[PATCH] More user space subject labels

Hi, The patch below builds upon the patch sent earlier and adds subject label to all audit events generated via the netlink interface. It also cleans up a few other minor things. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Steve Grubb <sgrubb@redhat.com> 2006-04-01 18:29:34 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2006-05-01 06:10:01 -0400
commit: ce29b682e228c70cdc91a1b2935c5adb2087bab8 (patch)
tree: 39e3e5b345748bec1c2d21962407689cdb1b7dab /kernel/audit.c
parent: e7c3497013a7e5496ce3d5fd3c73b5cf5af7a56e (diff)
1 files changed, 102 insertions, 30 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 7ec9ccae1299..df57b493e1cb 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -230,49 +230,103 @@ void audit_log_lost(const char *message)
        }
 }
-static int audit_set_rate_limit(int limit, uid_t loginuid)
+static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
 {
-        int old          = audit_rate_limit;
+        int old = audit_rate_limit;
-        audit_rate_limit = limit;
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 
+        if (sid) {
+                char *ctx = NULL;
+                u32 len;
+                int rc;
+                if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+                        return rc;
+                else
+                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                                "audit_rate_limit=%d old=%d by auid=%u subj=%s",
+                                limit, old, loginuid, ctx);
+                kfree(ctx);
+        } else
+                audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
                        "audit_rate_limit=%d old=%d by auid=%u",
-                        audit_rate_limit, old, loginuid);
+                        limit, old, loginuid);
+        audit_rate_limit = limit;
        return old;
 }
-static int audit_set_backlog_limit(int limit, uid_t loginuid)
+static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
 {
-        int old          = audit_backlog_limit;
+        int old = audit_backlog_limit;
-        audit_backlog_limit = limit;
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+        if (sid) {
+                char *ctx = NULL;
+                u32 len;
+                int rc;
+                if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+                        return rc;
+                else
+                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                            "audit_backlog_limit=%d old=%d by auid=%u subj=%s",
+                                limit, old, loginuid, ctx);
+                kfree(ctx);
+        } else
+                audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
                        "audit_backlog_limit=%d old=%d by auid=%u",
-                        audit_backlog_limit, old, loginuid);
+                        limit, old, loginuid);
+        audit_backlog_limit = limit;
        return old;
 }
-static int audit_set_enabled(int state, uid_t loginuid)
+static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
 {
-        int old          = audit_enabled;
+        int old = audit_enabled;
        if (state != 0 && state != 1)
                return -EINVAL;
-        audit_enabled = state;
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+        if (sid) {
+                char *ctx = NULL;
+                u32 len;
+                int rc;
+                if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+                        return rc;
+                else
+                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                                "audit_enabled=%d old=%d by auid=%u subj=%s",
+                                state, old, loginuid, ctx);
+                kfree(ctx);
+        } else
+                audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
                        "audit_enabled=%d old=%d by auid=%u",
-                        audit_enabled, old, loginuid);
+                        state, old, loginuid);
+        audit_enabled = state;
        return old;
 }
-static int audit_set_failure(int state, uid_t loginuid)
+static int audit_set_failure(int state, uid_t loginuid, u32 sid)
 {
-        int old          = audit_failure;
+        int old = audit_failure;
        if (state != AUDIT_FAIL_SILENT
            && state != AUDIT_FAIL_PRINTK
            && state != AUDIT_FAIL_PANIC)
                return -EINVAL;
-        audit_failure = state;
