diff options
-rw-r--r-- | drivers/char/tty_audit.c | 7 | ||||
-rw-r--r-- | include/linux/audit.h | 3 | ||||
-rw-r--r-- | include/linux/netlink.h | 1 | ||||
-rw-r--r-- | include/linux/tty.h | 4 | ||||
-rw-r--r-- | include/net/netlabel.h | 1 | ||||
-rw-r--r-- | include/net/xfrm.h | 23 | ||||
-rw-r--r-- | kernel/audit.c | 72 | ||||
-rw-r--r-- | kernel/auditfilter.c | 16 | ||||
-rw-r--r-- | net/key/af_key.c | 17 | ||||
-rw-r--r-- | net/netlabel/netlabel_unlabeled.c | 1 | ||||
-rw-r--r-- | net/netlabel/netlabel_user.c | 4 | ||||
-rw-r--r-- | net/netlabel/netlabel_user.h | 1 | ||||
-rw-r--r-- | net/netlink/af_netlink.c | 1 | ||||
-rw-r--r-- | net/xfrm/xfrm_policy.c | 12 | ||||
-rw-r--r-- | net/xfrm/xfrm_state.c | 13 | ||||
-rw-r--r-- | net/xfrm/xfrm_user.c | 41 | ||||
-rw-r--r-- | security/smack/smackfs.c | 2 |
17 files changed, 132 insertions, 87 deletions
diff --git a/drivers/char/tty_audit.c b/drivers/char/tty_audit.c index 7722466e052..9739bbfc8f7 100644 --- a/drivers/char/tty_audit.c +++ b/drivers/char/tty_audit.c | |||
@@ -151,14 +151,9 @@ void tty_audit_fork(struct signal_struct *sig) | |||
151 | /** | 151 | /** |
152 | * tty_audit_push_task - Flush task's pending audit data | 152 | * tty_audit_push_task - Flush task's pending audit data |
153 | */ | 153 | */ |
154 | void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid) | 154 | void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid) |
155 | { | 155 | { |
156 | struct tty_audit_buf *buf; | 156 | struct tty_audit_buf *buf; |
157 | /* FIXME I think this is correct. Check against netlink once that is | ||
158 | * I really need to read this code more closely. But that's for | ||
159 | * another patch. | ||
160 | */ | ||
161 | unsigned int sessionid = audit_get_sessionid(tsk); | ||
162 | 157 | ||
163 | spin_lock_irq(&tsk->sighand->siglock); | 158 | spin_lock_irq(&tsk->sighand->siglock); |
164 | buf = tsk->signal->tty_audit_buf; | 159 | buf = tsk->signal->tty_audit_buf; |
diff --git a/include/linux/audit.h b/include/linux/audit.h index 4ccb048cae1..25f6ae30dd4 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -569,7 +569,8 @@ extern int audit_update_lsm_rules(void); | |||
569 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); | 569 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); |
570 | extern int audit_filter_type(int type); | 570 | extern int audit_filter_type(int type); |
571 | extern int audit_receive_filter(int type, int pid, int uid, int seq, | 571 | extern int audit_receive_filter(int type, int pid, int uid, int seq, |
572 | void *data, size_t datasz, uid_t loginuid, u32 sid); | 572 | void *data, size_t datasz, uid_t loginuid, |
573 | u32 sessionid, u32 sid); | ||
573 | extern int audit_enabled; | 574 | extern int audit_enabled; |
574 | #else | 575 | #else |
575 | #define audit_log(c,g,t,f,...) do { ; } while (0) | 576 | #define audit_log(c,g,t,f,...) do { ; } while (0) |
diff --git a/include/linux/netlink.h b/include/linux/netlink.h index fb0713b6ffa..bec1062a25a 100644 --- a/include/linux/netlink.h +++ b/include/linux/netlink.h | |||
@@ -166,6 +166,7 @@ struct netlink_skb_parms | |||
166 | __u32 dst_group; | 166 | __u32 dst_group; |
167 | kernel_cap_t eff_cap; | 167 | kernel_cap_t eff_cap; |
168 | __u32 loginuid; /* Login (audit) uid */ | 168 | __u32 loginuid; /* Login (audit) uid */ |
169 | __u32 sessionid; /* Session id (audit) */ | ||
169 | __u32 sid; /* SELinux security id */ | 170 | __u32 sid; /* SELinux security id */ |
170 | }; | 171 | }; |
171 | 172 | ||
diff --git a/include/linux/tty.h b/include/linux/tty.h index dd8e08fe885..430624504ca 100644 --- a/include/linux/tty.h +++ b/include/linux/tty.h | |||
@@ -351,7 +351,7 @@ extern void tty_audit_add_data(struct tty_struct *tty, unsigned char *data, | |||
351 | extern void tty_audit_exit(void); | 351 | extern void tty_audit_exit(void); |
352 | extern void tty_audit_fork(struct signal_struct *sig); | 352 | extern void tty_audit_fork(struct signal_struct *sig); |
353 | extern void tty_audit_push(struct tty_struct *tty); | 353 | extern void tty_audit_push(struct tty_struct *tty); |
354 | extern void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid); | 354 | extern void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid); |
355 | extern void tty_audit_opening(void); | 355 | extern void tty_audit_opening(void); |
356 | #else | 356 | #else |
357 | static inline void tty_audit_add_data(struct tty_struct *tty, | 357 | static inline void tty_audit_add_data(struct tty_struct *tty, |
@@ -367,7 +367,7 @@ static inline void tty_audit_fork(struct signal_struct *sig) | |||
367 | static inline void tty_audit_push(struct tty_struct *tty) | 367 | static inline void tty_audit_push(struct tty_struct *tty) |
368 | { | 368 | { |
369 | } | 369 | } |
370 | static inline void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid) | 370 | static inline void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid) |
371 | { | 371 | { |
372 | } | 372 | } |
373 | static inline void tty_audit_opening(void) | 373 | static inline void tty_audit_opening(void) |
diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 5e53a85b5ca..e4d2d6baa98 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h | |||
@@ -103,6 +103,7 @@ struct cipso_v4_doi; | |||
103 | struct netlbl_audit { | 103 | struct netlbl_audit { |
104 | u32 secid; | 104 | u32 secid; |
105 | uid_t loginuid; | 105 | uid_t loginuid; |
106 | u32 sessionid; | ||
106 | }; | 107 | }; |
107 | 108 | ||
108 | /* | 109 | /* |
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index baa9f372cfd..d1350bcccb0 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
@@ -597,8 +597,9 @@ struct xfrm_spi_skb_cb { | |||
597 | /* Audit Information */ | 597 | /* Audit Information */ |
598 | struct xfrm_audit | 598 | struct xfrm_audit |
599 | { | 599 | { |
600 | u32 loginuid; | ||
601 | u32 secid; | 600 | u32 secid; |
601 | uid_t loginuid; | ||
602 | u32 sessionid; | ||
602 | }; | 603 | }; |
603 | 604 | ||
604 | #ifdef CONFIG_AUDITSYSCALL | 605 | #ifdef CONFIG_AUDITSYSCALL |
@@ -616,13 +617,13 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op) | |||
616 | return audit_buf; | 617 | return audit_buf; |
