author | Paul Moore <paul.moore@hp.com> | 2006-09-29 20:05:05 -0400 |
committer | David S. Miller <davem@davemloft.net> | 2006-09-29 20:05:05 -0400 |
commit | 95d4e6be25a68cd9fbe8c0d356b585504d8db1c7 (patch) | |
tree | 2133c970e6786bdf82004ace225b6bca19b9ddba | |
parent | d6c641026dec68acfb4b0baa98aad960e963ed97 (diff) |
[NetLabel]: audit fixups due to delayed feedback
Fix some issues Steve Grubb had with the way NetLabel was using the audit
subsystem. This should make NetLabel more consistent with other kernel
generated audit messages specifying configuration changes.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/linux/audit.h | 11 | ||||
-rw-r--r-- | include/net/cipso_ipv4.h | 4 | ||||
-rw-r--r-- | include/net/netlabel.h | 8 | ||||
-rw-r--r-- | net/ipv4/cipso_ipv4.c | 4 | ||||
-rw-r--r-- | net/netlabel/netlabel_cipso_v4.c | 48 | ||||
-rw-r--r-- | net/netlabel/netlabel_domainhash.c | 82 | ||||
-rw-r--r-- | net/netlabel/netlabel_domainhash.h | 8 | ||||
-rw-r--r-- | net/netlabel/netlabel_mgmt.c | 27 | ||||
-rw-r--r-- | net/netlabel/netlabel_unlabeled.c | 34 | ||||
-rw-r--r-- | net/netlabel/netlabel_user.c | 66 | ||||
-rw-r--r-- | net/netlabel/netlabel_user.h | 16 |
11 files changed, 157 insertions, 151 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 42719d07612a..c3aa09751814 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -95,12 +95,11 @@ | |||
95 | #define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ | 95 | #define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ |
96 | #define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ | 96 | #define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ |
97 | #define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ | 97 | #define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ |
98 | #define AUDIT_MAC_UNLBL_ACCEPT 1406 /* NetLabel: allow unlabeled traffic */ | 98 | #define AUDIT_MAC_UNLBL_ALLOW 1406 /* NetLabel: allow unlabeled traffic */ |
99 | #define AUDIT_MAC_UNLBL_DENY 1407 /* NetLabel: deny unlabeled traffic */ | 99 | #define AUDIT_MAC_CIPSOV4_ADD 1407 /* NetLabel: add CIPSOv4 DOI entry */ |
100 | #define AUDIT_MAC_CIPSOV4_ADD 1408 /* NetLabel: add CIPSOv4 DOI entry */ | 100 | #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ |
101 | #define AUDIT_MAC_CIPSOV4_DEL 1409 /* NetLabel: del CIPSOv4 DOI entry */ | 101 | #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ |
102 | #define AUDIT_MAC_MAP_ADD 1410 /* NetLabel: add LSM domain mapping */ | 102 | #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ |
103 | #define AUDIT_MAC_MAP_DEL 1411 /* NetLabel: del LSM domain mapping */ | ||
104 | 103 | ||
105 | #define AUDIT_FIRST_KERN_ANOM_MSG 1700 | 104 | #define AUDIT_FIRST_KERN_ANOM_MSG 1700 |
106 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 | 105 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 |
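Review bot: Renumbering the existing AUDIT_MAC_* values at new lines 99–102 (CIPSOV4_ADD/DEL and MAP_ADD/DEL each move down by one) changes constants that userspace audit consumers match by number, since include/linux/audit.h is exported to userspace; a parser built against the old table would label these records wrongly. This is only safe if the 1406–1411 block has not yet shipped in a released kernel, which the page does not show — if it has, keep the old values and leave 1407 unused rather than collapsing the range. A one-line comment above AUDIT_MAC_UNLBL_ALLOW noting that the former ACCEPT/DENY pair was merged into one type reporting `unlbl_accept=` would also help whoever maintains the userspace message-type table.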
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h index 5d6ae1b2b196..718b4d9c891f 100644 --- a/include/net/cipso_ipv4.h +++ b/include/net/cipso_ipv4.h | |||
@@ -129,7 +129,7 @@ extern int cipso_v4_rbm_strictvalid; | |||
129 | #ifdef CONFIG_NETLABEL | 129 | #ifdef CONFIG_NETLABEL |
130 | int cipso_v4_doi_add(struct cipso_v4_doi *doi_def); | 130 | int cipso_v4_doi_add(struct cipso_v4_doi *doi_def); |
131 | int cipso_v4_doi_remove(u32 doi, | 131 | int cipso_v4_doi_remove(u32 doi, |
132 | u32 audit_secid, | 132 | struct netlbl_audit *audit_info, |
133 | void (*callback) (struct rcu_head * head)); | 133 | void (*callback) (struct rcu_head * head)); |
134 | struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi); | 134 | struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi); |
135 | int cipso_v4_doi_walk(u32 *skip_cnt, | 135 | int cipso_v4_doi_walk(u32 *skip_cnt, |
@@ -145,7 +145,7 @@ static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def) | |||
145 | } | 145 | } |
146 | 146 | ||
147 | static inline int cipso_v4_doi_remove(u32 doi, | 147 | static inline int cipso_v4_doi_remove(u32 doi, |
148 | u32 audit_secid, | 148 | struct netlbl_audit *audit_info, |
149 | void (*callback) (struct rcu_head * head)) | 149 | void (*callback) (struct rcu_head * head)) |
150 | { | 150 | { |
151 | return 0; | 151 | return 0; |
diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 190bfdbbdba6..c63a58058e21 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h | |||
@@ -92,11 +92,17 @@ | |||
92 | * | 92 | * |
93 | */ | 93 | */ |
94 | 94 | ||
95 | /* NetLabel audit information */ | ||
96 | struct netlbl_audit { | ||
97 | u32 secid; | ||
98 | uid_t loginuid; | ||
99 | }; | ||
100 | |||
95 | /* Domain mapping definition struct */ | 101 | /* Domain mapping definition struct */ |
96 | struct netlbl_dom_map; | 102 | struct netlbl_dom_map; |
97 | 103 | ||
98 | /* Domain mapping operations */ | 104 | /* Domain mapping operations */ |
99 | int netlbl_domhsh_remove(const char *domain, u32 audit_secid); | 105 | int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info); |
100 | 106 | ||
101 | /* LSM security attributes */ | 107 | /* LSM security attributes */ |
102 | struct netlbl_lsm_cache { | 108 | struct netlbl_lsm_cache { |
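Review bot: The new `struct netlbl_audit` at lines 96–99 has no field documentation, although it is now the one object every NetLabel audit record is built from. Suggest a short kerneldoc block: `@secid: LSM secid of the requesting task, reported as subj=` and `@loginuid: audit login uid of the requester, reported as auid=`, plus a sentence stating that for netlink requests both are taken from the sender credentials in NETLINK_CB(skb) while the boot-time default configuration fills them from `current`. Making the source of these values explicit matters because the record attributes a configuration change to whoever these fields say, so a caller that fills them from the wrong context silently misattributes the change.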
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index c4e469ff842d..a8e2e879a647 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c | |||
@@ -485,7 +485,7 @@ doi_add_failure_rlock: | |||
485 | * | 485 | * |
486 | */ | 486 | */ |
487 | int cipso_v4_doi_remove(u32 doi, | 487 | int cipso_v4_doi_remove(u32 doi, |
488 | u32 audit_secid, | 488 | struct netlbl_audit *audit_info, |
489 | void (*callback) (struct rcu_head * head)) | 489 | void (*callback) (struct rcu_head * head)) |
490 | { | 490 | { |
491 | struct cipso_v4_doi *doi_def; | 491 | struct cipso_v4_doi *doi_def; |
@@ -506,7 +506,7 @@ int cipso_v4_doi_remove(u32 doi, | |||
506 | list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list) | 506 | list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list) |
507 | if (dom_iter->valid) | 507 | if (dom_iter->valid) |
508 | netlbl_domhsh_remove(dom_iter->domain, | 508 | netlbl_domhsh_remove(dom_iter->domain, |
509 | audit_secid); | 509 | audit_info); |
510 | cipso_v4_cache_invalidate(); | 510 | cipso_v4_cache_invalidate(); |
511 | rcu_read_unlock(); | 511 | rcu_read_unlock(); |
512 | 512 | ||
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index 09986ca962a6..a6ce1d6d5c59 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c | |||
@@ -384,11 +384,15 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) | |||
384 | u32 doi; | 384 | u32 doi; |
385 | const char *type_str = "(unknown)"; | 385 | const char *type_str = "(unknown)"; |
386 | struct audit_buffer *audit_buf; | 386 | struct audit_buffer *audit_buf; |
387 | struct netlbl_audit audit_info; | ||
387 | 388 | ||
388 | if (!info->attrs[NLBL_CIPSOV4_A_DOI] || | 389 | if (!info->attrs[NLBL_CIPSOV4_A_DOI] || |
389 | !info->attrs[NLBL_CIPSOV4_A_MTYPE]) | 390 | !info->attrs[NLBL_CIPSOV4_A_MTYPE]) |
390 | return -EINVAL; | 391 | return -EINVAL; |
391 | 392 | ||
393 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); | ||
394 | netlbl_netlink_auditinfo(skb, &audit_info); | ||
395 | |||
392 | type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]); | 396 | type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]); |
393 | switch (type) { | 397 | switch (type) { |
394 | case CIPSO_V4_MAP_STD: | 398 | case CIPSO_V4_MAP_STD: |
@@ -401,13 +405,14 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) | |||
401 | break; | 405 | break; |
402 | } | 406 | } |
403 | 407 | ||
404 | if (ret_val == 0) { | 408 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, |
405 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); | 409 | &audit_info); |
406 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, | 410 | audit_log_format(audit_buf, |
407 | NETLINK_CB(skb).sid); | 411 | " cipso_doi=%u cipso_type=%s res=%u", |
408 | audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str); | 412 | doi, |
409 | audit_log_end(audit_buf); | 413 | type_str, |
410 | } | 414 | ret_val == 0 ? 1 : 0); |
415 | audit_log_end(audit_buf); | ||
411 | 416 | ||
412 | return ret_val; | 417 | return ret_val; |
413 | } | 418 | } |
@@ -668,20 +673,25 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) | |||
668 | int ret_val = -EINVAL; | 673 | int ret_val = -EINVAL; |
669 | u32 doi = 0; | 674 | u32 doi = 0; |
670 | struct audit_buffer *audit_buf; | 675 | struct audit_buffer *audit_buf; |
676 | struct netlbl_audit audit_info; | ||
671 | 677 | ||
672 | if (info->attrs[NLBL_CIPSOV4_A_DOI]) { | 678 | if (!info->attrs[NLBL_CIPSOV4_A_DOI]) |
673 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); | 679 | return -EINVAL; |
674 | ret_val = cipso_v4_doi_remove(doi, | ||
675 | NETLINK_CB(skb).sid, | ||
676 | netlbl_cipsov4_doi_free); | ||
677 | } | ||
678 | 680 | ||
679 | if (ret_val == 0) { | 681 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); |
680 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, | 682 | netlbl_netlink_auditinfo(skb, &audit_info); |
681 | NETLINK_CB(skb).sid); | 683 | |
682 | audit_log_format(audit_buf, " doi=%u", doi); | 684 | ret_val = cipso_v4_doi_remove(doi, |
683 | audit_log_end(audit_buf); | 685 | &audit_info, |
684 | } | 686 | netlbl_cipsov4_doi_free); |
687 | |||
688 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, | ||
689 | &audit_info); | ||
690 | audit_log_format(audit_buf, | ||
691 | " cipso_doi=%u res=%u", | ||
692 | doi, | ||
693 | ret_val == 0 ? 1 : 0); | ||
694 | audit_log_end(audit_buf); | ||
685 | 695 | ||
686 | return ret_val; | 696 | return ret_val; |
687 | } | 697 | } |
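Review bot: In both netlbl_cipsov4_add (lines 408–415) and netlbl_cipsov4_remove (lines 688–694) the buffer returned by netlbl_audit_start_common() is passed straight to audit_log_format()/audit_log_end() although that helper is documented to return NULL on failure; this works only because the audit core treats a NULL buffer as a no-op, and a one-line comment such as `/* a NULL audit_buf is tolerated by audit_log_*() */` would keep the next reader from adding a redundant check or, worse, an early return that skips the rest of the handler. Note also that a request rejected at lines 678–679 for a missing DOI attribute returns before any record is started, so malformed configuration attempts leave no audit trail; if that is intended it deserves a comment, since the `res=` field was added precisely so that failed attempts become visible.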
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c index d64e2ae3b129..af4371d3b459 100644 --- a/net/netlabel/netlabel_domainhash.c +++ b/net/netlabel/netlabel_domainhash.c | |||
@@ -188,7 +188,7 @@ int netlbl_domhsh_init(u32 size) | |||
188 | /** | 188 | /** |
189 | * netlbl_domhsh_add - Adds a entry to the domain hash table | 189 | * netlbl_domhsh_add - Adds a entry to the domain hash table |
190 | * @entry: the entry to add | 190 | * @entry: the entry to add |
191 | * @audit_secid: the LSM secid to use in the audit message | 191 | * @audit_info: NetLabel audit information |
192 | * | 192 | * |
193 | * Description: | 193 | * Description: |
194 | * Adds a new entry to the domain hash table and handles any updates to the | 194 | * Adds a new entry to the domain hash table and handles any updates to the |
@@ -196,7 +196,8 @@ int netlbl_domhsh_init(u32 size) | |||
196 | * negative on failure. | 196 | * negative on failure. |
197 | * | 197 | * |
198 | */ | 198 | */ |
199 | int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid) | 199 | int netlbl_domhsh_add(struct netlbl_dom_map *entry, |
200 | struct netlbl_audit *audit_info) | ||
200 | { | 201 | { |
201 | int ret_val; | 202 | int ret_val; |
202 | u32 bkt; | 203 | u32 bkt; |
@@ -241,26 +242,26 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid) | |||
241 | spin_unlock(&netlbl_domhsh_def_lock); | 242 | spin_unlock(&netlbl_domhsh_def_lock); |
242 | } else | 243 | } else |
243 | ret_val = -EINVAL; | 244 | ret_val = -EINVAL; |
244 | if (ret_val == 0) { | 245 | |
245 | if (entry->domain != NULL) | 246 | if (entry->domain != NULL) |
246 | audit_domain = entry->domain; | 247 | audit_domain = entry->domain; |
247 | else | 248 | else |
248 | audit_domain = "(default)"; | 249 | audit_domain = "(default)"; |
249 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, | 250 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info); |
250 | audit_secid); | 251 | audit_log_format(audit_buf, " nlbl_domain=%s", audit_domain); |
251 | audit_log_format(audit_buf, " domain=%s", audit_domain); | 252 | switch (entry->type) { |
252 | switch (entry->type) { | 253 | case NETLBL_NLTYPE_UNLABELED: |
253 | case NETLBL_NLTYPE_UNLABELED: | 254 | audit_log_format(audit_buf, " nlbl_protocol=unlbl"); |
254 | audit_log_format(audit_buf, " protocol=unlbl"); | 255 | break; |
255 | break; | 256 | case NETLBL_NLTYPE_CIPSOV4: |
256 | case NETLBL_NLTYPE_CIPSOV4: | 257 | audit_log_format(audit_buf, |
257 | audit_log_format(audit_buf, | 258 | " nlbl_protocol=cipsov4 cipso_doi=%u", |
258 | " protocol=cipsov4 doi=%u", | 259 | entry->type_def.cipsov4->doi); |
259 | entry->type_def.cipsov4->doi); | 260 | break; |
260 | break; | ||
261 | } | ||
262 | audit_log_end(audit_buf); | ||
263 | } | 261 | } |
262 | audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); | ||
263 | audit_log_end(audit_buf); | ||
264 | |||
264 | rcu_read_unlock(); | 265 | rcu_read_unlock(); |
265 | 266 | ||
266 | if (ret_val != 0) { | 267 | if (ret_val != 0) { |
@@ -279,7 +280,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid) | |||
279 | /** | 280 | /** |
280 | * netlbl_domhsh_add_default - Adds the default entry to the domain hash table | 281 | * netlbl_domhsh_add_default - Adds the default entry to the domain hash table |
281 | * @entry: the entry to add | 282 | * @entry: the entry to add |
282 | * @audit_secid: the LSM secid to use in the audit message | 283 | * @audit_info: NetLabel audit information |
283 | * | 284 | * |
284 | * Description: | 285 | * Description: |
285 | * Adds a new default entry to the domain hash table and handles any updates | 286 | * Adds a new default entry to the domain hash table and handles any updates |
@@ -287,15 +288,16 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid) | |||
287 | * negative on failure. | 288 | * negative on failure. |
288 | * | 289 | * |
289 | */ | 290 | */ |
290 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid) | 291 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, |
292 | struct netlbl_audit *audit_info) | ||
291 | { | 293 | { |
292 | return netlbl_domhsh_add(entry, audit_secid); | 294 | return netlbl_domhsh_add(entry, audit_info); |
293 | } | 295 | } |
294 | 296 | ||
295 | /** | 297 | /** |
296 | * netlbl_domhsh_remove - Removes an entry from the domain hash table | 298 | * netlbl_domhsh_remove - Removes an entry from the domain hash table |
297 | * @domain: the domain to remove | 299 | * @domain: the domain to remove |
298 | * @audit_secid: the LSM secid to use in the audit message | 300 | * @audit_info: NetLabel audit information |
299 | * | 301 | * |
300 | * Description: | 302 | * Description: |
301 | * Removes an entry from the domain hash table and handles any updates to the | 303 | * Removes an entry from the domain hash table and handles any updates to the |
@@ -303,7 +305,7 @@ int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid) | |||
303 | * negative on failure. | 305 | * negative on failure. |
304 | * | 306 | * |
305 | */ | 307 | */ |
306 | int netlbl_domhsh_remove(const char *domain, u32 audit_secid) | 308 | int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) |
307 | { | 309 | { |
308 | int ret_val = -ENOENT; | 310 | int ret_val = -ENOENT; |
309 | struct netlbl_dom_map *entry; | 311 | struct netlbl_dom_map *entry; |
@@ -345,18 +347,20 @@ int netlbl_domhsh_remove(const char *domain, u32 audit_secid) | |||
345 | ret_val = -ENOENT; | 347 | ret_val = -ENOENT; |
346 | spin_unlock(&netlbl_domhsh_def_lock); | 348 | spin_unlock(&netlbl_domhsh_def_lock); |
347 | } | 349 | } |
348 | if (ret_val == 0) { | ||
349 | if (entry->domain != NULL) | ||
350 | audit_domain = entry->domain; | ||
351 | else | ||
352 | audit_domain = "(default)"; | ||
353 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, | ||
354 | audit_secid); | ||
355 | audit_log_format(audit_buf, " domain=%s", audit_domain); | ||
356 | audit_log_end(audit_buf); | ||
357 | 350 | ||
351 | if (entry->domain != NULL) | ||
352 | audit_domain = entry->domain; | ||
353 | else | ||
354 | audit_domain = "(default)"; | ||
355 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); | ||
356 | audit_log_format(audit_buf, | ||
357 | " nlbl_domain=%s res=%u", | ||
358 | audit_domain, | ||
359 | ret_val == 0 ? 1 : 0); | ||
360 | audit_log_end(audit_buf); | ||
361 | |||
362 | if (ret_val == 0) | ||
358 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); | 363 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); |
359 | } | ||
360 | 364 | ||
361 | remove_return: | 365 | remove_return: |
362 | rcu_read_unlock(); | 366 | rcu_read_unlock(); |
@@ -365,7 +369,7 @@ remove_return: | |||
365 | 369 | ||
366 | /** | 370 | /** |
367 | * netlbl_domhsh_remove_default - Removes the default entry from the table | 371 | * netlbl_domhsh_remove_default - Removes the default entry from the table |
368 | * @audit_secid: the LSM secid to use in the audit message | 372 | * @audit_info: NetLabel audit information |
369 | * | 373 | * |
370 | * Description: | 374 | * Description: |
371 | * Removes/resets the default entry for the domain hash table and handles any | 375 | * Removes/resets the default entry for the domain hash table and handles any |
@@ -373,9 +377,9 @@ remove_return: | |||
373 | * success, non-zero on failure. | 377 | * success, non-zero on failure. |
374 | * | 378 | * |
375 | */ | 379 | */ |
376 | int netlbl_domhsh_remove_default(u32 audit_secid) | 380 | int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info) |
377 | { | 381 | { |
378 | return netlbl_domhsh_remove(NULL, audit_secid); | 382 | return netlbl_domhsh_remove(NULL, audit_info); |
379 | } | 383 | } |
380 | 384 | ||
381 | /** | 385 | /** |
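Review bot: netlbl_domhsh_remove now emits its AUDIT_MAC_MAP_DEL record unconditionally (lines 351–360), but only after the point where `entry` has been located; the hunk does not show where `remove_return` (line 365) is reached from, but if, as the label placement suggests, the not-found path jumps there before this block, then a removal request for a domain that is not in the table — the most likely failure — produces no record at all, while a request that finds a stale entry produces one with `res=0`. If removals are meant to be auditable regardless of outcome, the audit should run after `remove_return:` with `audit_domain` falling back to the requested @domain (or "(default)" for NULL) when `entry` is NULL, and the `entry->domain` read guarded accordingly. The start of netlbl_domhsh_remove lies outside the hunk, so this is inferred rather than shown.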
diff --git a/net/netlabel/netlabel_domainhash.h b/net/netlabel/netlabel_domainhash.h index d50f13cacdca..3689956c3436 100644 --- a/net/netlabel/netlabel_domainhash.h +++ b/net/netlabel/netlabel_domainhash.h | |||
@@ -57,9 +57,11 @@ struct netlbl_dom_map { | |||
57 | int netlbl_domhsh_init(u32 size); | 57 | int netlbl_domhsh_init(u32 size); |
58 | 58 | ||
59 | /* Manipulate the domain hash table */ | 59 | /* Manipulate the domain hash table */ |
60 | int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid); | 60 | int netlbl_domhsh_add(struct netlbl_dom_map *entry, |
61 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid); | 61 | struct netlbl_audit *audit_info); |
62 | int netlbl_domhsh_remove_default(u32 audit_secid); | 62 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, |
63 | struct netlbl_audit *audit_info); | ||
64 | int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info); | ||
63 | struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); | 65 | struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); |
64 | int netlbl_domhsh_walk(u32 *skip_bkt, | 66 | int netlbl_domhsh_walk(u32 *skip_bkt, |
65 | u32 *skip_chain, | 67 | u32 *skip_chain, |
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c index 0ac314f18ad1..53c9079ad2c3 100644 --- a/net/netlabel/netlabel_mgmt.c +++ b/net/netlabel/netlabel_mgmt.c | |||
@@ -87,11 +87,14 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info) | |||
87 | struct netlbl_dom_map *entry = NULL; | 87 | struct netlbl_dom_map *entry = NULL; |
88 | size_t tmp_size; | 88 | size_t tmp_size; |
89 | u32 tmp_val; | 89 | u32 tmp_val; |
90 | struct netlbl_audit audit_info; | ||
90 | 91 | ||
91 | if (!info->attrs[NLBL_MGMT_A_DOMAIN] || | 92 | if (!info->attrs[NLBL_MGMT_A_DOMAIN] || |
92 | !info->attrs[NLBL_MGMT_A_PROTOCOL]) | 93 | !info->attrs[NLBL_MGMT_A_PROTOCOL]) |
93 | goto add_failure; | 94 | goto add_failure; |
94 | 95 | ||
96 | netlbl_netlink_auditinfo(skb, &audit_info); | ||
97 | |||
95 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); | 98 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
96 | if (entry == NULL) { | 99 | if (entry == NULL) { |
97 | ret_val = -ENOMEM; | 100 | ret_val = -ENOMEM; |
@@ -108,7 +111,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info) | |||
108 | 111 | ||
109 | switch (entry->type) { | 112 | switch (entry->type) { |
110 | case NETLBL_NLTYPE_UNLABELED: | 113 | case NETLBL_NLTYPE_UNLABELED: |
111 | ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid); | 114 | ret_val = netlbl_domhsh_add(entry, &audit_info); |
112 | break; | 115 | break; |
113 | case NETLBL_NLTYPE_CIPSOV4: | 116 | case NETLBL_NLTYPE_CIPSOV4: |
114 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) | 117 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) |
@@ -125,7 +128,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info) | |||
125 | rcu_read_unlock(); | 128 | rcu_read_unlock(); |
126 | goto add_failure; | 129 | goto add_failure; |
127 | } | 130 | } |
128 | ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid); | 131 | ret_val = netlbl_domhsh_add(entry, &audit_info); |
129 | rcu_read_unlock(); | 132 | rcu_read_unlock(); |
130 | break; | 133 | break; |
131 | default: | 134 | default: |
@@ -156,12 +159,15 @@ add_failure: | |||
156 | static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info) | 159 | static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info) |
157 | { | 160 | { |
158 | char *domain; | 161 | char *domain; |
162 | struct netlbl_audit audit_info; | ||
159 | 163 | ||
160 | if (!info->attrs[NLBL_MGMT_A_DOMAIN]) | 164 | if (!info->attrs[NLBL_MGMT_A_DOMAIN]) |
161 | return -EINVAL; | 165 | return -EINVAL; |
162 | 166 | ||
167 | netlbl_netlink_auditinfo(skb, &audit_info); | ||
168 | |||
163 | domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); | 169 | domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); |
164 | return netlbl_domhsh_remove(domain, NETLINK_CB(skb).sid); | 170 | return netlbl_domhsh_remove(domain, &audit_info); |
165 | } | 171 | } |
166 | 172 | ||
167 | /** | 173 | /** |
@@ -264,10 +270,13 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info) | |||
264 | int ret_val = -EINVAL; | 270 | int ret_val = -EINVAL; |
265 | struct netlbl_dom_map *entry = NULL; | 271 | struct netlbl_dom_map *entry = NULL; |
266 | u32 tmp_val; | 272 | u32 tmp_val; |
273 | struct netlbl_audit audit_info; | ||
267 | 274 | ||
268 | if (!info->attrs[NLBL_MGMT_A_PROTOCOL]) | 275 | if (!info->attrs[NLBL_MGMT_A_PROTOCOL]) |
269 | goto adddef_failure; | 276 | goto adddef_failure; |
270 | 277 | ||
278 | netlbl_netlink_auditinfo(skb, &audit_info); | ||
279 | |||
271 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); | 280 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
272 | if (entry == NULL) { | 281 | if (entry == NULL) { |
273 | ret_val = -ENOMEM; | 282 | ret_val = -ENOMEM; |
@@ -277,8 +286,7 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info) | |||
277 | 286 | ||
278 | switch (entry->type) { | 287 | switch (entry->type) { |
279 | case NETLBL_NLTYPE_UNLABELED: | 288 | case NETLBL_NLTYPE_UNLABELED: |
280 | ret_val = netlbl_domhsh_add_default(entry, | 289 | ret_val = netlbl_domhsh_add_default(entry, &audit_info); |
281 | NETLINK_CB(skb).sid); | ||
282 | break; | 290 | break; |
283 | case NETLBL_NLTYPE_CIPSOV4: | 291 | case NETLBL_NLTYPE_CIPSOV4: |
284 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) | 292 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) |
@@ -295,8 +303,7 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info) | |||
295 | rcu_read_unlock(); | 303 | rcu_read_unlock(); |
296 | goto adddef_failure; | 304 | goto adddef_failure; |
297 | } | 305 | } |
298 | ret_val = netlbl_domhsh_add_default(entry, | 306 | ret_val = netlbl_domhsh_add_default(entry, &audit_info); |
299 | NETLINK_CB(skb).sid); | ||
300 | rcu_read_unlock(); | 307 | rcu_read_unlock(); |
301 | break; | 308 | break; |
302 | default: | 309 | default: |
@@ -324,7 +331,11 @@ adddef_failure: | |||
324 | */ | 331 | */ |
325 | static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) | 332 | static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) |
326 | { | 333 | { |
327 | return netlbl_domhsh_remove_default(NETLINK_CB(skb).sid); | 334 | struct netlbl_audit audit_info; |
335 | |||
336 | netlbl_netlink_auditinfo(skb, &audit_info); | ||
337 | |||
338 | return netlbl_domhsh_remove_default(&audit_info); | ||
328 | } | 339 | } |
329 | 340 | ||
330 | /** | 341 | /** |
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index ab36675fee8c..1833ad233b39 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c | |||
@@ -70,18 +70,25 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = { | |||
70 | /** | 70 | /** |
71 | * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag | 71 | * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag |
72 | * @value: desired value | 72 | * @value: desired value |
73 | * @audit_secid: the LSM secid to use in the audit message | 73 | * @audit_info: NetLabel audit information |
74 | * | 74 | * |
75 | * Description: | 75 | * Description: |
76 | * Set the value of the unlabeled accept flag to @value. | 76 | * Set the value of the unlabeled accept flag to @value. |
77 | * | 77 | * |
78 | */ | 78 | */ |
79 | static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid) | 79 | static void netlbl_unlabel_acceptflg_set(u8 value, |
80 | struct netlbl_audit *audit_info) | ||
80 | { | 81 | { |
82 | struct audit_buffer *audit_buf; | ||
83 | u8 old_val; | ||
84 | |||
85 | old_val = atomic_read(&netlabel_unlabel_accept_flg); | ||
81 | atomic_set(&netlabel_unlabel_accept_flg, value); | 86 | atomic_set(&netlabel_unlabel_accept_flg, value); |
82 | netlbl_audit_nomsg((value ? | 87 | |
83 | AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY), | 88 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW, |
84 | audit_secid); | 89 | audit_info); |
90 | audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val); | ||
91 | audit_log_end(audit_buf); | ||
85 | } | 92 | } |
86 | 93 | ||
87 | /* | 94 | /* |
@@ -101,12 +108,13 @@ static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid) | |||
101 | static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) | 108 | static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) |
102 | { | 109 | { |
103 | u8 value; | 110 | u8 value; |
111 | struct netlbl_audit audit_info; | ||
104 | 112 | ||
105 | if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { | 113 | if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { |
106 | value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); | 114 | value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); |
107 | if (value == 1 || value == 0) { | 115 | if (value == 1 || value == 0) { |
108 | netlbl_unlabel_acceptflg_set(value, | 116 | netlbl_netlink_auditinfo(skb, &audit_info); |
109 | NETLINK_CB(skb).sid); | 117 | netlbl_unlabel_acceptflg_set(value, &audit_info); |
110 | return 0; | 118 | return 0; |
111 | } | 119 | } |
112 | } | 120 | } |
@@ -250,19 +258,23 @@ int netlbl_unlabel_defconf(void) | |||
250 | { | 258 | { |
251 | int ret_val; | 259 | int ret_val; |
252 | struct netlbl_dom_map *entry; | 260 | struct netlbl_dom_map *entry; |
253 | u32 secid; | 261 | struct netlbl_audit audit_info; |
254 | 262 | ||
255 | security_task_getsecid(current, &secid); | 263 | /* Only the kernel is allowed to call this function and the only time |
264 | * it is called is at bootup before the audit subsystem is reporting | ||
265 | * messages so don't worry to much about these values. */ | ||
266 | security_task_getsecid(current, &audit_info.secid); | ||
267 | audit_info.loginuid = 0; | ||
256 | 268 | ||
257 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); | 269 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
258 | if (entry == NULL) | 270 | if (entry == NULL) |
259 | return -ENOMEM; | 271 | return -ENOMEM; |
260 | entry->type = NETLBL_NLTYPE_UNLABELED; | 272 | entry->type = NETLBL_NLTYPE_UNLABELED; |
261 | ret_val = netlbl_domhsh_add_default(entry, secid); | 273 | ret_val = netlbl_domhsh_add_default(entry, &audit_info); |
262 | if (ret_val != 0) | 274 | if (ret_val != 0) |
263 | return ret_val; | 275 | return ret_val; |
264 | 276 | ||
265 | netlbl_unlabel_acceptflg_set(1, secid); | 277 | netlbl_unlabel_acceptflg_set(1, &audit_info); |
266 | 278 | ||
267 | return 0; | 279 | return 0; |
268 | } | 280 | } |
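Review bot: In netlbl_unlabel_acceptflg_set the old value is read with atomic_read() at line 85 and the new one stored with atomic_set() at line 86, so two concurrent requests can both observe the same `old=` and the audit trail then shows a transition that never happened. Combining the two as `old_val = atomic_xchg(&netlabel_unlabel_accept_flg, value);` records the value that was actually replaced, which is what anyone reconstructing the sequence of changes from the log needs. The AUDIT_MAC_UNLBL_ALLOW record is now emitted for both allow and deny transitions, distinguished only by `unlbl_accept=`; the kerneldoc at lines 70–78 should say so, since the type name alone suggests otherwise.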
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index c2343af584cb..98a416381e61 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c | |||
@@ -85,7 +85,7 @@ int netlbl_netlink_init(void) | |||
85 | /** | 85 | /** |
86 | * netlbl_audit_start_common - Start an audit message | 86 | * netlbl_audit_start_common - Start an audit message |
87 | * @type: audit message type | 87 | * @type: audit message type |
88 | * @secid: LSM context ID | 88 | * @audit_info: NetLabel audit information |
89 | * | 89 | * |
90 | * Description: | 90 | * Description: |
91 | * Start an audit message using the type specified in @type and fill the audit | 91 | * Start an audit message using the type specified in @type and fill the audit |
@@ -93,14 +93,11 @@ int netlbl_netlink_init(void) | |||
93 | * a pointer to the audit buffer on success, NULL on failure. | 93 | * a pointer to the audit buffer on success, NULL on failure. |
94 | * | 94 | * |
95 | */ | 95 | */ |
96 | struct audit_buffer *netlbl_audit_start_common(int type, u32 secid) | 96 | struct audit_buffer *netlbl_audit_start_common(int type, |
97 | struct netlbl_audit *audit_info) | ||
97 | { | 98 | { |
98 | struct audit_context *audit_ctx = current->audit_context; | 99 | struct audit_context *audit_ctx = current->audit_context; |
99 | struct audit_buffer *audit_buf; | 100 | struct audit_buffer *audit_buf; |
100 | uid_t audit_loginuid; | ||
101 | const char *audit_tty; | ||
102 | char audit_comm[sizeof(current->comm)]; | ||
103 | struct vm_area_struct *vma; | ||
104 | char *secctx; | 101 | char *secctx; |
105 | u32 secctx_len; | 102 | u32 secctx_len; |
106 | 103 | ||
@@ -108,60 +105,13 @@ struct audit_buffer *netlbl_audit_start_common(int type, u32 secid) | |||
108 | if (audit_buf == NULL) | 105 | if (audit_buf == NULL) |
109 | return NULL; | 106 | return NULL; |
110 | 107 | ||
111 | audit_loginuid = audit_get_loginuid(audit_ctx); | 108 | audit_log_format(audit_buf, "netlabel: auid=%u", audit_info->loginuid); |
112 | if (current->signal && | ||
113 | current->signal->tty && | ||
114 | current->signal->tty->name) | ||
115 | audit_tty = current->signal->tty->name; | ||
116 | else | ||
117 | audit_tty = "(none)"; | ||
118 | get_task_comm(audit_comm, current); | ||
119 | 109 | ||
120 | audit_log_format(audit_buf, | 110 | if (audit_info->secid != 0 && |
121 | "netlabel: auid=%u uid=%u tty=%s pid=%d", | 111 | security_secid_to_secctx(audit_info->secid, |
122 | audit_loginuid, | 112 | &secctx, |
123 | current->uid, | 113 | &secctx_len) == 0) |
124 | audit_tty, | ||
125 | current->pid); | ||
126 | audit_log_format(audit_buf, " comm="); | ||
127 | audit_log_untrustedstring(audit_buf, audit_comm); | ||
128 | if (current->mm) { | ||
129 | down_read(¤t->mm->mmap_sem); | ||
130 | vma = current->mm->mmap; | ||
131 | while (vma) { | ||
132 | if ((vma->vm_flags & VM_EXECUTABLE) && | ||
133 | vma->vm_file) { | ||
134 | audit_log_d_path(audit_buf, | ||
135 | " exe=", | ||
136 | vma->vm_file->f_dentry, | ||
137 | vma->vm_file->f_vfsmnt); | ||
138 | break; | ||
139 | } | ||
140 | vma = vma->vm_next; | ||
141 | } | ||
142 | up_read(¤t->mm->mmap_sem); | ||
143 | } | ||
144 | |||
145 | if (secid != 0 && | ||
146 | security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) | ||
147 | audit_log_format(audit_buf, " subj=%s", secctx); | 114 | audit_log_format(audit_buf, " subj=%s", secctx); |
148 | 115 | ||
149 | return audit_buf; | 116 | return audit_buf; |
150 | } | 117 | } |
151 | |||
152 | /** | ||
153 | * netlbl_audit_nomsg - Send an audit message without additional text | ||
154 | * @type: audit message type | ||
155 | * @secid: LSM context ID | ||
156 | * | ||
157 | * Description: | ||
158 | * Send an audit message with only the common NetLabel audit fields. | ||
159 | * | ||
160 | */ | ||
161 | void netlbl_audit_nomsg(int type, u32 secid) | ||
162 | { | ||
163 | struct audit_buffer *audit_buf; | ||
164 | |||
165 | audit_buf = netlbl_audit_start_common(type, secid); | ||
166 | audit_log_end(audit_buf); | ||
167 | } | ||
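Review bot: netlbl_audit_start_common now writes only `auid=` and `subj=` (lines 108–114) and drops the uid/tty/pid/comm/exe fields it used to emit itself; presumably the intent is that the audit subsystem supplies the process context in the accompanying syscall record, but that record only exists when `audit_ctx` (line 99) is non-NULL, i.e. when syscall auditing is enabled for the task. The kerneldoc above (lines 86–94, partly outside the hunk) still says the function fills in the common audit fields; it should state exactly which two it fills and that the remaining process context depends on syscall auditing, so an administrator enabling NetLabel auditing knows what the record will and will not contain. Separately, no release of the `secctx` obtained at lines 111–113 is visible; if the LSM allocates that string, every record leaks it — the original code had the same omission, so this is a pre-existing issue worth a TODO rather than a blocker.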
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index ab840acfc964..47967ef32964 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h | |||
@@ -72,13 +72,25 @@ static inline void *netlbl_netlink_hdr_put(struct sk_buff *skb, | |||
72 | NETLBL_PROTO_VERSION); | 72 | NETLBL_PROTO_VERSION); |
73 | } | 73 | } |
74 | 74 | ||
75 | /** | ||
76 | * netlbl_netlink_auditinfo - Fetch the audit information from a NETLINK msg | ||
77 | * @skb: the packet | ||
78 | * @audit_info: NetLabel audit information | ||
79 | */ | ||
80 | static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, | ||
81 | struct netlbl_audit *audit_info) | ||
82 | { | ||
83 | audit_info->secid = NETLINK_CB(skb).sid; | ||
84 | audit_info->loginuid = NETLINK_CB(skb).loginuid; | ||
85 | } | ||
86 | |||
75 | /* NetLabel NETLINK I/O functions */ | 87 | /* NetLabel NETLINK I/O functions */ |
76 | 88 | ||
77 | int netlbl_netlink_init(void); | 89 | int netlbl_netlink_init(void); |
78 | 90 | ||
79 | /* NetLabel Audit Functions */ | 91 | /* NetLabel Audit Functions */ |
80 | 92 | ||
81 | struct audit_buffer *netlbl_audit_start_common(int type, u32 secid); | 93 | struct audit_buffer *netlbl_audit_start_common(int type, |
82 | void netlbl_audit_nomsg(int type, u32 secid); | 94 | struct netlbl_audit *audit_info); |
83 | 95 | ||
84 | #endif | 96 | #endif |