aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSteve Grubb <sgrubb@redhat.com>2005-05-13 13:17:42 -0400
committerDavid Woodhouse <dwmw2@shinybook.infradead.org>2005-05-13 13:17:42 -0400
commitc04049939f88b29e235d2da217bce6e8ead44f32 (patch)
tree9bf3ab72b9939c529e7c96f8768bc8b7e1d768c9
parent9ea74f0655412d0fbd12bf9adb6c14c8fe707a42 (diff)
AUDIT: Add message types to audit records
This patch adds more messages types to the audit subsystem so that audit analysis is quicker, intuitive, and more useful. Signed-off-by: Steve Grubb <sgrubb@redhat.com> --- I forgot one type in the big patch. I need to add one for user space originating SE Linux avc messages. This is used by dbus and nscd. -Steve --- Updated to 2.6.12-rc4-mm1. -dwmw2 Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat
-rw-r--r--include/linux/audit.h66
-rw-r--r--kernel/audit.c78
-rw-r--r--kernel/auditsc.c42
-rw-r--r--security/selinux/avc.c4
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/selinux/nlmsgtab.c8
-rw-r--r--security/selinux/ss/services.c4
7 files changed, 143 insertions, 61 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 405332ebf3c6..1a15ba38c660 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -27,15 +27,53 @@
27#include <linux/sched.h> 27#include <linux/sched.h>
28#include <linux/elf.h> 28#include <linux/elf.h>
29 29
30/* Request and reply types */ 30/* The netlink messages for the audit system is divided into blocks:
31 * 1000 - 1099 are for commanding the audit system
32 * 1100 - 1199 user space trusted application messages
33 * 1200 - 1299 messages internal to the audit daemon
34 * 1300 - 1399 audit event messages
35 * 1400 - 1499 SE Linux use
36 * 1500 - 1999 future use
37 * 2000 is for otherwise unclassified kernel audit messages
38 *
39 * Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user
40 * space. Anything over that is kernel --> user space communication.
41 */
31#define AUDIT_GET 1000 /* Get status */ 42#define AUDIT_GET 1000 /* Get status */
32#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ 43#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */
33#define AUDIT_LIST 1002 /* List filtering rules */ 44#define AUDIT_LIST 1002 /* List syscall filtering rules */
34#define AUDIT_ADD 1003 /* Add filtering rule */ 45#define AUDIT_ADD 1003 /* Add syscall filtering rule */
35#define AUDIT_DEL 1004 /* Delete filtering rule */ 46#define AUDIT_DEL 1004 /* Delete syscall filtering rule */
36#define AUDIT_USER 1005 /* Send a message from user-space */ 47#define AUDIT_USER 1005 /* Message from userspace -- deprecated */
37#define AUDIT_LOGIN 1006 /* Define the login id and information */ 48#define AUDIT_LOGIN 1006 /* Define the login id and information */
38#define AUDIT_SIGNAL_INFO 1010 /* Get information about sender of signal*/ 49#define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */
50#define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */
51#define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */
52#define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */
53
54#define AUDIT_USER_AUTH 1100 /* User space authentication */
55#define AUDIT_USER_ACCT 1101 /* User space acct change */
56#define AUDIT_USER_MGMT 1102 /* User space acct management */
57#define AUDIT_CRED_ACQ 1103 /* User space credential acquired */
58#define AUDIT_CRED_DISP 1104 /* User space credential disposed */
59#define AUDIT_USER_START 1105 /* User space session start */
60#define AUDIT_USER_END 1106 /* User space session end */
61#define AUDIT_USER_AVC 1107 /* User space avc message */
62
63#define AUDIT_DAEMON_START 1200 /* Daemon startup record */
64#define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */
65#define AUDIT_DAEMON_ABORT 1202 /* Daemon error stop record */
66#define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */
67
68#define AUDIT_SYSCALL 1300 /* Syscall event */
69#define AUDIT_FS_WATCH 1301 /* Filesystem watch event */
70#define AUDIT_PATH 1302 /* Filname path information */
71#define AUDIT_IPC 1303 /* IPC record */
72#define AUDIT_SOCKET 1304 /* Socket record */
73#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
74
75#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
76#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
39 77
40#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ 78#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
41 79
@@ -216,14 +254,11 @@ extern void audit_signal_info(int sig, struct task_struct *t);
216#ifdef CONFIG_AUDIT 254#ifdef CONFIG_AUDIT
217/* These are defined in audit.c */ 255/* These are defined in audit.c */
218 /* Public API */ 256 /* Public API */
219#define audit_log(ctx, fmt, args...) \ 257extern void audit_log(struct audit_context *ctx, int type,
220 audit_log_type(ctx, AUDIT_KERNEL, 0, fmt, ##args) 258 const char *fmt, ...)
