diff options
author | Darrel Goeddel <dgoeddel@trustedcs.com> | 2006-06-29 17:57:08 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-07-01 05:44:19 -0400 |
commit | 6e5a2d1d32596850a0ebf7fb3e54c0d69901dabd (patch) | |
tree | 27718d7df96c9b9f08a2ba333aa36c8e9ebbadfe /kernel | |
parent | 3a6b9f85c641a3b89420b0c8150ed377526a1fe1 (diff) |
[PATCH] audit: support for object context filters
This patch introduces object audit filters based on the elements
of the SELinux context.
Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
kernel/auditfilter.c | 25 +++++++++++++++++++++++++
kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++++++
security/selinux/ss/services.c | 18 +++++++++++++++++-
3 files changed, 82 insertions(+), 1 deletion(-)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/auditfilter.c | 25 | ||||
-rw-r--r-- | kernel/auditsc.c | 40 |
2 files changed, 65 insertions, 0 deletions
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 40a9931a13e2..7f2ea8b84a27 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
@@ -475,6 +475,11 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |||
475 | case AUDIT_SUBJ_TYPE: | 475 | case AUDIT_SUBJ_TYPE: |
476 | case AUDIT_SUBJ_SEN: | 476 | case AUDIT_SUBJ_SEN: |
477 | case AUDIT_SUBJ_CLR: | 477 | case AUDIT_SUBJ_CLR: |
478 | case AUDIT_OBJ_USER: | ||
479 | case AUDIT_OBJ_ROLE: | ||
480 | case AUDIT_OBJ_TYPE: | ||
481 | case AUDIT_OBJ_LEV_LOW: | ||
482 | case AUDIT_OBJ_LEV_HIGH: | ||
478 | str = audit_unpack_string(&bufp, &remain, f->val); | 483 | str = audit_unpack_string(&bufp, &remain, f->val); |
479 | if (IS_ERR(str)) | 484 | if (IS_ERR(str)) |
480 | goto exit_free; | 485 | goto exit_free; |
@@ -616,6 +621,11 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) | |||
616 | case AUDIT_SUBJ_TYPE: | 621 | case AUDIT_SUBJ_TYPE: |
617 | case AUDIT_SUBJ_SEN: | 622 | case AUDIT_SUBJ_SEN: |
618 | case AUDIT_SUBJ_CLR: | 623 | case AUDIT_SUBJ_CLR: |
624 | case AUDIT_OBJ_USER: | ||
625 | case AUDIT_OBJ_ROLE: | ||
626 | case AUDIT_OBJ_TYPE: | ||
627 | case AUDIT_OBJ_LEV_LOW: | ||
628 | case AUDIT_OBJ_LEV_HIGH: | ||
619 | data->buflen += data->values[i] = | 629 | data->buflen += data->values[i] = |
620 | audit_pack_string(&bufp, f->se_str); | 630 | audit_pack_string(&bufp, f->se_str); |
621 | break; | 631 | break; |
@@ -659,6 +669,11 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) | |||
659 | case AUDIT_SUBJ_TYPE: | 669 | case AUDIT_SUBJ_TYPE: |
660 | case AUDIT_SUBJ_SEN: | 670 | case AUDIT_SUBJ_SEN: |
661 | case AUDIT_SUBJ_CLR: | 671 | case AUDIT_SUBJ_CLR: |
672 | case AUDIT_OBJ_USER: | ||
673 | case AUDIT_OBJ_ROLE: | ||
674 | case AUDIT_OBJ_TYPE: | ||
675 | case AUDIT_OBJ_LEV_LOW: | ||
676 | case AUDIT_OBJ_LEV_HIGH: | ||
662 | if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) | 677 | if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) |