-        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+        if (sid) {
+                char *ctx = NULL;
+                u32 len;
+                int rc;
+                if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+                        return rc;
+                else
+                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                                "audit_failure=%d old=%d by auid=%u subj=%s",
+                                state, old, loginuid, ctx);
+                kfree(ctx);
+        } else
+                audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
                        "audit_failure=%d old=%d by auid=%u",
-                        audit_failure, old, loginuid);
+                        state, old, loginuid);
+        audit_failure = state;
        return old;
 }
@@ -437,25 +491,43 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        return -EINVAL;
                status_get   = (struct audit_status *)data;
                if (status_get->mask & AUDIT_STATUS_ENABLED) {
-                        err = audit_set_enabled(status_get->enabled, loginuid);
+                        err = audit_set_enabled(status_get->enabled,
+                                                        loginuid, sid);
                        if (err < 0) return err;
                }
                if (status_get->mask & AUDIT_STATUS_FAILURE) {
-                        err = audit_set_failure(status_get->failure, loginuid);
+                        err = audit_set_failure(status_get->failure,
+                                                         loginuid, sid);
                        if (err < 0) return err;
                }
                if (status_get->mask & AUDIT_STATUS_PID) {
                        int old   = audit_pid;
+                        if (sid) {
+                                char *ctx = NULL;
+                                u32 len;
+                                int rc;
+                                if ((rc = selinux_ctxid_to_string(
+                                                sid, &ctx, &len)))
+                                        return rc;
+                                else
+                                        audit_log(NULL, GFP_KERNEL,
+                                                AUDIT_CONFIG_CHANGE,
+                                                "audit_pid=%d old=%d by auid=%u subj=%s",
+                                                status_get->pid, old,
+                                                loginuid, ctx);
+                                kfree(ctx);
+                        } else
+                                audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+                                        "audit_pid=%d old=%d by auid=%u",
+                                          status_get->pid, old, loginuid);
                        audit_pid = status_get->pid;
-                        audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
-                                "audit_pid=%d old=%d by auid=%u",
-                                  audit_pid, old, loginuid);
                }
                if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
-                        audit_set_rate_limit(status_get->rate_limit, loginuid);
+                        audit_set_rate_limit(status_get->rate_limit,
+                                                         loginuid, sid);
                if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
                        audit_set_backlog_limit(status_get->backlog_limit,
-                                                        loginuid);
+                                                        loginuid, sid);
                break;
        case AUDIT_USER:
        case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
@@ -477,7 +549,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                                        if (selinux_ctxid_to_string(
                                                        sid, &ctx, &len)) {
                                                audit_log_format(ab, 
-                                                        " subj=%u", sid);
+                                                        " ssid=%u", sid);
                                                /* Maybe call audit_panic? */
                                        } else
                                                audit_log_format(ab, 
@@ -499,7 +571,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        case AUDIT_LIST:
                err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
                                           uid, seq, data, nlmsg_len(nlh),
-                                           loginuid);
+                                           loginuid, sid);
                break;
        case AUDIT_ADD_RULE:
        case AUDIT_DEL_RULE:
@@ -509,7 +581,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        case AUDIT_LIST_RULES:
                err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
                                           uid, seq, data, nlmsg_len(nlh),
-                                           loginuid);
+                                           loginuid, sid);
                break;
        case AUDIT_SIGNAL_INFO:
                sig_data.uid = audit_sig_uid;
author	Steve Grubb <sgrubb@redhat.com>	2006-04-01 18:29:34 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2006-05-01 06:10:01 -0400
commit	ce29b682e228c70cdc91a1b2935c5adb2087bab8 (patch)
tree	39e3e5b345748bec1c2d21962407689cdb1b7dab /kernel/audit.c
parent	e7c3497013a7e5496ce3d5fd3c73b5cf5af7a56e (diff)

diff --git a/kernel/audit.c b/kernel/audit.c index 7ec9ccae1299..df57b493e1cb 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -230,49 +230,103 @@ void audit_log_lost(const char *message)
230	}	230	}
231	}	231	}
232		232
233	static int audit_set_rate_limit(int limit, uid_t loginuid)	233	static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
234	{	234	{
235	int old = audit_rate_limit;	235	int old = audit_rate_limit;
236	audit_rate_limit = limit;	236
237	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	237	if (sid) {
		238	char *ctx = NULL;
		239	u32 len;
		240	int rc;
		241	if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
		242	return rc;
		243	else
		244	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
		245	"audit_rate_limit=%d old=%d by auid=%u subj=%s",
		246	limit, old, loginuid, ctx);
		247	kfree(ctx);
		248	} else
		249	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
238	"audit_rate_limit=%d old=%d by auid=%u",	250	"audit_rate_limit=%d old=%d by auid=%u",
239	audit_rate_limit, old, loginuid);	251	limit, old, loginuid);
		252	audit_rate_limit = limit;
240	return old;	253	return old;
241	}	254	}
242		255
243	static int audit_set_backlog_limit(int limit, uid_t loginuid)	256	static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
244	{	257	{
245	int old = audit_backlog_limit;	258	int old = audit_backlog_limit;
246	audit_backlog_limit = limit;	259
247	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	260	if (sid) {
		261	char *ctx = NULL;
		262	u32 len;
		263	int rc;
		264	if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
		265	return rc;
		266	else
		267	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
		268	"audit_backlog_limit=%d old=%d by auid=%u subj=%s",
		269	limit, old, loginuid, ctx);
		270	kfree(ctx);
		271	} else
		272	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
248	"audit_backlog_limit=%d old=%d by auid=%u",	273	"audit_backlog_limit=%d old=%d by auid=%u",
249	audit_backlog_limit, old, loginuid);	274	limit, old, loginuid);
		275	audit_backlog_limit = limit;
250	return old;	276	return old;
251	}	277	}
252		278
253	static int audit_set_enabled(int state, uid_t loginuid)	279	static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
254	{	280	{
255	int old = audit_enabled;	281	int old = audit_enabled;
		282
256	if (state != 0 && state != 1)	283	if (state != 0 && state != 1)
257	return -EINVAL;	284	return -EINVAL;
258	audit_enabled = state;	285
259	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	286	if (sid) {
		287	char *ctx = NULL;
		288	u32 len;
		289	int rc;
		290	if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
		291	return rc;
		292	else
		293	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
		294	"audit_enabled=%d old=%d by auid=%u subj=%s",
		295	state, old, loginuid, ctx);
		296	kfree(ctx);
		297	} else
		298	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
260	"audit_enabled=%d old=%d by auid=%u",	299	"audit_enabled=%d old=%d by auid=%u",
261	audit_enabled, old, loginuid);	300	state, old, loginuid);
		301	audit_enabled = state;
262	return old;	302	return old;
263	}	303	}
264		304
265	static int audit_set_failure(int state, uid_t loginuid)	305	static int audit_set_failure(int state, uid_t loginuid, u32 sid)
266	{	306	{
267	int old = audit_failure;	307	int old = audit_failure;
		308
268	if (state != AUDIT_FAIL_SILENT	309	if (state != AUDIT_FAIL_SILENT
269	&& state != AUDIT_FAIL_PRINTK	310	&& state != AUDIT_FAIL_PRINTK