617 | } | 618 | } |
618 | 619 | ||
619 | static inline void xfrm_audit_helper_usrinfo(u32 auid, u32 secid, | 620 | static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid, |
620 | struct audit_buffer *audit_buf) | 621 | struct audit_buffer *audit_buf) |
621 | { | 622 | { |
622 | char *secctx; | 623 | char *secctx; |
623 | u32 secctx_len; | 624 | u32 secctx_len; |
624 | 625 | ||
625 | audit_log_format(audit_buf, " auid=%u", auid); | 626 | audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses); |
626 | if (secid != 0 && | 627 | if (secid != 0 && |
627 | security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) { | 628 | security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) { |
628 | audit_log_format(audit_buf, " subj=%s", secctx); | 629 | audit_log_format(audit_buf, " subj=%s", secctx); |
@@ -632,13 +633,13 @@ static inline void xfrm_audit_helper_usrinfo(u32 auid, u32 secid, | |||
632 | } | 633 | } |
633 | 634 | ||
634 | extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, | 635 | extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, |
635 | u32 auid, u32 secid); | 636 | u32 auid, u32 ses, u32 secid); |
636 | extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, | 637 | extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, |
637 | u32 auid, u32 secid); | 638 | u32 auid, u32 ses, u32 secid); |
638 | extern void xfrm_audit_state_add(struct xfrm_state *x, int result, | 639 | extern void xfrm_audit_state_add(struct xfrm_state *x, int result, |
639 | u32 auid, u32 secid); | 640 | u32 auid, u32 ses, u32 secid); |
640 | extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, | 641 | extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, |
641 | u32 auid, u32 secid); | 642 | u32 auid, u32 ses, u32 secid); |
642 | extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x, | 643 | extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x, |
643 | struct sk_buff *skb); | 644 | struct sk_buff *skb); |
644 | extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family); | 645 | extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family); |
@@ -647,10 +648,10 @@ extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, | |||
647 | extern void xfrm_audit_state_icvfail(struct xfrm_state *x, | 648 | extern void xfrm_audit_state_icvfail(struct xfrm_state *x, |
648 | struct sk_buff *skb, u8 proto); | 649 | struct sk_buff *skb, u8 proto); |
649 | #else | 650 | #else |
650 | #define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) | 651 | #define xfrm_audit_policy_add(x, r, a, se, s) do { ; } while (0) |
651 | #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) | 652 | #define xfrm_audit_policy_delete(x, r, a, se, s) do { ; } while (0) |
652 | #define xfrm_audit_state_add(x, r, a, s) do { ; } while (0) | 653 | #define xfrm_audit_state_add(x, r, a, se, s) do { ; } while (0) |
653 | #define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0) | 654 | #define xfrm_audit_state_delete(x, r, a, se, s) do { ; } while (0) |
654 | #define xfrm_audit_state_replay_overflow(x, s) do { ; } while (0) | 655 | #define xfrm_audit_state_replay_overflow(x, s) do { ; } while (0) |
655 | #define xfrm_audit_state_notfound_simple(s, f) do { ; } while (0) | 656 | #define xfrm_audit_state_notfound_simple(s, f) do { ; } while (0) |
656 | #define xfrm_audit_state_notfound(s, f, sp, sq) do { ; } while (0) | 657 | #define xfrm_audit_state_notfound(s, f, sp, sq) do { ; } while (0) |
diff --git a/kernel/audit.c b/kernel/audit.c index a7b16086d36..ad6d1abfa1d 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
@@ -252,14 +252,15 @@ void audit_log_lost(const char *message) | |||
252 | } | 252 | } |
253 | 253 | ||
254 | static int audit_log_config_change(char *function_name, int new, int old, | 254 | static int audit_log_config_change(char *function_name, int new, int old, |
255 | uid_t loginuid, u32 sid, int allow_changes) | 255 | uid_t loginuid, u32 sessionid, u32 sid, |
256 | int allow_changes) | ||
256 | { | 257 | { |
257 | struct audit_buffer *ab; | 258 | struct audit_buffer *ab; |
258 | int rc = 0; | 259 | int rc = 0; |
259 | 260 | ||
260 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | 261 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); |
261 | audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new, | 262 | audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new, |
262 | old, loginuid); | 263 | old, loginuid, sessionid); |
263 | if (sid) { | 264 | if (sid) { |
264 | char *ctx = NULL; | 265 | char *ctx = NULL; |
265 | u32 len; | 266 | u32 len; |
@@ -279,7 +280,8 @@ static int audit_log_config_change(char *function_name, int new, int old, | |||
279 | } | 280 | } |
280 | 281 | ||
281 | static int audit_do_config_change(char *function_name, int *to_change, | 282 | static int audit_do_config_change(char *function_name, int *to_change, |
282 | int new, uid_t loginuid, u32 sid) | 283 | int new, uid_t loginuid, u32 sessionid, |
284 | u32 sid) | ||
283 | { | 285 | { |
284 | int allow_changes, rc = 0, old = *to_change; | 286 | int allow_changes, rc = 0, old = *to_change; |
285 | 287 | ||
@@ -290,8 +292,8 @@ static int audit_do_config_change(char *function_name, int *to_change, | |||
290 | allow_changes = 1; | 292 | allow_changes = 1; |
291 | 293 | ||
292 | if (audit_enabled != AUDIT_OFF) { | 294 | if (audit_enabled != AUDIT_OFF) { |
293 | rc = audit_log_config_change(function_name, new, old, | 295 | rc = audit_log_config_change(function_name, new, old, loginuid, |
294 | loginuid, sid, allow_changes); | 296 | sessionid, sid, allow_changes); |
295 | if (rc) | 297 | if (rc) |
296 | allow_changes = 0; | 298 | allow_changes = 0; |
297 | } | 299 | } |
@@ -305,26 +307,28 @@ static int audit_do_config_change(char *function_name, int *to_change, | |||
305 | return rc; | 307 | return rc; |
306 | } | 308 | } |
307 | 309 | ||
308 | static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) | 310 | static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sessionid, |
311 | u32 sid) | ||
309 | { | 312 | { |
310 | return audit_do_config_change("audit_rate_limit", &audit_rate_limit, | 313 | return audit_do_config_change("audit_rate_limit", &audit_rate_limit, |
