aboutsummaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2008-12-10 03:40:06 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2009-01-04 15:14:39 -0500
commita33e6751003c5ade603737d828b1519d980ce392 (patch)
treeaa484d033e886945aed78172dbdd4d2fd928bacf /kernel
parentf3298dc4f2277874d40cb4fc3a6e277317d6603b (diff)
sanitize audit_ipc_obj()
* get rid of allocations * make it return void * simplify callers Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/auditsc.c88
1 files changed, 37 insertions, 51 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 5cda66466e14..73504313264f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -247,6 +247,12 @@ struct audit_context {
247 int nargs; 247 int nargs;
248 long args[6]; 248 long args[6];
249 } socketcall; 249 } socketcall;
250 struct {
251 uid_t uid;
252 gid_t gid;
253 mode_t mode;
254 u32 osid;
255 } ipc;
250 }; 256 };
251 257
252#if AUDIT_DEBUG 258#if AUDIT_DEBUG
@@ -605,19 +611,12 @@ static int audit_filter_rules(struct task_struct *tsk,
605 } 611 }
606 } 612 }
607 /* Find ipc objects that match */ 613 /* Find ipc objects that match */
608 if (ctx) { 614 if (!ctx || ctx->type != AUDIT_IPC)
609 struct audit_aux_data *aux; 615 break;
610 for (aux = ctx->aux; aux; 616 if (security_audit_rule_match(ctx->ipc.osid,
611 aux = aux->next) { 617 f->type, f->op,
612 if (aux->type == AUDIT_IPC) { 618 f->lsm_rule, ctx))
613 struct audit_aux_data_ipcctl *axi = (void *)aux; 619 ++result;
614 if (security_audit_rule_match(axi->osid, f->type, f->op, f->lsm_rule, ctx)) {
615 ++result;
616 break;
617 }
618 }
619 }
620 }
621 } 620 }
622 break; 621 break;
623 case AUDIT_ARG0: 622 case AUDIT_ARG0:
@@ -1228,7 +1227,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
1228 audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver); 1227 audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
1229} 1228}
1230 1229
1231static void show_special(struct audit_context *context) 1230static void show_special(struct audit_context *context, int *call_panic)
1232{ 1231{
1233 struct audit_buffer *ab; 1232 struct audit_buffer *ab;
1234 int i; 1233 int i;
@@ -1245,6 +1244,23 @@ static void show_special(struct audit_context *context)
1245 audit_log_format(ab, " a%d=%lx", i, 1244 audit_log_format(ab, " a%d=%lx", i,
1246 context->socketcall.args[i]); 1245 context->socketcall.args[i]);
1247 break; } 1246 break; }
1247 case AUDIT_IPC: {
1248 u32 osid = context->ipc.osid;
1249
1250 audit_log_format(ab, "ouid=%u ogid=%u mode=%#o",
1251 context->ipc.uid, context->ipc.gid, context->ipc.mode);
1252 if (osid) {
1253 char *ctx = NULL;
1254 u32 len;
1255 if (security_secid_to_secctx(osid, &ctx, &len)) {
1256 audit_log_format(ab, " osid=%u", osid);
1257 *call_panic = 1;
1258 } else {
1259 audit_log_format(ab, " obj=%s", ctx);
1260 security_release_secctx(ctx, len);
1261 }
1262 }
1263 break; }
1248 } 1264 }
1249 audit_log_end(ab); 1265 audit_log_end(ab);
1250} 1266}
@@ -1363,26 +1379,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1363 axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs); 1379 axi->mqstat.mq_msgsize, axi->mqstat.mq_curmsgs);
1364 break; } 1380 break; }
1365 1381
1366 case AUDIT_IPC: {
1367 struct audit_aux_data_ipcctl *axi = (void *)aux;
1368 audit_log_format(ab,
1369 "ouid=%u ogid=%u mode=%#o",
1370 axi->uid, axi->gid, axi->mode);
1371 if (axi->osid != 0) {
1372 char *ctx = NULL;
1373 u32 len;
1374 if (security_secid_to_secctx(
1375 axi->osid, &ctx, &len)) {
1376 audit_log_format(ab, " osid=%u",
1377 axi->osid);
1378 call_panic = 1;
1379 } else {
1380 audit_log_format(ab, " obj=%s", ctx);
1381 security_release_secctx(ctx, len);
1382 }
1383 }
1384 break; }
1385
1386 case AUDIT_IPC_SET_PERM: { 1382 case AUDIT_IPC_SET_PERM: {
1387 struct audit_aux_data_ipcctl *axi = (void *)aux; 1383 struct audit_aux_data_ipcctl *axi = (void *)aux;
1388 audit_log_format(ab, 1384 audit_log_format(ab,
@@ -1427,7 +1423,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1427 } 1423 }
1428 1424
1429 if (context->type) 1425 if (context->type)
1430 show_special(context); 1426 show_special(context, &call_panic);
1431 1427
1432 if (context->sockaddr_len) { 1428 if (context->sockaddr_len) {
1433 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR); 1429 ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
@@ -2349,25 +2345,15 @@ int __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
2349 * audit_ipc_obj - record audit data for ipc object 2345 * audit_ipc_obj - record audit data for ipc object
2350 * @ipcp: ipc permissions 2346 * @ipcp: ipc permissions
2351 * 2347 *
2352 * Returns 0 for success or NULL context or < 0 on error.
2353 */ 2348 */
2354int __audit_ipc_obj(struct kern_ipc_perm *ipcp) 2349void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2355{ 2350{
2356 struct audit_aux_data_ipcctl *ax;
2357 struct audit_context *context = current->audit_context; 2351 struct audit_context *context = current->audit_context;
2358 2352 context->ipc.uid = ipcp->uid;
2359 ax = kmalloc(sizeof(*ax), GFP_ATOMIC); 2353 context->ipc.gid = ipcp->gid;
2360 if (!ax) 2354 context->ipc.mode = ipcp->mode;
2361 return -ENOMEM; 2355 security_ipc_getsecid(ipcp, &context->ipc.osid);
2362 2356 context->type = AUDIT_IPC;
2363 ax->uid = ipcp->uid;
2364 ax->gid = ipcp->gid;
2365 ax->mode = ipcp->mode;
2366 security_ipc_getsecid(ipcp, &ax->osid);
2367 ax->d.type = AUDIT_IPC;
2368 ax->d.next = context->aux;
2369 context->aux = (void *)ax;
2370 return 0;
2371} 2357}
2372 2358
2373/** 2359/**