author | Thomas Liu <tliu@redhat.com> | 2009-07-14 12:14:09 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-08-16 18:37:18 -0400 |
commit | 2bf49690325b62480a42f7afed5e9f164173c570 (patch) | |
tree | bc8525f6a45ea3ffaed9449084df7644bcd4e3c2 /security/selinux/hooks.c | |
parent | f322abf83feddc3c37c3a91794e0c5aece4af18e (diff) |
SELinux: Convert avc_audit to use lsm_audit.h
Convert avc_audit in security/selinux/avc.c to use lsm_audit.h,
for better maintainability.
- changed selinux to use common_audit_data instead of
avc_audit_data
- eliminated code in avc.c and used code from lsm_audit.h instead.
Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit
can call common_lsm_audit and do the pre and post callbacks without
doing the actual dump. This makes it so that the patched version
behaves the same way as the unpatched version.
Also added a denied field to the selinux_audit_data private space,
once again so that the patched version behaves like the unpatched
one.
I've tested and confirmed that AVCs look the same before and after
this patch.
Signed-off-by: Thomas Liu <tliu@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r-- | security/selinux/hooks.c | 142 |
1 files changed, 71 insertions, 71 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5aa45b16812..254b7983657 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -1478,14 +1478,14 @@ static int task_has_capability(struct task_struct *tsk, | |||
1478 | const struct cred *cred, | 1478 | const struct cred *cred, |
1479 | int cap, int audit) | 1479 | int cap, int audit) |
1480 | { | 1480 | { |
1481 | struct avc_audit_data ad; | 1481 | struct common_audit_data ad; |
1482 | struct av_decision avd; | 1482 | struct av_decision avd; |
1483 | u16 sclass; | 1483 | u16 sclass; |
1484 | u32 sid = cred_sid(cred); | 1484 | u32 sid = cred_sid(cred); |
1485 | u32 av = CAP_TO_MASK(cap); | 1485 | u32 av = CAP_TO_MASK(cap); |
1486 | int rc; | 1486 | int rc; |
1487 | 1487 | ||
1488 | AVC_AUDIT_DATA_INIT(&ad, CAP); | 1488 | COMMON_AUDIT_DATA_INIT(&ad, CAP); |
1489 | ad.tsk = tsk; | 1489 | ad.tsk = tsk; |
1490 | ad.u.cap = cap; | 1490 | ad.u.cap = cap; |
1491 | 1491 | ||
@@ -1524,10 +1524,10 @@ static int task_has_system(struct task_struct *tsk, | |||
1524 | static int inode_has_perm(const struct cred *cred, | 1524 | static int inode_has_perm(const struct cred *cred, |
1525 | struct inode *inode, | 1525 | struct inode *inode, |
1526 | u32 perms, | 1526 | u32 perms, |
1527 | struct avc_audit_data *adp) | 1527 | struct common_audit_data *adp) |
1528 | { | 1528 | { |
1529 | struct inode_security_struct *isec; | 1529 | struct inode_security_struct *isec; |
1530 | struct avc_audit_data ad; | 1530 | struct common_audit_data ad; |
1531 | u32 sid; | 1531 | u32 sid; |
1532 | 1532 | ||
1533 | if (unlikely(IS_PRIVATE(inode))) | 1533 | if (unlikely(IS_PRIVATE(inode))) |
@@ -1538,7 +1538,7 @@ static int inode_has_perm(const struct cred *cred, | |||
1538 | 1538 | ||
1539 | if (!adp) { | 1539 | if (!adp) { |
1540 | adp = &ad; | 1540 | adp = &ad; |
1541 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1541 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1542 | ad.u.fs.inode = inode; | 1542 | ad.u.fs.inode = inode; |
1543 | } | 1543 | } |
1544 | 1544 | ||
@@ -1554,9 +1554,9 @@ static inline int dentry_has_perm(const struct cred *cred, | |||
1554 | u32 av) | 1554 | u32 av) |
1555 | { | 1555 | { |
1556 | struct inode *inode = dentry->d_inode; | 1556 | struct inode *inode = dentry->d_inode; |
1557 | struct avc_audit_data ad; | 1557 | struct common_audit_data ad; |
1558 | 1558 | ||
1559 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1559 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1560 | ad.u.fs.path.mnt = mnt; | 1560 | ad.u.fs.path.mnt = mnt; |
1561 | ad.u.fs.path.dentry = dentry; | 1561 | ad.u.fs.path.dentry = dentry; |
1562 | return inode_has_perm(cred, inode, av, &ad); | 1562 | return inode_has_perm(cred, inode, av, &ad); |
@@ -1576,11 +1576,11 @@ static int file_has_perm(const struct cred *cred, | |||
1576 | { | 1576 | { |
1577 | struct file_security_struct *fsec = file->f_security; | 1577 | struct file_security_struct *fsec = file->f_security; |
1578 | struct inode *inode = file->f_path.dentry->d_inode; | 1578 | struct inode *inode = file->f_path.dentry->d_inode; |
1579 | struct avc_audit_data ad; | 1579 | struct common_audit_data ad; |
1580 | u32 sid = cred_sid(cred); | 1580 | u32 sid = cred_sid(cred); |
1581 | int rc; | 1581 | int rc; |
1582 | 1582 | ||
