author | Richard Guy Briggs <rgb@redhat.com> | 2013-08-14 11:32:45 -0400 |
committer | Eric Paris <eparis@redhat.com> | 2014-01-13 22:26:52 -0500 |
commit | f9441639e6319f0c0e12bd63fa2f58990af0a9d2 (patch) | |
tree | 3fc0c477d498240e517c471f76efa2deee81ce5d | |
parent | ca24a23ebca17d9d0f2afde4ee49cd810bccc8d7 (diff) |
audit: fix netlink portid naming and types
Normally, netlink ports use the PID of the userspace process as the port ID.
If the PID is already in use by a port, the kernel will allocate another port
ID to avoid conflict. Re-name all references to netlink ports from pid to
portid to reflect this reality and avoid confusion with actual PIDs. Ports
use the __u32 type, so re-type all portids accordingly.
(This patch is very similar to ebiederman's 5deadd69)
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
-rw-r--r-- | include/linux/audit.h | 2 | ||||
-rw-r--r-- | kernel/audit.c | 32 | ||||
-rw-r--r-- | kernel/audit.h | 8 | ||||
-rw-r--r-- | kernel/auditfilter.c | 18 |
4 files changed, 31 insertions, 29 deletions
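--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -461,7 +461,7 @@ extern int audit_update_lsm_rules(void);
 /* Private API (for audit.c only) */
 extern int audit_filter_user(int type);
 extern int audit_filter_type(int type);
-extern int audit_receive_filter(int type, int pid, int seq,
+extern int audit_receive_filter(int type, __u32 portid, int seq,
 void *data, size_t datasz);
 extern int audit_enabled;
 #else /* CONFIG_AUDIT */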
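--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -93,7 +93,7 @@ static int audit_failure = AUDIT_FAIL_PRINTK;
 * the portid to use to send netlink messages to that process.
 */
 int audit_pid;
-static int audit_nlk_portid;
+static __u32 audit_nlk_portid;
 
 /* If audit_rate_limit is non-zero, limit the rate of sending audit records
 * to that number per second. This prevents DoS attacks, but results in
@@ -175,15 +175,15 @@ struct audit_buffer {
 };
 
 struct audit_reply {
-int pid;
+__u32 portid;
 struct sk_buff *skb;
 };
 
-static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
+static void audit_set_portid(struct audit_buffer *ab, __u32 portid)
 {
 if (ab) {
 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
-nlh->nlmsg_pid = pid;
+nlh->nlmsg_pid = portid;
 }
 }
 
@@ -482,7 +482,7 @@ static int kauditd_thread(void *dummy)
 int audit_send_list(void *_dest)
 {
 struct audit_netlink_list *dest = _dest;
-int pid = dest->pid;
+__u32 portid = dest->portid;
 struct sk_buff *skb;
 
 /* wait for parent to finish and send an ACK */
@@ -490,14 +490,14 @@ int audit_send_list(void *_dest)
 mutex_unlock(&audit_cmd_mutex);
 
 while ((skb = __skb_dequeue(&dest->q)) != NULL)
-netlink_unicast(audit_sock, skb, pid, 0);
+netlink_unicast(audit_sock, skb, portid, 0);
 
 kfree(dest);
 
 return 0;
 }
 
-struct sk_buff *audit_make_reply(int pid, int seq, int type, int done,
+struct sk_buff *audit_make_reply(__u32 portid, int seq, int type, int done,
 int multi, const void *payload, int size)
 {
 struct sk_buff *skb;
@@ -510,7 +510,7 @@ struct sk_buff *audit_make_reply(int pid, int seq, int type, int done,
 if (!skb)
 return NULL;
 
-nlh = nlmsg_put(skb, pid, seq, t, size, flags);
+nlh = nlmsg_put(skb, portid, seq, t, size, flags);
 if (!nlh)
 goto out_kfree_skb;
 data = nlmsg_data(nlh);
@@ -531,13 +531,13 @@ static int audit_send_reply_thread(void *arg)
 
 /* Ignore failure. It'll only happen if the sender goes away,
 because our timeout is set to infinite. */
-netlink_unicast(audit_sock, reply->skb, reply->pid, 0);
+netlink_unicast(audit_sock, reply->skb, reply->portid, 0);
 kfree(reply);
 return 0;
 }
 /**
 * audit_send_reply - send an audit reply message via netlink
-* @pid: process id to send reply to
+* @portid: netlink port to which to send reply
 * @seq: sequence number
 * @type: audit message type
 * @done: done (last) flag
@@ -545,11 +545,11 @@ static int audit_send_reply_thread(void *arg)
 * @payload: payload data
 * @size: payload size
 *
-* Allocates an skb, builds the netlink message, and sends it to the pid.
+* Allocates an skb, builds the netlink message, and sends it to the port id.
 * No failure notifications.
 */
-static void audit_send_reply(int pid, int seq, int type, int done, int multi,
-const void *payload, int size)
+static void audit_send_reply(__u32 portid, int seq, int type, int done,
+int multi, const void *payload, int size)
 {
 struct sk_buff *skb;
 struct task_struct *tsk;
@@ -559,11 +559,11 @@ static void audit_send_reply(int pid, int seq, int type, int done, int multi,
 if (!reply)
 return;
 
-skb = audit_make_reply(pid, seq, type, done, multi, payload, size);
+skb = audit_make_reply(portid, seq, type, done, multi, payload, size);
 if (!skb)
 goto out;
 
-reply->pid = pid;
+reply->portid = portid;
 reply->skb = skb;
 
 tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
@@ -839,7 +839,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 size--;
 audit_log_n_untrustedstring(ab, data, size);
 }
-audit_set_pid(ab, NETLINK_CB(skb).portid);
+audit_set_portid(ab, NETLINK_CB(skb).portid);
 audit_log_end(ab);
 }
 break;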
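Review bot: The retyped `portid` member of `struct audit_reply` in the hunk at 175 carries no comment saying what it holds, even though the whole purpose of this commit is that the value is a netlink port and not a process id; a reader who only sees the struct can still fall back on the old assumption. The field is used only as the unicast destination in audit_send_reply_thread, so a one-line comment such as `__u32 portid; /* netlink port the reply is unicast to, not a PID */` would pin that down. The same applies to `struct audit_netlink_list` in the kernel/audit.h section, whose `portid` is likewise the unicast destination in audit_send_list.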
diff --git a/kernel/audit.h b/kernel/audit.h index b779642b29af..c7282444caea 100644 --- a/kernel/audit.h +++ b/kernel/audit.h | |||
@@ -240,13 +240,13 @@ extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right); | |||
240 | extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right); | 240 | extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right); |
241 | extern int parent_len(const char *path); | 241 | extern int parent_len(const char *path); |
242 | extern int audit_compare_dname_path(const char *dname, const char *path, int plen); | 242 | extern int audit_compare_dname_path(const char *dname, const char *path, int plen); |
243 | extern struct sk_buff * audit_make_reply(int pid, int seq, int type, | 243 | extern struct sk_buff *audit_make_reply(__u32 portid, int seq, int type, |
244 | int done, int multi, | 244 | int done, int multi, |
245 | const void *payload, int size); | 245 | const void *payload, int size); |
246 | extern void audit_panic(const char *message); | 246 | extern void audit_panic(const char *message); |
247 | 247 | ||
248 | struct audit_netlink_list { | 248 | struct audit_netlink_list { |
249 | int pid; | 249 | __u32 portid; |
250 | struct sk_buff_head q; | 250 | struct sk_buff_head q; |
251 | }; | 251 | }; |
252 | 252 | ||
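--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -972,7 +972,7 @@ out:
 }
 
 /* List rules using struct audit_rule_data. */
-static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
+static void audit_list_rules(__u32 portid, int seq, struct sk_buff_head *q)
 {
 struct sk_buff *skb;
 struct audit_krule *r;
@@ -987,14 +987,15 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
 data = audit_krule_to_data(r);
 if (unlikely(!data))
 break;
-skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 0, 1,
-data, sizeof(*data) + data->buflen);
+skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES,
+0, 1, data,
+sizeof(*data) + data->buflen);
 if (skb)
 skb_queue_tail(q, skb);
 kfree(data);
 }
 }
-skb = audit_make_reply(pid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
+skb = audit_make_reply(portid, seq, AUDIT_LIST_RULES, 1, 1, NULL, 0);
 if (skb)
 skb_queue_tail(q, skb);
 }
@@ -1024,12 +1025,13 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
 /**
 * audit_receive_filter - apply all rules to the specified message type
 * @type: audit message type
-* @pid: target pid for netlink audit messages
+* @portid: target port id for netlink audit messages
 * @seq: netlink audit message sequence (serial) number
 * @data: payload data
 * @datasz: size of payload data
 */
-int audit_receive_filter(int type, int pid, int seq, void *data, size_t datasz)
+int audit_receive_filter(int type, __u32 portid, int seq, void *data,
+size_t datasz)
 {
 struct task_struct *tsk;
 struct audit_netlink_list *dest;
@@ -1047,11 +1049,11 @@ int audit_receive_filter(int type, int pid, int seq, void *data, size_t datasz)
 dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
 if (!dest)
 return -ENOMEM;
-dest->pid = pid;
+dest->portid = portid;
 skb_queue_head_init(&dest->q);
 
 mutex_lock(&audit_filter_mutex);
-audit_list_rules(pid, seq, &dest->q);
+audit_list_rules(portid, seq, &dest->q);
 mutex_unlock(&audit_filter_mutex);
 
 tsk = kthread_run(audit_send_list, dest, "audit_send_list");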