221extern void audit_log_type(struct audit_context *ctx, int type, 259 __attribute__((format(printf,3,4)));
222 int pid, const char *fmt, ...)
223 __attribute__((format(printf,4,5)));
224 260
225extern struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, 261extern struct audit_buffer *audit_log_start(struct audit_context *ctx,int type);
226 int pid);
227extern void audit_log_format(struct audit_buffer *ab, 262extern void audit_log_format(struct audit_buffer *ab,
228 const char *fmt, ...) 263 const char *fmt, ...)
229 __attribute__((format(printf,2,3))); 264 __attribute__((format(printf,2,3)));
@@ -243,9 +278,8 @@ extern void audit_send_reply(int pid, int seq, int type,
243 void *payload, int size); 278 void *payload, int size);
244extern void audit_log_lost(const char *message); 279extern void audit_log_lost(const char *message);
245#else 280#else
246#define audit_log(c,f,...) do { ; } while (0) 281#define audit_log(c,t,f,...) do { ; } while (0)
247#define audit_log_type(c,t,p,f,...) do { ; } while (0) 282#define audit_log_start(c,t) ({ NULL; })
248#define audit_log_start(c,t,p) ({ NULL; })
249#define audit_log_vformat(b,f,a) do { ; } while (0) 283#define audit_log_vformat(b,f,a) do { ; } while (0)
250#define audit_log_format(b,f,...) do { ; } while (0) 284#define audit_log_format(b,f,...) do { ; } while (0)
251#define audit_log_end(b) do { ; } while (0) 285#define audit_log_end(b) do { ; } while (0)
diff --git a/kernel/audit.c b/kernel/audit.c
index 187164572bd0..4e940c05ede8 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -140,6 +140,12 @@ struct audit_buffer {
140 struct audit_context *ctx; /* NULL or associated context */ 140 struct audit_context *ctx; /* NULL or associated context */
141}; 141};
142 142
143static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
144{
145 struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
146 nlh->nlmsg_pid = pid;
147}
148
143struct audit_entry { 149struct audit_entry {
144 struct list_head list; 150 struct list_head list;
145 struct audit_rule rule; 151 struct audit_rule rule;
@@ -233,7 +239,8 @@ static int audit_set_rate_limit(int limit, uid_t loginuid)
233{ 239{
234 int old = audit_rate_limit; 240 int old = audit_rate_limit;
235 audit_rate_limit = limit; 241 audit_rate_limit = limit;
236 audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u", 242 audit_log(NULL, AUDIT_CONFIG_CHANGE,
243 "audit_rate_limit=%d old=%d by auid %u",
237 audit_rate_limit, old, loginuid); 244 audit_rate_limit, old, loginuid);
238 return old; 245 return old;
239} 246}
@@ -242,7 +249,8 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid)
242{ 249{
243 int old = audit_backlog_limit; 250 int old = audit_backlog_limit;
244 audit_backlog_limit = limit; 251 audit_backlog_limit = limit;
245 audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u", 252 audit_log(NULL, AUDIT_CONFIG_CHANGE,
253 "audit_backlog_limit=%d old=%d by auid %u",
246 audit_backlog_limit, old, loginuid); 254 audit_backlog_limit, old, loginuid);
247 return old; 255 return old;
248} 256}
@@ -253,8 +261,9 @@ static int audit_set_enabled(int state, uid_t loginuid)
253 if (state != 0 && state != 1) 261 if (state != 0 && state != 1)
254 return -EINVAL; 262 return -EINVAL;
255 audit_enabled = state; 263 audit_enabled = state;
256 audit_log(NULL, "audit_enabled=%d old=%d by auid %u", 264 audit_log(NULL, AUDIT_CONFIG_CHANGE,
