diff options
| author | Eric Paris <eparis@redhat.com> | 2012-04-03 12:37:02 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-04-03 12:48:40 -0400 |
| commit | 3b3b0e4fc15efa507b902d90cea39e496a523c3b (patch) | |
| tree | d7b91c21ad6c6f4ac21dd51297b74eec47c61684 /security/apparmor | |
| parent | 95694129b43165911dc4e8a972f0d39ad98d86be (diff) | |
LSM: shrink sizeof LSM specific portion of common_audit_data
Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop. This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union. Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/apparmor')
| -rw-r--r-- | security/apparmor/audit.c | 38 | ||||
| -rw-r--r-- | security/apparmor/capability.c | 6 | ||||
| -rw-r--r-- | security/apparmor/file.c | 54 | ||||
| -rw-r--r-- | security/apparmor/include/audit.h | 28 | ||||
| -rw-r--r-- | security/apparmor/ipc.c | 10 | ||||
| -rw-r--r-- | security/apparmor/lib.c | 4 | ||||
| -rw-r--r-- | security/apparmor/lsm.c | 8 | ||||
| -rw-r--r-- | security/apparmor/policy.c | 10 | ||||
| -rw-r--r-- | security/apparmor/policy_unpack.c | 20 | ||||
| -rw-r--r-- | security/apparmor/resource.c | 12 |
10 files changed, 116 insertions, 74 deletions
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 5ff67776a5ad..23f7eb658d9c 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c | |||
| @@ -115,23 +115,23 @@ static void audit_pre(struct audit_buffer *ab, void *ca) | |||
| 115 | 115 | ||
| 116 | if (aa_g_audit_header) { | 116 | if (aa_g_audit_header) { |
| 117 | audit_log_format(ab, "apparmor="); | 117 | audit_log_format(ab, "apparmor="); |
| 118 | audit_log_string(ab, aa_audit_type[sa->aad.type]); | 118 | audit_log_string(ab, aa_audit_type[sa->aad->type]); |
| 119 | } | 119 | } |
| 120 | 120 | ||
| 121 | if (sa->aad.op) { | 121 | if (sa->aad->op) { |
| 122 | audit_log_format(ab, " operation="); | 122 | audit_log_format(ab, " operation="); |
| 123 | audit_log_string(ab, op_table[sa->aad.op]); | 123 | audit_log_string(ab, op_table[sa->aad->op]); |
| 124 | } | 124 | } |
| 125 | 125 | ||
| 126 | if (sa->aad.info) { | 126 | if (sa->aad->info) { |
| 127 | audit_log_format(ab, " info="); | 127 | audit_log_format(ab, " info="); |
| 128 | audit_log_string(ab, sa->aad.info); | 128 | audit_log_string(ab, sa->aad->info); |
| 129 | if (sa->aad.error) | 129 | if (sa->aad->error) |
| 130 | audit_log_format(ab, " error=%d", sa->aad.error); | 130 | audit_log_format(ab, " error=%d", sa->aad->error); |
| 131 | } | 131 | } |
| 132 | 132 | ||
| 133 | if (sa->aad.profile) { | 133 | if (sa->aad->profile) { |
| 134 | struct aa_profile *profile = sa->aad.profile; | 134 | struct aa_profile *profile = sa->aad->profile; |
| 135 | pid_t pid; | 135 | pid_t pid; |
| 136 | rcu_read_lock(); | 136 | rcu_read_lock(); |
| 137 | pid = rcu_dereference(tsk->real_parent)->pid; | 137 | pid = rcu_dereference(tsk->real_parent)->pid; |
| @@ -145,9 +145,9 @@ static void audit_pre(struct audit_buffer *ab, void *ca) | |||
| 145 | audit_log_untrustedstring(ab, profile->base.hname); | 145 | audit_log_untrustedstring(ab, profile->base.hname); |
