diff options
author | Linus Torvalds <torvalds@g5.osdl.org> | 2006-03-25 12:24:53 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-03-25 12:24:53 -0500 |
commit | 1b9a3917366028cc451a98dd22e3bcd537d4e5c1 (patch) | |
tree | d911058720e0a9aeeaf9f407ccdc6fbf4047f47d /include/linux | |
parent | 3661f00e2097676847deb01add1a0918044bd816 (diff) | |
parent | 71e1c784b24a026a490b3de01541fc5ee14ebc09 (diff) |
Merge branch 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: (22 commits)
[PATCH] fix audit_init failure path
[PATCH] EXPORT_SYMBOL patch for audit_log, audit_log_start, audit_log_end and audit_format
[PATCH] sem2mutex: audit_netlink_sem
[PATCH] simplify audit_free() locking
[PATCH] Fix audit operators
[PATCH] promiscuous mode
[PATCH] Add tty to syscall audit records
[PATCH] add/remove rule update
[PATCH] audit string fields interface + consumer
[PATCH] SE Linux audit events
[PATCH] Minor cosmetic cleanups to the code moved into auditfilter.c
[PATCH] Fix audit record filtering with !CONFIG_AUDITSYSCALL
[PATCH] Fix IA64 success/failure indication in syscall auditing.
[PATCH] Miscellaneous bug and warning fixes
[PATCH] Capture selinux subject/object context information.
[PATCH] Exclude messages by message type
[PATCH] Collect more inode information during syscall processing.
[PATCH] Pass dentry, not just name, in fsnotify creation hooks.
[PATCH] Define new range of userspace messages.
[PATCH] Filter rule comparators
...
Fixed trivial conflict in security/selinux/hooks.c
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/audit.h | 130 | ||||
-rw-r--r-- | include/linux/fsnotify.h | 14 | ||||
-rw-r--r-- | include/linux/security.h | 33 |
3 files changed, 147 insertions, 30 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index da3c01955f3d..1c47c59058c1 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -33,27 +33,42 @@ | |||
33 | * 1200 - 1299 messages internal to the audit daemon | 33 | * 1200 - 1299 messages internal to the audit daemon |
34 | * 1300 - 1399 audit event messages | 34 | * 1300 - 1399 audit event messages |
35 | * 1400 - 1499 SE Linux use | 35 | * 1400 - 1499 SE Linux use |
36 | * 1500 - 1999 future use | 36 | * 1500 - 1599 kernel LSPP events |
37 | * 2000 is for otherwise unclassified kernel audit messages | 37 | * 1600 - 1699 kernel crypto events |
38 | * 1700 - 1799 kernel anomaly records | ||
39 | * 1800 - 1999 future kernel use (maybe integrity labels and related events) | ||
40 | * 2000 is for otherwise unclassified kernel audit messages (legacy) | ||
41 | * 2001 - 2099 unused (kernel) | ||
42 | * 2100 - 2199 user space anomaly records | ||
43 | * 2200 - 2299 user space actions taken in response to anomalies | ||
44 | * 2300 - 2399 user space generated LSPP events | ||
45 | * 2400 - 2499 user space crypto events | ||
46 | * 2500 - 2999 future user space (maybe integrity labels and related events) | ||
38 | * | 47 | * |
39 | * Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user | 48 | * Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are |
40 | * space. Anything over that is kernel --> user space communication. | 49 | * exclusively user space. 1300-2099 is kernel --> user space |
50 | * communication. | ||
41 | */ | 51 | */ |
42 | #define AUDIT_GET 1000 /* Get status */ | 52 | #define AUDIT_GET 1000 /* Get status */ |
43 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ | 53 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ |
44 | #define AUDIT_LIST 1002 /* List syscall filtering rules */ | 54 | #define AUDIT_LIST 1002 /* List syscall rules -- deprecated */ |
45 | #define AUDIT_ADD 1003 /* Add syscall filtering rule */ | 55 | #define AUDIT_ADD 1003 /* Add syscall rule -- deprecated */ |
