diff options
author | Paul Moore <paul.moore@hp.com> | 2006-11-17 17:38:55 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-03 00:24:15 -0500 |
commit | de64688ffb952a65ddbc5295ccd235d35f292593 (patch) | |
tree | f15714858c974bb4b86023d38639a39a539901e2 /net/netlabel | |
parent | 3de4bab5b9f8848a0c16a4b1ffe0452f0d670237 (diff) |
NetLabel: honor the audit_enabled flag
The audit_enabled flag is used to signal when syscall auditing is to be
performed. While NetLabel uses a Netlink interface instead of syscalls, it is
reasonable to consider the NetLabel Netlink interface as a form of syscall so
pay attention to the audit_enabled flag when generating audit messages in
NetLabel.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/netlabel')
-rw-r--r-- | net/netlabel/netlabel_cipso_v4.c | 26 | ||||
-rw-r--r-- | net/netlabel/netlabel_domainhash.c | 48 | ||||
-rw-r--r-- | net/netlabel/netlabel_unlabeled.c | 8 | ||||
-rw-r--r-- | net/netlabel/netlabel_user.c | 7 |
4 files changed, 50 insertions, 39 deletions
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index fe9851fac85d..743b05734a49 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c | |||
@@ -407,12 +407,14 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) | |||
407 | 407 | ||
408 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, | 408 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, |
409 | &audit_info); | 409 | &audit_info); |
410 | audit_log_format(audit_buf, | 410 | if (audit_buf != NULL) { |
411 | " cipso_doi=%u cipso_type=%s res=%u", | 411 | audit_log_format(audit_buf, |
412 | doi, | 412 | " cipso_doi=%u cipso_type=%s res=%u", |
413 | type_str, | 413 | doi, |
414 | ret_val == 0 ? 1 : 0); | 414 | type_str, |
415 | audit_log_end(audit_buf); | 415 | ret_val == 0 ? 1 : 0); |
416 | audit_log_end(audit_buf); | ||
417 | } | ||
416 | 418 | ||
417 | return ret_val; | 419 | return ret_val; |
418 | } | 420 | } |
@@ -680,11 +682,13 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) | |||
680 | 682 | ||
681 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, | 683 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, |
682 | &audit_info); | 684 | &audit_info); |
683 | audit_log_format(audit_buf, | 685 | if (audit_buf != NULL) { |
684 | " cipso_doi=%u res=%u", | 686 | audit_log_format(audit_buf, |
685 | doi, | 687 | " cipso_doi=%u res=%u", |
686 | ret_val == 0 ? 1 : 0); | 688 | doi, |
687 | audit_log_end(audit_buf); | 689 | ret_val == 0 ? 1 : 0); |
690 | audit_log_end(audit_buf); | ||
691 | } | ||
688 | 692 | ||
689 | return ret_val; | 693 | return ret_val; |
690 | } | 694 | } |
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c index af4371d3b459..f46a0aeec44f 100644 --- a/net/netlabel/netlabel_domainhash.c +++ b/net/netlabel/netlabel_domainhash.c | |||
@@ -202,7 +202,6 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, | |||
202 | int ret_val; | 202 | int ret_val; |
203 | u32 bkt; | 203 | u32 bkt; |
204 | struct audit_buffer *audit_buf; | 204 | struct audit_buffer *audit_buf; |
205 | char *audit_domain; | ||
206 | 205 | ||
207 | switch (entry->type) { | 206 | switch (entry->type) { |
208 | case NETLBL_NLTYPE_UNLABELED: | 207 | case NETLBL_NLTYPE_UNLABELED: |
@@ -243,24 +242,24 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, | |||
243 | } else | 242 | } else |
244 | ret_val = -EINVAL; | 243 | ret_val = -EINVAL; |
245 | 244 | ||
246 | if (entry->domain != NULL) | ||
247 | audit_domain = entry->domain; | ||
248 | else | ||
249 | audit_domain = "(default)"; | ||
250 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info); | 245 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info); |
251 | audit_log_format(audit_buf, " nlbl_domain=%s", audit_domain); | 246 | if (audit_buf != NULL) { |
252 | switch (entry->type) { | ||
253 | case NETLBL_NLTYPE_UNLABELED: | ||
254 | audit_log_format(audit_buf, " nlbl_protocol=unlbl"); | ||
255 | break; | ||
256 | case NETLBL_NLTYPE_CIPSOV4: | ||
257 | audit_log_format(audit_buf, | 247 | audit_log_format(audit_buf, |
258 | " nlbl_protocol=cipsov4 cipso_doi=%u", | 248 | " nlbl_domain=%s", |
259 | entry->type_def.cipsov4->doi); | 249 | entry->domain ? entry->domain : "(default)"); |
260 | break; | 250 | switch (entry->type) { |
251 | case NETLBL_NLTYPE_UNLABELED: | ||
252 | audit_log_format(audit_buf, " nlbl_protocol=unlbl"); | ||