270	&& state != AUDIT_FAIL_PANIC)	311	&& state != AUDIT_FAIL_PANIC)
271	return -EINVAL;	312	return -EINVAL;
272	audit_failure = state;	313
273	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,	314	if (sid) {
		315	char *ctx = NULL;
		316	u32 len;
		317	int rc;
		318	if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
		319	return rc;
		320	else
		321	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
		322	"audit_failure=%d old=%d by auid=%u subj=%s",
		323	state, old, loginuid, ctx);
		324	kfree(ctx);
		325	} else
		326	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
274	"audit_failure=%d old=%d by auid=%u",	327	"audit_failure=%d old=%d by auid=%u",
275	audit_failure, old, loginuid);	328	state, old, loginuid);
		329	audit_failure = state;
276	return old;	330	return old;
277	}	331	}
278		332
@@ -437,25 +491,43 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
437	return -EINVAL;	491	return -EINVAL;
438	status_get = (struct audit_status *)data;	492	status_get = (struct audit_status *)data;
439	if (status_get->mask & AUDIT_STATUS_ENABLED) {	493	if (status_get->mask & AUDIT_STATUS_ENABLED) {
440	err = audit_set_enabled(status_get->enabled, loginuid);	494	err = audit_set_enabled(status_get->enabled,
		495	loginuid, sid);
441	if (err < 0) return err;	496	if (err < 0) return err;
442	}	497	}
443	if (status_get->mask & AUDIT_STATUS_FAILURE) {	498	if (status_get->mask & AUDIT_STATUS_FAILURE) {
444	err = audit_set_failure(status_get->failure, loginuid);	499	err = audit_set_failure(status_get->failure,
		500	loginuid, sid);
445	if (err < 0) return err;	501	if (err < 0) return err;
446	}	502	}
447	if (status_get->mask & AUDIT_STATUS_PID) {	503	if (status_get->mask & AUDIT_STATUS_PID) {
448	int old = audit_pid;	504	int old = audit_pid;
		505	if (sid) {
		506	char *ctx = NULL;
		507	u32 len;
		508	int rc;
		509	if ((rc = selinux_ctxid_to_string(
		510	sid, &ctx, &len)))
		511	return rc;
		512	else
		513	audit_log(NULL, GFP_KERNEL,
		514	AUDIT_CONFIG_CHANGE,
		515	"audit_pid=%d old=%d by auid=%u subj=%s",
		516	status_get->pid, old,
		517	loginuid, ctx);
		518	kfree(ctx);
		519	} else
		520	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
		521	"audit_pid=%d old=%d by auid=%u",
		522	status_get->pid, old, loginuid);
449	audit_pid = status_get->pid;	523	audit_pid = status_get->pid;
450	audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
451	"audit_pid=%d old=%d by auid=%u",
452	audit_pid, old, loginuid);
453	}	524	}
454	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)	525	if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
455	audit_set_rate_limit(status_get->rate_limit, loginuid);	526	audit_set_rate_limit(status_get->rate_limit,
		527	loginuid, sid);
456	if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)	528	if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
457	audit_set_backlog_limit(status_get->backlog_limit,	529	audit_set_backlog_limit(status_get->backlog_limit,
458	loginuid);	530	loginuid, sid);
459	break;	531	break;
460	case AUDIT_USER:	532	case AUDIT_USER:
461	case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:	533	case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
@@ -477,7 +549,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
477	if (selinux_ctxid_to_string(	549	if (selinux_ctxid_to_string(
478	sid, &ctx, &len)) {	550	sid, &ctx, &len)) {
479	audit_log_format(ab,	551	audit_log_format(ab,
480	" subj=%u", sid);	552	" ssid=%u", sid);
481	/* Maybe call audit_panic? */	553	/* Maybe call audit_panic? */
482	} else	554	} else
483	audit_log_format(ab,	555	audit_log_format(ab,
@@ -499,7 +571,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
499	case AUDIT_LIST:	571	case AUDIT_LIST:
500	err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,	572	err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
501	uid, seq, data, nlmsg_len(nlh),	573	uid, seq, data, nlmsg_len(nlh),
502	loginuid);	574	loginuid, sid);
503	break;	575	break;
504	case AUDIT_ADD_RULE:	576	case AUDIT_ADD_RULE:
505	case AUDIT_DEL_RULE:	577	case AUDIT_DEL_RULE:
@@ -509,7 +581,7 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
509	case AUDIT_LIST_RULES:	581	case AUDIT_LIST_RULES:
510	err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,	582	err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
511	uid, seq, data, nlmsg_len(nlh),	583	uid, seq, data, nlmsg_len(nlh),
512	loginuid);	584	loginuid, sid);
513	break;	585	break;
514	case AUDIT_SIGNAL_INFO:	586	case AUDIT_SIGNAL_INFO:
515	sig_data.uid = audit_sig_uid;	587	sig_data.uid = audit_sig_uid;