File: aalogparse.h

/*
 * Copyright (c) 1999-2008 NOVELL (All rights reserved)
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of version 2.1 of the GNU Lesser General
 * Public License published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */


#ifndef __LIBAALOGPARSE_H_
#define __LIBAALOGPARSE_H_

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Access-mode bit flags.  Each is a distinct power of two so that several
 * can be OR-ed into one integer; aa_log_record.bitmask below is described
 * as holding "r" "w" "x" etc., so these are presumably the bits it carries
 * (confirm against parse_record()'s implementation).  They are kept as
 * macros rather than an enum so they stay usable in #if preprocessor tests.
 */
#define AA_RECORD_EXEC_MMAP	1
#define AA_RECORD_READ		2
#define AA_RECORD_WRITE		4
#define AA_RECORD_EXEC		8
#define AA_RECORD_LINK		16

/**
 * Syntax version of the log line a record was parsed from.
 *
 * The enumerators carry explicit values so the ABI values are visible at
 * a glance.  AA_RECORD_SYNTAX_V1 is 0, which is also what a zero-filled
 * (calloc'd / memset) aa_log_record reports before parse_record() has set
 * the field.  Support for parsing V1 was removed in 2011 and the
 * enumerator survives only for API compatibility, so a record still
 * reporting V1 has most likely simply not been populated.
 */
typedef enum
{
	AA_RECORD_SYNTAX_V1 = 0,
	AA_RECORD_SYNTAX_V2 = 1,
	AA_RECORD_SYNTAX_UNKNOWN = 2
} aa_record_syntax_version;

/**
 * Classification of a parsed log record.
 *
 * AA_RECORD_INVALID is 0, so a zero-filled record reads as invalid until
 * parse_record() classifies it; callers should not act on the remaining
 * fields of a record whose event is INVALID or ERROR.
 */
typedef enum
{
	AA_RECORD_INVALID = 0,	/* default / not yet classified */
	AA_RECORD_ERROR   = 1,	/* internal AppArmor error */
	AA_RECORD_AUDIT   = 2,	/* explicitly audited event */
	AA_RECORD_ALLOWED = 3,	/* complain-mode event */
	AA_RECORD_DENIED  = 4,	/* access was refused */
	AA_RECORD_HINT    = 5,	/* process-tracking information */
	AA_RECORD_STATUS  = 6	/* profile / configuration change */
} aa_record_event_type;

/*
 * Backward-compatible field names for aa_log_record.
 *
 * The struct members are called rule_class and aa_namespace because
 * "class" and "namespace" are C++ keywords and this header is consumed
 * from both languages.  Older C callers used the keyword spellings, so in
 * plain C the two macros below map them onto the current member names.
 *
 * Things a caller should know:
 *  - the macros are never #undef'd here, so every later token `class` or
 *    `namespace` in the translation unit -- including in headers included
 *    after this one -- is rewritten.  Include aalogparse.h last, or #undef
 *    both names after including it, if that would collide with your code.
 *  - nothing is defined while SWIG processes the header; the old names are
 *    presumably preserved for bindings via SWIG's %rename in the interface
 *    file (not visible here).
 *  - SWIG and __cplusplus defined together is rejected outright.
 *
 * TODO: document this in a man page for aalogparse?
 */
#if defined(SWIG)
# if defined(__cplusplus)
#  error "SWIG and __cplusplus are defined together"
# endif
#elif !defined(__cplusplus)
# define class rule_class
# define namespace aa_namespace
#endif

/**
 * One parsed AppArmor log record, as returned by parse_record().
 *
 * Ownership: the struct and the strings its char * members point to are
 * allocated by parse_record() and must be released together with
 * free_record(); do not free() individual members or the struct itself.
 *
 * Presence: most members are optional on the wire.  The integer members
 * marked "if logged" are only meaningful when the field was present; for
 * the char * members the natural convention is NULL when the field was
 * absent from the log line -- NOTE(review): that is an inference from this
 * header, confirm against parse_record() before relying on it, and
 * NULL-check a string member before handing it to strlen()/"%s"-style
 * consumers.
 *
 * Trust: the strings are produced from log text that describes, and is
 * partly chosen by, the process being confined (command name, path names,
 * peer names, D-Bus members, ...).  Treat them as untrusted bytes: never
 * use one as a printf format string or an unquoted shell argument, and
 * escape them before emitting to HTML or a terminal.
 *
 * Field names: "class" and "namespace" are C++ keywords, so the members
 * are spelled rule_class and aa_namespace; plain-C callers may keep using
 * the old spellings through the compatibility macros defined above.
 */
typedef struct aa_log_record
{
	aa_record_syntax_version version;	/* syntax of the source log line */
	aa_record_event_type event;	/* Event type; INVALID until classified */
	unsigned long pid;		/* PID of the program logging the message */
	unsigned long peer_pid;		/* PID of the other party, presumably for two-task events (signal, ptrace) */
	unsigned long task;		/* task id from the log; semantics not documented here */
	unsigned long magic_token;	/* token value from the log; presumably change_hat related -- confirm */
	long epoch;			/* seconds part of the audit id; example: 12345679 */
	unsigned int audit_sub_id;	/* serial part after ':' in the audit id; example: 12 */

