authorSteve Grubb <sgrubb@redhat.com>2006-04-01 18:29:34 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2006-05-01 06:10:01 -0400
commitce29b682e228c70cdc91a1b2935c5adb2087bab8 (patch)
tree39e3e5b345748bec1c2d21962407689cdb1b7dab /kernel/audit.c
parente7c3497013a7e5496ce3d5fd3c73b5cf5af7a56e (diff)
[PATCH] More user space subject labels
Hi, The patch below builds upon the patch sent earlier and adds subject label to all audit events generated via the netlink interface. It also cleans up a few other minor things. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel/audit.c')
-rw-r--r--kernel/audit.c132
1 files changed, 102 insertions, 30 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 7ec9ccae1299..df57b493e1cb 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -230,49 +230,103 @@ void audit_log_lost(const char *message)
230 } 230 }
231} 231}
232 232
233static int audit_set_rate_limit(int limit, uid_t loginuid) 233static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
234{ 234{
235 int old = audit_rate_limit; 235 int old = audit_rate_limit;
236 audit_rate_limit = limit; 236
237 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 237 if (sid) {
238 char *ctx = NULL;
239 u32 len;
240 int rc;
241 if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
242 return rc;
243 else
244 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
245 "audit_rate_limit=%d old=%d by auid=%u subj=%s",
246 limit, old, loginuid, ctx);
247 kfree(ctx);
248 } else
249 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
238 "audit_rate_limit=%d old=%d by auid=%u", 250 "audit_rate_limit=%d old=%d by auid=%u",
239 audit_rate_limit, old, loginuid); 251 limit, old, loginuid);
252 audit_rate_limit = limit;
240 return old; 253 return old;
241} 254}
242 255
243static int audit_set_backlog_limit(int limit, uid_t loginuid) 256static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
244{ 257{
245 int old = audit_backlog_limit; 258 int old = audit_backlog_limit;
246 audit_backlog_limit = limit; 259
247 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 260 if (sid) {
261 char *ctx = NULL;
262 u32 len;
263 int rc;
264 if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
265 return rc;
266 else
267 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
268 "audit_backlog_limit=%d old=%d by auid=%u subj=%s",
269 limit, old, loginuid, ctx);
270 kfree(ctx);
271 } else
272 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
248 "audit_backlog_limit=%d old=%d by auid=%u", 273 "audit_backlog_limit=%d old=%d by auid=%u",
249 audit_backlog_limit, old, loginuid); 274 limit, old, loginuid);
275 audit_backlog_limit = limit;
250 return old; 276 return old;
251} 277}
252 278
253static int audit_set_enabled(int state, uid_t loginuid) 279static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
254{ 280{
255 int old = audit_enabled; 281 int old = audit_enabled;
282
256 if (state != 0 && state != 1) 283 if (state != 0 && state != 1)
257 return -EINVAL; 284 return -EINVAL;
258 audit_enabled = state; 285
259 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 286 if (sid) {
287 char *ctx = NULL;
288 u32 len;
289 int rc;
290 if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
291 return rc;
292 else
293 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
294 "audit_enabled=%d old=%d by auid=%u subj=%s",
295 state, old, loginuid, ctx);
296 kfree(ctx);
297 } else
298 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
260 "audit_enabled=%d old=%d by auid=%u", 299 "audit_enabled=%d old=%d by auid=%u",
261 audit_enabled, old, loginuid); 300 state, old, loginuid);
301 audit_enabled = state;
262 return old; 302 return old;
263} 303}
264 304
265static int audit_set_failure(int state, uid_t loginuid) 305static int audit_set_failure(int state, uid_t loginuid, u32 sid)
266{ 306{
267 int old = audit_failure; 307 int old = audit_failure;
308
268 if (state != AUDIT_FAIL_SILENT 309 if (state != AUDIT_FAIL_SILENT
269 && state != AUDIT_FAIL_PRINTK 310 && state != AUDIT_FAIL_PRINTK
270 && state != AUDIT_FAIL_PANIC) 311 && state != AUDIT_FAIL_PANIC)
271 return -EINVAL; 312 return -EINVAL;
272 audit_failure = state; 313
273 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 314 if (sid) {
