diff options
Diffstat (limited to 'libseaudit/src/seaudit_internal.h')
-rw-r--r-- | libseaudit/src/seaudit_internal.h | 664 |
1 files changed, 664 insertions, 0 deletions
diff --git a/libseaudit/src/seaudit_internal.h b/libseaudit/src/seaudit_internal.h new file mode 100644 index 0000000..272dfbd --- /dev/null +++ b/libseaudit/src/seaudit_internal.h @@ -0,0 +1,664 @@ +/** + * @file + * Protected interface seaudit library. + * + * @author Jeremy A. Mowery jmowery@tresys.com + * @author Jason Tang jtang@tresys.com + * @author Jeremy Solt jsolt@tresys.com + * + * Copyright (C) 2006-2007 Tresys Technology, LLC + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef SEAUDIT_SEAUDIT_INTERNAL_H +#define SEAUDIT_SEAUDIT_INTERNAL_H + +#include <config.h> + +#include <seaudit/avc_message.h> +#include <seaudit/bool_message.h> +#include <seaudit/filter.h> +#include <seaudit/load_message.h> +#include <seaudit/log.h> +#include <seaudit/message.h> +#include <seaudit/model.h> +#include <seaudit/sort.h> + +#include <apol/bst.h> +#include <apol/vector.h> + +#include <libxml/uri.h> + +#define FILTER_FILE_FORMAT_VERSION "1.3" + +/*************** master seaudit log object (defined in log.c) ***************/ + +struct seaudit_log +{ + /** vector of seaudit_message_t pointers */ + apol_vector_t *messages; + /** vector of strings, corresponding to log messages that did + * not parse cleanly */ + apol_vector_t *malformed_msgs; + /** vector of seaudit_model_t that are watching this log */ + apol_vector_t *models; + apol_bst_t *types, *classes, *roles, *users; + apol_bst_t *perms, *hosts, *bools, *managers; + apol_bst_t *mls_lvl, *mls_clr; + seaudit_log_type_e logtype; + seaudit_handle_fn_t fn; + void *handle_arg; + /** non-zero if tzset() has been called */ + int tz_initialized; + /** non-zero if the parser is in the middle of a line */ + int next_line; +}; + +/** + * Notify a log that model is now watching it. + * + * @param log Log to append model. + * @param model Model that is watching. + * + * @return 0 on success, < 0 on error. + */ +int log_append_model(seaudit_log_t * log, seaudit_model_t * model); + +/** + * Notify a log that model is no longer watching it. + * + * @param log Log to append model. + * @param model Model that stopped watching. + */ +void log_remove_model(seaudit_log_t * log, seaudit_model_t * model); + +/** + * Get a vector of all messages from this seaudit log object. + * + * @param log Log object containing messages. + * + * @return Vector of seaudit_message_t pointers. Do not free() or + * otherwise modify this vector or its contents. + */ +const apol_vector_t *log_get_messages(const seaudit_log_t * log); + +/** + * Get a vector of all malformed messages from this seaudit log + * object. These are SELinux messages that did not parse cleanly for + * some reason. They will be returned in the same order in which they + * were read from the log file. + * + * @param log Log object containing malformed messages. + * + * @return Vector of strings. Do not free() or otherwise modify this + * vector or its contents. + */ +const apol_vector_t *log_get_malformed_messages(const seaudit_log_t * log); + +/*************** messages (defined in message.c) ***************/ + +struct seaudit_message +{ + /** when this message was generated */ + struct tm *date_stamp; + /** pointer into log->hosts for the hostname that generated + * this message, or NULL if none found */ + char *host; + /** pointer intor log->managers for the object manager that + * generated this message, or NULL if none found */ + char *manager; + /** type of message this really is */ + seaudit_message_type_e type; + /** fake polymorphism by having a union of possible subclasses */ + union + { + seaudit_avc_message_t *avc; + seaudit_bool_message_t *boolm; + seaudit_load_message_t *load; + } data; +}; + +/** + * Allocate a new seaudit message, append the message to the log, and + * return the message. + * + * @param log Log to which append the message. + * @param type Message type for the newly constructed message. + * + * @return A newly allocated message. The caller must not free the + * value. + */ +seaudit_message_t *message_create(seaudit_log_t * log, seaudit_message_type_e