aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAhmed S. Darwish <darwish.07@gmail.com>2008-03-01 14:54:38 -0500
committerJames Morris <jmorris@namei.org>2008-04-18 19:52:34 -0400
commit2a862b32f3da5a2120043921ad301322ad526084 (patch)
treebb97054b2f648504f670e3eaed2626b547c4d081
parent713a04aeaba35bb95d442cdeb52055498519be25 (diff)
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces: selinux_get_inode_sid(inode, sid) selinux_get_ipc_sid(ipcp, sid) selinux_get_task_sid(tsk, sid) selinux_sid_to_string(sid, ctx, len) kfree(ctx) and use following generic LSM equivalents respectively: security_inode_getsecid(inode, secid) security_ipc_getsecid*(ipcp, secid) security_task_getsecid(tsk, secid) security_sid_to_secctx(sid, ctx, len) security_release_secctx(ctx, len) Call security_release_secctx only if security_secid_to_secctx succeeded. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org> Reviewed-by: Paul Moore <paul.moore@hp.com>
-rw-r--r--kernel/audit.c17
-rw-r--r--kernel/auditfilter.c8
-rw-r--r--kernel/auditsc.c55
3 files changed, 43 insertions, 37 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index b782b046543d..784a48e9f382 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -265,13 +265,13 @@ static int audit_log_config_change(char *function_name, int new, int old,
265 char *ctx = NULL; 265 char *ctx = NULL;
266 u32 len; 266 u32 len;
267 267
268 rc = selinux_sid_to_string(sid, &ctx, &len); 268 rc = security_secid_to_secctx(sid, &ctx, &len);
269 if (rc) { 269 if (rc) {
270 audit_log_format(ab, " sid=%u", sid); 270 audit_log_format(ab, " sid=%u", sid);
271 allow_changes = 0; /* Something weird, deny request */ 271 allow_changes = 0; /* Something weird, deny request */
272 } else { 272 } else {
273 audit_log_format(ab, " subj=%s", ctx); 273 audit_log_format(ab, " subj=%s", ctx);
274 kfree(ctx); 274 security_release_secctx(ctx, len);
275 } 275 }
276 } 276 }
277 audit_log_format(ab, " res=%d", allow_changes); 277 audit_log_format(ab, " res=%d", allow_changes);
@@ -550,12 +550,13 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
550 audit_log_format(*ab, "user pid=%d uid=%u auid=%u", 550 audit_log_format(*ab, "user pid=%d uid=%u auid=%u",
551 pid, uid, auid); 551 pid, uid, auid);
552 if (sid) { 552 if (sid) {
553 rc = selinux_sid_to_string(sid, &ctx, &len); 553 rc = security_secid_to_secctx(sid, &ctx, &len);
554 if (rc) 554 if (rc)
555 audit_log_format(*ab, " ssid=%u", sid); 555 audit_log_format(*ab, " ssid=%u", sid);
556 else 556 else {
557 audit_log_format(*ab, " subj=%s", ctx); 557 audit_log_format(*ab, " subj=%s", ctx);
558 kfree(ctx); 558 security_release_secctx(ctx, len);
559 }
559 } 560 }
560 561
561 return rc; 562 return rc;
@@ -758,18 +759,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
758 break; 759 break;
759 } 760 }
760 case AUDIT_SIGNAL_INFO: 761 case AUDIT_SIGNAL_INFO:
761 err = selinux_sid_to_string(audit_sig_sid, &ctx, &len); 762 err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
762 if (err) 763 if (err)
763 return err; 764 return err;
764 sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); 765 sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
765 if (!sig_data) { 766 if (!sig_data) {
766 kfree(ctx); 767 security_release_secctx(ctx, len);
767 return -ENOMEM; 768 return -ENOMEM;
768 } 769 }
769 sig_data->uid = audit_sig_uid; 770 sig_data->uid = audit_sig_uid;