1583 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1583 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1584 | ad.u.fs.path = file->f_path; | 1584 | ad.u.fs.path = file->f_path; |
1585 | 1585 | ||
1586 | if (sid != fsec->sid) { | 1586 | if (sid != fsec->sid) { |
@@ -1611,7 +1611,7 @@ static int may_create(struct inode *dir, | |||
1611 | struct inode_security_struct *dsec; | 1611 | struct inode_security_struct *dsec; |
1612 | struct superblock_security_struct *sbsec; | 1612 | struct superblock_security_struct *sbsec; |
1613 | u32 sid, newsid; | 1613 | u32 sid, newsid; |
1614 | struct avc_audit_data ad; | 1614 | struct common_audit_data ad; |
1615 | int rc; | 1615 | int rc; |
1616 | 1616 | ||
1617 | dsec = dir->i_security; | 1617 | dsec = dir->i_security; |
@@ -1620,7 +1620,7 @@ static int may_create(struct inode *dir, | |||
1620 | sid = tsec->sid; | 1620 | sid = tsec->sid; |
1621 | newsid = tsec->create_sid; | 1621 | newsid = tsec->create_sid; |
1622 | 1622 | ||
1623 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1623 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1624 | ad.u.fs.path.dentry = dentry; | 1624 | ad.u.fs.path.dentry = dentry; |
1625 | 1625 | ||
1626 | rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, | 1626 | rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, |
@@ -1664,7 +1664,7 @@ static int may_link(struct inode *dir, | |||
1664 | 1664 | ||
1665 | { | 1665 | { |
1666 | struct inode_security_struct *dsec, *isec; | 1666 | struct inode_security_struct *dsec, *isec; |
1667 | struct avc_audit_data ad; | 1667 | struct common_audit_data ad; |
1668 | u32 sid = current_sid(); | 1668 | u32 sid = current_sid(); |
1669 | u32 av; | 1669 | u32 av; |
1670 | int rc; | 1670 | int rc; |
@@ -1672,7 +1672,7 @@ static int may_link(struct inode *dir, | |||
1672 | dsec = dir->i_security; | 1672 | dsec = dir->i_security; |
1673 | isec = dentry->d_inode->i_security; | 1673 | isec = dentry->d_inode->i_security; |
1674 | 1674 | ||
1675 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1675 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1676 | ad.u.fs.path.dentry = dentry; | 1676 | ad.u.fs.path.dentry = dentry; |
1677 | 1677 | ||
1678 | av = DIR__SEARCH; | 1678 | av = DIR__SEARCH; |
@@ -1707,7 +1707,7 @@ static inline int may_rename(struct inode *old_dir, | |||
1707 | struct dentry *new_dentry) | 1707 | struct dentry *new_dentry) |
1708 | { | 1708 | { |
1709 | struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; | 1709 | struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; |
1710 | struct avc_audit_data ad; | 1710 | struct common_audit_data ad; |
1711 | u32 sid = current_sid(); | 1711 | u32 sid = current_sid(); |
1712 | u32 av; | 1712 | u32 av; |
1713 | int old_is_dir, new_is_dir; | 1713 | int old_is_dir, new_is_dir; |
@@ -1718,7 +1718,7 @@ static inline int may_rename(struct inode *old_dir, | |||
1718 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); | 1718 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); |
1719 | new_dsec = new_dir->i_security; | 1719 | new_dsec = new_dir->i_security; |
1720 | 1720 | ||
1721 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1721 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1722 | 1722 | ||
1723 | ad.u.fs.path.dentry = old_dentry; | 1723 | ad.u.fs.path.dentry = old_dentry; |
1724 | rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, | 1724 | rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, |
@@ -1760,7 +1760,7 @@ static inline int may_rename(struct inode *old_dir, | |||
1760 | static int superblock_has_perm(const struct cred *cred, | 1760 | static int superblock_has_perm(const struct cred *cred, |
1761 | struct super_block *sb, | 1761 | struct super_block *sb, |
1762 | u32 perms, | 1762 | u32 perms, |
1763 | struct avc_audit_data *ad) | 1763 | struct common_audit_data *ad) |
1764 | { | 1764 | { |
1765 | struct superblock_security_struct *sbsec; | 1765 | struct superblock_security_struct *sbsec; |
1766 | u32 sid = cred_sid(cred); | 1766 | u32 sid = cred_sid(cred); |
@@ -2100,7 +2100,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
2100 | const struct task_security_struct *old_tsec; | 2100 | const struct task_security_struct *old_tsec; |
2101 | struct task_security_struct *new_tsec; | 2101 | struct task_security_struct *new_tsec; |
2102 | struct inode_security_struct *isec; | 2102 | struct inode_security_struct *isec; |
2103 | struct avc_audit_data ad; | 2103 | struct common_audit_data ad; |
2104 | struct inode *inode = bprm->file->f_path.dentry->d_inode; | 2104 | struct inode *inode = bprm->file->f_path.dentry->d_inode; |
