diff options
author | Ahmed S. Darwish <darwish.07@gmail.com> | 2008-03-01 14:54:38 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-04-18 19:52:34 -0400 |
commit | 2a862b32f3da5a2120043921ad301322ad526084 (patch) | |
tree | bb97054b2f648504f670e3eaed2626b547c4d081 | |
parent | 713a04aeaba35bb95d442cdeb52055498519be25 (diff) |
Audit: use new LSM hooks instead of SELinux exports
Stop using the following exported SELinux interfaces:
selinux_get_inode_sid(inode, sid)
selinux_get_ipc_sid(ipcp, sid)
selinux_get_task_sid(tsk, sid)
selinux_sid_to_string(sid, ctx, len)
kfree(ctx)
and use following generic LSM equivalents respectively:
security_inode_getsecid(inode, secid)
security_ipc_getsecid*(ipcp, secid)
security_task_getsecid(tsk, secid)
security_sid_to_secctx(sid, ctx, len)
security_release_secctx(ctx, len)
Call security_release_secctx only if security_secid_to_secctx
succeeded.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Reviewed-by: Paul Moore <paul.moore@hp.com>
-rw-r--r-- | kernel/audit.c | 17 | ||||
-rw-r--r-- | kernel/auditfilter.c | 8 | ||||
-rw-r--r-- | kernel/auditsc.c | 55 |
3 files changed, 43 insertions, 37 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index b782b046543d..784a48e9f382 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
@@ -265,13 +265,13 @@ static int audit_log_config_change(char *function_name, int new, int old, | |||
265 | char *ctx = NULL; | 265 | char *ctx = NULL; |
266 | u32 len; | 266 | u32 len; |
267 | 267 | ||
268 | rc = selinux_sid_to_string(sid, &ctx, &len); | 268 | rc = security_secid_to_secctx(sid, &ctx, &len); |
269 | if (rc) { | 269 | if (rc) { |
270 | audit_log_format(ab, " sid=%u", sid); | 270 | audit_log_format(ab, " sid=%u", sid); |
271 | allow_changes = 0; /* Something weird, deny request */ | 271 | allow_changes = 0; /* Something weird, deny request */ |
272 | } else { | 272 | } else { |
273 | audit_log_format(ab, " subj=%s", ctx); | 273 | audit_log_format(ab, " subj=%s", ctx); |
274 | kfree(ctx); | 274 | security_release_secctx(ctx, len); |
275 | } | 275 | } |
276 | } | 276 | } |
277 | audit_log_format(ab, " res=%d", allow_changes); | 277 | audit_log_format(ab, " res=%d", allow_changes); |
@@ -550,12 +550,13 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, | |||
550 | audit_log_format(*ab, "user pid=%d uid=%u auid=%u", | 550 | audit_log_format(*ab, "user pid=%d uid=%u auid=%u", |
551 | pid, uid, auid); | 551 | pid, uid, auid); |
552 | if (sid) { | 552 | if (sid) { |
553 | rc = selinux_sid_to_string(sid, &ctx, &len); | 553 | rc = security_secid_to_secctx(sid, &ctx, &len); |
554 | if (rc) | 554 | if (rc) |
555 | audit_log_format(*ab, " ssid=%u", sid); | 555 | audit_log_format(*ab, " ssid=%u", sid); |
556 | else | 556 | else { |
557 | audit_log_format(*ab, " subj=%s", ctx); | 557 | audit_log_format(*ab, " subj=%s", ctx); |
558 | kfree(ctx); | 558 | security_release_secctx(ctx, len); |
559 | } | ||
559 | } | 560 | } |
560 | 561 | ||
561 | return rc; | 562 | return rc; |
@@ -758,18 +759,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
758 | break; | 759 | break; |
759 | } | 760 | } |
760 | case AUDIT_SIGNAL_INFO: | 761 | case AUDIT_SIGNAL_INFO: |
761 | err = selinux_sid_to_string(audit_sig_sid, &ctx, &len); | 762 | err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); |
762 | if (err) | 763 | if (err) |
763 | return err; | 764 | return err; |
764 | sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); | 765 | sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); |
765 | if (!sig_data) { | 766 | if (!sig_data) { |
766 | kfree(ctx); | 767 | security_release_secctx(ctx, len); |
767 | return -ENOMEM; | 768 | return -ENOMEM; |
768 | } | 769 | } |
769 | sig_data->uid = audit_sig_uid; | 770 | sig_data->uid = audit_sig_uid; |
770 | sig_data->pid = audit_sig_pid; | 771 | sig_data->pid = audit_sig_pid; |