| 146 | } | 146 | } |
| 147 | 147 | ||
| 148 | if (sa->aad.name) { | 148 | if (sa->aad->name) { |
| 149 | audit_log_format(ab, " name="); | 149 | audit_log_format(ab, " name="); |
| 150 | audit_log_untrustedstring(ab, sa->aad.name); | 150 | audit_log_untrustedstring(ab, sa->aad->name); |
| 151 | } | 151 | } |
| 152 | } | 152 | } |
| 153 | 153 | ||
| @@ -159,7 +159,7 @@ static void audit_pre(struct audit_buffer *ab, void *ca) | |||
| 159 | void aa_audit_msg(int type, struct common_audit_data *sa, | 159 | void aa_audit_msg(int type, struct common_audit_data *sa, |
| 160 | void (*cb) (struct audit_buffer *, void *)) | 160 | void (*cb) (struct audit_buffer *, void *)) |
| 161 | { | 161 | { |
| 162 | sa->aad.type = type; | 162 | sa->aad->type = type; |
| 163 | sa->lsm_pre_audit = audit_pre; | 163 | sa->lsm_pre_audit = audit_pre; |
| 164 | sa->lsm_post_audit = cb; | 164 | sa->lsm_post_audit = cb; |
| 165 | common_lsm_audit(sa); | 165 | common_lsm_audit(sa); |
| @@ -184,7 +184,7 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp, | |||
| 184 | BUG_ON(!profile); | 184 | BUG_ON(!profile); |
| 185 | 185 | ||
| 186 | if (type == AUDIT_APPARMOR_AUTO) { | 186 | if (type == AUDIT_APPARMOR_AUTO) { |
| 187 | if (likely(!sa->aad.error)) { | 187 | if (likely(!sa->aad->error)) { |
| 188 | if (AUDIT_MODE(profile) != AUDIT_ALL) | 188 | if (AUDIT_MODE(profile) != AUDIT_ALL) |
| 189 | return 0; | 189 | return 0; |
| 190 | type = AUDIT_APPARMOR_AUDIT; | 190 | type = AUDIT_APPARMOR_AUDIT; |
| @@ -196,21 +196,21 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp, | |||
| 196 | if (AUDIT_MODE(profile) == AUDIT_QUIET || | 196 | if (AUDIT_MODE(profile) == AUDIT_QUIET || |
| 197 | (type == AUDIT_APPARMOR_DENIED && | 197 | (type == AUDIT_APPARMOR_DENIED && |
| 198 | AUDIT_MODE(profile) == AUDIT_QUIET)) | 198 | AUDIT_MODE(profile) == AUDIT_QUIET)) |
| 199 | return sa->aad.error; | 199 | return sa->aad->error; |
| 200 | 200 | ||
| 201 | if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED) | 201 | if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED) |
| 202 | type = AUDIT_APPARMOR_KILL; | 202 | type = AUDIT_APPARMOR_KILL; |
| 203 | 203 | ||
| 204 | if (!unconfined(profile)) | 204 | if (!unconfined(profile)) |
| 205 | sa->aad.profile = profile; | 205 | sa->aad->profile = profile; |
| 206 | 206 | ||
| 207 | aa_audit_msg(type, sa, cb); | 207 | aa_audit_msg(type, sa, cb); |
| 208 | 208 | ||
| 209 | if (sa->aad.type == AUDIT_APPARMOR_KILL) | 209 | if (sa->aad->type == AUDIT_APPARMOR_KILL) |
| 210 | (void)send_sig_info(SIGKILL, NULL, sa->tsk ? sa->tsk : current); | 210 | (void)send_sig_info(SIGKILL, NULL, sa->tsk ? sa->tsk : current); |
| 211 | 211 | ||
| 212 | if (sa->aad.type == AUDIT_APPARMOR_ALLOWED) | 212 | if (sa->aad->type == AUDIT_APPARMOR_ALLOWED) |
| 213 | return complain_error(sa->aad.error); | 213 | return complain_error(sa->aad->error); |
| 214 | 214 | ||
| 215 | return sa->aad.error; | 215 | return sa->aad->error; |
| 216 | } | 216 | } |