2105 | int rc; | 2105 | int rc; |
2106 | 2106 | ||
@@ -2138,7 +2138,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
2138 | return rc; | 2138 | return rc; |
2139 | } | 2139 | } |
2140 | 2140 | ||
2141 | AVC_AUDIT_DATA_INIT(&ad, FS); | 2141 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
2142 | ad.u.fs.path = bprm->file->f_path; | 2142 | ad.u.fs.path = bprm->file->f_path; |
2143 | 2143 | ||
2144 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) | 2144 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) |
@@ -2231,7 +2231,7 @@ extern struct dentry *selinux_null; | |||
2231 | static inline void flush_unauthorized_files(const struct cred *cred, | 2231 | static inline void flush_unauthorized_files(const struct cred *cred, |
2232 | struct files_struct *files) | 2232 | struct files_struct *files) |
2233 | { | 2233 | { |
2234 | struct avc_audit_data ad; | 2234 | struct common_audit_data ad; |
2235 | struct file *file, *devnull = NULL; | 2235 | struct file *file, *devnull = NULL; |
2236 | struct tty_struct *tty; | 2236 | struct tty_struct *tty; |
2237 | struct fdtable *fdt; | 2237 | struct fdtable *fdt; |
@@ -2265,7 +2265,7 @@ static inline void flush_unauthorized_files(const struct cred *cred, | |||
2265 | 2265 | ||
2266 | /* Revalidate access to inherited open files. */ | 2266 | /* Revalidate access to inherited open files. */ |
2267 | 2267 | ||
2268 | AVC_AUDIT_DATA_INIT(&ad, FS); | 2268 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
2269 | 2269 | ||
2270 | spin_lock(&files->file_lock); | 2270 | spin_lock(&files->file_lock); |
2271 | for (;;) { | 2271 | for (;;) { |
@@ -2514,7 +2514,7 @@ out: | |||
2514 | static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) | 2514 | static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) |
2515 | { | 2515 | { |
2516 | const struct cred *cred = current_cred(); | 2516 | const struct cred *cred = current_cred(); |
2517 | struct avc_audit_data ad; | 2517 | struct common_audit_data ad; |
2518 | int rc; | 2518 | int rc; |
2519 | 2519 | ||
2520 | rc = superblock_doinit(sb, data); | 2520 | rc = superblock_doinit(sb, data); |
@@ -2525,7 +2525,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) | |||
2525 | if (flags & MS_KERNMOUNT) | 2525 | if (flags & MS_KERNMOUNT) |
2526 | return 0; | 2526 | return 0; |
2527 | 2527 | ||
2528 | AVC_AUDIT_DATA_INIT(&ad, FS); | 2528 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
2529 | ad.u.fs.path.dentry = sb->s_root; | 2529 | ad.u.fs.path.dentry = sb->s_root; |
2530 | return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); | 2530 | return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); |
2531 | } | 2531 | } |
@@ -2533,9 +2533,9 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) | |||
2533 | static int selinux_sb_statfs(struct dentry *dentry) | 2533 | static int selinux_sb_statfs(struct dentry *dentry) |
2534 | { | 2534 | { |
2535 | const struct cred *cred = current_cred(); | 2535 | const struct cred *cred = current_cred(); |
2536 | struct avc_audit_data ad; | 2536 | struct common_audit_data ad; |
2537 | 2537 | ||
2538 | AVC_AUDIT_DATA_INIT(&ad, FS); | 2538 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
2539 | ad.u.fs.path.dentry = dentry->d_sb->s_root; | 2539 | ad.u.fs.path.dentry = dentry->d_sb->s_root; |
2540 | return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); | 2540 | return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); |
2541 | } | 2541 | } |
@@ -2755,7 +2755,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | |||
2755 | struct inode *inode = dentry->d_inode; | 2755 | struct inode *inode = dentry->d_inode; |
2756 | struct inode_security_struct *isec = inode->i_security; | 2756 | struct inode_security_struct *isec = inode->i_security; |
2757 | struct superblock_security_struct *sbsec; | 2757 | struct superblock_security_struct *sbsec; |
2758 | struct avc_audit_data ad; | 2758 | struct common_audit_data ad; |
2759 | u32 newsid, sid = current_sid(); | 2759 | u32 newsid, sid = current_sid(); |
2760 | int rc = 0; | 2760 | int rc = 0; |
2761 | 2761 | ||
@@ -2769,7 +2769,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | |||
2769 | if (!is_owner_or_cap(inode)) | 2769 | if (!is_owner_or_cap(inode)) |
2770 | return -EPERM; | 2770 | return -EPERM; |
2771 | 2771 | ||
2772 | AVC_AUDIT_DATA_INIT(&ad, FS); | 2772 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
2773 | ad.u.fs.path.dentry = dentry; | 2773 | ad.u.fs.path.dentry = dentry; |
2774 | 2774 | ||