771 | memcpy(sig_data->ctx, ctx, len); | 772 | memcpy(sig_data->ctx, ctx, len); |
772 | kfree(ctx); | 773 | security_release_secctx(ctx, len); |
773 | audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO, | 774 | audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO, |
774 | 0, 0, sig_data, sizeof(*sig_data) + len); | 775 | 0, 0, sig_data, sizeof(*sig_data) + len); |
775 | kfree(sig_data); | 776 | kfree(sig_data); |
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 2f2914b7cc30..35e58a146eff 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
@@ -28,6 +28,7 @@ | |||
28 | #include <linux/netlink.h> | 28 | #include <linux/netlink.h> |
29 | #include <linux/sched.h> | 29 | #include <linux/sched.h> |
30 | #include <linux/inotify.h> | 30 | #include <linux/inotify.h> |
31 | #include <linux/security.h> | ||
31 | #include <linux/selinux.h> | 32 | #include <linux/selinux.h> |
32 | #include "audit.h" | 33 | #include "audit.h" |
33 | 34 | ||
@@ -1515,11 +1516,12 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, | |||
1515 | if (sid) { | 1516 | if (sid) { |
1516 | char *ctx = NULL; | 1517 | char *ctx = NULL; |
1517 | u32 len; | 1518 | u32 len; |
1518 | if (selinux_sid_to_string(sid, &ctx, &len)) | 1519 | if (security_secid_to_secctx(sid, &ctx, &len)) |
1519 | audit_log_format(ab, " ssid=%u", sid); | 1520 | audit_log_format(ab, " ssid=%u", sid); |
1520 | else | 1521 | else { |
1521 | audit_log_format(ab, " subj=%s", ctx); | 1522 | audit_log_format(ab, " subj=%s", ctx); |
1522 | kfree(ctx); | 1523 | security_release_secctx(ctx, len); |
1524 | } | ||
1523 | } | 1525 | } |
1524 | audit_log_format(ab, " op=%s rule key=", action); | 1526 | audit_log_format(ab, " op=%s rule key=", action); |
1525 | if (rule->filterkey) | 1527 | if (rule->filterkey) |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 782262e4107d..6a83c706b504 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -530,7 +530,7 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
530 | logged upon error */ | 530 | logged upon error */ |
531 | if (f->se_rule) { | 531 | if (f->se_rule) { |
532 | if (need_sid) { | 532 | if (need_sid) { |
533 | selinux_get_task_sid(tsk, &sid); | 533 | security_task_getsecid(tsk, &sid); |
534 | need_sid = 0; | 534 | need_sid = 0; |
535 | } | 535 | } |
536 | result = selinux_audit_rule_match(sid, f->type, | 536 | result = selinux_audit_rule_match(sid, f->type, |
@@ -885,11 +885,11 @@ void audit_log_task_context(struct audit_buffer *ab) | |||
885 | int error; | 885 | int error; |
886 | u32 sid; | 886 | u32 sid; |
887 | 887 | ||
888 | selinux_get_task_sid(current, &sid); | 888 | security_task_getsecid(current, &sid); |
889 | if (!sid) | 889 | if (!sid) |
890 | return; | 890 | return; |
891 | 891 | ||
892 | error = selinux_sid_to_string(sid, &ctx, &len); | 892 | error = security_secid_to_secctx(sid, &ctx, &len); |
893 | if (error) { | 893 | if (error) { |
894 | if (error != -EINVAL) | 894 | if (error != -EINVAL) |
895 | goto error_path; | 895 | goto error_path; |
@@ -897,7 +897,7 @@ void audit_log_task_context(struct audit_buffer *ab) | |||
897 | } | 897 | } |
898 | 898 | ||
899 | audit_log_format(ab, " subj=%s", ctx); | 899 | audit_log_format(ab, " subj=%s", ctx); |
900 | kfree(ctx); | 900 | security_release_secctx(ctx, len); |
901 | return; | 901 | return; |
902 | 902 | ||
903 | error_path: | 903 | error_path: |
@@ -941,7 +941,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, | |||
941 | u32 sid, char *comm) | 941 | u32 sid, char *comm) |
942 | { | 942 | { |
943 | struct audit_buffer *ab; | 943 | struct audit_buffer *ab; |
944 | char *s = NULL; | 944 | char *ctx = NULL; |
945 | u32 len; | 945 | u32 len; |
946 | int rc = 0; | 946 | int rc = 0; |
947 | 947 | ||
@@ -951,15 +951,16 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, | |||
