author | Steve Grubb <sgrubb@redhat.com> | 2006-03-31 15:22:49 -0500 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-05-01 06:09:56 -0400 |
commit | 9c7aa6aa74fa8a5cda36e54cbbe4fffe0214497d (patch) | |
tree | 1e1489ed5080ea4aff6206bfa904f549de8e56ca /kernel | |
parent | 1b50eed9cac0e8e5e4d3a522d8aa267f7f8f8acb (diff) |
[PATCH] change lspp ipc auditing
Hi,
The patch below converts IPC auditing to collect SIDs and convert them to a
context string only when it needs to output an audit record. This patch depends
on the inode audit change patch already being applied.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/auditsc.c | 68 |
1 files changed, 21 insertions, 47 deletions
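diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 2e123a8a0d60..b4f7223811fe 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -107,7 +107,7 @@ struct audit_aux_data_ipcctl {
 	uid_t uid;
 	gid_t gid;
 	mode_t mode;
-	char *ctx;
+	u32 osid;
 };
 
 struct audit_aux_data_socketcall {
@@ -432,11 +432,6 @@ static inline void audit_free_aux(struct audit_context *context)
 			dput(axi->dentry);
 			mntput(axi->mnt);
 		}
-		if ( aux->type == AUDIT_IPC ) {
-			struct audit_aux_data_ipcctl *axi = (void *)aux;
-			if (axi->ctx)
-				kfree(axi->ctx);
-		}
 
 		context->aux = aux->next;
 		kfree(aux);
@@ -584,7 +579,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
 
 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
 {
-	int i;
+	int i, call_panic = 0;
 	struct audit_buffer *ab;
 	struct audit_aux_data *aux;
 	const char *tty;
@@ -635,8 +630,20 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 		case AUDIT_IPC: {
 			struct audit_aux_data_ipcctl *axi = (void *)aux;
 			audit_log_format(ab,
-				 " qbytes=%lx iuid=%u igid=%u mode=%x obj=%s",
-				 axi->qbytes, axi->uid, axi->gid, axi->mode, axi->ctx);
+				 " qbytes=%lx iuid=%u igid=%u mode=%x",
+				 axi->qbytes, axi->uid, axi->gid, axi->mode);
+			if (axi->osid != 0) {
+				char *ctx = NULL;
+				u32 len;
+				if (selinux_ctxid_to_string(
+						axi->osid, &ctx, &len)) {
+					audit_log_format(ab, " obj=%u",
+							axi->osid);
+					call_panic = 1;
+				} else
+					audit_log_format(ab, " obj=%s", ctx);
+				kfree(ctx);
+			}
 			break; }
 
 		case AUDIT_SOCKETCALL: {
@@ -671,7 +678,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 		}
 	}
 	for (i = 0; i < context->name_count; i++) {
-		int call_panic = 0;
 		unsigned long ino = context->names[i].ino;
 		unsigned long pino = context->names[i].pino;
 
@@ -708,16 +714,16 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 				context->names[i].osid, &ctx, &len)) {
 				audit_log_format(ab, " obj=%u",
 						context->names[i].osid);
-				call_panic = 1;
+				call_panic = 2;
 			} else
 				audit_log_format(ab, " obj=%s", ctx);
 			kfree(ctx);
 		}
 
 		audit_log_end(ab);
-		if (call_panic)
-			audit_panic("error converting sid to string");
 	}
+	if (call_panic)
+		audit_panic("error converting sid to string");
 }
 
 /**
@@ -951,7 +957,7 @@ void audit_putname(const char *name)
 #endif
 }
 
-void audit_inode_context(int idx, const struct inode *inode)
+static void audit_inode_context(int idx, const struct inode *inode)
 {
 	struct audit_context *context = current->audit_context;
 
@@ -1141,38 +1147,6 @@ uid_t audit_get_loginuid(struct audit_context *ctx)
 	return ctx ? ctx->loginuid : -1;
 }
 
-static char *audit_ipc_context(struct kern_ipc_perm *ipcp)
-{
-	struct audit_context *context = current->audit_context;
-	char *ctx = NULL;
-	int len = 0;
-
-	if (likely(!context))
-		return NULL;
-
-	len = security_ipc_getsecurity(ipcp, NULL, 0);
-	if (len == -EOPNOTSUPP)
-		goto ret;
-	if (len < 0)
-		goto error_path;
-
-	ctx = kmalloc(len, GFP_ATOMIC);
-	if (!ctx)
-		goto error_path;
-
-	len = security_ipc_getsecurity(ipcp, ctx, len);
-	if (len < 0)
-		goto error_path;
-
-	return ctx;
-
-error_path:
-	kfree(ctx);
-	audit_panic("error in audit_ipc_context");
-ret:
-	return NULL;
-}
-
 /**
  * audit_ipc_perms - record audit data for ipc
  * @qbytes: msgq bytes
@@ -1198,7 +1172,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, str
 	ax->uid = uid;
 	ax->gid = gid;
 	ax->mode = mode;
-	ax->ctx = audit_ipc_context(ipcp);
+	selinux_get_ipc_sid(ipcp, &ax->osid);
 
 	ax->d.type = AUDIT_IPC;
 	ax->d.next = context->aux;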
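Review bot: The `axi->osid != 0` test that the new AUDIT_IPC case in audit_log_exit relies on is only sound if `selinux_get_ipc_sid(ipcp, &ax->osid)` in audit_ipc_perms writes `ax->osid` on every path, including when no label is available; the allocation of `ax` is outside this hunk, so if it is a plain kmalloc an unwritten osid would carry allocator garbage into the record as a bogus `obj=` value and, via the failed selinux_ctxid_to_string, trigger audit_panic. Either zero-allocate `ax` or add `ax->osid = 0;` before the call. Separately, `call_panic` now takes 1 in the IPC path and 2 in the name path, but the only consumer prints the same message for both and a later name failure overwrites the IPC value; if the distinction is intended, a comment such as `/* 1: ipc sid failed, 2: inode sid failed; only the last failure is kept */` at the declaration would make that explicit, otherwise collapse both to 1. audit_ipc_perms begins outside this hunk.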