2775 | rc = avc_has_perm(sid, isec->sid, isec->sclass, | 2775 | rc = avc_has_perm(sid, isec->sid, isec->sclass, |
@@ -3418,7 +3418,7 @@ static void selinux_task_to_inode(struct task_struct *p, | |||
3418 | 3418 | ||
3419 | /* Returns error only if unable to parse addresses */ | 3419 | /* Returns error only if unable to parse addresses */ |
3420 | static int selinux_parse_skb_ipv4(struct sk_buff *skb, | 3420 | static int selinux_parse_skb_ipv4(struct sk_buff *skb, |
3421 | struct avc_audit_data *ad, u8 *proto) | 3421 | struct common_audit_data *ad, u8 *proto) |
3422 | { | 3422 | { |
3423 | int offset, ihlen, ret = -EINVAL; | 3423 | int offset, ihlen, ret = -EINVAL; |
3424 | struct iphdr _iph, *ih; | 3424 | struct iphdr _iph, *ih; |
@@ -3499,7 +3499,7 @@ out: | |||
3499 | 3499 | ||
3500 | /* Returns error only if unable to parse addresses */ | 3500 | /* Returns error only if unable to parse addresses */ |
3501 | static int selinux_parse_skb_ipv6(struct sk_buff *skb, | 3501 | static int selinux_parse_skb_ipv6(struct sk_buff *skb, |
3502 | struct avc_audit_data *ad, u8 *proto) | 3502 | struct common_audit_data *ad, u8 *proto) |
3503 | { | 3503 | { |
3504 | u8 nexthdr; | 3504 | u8 nexthdr; |
3505 | int ret = -EINVAL, offset; | 3505 | int ret = -EINVAL, offset; |
@@ -3570,7 +3570,7 @@ out: | |||
3570 | 3570 | ||
3571 | #endif /* IPV6 */ | 3571 | #endif /* IPV6 */ |
3572 | 3572 | ||
3573 | static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, | 3573 | static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, |
3574 | char **_addrp, int src, u8 *proto) | 3574 | char **_addrp, int src, u8 *proto) |
3575 | { | 3575 | { |
3576 | char *addrp; | 3576 | char *addrp; |
@@ -3652,7 +3652,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, | |||
3652 | u32 perms) | 3652 | u32 perms) |
3653 | { | 3653 | { |
3654 | struct inode_security_struct *isec; | 3654 | struct inode_security_struct *isec; |
3655 | struct avc_audit_data ad; | 3655 | struct common_audit_data ad; |
3656 | u32 sid; | 3656 | u32 sid; |
3657 | int err = 0; | 3657 | int err = 0; |
3658 | 3658 | ||
@@ -3662,7 +3662,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, | |||
3662 | goto out; | 3662 | goto out; |
3663 | sid = task_sid(task); | 3663 | sid = task_sid(task); |
3664 | 3664 | ||
3665 | AVC_AUDIT_DATA_INIT(&ad, NET); | 3665 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
3666 | ad.u.net.sk = sock->sk; | 3666 | ad.u.net.sk = sock->sk; |
3667 | err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); | 3667 | err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); |
3668 | 3668 | ||
@@ -3749,7 +3749,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3749 | if (family == PF_INET || family == PF_INET6) { | 3749 | if (family == PF_INET || family == PF_INET6) { |
3750 | char *addrp; | 3750 | char *addrp; |
3751 | struct inode_security_struct *isec; | 3751 | struct inode_security_struct *isec; |
3752 | struct avc_audit_data ad; | 3752 | struct common_audit_data ad; |
3753 | struct sockaddr_in *addr4 = NULL; | 3753 | struct sockaddr_in *addr4 = NULL; |
3754 | struct sockaddr_in6 *addr6 = NULL; | 3754 | struct sockaddr_in6 *addr6 = NULL; |
3755 | unsigned short snum; | 3755 | unsigned short snum; |
@@ -3778,7 +3778,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3778 | snum, &sid); | 3778 | snum, &sid); |
3779 | if (err) | 3779 | if (err) |
3780 | goto out; | 3780 | goto out; |
3781 | AVC_AUDIT_DATA_INIT(&ad, NET); | 3781 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
3782 | ad.u.net.sport = htons(snum); | 3782 | ad.u.net.sport = htons(snum); |
3783 | ad.u.net.family = family; | 3783 | ad.u.net.family = family; |
3784 | err = avc_has_perm(isec->sid, sid, | 3784 | err = avc_has_perm(isec->sid, sid, |
@@ -3811,7 +3811,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3811 | if (err) | 3811 | if (err) |
3812 | goto out; | 3812 | goto out; |
3813 | 3813 | ||
3814 | AVC_AUDIT_DATA_INIT(&ad, NET); | 3814 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
3815 | ad.u.net.sport = htons(snum); | 3815 | ad.u.net.sport = htons(snum); |
3816 | ad.u.net.family = family; | 3816 | ad.u.net.family = family; |
3817 | 3817 | ||
@@ -3845,7 +3845,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, | |||
3845 | isec = SOCK_INODE(sock)->i_security; | 3845 | isec = SOCK_INODE(sock)->i_security; |
3846 | if (isec->sclass == SECCLASS_TCP_SOCKET || | 3846 | if (isec->sclass == SECCLASS_TCP_SOCKET || |
3847 | isec->sclass == SECCLASS_DCCP_SOCKET) { | 3847 | isec->sclass == SECCLASS_DCCP_SOCKET) { |
3848 | struct avc_audit_data ad; | 3848 | struct common_audit_data ad; |