770 sig_data->pid = audit_sig_pid; 771 sig_data->pid = audit_sig_pid;
771 memcpy(sig_data->ctx, ctx, len); 772 memcpy(sig_data->ctx, ctx, len);
772 kfree(ctx); 773 security_release_secctx(ctx, len);
773 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO, 774 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
774 0, 0, sig_data, sizeof(*sig_data) + len); 775 0, 0, sig_data, sizeof(*sig_data) + len);
775 kfree(sig_data); 776 kfree(sig_data);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 2f2914b7cc30..35e58a146eff 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -28,6 +28,7 @@
28#include <linux/netlink.h> 28#include <linux/netlink.h>
29#include <linux/sched.h> 29#include <linux/sched.h>
30#include <linux/inotify.h> 30#include <linux/inotify.h>
31#include <linux/security.h>
31#include <linux/selinux.h> 32#include <linux/selinux.h>
32#include "audit.h" 33#include "audit.h"
33 34
@@ -1515,11 +1516,12 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
1515 if (sid) { 1516 if (sid) {
1516 char *ctx = NULL; 1517 char *ctx = NULL;
1517 u32 len; 1518 u32 len;
1518 if (selinux_sid_to_string(sid, &ctx, &len)) 1519 if (security_secid_to_secctx(sid, &ctx, &len))
1519 audit_log_format(ab, " ssid=%u", sid); 1520 audit_log_format(ab, " ssid=%u", sid);
1520 else 1521 else {
1521 audit_log_format(ab, " subj=%s", ctx); 1522 audit_log_format(ab, " subj=%s", ctx);
1522 kfree(ctx); 1523 security_release_secctx(ctx, len);
1524 }
1523 } 1525 }
1524 audit_log_format(ab, " op=%s rule key=", action); 1526 audit_log_format(ab, " op=%s rule key=", action);
1525 if (rule->filterkey) 1527 if (rule->filterkey)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 782262e4107d..6a83c706b504 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -530,7 +530,7 @@ static int audit_filter_rules(struct task_struct *tsk,
530 logged upon error */ 530 logged upon error */
531 if (f->se_rule) { 531 if (f->se_rule) {
532 if (need_sid) { 532 if (need_sid) {
533 selinux_get_task_sid(tsk, &sid); 533 security_task_getsecid(tsk, &sid);
534 need_sid = 0; 534 need_sid = 0;
535 } 535 }
536 result = selinux_audit_rule_match(sid, f->type, 536 result = selinux_audit_rule_match(sid, f->type,
@@ -885,11 +885,11 @@ void audit_log_task_context(struct audit_buffer *ab)
885 int error; 885 int error;
886 u32 sid; 886 u32 sid;
887 887
888 selinux_get_task_sid(current, &sid); 888 security_task_getsecid(current, &sid);
889 if (!sid) 889 if (!sid)
890 return; 890 return;
891 891
892 error = selinux_sid_to_string(sid, &ctx, &len); 892 error = security_secid_to_secctx(sid, &ctx, &len);
893 if (error) { 893 if (error) {
894 if (error != -EINVAL) 894 if (error != -EINVAL)
895 goto error_path; 895 goto error_path;
@@ -897,7 +897,7 @@ void audit_log_task_context(struct audit_buffer *ab)
897 } 897 }
898 898
899 audit_log_format(ab, " subj=%s", ctx); 899 audit_log_format(ab, " subj=%s", ctx);
900 kfree(ctx); 900 security_release_secctx(ctx, len);
901 return; 901 return;
902 902
903error_path: 903error_path:
@@ -941,7 +941,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
941 u32 sid, char *comm) 941 u32 sid, char *comm)
942{ 942{
943 struct audit_buffer *ab; 943 struct audit_buffer *ab;
944 char *s = NULL; 944 char *ctx = NULL;
945 u32 len; 945 u32 len;
946 int rc = 0; 946 int rc = 0;
947 947
@@ -951,15 +951,16 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
