aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2005-05-20 19:15:52 -0400
committerDavid Woodhouse <dwmw2@shinybook.infradead.org>2005-05-20 19:15:52 -0400
commit011161051bbc25f7f8b7df059dbd934c534443f0 (patch)
treef1ca3727e4130cacad86dfdae65e7533fcb67784
parentfb19b4c6aa024837a0071f07baa07dbf49d07151 (diff)
AUDIT: Avoid sleeping function in SElinux AVC audit.
This patch changes the SELinux AVC to defer logging of paths to the audit framework upon syscall exit, by saving a reference to the (dentry,vfsmount) pair in an auxiliary audit item on the current audit context for processing by audit_log_exit. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
-rw-r--r--include/linux/audit.h3
-rw-r--r--kernel/auditsc.c40
-rw-r--r--security/selinux/avc.c17
3 files changed, 51 insertions, 9 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 17ea5d522d81..4b7caf0c6e10 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -69,6 +69,7 @@
69 69
70#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ 70#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
71#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ 71#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
72#define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */
72 73
73#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ 74#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
74 75
@@ -225,6 +226,7 @@ extern uid_t audit_get_loginuid(struct audit_context *ctx);
225extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); 226extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
226extern int audit_socketcall(int nargs, unsigned long *args); 227extern int audit_socketcall(int nargs, unsigned long *args);
227extern int audit_sockaddr(int len, void *addr); 228extern int audit_sockaddr(int len, void *addr);
229extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
228extern void audit_signal_info(int sig, struct task_struct *t); 230extern void audit_signal_info(int sig, struct task_struct *t);
229#else 231#else
230#define audit_alloc(t) ({ 0; }) 232#define audit_alloc(t) ({ 0; })
@@ -240,6 +242,7 @@ extern void audit_signal_info(int sig, struct task_struct *t);
240#define audit_ipc_perms(q,u,g,m) ({ 0; }) 242#define audit_ipc_perms(q,u,g,m) ({ 0; })
241#define audit_socketcall(n,a) ({ 0; }) 243#define audit_socketcall(n,a) ({ 0; })
242#define audit_sockaddr(len, addr) ({ 0; }) 244#define audit_sockaddr(len, addr) ({ 0; })
245#define audit_avc_path(dentry, mnt) ({ 0; })
243#define audit_signal_info(s,t) do { ; } while (0) 246#define audit_signal_info(s,t) do { ; } while (0)
244#endif 247#endif
245 248
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 78d7a13fc86f..8dc5b2767145 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -34,6 +34,7 @@
34#include <asm/types.h> 34#include <asm/types.h>
35#include <linux/mm.h> 35#include <linux/mm.h>
36#include <linux/module.h> 36#include <linux/module.h>
37#include <linux/mount.h>
37#include <linux/socket.h> 38#include <linux/socket.h>
38#include <linux/audit.h> 39#include <linux/audit.h>
39#include <linux/personality.h> 40#include <linux/personality.h>
@@ -124,6 +125,11 @@ struct audit_aux_data_sockaddr {
124 char a[0]; 125 char a[0];
125}; 126};
126 127
128struct audit_aux_data_path {
129 struct audit_aux_data d;
130 struct dentry *dentry;
131 struct vfsmount *mnt;
132};
127 133
128/* The per-task audit context. */ 134/* The per-task audit context. */
129struct audit_context { 135struct audit_context {
@@ -553,6 +559,11 @@ static inline void audit_free_aux(struct audit_context *context)
553 struct audit_aux_data *aux; 559 struct audit_aux_data *aux;
554 560
555 while ((aux = context->aux)) { 561 while ((aux = context->aux)) {
562 if (aux->type == AUDIT_AVC_PATH) {
563 struct audit_aux_data_path *axi = (void *)aux;
564 dput(axi->dentry);
565 mntput(axi->mnt);
566 }
556 context->aux = aux->next; 567 context->aux = aux->next;
557 kfree(aux); 568 kfree(aux);
558 } 569 }
@@ -724,6 +735,14 @@ static void audit_log_exit(struct audit_context *context)
724 audit_log_format(ab, "saddr="); 735 audit_log_format(ab, "saddr=");
725 audit_log_hex(ab, axs->a, axs->len); 736 audit_log_hex(ab, axs->a, axs->len);
726 break; } 737 break; }
738
739 case AUDIT_AVC_PATH: {
740 struct audit_aux_data_path *axi = (void *)aux;
741 audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
742 dput(axi->dentry);
743 mntput(axi->mnt);
744 break; }
745
727 } 746 }
728 audit_log_end(ab); 747 audit_log_end(ab);
729 748
@@ -1124,6 +1143,27 @@ int audit_sockaddr(int len, void *a)
1124 return 0; 1143 return 0;
1125} 1144}
1126 1145
1146int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
1147{
1148 struct audit_aux_data_path *ax;
1149 struct audit_context *context = current->audit_context;
1150
1151 if (likely(!context))
1152 return 0;
1153
1154 ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
1155 if (!ax)
1156 return -ENOMEM;
1157
1158 ax->dentry = dget(dentry);
1159 ax->mnt = mntget(mnt);
1160
1161 ax->d.type = AUDIT_AVC_PATH;
1162 ax->d.next = context->aux;
1163 context->aux = (void *)ax;
1164 return 0;
1165}
1166
1127void audit_signal_info(int sig, struct task_struct *t) 1167void audit_signal_info(int sig, struct task_struct *t)
1128{ 1168{
1129 extern pid_t audit_sig_pid; 1169 extern pid_t audit_sig_pid;
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 62b963aca275..0fbc3e98c5ea 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -573,13 +573,10 @@ void avc_audit(u32 ssid, u32 tsid,
573 case AVC_AUDIT_DATA_FS: 573 case AVC_AUDIT_DATA_FS:
574 if (a->u.fs.dentry) { 574 if (a->u.fs.dentry) {
575 struct dentry *dentry = a->u.fs.dentry; 575 struct dentry *dentry = a->u.fs.dentry;
576 if (a->u.fs.mnt) { 576 if (a->u.fs.mnt)
577 audit_log_d_path(ab, "path=", dentry, 577 audit_avc_path(dentry, a->u.fs.mnt);
578 a->u.fs.mnt); 578 audit_log_format(ab, " name=%s",
579 } else { 579 dentry->d_name.name);
580 audit_log_format(ab, " name=%s",
581 dentry->d_name.name);
582 }
583 inode = dentry->d_inode; 580 inode = dentry->d_inode;
584 } else if (a->u.fs.inode) { 581 } else if (a->u.fs.inode) {
585 struct dentry *dentry; 582 struct dentry *dentry;
@@ -630,8 +627,10 @@ void avc_audit(u32 ssid, u32 tsid,
630 case AF_UNIX: 627 case AF_UNIX:
631 u = unix_sk(sk); 628 u = unix_sk(sk);
632 if (u->dentry) { 629 if (u->dentry) {
633 audit_log_d_path(ab, "path=", 630 audit_avc_path(u->dentry, u->mnt);
634 u->dentry, u->mnt); 631 audit_log_format(ab, " name=%s",
632 u->dentry->d_name.name);
633
635 break; 634 break;
636 } 635 }
637 if (!u->addr) 636 if (!u->addr)