3849 | struct sockaddr_in *addr4 = NULL; | 3849 | struct sockaddr_in *addr4 = NULL; |
3850 | struct sockaddr_in6 *addr6 = NULL; | 3850 | struct sockaddr_in6 *addr6 = NULL; |
3851 | unsigned short snum; | 3851 | unsigned short snum; |
@@ -3870,7 +3870,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, | |||
3870 | perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? | 3870 | perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? |
3871 | TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; | 3871 | TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; |
3872 | 3872 | ||
3873 | AVC_AUDIT_DATA_INIT(&ad, NET); | 3873 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
3874 | ad.u.net.dport = htons(snum); | 3874 | ad.u.net.dport = htons(snum); |
3875 | ad.u.net.family = sk->sk_family; | 3875 | ad.u.net.family = sk->sk_family; |
3876 | err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); | 3876 | err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); |
@@ -3960,13 +3960,13 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, | |||
3960 | struct sk_security_struct *ssec; | 3960 | struct sk_security_struct *ssec; |
3961 | struct inode_security_struct *isec; | 3961 | struct inode_security_struct *isec; |
3962 | struct inode_security_struct *other_isec; | 3962 | struct inode_security_struct *other_isec; |
3963 | struct avc_audit_data ad; | 3963 | struct common_audit_data ad; |
3964 | int err; | 3964 | int err; |
3965 | 3965 | ||
3966 | isec = SOCK_INODE(sock)->i_security; | 3966 | isec = SOCK_INODE(sock)->i_security; |
3967 | other_isec = SOCK_INODE(other)->i_security; | 3967 | other_isec = SOCK_INODE(other)->i_security; |
3968 | 3968 | ||
3969 | AVC_AUDIT_DATA_INIT(&ad, NET); | 3969 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
3970 | ad.u.net.sk = other->sk; | 3970 | ad.u.net.sk = other->sk; |
3971 | 3971 | ||
3972 | err = avc_has_perm(isec->sid, other_isec->sid, | 3972 | err = avc_has_perm(isec->sid, other_isec->sid, |
@@ -3992,13 +3992,13 @@ static int selinux_socket_unix_may_send(struct socket *sock, | |||
3992 | { | 3992 | { |
3993 | struct inode_security_struct *isec; | 3993 | struct inode_security_struct *isec; |
3994 | struct inode_security_struct *other_isec; | 3994 | struct inode_security_struct *other_isec; |
3995 | struct avc_audit_data ad; | 3995 | struct common_audit_data ad; |
3996 | int err; | 3996 | int err; |
3997 | 3997 | ||
3998 | isec = SOCK_INODE(sock)->i_security; | 3998 | isec = SOCK_INODE(sock)->i_security; |
3999 | other_isec = SOCK_INODE(other)->i_security; | 3999 | other_isec = SOCK_INODE(other)->i_security; |
4000 | 4000 | ||
4001 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4001 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4002 | ad.u.net.sk = other->sk; | 4002 | ad.u.net.sk = other->sk; |
4003 | 4003 | ||
4004 | err = avc_has_perm(isec->sid, other_isec->sid, | 4004 | err = avc_has_perm(isec->sid, other_isec->sid, |
@@ -4011,7 +4011,7 @@ static int selinux_socket_unix_may_send(struct socket *sock, | |||
4011 | 4011 | ||
4012 | static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, | 4012 | static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, |
4013 | u32 peer_sid, | 4013 | u32 peer_sid, |
4014 | struct avc_audit_data *ad) | 4014 | struct common_audit_data *ad) |
4015 | { | 4015 | { |
4016 | int err; | 4016 | int err; |
4017 | u32 if_sid; | 4017 | u32 if_sid; |
@@ -4039,10 +4039,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, | |||
4039 | struct sk_security_struct *sksec = sk->sk_security; | 4039 | struct sk_security_struct *sksec = sk->sk_security; |
4040 | u32 peer_sid; | 4040 | u32 peer_sid; |
4041 | u32 sk_sid = sksec->sid; | 4041 | u32 sk_sid = sksec->sid; |
4042 | struct avc_audit_data ad; | 4042 | struct common_audit_data ad; |
4043 | char *addrp; | 4043 | char *addrp; |
4044 | 4044 | ||
4045 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4045 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4046 | ad.u.net.netif = skb->iif; | 4046 | ad.u.net.netif = skb->iif; |
4047 | ad.u.net.family = family; | 4047 | ad.u.net.family = family; |
4048 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); | 4048 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); |
@@ -4080,7 +4080,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
4080 | struct sk_security_struct *sksec = sk->sk_security; | 4080 | struct sk_security_struct *sksec = sk->sk_security; |
4081 | u16 family = sk->sk_family; | 4081 | u16 family = sk->sk_family; |