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c index 9982c48def4e..088dba3bf7dc 100644 --- a/security/apparmor/capability.c +++ b/security/apparmor/capability.c | |||
| @@ -64,11 +64,13 @@ static int audit_caps(struct aa_profile *profile, struct task_struct *task, | |||
| 64 | struct audit_cache *ent; | 64 | struct audit_cache *ent; |
| 65 | int type = AUDIT_APPARMOR_AUTO; | 65 | int type = AUDIT_APPARMOR_AUTO; |
| 66 | struct common_audit_data sa; | 66 | struct common_audit_data sa; |
| 67 | struct apparmor_audit_data aad = {0,}; | ||
| 67 | COMMON_AUDIT_DATA_INIT(&sa, CAP); | 68 | COMMON_AUDIT_DATA_INIT(&sa, CAP); |
| 69 | sa.aad = &aad; | ||
| 68 | sa.tsk = task; | 70 | sa.tsk = task; |
| 69 | sa.u.cap = cap; | 71 | sa.u.cap = cap; |
| 70 | sa.aad.op = OP_CAPABLE; | 72 | sa.aad->op = OP_CAPABLE; |
| 71 | sa.aad.error = error; | 73 | sa.aad->error = error; |
| 72 | 74 | ||
| 73 | if (likely(!error)) { | 75 | if (likely(!error)) { |
| 74 | /* test if auditing is being forced */ | 76 | /* test if auditing is being forced */ |
diff --git a/security/apparmor/file.c b/security/apparmor/file.c index 5d176f2530c9..2f8fcba9ce4b 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c | |||
| @@ -67,22 +67,22 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) | |||
| 67 | struct common_audit_data *sa = va; | 67 | struct common_audit_data *sa = va; |
| 68 | uid_t fsuid = current_fsuid(); | 68 | uid_t fsuid = current_fsuid(); |
| 69 | 69 | ||
| 70 | if (sa->aad.fs.request & AA_AUDIT_FILE_MASK) { | 70 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { |
| 71 | audit_log_format(ab, " requested_mask="); | 71 | audit_log_format(ab, " requested_mask="); |
| 72 | audit_file_mask(ab, sa->aad.fs.request); | 72 | audit_file_mask(ab, sa->aad->fs.request); |
| 73 | } | 73 | } |
| 74 | if (sa->aad.fs.denied & AA_AUDIT_FILE_MASK) { | 74 | if (sa->aad->fs.denied & AA_AUDIT_FILE_MASK) { |
| 75 | audit_log_format(ab, " denied_mask="); | 75 | audit_log_format(ab, " denied_mask="); |
| 76 | audit_file_mask(ab, sa->aad.fs.denied); | 76 | audit_file_mask(ab, sa->aad->fs.denied); |
| 77 | } | 77 | } |
| 78 | if (sa->aad.fs.request & AA_AUDIT_FILE_MASK) { | 78 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { |
| 79 | audit_log_format(ab, " fsuid=%d", fsuid); | 79 | audit_log_format(ab, " fsuid=%d", fsuid); |
| 80 | audit_log_format(ab, " ouid=%d", sa->aad.fs.ouid); | 80 | audit_log_format(ab, " ouid=%d", sa->aad->fs.ouid); |
| 81 | } | 81 | } |
| 82 | 82 | ||
| 83 | if (sa->aad.fs.target) { | 83 | if (sa->aad->fs.target) { |
| 84 | audit_log_format(ab, " target="); | 84 | audit_log_format(ab, " target="); |
| 85 | audit_log_untrustedstring(ab, sa->aad.fs.target); | 85 | audit_log_untrustedstring(ab, sa->aad->fs.target); |
| 86 | } | 86 | } |
| 87 | } | 87 | } |
| 88 | 88 | ||
| @@ -107,45 +107,47 @@ int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, | |||
| 107 | { | 107 | { |
| 108 | int type = AUDIT_APPARMOR_AUTO; | 108 | int type = AUDIT_APPARMOR_AUTO; |
| 109 | struct common_audit_data sa; | 109 | struct common_audit_data sa; |
