author | Paul Moore <paul.moore@hp.com> | 2006-09-29 20:05:05 -0400 |
committer | David S. Miller <davem@davemloft.net> | 2006-09-29 20:05:05 -0400 |
commit | 95d4e6be25a68cd9fbe8c0d356b585504d8db1c7 (patch) | |
tree | 2133c970e6786bdf82004ace225b6bca19b9ddba /net/netlabel/netlabel_unlabeled.c | |
parent | d6c641026dec68acfb4b0baa98aad960e963ed97 (diff) |
[NetLabel]: audit fixups due to delayed feedback
Fix some issues Steve Grubb had with the way NetLabel was using the audit
subsystem. This should make NetLabel more consistent with other kernel
generated audit messages specifying configuration changes.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netlabel/netlabel_unlabeled.c')
-rw-r--r-- | net/netlabel/netlabel_unlabeled.c | 34 |
1 files changed, 23 insertions, 11 deletions
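--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -70,18 +70,25 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
 /**
  * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
  * @value: desired value
- * @audit_secid: the LSM secid to use in the audit message
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Set the value of the unlabeled accept flag to @value.
  *
  */
-static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
+static void netlbl_unlabel_acceptflg_set(u8 value,
+					 struct netlbl_audit *audit_info)
 {
+	struct audit_buffer *audit_buf;
+	u8 old_val;
+
+	old_val = atomic_read(&netlabel_unlabel_accept_flg);
 	atomic_set(&netlabel_unlabel_accept_flg, value);
-	netlbl_audit_nomsg((value ?
-			    AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY),
-			   audit_secid);
+
+	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
+					      audit_info);
+	audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val);
+	audit_log_end(audit_buf);
 }
 
 /*
@@ -101,12 +108,13 @@ static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
 static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
 {
 	u8 value;
+	struct netlbl_audit audit_info;
 
 	if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
 		value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
 		if (value == 1 || value == 0) {
-			netlbl_unlabel_acceptflg_set(value,
-						     NETLINK_CB(skb).sid);
+			netlbl_netlink_auditinfo(skb, &audit_info);
+			netlbl_unlabel_acceptflg_set(value, &audit_info);
 			return 0;
 		}
 	}
@@ -250,19 +258,23 @@ int netlbl_unlabel_defconf(void)
 {
 	int ret_val;
 	struct netlbl_dom_map *entry;
-	u32 secid;
+	struct netlbl_audit audit_info;
 
-	security_task_getsecid(current, &secid);
+	/* Only the kernel is allowed to call this function and the only time
+	 * it is called is at bootup before the audit subsystem is reporting
+	 * messages so don't worry to much about these values. */
+	security_task_getsecid(current, &audit_info.secid);
+	audit_info.loginuid = 0;
 
 	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 	if (entry == NULL)
 		return -ENOMEM;
 	entry->type = NETLBL_NLTYPE_UNLABELED;
-	ret_val = netlbl_domhsh_add_default(entry, secid);
+	ret_val = netlbl_domhsh_add_default(entry, &audit_info);
 	if (ret_val != 0)
 		return ret_val;
 
-	netlbl_unlabel_acceptflg_set(1, secid);
+	netlbl_unlabel_acceptflg_set(1, &audit_info);
 
 	return 0;
 }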
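Review bot: The `old=` value recorded in the new audit message in netlbl_unlabel_acceptflg_set comes from a separate atomic_read() followed by atomic_set(), so two concurrent setters (the genetlink handler can presumably run on more than one CPU) can both observe and log the same stale old value, leaving the audit trail unable to reconstruct the actual sequence of flag changes. A single exchange makes the logged old value exactly the one this call replaced: `old_val = atomic_xchg(&netlabel_unlabel_accept_flg, value);` in place of the read/set pair. Since this record exists precisely so an auditor can prove what the configuration was before and after each change, the new code should not leave that pair racy. Separately, the new comment in netlbl_unlabel_defconf reads "don't worry to much" and should say "too much".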