663 | return 1; | 678 | return 1; |
664 | break; | 679 | break; |
@@ -779,6 +794,11 @@ static struct audit_entry *audit_dupe_rule(struct audit_krule *old, | |||
779 | case AUDIT_SUBJ_TYPE: | 794 | case AUDIT_SUBJ_TYPE: |
780 | case AUDIT_SUBJ_SEN: | 795 | case AUDIT_SUBJ_SEN: |
781 | case AUDIT_SUBJ_CLR: | 796 | case AUDIT_SUBJ_CLR: |
797 | case AUDIT_OBJ_USER: | ||
798 | case AUDIT_OBJ_ROLE: | ||
799 | case AUDIT_OBJ_TYPE: | ||
800 | case AUDIT_OBJ_LEV_LOW: | ||
801 | case AUDIT_OBJ_LEV_HIGH: | ||
782 | err = audit_dupe_selinux_field(&new->fields[i], | 802 | err = audit_dupe_selinux_field(&new->fields[i], |
783 | &old->fields[i]); | 803 | &old->fields[i]); |
784 | break; | 804 | break; |
@@ -1542,6 +1562,11 @@ static inline int audit_rule_has_selinux(struct audit_krule *rule) | |||
1542 | case AUDIT_SUBJ_TYPE: | 1562 | case AUDIT_SUBJ_TYPE: |
1543 | case AUDIT_SUBJ_SEN: | 1563 | case AUDIT_SUBJ_SEN: |
1544 | case AUDIT_SUBJ_CLR: | 1564 | case AUDIT_SUBJ_CLR: |
1565 | case AUDIT_OBJ_USER: | ||
1566 | case AUDIT_OBJ_ROLE: | ||
1567 | case AUDIT_OBJ_TYPE: | ||
1568 | case AUDIT_OBJ_LEV_LOW: | ||
1569 | case AUDIT_OBJ_LEV_HIGH: | ||
1545 | return 1; | 1570 | return 1; |
1546 | } | 1571 | } |
1547 | } | 1572 | } |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 1d24fade17e6..ae40ac8c39e7 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
@@ -342,6 +342,46 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
342 | ctx); | 342 | ctx); |
343 | } | 343 | } |
344 | break; | 344 | break; |
345 | case AUDIT_OBJ_USER: | ||
346 | case AUDIT_OBJ_ROLE: | ||
347 | case AUDIT_OBJ_TYPE: | ||
348 | case AUDIT_OBJ_LEV_LOW: | ||
349 | case AUDIT_OBJ_LEV_HIGH: | ||
350 | /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR | ||
351 | also applies here */ | ||
352 | if (f->se_rule) { | ||
353 | /* Find files that match */ | ||
354 | if (name) { | ||
355 | result = selinux_audit_rule_match( | ||
356 | name->osid, f->type, f->op, | ||
357 | f->se_rule, ctx); | ||
358 | } else if (ctx) { | ||
359 | for (j = 0; j < ctx->name_count; j++) { | ||
360 | if (selinux_audit_rule_match( | ||
361 | ctx->names[j].osid, | ||
362 | f->type, f->op, | ||
363 | f->se_rule, ctx)) { | ||
364 | ++result; | ||
365 | break; | ||
366 | } | ||
367 | } | ||
368 | } | ||
369 | /* Find ipc objects that match */ | ||
370 | if (ctx) { | ||
371 | struct audit_aux_data *aux; | ||
372 | for (aux = ctx->aux; aux; | ||
373 | aux = aux->next) { | ||
374 | if (aux->type == AUDIT_IPC) { | ||
375 | struct audit_aux_data_ipcctl *axi = (void *)aux; | ||
376 | if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) { | ||
377 | ++result; | ||
378 | break; | ||
379 | } | ||
380 | } | ||
381 | } | ||
382 | } | ||
383 | } | ||
384 | break; | ||
345 | case AUDIT_ARG0: | 385 | case AUDIT_ARG0: |
346 | case AUDIT_ARG1: | 386 | case AUDIT_ARG1: |
347 | case AUDIT_ARG2: | 387 | case AUDIT_ARG2: |