311 | limit, loginuid, sid); | 314 | limit, loginuid, sessionid, sid); |
312 | } | 315 | } |
313 | 316 | ||
314 | static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) | 317 | static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sessionid, |
318 | u32 sid) | ||
315 | { | 319 | { |
316 | return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, | 320 | return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, |
317 | limit, loginuid, sid); | 321 | limit, loginuid, sessionid, sid); |
318 | } | 322 | } |
319 | 323 | ||
320 | static int audit_set_enabled(int state, uid_t loginuid, u32 sid) | 324 | static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid) |
321 | { | 325 | { |
322 | int rc; | 326 | int rc; |
323 | if (state < AUDIT_OFF || state > AUDIT_LOCKED) | 327 | if (state < AUDIT_OFF || state > AUDIT_LOCKED) |
324 | return -EINVAL; | 328 | return -EINVAL; |
325 | 329 | ||
326 | rc = audit_do_config_change("audit_enabled", &audit_enabled, state, | 330 | rc = audit_do_config_change("audit_enabled", &audit_enabled, state, |
327 | loginuid, sid); | 331 | loginuid, sessionid, sid); |
328 | 332 | ||
329 | if (!rc) | 333 | if (!rc) |
330 | audit_ever_enabled |= !!state; | 334 | audit_ever_enabled |= !!state; |
@@ -332,7 +336,7 @@ static int audit_set_enabled(int state, uid_t loginuid, u32 sid) | |||
332 | return rc; | 336 | return rc; |
333 | } | 337 | } |
334 | 338 | ||
335 | static int audit_set_failure(int state, uid_t loginuid, u32 sid) | 339 | static int audit_set_failure(int state, uid_t loginuid, u32 sessionid, u32 sid) |
336 | { | 340 | { |
337 | if (state != AUDIT_FAIL_SILENT | 341 | if (state != AUDIT_FAIL_SILENT |
338 | && state != AUDIT_FAIL_PRINTK | 342 | && state != AUDIT_FAIL_PRINTK |
@@ -340,7 +344,7 @@ static int audit_set_failure(int state, uid_t loginuid, u32 sid) | |||
340 | return -EINVAL; | 344 | return -EINVAL; |
341 | 345 | ||
342 | return audit_do_config_change("audit_failure", &audit_failure, state, | 346 | return audit_do_config_change("audit_failure", &audit_failure, state, |
343 | loginuid, sid); | 347 | loginuid, sessionid, sid); |
344 | } | 348 | } |
345 | 349 | ||
346 | static int kauditd_thread(void *dummy) | 350 | static int kauditd_thread(void *dummy) |
@@ -385,7 +389,7 @@ static int kauditd_thread(void *dummy) | |||
385 | return 0; | 389 | return 0; |
386 | } | 390 | } |
387 | 391 | ||
388 | static int audit_prepare_user_tty(pid_t pid, uid_t loginuid) | 392 | static int audit_prepare_user_tty(pid_t pid, uid_t loginuid, u32 sessionid) |
389 | { | 393 | { |
390 | struct task_struct *tsk; | 394 | struct task_struct *tsk; |
391 | int err; | 395 | int err; |
@@ -404,7 +408,7 @@ static int audit_prepare_user_tty(pid_t pid, uid_t loginuid) | |||
404 | if (err) | 408 | if (err) |
405 | goto out; | 409 | goto out; |
406 | 410 | ||
407 | tty_audit_push_task(tsk, loginuid); | 411 | tty_audit_push_task(tsk, loginuid, sessionid); |
408 | out: | 412 | out: |
409 | read_unlock(&tasklist_lock); | 413 | read_unlock(&tasklist_lock); |
410 | return err; | 414 | return err; |
@@ -534,7 +538,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) | |||
534 | } | 538 | } |
535 | 539 | ||
536 | static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, | 540 | static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, |
537 | u32 pid, u32 uid, uid_t auid, u32 sid) | 541 | u32 pid, u32 uid, uid_t auid, u32 ses, |
542 | u32 sid) | ||
538 | { | 543 | { |
539 | int rc = 0; | 544 | int rc = 0; |
540 | char *ctx = NULL; | 545 | char *ctx = NULL; |
@@ -546,8 +551,8 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, | |||
546 | } | 551 | } |
547 | 552 | ||
548 | *ab = audit_log_start(NULL, GFP_KERNEL, msg_type); | 553 | *ab = audit_log_start(NULL, GFP_KERNEL, msg_type); |
549 | audit_log_format(*ab, "user pid=%d uid=%u auid=%u", | 554 | audit_log_format(*ab, "user pid=%d uid=%u auid=%u ses=%u", |
550 | pid, uid, auid); | 555 | pid, uid, auid, ses); |
551 | if (sid) { | 556 | if (sid) { |
552 | rc = security_secid_to_secctx(sid, &ctx, &len); | 557 | rc = security_secid_to_secctx(sid, &ctx, &len); |
553 | if (rc) | 558 | if (rc) |
@@ -570,6 +575,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
570 | struct audit_buffer *ab; | 575 | struct audit_buffer *ab; |
571 | u16 msg_type = nlh->nlmsg_type; | 576 | u16 msg_type = nlh->nlmsg_type; |
572 | uid_t loginuid; /* loginuid of sender */ | 577 | uid_t loginuid; /* loginuid of sender */ |
578 | u32 sessionid; | ||
573 | struct audit_sig_info *sig_data; | 579 | struct audit_sig_info *sig_data; |
574 | char *ctx = NULL; | 580 | char *ctx = NULL; |
575 | u32 len; | 581 | u32 len; |
@@ -591,6 +597,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
591 | pid = NETLINK_CREDS(skb)->pid; | 597 | pid = NETLINK_CREDS(skb)->pid; |
592 | uid = NETLINK_CREDS(skb)->uid; | 598 | uid = NETLINK_CREDS(skb)->uid; |
593 | loginuid = NETLINK_CB(skb).loginuid; | 599 | loginuid = NETLINK_CB(skb).loginuid; |
600 | sessionid = NETLINK_CB(skb).sessionid; | ||
594 | sid = NETLINK_CB(skb).sid; | 601 | sid = NETLINK_CB(skb).sid; |
595 | seq = nlh->nlmsg_seq; | 602 | seq = nlh->nlmsg_seq; |
596 | data = NLMSG_DATA(nlh); | 603 | data = NLMSG_DATA(nlh); |
@@ -613,12 +620,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
613 | status_get = (struct audit_status *)data; | 620 | status_get = (struct audit_status *)data; |
614 | if (status_get->mask & AUDIT_STATUS_ENABLED) { | 621 | if (status_get->mask & AUDIT_STATUS_ENABLED) { |
615 | err = audit_set_enabled(status_get->enabled, | 622 | err = audit_set_enabled(status_get->enabled, |
616 | loginuid, sid); | 623 | loginuid, sessionid, sid); |
617 | if (err < 0) return err; | 624 | if (err < 0) return err; |
618 | } | 625 | } |
619 | if (status_get->mask & AUDIT_STATUS_FAILURE) { | 626 | if (status_get->mask & AUDIT_STATUS_FAILURE) { |
620 | err = audit_set_failure(status_get->failure, | 627 | err = audit_set_failure(status_get->failure, |
621 | loginuid, sid); | 628 | loginuid, sessionid, sid); |
622 | if (err < 0) return err; | 629 | if (err < 0) return err; |
623 | } | 630 | } |