257 audit_enabled, old, loginuid); 265 "audit_enabled=%d old=%d by auid %u",
266 audit_enabled, old, loginuid);
258 return old; 267 return old;
259} 268}
260 269
@@ -266,8 +275,9 @@ static int audit_set_failure(int state, uid_t loginuid)
266 && state != AUDIT_FAIL_PANIC) 275 && state != AUDIT_FAIL_PANIC)
267 return -EINVAL; 276 return -EINVAL;
268 audit_failure = state; 277 audit_failure = state;
269 audit_log(NULL, "audit_failure=%d old=%d by auid %u", 278 audit_log(NULL, AUDIT_CONFIG_CHANGE,
270 audit_failure, old, loginuid); 279 "audit_failure=%d old=%d by auid %u",
280 audit_failure, old, loginuid);
271 return old; 281 return old;
272} 282}
273 283
@@ -316,6 +326,14 @@ static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
316 err = -EPERM; 326 err = -EPERM;
317 break; 327 break;
318 case AUDIT_USER: 328 case AUDIT_USER:
329 case AUDIT_USER_AUTH:
330 case AUDIT_USER_ACCT:
331 case AUDIT_USER_MGMT:
332 case AUDIT_CRED_ACQ:
333 case AUDIT_CRED_DISP:
334 case AUDIT_USER_START:
335 case AUDIT_USER_END:
336 case AUDIT_USER_AVC:
319 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE)) 337 if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
320 err = -EPERM; 338 err = -EPERM;
321 break; 339 break;
@@ -332,6 +350,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
332 void *data; 350 void *data;
333 struct audit_status *status_get, status_set; 351 struct audit_status *status_get, status_set;
334 int err; 352 int err;
353 struct audit_buffer *ab;
335 u16 msg_type = nlh->nlmsg_type; 354 u16 msg_type = nlh->nlmsg_type;
336 uid_t loginuid; /* loginuid of sender */ 355 uid_t loginuid; /* loginuid of sender */
337 struct audit_sig_info sig_data; 356 struct audit_sig_info sig_data;
@@ -373,7 +392,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
373 if (status_get->mask & AUDIT_STATUS_PID) { 392 if (status_get->mask & AUDIT_STATUS_PID) {
374 int old = audit_pid; 393 int old = audit_pid;
375 audit_pid = status_get->pid; 394 audit_pid = status_get->pid;
376 audit_log(NULL, "audit_pid=%d old=%d by auid %u", 395 audit_log(NULL, AUDIT_CONFIG_CHANGE,
396 "audit_pid=%d old=%d by auid %u",
377 audit_pid, old, loginuid); 397 audit_pid, old, loginuid);
378 } 398 }
379 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 399 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
@@ -383,13 +403,26 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
383 loginuid); 403 loginuid);
384 break; 404 break;
385 case AUDIT_USER: 405 case AUDIT_USER:
386 audit_log_type(NULL, AUDIT_USER, pid, 406 case AUDIT_USER_AUTH:
407 case AUDIT_USER_ACCT:
408 case AUDIT_USER_MGMT:
409 case AUDIT_CRED_ACQ:
410 case AUDIT_CRED_DISP:
411 case AUDIT_USER_START:
412 case AUDIT_USER_END:
413 case AUDIT_USER_AVC:
414 ab = audit_log_start(NULL, msg_type);
415 if (!ab)
416 break; /* audit_panic has been called */
417 audit_log_format(ab,
387 "user pid=%d uid=%d length=%d loginuid=%u" 418 "user pid=%d uid=%d length=%d loginuid=%u"
388 " msg='%.1024s'", 419 " msg='%.1024s'",
389 pid, uid, 420 pid, uid,
390 (int)(nlh->nlmsg_len 421 (int)(nlh->nlmsg_len
391 - ((char *)data - (char *)nlh)), 422 - ((char *)data - (char *)nlh)),
392 loginuid, (char *)data); 423 loginuid, (char *)data);
424 audit_set_pid(ab, pid);
425 audit_log_end(ab);
393 break; 426 break;
394 case AUDIT_ADD: 427 case AUDIT_ADD:
395 case AUDIT_DEL: 428 case AUDIT_DEL:
@@ -504,7 +537,7 @@ static int __init audit_init(void)