type); + +/** + * Deallocate all space associated with a message, recursing into the + * message's data field. + * + * @param msg If not NULL, message to free. + */ +void message_free(void *msg); + +/*************** avc messages (defined in avc_message.c) ***************/ + +typedef enum seaudit_avc_message_class +{ + SEAUDIT_AVC_DATA_INVALID = 0, + SEAUDIT_AVC_DATA_MALFORMED, + SEAUDIT_AVC_DATA_IPC, + SEAUDIT_AVC_DATA_CAP, /* capability */ + SEAUDIT_AVC_DATA_FS, + SEAUDIT_AVC_DATA_NET, +} seaudit_avc_message_class_e; + +/** + * Definition of an avc message. Note that unless stated otherwise, + * character pointers are into the message's log's respective BST. + */ +struct seaudit_avc_message +{ + seaudit_avc_message_type_e msg; + /** type of avc message this is, either a deny or a granted + * (i.e., auditallow) */ + seaudit_avc_message_class_e avc_type; + /** executable and path - free() this */ + char *exe; + /** command - free() this */ + char *comm; + /** path of the OBJECT - free() this */ + char *path; + /** device for the object - free() this */ + char *dev; + /** network interface - free() this */ + char *netif; + /** local address - free() this */ + char *laddr; + /** foreign address - free() this */ + char *faddr; + /** source address - free() this */ + char *saddr; + /** destination address - free() this */ + char *daddr; + /** free() this */ + char *name; + /** free() this */ + char *ipaddr; + /** source context's user */ + char *suser; + /** source context's role */ + char *srole; + /** source context's type */ + char *stype; + /** source context's mls level */ + char *smls_lvl; + /** source context's mls clearance */ + char *smls_clr; + /** target context's user */ + char *tuser; + /** target context's role */ + char *trole; + /** target context's type */ + char *ttype; + /** target context's mls level */ + char *tmls_lvl; + /** target context's mls clearance */ + char *tmls_clr; + /** target class */ + char *tclass; + /** audit header timestamp (seconds) */ + time_t tm_stmp_sec; + /** audit header timestamp (nanoseconds) */ + long tm_stmp_nano; + /** audit header serial number */ + unsigned int serial; + /** pointers into log->perms BST (hence char *) */ + apol_vector_t *perms; + /** key for an IPC call */ + int key; + int is_key; + /** process capability (corresponds with class 'capability') */ + int capability; + int is_capability; + /** inode of the object */ + unsigned long inode; + int is_inode; + /** source port */ + int source; + /** destination port */ + int dest; + /** local port */ + int lport; + /** foreign port */ + int fport; + int port; + /** source sid */ + unsigned int src_sid; + int is_src_sid; + /** target sid */ + unsigned int tgt_sid; + int is_tgt_sid; + /** process ID of the subject */ + unsigned int pid; + int is_pid; +}; + +/** + * Allocate and return a new seaudit AVC message. + * + * @return A newly allocated AVC message. The caller must not call + * avc_message_free() upon the returned value afterwards. + */ +seaudit_avc_message_t *avc_message_create(void); + +/** + * Deallocate all space associated with an AVC message. + * + * @param msg If not NULL, message to free. + */ +void avc_message_free(seaudit_avc_message_t * avc); + +/** + * Given an avc message, allocate and return a string that + * approximates the message as it had appeared within the log file. + * + * @param msg Message whose string representation to get. + * @param date Date and time when message was generated. + * + * @return String representation for message, or NULL upon error. The + * caller is responsible for free()ing the string afterwards. + */ +char *avc_message_to_string(const seaudit_message_t * msg, const char *date); + +/** + * Given an avc change message, allocate and return a string, + * formatted in HTML, that approximates the message as it had appeared + * within the log file. + * + * @param msg Message whose string representation to get. + * @param date Date and time when message was generated. + * + * @return String representation for message, or NULL upon error. The + * caller is responsible for free()ing the string afterwards. + */ +char *avc_message_to_string_html(const seaudit_message_t * msg, const char *date); + +/** + * Given