624 | if (status_get->mask & AUDIT_STATUS_PID) { | 631 | if (status_get->mask & AUDIT_STATUS_PID) { |
@@ -627,17 +634,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
627 | if (audit_enabled != AUDIT_OFF) | 634 | if (audit_enabled != AUDIT_OFF) |
628 | audit_log_config_change("audit_pid", new_pid, | 635 | audit_log_config_change("audit_pid", new_pid, |
629 | audit_pid, loginuid, | 636 | audit_pid, loginuid, |
630 | sid, 1); | 637 | sessionid, sid, 1); |
631 | 638 | ||
632 | audit_pid = new_pid; | 639 | audit_pid = new_pid; |
633 | audit_nlk_pid = NETLINK_CB(skb).pid; | 640 | audit_nlk_pid = NETLINK_CB(skb).pid; |
634 | } | 641 | } |
635 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) | 642 | if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) |
636 | err = audit_set_rate_limit(status_get->rate_limit, | 643 | err = audit_set_rate_limit(status_get->rate_limit, |
637 | loginuid, sid); | 644 | loginuid, sessionid, sid); |
638 | if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) | 645 | if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) |
639 | err = audit_set_backlog_limit(status_get->backlog_limit, | 646 | err = audit_set_backlog_limit(status_get->backlog_limit, |
640 | loginuid, sid); | 647 | loginuid, sessionid, sid); |
641 | break; | 648 | break; |
642 | case AUDIT_USER: | 649 | case AUDIT_USER: |
643 | case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: | 650 | case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: |
@@ -649,12 +656,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
649 | if (err == 1) { | 656 | if (err == 1) { |
650 | err = 0; | 657 | err = 0; |
651 | if (msg_type == AUDIT_USER_TTY) { | 658 | if (msg_type == AUDIT_USER_TTY) { |
652 | err = audit_prepare_user_tty(pid, loginuid); | 659 | err = audit_prepare_user_tty(pid, loginuid, |
660 | sessionid); | ||
653 | if (err) | 661 | if (err) |
654 | break; | 662 | break; |
655 | } | 663 | } |
656 | audit_log_common_recv_msg(&ab, msg_type, pid, uid, | 664 | audit_log_common_recv_msg(&ab, msg_type, pid, uid, |
657 | loginuid, sid); | 665 | loginuid, sessionid, sid); |
658 | 666 | ||
659 | if (msg_type != AUDIT_USER_TTY) | 667 | if (msg_type != AUDIT_USER_TTY) |
660 | audit_log_format(ab, " msg='%.1024s'", | 668 | audit_log_format(ab, " msg='%.1024s'", |
@@ -677,7 +685,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
677 | return -EINVAL; | 685 | return -EINVAL; |
678 | if (audit_enabled == AUDIT_LOCKED) { | 686 | if (audit_enabled == AUDIT_LOCKED) { |
679 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, | 687 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, |
680 | uid, loginuid, sid); | 688 | uid, loginuid, sessionid, sid); |
681 | 689 | ||
682 | audit_log_format(ab, " audit_enabled=%d res=0", | 690 | audit_log_format(ab, " audit_enabled=%d res=0", |
683 | audit_enabled); | 691 | audit_enabled); |
@@ -688,7 +696,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
688 | case AUDIT_LIST: | 696 | case AUDIT_LIST: |
689 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, | 697 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, |
690 | uid, seq, data, nlmsg_len(nlh), | 698 | uid, seq, data, nlmsg_len(nlh), |
691 | loginuid, sid); | 699 | loginuid, sessionid, sid); |
692 | break; | 700 | break; |
693 | case AUDIT_ADD_RULE: | 701 | case AUDIT_ADD_RULE: |
694 | case AUDIT_DEL_RULE: | 702 | case AUDIT_DEL_RULE: |
@@ -696,7 +704,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
696 | return -EINVAL; | 704 | return -EINVAL; |
697 | if (audit_enabled == AUDIT_LOCKED) { | 705 | if (audit_enabled == AUDIT_LOCKED) { |
698 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, | 706 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, |
699 | uid, loginuid, sid); | 707 | uid, loginuid, sessionid, sid); |
700 | 708 | ||
701 | audit_log_format(ab, " audit_enabled=%d res=0", | 709 | audit_log_format(ab, " audit_enabled=%d res=0", |
702 | audit_enabled); | 710 | audit_enabled); |
@@ -707,13 +715,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
707 | case AUDIT_LIST_RULES: | 715 | case AUDIT_LIST_RULES: |
708 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, | 716 | err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, |
709 | uid, seq, data, nlmsg_len(nlh), | 717 | uid, seq, data, nlmsg_len(nlh), |
710 | loginuid, sid); | 718 | loginuid, sessionid, sid); |
711 | break; | 719 | break; |
712 | case AUDIT_TRIM: | 720 | case AUDIT_TRIM: |
713 | audit_trim_trees(); | 721 | audit_trim_trees(); |
714 | 722 | ||
715 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, | 723 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, |
716 | uid, loginuid, sid); | 724 | uid, loginuid, sessionid, sid); |
717 | 725 | ||
718 | audit_log_format(ab, " op=trim res=1"); | 726 | audit_log_format(ab, " op=trim res=1"); |
719 | audit_log_end(ab); | 727 | audit_log_end(ab); |
@@ -745,7 +753,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
745 | err = audit_tag_tree(old, new); | 753 | err = audit_tag_tree(old, new); |
746 | 754 | ||
747 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, | 755 | audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, |
748 | uid, loginuid, sid); | 756 | uid, loginuid, sessionid, sid); |
749 | 757 | ||
750 | audit_log_format(ab, " op=make_equiv old="); | 758 | audit_log_format(ab, " op=make_equiv old="); |
751 | audit_log_untrustedstring(ab, old); | 759 | audit_log_untrustedstring(ab, old); |
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 28fef6bf853..af3ae91c47b 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
@@ -1500,8 +1500,9 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q) | |||
1500 | } | 1500 | } |
1501 | 1501 | ||
1502 | /* Log rule additions and removals */ | 1502 | /* Log rule additions and removals */ |
1503 | static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, | 1503 | static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid, |
1504 | struct audit_krule *rule, int res) | 1504 | char *action, struct audit_krule *rule, |
1505 | int res) | ||
1505 | { | 1506 | { |
1506 | struct audit_buffer *ab; | 1507 | struct audit_buffer *ab; |
1507 | 1508 | ||
@@ -1511,7 +1512,7 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, | |||