46 | #define AUDIT_DEL 1004 /* Delete syscall filtering rule */ | 56 | #define AUDIT_DEL 1004 /* Delete syscall rule -- deprecated */ |
47 | #define AUDIT_USER 1005 /* Message from userspace -- deprecated */ | 57 | #define AUDIT_USER 1005 /* Message from userspace -- deprecated */ |
48 | #define AUDIT_LOGIN 1006 /* Define the login id and information */ | 58 | #define AUDIT_LOGIN 1006 /* Define the login id and information */ |
49 | #define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */ | 59 | #define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */ |
50 | #define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */ | 60 | #define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */ |
51 | #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ | 61 | #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ |
52 | #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ | 62 | #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ |
63 | #define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */ | ||
64 | #define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */ | ||
65 | #define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */ | ||
53 | 66 | ||
54 | #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ | 67 | #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ |
55 | #define AUDIT_USER_AVC 1107 /* We filter this differently */ | 68 | #define AUDIT_USER_AVC 1107 /* We filter this differently */ |
56 | #define AUDIT_LAST_USER_MSG 1199 | 69 | #define AUDIT_LAST_USER_MSG 1199 |
70 | #define AUDIT_FIRST_USER_MSG2 2100 /* More user space messages */ | ||
71 | #define AUDIT_LAST_USER_MSG2 2999 | ||
57 | 72 | ||
58 | #define AUDIT_DAEMON_START 1200 /* Daemon startup record */ | 73 | #define AUDIT_DAEMON_START 1200 /* Daemon startup record */ |
59 | #define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */ | 74 | #define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */ |
@@ -72,6 +87,13 @@ | |||
72 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ | 87 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ |
73 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ | 88 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ |
74 | #define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */ | 89 | #define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */ |
90 | #define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ | ||
91 | #define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ | ||
92 | #define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ | ||
93 | |||
94 | #define AUDIT_FIRST_KERN_ANOM_MSG 1700 | ||
95 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 | ||
96 | #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ | ||
75 | 97 | ||
76 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ | 98 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ |
77 | 99 | ||
@@ -81,8 +103,9 @@ | |||
81 | #define AUDIT_FILTER_ENTRY 0x02 /* Apply rule at syscall entry */ | 103 | #define AUDIT_FILTER_ENTRY 0x02 /* Apply rule at syscall entry */ |
82 | #define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */ | 104 | #define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */ |
83 | #define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */ | 105 | #define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */ |
106 | #define AUDIT_FILTER_TYPE 0x05 /* Apply rule at audit_log_start */ | ||
84 | 107 | ||
85 | #define AUDIT_NR_FILTERS 5 | 108 | #define AUDIT_NR_FILTERS 6 |
86 | 109 | ||
87 | #define AUDIT_FILTER_PREPEND 0x10 /* Prepend to front of list */ | 110 | #define AUDIT_FILTER_PREPEND 0x10 /* Prepend to front of list */ |
