aboutsummaryrefslogtreecommitdiffstats
path: root/net/netlabel
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2006-11-17 17:38:55 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-03 00:24:15 -0500
commitde64688ffb952a65ddbc5295ccd235d35f292593 (patch)
treef15714858c974bb4b86023d38639a39a539901e2 /net/netlabel
parent3de4bab5b9f8848a0c16a4b1ffe0452f0d670237 (diff)
NetLabel: honor the audit_enabled flag
The audit_enabled flag is used to signal when syscall auditing is to be performed. While NetLabel uses a Netlink interface instead of syscalls, it is reasonable to consider the NetLabel Netlink interface as a form of syscall so pay attention to the audit_enabled flag when generating audit messages in NetLabel. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/netlabel')
-rw-r--r--net/netlabel/netlabel_cipso_v4.c26
-rw-r--r--net/netlabel/netlabel_domainhash.c48
-rw-r--r--net/netlabel/netlabel_unlabeled.c8
-rw-r--r--net/netlabel/netlabel_user.c7
4 files changed, 50 insertions, 39 deletions
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index fe9851fac85d..743b05734a49 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -407,12 +407,14 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
407 407
408 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, 408 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
409 &audit_info); 409 &audit_info);
410 audit_log_format(audit_buf, 410 if (audit_buf != NULL) {
411 " cipso_doi=%u cipso_type=%s res=%u", 411 audit_log_format(audit_buf,
412 doi, 412 " cipso_doi=%u cipso_type=%s res=%u",
413 type_str, 413 doi,
414 ret_val == 0 ? 1 : 0); 414 type_str,
415 audit_log_end(audit_buf); 415 ret_val == 0 ? 1 : 0);
416 audit_log_end(audit_buf);
417 }
416 418
417 return ret_val; 419 return ret_val;
418} 420}
@@ -680,11 +682,13 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
680 682
681 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, 683 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
682 &audit_info); 684 &audit_info);
683 audit_log_format(audit_buf, 685 if (audit_buf != NULL) {
684 " cipso_doi=%u res=%u", 686 audit_log_format(audit_buf,
685 doi, 687 " cipso_doi=%u res=%u",
686 ret_val == 0 ? 1 : 0); 688 doi,
687 audit_log_end(audit_buf); 689 ret_val == 0 ? 1 : 0);
690 audit_log_end(audit_buf);
691 }
688 692
689 return ret_val; 693 return ret_val;
690} 694}
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
index af4371d3b459..f46a0aeec44f 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -202,7 +202,6 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
202 int ret_val; 202 int ret_val;
203 u32 bkt; 203 u32 bkt;
204 struct audit_buffer *audit_buf; 204 struct audit_buffer *audit_buf;
205 char *audit_domain;
206 205
207 switch (entry->type) { 206 switch (entry->type) {
208 case NETLBL_NLTYPE_UNLABELED: 207 case NETLBL_NLTYPE_UNLABELED:
@@ -243,24 +242,24 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
243 } else 242 } else
244 ret_val = -EINVAL; 243 ret_val = -EINVAL;
245 244
246 if (entry->domain != NULL)
247 audit_domain = entry->domain;
248 else
249 audit_domain = "(default)";
250 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info); 245 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info);
251 audit_log_format(audit_buf, " nlbl_domain=%s", audit_domain); 246 if (audit_buf != NULL) {
252 switch (entry->type) {
253 case NETLBL_NLTYPE_UNLABELED:
254 audit_log_format(audit_buf, " nlbl_protocol=unlbl");
255 break;
256 case NETLBL_NLTYPE_CIPSOV4:
257 audit_log_format(audit_buf, 247 audit_log_format(audit_buf,
258 " nlbl_protocol=cipsov4 cipso_doi=%u", 248 " nlbl_domain=%s",
259 entry->type_def.cipsov4->doi); 249 entry->domain ? entry->domain : "(default)");
