diff options
| author | Eric Paris <eparis@redhat.com> | 2013-04-19 15:00:33 -0400 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2013-04-30 15:31:28 -0400 |
| commit | b122c3767c1d89763b4babca062c3171a71ed97c (patch) | |
| tree | 6d11cbca5af63bd1ac4089895d8751f09af28823 /kernel | |
| parent | 152f497b9b5940f81de3205465840a5eb316458e (diff) | |
audit: use a consistent audit helper to log lsm information
We have a number of places we were reimplementing the same code to write
out lsm labels. Just do it one darn place.
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/audit.c | 34 | ||||
| -rw-r--r-- | kernel/auditfilter.c | 13 | ||||
| -rw-r--r-- | kernel/auditsc.c | 10 |
3 files changed, 10 insertions, 47 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index 79b42fd14c22..a3c77b979b5b 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -271,29 +271,15 @@ static int audit_log_config_change(char *function_name, int new, int old, | |||
| 271 | int rc = 0; | 271 | int rc = 0; |
| 272 | u32 sessionid = audit_get_sessionid(current); | 272 | u32 sessionid = audit_get_sessionid(current); |
| 273 | uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current)); | 273 | uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current)); |
| 274 | u32 sid; | ||
| 275 | |||
| 276 | 274 | ||
| 277 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); | 275 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); |
| 278 | if (unlikely(!ab)) | 276 | if (unlikely(!ab)) |
| 279 | return rc; | 277 | return rc; |
| 280 | audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new, | 278 | audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new, |
| 281 | old, auid, sessionid); | 279 | old, auid, sessionid); |
| 282 | 280 | rc = audit_log_task_context(ab); | |
| 283 | security_task_getsecid(current, &sid); | 281 | if (rc) |
| 284 | if (sid) { | 282 | allow_changes = 0; /* Something weird, deny request */ |
| 285 | char *ctx = NULL; | ||
| 286 | u32 len; | ||
| 287 | |||
| 288 | rc = security_secid_to_secctx(sid, &ctx, &len); | ||
| 289 | if (rc) { | ||
| 290 | audit_log_format(ab, " sid=%u", sid); | ||
| 291 | allow_changes = 0; /* Something weird, deny request */ | ||
| 292 | } else { | ||
| 293 | audit_log_format(ab, " subj=%s", ctx); | ||
| 294 | security_release_secctx(ctx, len); | ||
| 295 | } | ||
| 296 | } | ||
| 297 | audit_log_format(ab, " res=%d", allow_changes); | 283 | audit_log_format(ab, " res=%d", allow_changes); |
| 298 | audit_log_end(ab); | 284 | audit_log_end(ab); |
| 299 | return rc; | 285 | return rc; |
| @@ -625,12 +611,9 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) | |||
| 625 | static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) | 611 | static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) |
| 626 | { | 612 | { |
| 627 | int rc = 0; | 613 | int rc = 0; |
| 628 | char *ctx = NULL; | ||
| 629 | u32 len; | ||
| 630 | u32 sessionid = audit_get_sessionid(current); | 614 | u32 sessionid = audit_get_sessionid(current); |
| 631 | uid_t uid = from_kuid(&init_user_ns, current_uid()); | 615 | uid_t uid = from_kuid(&init_user_ns, current_uid()); |
| 632 | uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current)); | 616 | uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current)); |
| 633 | u32 sid; | ||
| 634 | 617 | ||
| 635 | if (!audit_enabled) { | 618 | if (!audit_enabled) { |
| 636 | *ab = NULL; | 619 | *ab = NULL; |
| @@ -642,16 +625,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) | |||
| 642 | return rc; | 625 | return rc; |
| 643 | audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u", | 626 | audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u", |
| 644 | task_tgid_vnr(current), uid, auid, sessionid); | 627 | task_tgid_vnr(current), uid, auid, sessionid); |
| 645 | security_task_getsecid(current, &sid); | 628 | audit_log_task_context(*ab); |