504 537
505 audit_initialized = 1; 538 audit_initialized = 1;
506 audit_enabled = audit_default; 539 audit_enabled = audit_default;
507 audit_log(NULL, "initialized"); 540 audit_log(NULL, AUDIT_KERNEL, "initialized");
508 return 0; 541 return 0;
509} 542}
510__initcall(audit_init); 543__initcall(audit_init);
@@ -541,10 +574,12 @@ static void audit_buffer_free(struct audit_buffer *ab)
541 spin_unlock_irqrestore(&audit_freelist_lock, flags); 574 spin_unlock_irqrestore(&audit_freelist_lock, flags);
542} 575}
543 576
544static struct audit_buffer * audit_buffer_alloc(int gfp_mask) 577static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
578 int gfp_mask, int type)
545{ 579{
546 unsigned long flags; 580 unsigned long flags;
547 struct audit_buffer *ab = NULL; 581 struct audit_buffer *ab = NULL;
582 struct nlmsghdr *nlh;
548 583
549 spin_lock_irqsave(&audit_freelist_lock, flags); 584 spin_lock_irqsave(&audit_freelist_lock, flags);
550 if (!list_empty(&audit_freelist)) { 585 if (!list_empty(&audit_freelist)) {
@@ -566,6 +601,12 @@ static struct audit_buffer * audit_buffer_alloc(int gfp_mask)
566 if (!ab->skb) 601 if (!ab->skb)
567 goto err; 602 goto err;
568 603
604 ab->ctx = ctx;
605 nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));
606 nlh->nlmsg_type = type;
607 nlh->nlmsg_flags = 0;
608 nlh->nlmsg_pid = 0;
609 nlh->nlmsg_seq = 0;
569 return ab; 610 return ab;
570err: 611err:
571 audit_buffer_free(ab); 612 audit_buffer_free(ab);
@@ -578,12 +619,11 @@ err:
578 * syscall, then the syscall is marked as auditable and an audit record 619 * syscall, then the syscall is marked as auditable and an audit record
579 * will be written at syscall exit. If there is no associated task, tsk 620 * will be written at syscall exit. If there is no associated task, tsk
580 * should be NULL. */ 621 * should be NULL. */
581struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, int pid) 622struct audit_buffer *audit_log_start(struct audit_context *ctx, int type)
582{ 623{
583 struct audit_buffer *ab = NULL; 624 struct audit_buffer *ab = NULL;
584 struct timespec t; 625 struct timespec t;
585 unsigned int serial; 626 unsigned int serial;
586 struct nlmsghdr *nlh;
587 627
588 if (!audit_initialized) 628 if (!audit_initialized)
589 return NULL; 629 return NULL;
@@ -600,19 +640,12 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, int pi
600 return NULL; 640 return NULL;
601 } 641 }
602 642
603 ab = audit_buffer_alloc(GFP_ATOMIC); 643 ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type);
604 if (!ab) { 644 if (!ab) {
605 audit_log_lost("out of memory in audit_log_start"); 645 audit_log_lost("out of memory in audit_log_start");
606 return NULL; 646 return NULL;
607 } 647 }
608 648
609 ab->ctx = ctx;
610 nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));
611 nlh->nlmsg_type = type;
612 nlh->nlmsg_flags = 0;
613 nlh->nlmsg_pid = pid;
614 nlh->nlmsg_seq = 0;
615
616 if (!audit_get_stamp(ab->ctx, &t, &serial)) { 649 if (!audit_get_stamp(ab->ctx, &t, &serial)) {
617 t = CURRENT_TIME; 650 t = CURRENT_TIME;
618 serial = 0; 651 serial = 0;
@@ -809,13 +842,12 @@ void audit_log_end(struct audit_buffer *ab)
809/* Log an audit record. This is a convenience function that calls 842/* Log an audit record. This is a convenience function that calls
810 * audit_log_start, audit_log_vformat, and audit_log_end. It may be 843 * audit_log_start, audit_log_vformat, and audit_log_end. It may be