4082 | u32 sk_sid = sksec->sid; | 4082 | u32 sk_sid = sksec->sid; |
4083 | struct avc_audit_data ad; | 4083 | struct common_audit_data ad; |
4084 | char *addrp; | 4084 | char *addrp; |
4085 | u8 secmark_active; | 4085 | u8 secmark_active; |
4086 | u8 peerlbl_active; | 4086 | u8 peerlbl_active; |
@@ -4104,7 +4104,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
4104 | if (!secmark_active && !peerlbl_active) | 4104 | if (!secmark_active && !peerlbl_active) |
4105 | return 0; | 4105 | return 0; |
4106 | 4106 | ||
4107 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4107 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4108 | ad.u.net.netif = skb->iif; | 4108 | ad.u.net.netif = skb->iif; |
4109 | ad.u.net.family = family; | 4109 | ad.u.net.family = family; |
4110 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); | 4110 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); |
@@ -4362,7 +4362,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, | |||
4362 | int err; | 4362 | int err; |
4363 | char *addrp; | 4363 | char *addrp; |
4364 | u32 peer_sid; | 4364 | u32 peer_sid; |
4365 | struct avc_audit_data ad; | 4365 | struct common_audit_data ad; |
4366 | u8 secmark_active; | 4366 | u8 secmark_active; |
4367 | u8 netlbl_active; | 4367 | u8 netlbl_active; |
4368 | u8 peerlbl_active; | 4368 | u8 peerlbl_active; |
@@ -4379,7 +4379,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, | |||
4379 | if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) | 4379 | if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) |
4380 | return NF_DROP; | 4380 | return NF_DROP; |
4381 | 4381 | ||
4382 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4382 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4383 | ad.u.net.netif = ifindex; | 4383 | ad.u.net.netif = ifindex; |
4384 | ad.u.net.family = family; | 4384 | ad.u.net.family = family; |
4385 | if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) | 4385 | if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) |
@@ -4467,7 +4467,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
4467 | { | 4467 | { |
4468 | struct sock *sk = skb->sk; | 4468 | struct sock *sk = skb->sk; |
4469 | struct sk_security_struct *sksec; | 4469 | struct sk_security_struct *sksec; |
4470 | struct avc_audit_data ad; | 4470 | struct common_audit_data ad; |
4471 | char *addrp; | 4471 | char *addrp; |
4472 | u8 proto; | 4472 | u8 proto; |
4473 | 4473 | ||
@@ -4475,7 +4475,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
4475 | return NF_ACCEPT; | 4475 | return NF_ACCEPT; |
4476 | sksec = sk->sk_security; | 4476 | sksec = sk->sk_security; |
4477 | 4477 | ||
4478 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4478 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4479 | ad.u.net.netif = ifindex; | 4479 | ad.u.net.netif = ifindex; |
4480 | ad.u.net.family = family; | 4480 | ad.u.net.family = family; |
4481 | if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) | 4481 | if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) |
@@ -4499,7 +4499,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
4499 | u32 secmark_perm; | 4499 | u32 secmark_perm; |
4500 | u32 peer_sid; | 4500 | u32 peer_sid; |
4501 | struct sock *sk; | 4501 | struct sock *sk; |
4502 | struct avc_audit_data ad; | 4502 | struct common_audit_data ad; |
4503 | char *addrp; | 4503 | char *addrp; |
4504 | u8 secmark_active; | 4504 | u8 secmark_active; |
4505 | u8 peerlbl_active; | 4505 | u8 peerlbl_active; |
@@ -4558,7 +4558,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
4558 | secmark_perm = PACKET__SEND; | 4558 | secmark_perm = PACKET__SEND; |
4559 | } | 4559 | } |
4560 | 4560 | ||
4561 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4561 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4562 | ad.u.net.netif = ifindex; | 4562 | ad.u.net.netif = ifindex; |
4563 | ad.u.net.family = family; | 4563 | ad.u.net.family = family; |
4564 | if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) | 4564 | if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) |
@@ -4628,13 +4628,13 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) | |||
4628 | static int selinux_netlink_recv(struct sk_buff *skb, int capability) | 4628 | static int selinux_netlink_recv(struct sk_buff *skb, int capability) |
4629 | { | 4629 | { |
4630 | int err; | 4630 | int err; |
4631 | struct avc_audit_data ad; | 4631 | struct common_audit_data ad; |
4632 | 4632 | ||
4633 | err = cap_netlink_recv(skb, capability); | 4633 | err = cap_netlink_recv(skb, capability); |