| 110 | struct apparmor_audit_data aad = {0,}; | ||
| 110 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | 111 | COMMON_AUDIT_DATA_INIT(&sa, NONE); |
| 111 | sa.aad.op = op, | 112 | sa.aad = &aad; |
| 112 | sa.aad.fs.request = request; | 113 | aad.op = op, |
| 113 | sa.aad.name = name; | 114 | aad.fs.request = request; |
| 114 | sa.aad.fs.target = target; | 115 | aad.name = name; |
| 115 | sa.aad.fs.ouid = ouid; | 116 | aad.fs.target = target; |
| 116 | sa.aad.info = info; | 117 | aad.fs.ouid = ouid; |
| 117 | sa.aad.error = error; | 118 | aad.info = info; |
| 118 | 119 | aad.error = error; | |
| 119 | if (likely(!sa.aad.error)) { | 120 | |
| 121 | if (likely(!sa.aad->error)) { | ||
| 120 | u32 mask = perms->audit; | 122 | u32 mask = perms->audit; |
| 121 | 123 | ||
| 122 | if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) | 124 | if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) |
| 123 | mask = 0xffff; | 125 | mask = 0xffff; |
| 124 | 126 | ||
| 125 | /* mask off perms that are not being force audited */ | 127 | /* mask off perms that are not being force audited */ |
| 126 | sa.aad.fs.request &= mask; | 128 | sa.aad->fs.request &= mask; |
| 127 | 129 | ||
| 128 | if (likely(!sa.aad.fs.request)) | 130 | if (likely(!sa.aad->fs.request)) |
| 129 | return 0; | 131 | return 0; |
| 130 | type = AUDIT_APPARMOR_AUDIT; | 132 | type = AUDIT_APPARMOR_AUDIT; |
| 131 | } else { | 133 | } else { |
| 132 | /* only report permissions that were denied */ | 134 | /* only report permissions that were denied */ |
| 133 | sa.aad.fs.request = sa.aad.fs.request & ~perms->allow; | 135 | sa.aad->fs.request = sa.aad->fs.request & ~perms->allow; |
| 134 | 136 | ||
| 135 | if (sa.aad.fs.request & perms->kill) | 137 | if (sa.aad->fs.request & perms->kill) |
| 136 | type = AUDIT_APPARMOR_KILL; | 138 | type = AUDIT_APPARMOR_KILL; |
| 137 | 139 | ||
| 138 | /* quiet known rejects, assumes quiet and kill do not overlap */ | 140 | /* quiet known rejects, assumes quiet and kill do not overlap */ |
| 139 | if ((sa.aad.fs.request & perms->quiet) && | 141 | if ((sa.aad->fs.request & perms->quiet) && |
| 140 | AUDIT_MODE(profile) != AUDIT_NOQUIET && | 142 | AUDIT_MODE(profile) != AUDIT_NOQUIET && |
| 141 | AUDIT_MODE(profile) != AUDIT_ALL) | 143 | AUDIT_MODE(profile) != AUDIT_ALL) |
| 142 | sa.aad.fs.request &= ~perms->quiet; | 144 | sa.aad->fs.request &= ~perms->quiet; |
| 143 | 145 | ||
| 144 | if (!sa.aad.fs.request) | 146 | if (!sa.aad->fs.request) |
| 145 | return COMPLAIN_MODE(profile) ? 0 : sa.aad.error; | 147 | return COMPLAIN_MODE(profile) ? 0 : sa.aad->error; |
| 146 | } | 148 | } |
| 147 | 149 | ||
| 148 | sa.aad.fs.denied = sa.aad.fs.request & ~perms->allow; | 150 | sa.aad->fs.denied = sa.aad->fs.request & ~perms->allow; |
| 149 | return aa_audit(type, profile, gfp, &sa, file_audit_cb); | 151 | return aa_audit(type, profile, gfp, &sa, file_audit_cb); |
| 150 | } | 152 | } |
| 151 | 153 | ||
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index 4ba78c203af1..3868b1e5d5ba 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h | |||