951 951
952 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid, 952 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
953 uid, sessionid); 953 uid, sessionid);
954 if (selinux_sid_to_string(sid, &s, &len)) { 954 if (security_secid_to_secctx(sid, &ctx, &len)) {
955 audit_log_format(ab, " obj=(none)"); 955 audit_log_format(ab, " obj=(none)");
956 rc = 1; 956 rc = 1;
957 } else 957 } else {
958 audit_log_format(ab, " obj=%s", s); 958 audit_log_format(ab, " obj=%s", ctx);
959 security_release_secctx(ctx, len);
960 }
959 audit_log_format(ab, " ocomm="); 961 audit_log_format(ab, " ocomm=");
960 audit_log_untrustedstring(ab, comm); 962 audit_log_untrustedstring(ab, comm);
961 audit_log_end(ab); 963 audit_log_end(ab);
962 kfree(s);
963 964
964 return rc; 965 return rc;
965} 966}
@@ -1271,14 +1272,15 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1271 if (axi->osid != 0) { 1272 if (axi->osid != 0) {
1272 char *ctx = NULL; 1273 char *ctx = NULL;
1273 u32 len; 1274 u32 len;
1274 if (selinux_sid_to_string( 1275 if (security_secid_to_secctx(
1275 axi->osid, &ctx, &len)) { 1276 axi->osid, &ctx, &len)) {
1276 audit_log_format(ab, " osid=%u", 1277 audit_log_format(ab, " osid=%u",
1277 axi->osid); 1278 axi->osid);
1278 call_panic = 1; 1279 call_panic = 1;
1279 } else 1280 } else {
1280 audit_log_format(ab, " obj=%s", ctx); 1281 audit_log_format(ab, " obj=%s", ctx);
1281 kfree(ctx); 1282 security_release_secctx(ctx, len);
1283 }
1282 } 1284 }
1283 break; } 1285 break; }
1284 1286
@@ -1392,13 +1394,14 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1392 if (n->osid != 0) { 1394 if (n->osid != 0) {
1393 char *ctx = NULL; 1395 char *ctx = NULL;
1394 u32 len; 1396 u32 len;
1395 if (selinux_sid_to_string( 1397 if (security_secid_to_secctx(
1396 n->osid, &ctx, &len)) { 1398 n->osid, &ctx, &len)) {
1397 audit_log_format(ab, " osid=%u", n->osid); 1399 audit_log_format(ab, " osid=%u", n->osid);
1398 call_panic = 2; 1400 call_panic = 2;
1399 } else 1401 } else {
1400 audit_log_format(ab, " obj=%s", ctx); 1402 audit_log_format(ab, " obj=%s", ctx);
1401 kfree(ctx); 1403 security_release_secctx(ctx, len);
1404 }
1402 } 1405 }
1403 1406
1404 audit_log_end(ab); 1407 audit_log_end(ab);
@@ -1775,7 +1778,7 @@ static void audit_copy_inode(struct audit_names *name, const struct inode *inode
1775 name->uid = inode->i_uid; 1778 name->uid = inode->i_uid;
1776 name->gid = inode->i_gid; 1779 name->gid = inode->i_gid;
1777 name->rdev = inode->i_rdev; 1780 name->rdev = inode->i_rdev;
1778 selinux_get_inode_sid(inode, &name->osid); 1781 security_inode_getsecid(inode, &name->osid);
1779} 1782}
1780 1783
1781/** 1784/**
@@ -2190,8 +2193,7 @@ int __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2190 ax->uid = ipcp->uid; 2193 ax->uid = ipcp->uid;
2191 ax->gid = ipcp->gid; 2194 ax->gid = ipcp->gid;
2192 ax->mode = ipcp->mode; 2195 ax->mode = ipcp->mode;
2193 selinux_get_ipc_sid(ipcp, &ax->osid); 2196 security_ipc_getsecid(ipcp, &ax->osid);
2194
2195 ax->d.type = AUDIT_IPC; 2197 ax->d.type = AUDIT_IPC;
2196 ax->d.next = context->aux; 2198 ax->d.next = context->aux;
2197 context->aux = (void *)ax; 2199 context->aux = (void *)ax;
@@ -2343,7 +2345,7 @@ void __audit_ptrace(struct task_struct *t)
2343 context->target_auid = audit_get_loginuid(t); 2345 context->target_auid = audit_get_loginuid(t);