an avc change message, allocate and return a string that + * gives miscellaneous info (e.g., ports, IP addresses). + * + * @param avc Message from which to get miscellaneous information. + * + * @return Miscellaneous message string representation, or NULL upon + * error. The caller is responsible for free()ing the string + * afterwards. + */ +char *avc_message_to_misc_string(const seaudit_avc_message_t * avc); + +/*************** bool messages (defined in bool_message.c) ***************/ + +typedef struct seaudit_bool_message_change +{ + /** pointer into log's bools BST */ + char *boolean; + /** new value for the boolean */ + int value; +} seaudit_bool_message_change_t; + +struct seaudit_bool_message +{ + /** vector of seaudit_bool_change_t pointers; vector owns objects. */ + apol_vector_t *changes; +}; + +/** + * Allocate and return a new seaudit boolean change message. + * + * @return A newly allocated boolean change message. The caller must + * not call bool_message_free() upon the returned value afterwards. + */ +seaudit_bool_message_t *bool_message_create(void); + +/** + * Append a boolean change to a particular boolean message. This will + * add the boolean name to the log's BST as needed. + * + * @param log Log containing boolean name BST. + * @param bool Boolean message to change. + * @param name Name of the boolean that was changed. This function + * will dup the incoming name. + * @param value New value for the boolean. + * + * @return 0 on success, < 0 on error. + */ +int bool_change_append(seaudit_log_t * log, seaudit_bool_message_t * boolm, const char *name, int value); + +/** + * Deallocate all space associated with a boolean change message. + * + * @param msg If not NULL, message to free. + */ +void bool_message_free(seaudit_bool_message_t * boolm); + +/** + * Given a boolean change message, allocate and return a string that + * approximates the message as it had appeared within the log file. + * + * @param msg Message whose string representation to get. + * @param date Date and time when message was generated. + * + * @return String representation for message, or NULL upon error. The + * caller is responsible for free()ing the string afterwards. + */ +char *bool_message_to_string(const seaudit_message_t * msg, const char *date); + +/** + * Given a boolean change message, allocate and return a string, + * formatted in HTML, that approximates the message as it had appeared + * within the log file. + * + * @param msg Message whose string representation to get. + * @param date Date and time when message was generated. + * + * @return String representation for message, or NULL upon error. The + * caller is responsible for free()ing the string afterwards. + */ +char *bool_message_to_string_html(const seaudit_message_t * msg, const char *date); + +/** + * Given a boolean change message, allocate and return a string that + * gives miscellaneous info (i.e., list of boolean names and their new + * values.) + * + * @param bool Message from which to get miscellaneous information. + * + * @return Miscellaneous message string representation, or NULL upon + * error. The caller is responsible for free()ing the string + * afterwards. + */ +char *bool_message_to_misc_string(const seaudit_bool_message_t * boolm); + +/*************** load messages (defined in load_message.c) ***************/ + +struct seaudit_load_message +{ + unsigned int users; /* number of users */ + unsigned int roles; /* number of roles */ + unsigned int types; /* number of types */ + unsigned int classes; /* number of classes */ + unsigned int rules; /* number of rules */ + unsigned int bools; /* number of bools */ + char *binary; /* path for binary that was loaded */ +}; + +/** + * Allocate and return a new seaudit policy load message. + * + * @return A newly allocated policy load message. The caller must + * not call load_message_free() upon the returned value afterwards. + */ +seaudit_load_message_t *load_message_create(void); + +/** + * Deallocate all space associated with a policy load message. + * + * @param msg If not NULL, message to free. + */ +void load_message_free(seaudit_load_message_t * msg); + +/** + * Given a load message, allocate and return a string