authorPaul Moore <paul.moore@hp.com>2006-09-29 20:05:05 -0400
committerDavid S. Miller <davem@davemloft.net>2006-09-29 20:05:05 -0400
commit95d4e6be25a68cd9fbe8c0d356b585504d8db1c7 (patch)
tree2133c970e6786bdf82004ace225b6bca19b9ddba
parentd6c641026dec68acfb4b0baa98aad960e963ed97 (diff)
[NetLabel]: audit fixups due to delayed feedback
Fix some issues Steve Grubb had with the way NetLabel was using the audit subsystem. This should make NetLabel more consistent with other kernel-generated audit messages that report configuration changes. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/linux/audit.h11
-rw-r--r--include/net/cipso_ipv4.h4
-rw-r--r--include/net/netlabel.h8
-rw-r--r--net/ipv4/cipso_ipv4.c4
-rw-r--r--net/netlabel/netlabel_cipso_v4.c48
-rw-r--r--net/netlabel/netlabel_domainhash.c82
-rw-r--r--net/netlabel/netlabel_domainhash.h8
-rw-r--r--net/netlabel/netlabel_mgmt.c27
-rw-r--r--net/netlabel/netlabel_unlabeled.c34
-rw-r--r--net/netlabel/netlabel_user.c66
-rw-r--r--net/netlabel/netlabel_user.h16
11 files changed, 157 insertions, 151 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 42719d07612a..c3aa09751814 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -95,12 +95,11 @@
95#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ 95#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */
96#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ 96#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */
97#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ 97#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */
98#define AUDIT_MAC_UNLBL_ACCEPT 1406 /* NetLabel: allow unlabeled traffic */ 98#define AUDIT_MAC_UNLBL_ALLOW 1406 /* NetLabel: allow unlabeled traffic */
99#define AUDIT_MAC_UNLBL_DENY 1407 /* NetLabel: deny unlabeled traffic */ 99#define AUDIT_MAC_CIPSOV4_ADD 1407 /* NetLabel: add CIPSOv4 DOI entry */
100#define AUDIT_MAC_CIPSOV4_ADD 1408 /* NetLabel: add CIPSOv4 DOI entry */ 100#define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */
101#define AUDIT_MAC_CIPSOV4_DEL 1409 /* NetLabel: del CIPSOv4 DOI entry */ 101#define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */
102#define AUDIT_MAC_MAP_ADD 1410 /* NetLabel: add LSM domain mapping */ 102#define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */
103#define AUDIT_MAC_MAP_DEL 1411 /* NetLabel: del LSM domain mapping */
104 103
105#define AUDIT_FIRST_KERN_ANOM_MSG 1700 104#define AUDIT_FIRST_KERN_ANOM_MSG 1700
106#define AUDIT_LAST_KERN_ANOM_MSG 1799 105#define AUDIT_LAST_KERN_ANOM_MSG 1799
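Review bot: Collapsing AUDIT_MAC_UNLBL_ACCEPT/DENY into the single AUDIT_MAC_UNLBL_ALLOW also shifts the numeric values of AUDIT_MAC_CIPSOV4_ADD, AUDIT_MAC_CIPSOV4_DEL, AUDIT_MAC_MAP_ADD and AUDIT_MAC_MAP_DEL down by one (1408-1411 become 1407-1410). These type numbers are what userspace audit consumers key on, so any parser or dispatch table built against the previous header would misclassify the records; if the old numbers have already shipped in a release, keeping the existing values and assigning 1407 to the new ALLOW type is the compatible choice. Either way a comment on the block, `/* NetLabel record types: values are userspace ABI, do not renumber */`, would keep a later edit from repeating this.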
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h
index 5d6ae1b2b196..718b4d9c891f 100644
--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -129,7 +129,7 @@ extern int cipso_v4_rbm_strictvalid;
129#ifdef CONFIG_NETLABEL 129#ifdef CONFIG_NETLABEL
130int cipso_v4_doi_add(struct cipso_v4_doi *doi_def); 130int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
131int cipso_v4_doi_remove(u32 doi, 131int cipso_v4_doi_remove(u32 doi,
132 u32 audit_secid, 132 struct netlbl_audit *audit_info,
133 void (*callback) (struct rcu_head * head)); 133 void (*callback) (struct rcu_head * head));
134struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi); 134struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
135int cipso_v4_doi_walk(u32 *skip_cnt, 135int cipso_v4_doi_walk(u32 *skip_cnt,
@@ -145,7 +145,7 @@ static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
145} 145}
146 146
147static inline int cipso_v4_doi_remove(u32 doi, 147static inline int cipso_v4_doi_remove(u32 doi,
148 u32 audit_secid, 148 struct netlbl_audit *audit_info,
149 void (*callback) (struct rcu_head * head)) 149 void (*callback) (struct rcu_head * head))
150{ 150{
151 return 0; 151 return 0;
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 190bfdbbdba6..c63a58058e21 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -92,11 +92,17 @@
92 * 92 *
93 */ 93 */
94 94
95/* NetLabel audit information */
96struct netlbl_audit {
97 u32 secid;
98 uid_t loginuid;
99};
100
95/* Domain mapping definition struct */ 101/* Domain mapping definition struct */
96struct netlbl_dom_map; 102struct netlbl_dom_map;
97 103
98/* Domain mapping operations */ 104/* Domain mapping operations */
99int netlbl_domhsh_remove(const char *domain, u32 audit_secid); 105int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
100 106
101/* LSM security attributes */ 107/* LSM security attributes */
102struct netlbl_lsm_cache { 108struct netlbl_lsm_cache {
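Review bot: The new `struct netlbl_audit` at new lines 95-99 carries two bare fields under a one-line heading, and nothing in this header says where the values come from or who fills them in. From netlbl_netlink_auditinfo() in netlabel_user.h they are the netlink sender's `NETLINK_CB(skb).sid` and `.loginuid`, netlabel_unlabeled.c fills them by hand for the boot-time default, and netlbl_audit_start_common() treats a zero secid as "no subject", so the struct is the per-request attribution handed down to the audit helper. A kernel-doc block stating this would help: `/** struct netlbl_audit - audit attribution for a NetLabel configuration change`, `@secid: LSM secid of the task requesting the change (0 if none)`, `@loginuid: audit loginuid of the requesting task`, closing `*/`.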
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index c4e469ff842d..a8e2e879a647 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -485,7 +485,7 @@ doi_add_failure_rlock:
485 * 485 *
486 */ 486 */
487int cipso_v4_doi_remove(u32 doi, 487int cipso_v4_doi_remove(u32 doi,
488 u32 audit_secid, 488 struct netlbl_audit *audit_info,
489 void (*callback) (struct rcu_head * head)) 489 void (*callback) (struct rcu_head * head))
490{ 490{
491 struct cipso_v4_doi *doi_def; 491 struct cipso_v4_doi *doi_def;
@@ -506,7 +506,7 @@ int cipso_v4_doi_remove(u32 doi,
506 list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list) 506 list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list)
507 if (dom_iter->valid) 507 if (dom_iter->valid)
508 netlbl_domhsh_remove(dom_iter->domain, 508 netlbl_domhsh_remove(dom_iter->domain,
509 audit_secid); 509 audit_info);
510 cipso_v4_cache_invalidate(); 510 cipso_v4_cache_invalidate();
511 rcu_read_unlock(); 511 rcu_read_unlock();
512 512
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index 09986ca962a6..a6ce1d6d5c59 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -384,11 +384,15 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
384 u32 doi; 384 u32 doi;
385 const char *type_str = "(unknown)"; 385 const char *type_str = "(unknown)";
386 struct audit_buffer *audit_buf; 386 struct audit_buffer *audit_buf;
387 struct netlbl_audit audit_info;
387 388
388 if (!info->attrs[NLBL_CIPSOV4_A_DOI] || 389 if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
389 !info->attrs[NLBL_CIPSOV4_A_MTYPE]) 390 !info->attrs[NLBL_CIPSOV4_A_MTYPE])
390 return -EINVAL; 391 return -EINVAL;
391 392
393 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
394 netlbl_netlink_auditinfo(skb, &audit_info);
395
392 type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]); 396 type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
393 switch (type) { 397 switch (type) {
394 case CIPSO_V4_MAP_STD: 398 case CIPSO_V4_MAP_STD:
@@ -401,13 +405,14 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
401 break; 405 break;
402 } 406 }
403 407
404 if (ret_val == 0) { 408 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
405 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); 409 &audit_info);
406 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, 410 audit_log_format(audit_buf,
407 NETLINK_CB(skb).sid); 411 " cipso_doi=%u cipso_type=%s res=%u",
408 audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str); 412 doi,
409 audit_log_end(audit_buf); 413 type_str,
410 } 414 ret_val == 0 ? 1 : 0);
415 audit_log_end(audit_buf);
411 416
412 return ret_val; 417 return ret_val;
413} 418}
@@ -668,20 +673,25 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
668 int ret_val = -EINVAL; 673 int ret_val = -EINVAL;
669 u32 doi = 0; 674 u32 doi = 0;
670 struct audit_buffer *audit_buf; 675 struct audit_buffer *audit_buf;
676 struct netlbl_audit audit_info;
671 677
672 if (info->attrs[NLBL_CIPSOV4_A_DOI]) { 678 if (!info->attrs[NLBL_CIPSOV4_A_DOI])
673 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); 679 return -EINVAL;
674 ret_val = cipso_v4_doi_remove(doi,
675 NETLINK_CB(skb).sid,
676 netlbl_cipsov4_doi_free);
677 }
678 680
679 if (ret_val == 0) { 681 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
680 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, 682 netlbl_netlink_auditinfo(skb, &audit_info);
681 NETLINK_CB(skb).sid); 683
682 audit_log_format(audit_buf, " doi=%u", doi); 684 ret_val = cipso_v4_doi_remove(doi,
683 audit_log_end(audit_buf); 685 &audit_info,
684 } 686 netlbl_cipsov4_doi_free);
687
688 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
689 &audit_info);
690 audit_log_format(audit_buf,
691 " cipso_doi=%u res=%u",
692 doi,
693 ret_val == 0 ? 1 : 0);
694 audit_log_end(audit_buf);
685 695
686 return ret_val; 696 return ret_val;
687} 697}
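Review bot: Both netlbl_cipsov4_add() and netlbl_cipsov4_remove() now pass the result of netlbl_audit_start_common() straight into audit_log_format() and audit_log_end() without a NULL check, although that helper is documented (in netlabel_user.c on this page) as returning NULL on failure. This works because both audit_log_* calls return early on a NULL buffer, but a reader of this file cannot see that; a short comment at the first call site, `/* audit_buf may be NULL; audit_log_format/audit_log_end accept that */`, records the reliance. Worth stating in the changelog rather than the code is that the add path now emits a `res=0` record for requests that fail in the type switch, so malformed requests become visible in the audit trail instead of being silent.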
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
index d64e2ae3b129..af4371d3b459 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -188,7 +188,7 @@ int netlbl_domhsh_init(u32 size)
188/** 188/**
189 * netlbl_domhsh_add - Adds a entry to the domain hash table 189 * netlbl_domhsh_add - Adds a entry to the domain hash table
190 * @entry: the entry to add 190 * @entry: the entry to add
191 * @audit_secid: the LSM secid to use in the audit message 191 * @audit_info: NetLabel audit information
192 * 192 *
193 * Description: 193 * Description:
194 * Adds a new entry to the domain hash table and handles any updates to the 194 * Adds a new entry to the domain hash table and handles any updates to the
@@ -196,7 +196,8 @@ int netlbl_domhsh_init(u32 size)
196 * negative on failure. 196 * negative on failure.
197 * 197 *
198 */ 198 */
199int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid) 199int netlbl_domhsh_add(struct netlbl_dom_map *entry,
200 struct netlbl_audit *audit_info)
200{ 201{
201 int ret_val; 202 int ret_val;
202 u32 bkt; 203 u32 bkt;
@@ -241,26 +242,26 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid)
241 spin_unlock(&netlbl_domhsh_def_lock); 242 spin_unlock(&netlbl_domhsh_def_lock);
242 } else 243 } else
243 ret_val = -EINVAL; 244 ret_val = -EINVAL;
244 if (ret_val == 0) { 245
245 if (entry->domain != NULL) 246 if (entry->domain != NULL)
246 audit_domain = entry->domain; 247 audit_domain = entry->domain;
247 else 248 else
248 audit_domain = "(default)"; 249 audit_domain = "(default)";
249 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, 250 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info);
250 audit_secid); 251 audit_log_format(audit_buf, " nlbl_domain=%s", audit_domain);
251 audit_log_format(audit_buf, " domain=%s", audit_domain); 252 switch (entry->type) {
252 switch (entry->type) { 253 case NETLBL_NLTYPE_UNLABELED:
253 case NETLBL_NLTYPE_UNLABELED: 254 audit_log_format(audit_buf, " nlbl_protocol=unlbl");
254 audit_log_format(audit_buf, " protocol=unlbl"); 255 break;
255 break; 256 case NETLBL_NLTYPE_CIPSOV4:
256 case NETLBL_NLTYPE_CIPSOV4: 257 audit_log_format(audit_buf,
257 audit_log_format(audit_buf, 258 " nlbl_protocol=cipsov4 cipso_doi=%u",
258 " protocol=cipsov4 doi=%u", 259 entry->type_def.cipsov4->doi);
259 entry->type_def.cipsov4->doi); 260 break;
260 break;
261 }
262 audit_log_end(audit_buf);
263 } 261 }
262 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
263 audit_log_end(audit_buf);
264
264 rcu_read_unlock(); 265 rcu_read_unlock();
265 266
266 if (ret_val != 0) { 267 if (ret_val != 0) {
@@ -279,7 +280,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid)
279/** 280/**
280 * netlbl_domhsh_add_default - Adds the default entry to the domain hash table 281 * netlbl_domhsh_add_default - Adds the default entry to the domain hash table
281 * @entry: the entry to add 282 * @entry: the entry to add
282 * @audit_secid: the LSM secid to use in the audit message 283 * @audit_info: NetLabel audit information
283 * 284 *
284 * Description: 285 * Description:
285 * Adds a new default entry to the domain hash table and handles any updates 286 * Adds a new default entry to the domain hash table and handles any updates
@@ -287,15 +288,16 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid)
287 * negative on failure. 288 * negative on failure.
288 * 289 *
289 */ 290 */
290int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid) 291int netlbl_domhsh_add_default(struct netlbl_dom_map *entry,
292 struct netlbl_audit *audit_info)
291{ 293{
292 return netlbl_domhsh_add(entry, audit_secid); 294 return netlbl_domhsh_add(entry, audit_info);
293} 295}
294 296
295/** 297/**
296 * netlbl_domhsh_remove - Removes an entry from the domain hash table 298 * netlbl_domhsh_remove - Removes an entry from the domain hash table
297 * @domain: the domain to remove 299 * @domain: the domain to remove
298 * @audit_secid: the LSM secid to use in the audit message 300 * @audit_info: NetLabel audit information
299 * 301 *
300 * Description: 302 * Description:
301 * Removes an entry from the domain hash table and handles any updates to the 303 * Removes an entry from the domain hash table and handles any updates to the
@@ -303,7 +305,7 @@ int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid)
303 * negative on failure. 305 * negative on failure.
304 * 306 *
305 */ 307 */
306int netlbl_domhsh_remove(const char *domain, u32 audit_secid) 308int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info)
307{ 309{
308 int ret_val = -ENOENT; 310 int ret_val = -ENOENT;
309 struct netlbl_dom_map *entry; 311 struct netlbl_dom_map *entry;
@@ -345,18 +347,20 @@ int netlbl_domhsh_remove(const char *domain, u32 audit_secid)
345 ret_val = -ENOENT; 347 ret_val = -ENOENT;
346 spin_unlock(&netlbl_domhsh_def_lock); 348 spin_unlock(&netlbl_domhsh_def_lock);
347 } 349 }
348 if (ret_val == 0) {
349 if (entry->domain != NULL)
350 audit_domain = entry->domain;
351 else
352 audit_domain = "(default)";
353 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL,
354 audit_secid);
355 audit_log_format(audit_buf, " domain=%s", audit_domain);
356 audit_log_end(audit_buf);
357 350
351 if (entry->domain != NULL)
352 audit_domain = entry->domain;
353 else
354 audit_domain = "(default)";
355 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info);
356 audit_log_format(audit_buf,
357 " nlbl_domain=%s res=%u",
358 audit_domain,
359 ret_val == 0 ? 1 : 0);
360 audit_log_end(audit_buf);
361
362 if (ret_val == 0)
358 call_rcu(&entry->rcu, netlbl_domhsh_free_entry); 363 call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
359 }
360 364
361remove_return: 365remove_return:
362 rcu_read_unlock(); 366 rcu_read_unlock();
@@ -365,7 +369,7 @@ remove_return:
365 369
366/** 370/**
367 * netlbl_domhsh_remove_default - Removes the default entry from the table 371 * netlbl_domhsh_remove_default - Removes the default entry from the table
368 * @audit_secid: the LSM secid to use in the audit message 372 * @audit_info: NetLabel audit information
369 * 373 *
370 * Description: 374 * Description:
371 * Removes/resets the default entry for the domain hash table and handles any 375 * Removes/resets the default entry for the domain hash table and handles any
@@ -373,9 +377,9 @@ remove_return:
373 * success, non-zero on failure. 377 * success, non-zero on failure.
374 * 378 *
375 */ 379 */
376int netlbl_domhsh_remove_default(u32 audit_secid) 380int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info)
377{ 381{
378 return netlbl_domhsh_remove(NULL, audit_secid); 382 return netlbl_domhsh_remove(NULL, audit_info);
379} 383}
380 384
381/** 385/**
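Review bot: In netlbl_domhsh_remove() (hunk @@ -345,18 +347,20 @@) the audit record is now emitted unconditionally just before the `remove_return:` label, so any path that jumps to that label leaves no record at all, while the `-ENOENT` produced inside the hunk for an already-invalid entry is logged with `res=0`; the function's start and its `goto remove_return` sites are outside the hunk, so which requests go unaudited cannot be read from here. If the intent is that every remove request is auditable, the early exits should fall through to the audit block; at minimum a comment at the top of the block, `/* audited only for entries that were found; lookup failures leave via remove_return */`, makes the gap explicit. Note also that `entry->domain` is now dereferenced outside the removed `if (ret_val == 0)` guard, which is safe only if every path reaching this point has a non-NULL entry — the visible branches already operate on entry, so this looks intentional, but it is worth confirming against the part of the function not shown. netlbl_domhsh_add() in the first hunk has the same restructuring but no visible early exit, so as far as the hunk shows it is not affected.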
diff --git a/net/netlabel/netlabel_domainhash.h b/net/netlabel/netlabel_domainhash.h
index d50f13cacdca..3689956c3436 100644
--- a/net/netlabel/netlabel_domainhash.h
+++ b/net/netlabel/netlabel_domainhash.h
@@ -57,9 +57,11 @@ struct netlbl_dom_map {
57int netlbl_domhsh_init(u32 size); 57int netlbl_domhsh_init(u32 size);
58 58
59/* Manipulate the domain hash table */ 59/* Manipulate the domain hash table */
60int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid); 60int netlbl_domhsh_add(struct netlbl_dom_map *entry,
61int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid); 61 struct netlbl_audit *audit_info);
62int netlbl_domhsh_remove_default(u32 audit_secid); 62int netlbl_domhsh_add_default(struct netlbl_dom_map *entry,
63 struct netlbl_audit *audit_info);
64int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info);
63struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); 65struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain);
64int netlbl_domhsh_walk(u32 *skip_bkt, 66int netlbl_domhsh_walk(u32 *skip_bkt,
65 u32 *skip_chain, 67 u32 *skip_chain,
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
index 0ac314f18ad1..53c9079ad2c3 100644
--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -87,11 +87,14 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info)
87 struct netlbl_dom_map *entry = NULL; 87 struct netlbl_dom_map *entry = NULL;
88 size_t tmp_size; 88 size_t tmp_size;
89 u32 tmp_val; 89 u32 tmp_val;
90 struct netlbl_audit audit_info;
90 91
91 if (!info->attrs[NLBL_MGMT_A_DOMAIN] || 92 if (!info->attrs[NLBL_MGMT_A_DOMAIN] ||
92 !info->attrs[NLBL_MGMT_A_PROTOCOL]) 93 !info->attrs[NLBL_MGMT_A_PROTOCOL])
93 goto add_failure; 94 goto add_failure;
94 95
96 netlbl_netlink_auditinfo(skb, &audit_info);
97
95 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 98 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
96 if (entry == NULL) { 99 if (entry == NULL) {
97 ret_val = -ENOMEM; 100 ret_val = -ENOMEM;
@@ -108,7 +111,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info)
108 111
109 switch (entry->type) { 112 switch (entry->type) {
110 case NETLBL_NLTYPE_UNLABELED: 113 case NETLBL_NLTYPE_UNLABELED:
111 ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid); 114 ret_val = netlbl_domhsh_add(entry, &audit_info);
112 break; 115 break;
113 case NETLBL_NLTYPE_CIPSOV4: 116 case NETLBL_NLTYPE_CIPSOV4:
114 if (!info->attrs[NLBL_MGMT_A_CV4DOI]) 117 if (!info->attrs[NLBL_MGMT_A_CV4DOI])
@@ -125,7 +128,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info)
125 rcu_read_unlock(); 128 rcu_read_unlock();
126 goto add_failure; 129 goto add_failure;
127 } 130 }
128 ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid); 131 ret_val = netlbl_domhsh_add(entry, &audit_info);
129 rcu_read_unlock(); 132 rcu_read_unlock();
130 break; 133 break;
131 default: 134 default:
@@ -156,12 +159,15 @@ add_failure:
156static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info) 159static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info)
157{ 160{
158 char *domain; 161 char *domain;
162 struct netlbl_audit audit_info;
159 163
160 if (!info->attrs[NLBL_MGMT_A_DOMAIN]) 164 if (!info->attrs[NLBL_MGMT_A_DOMAIN])
161 return -EINVAL; 165 return -EINVAL;
162 166
167 netlbl_netlink_auditinfo(skb, &audit_info);
168
163 domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); 169 domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]);
164 return netlbl_domhsh_remove(domain, NETLINK_CB(skb).sid); 170 return netlbl_domhsh_remove(domain, &audit_info);
165} 171}
166 172
167/** 173/**
@@ -264,10 +270,13 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info)
264 int ret_val = -EINVAL; 270 int ret_val = -EINVAL;
265 struct netlbl_dom_map *entry = NULL; 271 struct netlbl_dom_map *entry = NULL;
266 u32 tmp_val; 272 u32 tmp_val;
273 struct netlbl_audit audit_info;
267 274
268 if (!info->attrs[NLBL_MGMT_A_PROTOCOL]) 275 if (!info->attrs[NLBL_MGMT_A_PROTOCOL])
269 goto adddef_failure; 276 goto adddef_failure;
270 277
278 netlbl_netlink_auditinfo(skb, &audit_info);
279
271 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 280 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
272 if (entry == NULL) { 281 if (entry == NULL) {
273 ret_val = -ENOMEM; 282 ret_val = -ENOMEM;
@@ -277,8 +286,7 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info)
277 286
278 switch (entry->type) { 287 switch (entry->type) {
279 case NETLBL_NLTYPE_UNLABELED: 288 case NETLBL_NLTYPE_UNLABELED:
280 ret_val = netlbl_domhsh_add_default(entry, 289 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
281 NETLINK_CB(skb).sid);
282 break; 290 break;
283 case NETLBL_NLTYPE_CIPSOV4: 291 case NETLBL_NLTYPE_CIPSOV4:
284 if (!info->attrs[NLBL_MGMT_A_CV4DOI]) 292 if (!info->attrs[NLBL_MGMT_A_CV4DOI])
@@ -295,8 +303,7 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info)
295 rcu_read_unlock(); 303 rcu_read_unlock();
296 goto adddef_failure; 304 goto adddef_failure;
297 } 305 }
298 ret_val = netlbl_domhsh_add_default(entry, 306 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
299 NETLINK_CB(skb).sid);
300 rcu_read_unlock(); 307 rcu_read_unlock();
301 break; 308 break;
302 default: 309 default:
@@ -324,7 +331,11 @@ adddef_failure:
324 */ 331 */
325static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) 332static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info)
326{ 333{
327 return netlbl_domhsh_remove_default(NETLINK_CB(skb).sid); 334 struct netlbl_audit audit_info;
335
336 netlbl_netlink_auditinfo(skb, &audit_info);
337
338 return netlbl_domhsh_remove_default(&audit_info);
328} 339}
329 340
330/** 341/**
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index ab36675fee8c..1833ad233b39 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -70,18 +70,25 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
70/** 70/**
71 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag 71 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
72 * @value: desired value 72 * @value: desired value
73 * @audit_secid: the LSM secid to use in the audit message 73 * @audit_info: NetLabel audit information
74 * 74 *
75 * Description: 75 * Description:
76 * Set the value of the unlabeled accept flag to @value. 76 * Set the value of the unlabeled accept flag to @value.
77 * 77 *
78 */ 78 */
79static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid) 79static void netlbl_unlabel_acceptflg_set(u8 value,
80 struct netlbl_audit *audit_info)
80{ 81{
82 struct audit_buffer *audit_buf;
83 u8 old_val;
84
85 old_val = atomic_read(&netlabel_unlabel_accept_flg);
81 atomic_set(&netlabel_unlabel_accept_flg, value); 86 atomic_set(&netlabel_unlabel_accept_flg, value);
82 netlbl_audit_nomsg((value ? 87
83 AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY), 88 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
84 audit_secid); 89 audit_info);
90 audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val);
91 audit_log_end(audit_buf);
85} 92}
86 93
87/* 94/*
@@ -101,12 +108,13 @@ static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
101static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) 108static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
102{ 109{
103 u8 value; 110 u8 value;
111 struct netlbl_audit audit_info;
104 112
105 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { 113 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
106 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); 114 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
107 if (value == 1 || value == 0) { 115 if (value == 1 || value == 0) {
108 netlbl_unlabel_acceptflg_set(value, 116 netlbl_netlink_auditinfo(skb, &audit_info);
109 NETLINK_CB(skb).sid); 117 netlbl_unlabel_acceptflg_set(value, &audit_info);
110 return 0; 118 return 0;
111 } 119 }
112 } 120 }
@@ -250,19 +258,23 @@ int netlbl_unlabel_defconf(void)
250{ 258{
251 int ret_val; 259 int ret_val;
252 struct netlbl_dom_map *entry; 260 struct netlbl_dom_map *entry;
253 u32 secid; 261 struct netlbl_audit audit_info;
254 262
255 security_task_getsecid(current, &secid); 263 /* Only the kernel is allowed to call this function and the only time
264 * it is called is at bootup before the audit subsystem is reporting
265 * messages so don't worry to much about these values. */
266 security_task_getsecid(current, &audit_info.secid);
267 audit_info.loginuid = 0;
256 268
257 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 269 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
258 if (entry == NULL) 270 if (entry == NULL)
259 return -ENOMEM; 271 return -ENOMEM;
260 entry->type = NETLBL_NLTYPE_UNLABELED; 272 entry->type = NETLBL_NLTYPE_UNLABELED;
261 ret_val = netlbl_domhsh_add_default(entry, secid); 273 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
262 if (ret_val != 0) 274 if (ret_val != 0)
263 return ret_val; 275 return ret_val;
264 276
265 netlbl_unlabel_acceptflg_set(1, secid); 277 netlbl_unlabel_acceptflg_set(1, &audit_info);
266 278
267 return 0; 279 return 0;
268} 280}
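Review bot: In netlbl_unlabel_acceptflg_set() the `old=%u` value is obtained with a separate `atomic_read()` before the `atomic_set()`, so two concurrent setters can both record the same old value and the audit trail no longer reflects the real sequence of transitions; `old_val = atomic_xchg(&netlabel_unlabel_accept_flg, value);` does the read and write in one step and yields the value the record should carry. Separately, netlbl_unlabel_defconf() now fills `audit_info.loginuid = 0`, which netlbl_audit_start_common() prints as `auid=0`, attributing the boot-time default to a login uid of root. If a kernel-originated change is meant to be distinguishable from an administrator's, `(uid_t)-1` is presumably the value the audit subsystem reports for an unset loginuid — confirm against audit_get_loginuid()'s initial value before relying on it, and say so in the comment that currently reads "don't worry to much about these values".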
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index c2343af584cb..98a416381e61 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -85,7 +85,7 @@ int netlbl_netlink_init(void)
85/** 85/**
86 * netlbl_audit_start_common - Start an audit message 86 * netlbl_audit_start_common - Start an audit message
87 * @type: audit message type 87 * @type: audit message type
88 * @secid: LSM context ID 88 * @audit_info: NetLabel audit information
89 * 89 *
90 * Description: 90 * Description:
91 * Start an audit message using the type specified in @type and fill the audit 91 * Start an audit message using the type specified in @type and fill the audit
@@ -93,14 +93,11 @@ int netlbl_netlink_init(void)
93 * a pointer to the audit buffer on success, NULL on failure. 93 * a pointer to the audit buffer on success, NULL on failure.
94 * 94 *
95 */ 95 */
96struct audit_buffer *netlbl_audit_start_common(int type, u32 secid) 96struct audit_buffer *netlbl_audit_start_common(int type,
97 struct netlbl_audit *audit_info)
97{ 98{
98 struct audit_context *audit_ctx = current->audit_context; 99 struct audit_context *audit_ctx = current->audit_context;
99 struct audit_buffer *audit_buf; 100 struct audit_buffer *audit_buf;
100 uid_t audit_loginuid;
101 const char *audit_tty;
102 char audit_comm[sizeof(current->comm)];
103 struct vm_area_struct *vma;
104 char *secctx; 101 char *secctx;
105 u32 secctx_len; 102 u32 secctx_len;
106 103
@@ -108,60 +105,13 @@ struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
108 if (audit_buf == NULL) 105 if (audit_buf == NULL)
109 return NULL; 106 return NULL;
110 107
111 audit_loginuid = audit_get_loginuid(audit_ctx); 108 audit_log_format(audit_buf, "netlabel: auid=%u", audit_info->loginuid);
112 if (current->signal &&
113 current->signal->tty &&
114 current->signal->tty->name)
115 audit_tty = current->signal->tty->name;
116 else
117 audit_tty = "(none)";
118 get_task_comm(audit_comm, current);
119 109
120 audit_log_format(audit_buf, 110 if (audit_info->secid != 0 &&
121 "netlabel: auid=%u uid=%u tty=%s pid=%d", 111 security_secid_to_secctx(audit_info->secid,
122 audit_loginuid, 112 &secctx,
123 current->uid, 113 &secctx_len) == 0)
124 audit_tty,
125 current->pid);
126 audit_log_format(audit_buf, " comm=");
127 audit_log_untrustedstring(audit_buf, audit_comm);
128 if (current->mm) {
129 down_read(&current->mm->mmap_sem);
130 vma = current->mm->mmap;
131 while (vma) {
132 if ((vma->vm_flags & VM_EXECUTABLE) &&
133 vma->vm_file) {
134 audit_log_d_path(audit_buf,
135 " exe=",
136 vma->vm_file->f_dentry,
137 vma->vm_file->f_vfsmnt);
138 break;
139 }
140 vma = vma->vm_next;
141 }
142 up_read(&current->mm->mmap_sem);
143 }
144
145 if (secid != 0 &&
146 security_secid_to_secctx(secid, &secctx, &secctx_len) == 0)
147 audit_log_format(audit_buf, " subj=%s", secctx); 114 audit_log_format(audit_buf, " subj=%s", secctx);
148 115
149 return audit_buf; 116 return audit_buf;
150} 117}
151
152/**
153 * netlbl_audit_nomsg - Send an audit message without additional text
154 * @type: audit message type
155 * @secid: LSM context ID
156 *
157 * Description:
158 * Send an audit message with only the common NetLabel audit fields.
159 *
160 */
161void netlbl_audit_nomsg(int type, u32 secid)
162{
163 struct audit_buffer *audit_buf;
164
165 audit_buf = netlbl_audit_start_common(type, secid);
166 audit_log_end(audit_buf);
167}
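Review bot: netlbl_audit_start_common() now emits only `auid=` and `subj=`, dropping the uid/tty/pid/comm/exe fields, but the kernel-doc description above the function (old lines 91-93, partly outside the hunk) still describes it as filling in the common audit fields. The description should say what remains: that the message carries only the NetLabel-specific attribution from @audit_info, i.e. the loginuid and the LSM subject context, and that process details are presumably expected from the accompanying syscall record rather than being duplicated here — confirm that expectation with the audit maintainers' conventions before writing it as fact. A second line worth adding is that `audit_ctx` is still taken from `current` while the attribution comes from @audit_info, so the two describe the same task only when the caller built @audit_info from the request being handled.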
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index ab840acfc964..47967ef32964 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -72,13 +72,25 @@ static inline void *netlbl_netlink_hdr_put(struct sk_buff *skb,
72 NETLBL_PROTO_VERSION); 72 NETLBL_PROTO_VERSION);
73} 73}
74 74
75/**
76 * netlbl_netlink_auditinfo - Fetch the audit information from a NETLINK msg
77 * @skb: the packet
78 * @audit_info: NetLabel audit information
79 */
80static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
81 struct netlbl_audit *audit_info)
82{
83 audit_info->secid = NETLINK_CB(skb).sid;
84 audit_info->loginuid = NETLINK_CB(skb).loginuid;
85}
86
75/* NetLabel NETLINK I/O functions */ 87/* NetLabel NETLINK I/O functions */
76 88
77int netlbl_netlink_init(void); 89int netlbl_netlink_init(void);
78 90
79/* NetLabel Audit Functions */ 91/* NetLabel Audit Functions */
80 92
81struct audit_buffer *netlbl_audit_start_common(int type, u32 secid); 93struct audit_buffer *netlbl_audit_start_common(int type,
82void netlbl_audit_nomsg(int type, u32 secid); 94 struct netlbl_audit *audit_info);
83 95
84#endif 96#endif