| @@ -103,7 +103,33 @@ enum aa_ops { | |||
| 103 | }; | 103 | }; |
| 104 | 104 | ||
| 105 | 105 | ||
| 106 | /* define a short hand for apparmor_audit_data portion of common_audit_data */ | 106 | struct apparmor_audit_data { |
| 107 | int error; | ||
| 108 | int op; | ||
| 109 | int type; | ||
| 110 | void *profile; | ||
| 111 | const char *name; | ||
| 112 | const char *info; | ||
| 113 | union { | ||
| 114 | void *target; | ||
| 115 | struct { | ||
| 116 | long pos; | ||
| 117 | void *target; | ||
| 118 | } iface; | ||
| 119 | struct { | ||
| 120 | int rlim; | ||
| 121 | unsigned long max; | ||
| 122 | } rlim; | ||
| 123 | struct { | ||
| 124 | const char *target; | ||
| 125 | u32 request; | ||
| 126 | u32 denied; | ||
| 127 | uid_t ouid; | ||
| 128 | } fs; | ||
| 129 | }; | ||
| 130 | }; | ||
| 131 | |||
| 132 | /* define a short hand for apparmor_audit_data structure */ | ||
| 107 | #define aad apparmor_audit_data | 133 | #define aad apparmor_audit_data |
| 108 | 134 | ||
| 109 | void aa_audit_msg(int type, struct common_audit_data *sa, | 135 | void aa_audit_msg(int type, struct common_audit_data *sa, |
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c index 7ee05c6f3c64..c3da93a5150d 100644 --- a/security/apparmor/ipc.c +++ b/security/apparmor/ipc.c | |||
| @@ -26,7 +26,7 @@ static void audit_cb(struct audit_buffer *ab, void *va) | |||
| 26 | { | 26 | { |
| 27 | struct common_audit_data *sa = va; | 27 | struct common_audit_data *sa = va; |
| 28 | audit_log_format(ab, " target="); | 28 | audit_log_format(ab, " target="); |
| 29 | audit_log_untrustedstring(ab, sa->aad.target); | 29 | audit_log_untrustedstring(ab, sa->aad->target); |
| 30 | } | 30 | } |
| 31 | 31 | ||
| 32 | /** | 32 | /** |
| @@ -41,10 +41,12 @@ static int aa_audit_ptrace(struct aa_profile *profile, | |||
| 41 | struct aa_profile *target, int error) | 41 | struct aa_profile *target, int error) |
| 42 | { | 42 | { |
| 43 | struct common_audit_data sa; | 43 | struct common_audit_data sa; |
| 44 | struct apparmor_audit_data aad = {0,}; | ||
| 44 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | 45 | COMMON_AUDIT_DATA_INIT(&sa, NONE); |
| 45 | sa.aad.op = OP_PTRACE; | 46 | sa.aad = &aad; |
| 46 | sa.aad.target = target; | 47 | aad.op = OP_PTRACE; |
| 47 | sa.aad.error = error; | 48 | aad.target = target; |
| 49 | aad.error = error; | ||
| 48 | 50 | ||
| 49 | return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_ATOMIC, &sa, | 51 | return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_ATOMIC, &sa, |
| 50 | audit_cb); | 52 | audit_cb); |
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c index 9516948041ad..e75829ba0ff9 100644 --- a/security/apparmor/lib.c +++ b/security/apparmor/lib.c | |||
| @@ -65,8 +65,10 @@ void aa_info_message(const char *str) | |||
| 65 | { | 65 | { |
| 66 | if (audit_enabled) { | 66 | if (audit_enabled) { |
| 67 | struct common_audit_data sa; | 67 | struct common_audit_data sa; |
| 68 | struct apparmor_audit_data aad = {0,}; | ||