that + * approximates the message as it had appeared within the log file. + * + * @param msg Message whose string representation to get. + * @param date Date and time when message was generated. + * + * @return String representation for message, or NULL upon error. The + * caller is responsible for free()ing the string afterwards. + */ +char *load_message_to_string(const seaudit_message_t * msg, const char *date); + +/** + * Given a load message, allocate and return a string, formatted in + * HTML, that approximates the message as it had appeared within the + * log file. + * + * @param msg Message whose string representation to get. + * @param date Date and time when message was generated. + * + * @return String representation for message, or NULL upon error. The + * caller is responsible for free()ing the string afterwards. + */ +char *load_message_to_string_html(const seaudit_message_t * msg, const char *date); + +/** + * Given a load message, allocate and return a string that gives + * miscellaneous info (e.g., number of types in the new policy). + * + * @param load Message from which to get miscellaneous information. + * + * @return Miscellaneous message string representation, or NULL upon + * error. The caller is responsible for free()ing the string + * afterwards. + */ +char *load_message_to_misc_string(const seaudit_load_message_t * load); + +/*************** model functions (defined in model.h) ***************/ + +/** + * Notify a model to stop watching a log. + * + * @param model Model to notify. + * @param log Log to stop watching. + */ +void model_remove_log(seaudit_model_t * model, seaudit_log_t * log); + +/** + * Notify a model that a log has been changed; the model will need to + * recalculate its messages. + * + * @param model Model to notify. + * @param log Log that has been changed. + */ +void model_notify_log_changed(seaudit_model_t * model, seaudit_log_t * log); + +/** + * Notify a model that a filter has been changed; the model will need + * to recalculate its messages. + * + * @param model Model to notify. + * @param filter Filter that has been changed. + */ +void model_notify_filter_changed(seaudit_model_t * model, seaudit_filter_t * filter); + +/*************** filter functions (defined in filter.c) ***************/ + +/** + * Link a model to a filter. Whenever the filter changes, it should + * call model_notify_filter_changed(); that way the model will + * recalculate itself. + * + * @param filter Filter to be watched. + * @param model Model that is watching. + */ +void filter_set_model(seaudit_filter_t * filter, seaudit_model_t * model); + +/********** more filter functions (defined in filter-internal.c) **********/ + +typedef int (filter_read_func) (seaudit_filter_t * filter, const xmlChar * ch); + +struct filter_parse_state +{ + /** vector of filters created, appended to by <filter> tags; + caller must destroy this */ + apol_vector_t *filters; + /** string from name attribute in a <view> tag; caller must free() + this */ + char *view_name; + /** value from match attribute in a <view> tag */ + seaudit_filter_match_e view_match; + /** value form show attribute in a <view> tag */ + seaudit_filter_visible_e view_visible; + + /**** + The following are to be considered private data and may only + be used by filter-internal.c. + ****/ + /** the most recently read string that was not part of a tag */ + xmlChar *cur_string; + int warnings; + /** filter currently being parsed, set by most recent <filter> tag */ + seaudit_filter_t *cur_filter; + /** pointer to a filter parsing function, set by <criteria> tag */ + filter_read_func *cur_filter_read; +}; + +/** + * Given a filter and a message, return non-zero if the msg is + * accepted by the filter according to the filter's criteria. If the + * filter does not have enough information to decide (because the + * message is incomplete) then this should return 0. + * + * @param filter Filter to apply. + * @param msg Message to check. + * + * @return Non-zero if message is accepted, 0 if not. + */ +int filter_is_accepted(const seaudit_filter_t * filter, const seaudit_message_t * msg); + +/** + * Parse the given XML file and fill in the passed in struct. The + * caller must create