951 | 951 | ||
952 | audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid, | 952 | audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid, |
953 | uid, sessionid); | 953 | uid, sessionid); |
954 | if (selinux_sid_to_string(sid, &s, &len)) { | 954 | if (security_secid_to_secctx(sid, &ctx, &len)) { |
955 | audit_log_format(ab, " obj=(none)"); | 955 | audit_log_format(ab, " obj=(none)"); |
956 | rc = 1; | 956 | rc = 1; |
957 | } else | 957 | } else { |
958 | audit_log_format(ab, " obj=%s", s); | 958 | audit_log_format(ab, " obj=%s", ctx); |
959 | security_release_secctx(ctx, len); | ||
960 | } | ||
959 | audit_log_format(ab, " ocomm="); | 961 | audit_log_format(ab, " ocomm="); |
960 | audit_log_untrustedstring(ab, comm); | 962 | audit_log_untrustedstring(ab, comm); |
961 | audit_log_end(ab); | 963 | audit_log_end(ab); |
962 | kfree(s); | ||
963 | 964 | ||
964 | return rc; | 965 | return rc; |
965 | } | 966 | } |
@@ -1271,14 +1272,15 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
1271 | if (axi->osid != 0) { | 1272 | if (axi->osid != 0) { |
1272 | char *ctx = NULL; | 1273 | char *ctx = NULL; |
1273 | u32 len; | 1274 | u32 len; |
1274 | if (selinux_sid_to_string( | 1275 | if (security_secid_to_secctx( |
1275 | axi->osid, &ctx, &len)) { | 1276 | axi->osid, &ctx, &len)) { |
1276 | audit_log_format(ab, " osid=%u", | 1277 | audit_log_format(ab, " osid=%u", |
1277 | axi->osid); | 1278 | axi->osid); |
1278 | call_panic = 1; | 1279 | call_panic = 1; |
1279 | } else | 1280 | } else { |
1280 | audit_log_format(ab, " obj=%s", ctx); | 1281 | audit_log_format(ab, " obj=%s", ctx); |
1281 | kfree(ctx); | 1282 | security_release_secctx(ctx, len); |
1283 | } | ||
1282 | } | 1284 | } |
1283 | break; } | 1285 | break; } |
1284 | 1286 | ||
@@ -1392,13 +1394,14 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts | |||
1392 | if (n->osid != 0) { | 1394 | if (n->osid != 0) { |
1393 | char *ctx = NULL; | 1395 | char *ctx = NULL; |
1394 | u32 len; | 1396 | u32 len; |
1395 | if (selinux_sid_to_string( | 1397 | if (security_secid_to_secctx( |
1396 | n->osid, &ctx, &len)) { | 1398 | n->osid, &ctx, &len)) { |
1397 | audit_log_format(ab, " osid=%u", n->osid); | 1399 | audit_log_format(ab, " osid=%u", n->osid); |
1398 | call_panic = 2; | 1400 | call_panic = 2; |
1399 | } else | 1401 | } else { |
1400 | audit_log_format(ab, " obj=%s", ctx); | 1402 | audit_log_format(ab, " obj=%s", ctx); |
1401 | kfree(ctx); | 1403 | security_release_secctx(ctx, len); |
1404 | } | ||
1402 | } | 1405 | } |
1403 | 1406 | ||
1404 | audit_log_end(ab); | 1407 | audit_log_end(ab); |
@@ -1775,7 +1778,7 @@ static void audit_copy_inode(struct audit_names *name, const struct inode *inode | |||
1775 | name->uid = inode->i_uid; | 1778 | name->uid = inode->i_uid; |
1776 | name->gid = inode->i_gid; | 1779 | name->gid = inode->i_gid; |
1777 | name->rdev = inode->i_rdev; | 1780 | name->rdev = inode->i_rdev; |
1778 | selinux_get_inode_sid(inode, &name->osid); | 1781 | security_inode_getsecid(inode, &name->osid); |
1779 | } | 1782 | } |
1780 | 1783 | ||
1781 | /** | 1784 | /** |
@@ -2190,8 +2193,7 @@ int __audit_ipc_obj(struct kern_ipc_perm *ipcp) | |||
2190 | ax->uid = ipcp->uid; | 2193 | ax->uid = ipcp->uid; |
2191 | ax->gid = ipcp->gid; | 2194 | ax->gid = ipcp->gid; |
2192 | ax->mode = ipcp->mode; | 2195 | ax->mode = ipcp->mode; |
2193 | selinux_get_ipc_sid(ipcp, &ax->osid); | 2196 | security_ipc_getsecid(ipcp, &ax->osid); |
2194 | |||
2195 | ax->d.type = AUDIT_IPC; | 2197 | ax->d.type = AUDIT_IPC; |
2196 | ax->d.next = context->aux; | 2198 | ax->d.next = context->aux; |
2197 | context->aux = (void *)ax; | 2199 | context->aux = (void *)ax; |
@@ -2343,7 +2345,7 @@ void __audit_ptrace(struct task_struct *t) | |||
2343 | context->target_auid = audit_get_loginuid(t); | 2345 | context->target_auid = audit_get_loginuid(t); |
