++ b/libseaudit/include/seaudit/model.h @@ -0,0 +1,362 @@ +/** + * @file + * + * Public interface to a seaudit_model. This represents a subset of + * log messages from one or more seaudit_log, where the subset is + * defined by a finite set of seaudit_filter and sorted by some + * criterion or criteria. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2004-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_MODEL_H +#define SEAUDIT_MODEL_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include "filter.h" +#include "log.h" +#include "message.h" +#include "sort.h" + +#include <stdlib.h> + + typedef struct seaudit_model seaudit_model_t; + +/** + * Create a seaudit_model based upon the messages from some particular + * seaudit_log. The model will be initialized with the default filter + * (i.e., accept all of the messages from the log). + * + * @param name Name for the model; the string will be duplicated. If + * NULL then the model will be assigned a non-unique default name. + * @param log Initial log for this model to watch. If NULL then do + * not watch any log files. + * + * @return An initialized model, or NULL upon error. The caller must + * call seaudit_model_destroy() afterwards. + */ + extern seaudit_model_t *seaudit_model_create(const char *name, seaudit_log_t * log); + +/** + * Create a new seaudit_model object, initialized with the data from + * an existing model. This will do a deep copy of the original model. + * The new model will be watch the same logs that the original model + * was watching. + * + * @param model Model to clone. + * + * @return A cloned model, or NULL upon error. The caller must call + * seaudit_model_destroy() afterwards. + */ + extern seaudit_model_t *seaudit_model_create_from_model(const seaudit_model_t * model); + +/** + * Create and return a model initialized from the contents of a XML + * configuration file. This will also load filters into the model. + * The model will not be associated with any logs; for that call + * seaudit_model_append_log(). + * + * @param filename File containing model data. + * + * @return An initialized model, or NULL upon error. The caller must + * call seaudit_model_destroy() afterwards. + * + * @see seaudit_model_save_to_file() + */ + extern seaudit_model_t *seaudit_model_create_from_file(const char *filename); + +/** + * Destroy the referenced seadit_model object. + * + * @param model Model to destroy. The pointer will be set to NULL + * afterwards. (If pointer is already NULL then do nothing.) + */ + extern void seaudit_model_destroy(seaudit_model_t ** model); + +/** + * Save to disk, in XML format, the given model's values. This + * includes the filters contained within the model as well. Note that + * this does not save the messages within the model nor the associated + * logs. + * + * @param model Model to save. + * @param filename Name of the file to write. If the file already + * exists it will be overwritten. + * + * @return 0 on success, < 0 on error. + * + * @see seaudit_model_create_from_file() + */ + extern int seaudit_model_save_to_file(const seaudit_model_t * model, const char *filename); + +/** + * Get the name of this model. + * + * @param model Model whose name to get. + * + * @return Name of the model, or NULL upon error. Do not modify this + * string. + */ + extern const char *seaudit_model_get_name(const seaudit_model_t * model); + +/** + * Set the name of this model, overwriting any previous name. + * + * @param model Model whose name to set. + * @param name New name for the model; the string will be duplicated. + * If NULL then the model will be assigned a non-unique default name. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_model_set_name(seaudit_model_t * model, const char *name); + +/** + * Have the given model start watching the given log file, in addition + * to any other log files the model was watching. + * + * @param model Model to modify. + * @param log Additional log file to watch. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_model_append_log(seaudit_model_t * model, seaudit_log_t * log); + +/** + * Append a filter to a model. The next time the model's messages are + * retrieved only those messages that match this filter will be + * returned. Multiple filters may be applied to a model. Upon + * success, the model takes ownership of the filter. + * + * @param model Model to modify. + * @param filter Additional filter to be applied. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_model_append_filter(seaudit_model_t * model, seaudit_filter_t * filter); + +/** + * Get the list of filters for a model. Whenever a filter is modified + * the model will be recomputed. Note: to remove a filter from the + * model use seaudit_model_remove_filter(). + * + * @param model Model containing filters. + * + * @return Vector of seaudit_filter objects, or NULL upon error. Note + * that the vector my be empty. Do not destroy or otherwise modify + * this vector. (It is safe to manipulate the elements within the + * vector.) + */ + extern const apol_vector_t *seaudit_model_get_filters(const seaudit_model_t * model); + +/** + * Remove a filter from a model. The given parameter must match one + * of the filters stored within the model; call + * seaudit_model_get_filters() to get a list of the model's filters. + * + * @param model Model to modify. + * @param filter Filter to remove. Upon success the pointer becomes + * invalid. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_model_remove_filter(seaudit_model_t * model, seaudit_filter_t * filter); + +/** + * Set a model to accept a message if all filters are met (default + * behavior) or if any filter is met. Note that is independent from + * the setting given to seaudit_model_set_filter_visible(). + * + * @param model Model to modify. + * @param match Matching behavior if model has multiple filters. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_model_set_filter_match(seaudit_model_t * model, seaudit_filter_match_e match); + +/** + * Get the current filter match value for a model. + * + * @param model Model containing filter match value. + * + * @return One of SEAUDIT_FILTER_MATCH_ALL or SEAUDIT_FILTER_MATCH_ANY. + */ + extern seaudit_filter_match_e seaudit_model_get_filter_match(const seaudit_model_t * model); + +/** + * Set a model to either show (default behavior) or hide messages + * accepted by the filters. Note that is independent from the setting + * given to seaudit_model_set_filter_match(). + * + * @param model Model to modify. + * @param visible Messages to show if model has any filters. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_model_set_filter_visible(seaudit_model_t * model, seaudit_filter_visible_e visible); + +/** + * Get the current filter visibility value for a model. + * + * @param model Model containing filter visibility value. + * + * @return One of SEAUDIT_FILTER_VISIBLE_SHOW or + * SEAUDIT_FILTER_VISIBLE_HIDE. + */ + extern seaudit_filter_visible_e seaudit_model_get_filter_visible(const seaudit_model_t * model); + +/** + * Append a sort criterion to a model. The next time the model's + * messages are retrieved they will be sorted by this criterion. If + * the model already has sort criteria, they will have a higher + * priority than this new criterion. Upon success, the model takes + * ownership of the sort object + * + * @param model Model to modify. + * @param sort Additional sort criterion. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_model_append_sort(seaudit_model_t * model, seaudit_sort_t * sort); + +/** + * Remove all sort criteria from this model. The next time the + * model's messages are retrieved they will be in the same order as + * provided by the model's log(s). + * + * @param model Model to modify. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_model_clear_sorts(seaudit_model_t * model); + +/** + * Return a value indicating if this model has changed since the last + * time seaudit_model_get_messages() was called. Note that upon a + * non-zero return value, the vector returned by + * seaudit_model_get_messages() might contain the same messages. For + * example, the user could have removed all sorts but then re-inserted + * them in the same order. + * + * @param model Model to check. + * + * @return 0 if the model is unchanged, non-zero if it may have + * changed. + */ + extern int seaudit_model_is_changed(const seaudit_model_t * model); + +/** + * Return a sorted list of messages associated with this model. This + * will cause the model to recalculate, as necessary, all messages + * according to its filters and then sort them. + * + * @param log Log to which report error messages. + * @param model Model containing messages. + * + * @return A newly allocated vector of seaudit_message_t, pre-filtered + * and pre-sorted, or NULL upon error. The caller is responsible for + * calling apol_vector_destroy() upon this value. + */ + extern apol_vector_t *seaudit_model_get_messages(const seaudit_log_t * log, seaudit_model_t * model); + +/** + * Return a sorted list of malformed messages associated with this + * model. This is the union of all malformed messages from the + * model's logs. This will cause the model to recalculate, as + * necessary, all messages according to its filters. + * + * @param log Log to which report error messages. + * @param model Model containing malformed messages. + * + * @return A newly allocated vector of strings, or NULL upon error. + * Treat the contents of the vector as const char *. The caller is + * responsible for calling apol_vector_destroy() upon this value. + */ + extern apol_vector_t *seaudit_model_get_malformed_messages(const seaudit_log_t * log, seaudit_model_t * model); + +/** + * Hide a message from a model such that the next time + * seaudit_model_get_messages() is called, the given message will not + * be returned within the vector. + * + * @param model Model containing message to hide. + * @param message Message to be marked hidden. If NULL, then do + * nothing. It is safe to make duplicate calls to this function with + * the same message. + */ + extern void seaudit_model_hide_message(seaudit_model_t * model, const seaudit_message_t * message); + +/** + * Return the number of avc allow messages currently within the model. + * This will cause the model to recalculate, as necessary, all + * messages according to its filters. + * + * @param log Log to which