253 | break; | ||
254 | case NETLBL_NLTYPE_CIPSOV4: | ||
255 | audit_log_format(audit_buf, | ||
256 | " nlbl_protocol=cipsov4 cipso_doi=%u", | ||
257 | entry->type_def.cipsov4->doi); | ||
258 | break; | ||
259 | } | ||
260 | audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); | ||
261 | audit_log_end(audit_buf); | ||
261 | } | 262 | } |
262 | audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); | ||
263 | audit_log_end(audit_buf); | ||
264 | 263 | ||
265 | rcu_read_unlock(); | 264 | rcu_read_unlock(); |
266 | 265 | ||
@@ -310,7 +309,6 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) | |||
310 | int ret_val = -ENOENT; | 309 | int ret_val = -ENOENT; |
311 | struct netlbl_dom_map *entry; | 310 | struct netlbl_dom_map *entry; |
312 | struct audit_buffer *audit_buf; | 311 | struct audit_buffer *audit_buf; |
313 | char *audit_domain; | ||
314 | 312 | ||
315 | rcu_read_lock(); | 313 | rcu_read_lock(); |
316 | if (domain != NULL) | 314 | if (domain != NULL) |
@@ -348,16 +346,14 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) | |||
348 | spin_unlock(&netlbl_domhsh_def_lock); | 346 | spin_unlock(&netlbl_domhsh_def_lock); |
349 | } | 347 | } |
350 | 348 | ||
351 | if (entry->domain != NULL) | ||
352 | audit_domain = entry->domain; | ||
353 | else | ||
354 | audit_domain = "(default)"; | ||
355 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); | 349 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); |
356 | audit_log_format(audit_buf, | 350 | if (audit_buf != NULL) { |
357 | " nlbl_domain=%s res=%u", | 351 | audit_log_format(audit_buf, |
358 | audit_domain, | 352 | " nlbl_domain=%s res=%u", |
359 | ret_val == 0 ? 1 : 0); | 353 | entry->domain ? entry->domain : "(default)", |
360 | audit_log_end(audit_buf); | 354 | ret_val == 0 ? 1 : 0); |
355 | audit_log_end(audit_buf); | ||
356 | } | ||
361 | 357 | ||
362 | if (ret_val == 0) | 358 | if (ret_val == 0) |
363 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); | 359 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); |
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 07283e1dfad2..5bc37181662e 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c | |||
@@ -35,6 +35,7 @@ | |||
35 | #include <linux/socket.h> | 35 | #include <linux/socket.h> |
36 | #include <linux/string.h> | 36 | #include <linux/string.h> |
37 | #include <linux/skbuff.h> | 37 | #include <linux/skbuff.h> |
38 | #include <linux/audit.h> | ||
38 | #include <net/sock.h> | 39 | #include <net/sock.h> |
39 | #include <net/netlink.h> | 40 | #include <net/netlink.h> |
40 | #include <net/genetlink.h> | 41 | #include <net/genetlink.h> |
@@ -92,8 +93,11 @@ static void netlbl_unlabel_acceptflg_set(u8 value, | |||
92 | 93 | ||
93 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW, | 94 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW, |
94 | audit_info); | 95 | audit_info); |
95 | audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val); | 96 | if (audit_buf != NULL) { |
96 | audit_log_end(audit_buf); | 97 | audit_log_format(audit_buf, |
98 | " unlbl_accept=%u old=%u", value, old_val); | ||
99 | audit_log_end(audit_buf); | ||
100 | } | ||
97 | } | 101 | } |
98 | 102 | ||
99 | /* | 103 | /* |
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 98a416381e61..42f12bd65964 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c | |||
@@ -46,6 +46,10 @@ | |||
46 | #include "netlabel_cipso_v4.h" | 46 | #include "netlabel_cipso_v4.h" |
47 | #include "netlabel_user.h" | 47 | #include "netlabel_user.h" |
48 | 48 | ||
49 | /* do not do any auditing if audit_enabled == 0, see kernel/audit.c for | ||
50 | * details */ | ||
51 | extern int audit_enabled; | ||
52 | |||
49 | /* | 53 | /* |
50 | * NetLabel NETLINK Setup Functions | 54 | * NetLabel NETLINK Setup Functions |
51 | */ | 55 | */ |
@@ -101,6 +105,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, | |||
101 | char *secctx; | 105 | char *secctx; |
102 | u32 secctx_len; | 106 | u32 secctx_len; |
103 | 107 | ||
108 | if (audit_enabled == 0) | ||
109 | return NULL; | ||
110 | |||
104 | audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type); | 111 | audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type); |
105 | if (audit_buf == NULL) | 112 | if (audit_buf == NULL) |
106 | return NULL; | 113 | return NULL; |