diff options
author | Linus Torvalds <torvalds@g5.osdl.org> | 2006-05-02 00:43:05 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-05-02 00:43:05 -0400 |
commit | 532f57da408c5a5710075d17047e2d97bdfd22f3 (patch) | |
tree | 3fb378bea1816f637aeeed0df805d0c30969cfc3 /include | |
parent | 46c5ea3c9ae7fbc6e52a13c92e59d4fc7f4ca80a (diff) | |
parent | 2ad312d2093ae506ae0fa184d8d026b559083087 (diff) |
Merge branch 'audit.b10' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b10' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
[PATCH] Audit Filter Performance
[PATCH] Rework of IPC auditing
[PATCH] More user space subject labels
[PATCH] Reworked patch for labels on user space messages
[PATCH] change lspp ipc auditing
[PATCH] audit inode patch
[PATCH] support for context based audit filtering, part 2
[PATCH] support for context based audit filtering
[PATCH] no need to wank with task_lock() and pinning task down in audit_syscall_exit()
[PATCH] drop task argument of audit_syscall_{entry,exit}
[PATCH] drop gfp_mask in audit_log_exit()
[PATCH] move call of audit_free() into do_exit()
[PATCH] sockaddr patch
[PATCH] deal with deadlocks in audit_free()
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/audit.h | 22 | ||||
-rw-r--r-- | include/linux/netlink.h | 1 | ||||
-rw-r--r-- | include/linux/security.h | 16 | ||||
-rw-r--r-- | include/linux/selinux.h | 177 |
4 files changed, 193 insertions, 23 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 1c47c59058c1..b74c148f14e3 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -83,6 +83,7 @@ | |||
83 | #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ | 83 | #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ |
84 | #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */ | 84 | #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */ |
85 | #define AUDIT_CWD 1307 /* Current working directory */ | 85 | #define AUDIT_CWD 1307 /* Current working directory */ |
86 | #define AUDIT_IPC_SET_PERM 1311 /* IPC new permissions record type */ | ||
86 | 87 | ||
87 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ | 88 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ |
88 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ | 89 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ |
@@ -145,6 +146,11 @@ | |||
145 | #define AUDIT_PERS 10 | 146 | #define AUDIT_PERS 10 |
146 | #define AUDIT_ARCH 11 | 147 | #define AUDIT_ARCH 11 |
147 | #define AUDIT_MSGTYPE 12 | 148 | #define AUDIT_MSGTYPE 12 |
149 | #define AUDIT_SE_USER 13 /* security label user */ | ||
150 | #define AUDIT_SE_ROLE 14 /* security label role */ | ||
151 | #define AUDIT_SE_TYPE 15 /* security label type */ | ||
152 | #define AUDIT_SE_SEN 16 /* security label sensitivity label */ | ||
153 | #define AUDIT_SE_CLR 17 /* security label clearance label */ | ||
148 | 154 | ||
149 | /* These are ONLY useful when checking | 155 | /* These are ONLY useful when checking |
150 | * at syscall exit time (AUDIT_AT_EXIT). */ | 156 | * at syscall exit time (AUDIT_AT_EXIT). */ |
@@ -287,10 +293,10 @@ struct netlink_skb_parms; | |||
287 | /* Public API */ | 293 | /* Public API */ |
288 | extern int audit_alloc(struct task_struct *task); | 294 | extern int audit_alloc(struct task_struct *task); |
289 | extern void audit_free(struct task_struct *task); | 295 | extern void audit_free(struct task_struct *task); |
290 | extern void audit_syscall_entry(struct task_struct *task, int arch, | 296 | extern void audit_syscall_entry(int arch, |
291 | int major, unsigned long a0, unsigned long a1, | 297 | int major, unsigned long a0, unsigned long a1, |
292 | unsigned long a2, unsigned long a3); | 298 | unsigned long a2, unsigned long a3); |