811 * called in any context. */ 844 * called in any context. */
812void audit_log_type(struct audit_context *ctx, int type, int pid, 845void audit_log(struct audit_context *ctx, int type, const char *fmt, ...)
813 const char *fmt, ...)
814{ 846{
815 struct audit_buffer *ab; 847 struct audit_buffer *ab;
816 va_list args; 848 va_list args;
817 849
818 ab = audit_log_start(ctx, type, pid); 850 ab = audit_log_start(ctx, type);
819 if (ab) { 851 if (ab) {
820 va_start(args, fmt); 852 va_start(args, fmt);
821 audit_log_vformat(ab, fmt, args); 853 audit_log_vformat(ab, fmt, args);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d089263253a7..1b7c91f9d5ff 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -286,7 +286,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
286 err = audit_add_rule(entry, &audit_entlist); 286 err = audit_add_rule(entry, &audit_entlist);
287 if (!err && (flags & AUDIT_AT_EXIT)) 287 if (!err && (flags & AUDIT_AT_EXIT))
288 err = audit_add_rule(entry, &audit_extlist); 288 err = audit_add_rule(entry, &audit_extlist);
289 audit_log(NULL, "auid %u added an audit rule\n", loginuid); 289 audit_log(NULL, AUDIT_CONFIG_CHANGE,
290 "auid %u added an audit rule\n", loginuid);
290 break; 291 break;
291 case AUDIT_DEL: 292 case AUDIT_DEL:
292 flags =((struct audit_rule *)data)->flags; 293 flags =((struct audit_rule *)data)->flags;
@@ -296,7 +297,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
296 err = audit_del_rule(data, &audit_entlist); 297 err = audit_del_rule(data, &audit_entlist);
297 if (!err && (flags & AUDIT_AT_EXIT)) 298 if (!err && (flags & AUDIT_AT_EXIT))
298 err = audit_del_rule(data, &audit_extlist); 299 err = audit_del_rule(data, &audit_extlist);
299 audit_log(NULL, "auid %u removed an audit rule\n", loginuid); 300 audit_log(NULL, AUDIT_CONFIG_CHANGE,
301 "auid %u removed an audit rule\n", loginuid);
300 break; 302 break;
301 default: 303 default:
302 return -EINVAL; 304 return -EINVAL;
@@ -648,7 +650,7 @@ static void audit_log_exit(struct audit_context *context)
648 int i; 650 int i;
649 struct audit_buffer *ab; 651 struct audit_buffer *ab;
650 652
651 ab = audit_log_start(context, AUDIT_KERNEL, 0); 653 ab = audit_log_start(context, AUDIT_SYSCALL);
652 if (!ab) 654 if (!ab)
653 return; /* audit_panic has been called */ 655 return; /* audit_panic has been called */
654 audit_log_format(ab, "syscall=%d", context->major); 656 audit_log_format(ab, "syscall=%d", context->major);
@@ -680,28 +682,28 @@ static void audit_log_exit(struct audit_context *context)
680 while (context->aux) { 682 while (context->aux) {
681 struct audit_aux_data *aux; 683 struct audit_aux_data *aux;
682 684
683 ab = audit_log_start(context, AUDIT_KERNEL, 0); 685 aux = context->aux;
686
687 ab = audit_log_start(context, aux->type);
684 if (!ab) 688 if (!ab)
685 continue; /* audit_panic has been called */ 689 continue; /* audit_panic has been called */
686 690
687 aux = context->aux;
688 context->aux = aux->next;
689
690 audit_log_format(ab, "auxitem=%d", aux->type);
691 switch (aux->type) { 691 switch (aux->type) {
692 case AUDIT_AUX_IPCPERM: { 692 case AUDIT_IPC: {
693 struct audit_aux_data_ipcctl *axi = (void *)aux; 693 struct audit_aux_data_ipcctl *axi = (void *)aux;
694 audit_log_format(ab, 694 audit_log_format(ab,
695 " qbytes=%lx uid=%d gid=%d mode=%x", 695 " qbytes=%lx iuid=%d igid=%d mode=%x",