| 68 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | 69 | COMMON_AUDIT_DATA_INIT(&sa, NONE); |
| 69 | sa.aad.info = str; | 70 | sa.aad = &aad; |
| 71 | aad.info = str; | ||
| 70 | aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL); | 72 | aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL); |
| 71 | } | 73 | } |
| 72 | printk(KERN_INFO "AppArmor: %s\n", str); | 74 | printk(KERN_INFO "AppArmor: %s\n", str); |
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 97ce8fae49b3..ad05d391974d 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c | |||
| @@ -588,10 +588,12 @@ static int apparmor_setprocattr(struct task_struct *task, char *name, | |||
| 588 | error = aa_setprocattr_permipc(args); | 588 | error = aa_setprocattr_permipc(args); |
| 589 | } else { | 589 | } else { |
| 590 | struct common_audit_data sa; | 590 | struct common_audit_data sa; |
| 591 | struct apparmor_audit_data aad = {0,}; | ||
| 591 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | 592 | COMMON_AUDIT_DATA_INIT(&sa, NONE); |
| 592 | sa.aad.op = OP_SETPROCATTR; | 593 | sa.aad = &aad; |
| 593 | sa.aad.info = name; | 594 | aad.op = OP_SETPROCATTR; |
| 594 | sa.aad.error = -EINVAL; | 595 | aad.info = name; |
| 596 | aad.error = -EINVAL; | ||
| 595 | return aa_audit(AUDIT_APPARMOR_DENIED, | 597 | return aa_audit(AUDIT_APPARMOR_DENIED, |
| 596 | __aa_current_profile(), GFP_KERNEL, | 598 | __aa_current_profile(), GFP_KERNEL, |
| 597 | &sa, NULL); | 599 | &sa, NULL); |
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 906414383022..f1f7506a464d 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c | |||
| @@ -964,11 +964,13 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info, | |||
| 964 | int error) | 964 | int error) |
| 965 | { | 965 | { |
| 966 | struct common_audit_data sa; | 966 | struct common_audit_data sa; |
| 967 | struct apparmor_audit_data aad = {0,}; | ||
| 967 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | 968 | COMMON_AUDIT_DATA_INIT(&sa, NONE); |
| 968 | sa.aad.op = op; | 969 | sa.aad = &aad; |
| 969 | sa.aad.name = name; | 970 | aad.op = op; |
| 970 | sa.aad.info = info; | 971 | aad.name = name; |
| 971 | sa.aad.error = error; | 972 | aad.info = info; |
| 973 | aad.error = error; | ||
| 972 | 974 | ||
| 973 | return aa_audit(AUDIT_APPARMOR_STATUS, __aa_current_profile(), gfp, | 975 | return aa_audit(AUDIT_APPARMOR_STATUS, __aa_current_profile(), gfp, |
| 974 | &sa, NULL); | 976 | &sa, NULL); |
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 25fd51edc8da..deab7c7e8dc0 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c | |||
| @@ -70,13 +70,13 @@ struct aa_ext { | |||
| 70 | static void audit_cb(struct audit_buffer *ab, void *va) | 70 | static void audit_cb(struct audit_buffer *ab, void *va) |
| 71 | { | 71 | { |
| 72 | struct common_audit_data *sa = va; | 72 | struct common_audit_data *sa = va; |
| 73 | if (sa->aad.iface.target) { | 73 | if (sa->aad->iface.target) { |
| 74 | struct aa_profile *name = sa->aad.iface.target; | 74 | struct aa_profile *name = sa->aad->iface.target; |
| 75 | audit_log_format(ab, " name="); | 75 | audit_log_format(ab, " name="); |