1511 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | 1512 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); |
1512 | if (!ab) | 1513 | if (!ab) |
1513 | return; | 1514 | return; |
1514 | audit_log_format(ab, "auid=%u", loginuid); | 1515 | audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid); |
1515 | if (sid) { | 1516 | if (sid) { |
1516 | char *ctx = NULL; | 1517 | char *ctx = NULL; |
1517 | u32 len; | 1518 | u32 len; |
@@ -1543,7 +1544,7 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, | |||
1543 | * @sid: SE Linux Security ID of sender | 1544 | * @sid: SE Linux Security ID of sender |
1544 | */ | 1545 | */ |
1545 | int audit_receive_filter(int type, int pid, int uid, int seq, void *data, | 1546 | int audit_receive_filter(int type, int pid, int uid, int seq, void *data, |
1546 | size_t datasz, uid_t loginuid, u32 sid) | 1547 | size_t datasz, uid_t loginuid, u32 sessionid, u32 sid) |
1547 | { | 1548 | { |
1548 | struct task_struct *tsk; | 1549 | struct task_struct *tsk; |
1549 | struct audit_netlink_list *dest; | 1550 | struct audit_netlink_list *dest; |
@@ -1590,7 +1591,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data, | |||
1590 | 1591 | ||
1591 | err = audit_add_rule(entry, | 1592 | err = audit_add_rule(entry, |
1592 | &audit_filter_list[entry->rule.listnr]); | 1593 | &audit_filter_list[entry->rule.listnr]); |
1593 | audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); | 1594 | audit_log_rule_change(loginuid, sessionid, sid, "add", |
1595 | &entry->rule, !err); | ||
1594 | 1596 | ||
1595 | if (err) | 1597 | if (err) |
1596 | audit_free_rule(entry); | 1598 | audit_free_rule(entry); |
@@ -1606,8 +1608,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data, | |||
1606 | 1608 | ||
1607 | err = audit_del_rule(entry, | 1609 | err = audit_del_rule(entry, |
1608 | &audit_filter_list[entry->rule.listnr]); | 1610 | &audit_filter_list[entry->rule.listnr]); |
1609 | audit_log_rule_change(loginuid, sid, "remove", &entry->rule, | 1611 | audit_log_rule_change(loginuid, sessionid, sid, "remove", |
1610 | !err); | 1612 | &entry->rule, !err); |
1611 | 1613 | ||
1612 | audit_free_rule(entry); | 1614 | audit_free_rule(entry); |
1613 | break; | 1615 | break; |
diff --git a/net/key/af_key.c b/net/key/af_key.c index 2403a31fe0f..9e7236ff6bc 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c | |||
@@ -1498,7 +1498,8 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, | |||
1498 | err = xfrm_state_update(x); | 1498 | err = xfrm_state_update(x); |
1499 | 1499 | ||
1500 | xfrm_audit_state_add(x, err ? 0 : 1, | 1500 | xfrm_audit_state_add(x, err ? 0 : 1, |
1501 | audit_get_loginuid(current), 0); | 1501 | audit_get_loginuid(current), |
1502 | audit_get_sessionid(current), 0); | ||
1502 | 1503 | ||
1503 | if (err < 0) { | 1504 | if (err < 0) { |
1504 | x->km.state = XFRM_STATE_DEAD; | 1505 | x->km.state = XFRM_STATE_DEAD; |
@@ -1552,7 +1553,8 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
1552 | km_state_notify(x, &c); | 1553 | km_state_notify(x, &c); |
1553 | out: | 1554 | out: |
1554 | xfrm_audit_state_delete(x, err ? 0 : 1, | 1555 | xfrm_audit_state_delete(x, err ? 0 : 1, |
1555 | audit_get_loginuid(current), 0); | 1556 | audit_get_loginuid(current), |
1557 | audit_get_sessionid(current), 0); | ||
1556 | xfrm_state_put(x); | 1558 | xfrm_state_put(x); |
1557 | 1559 | ||
1558 | return err; | 1560 | return err; |
@@ -1728,6 +1730,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd | |||
1728 | return -EINVAL; | 1730 | return -EINVAL; |
1729 | 1731 | ||
1730 | audit_info.loginuid = audit_get_loginuid(current); | 1732 | audit_info.loginuid = audit_get_loginuid(current); |
1733 | audit_info.sessionid = audit_get_sessionid(current); | ||
1731 | audit_info.secid = 0; | 1734 | audit_info.secid = 0; |
1732 | err = xfrm_state_flush(proto, &audit_info); | 1735 | err = xfrm_state_flush(proto, &audit_info); |
1733 | if (err) | 1736 | if (err) |
@@ -2324,7 +2327,8 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
2324 | hdr->sadb_msg_type != SADB_X_SPDUPDATE); | 2327 | hdr->sadb_msg_type != SADB_X_SPDUPDATE); |
2325 | 2328 | ||
2326 | xfrm_audit_policy_add(xp, err ? 0 : 1, | 2329 | xfrm_audit_policy_add(xp, err ? 0 : 1, |
2327 | audit_get_loginuid(current), 0); | 2330 | audit_get_loginuid(current), |
2331 | audit_get_sessionid(current), 0); | ||
2328 | 2332 | ||
2329 | if (err) | 2333 | if (err) |
2330 | goto out; | 2334 | goto out; |
@@ -2406,7 +2410,8 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg | |||
2406 | return -ENOENT; | 2410 | return -ENOENT; |
2407 | 2411 | ||
2408 | xfrm_audit_policy_delete(xp, err ? 0 : 1, | 2412 | xfrm_audit_policy_delete(xp, err ? 0 : 1, |
2409 | audit_get_loginuid(current), 0); | 2413 | audit_get_loginuid(current), |
2414 | audit_get_sessionid(current), 0); | ||
2410 | 2415 | ||
2411 | if (err) | 2416 | if (err) |
2412 | goto out; | 2417 | goto out; |
@@ -2667,7 +2672,8 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
2667 | 2672 | ||
2668 | if (delete) { | 2673 | if (delete) { |
2669 | xfrm_audit_policy_delete(xp, err ? 0 : 1, | 2674 | xfrm_audit_policy_delete(xp, err ? 0 : 1, |
2670 | audit_get_loginuid(current), 0); | 2675 | audit_get_loginuid(current), |
2676 | audit_get_sessionid(current), 0); | ||
2671 | 2677 | ||
2672 | if (err) | 2678 | if (err) |
2673 | goto out; | 2679 | goto out; |
@@ -2767,6 +2773,7 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg | |||
2767 | int err; | 2773 | int err; |
2768 | 2774 | ||
2769 | audit_info.loginuid = audit_get_loginuid(current); | 2775 | audit_info.loginuid = audit_get_loginuid(current); |
2776 | audit_info.sessionid = audit_get_sessionid(current); | ||
2770 | audit_info.secid = 0; | 2777 | audit_info.secid = 0; |
2771 | err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info); | 2778 | err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info); |
2772 | if (err) | 2779 | if (err) |
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index d282ad1570a..0099da5b259 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c | |||
@@ -1780,6 +1780,7 @@ int __init netlbl_unlabel_defconf(void) | |||