696 axi->qbytes, axi->uid, axi->gid, axi->mode); 696 axi->qbytes, axi->uid, axi->gid, axi->mode);
697 } 697 }
698 } 698 }
699 audit_log_end(ab); 699 audit_log_end(ab);
700
701 context->aux = aux->next;
700 kfree(aux); 702 kfree(aux);
701 } 703 }
702 704
703 for (i = 0; i < context->name_count; i++) { 705 for (i = 0; i < context->name_count; i++) {
704 ab = audit_log_start(context, AUDIT_KERNEL, 0); 706 ab = audit_log_start(context, AUDIT_PATH);
705 if (!ab) 707 if (!ab)
706 continue; /* audit_panic has been called */ 708 continue; /* audit_panic has been called */
707 audit_log_format(ab, "item=%d", i); 709 audit_log_format(ab, "item=%d", i);
@@ -711,7 +713,7 @@ static void audit_log_exit(struct audit_context *context)
711 } 713 }
712 if (context->names[i].ino != (unsigned long)-1) 714 if (context->names[i].ino != (unsigned long)-1)
713 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o" 715 audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
714 " uid=%d gid=%d rdev=%02x:%02x", 716 " ouid=%d ogid=%d rdev=%02x:%02x",
715 context->names[i].ino, 717 context->names[i].ino,
716 MAJOR(context->names[i].dev), 718 MAJOR(context->names[i].dev),
717 MINOR(context->names[i].dev), 719 MINOR(context->names[i].dev),
@@ -1008,10 +1010,16 @@ int audit_get_stamp(struct audit_context *ctx,
1008int audit_set_loginuid(struct task_struct *task, uid_t loginuid) 1010int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
1009{ 1011{
1010 if (task->audit_context) { 1012 if (task->audit_context) {
1011 audit_log_type(NULL, AUDIT_LOGIN, 0, 1013 struct audit_buffer *ab;
1012 "login pid=%d uid=%u old loginuid=%u new loginuid=%u", 1014
1013 task->pid, task->uid, task->audit_context->loginuid, 1015 ab = audit_log_start(NULL, AUDIT_LOGIN);
1014 loginuid); 1016 if (ab) {
1017 audit_log_format(ab, "login pid=%d uid=%u "
1018 "old loginuid=%u new loginuid=%u",
1019 task->pid, task->uid,
1020 task->audit_context->loginuid, loginuid);
1021 audit_log_end(ab);
1022 }
1015 task->audit_context->loginuid = loginuid; 1023 task->audit_context->loginuid = loginuid;
1016 } 1024 }
1017 return 0; 1025 return 0;
@@ -1039,7 +1047,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
1039 ax->gid = gid; 1047 ax->gid = gid;
1040 ax->mode = mode; 1048 ax->mode = mode;
1041 1049
1042 ax->d.type = AUDIT_AUX_IPCPERM; 1050 ax->d.type = AUDIT_IPC;
1043 ax->d.next = context->aux; 1051 ax->d.next = context->aux;
1044 context->aux = (void *)ax; 1052 context->aux = (void *)ax;
1045 return 0; 1053 return 0;
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 9e71a1bbe011..042f91e9f9d2 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -242,7 +242,7 @@ void __init avc_init(void)
242 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), 242 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
243 0, SLAB_PANIC, NULL, NULL); 243 0, SLAB_PANIC, NULL, NULL);
244 244
245 audit_log(current->audit_context, "AVC INITIALIZED\n"); 245 audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n");
246} 246}
247 247
248int avc_get_hash_stats(char *page) 248int avc_get_hash_stats(char *page)
@@ -549,7 +549,7 @@ void avc_audit(u32 ssid, u32 tsid,
549 return; 549 return;
550 } 550 }
551 551
552 ab = audit_log_start(current->audit_context, AUDIT_KERNEL, 0); 552 ab = audit_log_start(current->audit_context, AUDIT_AVC);
553 if (!ab) 553 if (!ab)
554 return; /* audit_panic has been called */ 554 return; /* audit_panic has been called */