293 | extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code); | 299 | extern void audit_syscall_exit(int failed, long return_code); |
294 | extern void audit_getname(const char *name); | 300 | extern void audit_getname(const char *name); |
295 | extern void audit_putname(const char *name); | 301 | extern void audit_putname(const char *name); |
296 | extern void __audit_inode(const char *name, const struct inode *inode, unsigned flags); | 302 | extern void __audit_inode(const char *name, const struct inode *inode, unsigned flags); |
@@ -314,7 +320,8 @@ extern void auditsc_get_stamp(struct audit_context *ctx, | |||
314 | struct timespec *t, unsigned int *serial); | 320 | struct timespec *t, unsigned int *serial); |
315 | extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); | 321 | extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); |
316 | extern uid_t audit_get_loginuid(struct audit_context *ctx); | 322 | extern uid_t audit_get_loginuid(struct audit_context *ctx); |
317 | extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp); | 323 | extern int audit_ipc_obj(struct kern_ipc_perm *ipcp); |
324 | extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp); | ||
318 | extern int audit_socketcall(int nargs, unsigned long *args); | 325 | extern int audit_socketcall(int nargs, unsigned long *args); |
319 | extern int audit_sockaddr(int len, void *addr); | 326 | extern int audit_sockaddr(int len, void *addr); |
320 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); | 327 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); |
@@ -323,8 +330,8 @@ extern int audit_set_macxattr(const char *name); | |||
323 | #else | 330 | #else |
324 | #define audit_alloc(t) ({ 0; }) | 331 | #define audit_alloc(t) ({ 0; }) |
325 | #define audit_free(t) do { ; } while (0) | 332 | #define audit_free(t) do { ; } while (0) |
326 | #define audit_syscall_entry(t,ta,a,b,c,d,e) do { ; } while (0) | 333 | #define audit_syscall_entry(ta,a,b,c,d,e) do { ; } while (0) |
327 | #define audit_syscall_exit(t,f,r) do { ; } while (0) | 334 | #define audit_syscall_exit(f,r) do { ; } while (0) |
328 | #define audit_getname(n) do { ; } while (0) | 335 | #define audit_getname(n) do { ; } while (0) |
329 | #define audit_putname(n) do { ; } while (0) | 336 | #define audit_putname(n) do { ; } while (0) |
330 | #define __audit_inode(n,i,f) do { ; } while (0) | 337 | #define __audit_inode(n,i,f) do { ; } while (0) |
@@ -333,7 +340,8 @@ extern int audit_set_macxattr(const char *name); | |||
333 | #define audit_inode_child(d,i,p) do { ; } while (0) | 340 | #define audit_inode_child(d,i,p) do { ; } while (0) |
334 | #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) | 341 | #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) |
335 | #define audit_get_loginuid(c) ({ -1; }) | 342 | #define audit_get_loginuid(c) ({ -1; }) |
336 | #define audit_ipc_perms(q,u,g,m,i) ({ 0; }) | 343 | #define audit_ipc_obj(i) ({ 0; }) |
344 | #define audit_ipc_set_perm(q,u,g,m,i) ({ 0; }) | ||
337 | #define audit_socketcall(n,a) ({ 0; }) | 345 | #define audit_socketcall(n,a) ({ 0; }) |
338 | #define audit_sockaddr(len, addr) ({ 0; }) | 346 | #define audit_sockaddr(len, addr) ({ 0; }) |
339 | #define audit_avc_path(dentry, mnt) ({ 0; }) | 347 | #define audit_avc_path(dentry, mnt) ({ 0; }) |
@@ -366,7 +374,7 @@ extern void audit_log_d_path(struct audit_buffer *ab, | |||
366 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); | 374 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); |
367 | extern int audit_filter_type(int type); | 375 | extern int audit_filter_type(int type); |
