[NetLabel]: add audit support for configuration changes

This patch adds audit support to NetLabel, including six new audit message types shown below. #define AUDIT_MAC_UNLBL_ACCEPT 1406 #define AUDIT_MAC_UNLBL_DENY 1407 #define AUDIT_MAC_CIPSOV4_ADD 1408 #define AUDIT_MAC_CIPSOV4_DEL 1409 #define AUDIT_MAC_MAP_ADD 1410 #define AUDIT_MAC_MAP_DEL 1411 Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Paul Moore <paul.moore@hp.com> 2006-09-28 17:51:47 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-09-28 21:03:09 -0400
commit: 32f50cdee666333168b5203c7864bede159f789e (patch)
tree: c4989cc2521551714f656d60f6b895232ffdeda6 /net/netlabel/netlabel_unlabeled.c
parent: 8ea333eb5da3e3219f570220c56bca09f6f4d25a (diff)
1 files changed, 30 insertions, 6 deletions
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 440f5c4e1e2..ab36675fee8 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -64,6 +64,27 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
 };
 /*
+ * Helper Functions
+ */
+/**
+ * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
+ * @value: desired value
+ * @audit_secid: the LSM secid to use in the audit message
+ *
+ * Description:
+ * Set the value of the unlabeled accept flag to @value.
+ *
+ */
+static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
+{
+        atomic_set(&netlabel_unlabel_accept_flg, value);
+        netlbl_audit_nomsg((value ?
+                            AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY),
+                           audit_secid);
+}
+/*
 * NetLabel Command Handlers
 */
@@ -79,18 +100,18 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
 */
 static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
 {
-        int ret_val = -EINVAL;
        u8 value;
        if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
                value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
                if (value == 1 || value == 0) {
-                        atomic_set(&netlabel_unlabel_accept_flg, value);
+                        netlbl_unlabel_acceptflg_set(value,
-                        ret_val = 0;
+                                                     NETLINK_CB(skb).sid);
+                        return 0;
                }
        }
-        return ret_val;
+        return -EINVAL;
 }
 /**
@@ -229,16 +250,19 @@ int netlbl_unlabel_defconf(void)
 {
        int ret_val;
        struct netlbl_dom_map *entry;
+        u32 secid;
+        security_task_getsecid(current, &secid);
        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
        if (entry == NULL)
                return -ENOMEM;
        entry->type = NETLBL_NLTYPE_UNLABELED;
-        ret_val = netlbl_domhsh_add_default(entry);
+        ret_val = netlbl_domhsh_add_default(entry, secid);
        if (ret_val != 0)
                return ret_val;
-        atomic_set(&netlabel_unlabel_accept_flg, 1);
+        netlbl_unlabel_acceptflg_set(1, secid);
        return 0;
 }
author	Paul Moore <paul.moore@hp.com>	2006-09-28 17:51:47 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-09-28 21:03:09 -0400
commit	32f50cdee666333168b5203c7864bede159f789e (patch)
tree	c4989cc2521551714f656d60f6b895232ffdeda6 /net/netlabel/netlabel_unlabeled.c
parent	8ea333eb5da3e3219f570220c56bca09f6f4d25a (diff)