SELinux: Convert avc_audit to use lsm_audit.h

Convert avc_audit in security/selinux/avc.c to use lsm_audit.h, for better maintainability. - changed selinux to use common_audit_data instead of avc_audit_data - eliminated code in avc.c and used code from lsm_audit.h instead. Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit can call common_lsm_audit and do the pre and post callbacks without doing the actual dump. This makes it so that the patched version behaves the same way as the unpatched version. Also added a denied field to the selinux_audit_data private space, once again to make it so that the patched version behaves like the unpatched. I've tested and confirmed that AVCs look the same before and after this patch. Signed-off-by: Thomas Liu <tliu@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
author: Thomas Liu <tliu@redhat.com> 2009-07-14 12:14:09 -0400
committer: James Morris <jmorris@namei.org> 2009-08-16 18:37:18 -0400
commit: 2bf49690325b62480a42f7afed5e9f164173c570 (patch)
tree: bc8525f6a45ea3ffaed9449084df7644bcd4e3c2 /security/selinux/include
parent: f322abf83feddc3c37c3a91794e0c5aece4af18e (diff)
3 files changed, 11 insertions, 50 deletions
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index ae4c3a0e2c1a..e94e82f73818 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -13,6 +13,7 @@
 #include <linux/spinlock.h>
 #include <linux/init.h>
 #include <linux/audit.h>
+#include <linux/lsm_audit.h>
 #include <linux/in6.h>
 #include <linux/path.h>
 #include <asm/system.h>
@@ -36,48 +37,6 @@ struct inode;
 struct sock;
 struct sk_buff;
-/* Auxiliary data to use in generating the audit record. */
-struct avc_audit_data {
-        char    type;
-#define AVC_AUDIT_DATA_FS   1
-#define AVC_AUDIT_DATA_NET  2
-#define AVC_AUDIT_DATA_CAP  3
-#define AVC_AUDIT_DATA_IPC  4
-        struct task_struct *tsk;
-        union   {
-                struct {
-                        struct path path;
-                        struct inode *inode;
-                } fs;
-                struct {
-                        int netif;
-                        struct sock *sk;
-                        u16 family;
-                        __be16 dport;
-                        __be16 sport;
-                        union {
-                                struct {
-                                        __be32 daddr;
-                                        __be32 saddr;
-                                } v4;
-                                struct {
-                                        struct in6_addr daddr;
-                                        struct in6_addr saddr;
-                                } v6;
-                        } fam;
-                } net;
-                int cap;
-                int ipc_id;
-        } u;
-};
-#define v4info fam.v4
-#define v6info fam.v6
-/* Initialize an AVC audit data structure. */
-#define AVC_AUDIT_DATA_INIT(_d,_t) \
-        { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; }
 /*
 * AVC statistics
 */
@@ -98,7 +57,9 @@ void __init avc_init(void);
 void avc_audit(u32 ssid, u32 tsid,
               u16 tclass, u32 requested,
-               struct av_decision *avd, int result, struct avc_audit_data *auditdata);
+               struct av_decision *avd,
+               int result,
+               struct common_audit_data *a);
 #define AVC_STRICT 1 /* Ignore permissive mode. */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
@@ -108,7 +69,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 int avc_has_perm(u32 ssid, u32 tsid,
                 u16 tclass, u32 requested,
-                 struct avc_audit_data *auditdata);
+                 struct common_audit_data *auditdata);
 u32 avc_policy_seqno(void);
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index b4b5b9b2f0be..8d7384280a7a 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -59,7 +59,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
                                struct sk_buff *skb,
                                u16 family,
-                                struct avc_audit_data *ad);
+                                struct common_audit_data *ad);
 int selinux_netlbl_socket_setsockopt(struct socket *sock,
                                     int level,
                                     int optname);
@@ -129,7 +129,7 @@ static inline int selinux_netlbl_socket_post_create(struct sock *sk,
 static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
                                              struct sk_buff *skb,
                                              u16 family,
-                                              struct avc_audit_data *ad)
+                                              struct common_audit_data *ad)
 {
        return 0;
 }
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 289e24b39e3e..13128f9a3e5a 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -41,9 +41,9 @@ static inline int selinux_xfrm_enabled(void)
 }
 int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
-                        struct avc_audit_data *ad);
+                        struct common_audit_data *ad);
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-                        struct avc_audit_data *ad, u8 proto);
+                        struct common_audit_data *ad, u8 proto);
 int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 static inline void selinux_xfrm_notify_policyload(void)
@@ -57,13 +57,13 @@ static inline int selinux_xfrm_enabled(void)
 }
 static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
-                        struct avc_audit_data *ad)
+                        struct common_audit_data *ad)
 {
        return 0;
 }
 static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-                        struct avc_audit_data *ad, u8 proto)
+                        struct common_audit_data *ad, u8 proto)
 {
        return 0;
 }
author	Thomas Liu <tliu@redhat.com>	2009-07-14 12:14:09 -0400
committer	James Morris <jmorris@namei.org>	2009-08-16 18:37:18 -0400
commit	2bf49690325b62480a42f7afed5e9f164173c570 (patch)
tree	bc8525f6a45ea3ffaed9449084df7644bcd4e3c2 /security/selinux/include
parent	f322abf83feddc3c37c3a91794e0c5aece4af18e (diff)