88 | 111 | ||
@@ -98,6 +121,13 @@ | |||
98 | #define AUDIT_WORD(nr) ((__u32)((nr)/32)) | 121 | #define AUDIT_WORD(nr) ((__u32)((nr)/32)) |
99 | #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32)) | 122 | #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32)) |
100 | 123 | ||
124 | /* This bitmask is used to validate user input. It represents all bits that | ||
125 | * are currently used in an audit field constant understood by the kernel. | ||
126 | * If you are adding a new #define AUDIT_<whatever>, please ensure that | ||
127 | * AUDIT_UNUSED_BITS is updated if need be. */ | ||
128 | #define AUDIT_UNUSED_BITS 0x0FFFFC00 | ||
129 | |||
130 | |||
101 | /* Rule fields */ | 131 | /* Rule fields */ |
102 | /* These are useful when checking the | 132 | /* These are useful when checking the |
103 | * task structure at task creation time | 133 | * task structure at task creation time |
@@ -114,6 +144,7 @@ | |||
114 | #define AUDIT_LOGINUID 9 | 144 | #define AUDIT_LOGINUID 9 |
115 | #define AUDIT_PERS 10 | 145 | #define AUDIT_PERS 10 |
116 | #define AUDIT_ARCH 11 | 146 | #define AUDIT_ARCH 11 |
147 | #define AUDIT_MSGTYPE 12 | ||
117 | 148 | ||
118 | /* These are ONLY useful when checking | 149 | /* These are ONLY useful when checking |
119 | * at syscall exit time (AUDIT_AT_EXIT). */ | 150 | * at syscall exit time (AUDIT_AT_EXIT). */ |
@@ -128,8 +159,28 @@ | |||
128 | #define AUDIT_ARG2 (AUDIT_ARG0+2) | 159 | #define AUDIT_ARG2 (AUDIT_ARG0+2) |
129 | #define AUDIT_ARG3 (AUDIT_ARG0+3) | 160 | #define AUDIT_ARG3 (AUDIT_ARG0+3) |
130 | 161 | ||
131 | #define AUDIT_NEGATE 0x80000000 | 162 | #define AUDIT_NEGATE 0x80000000 |
132 | 163 | ||
164 | /* These are the supported operators. | ||
165 | * 4 2 1 | ||
166 | * = > < | ||
167 | * ------- | ||
168 | * 0 0 0 0 nonsense | ||
169 | * 0 0 1 1 < | ||
170 | * 0 1 0 2 > | ||
171 | * 0 1 1 3 != | ||
172 | * 1 0 0 4 = | ||
173 | * 1 0 1 5 <= | ||
174 | * 1 1 0 6 >= | ||
175 | * 1 1 1 7 all operators | ||
176 | */ | ||
177 | #define AUDIT_LESS_THAN 0x10000000 | ||
178 | #define AUDIT_GREATER_THAN 0x20000000 | ||
179 | #define AUDIT_NOT_EQUAL 0x30000000 | ||
180 | #define AUDIT_EQUAL 0x40000000 | ||
181 | #define AUDIT_LESS_THAN_OR_EQUAL (AUDIT_LESS_THAN|AUDIT_EQUAL) | ||
182 | #define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN|AUDIT_EQUAL) | ||
183 | #define AUDIT_OPERATORS (AUDIT_EQUAL|AUDIT_NOT_EQUAL) | ||
133 | 184 | ||
134 | /* Status symbols */ | 185 | /* Status symbols */ |
135 | /* Mask values */ | 186 | /* Mask values */ |
@@ -186,6 +237,26 @@ struct audit_status { | |||
186 | __u32 backlog; /* messages waiting in queue */ | 237 | __u32 backlog; /* messages waiting in queue */ |
187 | }; | 238 | }; |
188 | 239 | ||
240 | /* audit_rule_data supports filter rules with both integer and string | ||
241 | * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and | ||
242 | * AUDIT_LIST_RULES requests. | ||
243 | */ | ||
244 | struct audit_rule_data { | ||
245 | __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */ | ||
246 | __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */ | ||
247 | __u32 field_count; | ||
248 | __u32 mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */ | ||
249 | __u32 fields[AUDIT_MAX_FIELDS]; | ||
250 | __u32 values[AUDIT_MAX_FIELDS]; | ||
251 | __u32 fieldflags[AUDIT_MAX_FIELDS]; | ||
252 | __u32 buflen; /* total length of string fields */ | ||
253 | char buf[0]; /* string fields buffer */ | ||
254 | }; | ||
255 | |||
256 | /* audit_rule is supported to maintain backward compatibility with | ||
257 | * userspace. It supports integer fields only and corresponds to | ||
258 | * AUDIT_ADD, AUDIT_DEL and AUDIT_LIST requests. | ||
