[PATCH] support for context based audit filtering, part 2

This patch provides the ability to filter audit messages based on the
elements of the process' SELinux context (user, role, type, mls sensitivity,
and mls clearance).  It uses the new interfaces from selinux to opaquely
store information related to the selinux context and to filter based on that
information.  It also uses the callback mechanism provided by selinux to
refresh the information when a new policy is loaded.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 8 insertions, 0 deletions

diff --git a/kernel/audit.c b/kernel/audit.c
index c8ccbd09048f..9060be750c48 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -55,6 +55,9 @@
 #include <net/netlink.h>
 #include <linux/skbuff.h>
 #include <linux/netlink.h>
+#include <linux/selinux.h>
+
+#include "audit.h"
 
 /* No auditing will take place until audit_initialized != 0.
  * (Initialization happens after skb_init is called.) */
@@ -564,6 +567,11 @@ static int __init audit_init(void)
         skb_queue_head_init(&audit_skb_queue);
         audit_initialized = 1;
         audit_enabled = audit_default;
+
+        /* Register the callback with selinux.  This callback will be invoked
+         * when a new policy is loaded. */
+        selinux_audit_set_callback(&selinux_audit_rule_update);
+
         audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
         return 0;
 }