authorThomas Liu <tliu@redhat.com>2009-07-14 12:14:09 -0400
committerJames Morris <jmorris@namei.org>2009-08-16 18:37:18 -0400
commit2bf49690325b62480a42f7afed5e9f164173c570 (patch)
treebc8525f6a45ea3ffaed9449084df7644bcd4e3c2
parentf322abf83feddc3c37c3a91794e0c5aece4af18e (diff)
SELinux: Convert avc_audit to use lsm_audit.h
Convert avc_audit in security/selinux/avc.c to use lsm_audit.h, for better maintainability. - changed selinux to use common_audit_data instead of avc_audit_data - eliminated code in avc.c and used code from lsm_audit.h instead. Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit can call common_lsm_audit and do the pre and post callbacks without doing the actual dump. This makes it so that the patched version behaves the same way as the unpatched version. Also added a denied field to the selinux_audit_data private space, once again to make it so that the patched version behaves like the unpatched. I've tested and confirmed that AVCs look the same before and after this patch. Signed-off-by: Thomas Liu <tliu@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--include/linux/lsm_audit.h2
-rw-r--r--security/Makefile4
-rw-r--r--security/lsm_audit.c2
-rw-r--r--security/selinux/avc.c197
-rw-r--r--security/selinux/hooks.c142
-rw-r--r--security/selinux/include/avc.h49
-rw-r--r--security/selinux/include/netlabel.h4
-rw-r--r--security/selinux/include/xfrm.h8
-rw-r--r--security/selinux/netlabel.c2
-rw-r--r--security/selinux/xfrm.c4
10 files changed, 131 insertions, 283 deletions
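--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -33,6 +33,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_IPC 4
 #define LSM_AUDIT_DATA_TASK 5
 #define LSM_AUDIT_DATA_KEY 6
+#define LSM_AUDIT_NO_AUDIT 7
 	struct task_struct *tsk;
 	union {
 		struct {
@@ -86,6 +87,7 @@ struct common_audit_data {
 			u16 tclass;
 			u32 requested;
 			u32 audited;
+			u32 denied;
 			struct av_decision *avd;
 			int result;
 		} selinux_audit_data;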
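Review bot: `LSM_AUDIT_NO_AUDIT` joins the list of `type` values without a comment, although unlike the `LSM_AUDIT_DATA_*` values it does not name a payload in the union but asks the common code to dump none; a reader of the header cannot learn that from the define alone. I would put `/* no u.* payload: only lsm_pre_audit/lsm_post_audit are run */` above it. The new `u32 denied;` in `selinux_audit_data` is likewise undocumented; a short `/* requested & ~avd->allowed */` next to it records how avc_audit fills it.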
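--- a/security/Makefile
+++ b/security/Makefile
@@ -16,9 +16,7 @@ obj-$(CONFIG_SECURITYFS) += inode.o
 # Must precede capability.o in order to stack properly.
 obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
 obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
-ifeq ($(CONFIG_AUDIT),y)
-obj-$(CONFIG_SECURITY_SMACK) += lsm_audit.o
-endif
+obj-$(CONFIG_AUDIT) += lsm_audit.o
 obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
 obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o
 obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o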
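--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -220,6 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 	}
 
 	switch (a->type) {
+	case LSM_AUDIT_NO_AUDIT:
+		return;
 	case LSM_AUDIT_DATA_IPC:
 		audit_log_format(ab, " key=%d ", a->u.ipc_id);
 		break;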
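Review bot: The early `return` for `LSM_AUDIT_NO_AUDIT` sits inside the `switch`, after whatever dump_common_audit_data has already emitted above line 220 (the function starts outside the hunk), so it silently assumes a caller using this type wants exactly that prefix and nothing from `a->u`; a one-line comment on the new case, `/* caller supplied no payload; only the pre/post callbacks are wanted */`, would make that contract visible. Whether this `switch` has a `default:` that reports an unexpected `type` value is not visible in the hunk; if it does not, adding one would keep a stray type from silently producing a truncated record.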
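--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -492,23 +492,35 @@ out:
 	return node;
 }
 
-static inline void avc_print_ipv6_addr(struct audit_buffer *ab,
-				       struct in6_addr *addr, __be16 port,
-				       char *name1, char *name2)
+/**
+ * avc_audit_pre_callback - SELinux specific information
+ * will be called by generic audit code
+ * @ab: the audit buffer
+ * @a: audit_data
+ */
+static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 {
-	if (!ipv6_addr_any(addr))
-		audit_log_format(ab, " %s=%pI6", name1, addr);
-	if (port)
-		audit_log_format(ab, " %s=%d", name2, ntohs(port));
+	struct common_audit_data *ad = a;
+	audit_log_format(ab, "avc: %s ",
+			 ad->selinux_audit_data.denied ? "denied" : "granted");
+	avc_dump_av(ab, ad->selinux_audit_data.tclass,
+			ad->selinux_audit_data.audited);
+	audit_log_format(ab, " for ");
 }
 
-static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
-				       __be16 port, char *name1, char *name2)
+/**
+ * avc_audit_post_callback - SELinux specific information
+ * will be called by generic audit code
+ * @ab: the audit buffer
+ * @a: audit_data
+ */
+static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 {
-	if (addr)
-		audit_log_format(ab, " %s=%pI4", name1, &addr);
-	if (port)
-		audit_log_format(ab, " %s=%d", name2, ntohs(port));
+	struct common_audit_data *ad = a;
+	audit_log_format(ab, " ");
+	avc_dump_query(ab, ad->selinux_audit_data.ssid,
+			   ad->selinux_audit_data.tsid,
+			   ad->selinux_audit_data.tclass);
 }
 
 /**
@@ -532,13 +544,10 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
  */
 void avc_audit(u32 ssid, u32 tsid,
 	       u16 tclass, u32 requested,
-	       struct av_decision *avd, int result, struct avc_audit_data *a)
+	       struct av_decision *avd, int result, struct common_audit_data *a)
 {
-	struct task_struct *tsk = current;
-	struct inode *inode = NULL;
+	struct common_audit_data stack_data;
 	u32 denied, audited;
-	struct audit_buffer *ab;
-
 	denied = requested & ~avd->allowed;
 	if (denied) {
 		audited = denied;
@@ -551,144 +560,20 @@ void avc_audit(u32 ssid, u32 tsid,
 		if (!(audited & avd->auditallow))
 			return;
 	}
-
-	ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC);
-	if (!ab)
-		return;		/* audit_panic has been called */
-	audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
-	avc_dump_av(ab, tclass, audited);
-	audit_log_format(ab, " for ");
-	if (a && a->tsk)
-		tsk = a->tsk;
-	if (tsk && tsk->pid) {
-		audit_log_format(ab, " pid=%d comm=", tsk->pid);
-		audit_log_untrustedstring(ab, tsk->comm);
-	}
-	if (a) {
-		switch (a->type) {
-		case AVC_AUDIT_DATA_IPC:
-			audit_log_format(ab, " key=%d", a->u.ipc_id);
-			break;
-		case AVC_AUDIT_DATA_CAP:
-			audit_log_format(ab, " capability=%d", a->u.cap);
-			break;
-		case AVC_AUDIT_DATA_FS:
-			if (a->u.fs.path.dentry) {
-				struct dentry *dentry = a->u.fs.path.dentry;
-				if (a->u.fs.path.mnt) {
-					audit_log_d_path(ab, "path=",
-							 &a->u.fs.path);
-				} else {
-					audit_log_format(ab, " name=");
-					audit_log_untrustedstring(ab, dentry->d_name.name);
-				}
-				inode = dentry->d_inode;
-			} else if (a->u.fs.inode) {
-				struct dentry *dentry;
-				inode = a->u.fs.inode;
-				dentry = d_find_alias(inode);
-				if (dentry) {
-					audit_log_format(ab, " name=");
-					audit_log_untrustedstring(ab, dentry->d_name.name);
-					dput(dentry);
-				}
-			}
-			if (inode)
-				audit_log_format(ab, " dev=%s ino=%lu",
-						 inode->i_sb->s_id,
-						 inode->i_ino);
-			break;
-		case AVC_AUDIT_DATA_NET:
-			if (a->u.net.sk) {
-				struct sock *sk = a->u.net.sk;
-				struct unix_sock *u;
-				int len = 0;
-				char *p = NULL;
-
-				switch (sk->sk_family) {
-				case AF_INET: {
-					struct inet_sock *inet = inet_sk(sk);
-
-					avc_print_ipv4_addr(ab, inet->rcv_saddr,
-							    inet->sport,
-							    "laddr", "lport");
-					avc_print_ipv4_addr(ab, inet->daddr,
-							    inet->dport,
-							    "faddr", "fport");
-					break;
-				}
-				case AF_INET6: {
-					struct inet_sock *inet = inet_sk(sk);
-					struct ipv6_pinfo *inet6 = inet6_sk(sk);
-
-					avc_print_ipv6_addr(ab, &inet6->rcv_saddr,
-							    inet->sport,
-							    "laddr", "lport");
-					avc_print_ipv6_addr(ab, &inet6->daddr,
-							    inet->dport,
-							    "faddr", "fport");
-					break;
-				}
-				case AF_UNIX:
-					u = unix_sk(sk);
-					if (u->dentry) {
-						struct path path = {
-							.dentry = u->dentry,
-							.mnt = u->mnt
-						};
-						audit_log_d_path(ab, "path=",
-								 &path);
-						break;
-					}
-					if (!u->addr)
-						break;
-					len = u->addr->len-sizeof(short);
-					p = &u->addr->name->sun_path[0];
-					audit_log_format(ab, " path=");
-					if (*p)
-						audit_log_untrustedstring(ab, p);
-					else
-						audit_log_n_hex(ab, p, len);
-					break;
-				}
-			}
-
-			switch (a->u.net.family) {
-			case AF_INET:
-				avc_print_ipv4_addr(ab, a->u.net.v4info.saddr,
-						    a->u.net.sport,
-						    "saddr", "src");
-				avc_print_ipv4_addr(ab, a->u.net.v4info.daddr,
-						    a->u.net.dport,
-						    "daddr", "dest");
-				break;
-			case AF_INET6:
-				avc_print_ipv6_addr(ab, &a->u.net.v6info.saddr,
-						    a->u.net.sport,
-						    "saddr", "src");
-				avc_print_ipv6_addr(ab, &a->u.net.v6info.daddr,
-						    a->u.net.dport,
-						    "daddr", "dest");
-				break;
-			}
-			if (a->u.net.netif > 0) {
-				struct net_device *dev;
-
-				/* NOTE: we always use init's namespace */
-				dev = dev_get_by_index(&init_net,
-						       a->u.net.netif);
-				if (dev) {
-					audit_log_format(ab, " netif=%s",
-							 dev->name);
-					dev_put(dev);
-				}
-			}
-			break;
-		}
-	}
-	audit_log_format(ab, " ");
-	avc_dump_query(ab, ssid, tsid, tclass);
-	audit_log_end(ab);
+	if (!a) {
+		a = &stack_data;
+		memset(a, 0, sizeof(*a));
+		a->type = LSM_AUDIT_NO_AUDIT;
+	}
+	a->selinux_audit_data.tclass = tclass;
+	a->selinux_audit_data.requested = requested;
+	a->selinux_audit_data.ssid = ssid;
+	a->selinux_audit_data.tsid = tsid;
+	a->selinux_audit_data.audited = audited;
+	a->selinux_audit_data.denied = denied;
+	a->lsm_pre_audit = avc_audit_pre_callback;
+	a->lsm_post_audit = avc_audit_post_callback;
+	common_lsm_audit(a);
 }
 
 /**
@@ -956,7 +841,7 @@ out:
  * another -errno upon other errors.
  */
 int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
-		 u32 requested, struct avc_audit_data *auditdata)
+		 u32 requested, struct common_audit_data *auditdata)
 {
 	struct av_decision avd;
 	int rc;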
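Review bot: In the `!a` fallback of avc_audit the stack `common_audit_data` is zeroed and only `type` is set, so `a->tsk` stays NULL, whereas the removed code defaulted the task to `current` (`struct task_struct *tsk = current;` and the `pid=`/`comm=` lines) and whether that output survives now depends on common_lsm_audit substituting `current` for a NULL `tsk`, which this diff does not show. Either set `a->tsk = current;` next to `a->type = LSM_AUDIT_NO_AUDIT;` or add a comment there recording that the common code is relied on for the default, so the "AVCs look the same" claim has a visible basis. The new `stack_data` local also carries the `u` union that hooks.c fills with fs/net payloads, which enlarges the frame of a function reached from the socket hooks; stack usage is worth checking. The kernel-doc lines `SELinux specific information will be called by generic audit code` on both new callbacks read as a fragment; `Emit the SELinux-specific prefix (or suffix); invoked by the generic LSM audit code` would be clearer.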
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5aa45b168122..254b7983657d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1478,14 +1478,14 @@ static int task_has_capability(struct task_struct *tsk,
1478 const struct cred *cred, 1478 const struct cred *cred,
1479 int cap, int audit) 1479 int cap, int audit)
1480{ 1480{
1481 struct avc_audit_data ad; 1481 struct common_audit_data ad;
1482 struct av_decision avd; 1482 struct av_decision avd;
1483 u16 sclass; 1483 u16 sclass;
1484 u32 sid = cred_sid(cred); 1484 u32 sid = cred_sid(cred);
1485 u32 av = CAP_TO_MASK(cap); 1485 u32 av = CAP_TO_MASK(cap);
1486 int rc; 1486 int rc;
1487 1487
1488 AVC_AUDIT_DATA_INIT(&ad, CAP); 1488 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1489 ad.tsk = tsk; 1489 ad.tsk = tsk;
1490 ad.u.cap = cap; 1490 ad.u.cap = cap;
1491 1491
@@ -1524,10 +1524,10 @@ static int task_has_system(struct task_struct *tsk,
1524static int inode_has_perm(const struct cred *cred, 1524static int inode_has_perm(const struct cred *cred,
1525 struct inode *inode, 1525 struct inode *inode,
1526 u32 perms, 1526 u32 perms,
1527 struct avc_audit_data *adp) 1527 struct common_audit_data *adp)
1528{ 1528{
1529 struct inode_security_struct *isec; 1529 struct inode_security_struct *isec;
1530 struct avc_audit_data ad; 1530 struct common_audit_data ad;
1531 u32 sid; 1531 u32 sid;
1532 1532
1533 if (unlikely(IS_PRIVATE(inode))) 1533 if (unlikely(IS_PRIVATE(inode)))
@@ -1538,7 +1538,7 @@ static int inode_has_perm(const struct cred *cred,
1538 1538
1539 if (!adp) { 1539 if (!adp) {
1540 adp = &ad; 1540 adp = &ad;
1541 AVC_AUDIT_DATA_INIT(&ad, FS); 1541 COMMON_AUDIT_DATA_INIT(&ad, FS);
1542 ad.u.fs.inode = inode; 1542 ad.u.fs.inode = inode;
1543 } 1543 }
1544 1544
@@ -1554,9 +1554,9 @@ static inline int dentry_has_perm(const struct cred *cred,
1554 u32 av) 1554 u32 av)
1555{ 1555{
1556 struct inode *inode = dentry->d_inode; 1556 struct inode *inode = dentry->d_inode;
1557 struct avc_audit_data ad; 1557 struct common_audit_data ad;
1558 1558
1559 AVC_AUDIT_DATA_INIT(&ad, FS); 1559 COMMON_AUDIT_DATA_INIT(&ad, FS);
1560 ad.u.fs.path.mnt = mnt; 1560 ad.u.fs.path.mnt = mnt;
1561 ad.u.fs.path.dentry = dentry; 1561 ad.u.fs.path.dentry = dentry;
1562 return inode_has_perm(cred, inode, av, &ad); 1562 return inode_has_perm(cred, inode, av, &ad);
@@ -1576,11 +1576,11 @@ static int file_has_perm(const struct cred *cred,
1576{ 1576{
1577 struct file_security_struct *fsec = file->f_security; 1577 struct file_security_struct *fsec = file->f_security;
1578 struct inode *inode = file->f_path.dentry->d_inode; 1578 struct inode *inode = file->f_path.dentry->d_inode;
1579 struct avc_audit_data ad; 1579 struct common_audit_data ad;
1580 u32 sid = cred_sid(cred); 1580 u32 sid = cred_sid(cred);
1581 int rc; 1581 int rc;
1582 1582
1583 AVC_AUDIT_DATA_INIT(&ad, FS); 1583 COMMON_AUDIT_DATA_INIT(&ad, FS);
1584 ad.u.fs.path = file->f_path; 1584 ad.u.fs.path = file->f_path;
1585 1585
1586 if (sid != fsec->sid) { 1586 if (sid != fsec->sid) {
@@ -1611,7 +1611,7 @@ static int may_create(struct inode *dir,
1611 struct inode_security_struct *dsec; 1611 struct inode_security_struct *dsec;
1612 struct superblock_security_struct *sbsec; 1612 struct superblock_security_struct *sbsec;
1613 u32 sid, newsid; 1613 u32 sid, newsid;
1614 struct avc_audit_data ad; 1614 struct common_audit_data ad;
1615 int rc; 1615 int rc;
1616 1616
1617 dsec = dir->i_security; 1617 dsec = dir->i_security;
@@ -1620,7 +1620,7 @@ static int may_create(struct inode *dir,
1620 sid = tsec->sid; 1620 sid = tsec->sid;
1621 newsid = tsec->create_sid; 1621 newsid = tsec->create_sid;
1622 1622
1623 AVC_AUDIT_DATA_INIT(&ad, FS); 1623 COMMON_AUDIT_DATA_INIT(&ad, FS);
1624 ad.u.fs.path.dentry = dentry; 1624 ad.u.fs.path.dentry = dentry;
1625 1625
1626 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1626 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
@@ -1664,7 +1664,7 @@ static int may_link(struct inode *dir,
1664 1664
1665{ 1665{
1666 struct inode_security_struct *dsec, *isec; 1666 struct inode_security_struct *dsec, *isec;
1667 struct avc_audit_data ad; 1667 struct common_audit_data ad;
1668 u32 sid = current_sid(); 1668 u32 sid = current_sid();
1669 u32 av; 1669 u32 av;
1670 int rc; 1670 int rc;
@@ -1672,7 +1672,7 @@ static int may_link(struct inode *dir,
1672 dsec = dir->i_security; 1672 dsec = dir->i_security;
1673 isec = dentry->d_inode->i_security; 1673 isec = dentry->d_inode->i_security;
1674 1674
1675 AVC_AUDIT_DATA_INIT(&ad, FS); 1675 COMMON_AUDIT_DATA_INIT(&ad, FS);
1676 ad.u.fs.path.dentry = dentry; 1676 ad.u.fs.path.dentry = dentry;
1677 1677
1678 av = DIR__SEARCH; 1678 av = DIR__SEARCH;
@@ -1707,7 +1707,7 @@ static inline int may_rename(struct inode *old_dir,
1707 struct dentry *new_dentry) 1707 struct dentry *new_dentry)
1708{ 1708{
1709 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1709 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1710 struct avc_audit_data ad; 1710 struct common_audit_data ad;
1711 u32 sid = current_sid(); 1711 u32 sid = current_sid();
1712 u32 av; 1712 u32 av;
1713 int old_is_dir, new_is_dir; 1713 int old_is_dir, new_is_dir;
@@ -1718,7 +1718,7 @@ static inline int may_rename(struct inode *old_dir,
1718 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1718 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1719 new_dsec = new_dir->i_security; 1719 new_dsec = new_dir->i_security;
1720 1720
1721 AVC_AUDIT_DATA_INIT(&ad, FS); 1721 COMMON_AUDIT_DATA_INIT(&ad, FS);
1722 1722
1723 ad.u.fs.path.dentry = old_dentry; 1723 ad.u.fs.path.dentry = old_dentry;
1724 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1724 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
@@ -1760,7 +1760,7 @@ static inline int may_rename(struct inode *old_dir,
1760static int superblock_has_perm(const struct cred *cred, 1760static int superblock_has_perm(const struct cred *cred,
1761 struct super_block *sb, 1761 struct super_block *sb,
1762 u32 perms, 1762 u32 perms,
1763 struct avc_audit_data *ad) 1763 struct common_audit_data *ad)
1764{ 1764{
1765 struct superblock_security_struct *sbsec; 1765 struct superblock_security_struct *sbsec;
1766 u32 sid = cred_sid(cred); 1766 u32 sid = cred_sid(cred);
@@ -2100,7 +2100,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2100 const struct task_security_struct *old_tsec; 2100 const struct task_security_struct *old_tsec;
2101 struct task_security_struct *new_tsec; 2101 struct task_security_struct *new_tsec;
2102 struct inode_security_struct *isec; 2102 struct inode_security_struct *isec;
2103 struct avc_audit_data ad; 2103 struct common_audit_data ad;
2104 struct inode *inode = bprm->file->f_path.dentry->d_inode; 2104 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2105 int rc; 2105 int rc;
2106 2106
@@ -2138,7 +2138,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2138 return rc; 2138 return rc;
2139 } 2139 }
2140 2140
2141 AVC_AUDIT_DATA_INIT(&ad, FS); 2141 COMMON_AUDIT_DATA_INIT(&ad, FS);
2142 ad.u.fs.path = bprm->file->f_path; 2142 ad.u.fs.path = bprm->file->f_path;
2143 2143
2144 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 2144 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
@@ -2231,7 +2231,7 @@ extern struct dentry *selinux_null;
2231static inline void flush_unauthorized_files(const struct cred *cred, 2231static inline void flush_unauthorized_files(const struct cred *cred,
2232 struct files_struct *files) 2232 struct files_struct *files)
2233{ 2233{
2234 struct avc_audit_data ad; 2234 struct common_audit_data ad;
2235 struct file *file, *devnull = NULL; 2235 struct file *file, *devnull = NULL;
2236 struct tty_struct *tty; 2236 struct tty_struct *tty;
2237 struct fdtable *fdt; 2237 struct fdtable *fdt;
@@ -2265,7 +2265,7 @@ static inline void flush_unauthorized_files(const struct cred *cred,
2265 2265
2266 /* Revalidate access to inherited open files. */ 2266 /* Revalidate access to inherited open files. */
2267 2267
2268 AVC_AUDIT_DATA_INIT(&ad, FS); 2268 COMMON_AUDIT_DATA_INIT(&ad, FS);
2269 2269
2270 spin_lock(&files->file_lock); 2270 spin_lock(&files->file_lock);
2271 for (;;) { 2271 for (;;) {
@@ -2514,7 +2514,7 @@ out:
2514static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2514static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2515{ 2515{
2516 const struct cred *cred = current_cred(); 2516 const struct cred *cred = current_cred();
2517 struct avc_audit_data ad; 2517 struct common_audit_data ad;
2518 int rc; 2518 int rc;
2519 2519
2520 rc = superblock_doinit(sb, data); 2520 rc = superblock_doinit(sb, data);
@@ -2525,7 +2525,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2525 if (flags & MS_KERNMOUNT) 2525 if (flags & MS_KERNMOUNT)
2526 return 0; 2526 return 0;
2527 2527
2528 AVC_AUDIT_DATA_INIT(&ad, FS); 2528 COMMON_AUDIT_DATA_INIT(&ad, FS);
2529 ad.u.fs.path.dentry = sb->s_root; 2529 ad.u.fs.path.dentry = sb->s_root;
2530 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2530 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2531} 2531}
@@ -2533,9 +2533,9 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2533static int selinux_sb_statfs(struct dentry *dentry) 2533static int selinux_sb_statfs(struct dentry *dentry)
2534{ 2534{
2535 const struct cred *cred = current_cred(); 2535 const struct cred *cred = current_cred();
2536 struct avc_audit_data ad; 2536 struct common_audit_data ad;
2537 2537
2538 AVC_AUDIT_DATA_INIT(&ad, FS); 2538 COMMON_AUDIT_DATA_INIT(&ad, FS);
2539 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2539 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2540 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2540 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2541} 2541}
@@ -2755,7 +2755,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2755 struct inode *inode = dentry->d_inode; 2755 struct inode *inode = dentry->d_inode;
2756 struct inode_security_struct *isec = inode->i_security; 2756 struct inode_security_struct *isec = inode->i_security;
2757 struct superblock_security_struct *sbsec; 2757 struct superblock_security_struct *sbsec;
2758 struct avc_audit_data ad; 2758 struct common_audit_data ad;
2759 u32 newsid, sid = current_sid(); 2759 u32 newsid, sid = current_sid();
2760 int rc = 0; 2760 int rc = 0;
2761 2761
@@ -2769,7 +2769,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2769 if (!is_owner_or_cap(inode)) 2769 if (!is_owner_or_cap(inode))
2770 return -EPERM; 2770 return -EPERM;
2771 2771
2772 AVC_AUDIT_DATA_INIT(&ad, FS); 2772 COMMON_AUDIT_DATA_INIT(&ad, FS);
2773 ad.u.fs.path.dentry = dentry; 2773 ad.u.fs.path.dentry = dentry;
2774 2774
2775 rc = avc_has_perm(sid, isec->sid, isec->sclass, 2775 rc = avc_has_perm(sid, isec->sid, isec->sclass,
@@ -3418,7 +3418,7 @@ static void selinux_task_to_inode(struct task_struct *p,
3418 3418
3419/* Returns error only if unable to parse addresses */ 3419/* Returns error only if unable to parse addresses */
3420static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3420static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3421 struct avc_audit_data *ad, u8 *proto) 3421 struct common_audit_data *ad, u8 *proto)
3422{ 3422{
3423 int offset, ihlen, ret = -EINVAL; 3423 int offset, ihlen, ret = -EINVAL;
3424 struct iphdr _iph, *ih; 3424 struct iphdr _iph, *ih;
@@ -3499,7 +3499,7 @@ out:
3499 3499
3500/* Returns error only if unable to parse addresses */ 3500/* Returns error only if unable to parse addresses */
3501static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3501static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3502 struct avc_audit_data *ad, u8 *proto) 3502 struct common_audit_data *ad, u8 *proto)
3503{ 3503{
3504 u8 nexthdr; 3504 u8 nexthdr;
3505 int ret = -EINVAL, offset; 3505 int ret = -EINVAL, offset;
@@ -3570,7 +3570,7 @@ out:
3570 3570
3571#endif /* IPV6 */ 3571#endif /* IPV6 */
3572 3572
3573static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 3573static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3574 char **_addrp, int src, u8 *proto) 3574 char **_addrp, int src, u8 *proto)
3575{ 3575{
3576 char *addrp; 3576 char *addrp;
@@ -3652,7 +3652,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3652 u32 perms) 3652 u32 perms)
3653{ 3653{
3654 struct inode_security_struct *isec; 3654 struct inode_security_struct *isec;
3655 struct avc_audit_data ad; 3655 struct common_audit_data ad;
3656 u32 sid; 3656 u32 sid;
3657 int err = 0; 3657 int err = 0;
3658 3658
@@ -3662,7 +3662,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3662 goto out; 3662 goto out;
3663 sid = task_sid(task); 3663 sid = task_sid(task);
3664 3664
3665 AVC_AUDIT_DATA_INIT(&ad, NET); 3665 COMMON_AUDIT_DATA_INIT(&ad, NET);
3666 ad.u.net.sk = sock->sk; 3666 ad.u.net.sk = sock->sk;
3667 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 3667 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3668 3668
@@ -3749,7 +3749,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3749 if (family == PF_INET || family == PF_INET6) { 3749 if (family == PF_INET || family == PF_INET6) {
3750 char *addrp; 3750 char *addrp;
3751 struct inode_security_struct *isec; 3751 struct inode_security_struct *isec;
3752 struct avc_audit_data ad; 3752 struct common_audit_data ad;
3753 struct sockaddr_in *addr4 = NULL; 3753 struct sockaddr_in *addr4 = NULL;
3754 struct sockaddr_in6 *addr6 = NULL; 3754 struct sockaddr_in6 *addr6 = NULL;
3755 unsigned short snum; 3755 unsigned short snum;
@@ -3778,7 +3778,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3778 snum, &sid); 3778 snum, &sid);
3779 if (err) 3779 if (err)
3780 goto out; 3780 goto out;
3781 AVC_AUDIT_DATA_INIT(&ad, NET); 3781 COMMON_AUDIT_DATA_INIT(&ad, NET);
3782 ad.u.net.sport = htons(snum); 3782 ad.u.net.sport = htons(snum);
3783 ad.u.net.family = family; 3783 ad.u.net.family = family;
3784 err = avc_has_perm(isec->sid, sid, 3784 err = avc_has_perm(isec->sid, sid,
@@ -3811,7 +3811,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3811 if (err) 3811 if (err)
3812 goto out; 3812 goto out;
3813 3813
3814 AVC_AUDIT_DATA_INIT(&ad, NET); 3814 COMMON_AUDIT_DATA_INIT(&ad, NET);
3815 ad.u.net.sport = htons(snum); 3815 ad.u.net.sport = htons(snum);
3816 ad.u.net.family = family; 3816 ad.u.net.family = family;
3817 3817
@@ -3845,7 +3845,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
3845 isec = SOCK_INODE(sock)->i_security; 3845 isec = SOCK_INODE(sock)->i_security;
3846 if (isec->sclass == SECCLASS_TCP_SOCKET || 3846 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3847 isec->sclass == SECCLASS_DCCP_SOCKET) { 3847 isec->sclass == SECCLASS_DCCP_SOCKET) {
3848 struct avc_audit_data ad; 3848 struct common_audit_data ad;
3849 struct sockaddr_in *addr4 = NULL; 3849 struct sockaddr_in *addr4 = NULL;
3850 struct sockaddr_in6 *addr6 = NULL; 3850 struct sockaddr_in6 *addr6 = NULL;
3851 unsigned short snum; 3851 unsigned short snum;
@@ -3870,7 +3870,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
3870 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3870 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3871 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3871 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3872 3872
3873 AVC_AUDIT_DATA_INIT(&ad, NET); 3873 COMMON_AUDIT_DATA_INIT(&ad, NET);
3874 ad.u.net.dport = htons(snum); 3874 ad.u.net.dport = htons(snum);
3875 ad.u.net.family = sk->sk_family; 3875 ad.u.net.family = sk->sk_family;
3876 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3876 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
@@ -3960,13 +3960,13 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
3960 struct sk_security_struct *ssec; 3960 struct sk_security_struct *ssec;
3961 struct inode_security_struct *isec; 3961 struct inode_security_struct *isec;
3962 struct inode_security_struct *other_isec; 3962 struct inode_security_struct *other_isec;
3963 struct avc_audit_data ad; 3963 struct common_audit_data ad;
3964 int err; 3964 int err;
3965 3965
3966 isec = SOCK_INODE(sock)->i_security; 3966 isec = SOCK_INODE(sock)->i_security;
3967 other_isec = SOCK_INODE(other)->i_security; 3967 other_isec = SOCK_INODE(other)->i_security;
3968 3968
3969 AVC_AUDIT_DATA_INIT(&ad, NET); 3969 COMMON_AUDIT_DATA_INIT(&ad, NET);
3970 ad.u.net.sk = other->sk; 3970 ad.u.net.sk = other->sk;
3971 3971
3972 err = avc_has_perm(isec->sid, other_isec->sid, 3972 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -3992,13 +3992,13 @@ static int selinux_socket_unix_may_send(struct socket *sock,
3992{ 3992{
3993 struct inode_security_struct *isec; 3993 struct inode_security_struct *isec;
3994 struct inode_security_struct *other_isec; 3994 struct inode_security_struct *other_isec;
3995 struct avc_audit_data ad; 3995 struct common_audit_data ad;
3996 int err; 3996 int err;
3997 3997
3998 isec = SOCK_INODE(sock)->i_security; 3998 isec = SOCK_INODE(sock)->i_security;
3999 other_isec = SOCK_INODE(other)->i_security; 3999 other_isec = SOCK_INODE(other)->i_security;
4000 4000
4001 AVC_AUDIT_DATA_INIT(&ad, NET); 4001 COMMON_AUDIT_DATA_INIT(&ad, NET);
4002 ad.u.net.sk = other->sk; 4002 ad.u.net.sk = other->sk;
4003 4003
4004 err = avc_has_perm(isec->sid, other_isec->sid, 4004 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -4011,7 +4011,7 @@ static int selinux_socket_unix_may_send(struct socket *sock,
4011 4011
4012static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 4012static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4013 u32 peer_sid, 4013 u32 peer_sid,
4014 struct avc_audit_data *ad) 4014 struct common_audit_data *ad)
4015{ 4015{
4016 int err; 4016 int err;
4017 u32 if_sid; 4017 u32 if_sid;
@@ -4039,10 +4039,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4039 struct sk_security_struct *sksec = sk->sk_security; 4039 struct sk_security_struct *sksec = sk->sk_security;
4040 u32 peer_sid; 4040 u32 peer_sid;
4041 u32 sk_sid = sksec->sid; 4041 u32 sk_sid = sksec->sid;
4042 struct avc_audit_data ad; 4042 struct common_audit_data ad;
4043 char *addrp; 4043 char *addrp;
4044 4044
4045 AVC_AUDIT_DATA_INIT(&ad, NET); 4045 COMMON_AUDIT_DATA_INIT(&ad, NET);
4046 ad.u.net.netif = skb->iif; 4046 ad.u.net.netif = skb->iif;
4047 ad.u.net.family = family; 4047 ad.u.net.family = family;
4048 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4048 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
@@ -4080,7 +4080,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4080 struct sk_security_struct *sksec = sk->sk_security; 4080 struct sk_security_struct *sksec = sk->sk_security;
4081 u16 family = sk->sk_family; 4081 u16 family = sk->sk_family;
4082 u32 sk_sid = sksec->sid; 4082 u32 sk_sid = sksec->sid;
4083 struct avc_audit_data ad; 4083 struct common_audit_data ad;
4084 char *addrp; 4084 char *addrp;
4085 u8 secmark_active; 4085 u8 secmark_active;
4086 u8 peerlbl_active; 4086 u8 peerlbl_active;
@@ -4104,7 +4104,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4104 if (!secmark_active && !peerlbl_active) 4104 if (!secmark_active && !peerlbl_active)
4105 return 0; 4105 return 0;
4106 4106
4107 AVC_AUDIT_DATA_INIT(&ad, NET); 4107 COMMON_AUDIT_DATA_INIT(&ad, NET);
4108 ad.u.net.netif = skb->iif; 4108 ad.u.net.netif = skb->iif;
4109 ad.u.net.family = family; 4109 ad.u.net.family = family;
4110 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4110 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
@@ -4362,7 +4362,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4362 int err; 4362 int err;
4363 char *addrp; 4363 char *addrp;
4364 u32 peer_sid; 4364 u32 peer_sid;
4365 struct avc_audit_data ad; 4365 struct common_audit_data ad;
4366 u8 secmark_active; 4366 u8 secmark_active;
4367 u8 netlbl_active; 4367 u8 netlbl_active;
4368 u8 peerlbl_active; 4368 u8 peerlbl_active;
@@ -4379,7 +4379,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4379 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4379 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4380 return NF_DROP; 4380 return NF_DROP;
4381 4381
4382 AVC_AUDIT_DATA_INIT(&ad, NET); 4382 COMMON_AUDIT_DATA_INIT(&ad, NET);
4383 ad.u.net.netif = ifindex; 4383 ad.u.net.netif = ifindex;
4384 ad.u.net.family = family; 4384 ad.u.net.family = family;
4385 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4385 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
@@ -4467,7 +4467,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4467{ 4467{
4468 struct sock *sk = skb->sk; 4468 struct sock *sk = skb->sk;
4469 struct sk_security_struct *sksec; 4469 struct sk_security_struct *sksec;
4470 struct avc_audit_data ad; 4470 struct common_audit_data ad;
4471 char *addrp; 4471 char *addrp;
4472 u8 proto; 4472 u8 proto;
4473 4473
@@ -4475,7 +4475,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4475 return NF_ACCEPT; 4475 return NF_ACCEPT;
4476 sksec = sk->sk_security; 4476 sksec = sk->sk_security;
4477 4477
4478 AVC_AUDIT_DATA_INIT(&ad, NET); 4478 COMMON_AUDIT_DATA_INIT(&ad, NET);
4479 ad.u.net.netif = ifindex; 4479 ad.u.net.netif = ifindex;
4480 ad.u.net.family = family; 4480 ad.u.net.family = family;
4481 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4481 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
@@ -4499,7 +4499,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4499 u32 secmark_perm; 4499 u32 secmark_perm;
4500 u32 peer_sid; 4500 u32 peer_sid;
4501 struct sock *sk; 4501 struct sock *sk;
4502 struct avc_audit_data ad; 4502 struct common_audit_data ad;
4503 char *addrp; 4503 char *addrp;
4504 u8 secmark_active; 4504 u8 secmark_active;
4505 u8 peerlbl_active; 4505 u8 peerlbl_active;
@@ -4558,7 +4558,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4558 secmark_perm = PACKET__SEND; 4558 secmark_perm = PACKET__SEND;
4559 } 4559 }
4560 4560
4561 AVC_AUDIT_DATA_INIT(&ad, NET); 4561 COMMON_AUDIT_DATA_INIT(&ad, NET);
4562 ad.u.net.netif = ifindex; 4562 ad.u.net.netif = ifindex;
4563 ad.u.net.family = family; 4563 ad.u.net.family = family;
4564 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 4564 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
@@ -4628,13 +4628,13 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4628static int selinux_netlink_recv(struct sk_buff *skb, int capability) 4628static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4629{ 4629{
4630 int err; 4630 int err;
4631 struct avc_audit_data ad; 4631 struct common_audit_data ad;
4632 4632
4633 err = cap_netlink_recv(skb, capability); 4633 err = cap_netlink_recv(skb, capability);
4634 if (err) 4634 if (err)
4635 return err; 4635 return err;
4636 4636
4637 AVC_AUDIT_DATA_INIT(&ad, CAP); 4637 COMMON_AUDIT_DATA_INIT(&ad, CAP);
4638 ad.u.cap = capability; 4638 ad.u.cap = capability;
4639 4639
4640 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4640 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
@@ -4693,12 +4693,12 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4693 u32 perms) 4693 u32 perms)
4694{ 4694{
4695 struct ipc_security_struct *isec; 4695 struct ipc_security_struct *isec;
4696 struct avc_audit_data ad; 4696 struct common_audit_data ad;
4697 u32 sid = current_sid(); 4697 u32 sid = current_sid();
4698 4698
4699 isec = ipc_perms->security; 4699 isec = ipc_perms->security;
4700 4700
4701 AVC_AUDIT_DATA_INIT(&ad, IPC); 4701 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4702 ad.u.ipc_id = ipc_perms->key; 4702 ad.u.ipc_id = ipc_perms->key;
4703 4703
4704 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 4704 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
@@ -4718,7 +4718,7 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg)
4718static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4718static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4719{ 4719{
4720 struct ipc_security_struct *isec; 4720 struct ipc_security_struct *isec;
4721 struct avc_audit_data ad; 4721 struct common_audit_data ad;
4722 u32 sid = current_sid(); 4722 u32 sid = current_sid();
4723 int rc; 4723 int rc;
4724 4724
@@ -4728,7 +4728,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4728 4728
4729 isec = msq->q_perm.security; 4729 isec = msq->q_perm.security;
4730 4730
4731 AVC_AUDIT_DATA_INIT(&ad, IPC); 4731 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4732 ad.u.ipc_id = msq->q_perm.key; 4732 ad.u.ipc_id = msq->q_perm.key;
4733 4733
4734 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4734 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
@@ -4748,12 +4748,12 @@ static void selinux_msg_queue_free_security(struct msg_queue *msq)
4748static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4748static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4749{ 4749{
4750 struct ipc_security_struct *isec; 4750 struct ipc_security_struct *isec;
4751 struct avc_audit_data ad; 4751 struct common_audit_data ad;
4752 u32 sid = current_sid(); 4752 u32 sid = current_sid();
4753 4753
4754 isec = msq->q_perm.security; 4754 isec = msq->q_perm.security;
4755 4755
4756 AVC_AUDIT_DATA_INIT(&ad, IPC); 4756 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4757 ad.u.ipc_id = msq->q_perm.key; 4757 ad.u.ipc_id = msq->q_perm.key;
4758 4758
4759 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4759 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
@@ -4792,7 +4792,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4792{ 4792{
4793 struct ipc_security_struct *isec; 4793 struct ipc_security_struct *isec;
4794 struct msg_security_struct *msec; 4794 struct msg_security_struct *msec;
4795 struct avc_audit_data ad; 4795 struct common_audit_data ad;
4796 u32 sid = current_sid(); 4796 u32 sid = current_sid();
4797 int rc; 4797 int rc;
4798 4798
@@ -4813,7 +4813,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4813 return rc; 4813 return rc;
4814 } 4814 }
4815 4815
4816 AVC_AUDIT_DATA_INIT(&ad, IPC); 4816 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4817 ad.u.ipc_id = msq->q_perm.key; 4817 ad.u.ipc_id = msq->q_perm.key;
4818 4818
4819 /* Can this process write to the queue? */ 4819 /* Can this process write to the queue? */
@@ -4837,14 +4837,14 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4837{ 4837{
4838 struct ipc_security_struct *isec; 4838 struct ipc_security_struct *isec;
4839 struct msg_security_struct *msec; 4839 struct msg_security_struct *msec;
4840 struct avc_audit_data ad; 4840 struct common_audit_data ad;
4841 u32 sid = task_sid(target); 4841 u32 sid = task_sid(target);
4842 int rc; 4842 int rc;
4843 4843
4844 isec = msq->q_perm.security; 4844 isec = msq->q_perm.security;
4845 msec = msg->security; 4845 msec = msg->security;
4846 4846
4847 AVC_AUDIT_DATA_INIT(&ad, IPC); 4847 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4848 ad.u.ipc_id = msq->q_perm.key; 4848 ad.u.ipc_id = msq->q_perm.key;
4849 4849
4850 rc = avc_has_perm(sid, isec->sid, 4850 rc = avc_has_perm(sid, isec->sid,
@@ -4859,7 +4859,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4859static int selinux_shm_alloc_security(struct shmid_kernel *shp) 4859static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4860{ 4860{
4861 struct ipc_security_struct *isec; 4861 struct ipc_security_struct *isec;
4862 struct avc_audit_data ad; 4862 struct common_audit_data ad;
4863 u32 sid = current_sid(); 4863 u32 sid = current_sid();
4864 int rc; 4864 int rc;
4865 4865
@@ -4869,7 +4869,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4869 4869
4870 isec = shp->shm_perm.security; 4870 isec = shp->shm_perm.security;
4871 4871
4872 AVC_AUDIT_DATA_INIT(&ad, IPC); 4872 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4873 ad.u.ipc_id = shp->shm_perm.key; 4873 ad.u.ipc_id = shp->shm_perm.key;
4874 4874
4875 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 4875 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
@@ -4889,12 +4889,12 @@ static void selinux_shm_free_security(struct shmid_kernel *shp)
4889static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 4889static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4890{ 4890{
4891 struct ipc_security_struct *isec; 4891 struct ipc_security_struct *isec;
4892 struct avc_audit_data ad; 4892 struct common_audit_data ad;
4893 u32 sid = current_sid(); 4893 u32 sid = current_sid();
4894 4894
4895 isec = shp->shm_perm.security; 4895 isec = shp->shm_perm.security;
4896 4896
4897 AVC_AUDIT_DATA_INIT(&ad, IPC); 4897 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4898 ad.u.ipc_id = shp->shm_perm.key; 4898 ad.u.ipc_id = shp->shm_perm.key;
4899 4899
4900 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 4900 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
@@ -4951,7 +4951,7 @@ static int selinux_shm_shmat(struct shmid_kernel *shp,
4951static int selinux_sem_alloc_security(struct sem_array *sma) 4951static int selinux_sem_alloc_security(struct sem_array *sma)
4952{ 4952{
4953 struct ipc_security_struct *isec; 4953 struct ipc_security_struct *isec;
4954 struct avc_audit_data ad; 4954 struct common_audit_data ad;
4955 u32 sid = current_sid(); 4955 u32 sid = current_sid();
4956 int rc; 4956 int rc;
4957 4957
@@ -4961,7 +4961,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
4961 4961
4962 isec = sma->sem_perm.security; 4962 isec = sma->sem_perm.security;
4963 4963
4964 AVC_AUDIT_DATA_INIT(&ad, IPC); 4964 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4965 ad.u.ipc_id = sma->sem_perm.key; 4965 ad.u.ipc_id = sma->sem_perm.key;
4966 4966
4967 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 4967 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
@@ -4981,12 +4981,12 @@ static void selinux_sem_free_security(struct sem_array *sma)
4981static int selinux_sem_associate(struct sem_array *sma, int semflg) 4981static int selinux_sem_associate(struct sem_array *sma, int semflg)
4982{ 4982{
4983 struct ipc_security_struct *isec; 4983 struct ipc_security_struct *isec;
4984 struct avc_audit_data ad; 4984 struct common_audit_data ad;
4985 u32 sid = current_sid(); 4985 u32 sid = current_sid();
4986 4986
4987 isec = sma->sem_perm.security; 4987 isec = sma->sem_perm.security;
4988 4988
4989 AVC_AUDIT_DATA_INIT(&ad, IPC); 4989 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4990 ad.u.ipc_id = sma->sem_perm.key; 4990 ad.u.ipc_id = sma->sem_perm.key;
4991 4991
4992 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 4992 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
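diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index ae4c3a0e2c1a..e94e82f73818 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -13,6 +13,7 @@
 #include <linux/spinlock.h>
 #include <linux/init.h>
 #include <linux/audit.h>
+#include <linux/lsm_audit.h>
 #include <linux/in6.h>
 #include <linux/path.h>
 #include <asm/system.h>
@@ -36,48 +37,6 @@ struct inode;
 struct sock;
 struct sk_buff;
 
-/* Auxiliary data to use in generating the audit record. */
-struct avc_audit_data {
-	char type;
-#define AVC_AUDIT_DATA_FS 1
-#define AVC_AUDIT_DATA_NET 2
-#define AVC_AUDIT_DATA_CAP 3
-#define AVC_AUDIT_DATA_IPC 4
-	struct task_struct *tsk;
-	union {
-		struct {
-			struct path path;
-			struct inode *inode;
-		} fs;
-		struct {
-			int netif;
-			struct sock *sk;
-			u16 family;
-			__be16 dport;
-			__be16 sport;
-			union {
-				struct {
-					__be32 daddr;
-					__be32 saddr;
-				} v4;
-				struct {
-					struct in6_addr daddr;
-					struct in6_addr saddr;
-				} v6;
-			} fam;
-		} net;
-		int cap;
-		int ipc_id;
-	} u;
-};
-
-#define v4info fam.v4
-#define v6info fam.v6
-
-/* Initialize an AVC audit data structure. */
-#define AVC_AUDIT_DATA_INIT(_d,_t) \
-	{ memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; }
-
 /*
  * AVC statistics
  */
@@ -98,7 +57,9 @@ void __init avc_init(void);
 
 void avc_audit(u32 ssid, u32 tsid,
 	       u16 tclass, u32 requested,
-	       struct av_decision *avd, int result, struct avc_audit_data *auditdata);
+	       struct av_decision *avd,
+	       int result,
+	       struct common_audit_data *a);
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
@@ -108,7 +69,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 
 int avc_has_perm(u32 ssid, u32 tsid,
 		 u16 tclass, u32 requested,
-		 struct avc_audit_data *auditdata);
+		 struct common_audit_data *auditdata);
 
 u32 avc_policy_seqno(void);
 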
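Review bot: The new avc_audit() prototype at lines 60-62 names its audit-data parameter `a`, while avc_has_perm() at line 72 keeps `auditdata` for the same kind of argument; in a public header the two declarations should agree, e.g. `struct common_audit_data *auditdata);` on line 62. With struct avc_audit_data and its comment gone, nothing in avc.h now tells a caller how the argument is expected to be prepared; a one-line comment above avc_audit(), `/* a: caller-initialised via COMMON_AUDIT_DATA_INIT() (see lsm_audit.h) */`, would keep that contract visible. The `<linux/in6.h>` and `<linux/path.h>` includes appear, from this hunk alone, to have served only the removed struct's in6_addr and path members; if the rest of the header has no other use for them they can be dropped, but that needs the parts of avc.h outside this diff.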
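diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index b4b5b9b2f0be..8d7384280a7a 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -59,7 +59,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 				struct sk_buff *skb,
 				u16 family,
-				struct avc_audit_data *ad);
+				struct common_audit_data *ad);
 int selinux_netlbl_socket_setsockopt(struct socket *sock,
 				     int level,
 				     int optname);
@@ -129,7 +129,7 @@ static inline int selinux_netlbl_socket_post_create(struct sock *sk,
 static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 					      struct sk_buff *skb,
 					      u16 family,
-					      struct avc_audit_data *ad)
+					      struct common_audit_data *ad)
 {
 	return 0;
 }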
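Review bot: The prototypes at line 62 and line 132 now name `struct common_audit_data`, but nothing in this section declares the tag before it is used, so the header presumably depends on whatever it already included for `struct avc_audit_data` now pulling in lsm_audit.h transitively (avc.h gains that include in this commit). A tag first seen inside a parameter list has prototype scope and only produces a compiler warning, so a mismatch here would be silent rather than a build break. Adding `struct common_audit_data;` near the top of this header, next to the other forward declarations, would make it self-contained instead of include-order dependent; the same applies to xfrm.h (new lines 44, 46, 60 and 66).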
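diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 289e24b39e3e..13128f9a3e5a 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -41,9 +41,9 @@ static inline int selinux_xfrm_enabled(void)
 }
 
 int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
-			struct avc_audit_data *ad);
+			struct common_audit_data *ad);
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-			struct avc_audit_data *ad, u8 proto);
+			struct common_audit_data *ad, u8 proto);
 int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 
 static inline void selinux_xfrm_notify_policyload(void)
@@ -57,13 +57,13 @@ static inline int selinux_xfrm_enabled(void)
 }
 
 static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
-			struct avc_audit_data *ad)
+			struct common_audit_data *ad)
 {
 	return 0;
 }
 
 static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-			struct avc_audit_data *ad, u8 proto)
+			struct common_audit_data *ad, u8 proto)
 {
 	return 0;
 }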
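diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 2e984413c7b2..e68823741ad5 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -342,7 +342,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 				struct sk_buff *skb,
 				u16 family,
-				struct avc_audit_data *ad)
+				struct common_audit_data *ad)
 {
 	int rc;
 	u32 nlbl_sid;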
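diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 72b18452e1a1..f3cb9ed731a9 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -401,7 +401,7 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
  * gone thru the IPSec process.
  */
 int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
-				struct avc_audit_data *ad)
+				struct common_audit_data *ad)
 {
 	int i, rc = 0;
 	struct sec_path *sp;
@@ -442,7 +442,7 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
  * checked in the selinux_xfrm_state_pol_flow_match hook above.
  */
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-				struct avc_audit_data *ad, u8 proto)
+				struct common_audit_data *ad, u8 proto)
 {
 	struct dst_entry *dst;
 	int rc = 0;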