2344 context->target_uid = t->uid; 2346 context->target_uid = t->uid;
2345 context->target_sessionid = audit_get_sessionid(t); 2347 context->target_sessionid = audit_get_sessionid(t);
2346 selinux_get_task_sid(t, &context->target_sid); 2348 security_task_getsecid(t, &context->target_sid);
2347 memcpy(context->target_comm, t->comm, TASK_COMM_LEN); 2349 memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2348} 2350}
2349 2351
@@ -2371,7 +2373,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
2371 audit_sig_uid = tsk->loginuid; 2373 audit_sig_uid = tsk->loginuid;
2372 else 2374 else
2373 audit_sig_uid = tsk->uid; 2375 audit_sig_uid = tsk->uid;
2374 selinux_get_task_sid(tsk, &audit_sig_sid); 2376 security_task_getsecid(tsk, &audit_sig_sid);
2375 } 2377 }
2376 if (!audit_signals || audit_dummy_context()) 2378 if (!audit_signals || audit_dummy_context())
2377 return 0; 2379 return 0;
@@ -2384,7 +2386,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
2384 ctx->target_auid = audit_get_loginuid(t); 2386 ctx->target_auid = audit_get_loginuid(t);
2385 ctx->target_uid = t->uid; 2387 ctx->target_uid = t->uid;
2386 ctx->target_sessionid = audit_get_sessionid(t); 2388 ctx->target_sessionid = audit_get_sessionid(t);
2387 selinux_get_task_sid(t, &ctx->target_sid); 2389 security_task_getsecid(t, &ctx->target_sid);
2388 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); 2390 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2389 return 0; 2391 return 0;
2390 } 2392 }
@@ -2405,7 +2407,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
2405 axp->target_auid[axp->pid_count] = audit_get_loginuid(t); 2407 axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2406 axp->target_uid[axp->pid_count] = t->uid; 2408 axp->target_uid[axp->pid_count] = t->uid;
2407 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); 2409 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2408 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); 2410 security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2409 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); 2411 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2410 axp->pid_count++; 2412 axp->pid_count++;
2411 2413
@@ -2435,16 +2437,17 @@ void audit_core_dumps(long signr)
2435 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2437 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2436 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u", 2438 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2437 auid, current->uid, current->gid, sessionid); 2439 auid, current->uid, current->gid, sessionid);
2438 selinux_get_task_sid(current, &sid); 2440 security_task_getsecid(current, &sid);
2439 if (sid) { 2441 if (sid) {
2440 char *ctx = NULL; 2442 char *ctx = NULL;
2441 u32 len; 2443 u32 len;
2442 2444
2443 if (selinux_sid_to_string(sid, &ctx, &len)) 2445 if (security_secid_to_secctx(sid, &ctx, &len))
2444 audit_log_format(ab, " ssid=%u", sid); 2446 audit_log_format(ab, " ssid=%u", sid);
2445 else 2447 else {
2446 audit_log_format(ab, " subj=%s", ctx); 2448 audit_log_format(ab, " subj=%s", ctx);
2447 kfree(ctx); 2449 security_release_secctx(ctx, len);
2450 }
2448 } 2451 }
2449 audit_log_format(ab, " pid=%d comm=", current->pid); 2452 audit_log_format(ab, " pid=%d comm=", current->pid);
2450 audit_log_untrustedstring(ab, current->comm); 2453 audit_log_untrustedstring(ab, current->comm);