4634 | if (err) | 4634 | if (err) |
4635 | return err; | 4635 | return err; |
4636 | 4636 | ||
4637 | AVC_AUDIT_DATA_INIT(&ad, CAP); | 4637 | COMMON_AUDIT_DATA_INIT(&ad, CAP); |
4638 | ad.u.cap = capability; | 4638 | ad.u.cap = capability; |
4639 | 4639 | ||
4640 | return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, | 4640 | return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, |
@@ -4693,12 +4693,12 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, | |||
4693 | u32 perms) | 4693 | u32 perms) |
4694 | { | 4694 | { |
4695 | struct ipc_security_struct *isec; | 4695 | struct ipc_security_struct *isec; |
4696 | struct avc_audit_data ad; | 4696 | struct common_audit_data ad; |
4697 | u32 sid = current_sid(); | 4697 | u32 sid = current_sid(); |
4698 | 4698 | ||
4699 | isec = ipc_perms->security; | 4699 | isec = ipc_perms->security; |
4700 | 4700 | ||
4701 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4701 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4702 | ad.u.ipc_id = ipc_perms->key; | 4702 | ad.u.ipc_id = ipc_perms->key; |
4703 | 4703 | ||
4704 | return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); | 4704 | return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); |
@@ -4718,7 +4718,7 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg) | |||
4718 | static int selinux_msg_queue_alloc_security(struct msg_queue *msq) | 4718 | static int selinux_msg_queue_alloc_security(struct msg_queue *msq) |
4719 | { | 4719 | { |
4720 | struct ipc_security_struct *isec; | 4720 | struct ipc_security_struct *isec; |
4721 | struct avc_audit_data ad; | 4721 | struct common_audit_data ad; |
4722 | u32 sid = current_sid(); | 4722 | u32 sid = current_sid(); |
4723 | int rc; | 4723 | int rc; |
4724 | 4724 | ||
@@ -4728,7 +4728,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq) | |||
4728 | 4728 | ||
4729 | isec = msq->q_perm.security; | 4729 | isec = msq->q_perm.security; |
4730 | 4730 | ||
4731 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4731 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4732 | ad.u.ipc_id = msq->q_perm.key; | 4732 | ad.u.ipc_id = msq->q_perm.key; |
4733 | 4733 | ||
4734 | rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, | 4734 | rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, |
@@ -4748,12 +4748,12 @@ static void selinux_msg_queue_free_security(struct msg_queue *msq) | |||
4748 | static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) | 4748 | static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) |
4749 | { | 4749 | { |
4750 | struct ipc_security_struct *isec; | 4750 | struct ipc_security_struct *isec; |
4751 | struct avc_audit_data ad; | 4751 | struct common_audit_data ad; |
4752 | u32 sid = current_sid(); | 4752 | u32 sid = current_sid(); |
4753 | 4753 | ||
4754 | isec = msq->q_perm.security; | 4754 | isec = msq->q_perm.security; |
4755 | 4755 | ||
4756 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4756 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4757 | ad.u.ipc_id = msq->q_perm.key; | 4757 | ad.u.ipc_id = msq->q_perm.key; |
4758 | 4758 | ||
4759 | return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, | 4759 | return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, |
@@ -4792,7 +4792,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, | |||
4792 | { | 4792 | { |
4793 | struct ipc_security_struct *isec; | 4793 | struct ipc_security_struct *isec; |
4794 | struct msg_security_struct *msec; | 4794 | struct msg_security_struct *msec; |
4795 | struct avc_audit_data ad; | 4795 | struct common_audit_data ad; |
4796 | u32 sid = current_sid(); | 4796 | u32 sid = current_sid(); |
4797 | int rc; | 4797 | int rc; |
4798 | 4798 | ||
@@ -4813,7 +4813,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, | |||
4813 | return rc; | 4813 | return rc; |
4814 | } | 4814 | } |
4815 | 4815 | ||
4816 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4816 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4817 | ad.u.ipc_id = msq->q_perm.key; | 4817 | ad.u.ipc_id = msq->q_perm.key; |
4818 | 4818 | ||
4819 | /* Can this process write to the queue? */ | 4819 | /* Can this process write to the queue? */ |
@@ -4837,14 +4837,14 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | |||
4837 | { | 4837 | { |
4838 | struct ipc_security_struct *isec; | 4838 | struct ipc_security_struct *isec; |
4839 | struct msg_security_struct *msec; | 4839 | struct msg_security_struct *msec; |
4840 | struct avc_audit_data ad; | 4840 | struct common_audit_data ad; |