259 | */ | ||
189 | struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */ | 260 | struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */ |
190 | __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */ | 261 | __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */ |
191 | __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */ | 262 | __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */ |
@@ -222,22 +293,33 @@ extern void audit_syscall_entry(struct task_struct *task, int arch, | |||
222 | extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code); | 293 | extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code); |
223 | extern void audit_getname(const char *name); | 294 | extern void audit_getname(const char *name); |
224 | extern void audit_putname(const char *name); | 295 | extern void audit_putname(const char *name); |
225 | extern void audit_inode(const char *name, const struct inode *inode, unsigned flags); | 296 | extern void __audit_inode(const char *name, const struct inode *inode, unsigned flags); |
297 | extern void __audit_inode_child(const char *dname, const struct inode *inode, | ||
298 | unsigned long pino); | ||
299 | static inline void audit_inode(const char *name, const struct inode *inode, | ||
300 | unsigned flags) { | ||
301 | if (unlikely(current->audit_context)) | ||
302 | __audit_inode(name, inode, flags); | ||
303 | } | ||
304 | static inline void audit_inode_child(const char *dname, | ||
305 | const struct inode *inode, | ||
306 | unsigned long pino) { | ||
307 | if (unlikely(current->audit_context)) | ||
308 | __audit_inode_child(dname, inode, pino); | ||
309 | } | ||
226 | 310 | ||
227 | /* Private API (for audit.c only) */ | 311 | /* Private API (for audit.c only) */ |
228 | extern int audit_receive_filter(int type, int pid, int uid, int seq, | ||
229 | void *data, uid_t loginuid); | ||
230 | extern unsigned int audit_serial(void); | 312 | extern unsigned int audit_serial(void); |
231 | extern void auditsc_get_stamp(struct audit_context *ctx, | 313 | extern void auditsc_get_stamp(struct audit_context *ctx, |
232 | struct timespec *t, unsigned int *serial); | 314 | struct timespec *t, unsigned int *serial); |
233 | extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); | 315 | extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); |
234 | extern uid_t audit_get_loginuid(struct audit_context *ctx); | 316 | extern uid_t audit_get_loginuid(struct audit_context *ctx); |
235 | extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); | 317 | extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp); |
236 | extern int audit_socketcall(int nargs, unsigned long *args); | 318 | extern int audit_socketcall(int nargs, unsigned long *args); |
237 | extern int audit_sockaddr(int len, void *addr); | 319 | extern int audit_sockaddr(int len, void *addr); |
238 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); | 320 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); |
239 | extern void audit_signal_info(int sig, struct task_struct *t); | 321 | extern void audit_signal_info(int sig, struct task_struct *t); |
240 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); | 322 | extern int audit_set_macxattr(const char *name); |
241 | #else | 323 | #else |
242 | #define audit_alloc(t) ({ 0; }) | 324 | #define audit_alloc(t) ({ 0; }) |
243 | #define audit_free(t) do { ; } while (0) | 325 | #define audit_free(t) do { ; } while (0) |
@@ -245,16 +327,18 @@ extern int audit_filter_user(struct netlink_skb_parms *cb, int type); | |||
245 | #define audit_syscall_exit(t,f,r) do { ; } while (0) | 327 | #define audit_syscall_exit(t,f,r) do { ; } while (0) |