260 break; 250 switch (entry->type) {
251 case NETLBL_NLTYPE_UNLABELED:
252 audit_log_format(audit_buf, " nlbl_protocol=unlbl");
253 break;
254 case NETLBL_NLTYPE_CIPSOV4:
255 audit_log_format(audit_buf,
256 " nlbl_protocol=cipsov4 cipso_doi=%u",
257 entry->type_def.cipsov4->doi);
258 break;
259 }
260 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
261 audit_log_end(audit_buf);
261 } 262 }
262 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
263 audit_log_end(audit_buf);
264 263
265 rcu_read_unlock(); 264 rcu_read_unlock();
266 265
@@ -310,7 +309,6 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info)
310 int ret_val = -ENOENT; 309 int ret_val = -ENOENT;
311 struct netlbl_dom_map *entry; 310 struct netlbl_dom_map *entry;
312 struct audit_buffer *audit_buf; 311 struct audit_buffer *audit_buf;
313 char *audit_domain;
314 312
315 rcu_read_lock(); 313 rcu_read_lock();
316 if (domain != NULL) 314 if (domain != NULL)
@@ -348,16 +346,14 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info)
348 spin_unlock(&netlbl_domhsh_def_lock); 346 spin_unlock(&netlbl_domhsh_def_lock);
349 } 347 }
350 348
351 if (entry->domain != NULL)
352 audit_domain = entry->domain;
353 else
354 audit_domain = "(default)";
355 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); 349 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info);
356 audit_log_format(audit_buf, 350 if (audit_buf != NULL) {
357 " nlbl_domain=%s res=%u", 351 audit_log_format(audit_buf,
358 audit_domain, 352 " nlbl_domain=%s res=%u",
359 ret_val == 0 ? 1 : 0); 353 entry->domain ? entry->domain : "(default)",
360 audit_log_end(audit_buf); 354 ret_val == 0 ? 1 : 0);
355 audit_log_end(audit_buf);
356 }
361 357
362 if (ret_val == 0) 358 if (ret_val == 0)
363 call_rcu(&entry->rcu, netlbl_domhsh_free_entry); 359 call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 07283e1dfad2..5bc37181662e 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -35,6 +35,7 @@
35#include <linux/socket.h> 35#include <linux/socket.h>
36#include <linux/string.h> 36#include <linux/string.h>
37#include <linux/skbuff.h> 37#include <linux/skbuff.h>
38#include <linux/audit.h>
38#include <net/sock.h> 39#include <net/sock.h>
39#include <net/netlink.h> 40#include <net/netlink.h>
40#include <net/genetlink.h> 41#include <net/genetlink.h>
@@ -92,8 +93,11 @@ static void netlbl_unlabel_acceptflg_set(u8 value,
92 93
93 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW, 94 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
94 audit_info); 95 audit_info);
95 audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val); 96 if (audit_buf != NULL) {
96 audit_log_end(audit_buf); 97 audit_log_format(audit_buf,
98 " unlbl_accept=%u old=%u", value, old_val);
99 audit_log_end(audit_buf);
100 }
97} 101}
98 102
99/* 103/*
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 98a416381e61..42f12bd65964 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -46,6 +46,10 @@
46#include "netlabel_cipso_v4.h" 46#include "netlabel_cipso_v4.h"
47#include "netlabel_user.h" 47#include "netlabel_user.h"
48 48
49/* do not do any auditing if audit_enabled == 0, see kernel/audit.c for
50 * details */
51extern int audit_enabled;
52
49/* 53/*
50 * NetLabel NETLINK Setup Functions 54 * NetLabel NETLINK Setup Functions
51 */ 55 */
@@ -101,6 +105,9 @@ struct audit_buffer *netlbl_audit_start_common(int type,
101 char *secctx; 105 char *secctx;
102 u32 secctx_len; 106 u32 secctx_len;
103 107
108 if (audit_enabled == 0)
109 return NULL;
110
104 audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type); 111 audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type);
105 if (audit_buf == NULL) 112 if (audit_buf == NULL)
106 return NULL; 113 return NULL;