[NetLabel]: audit fixups due to delayed feedback

Fix some issues Steve Grubb had with the way NetLabel was using the audit subsystem. This should make NetLabel more consistent with other kernel generated audit messages specifying configuration changes. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Paul Moore <paul.moore@hp.com> 2006-09-29 20:05:05 -0400
committer: David S. Miller <davem@davemloft.net> 2006-09-29 20:05:05 -0400
commit: 95d4e6be25a68cd9fbe8c0d356b585504d8db1c7 (patch)
tree: 2133c970e6786bdf82004ace225b6bca19b9ddba /net/netlabel/netlabel_unlabeled.c
parent: d6c641026dec68acfb4b0baa98aad960e963ed97 (diff)
1 files changed, 23 insertions, 11 deletions
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index ab36675fee8c..1833ad233b39 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -70,18 +70,25 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
 /**
 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
 * @value: desired value
- * @audit_secid: the LSM secid to use in the audit message
+ * @audit_info: NetLabel audit information
 *
 * Description:
 * Set the value of the unlabeled accept flag to @value.
 *
 */
-static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
+static void netlbl_unlabel_acceptflg_set(u8 value,
+                                         struct netlbl_audit *audit_info)
 {
+        struct audit_buffer *audit_buf;
+        u8 old_val;
+        old_val = atomic_read(&netlabel_unlabel_accept_flg);
        atomic_set(&netlabel_unlabel_accept_flg, value);
-        netlbl_audit_nomsg((value ?
-                            AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY),
+        audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
-                           audit_secid);
+                                              audit_info);
+        audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val);
+        audit_log_end(audit_buf);
 }
 /*
@@ -101,12 +108,13 @@ static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
 static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
 {
        u8 value;
+        struct netlbl_audit audit_info;
        if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
                value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
                if (value == 1 || value == 0) {
-                        netlbl_unlabel_acceptflg_set(value,
+                        netlbl_netlink_auditinfo(skb, &audit_info);
-                                                     NETLINK_CB(skb).sid);
+                        netlbl_unlabel_acceptflg_set(value, &audit_info);
                        return 0;
                }
        }
@@ -250,19 +258,23 @@ int netlbl_unlabel_defconf(void)
 {
        int ret_val;
        struct netlbl_dom_map *entry;
-        u32 secid;
+        struct netlbl_audit audit_info;
-        security_task_getsecid(current, &secid);
+        /* Only the kernel is allowed to call this function and the only time
+         * it is called is at bootup before the audit subsystem is reporting
+         * messages so don't worry to much about these values. */
+        security_task_getsecid(current, &audit_info.secid);
+        audit_info.loginuid = 0;
        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
        if (entry == NULL)
                return -ENOMEM;
        entry->type = NETLBL_NLTYPE_UNLABELED;
-        ret_val = netlbl_domhsh_add_default(entry, secid);
+        ret_val = netlbl_domhsh_add_default(entry, &audit_info);
        if (ret_val != 0)
                return ret_val;
-        netlbl_unlabel_acceptflg_set(1, secid);
+        netlbl_unlabel_acceptflg_set(1, &audit_info);
        return 0;
 }
author	Paul Moore <paul.moore@hp.com>	2006-09-29 20:05:05 -0400
committer	David S. Miller <davem@davemloft.net>	2006-09-29 20:05:05 -0400
commit	95d4e6be25a68cd9fbe8c0d356b585504d8db1c7 (patch)
tree	2133c970e6786bdf82004ace225b6bca19b9ddba /net/netlabel/netlabel_unlabeled.c
parent	d6c641026dec68acfb4b0baa98aad960e963ed97 (diff)

diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index ab36675fee8c..1833ad233b39 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c
@@ -70,18 +70,25 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
70	/**	70	/**
71	* netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag	71	* netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
72	* @value: desired value	72	* @value: desired value
73	* @audit_secid: the LSM secid to use in the audit message	73	* @audit_info: NetLabel audit information
74	*	74	*
75	* Description:	75	* Description:
76	* Set the value of the unlabeled accept flag to @value.	76	* Set the value of the unlabeled accept flag to @value.
77	*	77	*
78	*/	78	*/
79	static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)	79	static void netlbl_unlabel_acceptflg_set(u8 value,
		80	struct netlbl_audit *audit_info)
80	{	81	{
		82	struct audit_buffer *audit_buf;
		83	u8 old_val;
		84
		85	old_val = atomic_read(&netlabel_unlabel_accept_flg);
81	atomic_set(&netlabel_unlabel_accept_flg, value);	86	atomic_set(&netlabel_unlabel_accept_flg, value);
82	netlbl_audit_nomsg((value ?	87
83	AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY),	88	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
84	audit_secid);	89	audit_info);
		90	audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val);
		91	audit_log_end(audit_buf);
85	}	92	}
86		93
87	/*	94	/*
@@ -101,12 +108,13 @@ static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
101	static int netlbl_unlabel_accept(struct sk_buff skb, struct genl_info info)	108	static int netlbl_unlabel_accept(struct sk_buff skb, struct genl_info info)
102	{	109	{
103	u8 value;	110	u8 value;
		111	struct netlbl_audit audit_info;
104		112
105	if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {	113	if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
106	value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);	114	value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
107	if (value == 1 \|\| value == 0) {	115	if (value == 1 \|\| value == 0) {
108	netlbl_unlabel_acceptflg_set(value,	116	netlbl_netlink_auditinfo(skb, &audit_info);
109	NETLINK_CB(skb).sid);	117	netlbl_unlabel_acceptflg_set(value, &audit_info);
110	return 0;	118	return 0;
111	}	119	}
112	}	120	}
@@ -250,19 +258,23 @@ int netlbl_unlabel_defconf(void)
250	{	258	{
251	int ret_val;	259	int ret_val;
252	struct netlbl_dom_map *entry;	260	struct netlbl_dom_map *entry;
253	u32 secid;	261	struct netlbl_audit audit_info;
254		262
255	security_task_getsecid(current, &secid);	263	/* Only the kernel is allowed to call this function and the only time
		264	* it is called is at bootup before the audit subsystem is reporting
		265	* messages so don't worry to much about these values. */
		266	security_task_getsecid(current, &audit_info.secid);
		267	audit_info.loginuid = 0;
256		268
257	entry = kzalloc(sizeof(*entry), GFP_KERNEL);	269	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
258	if (entry == NULL)	270	if (entry == NULL)
259	return -ENOMEM;	271	return -ENOMEM;
260	entry->type = NETLBL_NLTYPE_UNLABELED;	272	entry->type = NETLBL_NLTYPE_UNLABELED;
261	ret_val = netlbl_domhsh_add_default(entry, secid);	273	ret_val = netlbl_domhsh_add_default(entry, &audit_info);
262	if (ret_val != 0)	274	if (ret_val != 0)
263	return ret_val;	275	return ret_val;
264		276
265	netlbl_unlabel_acceptflg_set(1, secid);	277	netlbl_unlabel_acceptflg_set(1, &audit_info);
266		278
267	return 0;	279	return 0;
268	}	280	}