246 | #define audit_getname(n) do { ; } while (0) | 328 | #define audit_getname(n) do { ; } while (0) |
247 | #define audit_putname(n) do { ; } while (0) | 329 | #define audit_putname(n) do { ; } while (0) |
330 | #define __audit_inode(n,i,f) do { ; } while (0) | ||
331 | #define __audit_inode_child(d,i,p) do { ; } while (0) | ||
248 | #define audit_inode(n,i,f) do { ; } while (0) | 332 | #define audit_inode(n,i,f) do { ; } while (0) |
249 | #define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; }) | 333 | #define audit_inode_child(d,i,p) do { ; } while (0) |
250 | #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) | 334 | #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) |
251 | #define audit_get_loginuid(c) ({ -1; }) | 335 | #define audit_get_loginuid(c) ({ -1; }) |
252 | #define audit_ipc_perms(q,u,g,m) ({ 0; }) | 336 | #define audit_ipc_perms(q,u,g,m,i) ({ 0; }) |
253 | #define audit_socketcall(n,a) ({ 0; }) | 337 | #define audit_socketcall(n,a) ({ 0; }) |
254 | #define audit_sockaddr(len, addr) ({ 0; }) | 338 | #define audit_sockaddr(len, addr) ({ 0; }) |
255 | #define audit_avc_path(dentry, mnt) ({ 0; }) | 339 | #define audit_avc_path(dentry, mnt) ({ 0; }) |
256 | #define audit_signal_info(s,t) do { ; } while (0) | 340 | #define audit_signal_info(s,t) do { ; } while (0) |
257 | #define audit_filter_user(cb,t) ({ 1; }) | 341 | #define audit_set_macxattr(n) do { ; } while (0) |
258 | #endif | 342 | #endif |
259 | 343 | ||
260 | #ifdef CONFIG_AUDIT | 344 | #ifdef CONFIG_AUDIT |
@@ -278,12 +362,11 @@ extern void audit_log_d_path(struct audit_buffer *ab, | |||
278 | const char *prefix, | 362 | const char *prefix, |
279 | struct dentry *dentry, | 363 | struct dentry *dentry, |
280 | struct vfsmount *vfsmnt); | 364 | struct vfsmount *vfsmnt); |
281 | /* Private API (for auditsc.c only) */ | 365 | /* Private API (for audit.c only) */ |
282 | extern void audit_send_reply(int pid, int seq, int type, | 366 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); |
283 | int done, int multi, | 367 | extern int audit_filter_type(int type); |
284 | void *payload, int size); | 368 | extern int audit_receive_filter(int type, int pid, int uid, int seq, |
285 | extern void audit_log_lost(const char *message); | 369 | void *data, size_t datasz, uid_t loginuid); |
286 | extern struct semaphore audit_netlink_sem; | ||
287 | #else | 370 | #else |
288 | #define audit_log(c,g,t,f,...) do { ; } while (0) | 371 | #define audit_log(c,g,t,f,...) do { ; } while (0) |
289 | #define audit_log_start(c,g,t) ({ NULL; }) | 372 | #define audit_log_start(c,g,t) ({ NULL; }) |
@@ -293,6 +376,7 @@ extern struct semaphore audit_netlink_sem; | |||
293 | #define audit_log_hex(a,b,l) do { ; } while (0) | 376 | #define audit_log_hex(a,b,l) do { ; } while (0) |
294 | #define audit_log_untrustedstring(a,s) do { ; } while (0) | 377 | #define audit_log_untrustedstring(a,s) do { ; } while (0) |
295 | #define audit_log_d_path(b,p,d,v) do { ; } while (0) | 378 | #define audit_log_d_path(b,p,d,v) do { ; } while (0) |
379 | #define audit_panic(m) do { ; } while (0) | ||
296 | #endif | 380 | #endif |
297 | #endif | 381 | #endif |
298 | #endif | 382 | #endif |
diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h index f7e517c1f1bd..11438eff4d44 100644 --- a/include/linux/fsnotify.h +++ b/include/linux/fsnotify.h | |||
@@ -15,6 +15,7 @@ | |||
15 | 15 | ||
16 | #include <linux/dnotify.h> | 16 | #include <linux/dnotify.h> |
17 | #include <linux/inotify.h> | 17 | #include <linux/inotify.h> |
18 | #include <linux/audit.h> | ||
18 | 19 | ||
19 | /* | 20 | /* |
20 | * fsnotify_d_instantiate - instantiate a dentry for inode | 21 | * fsnotify_d_instantiate - instantiate a dentry for inode |