368 | extern int audit_receive_filter(int type, int pid, int uid, int seq, | 376 | extern int audit_receive_filter(int type, int pid, int uid, int seq, |
369 | void *data, size_t datasz, uid_t loginuid); | 377 | void *data, size_t datasz, uid_t loginuid, u32 sid); |
370 | #else | 378 | #else |
371 | #define audit_log(c,g,t,f,...) do { ; } while (0) | 379 | #define audit_log(c,g,t,f,...) do { ; } while (0) |
372 | #define audit_log_start(c,g,t) ({ NULL; }) | 380 | #define audit_log_start(c,g,t) ({ NULL; }) |
diff --git a/include/linux/netlink.h b/include/linux/netlink.h index f8f3d1c927f8..87b8a5703ebc 100644 --- a/include/linux/netlink.h +++ b/include/linux/netlink.h | |||
@@ -143,6 +143,7 @@ struct netlink_skb_parms | |||
143 | __u32 dst_group; | 143 | __u32 dst_group; |
144 | kernel_cap_t eff_cap; | 144 | kernel_cap_t eff_cap; |
145 | __u32 loginuid; /* Login (audit) uid */ | 145 | __u32 loginuid; /* Login (audit) uid */ |
146 | __u32 sid; /* SELinux security id */ | ||
146 | }; | 147 | }; |
147 | 148 | ||
148 | #define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb)) | 149 | #define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb)) |
diff --git a/include/linux/security.h b/include/linux/security.h index aaa0a5cdbf75..1bab48f6aeac 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -869,11 +869,6 @@ struct swap_info_struct; | |||
869 | * @ipcp contains the kernel IPC permission structure | 869 | * @ipcp contains the kernel IPC permission structure |
870 | * @flag contains the desired (requested) permission set | 870 | * @flag contains the desired (requested) permission set |
871 | * Return 0 if permission is granted. | 871 | * Return 0 if permission is granted. |
872 | * @ipc_getsecurity: | ||
873 | * Copy the security label associated with the ipc object into | ||
874 | * @buffer. @buffer may be NULL to request the size of the buffer | ||
875 | * required. @size indicates the size of @buffer in bytes. Return | ||
876 | * number of bytes used/required on success. | ||
877 | * | 872 | * |
878 | * Security hooks for individual messages held in System V IPC message queues | 873 | * Security hooks for individual messages held in System V IPC message queues |
879 | * @msg_msg_alloc_security: | 874 | * @msg_msg_alloc_security: |
@@ -1223,7 +1218,6 @@ struct security_operations { | |||
1223 | void (*task_to_inode)(struct task_struct *p, struct inode *inode); | 1218 | void (*task_to_inode)(struct task_struct *p, struct inode *inode); |
1224 | 1219 | ||
1225 | int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); | 1220 | int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); |
1226 | int (*ipc_getsecurity)(struct kern_ipc_perm *ipcp, void *buffer, size_t size); | ||
1227 | 1221 | ||
1228 | int (*msg_msg_alloc_security) (struct msg_msg * msg); | 1222 | int (*msg_msg_alloc_security) (struct msg_msg * msg); |
1229 | void (*msg_msg_free_security) (struct msg_msg * msg); | 1223 | void (*msg_msg_free_security) (struct msg_msg * msg); |
@@ -1887,11 +1881,6 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, | |||
1887 | return security_ops->ipc_permission (ipcp, flag); | 1881 | return security_ops->ipc_permission (ipcp, flag); |
1888 | } | 1882 | } |
1889 | 1883 | ||
1890 | static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size) | ||
1891 | { | ||
1892 | return security_ops->ipc_getsecurity(ipcp, buffer, size); | ||
1893 | } | ||
1894 | |||
1895 | static inline int security_msg_msg_alloc (struct msg_msg * msg) | 1884 | static inline int security_msg_msg_alloc (struct msg_msg * msg) |
1896 | { | 1885 | { |
1897 | return security_ops->msg_msg_alloc_security (msg); | 1886 | return security_ops->msg_msg_alloc_security (msg); |