555 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); 555 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index aae1e794fe48..db845cbd5841 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3419,7 +3419,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3419 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 3419 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3420 if (err) { 3420 if (err) {
3421 if (err == -EINVAL) { 3421 if (err == -EINVAL) {
3422 audit_log(current->audit_context, 3422 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
3423 "SELinux: unrecognized netlink message" 3423 "SELinux: unrecognized netlink message"
3424 " type=%hu for sclass=%hu\n", 3424 " type=%hu for sclass=%hu\n",
3425 nlh->nlmsg_type, isec->sclass); 3425 nlh->nlmsg_type, isec->sclass);
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index deac14367d43..67e77acc4795 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -98,6 +98,14 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
98 { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, 98 { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
99 { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, 99 { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
100 { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, 100 { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
101 { AUDIT_USER_AUTH, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
102 { AUDIT_USER_ACCT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
103 { AUDIT_USER_MGMT, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
104 { AUDIT_CRED_ACQ, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
105 { AUDIT_CRED_DISP, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
106 { AUDIT_USER_START, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
107 { AUDIT_USER_END, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
108 { AUDIT_USER_AVC, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
101}; 109};
102 110
103 111
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 5a820cf88c9c..07fdf6ee6148 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -365,7 +365,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
365 goto out; 365 goto out;
366 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 366 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
367 goto out; 367 goto out;
368 audit_log(current->audit_context, 368 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
369 "security_validate_transition: denied for" 369 "security_validate_transition: denied for"
370 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 370 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
371 o, n, t, policydb.p_class_val_to_name[tclass-1]); 371 o, n, t, policydb.p_class_val_to_name[tclass-1]);
@@ -742,7 +742,7 @@ static int compute_sid_handle_invalid_context(
742 goto out; 742 goto out;
743 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 743 if (context_struct_to_string(newcontext, &n, &nlen) < 0)
744 goto out; 744 goto out;
745 audit_log(current->audit_context, 745 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
746 "security_compute_sid: invalid context %s" 746 "security_compute_sid: invalid context %s"
747 " for scontext=%s" 747 " for scontext=%s"
748 " tcontext=%s" 748 " tcontext=%s"
generated by cgit v1.2.2 (git 2.25.0) at 2024-09-28 21:25:36 -0400