authorPatrick McHardy <kaber@trash.net>2011-03-03 13:55:40 -0500
committerDavid S. Miller <davem@davemloft.net>2011-03-03 13:55:40 -0500
commitc53fa1ed92cd671a1dfb1e7569e9ab672612ddc6 (patch)
tree9bb539a7731af94cac0112b8f13771e4a33e0450
parent06dc94b1ed05f91e246315afeb1c652d6d0dc9ab (diff)
netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms
Netlink message processing in the kernel is synchronous these days, the session information can be collected when needed. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/linux/netlink.h3
-rw-r--r--kernel/audit.c6
-rw-r--r--kernel/auditfilter.c10
-rw-r--r--net/netlabel/netlabel_user.h6
-rw-r--r--net/netlink/af_netlink.c3
-rw-r--r--net/xfrm/xfrm_user.c56
-rw-r--r--security/selinux/hooks.c6
7 files changed, 49 insertions, 41 deletions
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index e2b9e63afa68..66823b862022 100644
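--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -161,9 +161,6 @@ struct netlink_skb_parms {
  __u32 pid;
  __u32 dst_group;
  kernel_cap_t eff_cap;
- __u32 loginuid; /* Login (audit) uid */
- __u32 sessionid; /* Session id (audit) */
- __u32 sid; /* SELinux security id */
 };
 
 #define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb))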
diff --git a/kernel/audit.c b/kernel/audit.c
index 162e88e33bc9..939500317066 100644
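--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -673,9 +673,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 
  pid = NETLINK_CREDS(skb)->pid;
  uid = NETLINK_CREDS(skb)->uid;
- loginuid = NETLINK_CB(skb).loginuid;
- sessionid = NETLINK_CB(skb).sessionid;
- sid = NETLINK_CB(skb).sid;
+ loginuid = audit_get_loginuid(current);
+ sessionid = audit_get_sessionid(current);
+ security_task_getsecid(current, &sid);
  seq = nlh->nlmsg_seq;
  data = NLMSG_DATA(nlh);
 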
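Review bot: After this change audit_receive_msg() describes the sender from two different sources: `pid` and `uid` still come from `NETLINK_CREDS(skb)`, while `loginuid`, `sessionid` and `sid` are read from `current`. The two agree only while the message is handled in the sending task's context, which is the premise stated in the commit message but nowhere in the code. The same mix appears in audit_filter_user_rules() in kernel/auditfilter.c (`cb->creds.*` next to `audit_get_loginuid(current)`). I would add a comment above these assignments, e.g. `/* netlink input is processed synchronously in the sender's context, so current is the sender */`, so a later move to deferred processing cannot silently attribute audit records to the wrong task. The function body starts and ends outside the hunk.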
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index add2819af71b..f8277c80d678 100644
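--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1238,6 +1238,7 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
  for (i = 0; i < rule->field_count; i++) {
  struct audit_field *f = &rule->fields[i];
  int result = 0;
+ u32 sid;
 
  switch (f->type) {
  case AUDIT_PID:
@@ -1250,19 +1251,22 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
  result = audit_comparator(cb->creds.gid, f->op, f->val);
  break;
  case AUDIT_LOGINUID:
- result = audit_comparator(cb->loginuid, f->op, f->val);
+ result = audit_comparator(audit_get_loginuid(current),
+ f->op, f->val);
  break;
  case AUDIT_SUBJ_USER:
  case AUDIT_SUBJ_ROLE:
  case AUDIT_SUBJ_TYPE:
  case AUDIT_SUBJ_SEN:
  case AUDIT_SUBJ_CLR:
- if (f->lsm_rule)
- result = security_audit_rule_match(cb->sid,
+ if (f->lsm_rule) {
+ security_task_getsecid(current, &sid);
+ result = security_audit_rule_match(sid,
  f->type,
  f->op,
  f->lsm_rule,
  NULL);
+ }
  break;
  }
 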
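Review bot: `u32 sid` is declared at loop-body scope for every field, although only the AUDIT_SUBJ_* branch writes and reads it. Declaring it where it is used keeps its lifetime obvious and makes it impossible to read it on a path that never called `security_task_getsecid()`: move the declaration into the new braces, `if (f->lsm_rule) { u32 sid; security_task_getsecid(current, &sid); ...`. This is a point of style only; the loop and the function continue outside both hunks.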
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index 6caef8b20611..f4fc4c9ad567 100644
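--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -49,9 +49,9 @@
 static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
  struct netlbl_audit *audit_info)
 {
- audit_info->secid = NETLINK_CB(skb).sid;
- audit_info->loginuid = NETLINK_CB(skb).loginuid;
- audit_info->sessionid = NETLINK_CB(skb).sessionid;
+ security_task_getsecid(current, &audit_info->secid);
+ audit_info->loginuid = audit_get_loginuid(current);
+ audit_info->sessionid = audit_get_sessionid(current);
 }
 
 /* NetLabel NETLINK I/O functions */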
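Review bot: `skb` is no longer read anywhere in netlbl_netlink_auditinfo(): all three fields now come from `current`, yet the signature still suggests the audit identity is derived from the message. A caller that invokes it from another task's context would record that task's identity without any warning. Either drop the parameter in a follow-up or state the contract on the function, e.g. `/* Fills audit_info from current; skb is unused. Call only on the sender's request path. */`.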
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 478181d53c55..97ecd923d7ee 100644
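--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1362,9 +1362,6 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
 
  NETLINK_CB(skb).pid = nlk->pid;
  NETLINK_CB(skb).dst_group = dst_group;
- NETLINK_CB(skb).loginuid = audit_get_loginuid(current);
- NETLINK_CB(skb).sessionid = audit_get_sessionid(current);
- security_task_getsecid(current, &(NETLINK_CB(skb).sid));
  memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
 
  /* What can I do? Netlink is asynchronous, so that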
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 673698d380d7..468ab60d3dc0 100644
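--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -497,9 +497,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
  struct xfrm_state *x;
  int err;
  struct km_event c;
- uid_t loginuid = NETLINK_CB(skb).loginuid;
- u32 sessionid = NETLINK_CB(skb).sessionid;
- u32 sid = NETLINK_CB(skb).sid;
+ uid_t loginuid = audit_get_loginuid(current);
+ u32 sessionid = audit_get_sessionid(current);
+ u32 sid;
 
  err = verify_newsa_info(p, attrs);
  if (err)
@@ -515,6 +515,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
  else
  err = xfrm_state_update(x);
 
+ security_task_getsecid(current, &sid);
  xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
 
  if (err < 0) {
@@ -575,9 +576,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
  int err = -ESRCH;
  struct km_event c;
  struct xfrm_usersa_id *p = nlmsg_data(nlh);
- uid_t loginuid = NETLINK_CB(skb).loginuid;
- u32 sessionid = NETLINK_CB(skb).sessionid;
- u32 sid = NETLINK_CB(skb).sid;
+ uid_t loginuid = audit_get_loginuid(current);
+ u32 sessionid = audit_get_sessionid(current);
+ u32 sid;
 
  x = xfrm_user_state_lookup(net, p, attrs, &err);
  if (x == NULL)
@@ -602,6 +603,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
  km_state_notify(x, &c);
 
 out:
+ security_task_getsecid(current, &sid);
  xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
  xfrm_state_put(x);
  return err;
@@ -1265,9 +1267,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
  struct km_event c;
  int err;
  int excl;
- uid_t loginuid = NETLINK_CB(skb).loginuid;
- u32 sessionid = NETLINK_CB(skb).sessionid;
- u32 sid = NETLINK_CB(skb).sid;
+ uid_t loginuid = audit_get_loginuid(current);
+ u32 sessionid = audit_get_sessionid(current);
+ u32 sid;
 
  err = verify_newpolicy_info(p);
  if (err)
@@ -1286,6 +1288,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
  * a type XFRM_MSG_UPDPOLICY - JHS */
  excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
  err = xfrm_policy_insert(p->dir, xp, excl);
+ security_task_getsecid(current, &sid);
  xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
 
  if (err) {
@@ -1522,10 +1525,11 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
  NETLINK_CB(skb).pid);
  }
  } else {
- uid_t loginuid = NETLINK_CB(skb).loginuid;
- u32 sessionid = NETLINK_CB(skb).sessionid;
- u32 sid = NETLINK_CB(skb).sid;
+ uid_t loginuid = audit_get_loginuid(current);
+ u32 sessionid = audit_get_sessionid(current);
+ u32 sid;
 
+ security_task_getsecid(current, &sid);
  xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
  sid);
 
@@ -1553,9 +1557,9 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
  struct xfrm_audit audit_info;
  int err;
 
- audit_info.loginuid = NETLINK_CB(skb).loginuid;
- audit_info.sessionid = NETLINK_CB(skb).sessionid;
- audit_info.secid = NETLINK_CB(skb).sid;
+ audit_info.loginuid = audit_get_loginuid(current);
+ audit_info.sessionid = audit_get_sessionid(current);
+ security_task_getsecid(current, &audit_info.secid);
  err = xfrm_state_flush(net, p->proto, &audit_info);
  if (err) {
  if (err == -ESRCH) /* empty table */
@@ -1720,9 +1724,9 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
  if (err)
  return err;
 
- audit_info.loginuid = NETLINK_CB(skb).loginuid;
- audit_info.sessionid = NETLINK_CB(skb).sessionid;
- audit_info.secid = NETLINK_CB(skb).sid;
+ audit_info.loginuid = audit_get_loginuid(current);
+ audit_info.sessionid = audit_get_sessionid(current);
+ security_task_getsecid(current, &audit_info.secid);
  err = xfrm_policy_flush(net, type, &audit_info);
  if (err) {
  if (err == -ESRCH) /* empty table */
@@ -1789,9 +1793,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
 
  err = 0;
  if (up->hard) {
- uid_t loginuid = NETLINK_CB(skb).loginuid;
- uid_t sessionid = NETLINK_CB(skb).sessionid;
- u32 sid = NETLINK_CB(skb).sid;
+ uid_t loginuid = audit_get_loginuid(current);
+ u32 sessionid = audit_get_sessionid(current);
+ u32 sid;
+
+ security_task_getsecid(current, &sid);
  xfrm_policy_delete(xp, p->dir);
  xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);
 
@@ -1830,9 +1836,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
  km_state_expired(x, ue->hard, current->pid);
 
  if (ue->hard) {
- uid_t loginuid = NETLINK_CB(skb).loginuid;
- uid_t sessionid = NETLINK_CB(skb).sessionid;
- u32 sid = NETLINK_CB(skb).sid;
+ uid_t loginuid = audit_get_loginuid(current);
+ u32 sessionid = audit_get_sessionid(current);
+ u32 sid;
+
+ security_task_getsecid(current, &sid);
  __xfrm_state_delete(x);
  xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
  }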
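Review bot: The same three-step collection (`audit_get_loginuid(current)`, `audit_get_sessionid(current)`, `security_task_getsecid(current, &sid)`) is now open-coded in eight handlers of this file. In xfrm_add_sa(), xfrm_del_sa() and xfrm_add_policy() it is also split, with loginuid and sessionid read at function entry and the secid read just before the audit call. A single helper that fills `struct xfrm_audit`, which xfrm_flush_sa() and xfrm_flush_policy() already use, would collect all three values at one point and give one place to document that they describe `current`. The helper name below is only a suggestion, and the handler bodies start and end outside the hunks.

```c
/* Proposed helper: audit identity of the task issuing the request. */
static inline void xfrm_audit_from_current(struct xfrm_audit *audit_info)
{
	audit_info->loginuid = audit_get_loginuid(current);
	audit_info->sessionid = audit_get_sessionid(current);
	security_task_getsecid(current, &audit_info->secid);
}

/* … unchanged: xfrm_flush_sa() declarations … */
	xfrm_audit_from_current(&audit_info);
	err = xfrm_state_flush(net, p->proto, &audit_info);
```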
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c8d699270687..cef42f5d69a2 100644
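--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4669,6 +4669,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 {
  int err;
  struct common_audit_data ad;
+ u32 sid;
 
  err = cap_netlink_recv(skb, capability);
  if (err)
@@ -4677,8 +4678,9 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
  COMMON_AUDIT_DATA_INIT(&ad, CAP);
  ad.u.cap = capability;
 
- return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
- SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
+ security_task_getsecid(current, &sid);
+ return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
+ CAP_TO_MASK(capability), &ad);
 }
 
 static int ipc_alloc_security(struct task_struct *task,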
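Review bot: selinux_netlink_recv() now takes the subject of the `avc_has_perm()` check from `current`, while the preceding `cap_netlink_recv(skb, capability)` is still handed the skb, whose control block keeps `eff_cap` (see struct netlink_skb_parms in this commit). The two checks refer to the same subject only when the hook runs in the sending task's context. Because this is an access decision rather than an audit record, that precondition deserves a comment on the function, e.g. `/* Must run in the context of the sending task: the SID is taken from current, not from skb. */`. Whether cap_netlink_recv() actually reads `eff_cap` is not visible on this page, so treat that part as an assumption to confirm.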