@@ -2532,11 +2521,6 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, | |||
2532 | return 0; | 2521 | return 0; |
2533 | } | 2522 | } |
2534 | 2523 | ||
2535 | static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size) | ||
2536 | { | ||
2537 | return -EOPNOTSUPP; | ||
2538 | } | ||
2539 | |||
2540 | static inline int security_msg_msg_alloc (struct msg_msg * msg) | 2524 | static inline int security_msg_msg_alloc (struct msg_msg * msg) |
2541 | { | 2525 | { |
2542 | return 0; | 2526 | return 0; |
diff --git a/include/linux/selinux.h b/include/linux/selinux.h new file mode 100644 index 000000000000..4047bcde4484 --- /dev/null +++ b/include/linux/selinux.h | |||
@@ -0,0 +1,177 @@ | |||
1 | /* | ||
2 | * SELinux services exported to the rest of the kernel. | ||
3 | * | ||
4 | * Author: James Morris <jmorris@redhat.com> | ||
5 | * | ||
6 | * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com> | ||
7 | * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> | ||
8 | * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com> | ||
9 | * | ||
10 | * This program is free software; you can redistribute it and/or modify | ||
11 | * it under the terms of the GNU General Public License version 2, | ||
12 | * as published by the Free Software Foundation. | ||
13 | */ | ||
14 | #ifndef _LINUX_SELINUX_H | ||
15 | #define _LINUX_SELINUX_H | ||
16 | |||
17 | struct selinux_audit_rule; | ||
18 | struct audit_context; | ||
19 | struct inode; | ||
20 | struct kern_ipc_perm; | ||
21 | |||
22 | #ifdef CONFIG_SECURITY_SELINUX | ||
23 | |||
24 | /** | ||
25 | * selinux_audit_rule_init - alloc/init an selinux audit rule structure. | ||
26 | * @field: the field this rule refers to | ||
27 | * @op: the operater the rule uses | ||
28 | * @rulestr: the text "target" of the rule | ||
29 | * @rule: pointer to the new rule structure returned via this | ||
30 | * | ||
31 | * Returns 0 if successful, -errno if not. On success, the rule structure | ||
32 | * will be allocated internally. The caller must free this structure with | ||
33 | * selinux_audit_rule_free() after use. | ||
34 | */ | ||
35 | int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | ||
36 | struct selinux_audit_rule **rule); | ||
37 | |||
38 | /** | ||
39 | * selinux_audit_rule_free - free an selinux audit rule structure. | ||
40 | * @rule: pointer to the audit rule to be freed | ||
41 | * | ||
42 | * This will free all memory associated with the given rule. | ||
43 | * If @rule is NULL, no operation is performed. | ||
44 | */ | ||
45 | void selinux_audit_rule_free(struct selinux_audit_rule *rule); | ||
46 | |||
47 | /** | ||
48 | * selinux_audit_rule_match - determine if a context ID matches a rule. | ||
49 | * @ctxid: the context ID to check | ||
50 | * @field: the field this rule refers to | ||
51 | * @op: the operater the rule uses | ||
52 | * @rule: pointer to the audit rule to check against | ||
53 | * @actx: the audit context (can be NULL) associated with the check | ||
54 | * | ||
55 | * Returns 1 if the context id matches the rule, 0 if it does not, and | ||
56 | * -errno on failure. | ||
57 | */ | ||
58 | int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | ||
59 | struct selinux_audit_rule *rule, | ||
60 | struct audit_context *actx); | ||
61 | |||
62 | /** | ||
63 | * selinux_audit_set_callback - set the callback for policy reloads. | ||
64 | * @callback: the function to call when the policy is reloaded | ||
65 | * | ||
66 | * This sets the function callback function that will update the rules | ||
67 | * upon policy reloads. This callback should rebuild all existing rules | ||
68 | * using selinux_audit_rule_init(). | ||
