[NetLabel]: add audit support for configuration changes

This patch adds audit support to NetLabel, including six new audit message
types shown below.

 #define AUDIT_MAC_UNLBL_ACCEPT 1406
 #define AUDIT_MAC_UNLBL_DENY   1407
 #define AUDIT_MAC_CIPSOV4_ADD  1408
 #define AUDIT_MAC_CIPSOV4_DEL  1409
 #define AUDIT_MAC_MAP_ADD      1410
 #define AUDIT_MAC_MAP_DEL      1411

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 91 insertions, 0 deletions

diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index eeb7d768d2bb..c2343af584cb 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -32,6 +32,9 @@
 #include <linux/types.h>
 #include <linux/list.h>
 #include <linux/socket.h>
+#include <linux/audit.h>
+#include <linux/tty.h>
+#include <linux/security.h>
 #include <net/sock.h>
 #include <net/netlink.h>
 #include <net/genetlink.h>
@@ -74,3 +77,91 @@ int netlbl_netlink_init(void)
 
         return 0;
 }
+
+/*
+ * NetLabel Audit Functions
+ */
+
+/**
+ * netlbl_audit_start_common - Start an audit message
+ * @type: audit message type
+ * @secid: LSM context ID
+ *
+ * Description:
+ * Start an audit message using the type specified in @type and fill the audit
+ * message with some fields common to all NetLabel audit messages.  Returns
+ * a pointer to the audit buffer on success, NULL on failure.
+ *
+ */
+struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
+{
+        struct audit_context *audit_ctx = current->audit_context;
+        struct audit_buffer *audit_buf;
+        uid_t audit_loginuid;
+        const char *audit_tty;
+        char audit_comm[sizeof(current->comm)];
+        struct vm_area_struct *vma;
+        char *secctx;
+        u32 secctx_len;
+
+        audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type);
+        if (audit_buf == NULL)
+                return NULL;
+
+        audit_loginuid = audit_get_loginuid(audit_ctx);
+        if (current->signal &&
+            current->signal->tty &&
+            current->signal->tty->name)
+                audit_tty = current->signal->tty->name;
+        else
+                audit_tty = "(none)";
+        get_task_comm(audit_comm, current);
+
+        audit_log_format(audit_buf,
+                         "netlabel: auid=%u uid=%u tty=%s pid=%d",
+                         audit_loginuid,
+                         current->uid,
+                         audit_tty,
+                         current->pid);
+        audit_log_format(audit_buf, " comm=");
+        audit_log_untrustedstring(audit_buf, audit_comm);
+        if (current->mm) {
+                down_read(&current->mm->mmap_sem);
+                vma = current->mm->mmap;
+                while (vma) {
+                        if ((vma->vm_flags & VM_EXECUTABLE) &&
+                            vma->vm_file) {
+                                audit_log_d_path(audit_buf,
+                                                 " exe=",
+                                                 vma->vm_file->f_dentry,
+                                                 vma->vm_file->f_vfsmnt);
+                                break;
+                        }
+                        vma = vma->vm_next;
+                }
+                up_read(&current->mm->mmap_sem);
+        }
+
+        if (secid != 0 &&
+            security_secid_to_secctx(secid, &secctx, &secctx_len) == 0)
+                audit_log_format(audit_buf, " subj=%s", secctx);
+
+        return audit_buf;
+}
+
+/**
+ * netlbl_audit_nomsg - Send an audit message without additional text
+ * @type: audit message type
+ * @secid: LSM context ID
+ *
+ * Description:
+ * Send an audit message with only the common NetLabel audit fields.
+ *
+ */
+void netlbl_audit_nomsg(int type, u32 secid)
+{
+        struct audit_buffer *audit_buf;
+
+        audit_buf = netlbl_audit_start_common(type, secid);
+        audit_log_end(audit_buf);
+}