| author | Steve Grubb <sgrubb@redhat.com> | 2006-04-03 09:08:13 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-05-01 06:09:58 -0400 |
| commit | e7c3497013a7e5496ce3d5fd3c73b5cf5af7a56e (patch) | |
| tree | 2a57da5e958011b300256988e414387b1455660c | |
| parent | 9c7aa6aa74fa8a5cda36e54cbbe4fffe0214497d (diff) | |
[PATCH] Reworked patch for labels on user space messages
The below patch should be applied after the inode and ipc sid patches.
This patch is a reworking of Tim's patch that has been updated to match
the inode and ipc patches since it's similar.
[updated:
> Stephen Smalley also wanted to change a variable from isec to tsec in the
> user sid patch. ]
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| -rw-r--r-- | include/linux/netlink.h | 1 | ||||
| -rw-r--r-- | include/linux/selinux.h | 16 | ||||
| -rw-r--r-- | kernel/audit.c | 22 | ||||
| -rw-r--r-- | net/netlink/af_netlink.c | 2 | ||||
| -rw-r--r-- | security/selinux/exports.c | 11 |
5 files changed, 49 insertions, 3 deletions
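--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -143,6 +143,7 @@ struct netlink_skb_parms
 __u32 dst_group;
 kernel_cap_t eff_cap;
 __u32 loginuid; /* Login (audit) uid */
+__u32 sid; /* SELinux security id */
 };
 
 #define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb))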
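Review bot: The new `sid` member grows `struct netlink_skb_parms`, which `NETLINK_CB()` two lines below overlays onto `skb->cb`, and nothing in this hunk shows that the enlarged struct still fits in the control block. A compile-time guard such as `BUILD_BUG_ON(sizeof(struct netlink_skb_parms) > sizeof(((struct sk_buff *)0)->cb));` at the first use of the macro would make that assumption checkable instead of silent. The field comment could also name where the value comes from, e.g. `/* SELinux security id of the sender, set in netlink_sendmsg() */`, since that is the only writer on this commit and a header reader otherwise has to go find it in af_netlink.c.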
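--- a/include/linux/selinux.h
+++ b/include/linux/selinux.h
@@ -5,6 +5,7 @@
 *
 * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
 * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+* Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2,
@@ -108,6 +109,16 @@ void selinux_get_inode_sid(const struct inode *inode, u32 *sid);
 */
 void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid);
 
+/**
+* selinux_get_task_sid - return the SID of task
+* @tsk: the task whose SID will be returned
+* @sid: pointer to security context ID to be filled in.
+*
+* Returns nothing
+*/
+void selinux_get_task_sid(struct task_struct *tsk, u32 *sid);
+
+
 #else
 
 static inline int selinux_audit_rule_init(u32 field, u32 op,
@@ -156,6 +167,11 @@ static inline void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *si
 *sid = 0;
 }
 
+static inline void selinux_get_task_sid(struct task_struct *tsk, u32 *sid)
+{
+*sid = 0;
+}
+
 #endif /* CONFIG_SECURITY_SELINUX */
 
 #endif /* _LINUX_SELINUX_H */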
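Review bot: `selinux_get_task_sid` takes a non-const `struct task_struct *tsk` while the sibling accessors in this header (`selinux_get_ipc_sid` in the hunk context and `selinux_get_inode_sid` in the hunk header) const-qualify the object they read; since the function only reads the task, `void selinux_get_task_sid(const struct task_struct *tsk, u32 *sid);` in the prototype, the `#else` stub and the definition in security/selinux/exports.c would keep the family consistent. The kerneldoc line `Returns nothing` says less than the stub below it shows — the disabled case stores 0 — so `* Sets *sid to the SID of @tsk, or 0 when SELinux is disabled.` would document the contract the caller in af_netlink.c relies on. The two blank lines added after the prototype (new 120–121) also leave a double blank before `#else`.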
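--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -390,7 +390,7 @@ static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
 
 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 {
-u32 uid, pid, seq;
+u32 uid, pid, seq, sid;
 void *data;
 struct audit_status *status_get, status_set;
 int err;
@@ -416,6 +416,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 pid = NETLINK_CREDS(skb)->pid;
 uid = NETLINK_CREDS(skb)->uid;
 loginuid = NETLINK_CB(skb).loginuid;
+sid = NETLINK_CB(skb).sid;
 seq = nlh->nlmsg_seq;
 data = NLMSG_DATA(nlh);
 
@@ -468,8 +469,23 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
 if (ab) {
 audit_log_format(ab,
-"user pid=%d uid=%u auid=%u msg='%.1024s'",
-pid, uid, loginuid, (char *)data);
+"user pid=%d uid=%u auid=%u",
+pid, uid, loginuid);
+if (sid) {
+char *ctx = NULL;
+u32 len;
+if (selinux_ctxid_to_string(
+sid, &ctx, &len)) {
+audit_log_format(ab,
+" subj=%u", sid);
+/* Maybe call audit_panic? */
+} else
+audit_log_format(ab,
+" subj=%s", ctx);
+kfree(ctx);
+}
+audit_log_format(ab, " msg='%.1024s'",
+(char *)data);
 audit_set_pid(ab, pid);
 audit_log_end(ab);
 }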
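Review bot: The `if`/`else` inside the added `if (sid)` block braces only one branch (`} else` followed by a bare two-line `audit_log_format` call), which kernel style asks to brace on both sides once either side needs braces; `} else {` … `}` keeps the two `audit_log_format` calls symmetric and avoids the dangling-statement trap if someone later adds a line to the else arm. The fallback `" subj=%u", sid` writes a raw numeric SID into the same field that otherwise carries a context string, and the `/* Maybe call audit_panic? */` left beside it reads as an open question rather than a decision — it should be replaced by a comment stating the policy, e.g. `/* no context string available: log the numeric SID rather than drop the record */`, which I cannot fully confirm here because selinux_ctxid_to_string's error contract is outside this hunk. Emitting `subj=` before `msg=` is the right order, since the user-controlled `%.1024s` text stays the last field of the record for parsers. audit_receive_msg starts and ends outside this hunk.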
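--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -56,6 +56,7 @@
 #include <linux/mm.h>
 #include <linux/types.h>
 #include <linux/audit.h>
+#include <linux/selinux.h>
 
 #include <net/sock.h>
 #include <net/scm.h>
@@ -1157,6 +1158,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
 NETLINK_CB(skb).dst_pid = dst_pid;
 NETLINK_CB(skb).dst_group = dst_group;
 NETLINK_CB(skb).loginuid = audit_get_loginuid(current->audit_context);
+selinux_get_task_sid(current, &(NETLINK_CB(skb).sid));
 memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
 
 /* What can I do? Netlink is asynchronous, so that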
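Review bot: `&(NETLINK_CB(skb).sid)` carries redundant parentheses; `selinux_get_task_sid(current, &NETLINK_CB(skb).sid);` reads the same as the `loginuid` assignment directly above it. The sender's label is captured from `current` at sendmsg time, exactly like the loginuid, so a one-line comment tying the two together, e.g. `/* stamp the sender's audit loginuid and SELinux label for the receiver */`, would help a reader who later meets `NETLINK_CB(skb).sid` in kernel/audit.c. Because this is the generic sendmsg path, the stamping appears to apply to every netlink family, not only audit; that looks intentional (the `#else` stub in linux/selinux.h makes it a no-op without SELinux) but is worth saying in the commit message. netlink_sendmsg starts and ends outside the hunk.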
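--- a/security/selinux/exports.c
+++ b/security/selinux/exports.c
@@ -5,6 +5,7 @@
 *
 * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
 * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+* Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2,
@@ -61,3 +62,13 @@ void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid)
 *sid = 0;
 }
 
+void selinux_get_task_sid(struct task_struct *tsk, u32 *sid)
+{
+if (selinux_enabled) {
+struct task_security_struct *tsec = tsk->security;
+*sid = tsec->sid;
+return;
+}
+*sid = 0;
+}
+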
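Review bot: `selinux_get_task_sid` dereferences `tsk->security` with no NULL check and no locking; that is fine when `tsk` is `current` (the only caller on this page, in netlink_sendmsg), because a task's own security blob cannot disappear under it, but the function and its kerneldoc in linux/selinux.h say nothing about that, so the contract should be written down, e.g. `/* tsk must be current or otherwise pinned; tsec->sid is read without locking */`. Whether a task can have a NULL `security` pointer while `selinux_enabled` is set is not visible from this hunk; if the task allocation hook can fail, the dereference wants a guard. The parameter could also be `const struct task_struct *tsk` to match `selinux_get_ipc_sid` in the hunk header, and the file now ends with an extra blank line (new 74).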
