| author | Paul Moore <paul.moore@hp.com> | 2006-11-17 17:38:55 -0500 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-03 00:24:15 -0500 |
| commit | de64688ffb952a65ddbc5295ccd235d35f292593 (patch) | |
| tree | f15714858c974bb4b86023d38639a39a539901e2 /net/netlabel | |
| parent | 3de4bab5b9f8848a0c16a4b1ffe0452f0d670237 (diff) | |
NetLabel: honor the audit_enabled flag
The audit_enabled flag is used to signal when syscall auditing is to be
performed. While NetLabel uses a Netlink interface instead of syscalls, it is
reasonable to consider the NetLabel Netlink interface as a form of syscall, so
NetLabel should honor the audit_enabled flag when generating audit messages.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/netlabel')
| -rw-r--r-- | net/netlabel/netlabel_cipso_v4.c | 26 | ||||
| -rw-r--r-- | net/netlabel/netlabel_domainhash.c | 48 | ||||
| -rw-r--r-- | net/netlabel/netlabel_unlabeled.c | 8 | ||||
| -rw-r--r-- | net/netlabel/netlabel_user.c | 7 |
4 files changed, 50 insertions, 39 deletions
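--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -407,12 +407,14 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
 
 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
 &audit_info);
-audit_log_format(audit_buf,
-" cipso_doi=%u cipso_type=%s res=%u",
-doi,
-type_str,
-ret_val == 0 ? 1 : 0);
-audit_log_end(audit_buf);
+if (audit_buf != NULL) {
+audit_log_format(audit_buf,
+" cipso_doi=%u cipso_type=%s res=%u",
+doi,
+type_str,
+ret_val == 0 ? 1 : 0);
+audit_log_end(audit_buf);
+}
 
 return ret_val;
 }
@@ -680,11 +682,13 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
 
 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
 &audit_info);
-audit_log_format(audit_buf,
-" cipso_doi=%u res=%u",
-doi,
-ret_val == 0 ? 1 : 0);
-audit_log_end(audit_buf);
+if (audit_buf != NULL) {
+audit_log_format(audit_buf,
+" cipso_doi=%u res=%u",
+doi,
+ret_val == 0 ? 1 : 0);
+audit_log_end(audit_buf);
+}
 
 return ret_val;
 }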
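Review bot: The new `if (audit_buf != NULL)` guards in netlbl_cipsov4_add and netlbl_cipsov4_remove say nothing about why the buffer can be NULL, and a reader who knows that audit_log_format() and audit_log_end() in kernel/audit.c already return early on a NULL buffer will wonder whether the guard is needed at all. The intent is that the whole record is skipped, so a one-line comment on the first guard records it: `/* NULL when auditing is disabled or no buffer could be allocated; skip the record */`. The same guard pattern is added in netlabel_domainhash.c and netlabel_unlabeled.c and could carry the same comment at its first occurrence. Both functions begin outside their hunks.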
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c index af4371d3b45..f46a0aeec44 100644 --- a/net/netlabel/netlabel_domainhash.c +++ b/net/netlabel/netlabel_domainhash.c | |||
| @@ -202,7 +202,6 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, | |||
| 202 | int ret_val; | 202 | int ret_val; |
| 203 | u32 bkt; | 203 | u32 bkt; |
| 204 | struct audit_buffer *audit_buf; | 204 | struct audit_buffer *audit_buf; |
| 205 | char *audit_domain; | ||
| 206 | 205 | ||
| 207 | switch (entry->type) { | 206 | switch (entry->type) { |
| 208 | case NETLBL_NLTYPE_UNLABELED: | 207 | case NETLBL_NLTYPE_UNLABELED: |
| @@ -243,24 +242,24 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, | |||
| 243 | } else | 242 | } else |
| 244 | ret_val = -EINVAL; | 243 | ret_val = -EINVAL; |
| 245 | 244 | ||
| 246 | if (entry->domain != NULL) | ||
| 247 | audit_domain = entry->domain; | ||
| 248 | else | ||
| 249 | audit_domain = "(default)"; | ||
| 250 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info); | 245 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info); |
| 251 | audit_log_format(audit_buf, " nlbl_domain=%s", audit_domain); | 246 | if (audit_buf != NULL) { |
| 252 | switch (entry->type) { | ||
| 253 | case NETLBL_NLTYPE_UNLABELED: | ||
| 254 | audit_log_format(audit_buf, " nlbl_protocol=unlbl"); | ||
| 255 | break; | ||
| 256 | case NETLBL_NLTYPE_CIPSOV4: | ||
| 257 | audit_log_format(audit_buf, | 247 | audit_log_format(audit_buf, |
| 258 | " nlbl_protocol=cipsov4 cipso_doi=%u", | 248 | " nlbl_domain=%s", |
| 259 | entry->type_def.cipsov4->doi); | 249 | entry->domain ? entry->domain : "(default)"); |
| 260 | break; | 250 | switch (entry->type) { |
| 251 | case NETLBL_NLTYPE_UNLABELED: | ||
| 252 | audit_log_format(audit_buf, " nlbl_protocol=unlbl"); | ||
| 253 | break; | ||
| 254 | case NETLBL_NLTYPE_CIPSOV4: | ||
| 255 | audit_log_format(audit_buf, | ||
| 256 | " nlbl_protocol=cipsov4 cipso_doi=%u", | ||
| 257 | entry->type_def.cipsov4->doi); | ||
| 258 | break; | ||
| 259 | } | ||
| 260 | audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); | ||
| 261 | audit_log_end(audit_buf); | ||
| 261 | } | 262 | } |
| 262 | audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); | ||
| 263 | audit_log_end(audit_buf); | ||
| 264 | 263 | ||
| 265 | rcu_read_unlock(); | 264 | rcu_read_unlock(); |
| 266 | 265 | ||
| @@ -310,7 +309,6 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) | |||
| 310 | int ret_val = -ENOENT; | 309 | int ret_val = -ENOENT; |
| 311 | struct netlbl_dom_map *entry; | 310 | struct netlbl_dom_map *entry; |
| 312 | struct audit_buffer *audit_buf; | 311 | struct audit_buffer *audit_buf; |
| 313 | char *audit_domain; | ||
| 314 | 312 | ||
| 315 | rcu_read_lock(); | 313 | rcu_read_lock(); |
| 316 | if (domain != NULL) | 314 | if (domain != NULL) |
| @@ -348,16 +346,14 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) | |||
| 348 | spin_unlock(&netlbl_domhsh_def_lock); | 346 | spin_unlock(&netlbl_domhsh_def_lock); |
| 349 | } | 347 | } |
| 350 | 348 | ||
| 351 | if (entry->domain != NULL) | ||
| 352 | audit_domain = entry->domain; | ||
| 353 | else | ||
| 354 | audit_domain = "(default)"; | ||
| 355 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); | 349 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); |
| 356 | audit_log_format(audit_buf, | 350 | if (audit_buf != NULL) { |
| 357 | " nlbl_domain=%s res=%u", | 351 | audit_log_format(audit_buf, |
| 358 | audit_domain, | 352 | " nlbl_domain=%s res=%u", |
| 359 | ret_val == 0 ? 1 : 0); | 353 | entry->domain ? entry->domain : "(default)", |
| 360 | audit_log_end(audit_buf); | 354 | ret_val == 0 ? 1 : 0); |
| 355 | audit_log_end(audit_buf); | ||
| 356 | } | ||
| 361 | 357 | ||
| 362 | if (ret_val == 0) | 358 | if (ret_val == 0) |
| 363 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); | 359 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); |
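Review bot: The expression `entry->domain ? entry->domain : "(default)"` is now written out twice, in the netlbl_domhsh_add and netlbl_domhsh_remove audit blocks, with the literal duplicated in each; a small file-scope helper keeps the audit field spelling in one place, e.g. `static const char *netlbl_domhsh_audit_domain(const struct netlbl_dom_map *entry) { return entry->domain ? entry->domain : "(default)"; }`. Separately, the nested `switch (entry->type)` inside the add-path audit block has no default case and must mirror the type switch at the top of netlbl_domhsh_add, so a new label type added to one and not the other would be accepted but never named in the audit record; a comment such as `/* keep in sync with the type switch at the top of this function */` on the inner switch makes that coupling visible. Both functions begin outside the hunks shown.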
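--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -35,6 +35,7 @@
 #include <linux/socket.h>
 #include <linux/string.h>
 #include <linux/skbuff.h>
+#include <linux/audit.h>
 #include <net/sock.h>
 #include <net/netlink.h>
 #include <net/genetlink.h>
@@ -92,8 +93,11 @@ static void netlbl_unlabel_acceptflg_set(u8 value,
 
 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
 audit_info);
-audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val);
-audit_log_end(audit_buf);
+if (audit_buf != NULL) {
+audit_log_format(audit_buf,
+" unlbl_accept=%u old=%u", value, old_val);
+audit_log_end(audit_buf);
+}
 }
 
 /*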
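--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -46,6 +46,10 @@
 #include "netlabel_cipso_v4.h"
 #include "netlabel_user.h"
 
+/* do not do any auditing if audit_enabled == 0, see kernel/audit.c for
+ * details */
+extern int audit_enabled;
+
 /*
 * NetLabel NETLINK Setup Functions
 */
@@ -101,6 +105,9 @@ struct audit_buffer *netlbl_audit_start_common(int type,
 char *secctx;
 u32 secctx_len;
 
+if (audit_enabled == 0)
+return NULL;
+
 audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type);
 if (audit_buf == NULL)
 return NULL;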
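Review bot: The early `return NULL` on `audit_enabled == 0` changes the contract of netlbl_audit_start_common: a NULL result now means either "auditing is disabled" or "audit_log_start() failed", and callers cannot tell the two apart, which is fine for best-effort logging but should be stated where the function is documented. The function's header comment lies above the hunk and is not visible here; if it has a kernel-doc block, its return description should read along the lines of `* Returns a pointer to the audit buffer, or NULL if auditing is disabled or the buffer could not be allocated.` The file-scope `extern int audit_enabled;` is a declaration of another subsystem's variable placed in a .c file; if `<linux/audit.h>` already exports it the local extern is redundant, and if it does not, the declaration belongs in that header so it is not repeated per caller. The function starts and ends outside the hunk.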