the struct and the vector within. Upon return, + * the caller must destroy the vector and free view_name. + * + * @param state An initialized state struct for parsing. + * @param filename Name of XML file to parse. + * + * @return 0 on success, > 0 if parse warnings, < 0 on error. + */ +int filter_parse_xml(struct filter_parse_state *state, const char *filename); + +/** + * Append the given filter's values, in XML format, to a file handler. + * This includes the filter's name and criteria. + * + * @param filter Filter to save. + * @param file File to which write. + * + * @see seaudit_filter_create_from_file() + */ +void filter_append_to_file(const seaudit_filter_t * filter, FILE * file, int tabs); + +/*************** sort functions (defined in sort.c) ***************/ + +/** + * Create and return a new sort object, initialized with the data from + * an existing sort object. The new sort object will not be attached + * to any models. + * + * @param sort Sort object to clone. + * + * @return A cloned sort object, or NULL upon error. The caller is + * responsible for calling seaudit_sort_destroy() afterwards. + */ +seaudit_sort_t *sort_create_from_sort(const seaudit_sort_t * sort); + +/** + * Create and return a new sort object based upon the name of the sort + * (as returned by sort_get_name()). The new sort object will not be + * attached to any models. + * + * @param name Name of the type of sort to create. + * @param direction Direction to sort, non-negative for ascending, + * negative for descending. + * + * @return A new sort object, or NULL upon error. The caller is + * responsible for calling seaudit_sort_destroy() afterwards. + */ +seaudit_sort_t *sort_create_from_name(const char *name, int direction); + +/** + * Given a sort object and a message, return non-zero if this sort + * object could operate on the message, 0 if not. (Messages may have + * incomplete information due to parser warnings.) + * + * @param sort Sort object to query. + * @param msg Message to check. + * + * @return Non-zero if sort supports the message, 0 if not. + */ +int sort_is_supported(const seaudit_sort_t * sort, const seaudit_message_t * msg); + +/** + * Invoke a sort object's comparison function. + * + * @param sort Sort object that contains a comparator. + * @param m1 First message to compare. + * @param m2 Second message to compare. + * + * @return 0 if the messages are equivalent, < 0 if a is first, > 0 if + * b is first. + */ +int sort_comp(const seaudit_sort_t * sort, const seaudit_message_t * a, const seaudit_message_t * b); + +/** + * Return the type of sort this sort object is. The name is valid for + * sort_create_from_name()'s first parameter. + * + * @param sort Sort object to query. + * + * @return Type of sort this object is. + */ +const char *sort_get_name(const seaudit_sort_t * sort); + +/** + * Return the sort direction for a sort object. + * + * @param sort Sort object to query. + * + * @return Non-negative for ascending, negative for descending. + */ +int sort_get_direction(const seaudit_sort_t * sort); + +/*************** error handling code (defined in log.c) ***************/ + +#define SEAUDIT_MSG_ERR 1 +#define SEAUDIT_MSG_WARN 2 +#define SEAUDIT_MSG_INFO 3 + +/** + * Write a message to the callback stored within a seaudit_log_t + * handler. If the msg_callback field is empty then suppress the + * message. + * + * @param log Error reporting handler. If NULL then write message to + * stderr. + * @param level Severity of message, one of SEAUDIT_MSG_ERR, + * SEAUDIT_MSG_WARN, or SEAUDIT_MSG_INFO. + * @param fmt Format string to print, using syntax of printf(3). + */ +extern void seaudit_handle_msg(const seaudit_log_t * log, int level, const char *fmt, ...); + +__attribute__ ((format(printf, 3, 4))) +extern void seaudit_handle_msg(const seaudit_log_t * log, int level, const char *fmt, ...); + +#undef ERR +#undef WARN +#undef INFO + +#define ERR(handle, format, ...) seaudit_handle_msg(handle, SEAUDIT_MSG_ERR, format, __VA_ARGS__) +#define WARN(handle, format, ...) seaudit_handle_msg(handle, SEAUDIT_MSG_WARN, format, __VA_ARGS__) +#define INFO(handle, format, ...) seaudit_handle_msg(handle, SEAUDIT_MSG_INFO, format, __VA_ARGS__) + +#endif |