315 char *ctx = NULL;
316 u32 len;
317 int rc;
318 if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
319 return rc;
320 else
321 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
322 "audit_failure=%d old=%d by auid=%u subj=%s",
323 state, old, loginuid, ctx);
324 kfree(ctx);
325 } else
326 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
274 "audit_failure=%d old=%d by auid=%u", 327 "audit_failure=%d old=%d by auid=%u",
275 audit_failure, old, loginuid); 328 state, old, loginuid);
329 audit_failure = state;
276 return old; 330 return old;
277} 331}
278 332
@@ -437,25 +491,43 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
437 return -EINVAL; 491 return -EINVAL;
438 status_get = (struct audit_status *)data; 492 status_get = (struct audit_status *)data;
439 if (status_get->mask & AUDIT_STATUS_ENABLED) { 493 if (status_get->mask & AUDIT_STATUS_ENABLED) {
440 err = audit_set_enabled(status_get->enabled, loginuid); 494 err = audit_set_enabled(status_get->enabled,
495 loginuid, sid);
441 if (err < 0) return err; 496 if (err < 0) return err;
442 } 497 }
443 if (status_get->mask & AUDIT_STATUS_FAILURE) { 498 if (status_get->mask & AUDIT_STATUS_FAILURE) {
444 err = audit_set_failure(status_get->failure, loginuid); 499 err = audit_set_failure(status_get->failure,
500 loginuid, sid);
445 if (err < 0) return err; 501 if (err < 0) return err;
446 } 502 }
447 if (status_get->mask & AUDIT_STATUS_PID) { 503 if (status_get->mask & AUDIT_STATUS_PID) {
448 int old = audit_pid; 504 int old = audit_pid;
505 if (sid) {
506 char *ctx = NULL;
507 u32 len;
508 int rc;
509 if ((rc = selinux_ctxid_to_string(
510 sid, &ctx, &len)))
511 return rc;
512 else
513 audit_log(NULL, GFP_KERNEL,
514 AUDIT_CONFIG_CHANGE,
515 "audit_pid=%d old=%d by auid=%u subj=%s",
516 status_get->pid, old,
517 loginuid, ctx);
518 kfree(ctx);
519 } else
520 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
521 "audit_pid=%d old=%d by auid=%u",
522 status_get->pid, old, loginuid);
449 audit_pid = status_get->pid; 523 audit_pid = status_get->pid;
450 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
451 "audit_pid=%d old=%d by auid=%u",
452 audit_pid, old, loginuid);
453 } 524 }
454 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 525 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
455 audit_set_rate_limit(status_get->rate_limit, loginuid); 526 audit_set_rate_limit(status_get->rate_limit,
527 loginuid, sid);
456 if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) 528 if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
457 audit_set_backlog_limit(status_get->backlog_limit, 529 audit_set_backlog_limit(status_get->backlog_limit,
458 loginuid); 530 loginuid, sid);
459 break; 531 break;
460 case AUDIT_USER: 532 case AUDIT_USER:
461 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: 533 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
@@ -477,7 +549,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
477 if (selinux_ctxid_to_string( 549 if (selinux_ctxid_to_string(
478 sid, &ctx, &len)) { 550 sid, &ctx, &len)) {
479 audit_log_format(ab, 551 audit_log_format(ab,
480 " subj=%u", sid); 552 " ssid=%u", sid);
481 /* Maybe call audit_panic? */ 553 /* Maybe call audit_panic? */
482 } else 554 } else
483 audit_log_format(ab, 555 audit_log_format(ab,
@@ -499,7 +571,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
499 case AUDIT_LIST: 571 case AUDIT_LIST:
500 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, 572 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
501 uid, seq, data, nlmsg_len(nlh), 573 uid, seq, data, nlmsg_len(nlh),
502 loginuid); 574 loginuid, sid);
503 break; 575 break;
504 case AUDIT_ADD_RULE: 576 case AUDIT_ADD_RULE:
505 case AUDIT_DEL_RULE: 577 case AUDIT_DEL_RULE:
@@ -509,7 +581,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
509 case AUDIT_LIST_RULES: 581 case AUDIT_LIST_RULES:
510 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, 582 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
511 uid, seq, data, nlmsg_len(nlh), 583 uid, seq, data, nlmsg_len(nlh),
512 loginuid); 584 loginuid, sid);
513 break; 585 break;
514 case AUDIT_SIGNAL_INFO: 586 case AUDIT_SIGNAL_INFO:
515 sig_data.uid = audit_sig_uid; 587 sig_data.uid = audit_sig_uid;