69 | */ | ||
70 | void selinux_audit_set_callback(int (*callback)(void)); | ||
71 | |||
72 | /** | ||
73 | * selinux_task_ctxid - determine a context ID for a process. | ||
74 | * @tsk: the task object | ||
75 | * @ctxid: ID value returned via this | ||
76 | * | ||
77 | * On return, ctxid will contain an ID for the context. This value | ||
78 | * should only be used opaquely. | ||
79 | */ | ||
80 | void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid); | ||
81 | |||
82 | /** | ||
83 | * selinux_ctxid_to_string - map a security context ID to a string | ||
84 | * @ctxid: security context ID to be converted. | ||
85 | * @ctx: address of context string to be returned | ||
86 | * @ctxlen: length of returned context string. | ||
87 | * | ||
88 | * Returns 0 if successful, -errno if not. On success, the context | ||
89 | * string will be allocated internally, and the caller must call | ||
90 | * kfree() on it after use. | ||
91 | */ | ||
92 | int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen); | ||
93 | |||
94 | /** | ||
95 | * selinux_get_inode_sid - get the inode's security context ID | ||
96 | * @inode: inode structure to get the sid from. | ||
97 | * @sid: pointer to security context ID to be filled in. | ||
98 | * | ||
99 | * Returns nothing | ||
100 | */ | ||
101 | void selinux_get_inode_sid(const struct inode *inode, u32 *sid); | ||
102 | |||
103 | /** | ||
104 | * selinux_get_ipc_sid - get the ipc security context ID | ||
105 | * @ipcp: ipc structure to get the sid from. | ||
106 | * @sid: pointer to security context ID to be filled in. | ||
107 | * | ||
108 | * Returns nothing | ||
109 | */ | ||
110 | void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid); | ||
111 | |||
112 | /** | ||
113 | * selinux_get_task_sid - return the SID of task | ||
114 | * @tsk: the task whose SID will be returned | ||
115 | * @sid: pointer to security context ID to be filled in. | ||
116 | * | ||
117 | * Returns nothing | ||
118 | */ | ||
119 | void selinux_get_task_sid(struct task_struct *tsk, u32 *sid); | ||
120 | |||
121 | |||
122 | #else | ||
123 | |||
124 | static inline int selinux_audit_rule_init(u32 field, u32 op, | ||
125 | char *rulestr, | ||
126 | struct selinux_audit_rule **rule) | ||
127 | { | ||
128 | return -ENOTSUPP; | ||
129 | } | ||
130 | |||
131 | static inline void selinux_audit_rule_free(struct selinux_audit_rule *rule) | ||
132 | { | ||
133 | return; | ||
134 | } | ||
135 | |||
136 | static inline int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | ||
137 | struct selinux_audit_rule *rule, | ||
138 | struct audit_context *actx) | ||
139 | { | ||
140 | return 0; | ||
141 | } | ||
142 | |||
143 | static inline void selinux_audit_set_callback(int (*callback)(void)) | ||
144 | { | ||
145 | return; | ||
146 | } | ||
147 | |||
148 | static inline void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid) | ||
149 | { | ||
150 | *ctxid = 0; | ||
151 | } | ||
152 | |||
153 | static inline int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen) | ||
154 | { | ||
155 | *ctx = NULL; | ||
156 | *ctxlen = 0; | ||
157 | return 0; | ||
158 | } | ||
159 | |||
160 | static inline void selinux_get_inode_sid(const struct inode *inode, u32 *sid) | ||
161 | { | ||
162 | *sid = 0; | ||
163 | } | ||
164 | |||
165 | static inline void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid) | ||
166 | { | ||
167 | *sid = 0; | ||
168 | } | ||
169 | |||
170 | static inline void selinux_get_task_sid(struct task_struct *tsk, u32 *sid) | ||
171 | { | ||
172 | *sid = 0; | ||
173 | } | ||
174 | |||
175 | #endif /* CONFIG_SECURITY_SELINUX */ | ||
176 | |||
177 | #endif /* _LINUX_SELINUX_H */ | ||