[NetLabel]: add audit support for configuration changes

This patch adds audit support to NetLabel, including six new audit message
types shown below.

 #define AUDIT_MAC_UNLBL_ACCEPT 1406
 #define AUDIT_MAC_UNLBL_DENY   1407
 #define AUDIT_MAC_CIPSOV4_ADD  1408
 #define AUDIT_MAC_CIPSOV4_DEL  1409
 #define AUDIT_MAC_MAP_ADD      1410
 #define AUDIT_MAC_MAP_DEL      1411

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 47 insertions, 7 deletions

diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
index f56d7a8ac7b7..d64e2ae3b129 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -35,12 +35,14 @@
 #include <linux/skbuff.h>
 #include <linux/spinlock.h>
 #include <linux/string.h>
+#include <linux/audit.h>
 #include <net/netlabel.h>
 #include <net/cipso_ipv4.h>
 #include <asm/bug.h>
 
 #include "netlabel_mgmt.h"
 #include "netlabel_domainhash.h"
+#include "netlabel_user.h"
 
 struct netlbl_domhsh_tbl {
         struct list_head *tbl;
@@ -186,6 +188,7 @@ int netlbl_domhsh_init(u32 size)
 /**
  * netlbl_domhsh_add - Adds a entry to the domain hash table
  * @entry: the entry to add
+ * @audit_secid: the LSM secid to use in the audit message
  *
  * Description:
  * Adds a new entry to the domain hash table and handles any updates to the
@@ -193,10 +196,12 @@ int netlbl_domhsh_init(u32 size)
  * negative on failure.
  *
  */
-int netlbl_domhsh_add(struct netlbl_dom_map *entry)
+int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid)
 {
         int ret_val;
         u32 bkt;
+        struct audit_buffer *audit_buf;
+        char *audit_domain;
 
         switch (entry->type) {
         case NETLBL_NLTYPE_UNLABELED:
@@ -236,6 +241,26 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry)
                 spin_unlock(&netlbl_domhsh_def_lock);
         } else
                 ret_val = -EINVAL;
+        if (ret_val == 0) {
+                if (entry->domain != NULL)
+                        audit_domain = entry->domain;
+                else
+                        audit_domain = "(default)";
+                audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD,
+                                                      audit_secid);
+                audit_log_format(audit_buf, " domain=%s", audit_domain);
+                switch (entry->type) {
+                case NETLBL_NLTYPE_UNLABELED:
+                        audit_log_format(audit_buf, " protocol=unlbl");
+                        break;
+                case NETLBL_NLTYPE_CIPSOV4:
+                        audit_log_format(audit_buf,
+                                         " protocol=cipsov4 doi=%u",
+                                         entry->type_def.cipsov4->doi);
+                        break;
+                }
+                audit_log_end(audit_buf);
+        }
         rcu_read_unlock();
 
         if (ret_val != 0) {
@@ -254,6 +279,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry)
 /**
  * netlbl_domhsh_add_default - Adds the default entry to the domain hash table
  * @entry: the entry to add
+ * @audit_secid: the LSM secid to use in the audit message
  *
  * Description:
  * Adds a new default entry to the domain hash table and handles any updates
@@ -261,14 +287,15 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry)
  * negative on failure.
  *
  */
-int netlbl_domhsh_add_default(struct netlbl_dom_map *entry)
+int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid)
 {
-        return netlbl_domhsh_add(entry);
+        return netlbl_domhsh_add(entry, audit_secid);
 }
 
 /**
  * netlbl_domhsh_remove - Removes an entry from the domain hash table
  * @domain: the domain to remove
+ * @audit_secid: the LSM secid to use in the audit message
  *
  * Description:
  * Removes an entry from the domain hash table and handles any updates to the
@@ -276,10 +303,12 @@ int netlbl_domhsh_add_default(struct netlbl_dom_map *entry)
  * negative on failure.
  *
  */
-int netlbl_domhsh_remove(const char *domain)
+int netlbl_domhsh_remove(const char *domain, u32 audit_secid)
 {
         int ret_val = -ENOENT;
         struct netlbl_dom_map *entry;
+        struct audit_buffer *audit_buf;
+        char *audit_domain;
 
         rcu_read_lock();
         if (domain != NULL)
@@ -316,8 +345,18 @@ int netlbl_domhsh_remove(const char *domain)
                         ret_val = -ENOENT;
                 spin_unlock(&netlbl_domhsh_def_lock);
         }
-        if (ret_val == 0)
+        if (ret_val == 0) {
+                if (entry->domain != NULL)
+                        audit_domain = entry->domain;
+                else
+                        audit_domain = "(default)";
+                audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL,
+                                                      audit_secid);
+                audit_log_format(audit_buf, " domain=%s", audit_domain);
+                audit_log_end(audit_buf);
+
                 call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
+        }
 
 remove_return:
         rcu_read_unlock();
@@ -326,6 +365,7 @@ remove_return:
 
 /**
  * netlbl_domhsh_remove_default - Removes the default entry from the table
+ * @audit_secid: the LSM secid to use in the audit message
  *
  * Description:
  * Removes/resets the default entry for the domain hash table and handles any
@@ -333,9 +373,9 @@ remove_return:
  * success, non-zero on failure.
  *
  */
-int netlbl_domhsh_remove_default(void)
+int netlbl_domhsh_remove_default(u32 audit_secid)
 {
-        return netlbl_domhsh_remove(NULL);
+        return netlbl_domhsh_remove(NULL, audit_secid);
 }
 
 /**