4841 | u32 sid = task_sid(target); | 4841 | u32 sid = task_sid(target); |
4842 | int rc; | 4842 | int rc; |
4843 | 4843 | ||
4844 | isec = msq->q_perm.security; | 4844 | isec = msq->q_perm.security; |
4845 | msec = msg->security; | 4845 | msec = msg->security; |
4846 | 4846 | ||
4847 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4847 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4848 | ad.u.ipc_id = msq->q_perm.key; | 4848 | ad.u.ipc_id = msq->q_perm.key; |
4849 | 4849 | ||
4850 | rc = avc_has_perm(sid, isec->sid, | 4850 | rc = avc_has_perm(sid, isec->sid, |
@@ -4859,7 +4859,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | |||
4859 | static int selinux_shm_alloc_security(struct shmid_kernel *shp) | 4859 | static int selinux_shm_alloc_security(struct shmid_kernel *shp) |
4860 | { | 4860 | { |
4861 | struct ipc_security_struct *isec; | 4861 | struct ipc_security_struct *isec; |
4862 | struct avc_audit_data ad; | 4862 | struct common_audit_data ad; |
4863 | u32 sid = current_sid(); | 4863 | u32 sid = current_sid(); |
4864 | int rc; | 4864 | int rc; |
4865 | 4865 | ||
@@ -4869,7 +4869,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp) | |||
4869 | 4869 | ||
4870 | isec = shp->shm_perm.security; | 4870 | isec = shp->shm_perm.security; |
4871 | 4871 | ||
4872 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4872 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4873 | ad.u.ipc_id = shp->shm_perm.key; | 4873 | ad.u.ipc_id = shp->shm_perm.key; |
4874 | 4874 | ||
4875 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, | 4875 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, |
@@ -4889,12 +4889,12 @@ static void selinux_shm_free_security(struct shmid_kernel *shp) | |||
4889 | static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) | 4889 | static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) |
4890 | { | 4890 | { |
4891 | struct ipc_security_struct *isec; | 4891 | struct ipc_security_struct *isec; |
4892 | struct avc_audit_data ad; | 4892 | struct common_audit_data ad; |
4893 | u32 sid = current_sid(); | 4893 | u32 sid = current_sid(); |
4894 | 4894 | ||
4895 | isec = shp->shm_perm.security; | 4895 | isec = shp->shm_perm.security; |
4896 | 4896 | ||
4897 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4897 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4898 | ad.u.ipc_id = shp->shm_perm.key; | 4898 | ad.u.ipc_id = shp->shm_perm.key; |
4899 | 4899 | ||
4900 | return avc_has_perm(sid, isec->sid, SECCLASS_SHM, | 4900 | return avc_has_perm(sid, isec->sid, SECCLASS_SHM, |
@@ -4951,7 +4951,7 @@ static int selinux_shm_shmat(struct shmid_kernel *shp, | |||
4951 | static int selinux_sem_alloc_security(struct sem_array *sma) | 4951 | static int selinux_sem_alloc_security(struct sem_array *sma) |
4952 | { | 4952 | { |
4953 | struct ipc_security_struct *isec; | 4953 | struct ipc_security_struct *isec; |
4954 | struct avc_audit_data ad; | 4954 | struct common_audit_data ad; |
4955 | u32 sid = current_sid(); | 4955 | u32 sid = current_sid(); |
4956 | int rc; | 4956 | int rc; |
4957 | 4957 | ||
@@ -4961,7 +4961,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma) | |||
4961 | 4961 | ||
4962 | isec = sma->sem_perm.security; | 4962 | isec = sma->sem_perm.security; |
4963 | 4963 | ||
4964 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4964 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4965 | ad.u.ipc_id = sma->sem_perm.key; | 4965 | ad.u.ipc_id = sma->sem_perm.key; |
4966 | 4966 | ||
4967 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, | 4967 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, |
@@ -4981,12 +4981,12 @@ static void selinux_sem_free_security(struct sem_array *sma) | |||
4981 | static int selinux_sem_associate(struct sem_array *sma, int semflg) | 4981 | static int selinux_sem_associate(struct sem_array *sma, int semflg) |
4982 | { | 4982 | { |
4983 | struct ipc_security_struct *isec; | 4983 | struct ipc_security_struct *isec; |
4984 | struct avc_audit_data ad; | 4984 | struct common_audit_data ad; |
4985 | u32 sid = current_sid(); | 4985 | u32 sid = current_sid(); |
4986 | 4986 | ||
4987 | isec = sma->sem_perm.security; | 4987 | isec = sma->sem_perm.security; |
4988 | 4988 | ||
4989 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4989 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4990 | ad.u.ipc_id = sma->sem_perm.key; | 4990 | ad.u.ipc_id = sma->sem_perm.key; |
4991 | 4991 | ||
4992 | return avc_has_perm(sid, isec->sid, SECCLASS_SEM, | 4992 | return avc_has_perm(sid, isec->sid, SECCLASS_SEM, |