| 76 | audit_log_untrustedstring(ab, name->base.hname); | 76 | audit_log_untrustedstring(ab, name->base.hname); |
| 77 | } | 77 | } |
| 78 | if (sa->aad.iface.pos) | 78 | if (sa->aad->iface.pos) |
| 79 | audit_log_format(ab, " offset=%ld", sa->aad.iface.pos); | 79 | audit_log_format(ab, " offset=%ld", sa->aad->iface.pos); |
| 80 | } | 80 | } |
| 81 | 81 | ||
| 82 | /** | 82 | /** |
| @@ -94,13 +94,15 @@ static int audit_iface(struct aa_profile *new, const char *name, | |||
| 94 | { | 94 | { |
| 95 | struct aa_profile *profile = __aa_current_profile(); | 95 | struct aa_profile *profile = __aa_current_profile(); |
| 96 | struct common_audit_data sa; | 96 | struct common_audit_data sa; |
| 97 | struct apparmor_audit_data aad = {0,}; | ||
| 97 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | 98 | COMMON_AUDIT_DATA_INIT(&sa, NONE); |
| 99 | sa.aad = &aad; | ||
| 98 | if (e) | 100 | if (e) |
| 99 | sa.aad.iface.pos = e->pos - e->start; | 101 | aad.iface.pos = e->pos - e->start; |
| 100 | sa.aad.iface.target = new; | 102 | aad.iface.target = new; |
| 101 | sa.aad.name = name; | 103 | aad.name = name; |
| 102 | sa.aad.info = info; | 104 | aad.info = info; |
| 103 | sa.aad.error = error; | 105 | aad.error = error; |
| 104 | 106 | ||
| 105 | return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa, | 107 | return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa, |
| 106 | audit_cb); | 108 | audit_cb); |
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c index 72c25a4f2cfd..2fe8613efe33 100644 --- a/security/apparmor/resource.c +++ b/security/apparmor/resource.c | |||
| @@ -34,7 +34,7 @@ static void audit_cb(struct audit_buffer *ab, void *va) | |||
| 34 | struct common_audit_data *sa = va; | 34 | struct common_audit_data *sa = va; |
| 35 | 35 | ||
| 36 | audit_log_format(ab, " rlimit=%s value=%lu", | 36 | audit_log_format(ab, " rlimit=%s value=%lu", |
| 37 | rlim_names[sa->aad.rlim.rlim], sa->aad.rlim.max); | 37 | rlim_names[sa->aad->rlim.rlim], sa->aad->rlim.max); |
| 38 | } | 38 | } |
| 39 | 39 | ||
| 40 | /** | 40 | /** |
| @@ -50,12 +50,14 @@ static int audit_resource(struct aa_profile *profile, unsigned int resource, | |||
| 50 | unsigned long value, int error) | 50 | unsigned long value, int error) |
| 51 | { | 51 | { |
| 52 | struct common_audit_data sa; | 52 | struct common_audit_data sa; |
| 53 | struct apparmor_audit_data aad = {0,}; | ||
| 53 | 54 | ||
| 54 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | 55 | COMMON_AUDIT_DATA_INIT(&sa, NONE); |
| 55 | sa.aad.op = OP_SETRLIMIT, | 56 | sa.aad = &aad; |
| 56 | sa.aad.rlim.rlim = resource; | 57 | aad.op = OP_SETRLIMIT, |
| 57 | sa.aad.rlim.max = value; | 58 | aad.rlim.rlim = resource; |
| 58 | sa.aad.error = error; | 59 | aad.rlim.max = value; |
| 60 | aad.error = error; | ||
| 59 | return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_KERNEL, &sa, | 61 | return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_KERNEL, &sa, |
| 60 | audit_cb); | 62 | audit_cb); |
| 61 | } | 63 | } |