author | Richard Guy Briggs <rgb@redhat.com> | 2019-01-31 11:52:11 -0500 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2019-01-31 23:00:15 -0500 |
commit | 90462a5bd30c6ed91c6758e59537d047d7878ff9 (patch) | |
tree | 19dac5d6a368d626695ee639c29a2ac18490043e | |
parent | 57d4657716aca81ef4d7ec23e8123d26e3d28954 (diff) |
audit: remove unused actx param from audit_rule_match
The audit_rule_match() struct audit_context *actx parameter is not used
by any in-tree consumers (selinux, apparmour, integrity, smack).
The audit context is an internal audit structure that should only be
accessed by audit accessor functions.
It was part of commit 03d37d25e0f9 ("LSM/Audit: Introduce generic
Audit LSM hooks") but appears to have never been used.
Remove it.
Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/107
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: fixed the referenced commit title]
Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r-- | include/linux/lsm_hooks.h | 4 | ||||
-rw-r--r-- | include/linux/security.h | 5 | ||||
-rw-r--r-- | kernel/auditfilter.c | 2 | ||||
-rw-r--r-- | kernel/auditsc.c | 21 | ||||
-rw-r--r-- | security/apparmor/audit.c | 3 | ||||
-rw-r--r-- | security/apparmor/include/audit.h | 3 | ||||
-rw-r--r-- | security/integrity/ima/ima.h | 3 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 6 | ||||
-rw-r--r-- | security/security.c | 6 | ||||
-rw-r--r-- | security/selinux/include/audit.h | 4 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 3 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 4 |
12 files changed, 26 insertions, 38 deletions
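--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1344,7 +1344,6 @@
 * @field contains the field which relates to current LSM.
 * @op contains the operator that will be used for matching.
 * @rule points to the audit rule that will be checked against.
-* @actx points to the audit context associated with the check.
 * Return 1 if secid matches the rule, 0 if it does not, -ERRNO on failure.
 *
 * @audit_rule_free:
@@ -1764,8 +1763,7 @@ union security_list_options {
 int (*audit_rule_init)(u32 field, u32 op, char *rulestr,
 void **lsmrule);
 int (*audit_rule_known)(struct audit_krule *krule);
-int (*audit_rule_match)(u32 secid, u32 field, u32 op, void *lsmrule,
-struct audit_context *actx);
+int (*audit_rule_match)(u32 secid, u32 field, u32 op, void *lsmrule);
 void (*audit_rule_free)(void *lsmrule);
 #endif /* CONFIG_AUDIT */
 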
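--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1674,8 +1674,7 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
 #ifdef CONFIG_SECURITY
 int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
 int security_audit_rule_known(struct audit_krule *krule);
-int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
-struct audit_context *actx);
+int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
 void security_audit_rule_free(void *lsmrule);
 
 #else
@@ -1692,7 +1691,7 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
 }
 
 static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
-void *lsmrule, struct audit_context *actx)
+void *lsmrule)
 {
 return 0;
 }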
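--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1355,7 +1355,7 @@ int audit_filter(int msgtype, unsigned int listtype)
 if (f->lsm_rule) {
 security_task_getsecid(current, &sid);
 result = security_audit_rule_match(sid,
-f->type, f->op, f->lsm_rule, NULL);
+f->type, f->op, f->lsm_rule);
 }
 break;
 case AUDIT_EXE: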
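--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -631,9 +631,8 @@ static int audit_filter_rules(struct task_struct *tsk,
 need_sid = 0;
 }
 result = security_audit_rule_match(sid, f->type,
 f->op,
-f->lsm_rule,
-ctx);
+f->lsm_rule);
 }
 break;
 case AUDIT_OBJ_USER:
@@ -647,13 +646,17 @@ static int audit_filter_rules(struct task_struct *tsk,
 /* Find files that match */
 if (name) {
 result = security_audit_rule_match(
-name->osid, f->type, f->op,
-f->lsm_rule, ctx);
+name->osid,
+f->type,
+f->op,
+f->lsm_rule);
 } else if (ctx) {
 list_for_each_entry(n, &ctx->names_list, list) {
-if (security_audit_rule_match(n->osid, f->type,
-f->op, f->lsm_rule,
-ctx)) {
+if (security_audit_rule_match(
+n->osid,
+f->type,
+f->op,
+f->lsm_rule)) {
 ++result;
 break;
 }
@@ -664,7 +667,7 @@ static int audit_filter_rules(struct task_struct *tsk,
 break;
 if (security_audit_rule_match(ctx->ipc.osid,
 f->type, f->op,
-f->lsm_rule, ctx))
+f->lsm_rule))
 ++result;
 }
 break;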
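Review bot: The two rewritten calls in the second hunk (new lines 648-652 and 655-659) spread four short arguments over five lines each, while the neighbouring calls in the first and third hunks (new lines 633-635 and 668-670) keep two or three arguments per line; with the parameter count now reduced, the one-argument-per-line layout reads as leftover from the removal rather than a deliberate style. The file-name call would fit the surrounding convention as `result = security_audit_rule_match(name->osid, f->type,` / `f->op, f->lsm_rule);`, and the names_list call likewise. audit_filter_rules itself begins and ends outside these hunks.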
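--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -225,8 +225,7 @@ int aa_audit_rule_known(struct audit_krule *rule)
 return 0;
 }
 
-int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
-struct audit_context *actx)
+int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule)
 {
 struct aa_audit_rule *rule = vrule;
 struct aa_label *label;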
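--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -192,7 +192,6 @@ static inline int complain_error(int error)
 void aa_audit_rule_free(void *vrule);
 int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
 int aa_audit_rule_known(struct audit_krule *rule);
-int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
-struct audit_context *actx);
+int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);
 
 #endif /* __AA_AUDIT_H */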
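--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -307,8 +307,7 @@ static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
 }
 
 static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
-void *lsmrule,
-struct audit_context *actx)
+void *lsmrule)
 {
 return -EINVAL;
 }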
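--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -340,8 +340,7 @@ retry:
 rc = security_filter_rule_match(osid,
 rule->lsm[i].type,
 Audit_equal,
-rule->lsm[i].rule,
-NULL);
+rule->lsm[i].rule);
 break;
 case LSM_SUBJ_USER:
 case LSM_SUBJ_ROLE:
@@ -349,8 +348,7 @@ retry:
 rc = security_filter_rule_match(secid,
 rule->lsm[i].type,
 Audit_equal,
-rule->lsm[i].rule);
-NULL);
+rule->lsm[i].rule);
 default:
 break;
 }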
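Review bot: In the second hunk the LSM_SUBJ_* call that now ends at new line 351 runs straight into `default:` with no `break;` of its own, unlike the LSM_OBJ_* case in the first hunk, which ends with `break;` at line 344. The fallthrough is harmless today because `default:` only breaks, but it is implicit, asymmetric with the sibling case, and will trip -Wimplicit-fallthrough; since the commit already rewrites the tail of this call, adding `break;` after `rule->lsm[i].rule);` would settle it. The enclosing switch and the `retry:` loop begin outside the hunk.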
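--- a/security/security.c
+++ b/security/security.c
@@ -1783,11 +1783,9 @@ void security_audit_rule_free(void *lsmrule)
 call_void_hook(audit_rule_free, lsmrule);
 }
 
-int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
-struct audit_context *actx)
+int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
 {
-return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule,
-actx);
+return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
 }
 #endif /* CONFIG_AUDIT */
 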
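--- a/security/selinux/include/audit.h
+++ b/security/selinux/include/audit.h
@@ -46,13 +46,11 @@ void selinux_audit_rule_free(void *rule);
 * @field: the field this rule refers to
 * @op: the operater the rule uses
 * @rule: pointer to the audit rule to check against
-* @actx: the audit context (can be NULL) associated with the check
 *
 * Returns 1 if the context id matches the rule, 0 if it does not, and
 * -errno on failure.
 */
-int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule,
-struct audit_context *actx);
+int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule);
 
 /**
 * selinux_audit_rule_known - check to see if rule contains selinux fields.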
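Review bot: The kernel-doc block this hunk edits still carries the misspelling "operater" on the `@op` line (new line 47), which the commit leaves in place while removing the adjacent `@actx` line. Since the block is already being touched, correcting it to `* @op: the operator the rule uses` would keep the documentation for the now four-parameter prototype clean without widening the change.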
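--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -3376,8 +3376,7 @@ int selinux_audit_rule_known(struct audit_krule *rule)
 return 0;
 }
 
-int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
-struct audit_context *actx)
+int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule)
 {
 struct selinux_state *state = &selinux_state;
 struct context *ctxt;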
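--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4393,13 +4393,11 @@ static int smack_audit_rule_known(struct audit_krule *krule)
 * @field: audit rule flags given from user-space
 * @op: required testing operator
 * @vrule: smack internal rule presentation
-* @actx: audit context associated with the check
 *
 * The core Audit hook. It's used to take the decision of
 * whether to audit or not to audit a given object.
 */
-static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule,
-struct audit_context *actx)
+static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule)
 {
 struct smack_known *skp;
 char *rule = vrule;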