@@ -64,6 +65,8 @@ static inline void fsnotify_move(struct inode *old_dir, struct inode *new_dir, | |||
64 | if (source) { | 65 | if (source) { |
65 | inotify_inode_queue_event(source, IN_MOVE_SELF, 0, NULL); | 66 | inotify_inode_queue_event(source, IN_MOVE_SELF, 0, NULL); |
66 | } | 67 | } |
68 | audit_inode_child(old_name, source, old_dir->i_ino); | ||
69 | audit_inode_child(new_name, target, new_dir->i_ino); | ||
67 | } | 70 | } |
68 | 71 | ||
69 | /* | 72 | /* |
@@ -89,19 +92,22 @@ static inline void fsnotify_inoderemove(struct inode *inode) | |||
89 | /* | 92 | /* |
90 | * fsnotify_create - 'name' was linked in | 93 | * fsnotify_create - 'name' was linked in |
91 | */ | 94 | */ |
92 | static inline void fsnotify_create(struct inode *inode, const char *name) | 95 | static inline void fsnotify_create(struct inode *inode, struct dentry *dentry) |
93 | { | 96 | { |
94 | inode_dir_notify(inode, DN_CREATE); | 97 | inode_dir_notify(inode, DN_CREATE); |
95 | inotify_inode_queue_event(inode, IN_CREATE, 0, name); | 98 | inotify_inode_queue_event(inode, IN_CREATE, 0, dentry->d_name.name); |
99 | audit_inode_child(dentry->d_name.name, dentry->d_inode, inode->i_ino); | ||
96 | } | 100 | } |
97 | 101 | ||
98 | /* | 102 | /* |
99 | * fsnotify_mkdir - directory 'name' was created | 103 | * fsnotify_mkdir - directory 'name' was created |
100 | */ | 104 | */ |
101 | static inline void fsnotify_mkdir(struct inode *inode, const char *name) | 105 | static inline void fsnotify_mkdir(struct inode *inode, struct dentry *dentry) |
102 | { | 106 | { |
103 | inode_dir_notify(inode, DN_CREATE); | 107 | inode_dir_notify(inode, DN_CREATE); |
104 | inotify_inode_queue_event(inode, IN_CREATE | IN_ISDIR, 0, name); | 108 | inotify_inode_queue_event(inode, IN_CREATE | IN_ISDIR, 0, |
109 | dentry->d_name.name); | ||
110 | audit_inode_child(dentry->d_name.name, dentry->d_inode, inode->i_ino); | ||
105 | } | 111 | } |
106 | 112 | ||
107 | /* | 113 | /* |
diff --git a/include/linux/security.h b/include/linux/security.h index 3c19be35124b..aaa0a5cdbf75 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -869,6 +869,11 @@ struct swap_info_struct; | |||
869 | * @ipcp contains the kernel IPC permission structure | 869 | * @ipcp contains the kernel IPC permission structure |
870 | * @flag contains the desired (requested) permission set | 870 | * @flag contains the desired (requested) permission set |
871 | * Return 0 if permission is granted. | 871 | * Return 0 if permission is granted. |
872 | * @ipc_getsecurity: | ||
873 | * Copy the security label associated with the ipc object into | ||
874 | * @buffer. @buffer may be NULL to request the size of the buffer | ||
875 | * required. @size indicates the size of @buffer in bytes. Return | ||
876 | * number of bytes used/required on success. | ||
872 | * | 877 | * |
873 | * Security hooks for individual messages held in System V IPC message queues | 878 | * Security hooks for individual messages held in System V IPC message queues |
874 | * @msg_msg_alloc_security: | 879 | * @msg_msg_alloc_security: |
@@ -1168,7 +1173,8 @@ struct security_operations { | |||
1168 | int (*inode_getxattr) (struct dentry *dentry, char *name); | 1173 | int (*inode_getxattr) (struct dentry *dentry, char *name); |
1169 | int (*inode_listxattr) (struct dentry *dentry); | 1174 | int (*inode_listxattr) (struct dentry *dentry); |
1170 | int (*inode_removexattr) (struct dentry *dentry, char *name); | 1175 | int (*inode_removexattr) (struct dentry *dentry, char *name); |
1171 | int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size, int err); | 1176 | const char *(*inode_xattr_getsuffix) (void); |