1780 | * messages so don't worry to much about these values. */ | 1780 | * messages so don't worry to much about these values. */ |
1781 | security_task_getsecid(current, &audit_info.secid); | 1781 | security_task_getsecid(current, &audit_info.secid); |
1782 | audit_info.loginuid = 0; | 1782 | audit_info.loginuid = 0; |
1783 | audit_info.sessionid = 0; | ||
1783 | 1784 | ||
1784 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); | 1785 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
1785 | if (entry == NULL) | 1786 | if (entry == NULL) |
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index b17d4203806..68706b4e3bf 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c | |||
@@ -107,7 +107,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, | |||
107 | if (audit_buf == NULL) | 107 | if (audit_buf == NULL) |
108 | return NULL; | 108 | return NULL; |
109 | 109 | ||
110 | audit_log_format(audit_buf, "netlabel: auid=%u", audit_info->loginuid); | 110 | audit_log_format(audit_buf, "netlabel: auid=%u ses=%u", |
111 | audit_info->loginuid, | ||
112 | audit_info->sessionid); | ||
111 | 113 | ||
112 | if (audit_info->secid != 0 && | 114 | if (audit_info->secid != 0 && |
113 | security_secid_to_secctx(audit_info->secid, | 115 | security_secid_to_secctx(audit_info->secid, |
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 6d7f4ab46c2..6caef8b2061 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h | |||
@@ -51,6 +51,7 @@ static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, | |||
51 | { | 51 | { |
52 | audit_info->secid = NETLINK_CB(skb).sid; | 52 | audit_info->secid = NETLINK_CB(skb).sid; |
53 | audit_info->loginuid = NETLINK_CB(skb).loginuid; | 53 | audit_info->loginuid = NETLINK_CB(skb).loginuid; |
54 | audit_info->sessionid = NETLINK_CB(skb).sessionid; | ||
54 | } | 55 | } |
55 | 56 | ||
56 | /* NetLabel NETLINK I/O functions */ | 57 | /* NetLabel NETLINK I/O functions */ |
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 46f3e44bb83..9b97f8006c9 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c | |||
@@ -1248,6 +1248,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock, | |||
1248 | NETLINK_CB(skb).pid = nlk->pid; | 1248 | NETLINK_CB(skb).pid = nlk->pid; |
1249 | NETLINK_CB(skb).dst_group = dst_group; | 1249 | NETLINK_CB(skb).dst_group = dst_group; |
1250 | NETLINK_CB(skb).loginuid = audit_get_loginuid(current); | 1250 | NETLINK_CB(skb).loginuid = audit_get_loginuid(current); |
1251 | NETLINK_CB(skb).sessionid = audit_get_sessionid(current); | ||
1251 | security_task_getsecid(current, &(NETLINK_CB(skb).sid)); | 1252 | security_task_getsecid(current, &(NETLINK_CB(skb).sid)); |
1252 | memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred)); | 1253 | memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred)); |
1253 | 1254 | ||
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index e0c0390613c..cae9fd81554 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
@@ -762,6 +762,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) | |||
762 | if (err) { | 762 | if (err) { |
763 | xfrm_audit_policy_delete(pol, 0, | 763 | xfrm_audit_policy_delete(pol, 0, |
764 | audit_info->loginuid, | 764 | audit_info->loginuid, |
765 | audit_info->sessionid, | ||
765 | audit_info->secid); | 766 | audit_info->secid); |
766 | return err; | 767 | return err; |
767 | } | 768 | } |
@@ -777,6 +778,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) | |||
777 | if (err) { | 778 | if (err) { |
778 | xfrm_audit_policy_delete(pol, 0, | 779 | xfrm_audit_policy_delete(pol, 0, |
779 | audit_info->loginuid, | 780 | audit_info->loginuid, |
781 | audit_info->sessionid, | ||
780 | audit_info->secid); | 782 | audit_info->secid); |
781 | return err; | 783 | return err; |
782 | } | 784 | } |
@@ -819,6 +821,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) | |||
819 | write_unlock_bh(&xfrm_policy_lock); | 821 | write_unlock_bh(&xfrm_policy_lock); |
820 | 822 | ||
821 | xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, | 823 | xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, |
824 | audit_info->sessionid, | ||
822 | audit_info->secid); | 825 | audit_info->secid); |
823 | 826 | ||
824 | xfrm_policy_kill(pol); | 827 | xfrm_policy_kill(pol); |
@@ -841,6 +844,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) | |||
841 | 844 | ||
842 | xfrm_audit_policy_delete(pol, 1, | 845 | xfrm_audit_policy_delete(pol, 1, |
843 | audit_info->loginuid, | 846 | audit_info->loginuid, |
847 | audit_info->sessionid, | ||
844 | audit_info->secid); | 848 | audit_info->secid); |
845 | xfrm_policy_kill(pol); | 849 | xfrm_policy_kill(pol); |
846 | killed++; | 850 | killed++; |
@@ -2472,14 +2476,14 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, | |||
2472 | } | 2476 | } |
2473 | 2477 | ||
2474 | void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, | 2478 | void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, |
2475 | u32 auid, u32 secid) | 2479 | uid_t auid, u32 sessionid, u32 secid) |
2476 | { | 2480 | { |
2477 | struct audit_buffer *audit_buf; | 2481 | struct audit_buffer *audit_buf; |
2478 | 2482 | ||
2479 | audit_buf = xfrm_audit_start("SPD-add"); | 2483 | audit_buf = xfrm_audit_start("SPD-add"); |
2480 | if (audit_buf == NULL) | 2484 | if (audit_buf == NULL) |
2481 | return; | 2485 | return; |
2482 | xfrm_audit_helper_usrinfo(auid, secid, audit_buf); | 2486 | xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); |
2483 | audit_log_format(audit_buf, " res=%u", result); | 2487 | audit_log_format(audit_buf, " res=%u", result); |
2484 | xfrm_audit_common_policyinfo(xp, audit_buf); | 2488 | xfrm_audit_common_policyinfo(xp, audit_buf); |
2485 | audit_log_end(audit_buf); | 2489 | audit_log_end(audit_buf); |
@@ -2487,14 +2491,14 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, | |||
2487 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); | 2491 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); |
2488 | 2492 | ||
2489 | void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, | 2493 | void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, |
2490 | u32 auid, u32 secid) | 2494 | uid_t auid, u32 sessionid, u32 secid) |