	int bitmask;			/* Bitmask containing "r" "w" "x" etc (see AA_RECORD_* above) */
	char *audit_id;			/* full audit id text; example: 12345679.1234:12 */
	char *operation;		/* "Exec" "Ptrace", etc. */
	char *denied_mask;		/* access the policy refused: "r", "w", etc. */
	char *requested_mask;		/* access the task asked for, same notation */
	unsigned long fsuid;		/* fsuid of task - if logged */
	unsigned long ouid;		/* ouid of task - if logged */
	char *profile;			/* The name of the profile */
	char *peer_profile;		/* profile of the other party, if logged */
	char *comm;			/* Command that triggered msg (untrusted: chosen by the process) */
	char *name;			/* primary object of the event, typically a path */
	char *name2;			/* second object for two-object operations, if logged */
	char *aa_namespace;		/* policy namespace; "namespace" via the compat macro in C */
	char *attribute;		/* attribute named by the event, if logged */
	unsigned long parent;		/* presumably the parent PID, if logged -- confirm */
	char *info;			/* free-text diagnostic from the kernel, if logged */
	char *peer_info;		/* same, for the peer side */
	int error_code;			/* error_code returned if logged */
	char *active_hat;		/* hat the task was in, if logged */
	char *net_family;		/* network events: address family as text */
	char *net_protocol;		/* network events: protocol as text */
	char *net_sock_type;		/* network events: socket type as text */
	char *net_local_addr;		/* network events: local address as text */
	unsigned long net_local_port;	/* network events: local port */
	char *net_foreign_addr;		/* network events: remote address as text */
	unsigned long net_foreign_port;	/* network events: remote port */

	char *dbus_bus;			/* D-Bus events: bus name */
	char *dbus_path;		/* D-Bus events: object path */
	char *dbus_interface;		/* D-Bus events: interface */
	char *dbus_member;		/* D-Bus events: member */
	char *signal;			/* signal name */
	char *peer;			/* peer label for events involving another task */

	/* mount et al specific bits */
	char *fs_type;			/* filesystem type */
	char *flags;			/* mount flags as logged */
	char *src_name;			/* mount source */

	char *rule_class;		/* rule class; "class" via the compat macro in C */

	char *net_addr;			/* address text for newer network log formats */
	char *peer_addr;		/* peer address text */
	char *execpath;			/* path of the executable, if logged */
} aa_log_record;

/**
 * Parse a single log line into a freshly allocated aa_log_record.
 *
 * @param[in] str  NUL-terminated text of one log record; not modified.
 *                 Log lines are partly attacker-influenced (process names,
 *                 paths, ...), so the string members of the result must be
 *                 handled as untrusted data by the caller.
 * @return Newly allocated record owned by the caller, who must release it
 *         with free_record() -- never with plain free(), which would leak
 *         the string members.  NOTE(review): whether malformed input yields
 *         NULL or a record whose event is AA_RECORD_INVALID/AA_RECORD_ERROR,
 *         and what happens on allocation failure, is not visible from this
 *         header -- confirm in the implementation and check the return for
 *         NULL regardless.
 */
aa_log_record *
parse_record(const char *str);

/**
 * Release a record obtained from parse_record(), including every string
 * member it owns.  Only pass records that came from parse_record(): the
 * members are freed individually, so a struct populated by hand with
 * non-heap strings would be freed incorrectly.  Whether NULL is accepted
 * is not specified here -- NOTE(review): confirm in the implementation
 * before calling it on an unchecked parse_record() result.  The pointer
 * is dangling afterwards; clear it in the caller.
 * @param[in] record  Record to free.
 */
void
free_record(aa_log_record *record);

#ifdef __cplusplus
}
#endif

#endif