report error messages. + * @param model Model to get statistics. + * + * @return Number of allow messages in the model. This could be zero. + */ + extern size_t seaudit_model_get_num_allows(const seaudit_log_t * log, seaudit_model_t * model); + +/** + * Return the number of avc deny messages currently within the model. + * This will cause the model to recalculate, as necessary, all + * messages according to its filters. + * + * @param log Log to which report error messages. + * @param model Model to get statistics. + * + * @return Number of deny messages in the model. This could be zero. + */ + extern size_t seaudit_model_get_num_denies(const seaudit_log_t * log, seaudit_model_t * model); + +/** + * Return the number of boolean change messages currently within the + * model. This will cause the model to recalculate, as necessary, all + * messages according to its filters. + * + * @param log Log to which report error messages. + * @param model Model to get statistics. + * + * @return Number of boolean messages in the model. This could be + * zero. + */ + extern size_t seaudit_model_get_num_bools(const seaudit_log_t * log, seaudit_model_t * model); + +/** + * Return the number of load messages currently within the model. + * This will cause the model to recalculate, as necessary, all + * messages according to its filters. + * + * @param log Log to which report error messages. + * @param model Model to get statistics. + * + * @return Number of load messages in the model. This could be zero. + */ + extern size_t seaudit_model_get_num_loads(const seaudit_log_t * log, seaudit_model_t * model); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libseaudit/include/seaudit/parse.h b/libseaudit/include/seaudit/parse.h new file mode 100644 index 0000000..385f855 --- /dev/null +++ b/libseaudit/include/seaudit/parse.h @@ -0,0 +1,72 @@ +/** + * @file + * Public interface for parsing an audit log. + * + * @author Meggan Whalen mwhalen@tresys.com + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2003-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_PARSE_H +#define SEAUDIT_PARSE_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include "log.h" +#include <stdio.h> + +/** + * Parse the file specified by syslog and put all selinux audit + * messages into the log. It is assumed that log will be created + * before this function. If the log already has messages, new + * messages will be appended to it. Afterwards all models watching + * this log will be notified of the changes. + * + * @param log Audit log to which append messages. + * @param syslog Handler to an opened file containing audit messages. + * + * @return 0 on success, > 0 on warnings, < 0 on error and errno will + * be set. + */ + extern int seaudit_log_parse(seaudit_log_t * log, FILE * syslog); + +/** + * Parse a string buffer representing a syslog (or just lines from it) + * and put all selinux audit messages into the log. It is assumed + * that log will be created before this function. If the log already + * has messages, new messages will be appended to it. Afterwards all + * models watching this log will be notified of the changes. + * + * @param log Audit log to which append messages. + * @param buffer Buffer containing SELinux audit messages. + * @param bufsize Number of bytes in the buffer. + * + * @return 0 on success, > 0 on warnings, < 0 on error and errno will + * be set. + */ + extern int seaudit_log_parse_buffer(seaudit_log_t * log, const char *buffer, const size_t bufsize); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libseaudit/include/seaudit/report.h b/libseaudit/include/seaudit/report.h new file mode 100644 index 0000000..3df4b43 --- /dev/null +++ b/libseaudit/include/seaudit/report.h @@ -0,0 +1,140 @@ +/** + * @file + * + * This is the interface for processing SELinux audit logs and/or + * seaudit views to generate concise reports containing standard + * information as well as customized information using seaudit views. + * Reports are rendered in either HTML or plain text. Future support + * will provide rendering into XML. The HTML report can be formatted + * by providing an alternate stylesheet file or by configuring the + * default stylesheet. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2004-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_REPORT_H +#define SEAUDIT_REPORT_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include "model.h" + + typedef struct seaudit_report seaudit_report_t; + + typedef enum seaudit_report_format + { + SEAUDIT_REPORT_FORMAT_TEXT, SEAUDIT_REPORT_FORMAT_HTML + } seaudit_report_format_e; + +/** + * Allocate and return a new seaudit_report_t for a particular model. + * This will not actually write the report to disk; for that call + * seaudit_report_write(). + * + * @param model Model containing messages that will be written. + * + * @return A newly allocated report, or NULL upon error. The caller + * must call seaudit_report_destroy() afterwards. + */ + extern seaudit_report_t *seaudit_report_create(seaudit_model_t * model); + +/** + * Destroy the referenced seaudit_report_t object. + * + * @param report Report to destroy. The pointer will be set to NULL + * afterwards. (If pointer is already NULL then do nothing.) + */ + extern void seaudit_report_destroy(seaudit_report_t ** report); + +/** + * Write the report with the messages currently stored in the report's + * model. + * + * @param log Error handler. + * @param report Report to write. + * @param out_file File name for the report. If this is NULL then + * write to standard output. + * + * @return 0 on successful write, < 0 on error. + */ + extern int seaudit_report_write(const seaudit_log_t * log, const seaudit_report_t * report, const char *out_file); + +/** + * Set the output format of the report. The default format is plain + * text. + * + * @param log Error handler. + * @param report Report whose format to set. + * @param format Output formate. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_report_set_format(const seaudit_log_t * log, seaudit_report_t * report, seaudit_report_format_e format); + +/** + * Set the report to use a particular report configuration file. + * + * @param log Error handler. + * @param report Report whose configuration to set. + * @param file Name of the configuration report. If NULL then use the + * default installed file. (The name will be duplicated by this + * function.) + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_report_set_configuration(const seaudit_log_t * log, seaudit_report_t * report, const char *file); + +/** + * Set the report to use a particular HTML stylesheet file. Note that + * this option is ignored if not generating an HTML report. + * + * @param log Error handler. + * @param report Report whose stylesheet to set. + * @param file Name of the stylesheet. If NULL then use the default + * installed file. (The name will be duplicated by this function.) + * @param use_stylesheet If non-zero, then use the stylesheet given by + * the parameter 'file'. Otherwise completely disable stylesheets. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_report_set_stylesheet(const seaudit_log_t * log, seaudit_report_t * report, const char *file, + const int use_stylesheet); + +/** + * Set the report to print messages that did not parse cleanly (i.e., + * "malformed messages"). + * + * @param log Error handler. + * @param report Report whose malformed messagse to print. + * @param do_malformed If non-zero then print malformed messages. + * Otherwise do not print them. + * + * @return 0 on success, < 0 on error. + */ + extern int seaudit_report_set_malformed(const seaudit_log_t * log, seaudit_report_t * report, const int do_malformed); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libseaudit/include/seaudit/sort.h b/libseaudit/include/seaudit/sort.h new file mode 100644 index 0000000..505ff60 --- /dev/null +++ b/libseaudit/include/seaudit/sort.h @@ -0,0 +1,491 @@ +/** + * @file + * + * Public interface to a seaudit_sort. This represents an abstract + * object that specifies how to sort messages within a particular + * seaudit_model. The caller obtains a specific sort object and + * appends it to a model via seaudit_model_append_sort(); the caller + * cannot get a "generic" sort object. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * @author Jeremy Solt jsolt@tresys.com + * + * Copyright (C) 2003-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_SORT_H +#define SEAUDIT_SORT_H + +#ifdef __cplusplus +extern "C" +{ +#endif + + typedef struct seaudit_sort seaudit_sort_t; + +/** + * Create a new sort object, initialized with the data from an + * existing sort. The new sort will not be attached to any model. + * + * @param sort Sort to clone. + * + * @return A cloned sort object, or NULL upon error. The caller is + * responsible for calling seaudit_sort_destroy() afterwards. + */ + extern seaudit_sort_t *seaudit_sort_create_from_sort(const seaudit_sort_t * sort); + +/** + * Destroy the referenced seaudit_sort object. + * + * @param sort Sort object to destroy. The pointer will be set to + * NULL afterwards. (If pointer is already NULL then do nothing.) + */ + extern void seaudit_sort_destroy(seaudit_sort_t ** sort); + +/** + * Instruct a model to sort messages by message type: boolean changes, + * then avc denies, then avc allows, then policy load messages. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_message_type(const int direction); + +/** + * Instruct a model to sort messages by chronological order. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_date(const int direction); + +/** + * Instruct a model to sort messages by host name, alphabetically. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_host(const int direction); + +/** + * Instruct a model to sort AVC messages by permissions, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_permission(const int direction); + +/** + * Instruct a model to sort AVC messages by source context's user, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_source_user(const int direction); + +/** + * Instruct a model to sort AVC messages by source context's role, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_source_role(const int direction); + +/** + * Instruct a model to sort AVC messages by source context's type, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_source_type(const int direction); + +/** + * Instruct a model to sort AVC messages by source context's mls level. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_source_mls_lvl(const int direction); + +/** + * Instruct a model to sort AVC messages by source context's mls clearance. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_source_mls_clr(const int direction); + +/** + * Instruct a model to sort AVC messages by target context's user, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_target_user(const int direction); + +/** + * Instruct a model to sort AVC messages by target context's role, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_target_role(const int direction); + +/** + * Instruct a model to sort AVC messages by target context's type, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_target_type(const int direction); + +/** + * Instruct a model to sort AVC messages by target context's mls level. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_target_mls_lvl(const int direction); + +/** + * Instruct a model to sort AVC messages by target context's mls clearance. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_target_mls_clr(const int direction); + +/** + * Instruct a model to sort AVC messages by object class, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_object_class(const int direction); + +/** + * Instruct a model to sort AVC messages by the executable, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_executable(const int direction); + +/** + * Instruct a model to sort AVC messages by the command, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_command(const int direction); + +/** + * Instruct a model to sort AVC messages by the name, alphabetically. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_name(const int direction); + +/** + * Instruct a model to sort AVC messages by the path, alphabetically. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_path(const int direction); + +/** + * Instruct a model to sort AVC messages by the device, alphabetically. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_device(const int direction); + +/** + * Instruct a model to sort AVC messages by the object's inode. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_inode(const int direction); + +/** + * Instruct a model to sort AVC messages by the process ID. Non-AVC + * messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_pid(const int direction); + +/** + * Instruct a model to sort AVC messages by the port number. Non-AVC + * messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_port(const int direction); + +/** + * Instruct a model to sort AVC messages by local address, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_laddr(const int direction); + +/** + * Instruct a model to sort AVC messages by the local port number. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_lport(const int direction); + +/** + * Instruct a model to sort AVC messages by foreign address, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_faddr(const int direction); + +/** + * Instruct a model to sort AVC messages by the foreign port number. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_fport(const int direction); + +/** + * Instruct a model to sort AVC messages by source address, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_saddr(const int direction); + +/** + * Instruct a model to sort AVC messages by the source port number. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_sport(const int direction); + +/** + * Instruct a model to sort AVC messages by destination address, + * alphabetically. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_daddr(const int direction); + +/** + * Instruct a model to sort AVC messages by the destination port + * number. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_dport(const int direction); + +/** + * Instruct a model to sort AVC messages by the IPC call's key. + * Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_key(const int direction); + +/** + * Instruct a model to sort AVC messages by the process capability + * value. Non-AVC messages will be placed below AVC ones. + * + * @param direction Direction to sort. Non-negative for ascending, + * negative for descending. + * + * @return Sort object for this criterion, or NULL upon error. The + * caller is responsible for calling seaudit_sort_destroy() + * afterwards. + */ + extern seaudit_sort_t *seaudit_sort_by_cap(const int direction); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/libseaudit/include/seaudit/util.h b/libseaudit/include/seaudit/util.h new file mode 100644 index 0000000..dd0c031 --- /dev/null +++ b/libseaudit/include/seaudit/util.h @@ -0,0 +1,44 @@ +/** + * @file + * Miscellaneous, uncategorized functions for libseaudit. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * + * Copyright (C) 2003-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_UTIL_H +#define SEAUDIT_UTIL_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +/** + * Return an immutable string describing this library's version. + * + * @return String describing this library. + */ + extern const char *libseaudit_get_version(void); + +#ifdef __cplusplus +} +#endif + +#endif |