2491 | { | 2495 | { |
2492 | struct audit_buffer *audit_buf; | 2496 | struct audit_buffer *audit_buf; |
2493 | 2497 | ||
2494 | audit_buf = xfrm_audit_start("SPD-delete"); | 2498 | audit_buf = xfrm_audit_start("SPD-delete"); |
2495 | if (audit_buf == NULL) | 2499 | if (audit_buf == NULL) |
2496 | return; | 2500 | return; |
2497 | xfrm_audit_helper_usrinfo(auid, secid, audit_buf); | 2501 | xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); |
2498 | audit_log_format(audit_buf, " res=%u", result); | 2502 | audit_log_format(audit_buf, " res=%u", result); |
2499 | xfrm_audit_common_policyinfo(xp, audit_buf); | 2503 | xfrm_audit_common_policyinfo(xp, audit_buf); |
2500 | audit_log_end(audit_buf); | 2504 | audit_log_end(audit_buf); |
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 5dcc10b93c8..c3f5f70934e 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c | |||
@@ -496,7 +496,8 @@ expired: | |||
496 | km_state_expired(x, 1, 0); | 496 | km_state_expired(x, 1, 0); |
497 | 497 | ||
498 | xfrm_audit_state_delete(x, err ? 0 : 1, | 498 | xfrm_audit_state_delete(x, err ? 0 : 1, |
499 | audit_get_loginuid(current), 0); | 499 | audit_get_loginuid(current), |
500 | audit_get_sessionid(current), 0); | ||
500 | 501 | ||
501 | out: | 502 | out: |
502 | spin_unlock(&x->lock); | 503 | spin_unlock(&x->lock); |
@@ -603,6 +604,7 @@ xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info) | |||
603 | (err = security_xfrm_state_delete(x)) != 0) { | 604 | (err = security_xfrm_state_delete(x)) != 0) { |
604 | xfrm_audit_state_delete(x, 0, | 605 | xfrm_audit_state_delete(x, 0, |
605 | audit_info->loginuid, | 606 | audit_info->loginuid, |
607 | audit_info->sessionid, | ||
606 | audit_info->secid); | 608 | audit_info->secid); |
607 | return err; | 609 | return err; |
608 | } | 610 | } |
@@ -641,6 +643,7 @@ restart: | |||
641 | err = xfrm_state_delete(x); | 643 | err = xfrm_state_delete(x); |
642 | xfrm_audit_state_delete(x, err ? 0 : 1, | 644 | xfrm_audit_state_delete(x, err ? 0 : 1, |
643 | audit_info->loginuid, | 645 | audit_info->loginuid, |
646 | audit_info->sessionid, | ||
644 | audit_info->secid); | 647 | audit_info->secid); |
645 | xfrm_state_put(x); | 648 | xfrm_state_put(x); |
646 | 649 | ||
@@ -2123,14 +2126,14 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family, | |||
2123 | } | 2126 | } |
2124 | 2127 | ||
2125 | void xfrm_audit_state_add(struct xfrm_state *x, int result, | 2128 | void xfrm_audit_state_add(struct xfrm_state *x, int result, |
2126 | u32 auid, u32 secid) | 2129 | uid_t auid, u32 sessionid, u32 secid) |
2127 | { | 2130 | { |
2128 | struct audit_buffer *audit_buf; | 2131 | struct audit_buffer *audit_buf; |
2129 | 2132 | ||
2130 | audit_buf = xfrm_audit_start("SAD-add"); | 2133 | audit_buf = xfrm_audit_start("SAD-add"); |
2131 | if (audit_buf == NULL) | 2134 | if (audit_buf == NULL) |
2132 | return; | 2135 | return; |
2133 | xfrm_audit_helper_usrinfo(auid, secid, audit_buf); | 2136 | xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); |
2134 | xfrm_audit_helper_sainfo(x, audit_buf); | 2137 | xfrm_audit_helper_sainfo(x, audit_buf); |
2135 | audit_log_format(audit_buf, " res=%u", result); | 2138 | audit_log_format(audit_buf, " res=%u", result); |
2136 | audit_log_end(audit_buf); | 2139 | audit_log_end(audit_buf); |
@@ -2138,14 +2141,14 @@ void xfrm_audit_state_add(struct xfrm_state *x, int result, | |||
2138 | EXPORT_SYMBOL_GPL(xfrm_audit_state_add); | 2141 | EXPORT_SYMBOL_GPL(xfrm_audit_state_add); |
2139 | 2142 | ||
2140 | void xfrm_audit_state_delete(struct xfrm_state *x, int result, | 2143 | void xfrm_audit_state_delete(struct xfrm_state *x, int result, |
2141 | u32 auid, u32 secid) | 2144 | uid_t auid, u32 sessionid, u32 secid) |
2142 | { | 2145 | { |
2143 | struct audit_buffer *audit_buf; | 2146 | struct audit_buffer *audit_buf; |
2144 | 2147 | ||
2145 | audit_buf = xfrm_audit_start("SAD-delete"); | 2148 | audit_buf = xfrm_audit_start("SAD-delete"); |
2146 | if (audit_buf == NULL) | 2149 | if (audit_buf == NULL) |
2147 | return; | 2150 | return; |
2148 | xfrm_audit_helper_usrinfo(auid, secid, audit_buf); | 2151 | xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); |
2149 | xfrm_audit_helper_sainfo(x, audit_buf); | 2152 | xfrm_audit_helper_sainfo(x, audit_buf); |
2150 | audit_log_format(audit_buf, " res=%u", result); | 2153 | audit_log_format(audit_buf, " res=%u", result); |
2151 | audit_log_end(audit_buf); | 2154 | audit_log_end(audit_buf); |
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 22a30ae582a..a1b0fbe3ea3 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
@@ -407,6 +407,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
407 | struct xfrm_state *x; | 407 | struct xfrm_state *x; |
408 | int err; | 408 | int err; |
409 | struct km_event c; | 409 | struct km_event c; |
410 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
411 | u32 sessionid = NETLINK_CB(skb).sessionid; | ||
412 | u32 sid = NETLINK_CB(skb).sid; | ||
410 | 413 | ||
411 | err = verify_newsa_info(p, attrs); | 414 | err = verify_newsa_info(p, attrs); |
412 | if (err) | 415 | if (err) |
@@ -422,8 +425,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
422 | else | 425 | else |
423 | err = xfrm_state_update(x); | 426 | err = xfrm_state_update(x); |
424 | 427 | ||
425 | xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, | 428 | xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid); |
426 | NETLINK_CB(skb).sid); | ||
427 | 429 | ||
428 | if (err < 0) { | 430 | if (err < 0) { |
429 | x->km.state = XFRM_STATE_DEAD; | 431 | x->km.state = XFRM_STATE_DEAD; |
@@ -478,6 +480,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
478 | int err = -ESRCH; | 480 | int err = -ESRCH; |
479 | struct km_event c; | 481 | struct km_event c; |
480 | struct xfrm_usersa_id *p = nlmsg_data(nlh); | 482 | struct xfrm_usersa_id *p = nlmsg_data(nlh); |
483 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
484 | u32 sessionid = NETLINK_CB(skb).sessionid; | ||
485 | u32 sid = NETLINK_CB(skb).sid; | ||
481 | 486 | ||
482 | x = xfrm_user_state_lookup(p, attrs, &err); | 487 | x = xfrm_user_state_lookup(p, attrs, &err); |