1177 | int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err); | ||
1172 | int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); | 1178 | int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); |
1173 | int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); | 1179 | int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); |
1174 | 1180 | ||
@@ -1217,6 +1223,7 @@ struct security_operations { | |||
1217 | void (*task_to_inode)(struct task_struct *p, struct inode *inode); | 1223 | void (*task_to_inode)(struct task_struct *p, struct inode *inode); |
1218 | 1224 | ||
1219 | int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); | 1225 | int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); |
1226 | int (*ipc_getsecurity)(struct kern_ipc_perm *ipcp, void *buffer, size_t size); | ||
1220 | 1227 | ||
1221 | int (*msg_msg_alloc_security) (struct msg_msg * msg); | 1228 | int (*msg_msg_alloc_security) (struct msg_msg * msg); |
1222 | void (*msg_msg_free_security) (struct msg_msg * msg); | 1229 | void (*msg_msg_free_security) (struct msg_msg * msg); |
@@ -1680,7 +1687,12 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name) | |||
1680 | return security_ops->inode_removexattr (dentry, name); | 1687 | return security_ops->inode_removexattr (dentry, name); |
1681 | } | 1688 | } |
1682 | 1689 | ||
1683 | static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err) | 1690 | static inline const char *security_inode_xattr_getsuffix(void) |
1691 | { | ||
1692 | return security_ops->inode_xattr_getsuffix(); | ||
1693 | } | ||
1694 | |||
1695 | static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) | ||
1684 | { | 1696 | { |
1685 | if (unlikely (IS_PRIVATE (inode))) | 1697 | if (unlikely (IS_PRIVATE (inode))) |
1686 | return 0; | 1698 | return 0; |
@@ -1875,6 +1887,11 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, | |||
1875 | return security_ops->ipc_permission (ipcp, flag); | 1887 | return security_ops->ipc_permission (ipcp, flag); |
1876 | } | 1888 | } |
1877 | 1889 | ||
1890 | static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size) | ||
1891 | { | ||
1892 | return security_ops->ipc_getsecurity(ipcp, buffer, size); | ||
1893 | } | ||
1894 | |||
1878 | static inline int security_msg_msg_alloc (struct msg_msg * msg) | 1895 | static inline int security_msg_msg_alloc (struct msg_msg * msg) |
1879 | { | 1896 | { |
1880 | return security_ops->msg_msg_alloc_security (msg); | 1897 | return security_ops->msg_msg_alloc_security (msg); |
@@ -2327,7 +2344,12 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name) | |||
2327 | return cap_inode_removexattr(dentry, name); | 2344 | return cap_inode_removexattr(dentry, name); |
2328 | } | 2345 | } |
2329 | 2346 | ||
2330 | static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err) | 2347 | static inline const char *security_inode_xattr_getsuffix (void) |
2348 | { | ||
2349 | return NULL ; | ||
2350 | } | ||
2351 | |||
2352 | static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) | ||
2331 | { | 2353 | { |
2332 | return -EOPNOTSUPP; | 2354 | return -EOPNOTSUPP; |
2333 | } | 2355 | } |
@@ -2510,6 +2532,11 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, | |||
2510 | return 0; | 2532 | return 0; |
2511 | } | 2533 | } |
2512 | 2534 | ||
2535 | static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size) | ||
2536 | { | ||
2537 | return -EOPNOTSUPP; | ||
2538 | } | ||
2539 | |||
2513 | static inline int security_msg_msg_alloc (struct msg_msg * msg) | 2540 | static inline int security_msg_msg_alloc (struct msg_msg * msg) |
2514 | { | 2541 | { |
2515 | return 0; | 2542 | return 0; |