2344 | context->target_uid = t->uid; | 2346 | context->target_uid = t->uid; |
2345 | context->target_sessionid = audit_get_sessionid(t); | 2347 | context->target_sessionid = audit_get_sessionid(t); |
2346 | selinux_get_task_sid(t, &context->target_sid); | 2348 | security_task_getsecid(t, &context->target_sid); |
2347 | memcpy(context->target_comm, t->comm, TASK_COMM_LEN); | 2349 | memcpy(context->target_comm, t->comm, TASK_COMM_LEN); |
2348 | } | 2350 | } |
2349 | 2351 | ||
@@ -2371,7 +2373,7 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2371 | audit_sig_uid = tsk->loginuid; | 2373 | audit_sig_uid = tsk->loginuid; |
2372 | else | 2374 | else |
2373 | audit_sig_uid = tsk->uid; | 2375 | audit_sig_uid = tsk->uid; |
2374 | selinux_get_task_sid(tsk, &audit_sig_sid); | 2376 | security_task_getsecid(tsk, &audit_sig_sid); |
2375 | } | 2377 | } |
2376 | if (!audit_signals || audit_dummy_context()) | 2378 | if (!audit_signals || audit_dummy_context()) |
2377 | return 0; | 2379 | return 0; |
@@ -2384,7 +2386,7 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2384 | ctx->target_auid = audit_get_loginuid(t); | 2386 | ctx->target_auid = audit_get_loginuid(t); |
2385 | ctx->target_uid = t->uid; | 2387 | ctx->target_uid = t->uid; |
2386 | ctx->target_sessionid = audit_get_sessionid(t); | 2388 | ctx->target_sessionid = audit_get_sessionid(t); |
2387 | selinux_get_task_sid(t, &ctx->target_sid); | 2389 | security_task_getsecid(t, &ctx->target_sid); |
2388 | memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); | 2390 | memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); |
2389 | return 0; | 2391 | return 0; |
2390 | } | 2392 | } |
@@ -2405,7 +2407,7 @@ int __audit_signal_info(int sig, struct task_struct *t) | |||
2405 | axp->target_auid[axp->pid_count] = audit_get_loginuid(t); | 2407 | axp->target_auid[axp->pid_count] = audit_get_loginuid(t); |
2406 | axp->target_uid[axp->pid_count] = t->uid; | 2408 | axp->target_uid[axp->pid_count] = t->uid; |
2407 | axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); | 2409 | axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); |
2408 | selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); | 2410 | security_task_getsecid(t, &axp->target_sid[axp->pid_count]); |
2409 | memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); | 2411 | memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); |
2410 | axp->pid_count++; | 2412 | axp->pid_count++; |
2411 | 2413 | ||
@@ -2435,16 +2437,17 @@ void audit_core_dumps(long signr) | |||
2435 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); | 2437 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); |
2436 | audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u", | 2438 | audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u", |
2437 | auid, current->uid, current->gid, sessionid); | 2439 | auid, current->uid, current->gid, sessionid); |
2438 | selinux_get_task_sid(current, &sid); | 2440 | security_task_getsecid(current, &sid); |
2439 | if (sid) { | 2441 | if (sid) { |
2440 | char *ctx = NULL; | 2442 | char *ctx = NULL; |
2441 | u32 len; | 2443 | u32 len; |
2442 | 2444 | ||
2443 | if (selinux_sid_to_string(sid, &ctx, &len)) | 2445 | if (security_secid_to_secctx(sid, &ctx, &len)) |
2444 | audit_log_format(ab, " ssid=%u", sid); | 2446 | audit_log_format(ab, " ssid=%u", sid); |
2445 | else | 2447 | else { |
2446 | audit_log_format(ab, " subj=%s", ctx); | 2448 | audit_log_format(ab, " subj=%s", ctx); |
2447 | kfree(ctx); | 2449 | security_release_secctx(ctx, len); |
2450 | } | ||
2448 | } | 2451 | } |
2449 | audit_log_format(ab, " pid=%d comm=", current->pid); | 2452 | audit_log_format(ab, " pid=%d comm=", current->pid); |
2450 | audit_log_untrustedstring(ab, current->comm); | 2453 | audit_log_untrustedstring(ab, current->comm); |