483 | if (x == NULL) | 488 | if (x == NULL) |
@@ -502,8 +507,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
502 | km_state_notify(x, &c); | 507 | km_state_notify(x, &c); |
503 | 508 | ||
504 | out: | 509 | out: |
505 | xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, | 510 | xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid); |
506 | NETLINK_CB(skb).sid); | ||
507 | xfrm_state_put(x); | 511 | xfrm_state_put(x); |
508 | return err; | 512 | return err; |
509 | } | 513 | } |
@@ -1123,6 +1127,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1123 | struct km_event c; | 1127 | struct km_event c; |
1124 | int err; | 1128 | int err; |
1125 | int excl; | 1129 | int excl; |
1130 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
1131 | u32 sessionid = NETLINK_CB(skb).sessionid; | ||
1132 | u32 sid = NETLINK_CB(skb).sid; | ||
1126 | 1133 | ||
1127 | err = verify_newpolicy_info(p); | 1134 | err = verify_newpolicy_info(p); |
1128 | if (err) | 1135 | if (err) |
@@ -1141,8 +1148,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1141 | * a type XFRM_MSG_UPDPOLICY - JHS */ | 1148 | * a type XFRM_MSG_UPDPOLICY - JHS */ |
1142 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; | 1149 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; |
1143 | err = xfrm_policy_insert(p->dir, xp, excl); | 1150 | err = xfrm_policy_insert(p->dir, xp, excl); |
1144 | xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid, | 1151 | xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid); |
1145 | NETLINK_CB(skb).sid); | ||
1146 | 1152 | ||
1147 | if (err) { | 1153 | if (err) { |
1148 | security_xfrm_policy_free(xp->security); | 1154 | security_xfrm_policy_free(xp->security); |
@@ -1371,9 +1377,12 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1371 | NETLINK_CB(skb).pid); | 1377 | NETLINK_CB(skb).pid); |
1372 | } | 1378 | } |
1373 | } else { | 1379 | } else { |
1374 | xfrm_audit_policy_delete(xp, err ? 0 : 1, | 1380 | uid_t loginuid = NETLINK_CB(skb).loginuid; |
1375 | NETLINK_CB(skb).loginuid, | 1381 | u32 sessionid = NETLINK_CB(skb).sessionid; |
1376 | NETLINK_CB(skb).sid); | 1382 | u32 sid = NETLINK_CB(skb).sid; |
1383 | |||
1384 | xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid, | ||
1385 | sid); | ||
1377 | 1386 | ||
1378 | if (err != 0) | 1387 | if (err != 0) |
1379 | goto out; | 1388 | goto out; |
@@ -1399,6 +1408,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1399 | int err; | 1408 | int err; |
1400 | 1409 | ||
1401 | audit_info.loginuid = NETLINK_CB(skb).loginuid; | 1410 | audit_info.loginuid = NETLINK_CB(skb).loginuid; |
1411 | audit_info.sessionid = NETLINK_CB(skb).sessionid; | ||
1402 | audit_info.secid = NETLINK_CB(skb).sid; | 1412 | audit_info.secid = NETLINK_CB(skb).sid; |
1403 | err = xfrm_state_flush(p->proto, &audit_info); | 1413 | err = xfrm_state_flush(p->proto, &audit_info); |
1404 | if (err) | 1414 | if (err) |
@@ -1546,6 +1556,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1546 | return err; | 1556 | return err; |
1547 | 1557 | ||
1548 | audit_info.loginuid = NETLINK_CB(skb).loginuid; | 1558 | audit_info.loginuid = NETLINK_CB(skb).loginuid; |
1559 | audit_info.sessionid = NETLINK_CB(skb).sessionid; | ||
1549 | audit_info.secid = NETLINK_CB(skb).sid; | 1560 | audit_info.secid = NETLINK_CB(skb).sid; |
1550 | err = xfrm_policy_flush(type, &audit_info); | 1561 | err = xfrm_policy_flush(type, &audit_info); |
1551 | if (err) | 1562 | if (err) |
@@ -1604,9 +1615,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1604 | read_unlock(&xp->lock); | 1615 | read_unlock(&xp->lock); |
1605 | err = 0; | 1616 | err = 0; |
1606 | if (up->hard) { | 1617 | if (up->hard) { |
1618 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
1619 | uid_t sessionid = NETLINK_CB(skb).sessionid; | ||
1620 | u32 sid = NETLINK_CB(skb).sid; | ||
1607 | xfrm_policy_delete(xp, p->dir); | 1621 | xfrm_policy_delete(xp, p->dir); |
1608 | xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid, | 1622 | xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid); |
1609 | NETLINK_CB(skb).sid); | ||
1610 | 1623 | ||
1611 | } else { | 1624 | } else { |
1612 | // reset the timers here? | 1625 | // reset the timers here? |
@@ -1640,9 +1653,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1640 | km_state_expired(x, ue->hard, current->pid); | 1653 | km_state_expired(x, ue->hard, current->pid); |
1641 | 1654 | ||
1642 | if (ue->hard) { | 1655 | if (ue->hard) { |
1656 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
1657 | uid_t sessionid = NETLINK_CB(skb).sessionid; | ||
1658 | u32 sid = NETLINK_CB(skb).sid; | ||
1643 | __xfrm_state_delete(x); | 1659 | __xfrm_state_delete(x); |
1644 | xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid, | 1660 | xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid); |
1645 | NETLINK_CB(skb).sid); | ||
1646 | } | 1661 | } |
1647 | err = 0; | 1662 | err = 0; |
1648 | out: | 1663 | out: |
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 6ba283783b7..5d1bee0fa51 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
@@ -324,6 +324,7 @@ void smk_cipso_doi(void) | |||
324 | struct netlbl_audit audit_info; | 324 | struct netlbl_audit audit_info; |
325 | 325 | ||
326 | audit_info.loginuid = audit_get_loginuid(current); | 326 | audit_info.loginuid = audit_get_loginuid(current); |
327 | audit_info.sessionid = audit_get_sessionid(current); | ||
327 | audit_info.secid = smack_to_secid(current->security); | 328 | audit_info.secid = smack_to_secid(current->security); |
328 | 329 | ||
329 | rc = netlbl_cfg_map_del(NULL, &audit_info); | 330 | rc = netlbl_cfg_map_del(NULL, &audit_info); |
@@ -356,6 +357,7 @@ void smk_unlbl_ambient(char *oldambient) | |||
356 | struct netlbl_audit audit_info; | 357 | struct netlbl_audit audit_info; |
357 | 358 | ||
358 | audit_info.loginuid = audit_get_loginuid(current); | 359 | audit_info.loginuid = audit_get_loginuid(current); |
360 | audit_info.sessionid = audit_get_sessionid(current); | ||
359 | audit_info.secid = smack_to_secid(current->security); | 361 | audit_info.secid = smack_to_secid(current->security); |
360 | 362 | ||
361 | if (oldambient != NULL) { | 363 | if (oldambient != NULL) { |