| 646 | if (sid) { | ||
| 647 | rc = security_secid_to_secctx(sid, &ctx, &len); | ||
| 648 | if (rc) | ||
| 649 | audit_log_format(*ab, " ssid=%u", sid); | ||
| 650 | else { | ||
| 651 | audit_log_format(*ab, " subj=%s", ctx); | ||
| 652 | security_release_secctx(ctx, len); | ||
| 653 | } | ||
| 654 | } | ||
| 655 | 629 | ||
| 656 | return rc; | 630 | return rc; |
| 657 | } | 631 | } |
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index f952234da2ca..478f4602c96b 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
| @@ -985,7 +985,6 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re | |||
| 985 | struct audit_buffer *ab; | 985 | struct audit_buffer *ab; |
| 986 | uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current)); | 986 | uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current)); |
| 987 | u32 sessionid = audit_get_sessionid(current); | 987 | u32 sessionid = audit_get_sessionid(current); |
| 988 | u32 sid; | ||
| 989 | 988 | ||
| 990 | if (!audit_enabled) | 989 | if (!audit_enabled) |
| 991 | return; | 990 | return; |
| @@ -994,17 +993,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re | |||
| 994 | if (!ab) | 993 | if (!ab) |
| 995 | return; | 994 | return; |
| 996 | audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid); | 995 | audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid); |
| 997 | security_task_getsecid(current, &sid); | 996 | audit_log_task_context(ab); |
| 998 | if (sid) { | ||
| 999 | char *ctx = NULL; | ||
| 1000 | u32 len; | ||
| 1001 | if (security_secid_to_secctx(sid, &ctx, &len)) | ||
| 1002 | audit_log_format(ab, " ssid=%u", sid); | ||
| 1003 | else { | ||
| 1004 | audit_log_format(ab, " subj=%s", ctx); | ||
| 1005 | security_release_secctx(ctx, len); | ||
| 1006 | } | ||
| 1007 | } | ||
| 1008 | audit_log_format(ab, " op="); | 997 | audit_log_format(ab, " op="); |
| 1009 | audit_log_string(ab, action); | 998 | audit_log_string(ab, action); |
| 1010 | audit_log_key(ab, rule->filterkey); | 999 | audit_log_key(ab, rule->filterkey); |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4baf61d39836..17e9a260a545 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
| @@ -1109,7 +1109,7 @@ static inline void audit_free_context(struct audit_context *context) | |||
| 1109 | kfree(context); | 1109 | kfree(context); |
| 1110 | } | 1110 | } |
| 1111 | 1111 | ||
| 1112 | void audit_log_task_context(struct audit_buffer *ab) | 1112 | int audit_log_task_context(struct audit_buffer *ab) |
| 1113 | { | 1113 | { |
| 1114 | char *ctx = NULL; | 1114 | char *ctx = NULL; |
| 1115 | unsigned len; | 1115 | unsigned len; |
| @@ -1118,22 +1118,22 @@ void audit_log_task_context(struct audit_buffer *ab) | |||
| 1118 | 1118 | ||
| 1119 | security_task_getsecid(current, &sid); | 1119 | security_task_getsecid(current, &sid); |
| 1120 | if (!sid) | 1120 | if (!sid) |
| 1121 | return; | 1121 | return 0; |
| 1122 | 1122 | ||
| 1123 | error = security_secid_to_secctx(sid, &ctx, &len); | 1123 | error = security_secid_to_secctx(sid, &ctx, &len); |
| 1124 | if (error) { | 1124 | if (error) { |
| 1125 | if (error != -EINVAL) | 1125 | if (error != -EINVAL) |
| 1126 | goto error_path; | 1126 | goto error_path; |
| 1127 | return; | 1127 | return 0; |
| 1128 | } | 1128 | } |
| 1129 | 1129 | ||
| 1130 | audit_log_format(ab, " subj=%s", ctx); | 1130 | audit_log_format(ab, " subj=%s", ctx); |
| 1131 | security_release_secctx(ctx, len); | 1131 | security_release_secctx(ctx, len); |
| 1132 | return; | 1132 | return 0; |
| 1133 | 1133 | ||
| 1134 | error_path: | 1134 | error_path: |
| 1135 | audit_panic("error in audit_log_task_context"); | 1135 | audit_panic("error in audit_log_task_context"); |
| 1136 | return; | 1136 | return error; |
| 1137 | } | 1137 | } |
| 1138 | 1138 | ||
| 1139 | EXPORT_SYMBOL(audit_log_task_context); | 1139 | EXPORT_SYMBOL(audit_log_task_context); |