authorLinus Torvalds <torvalds@linux-foundation.org>2008-04-18 21:18:30 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2008-04-18 21:18:30 -0400
commit3925e6fc1f774048404fdd910b0345b06c699eb4 (patch)
treec9a58417d9492f39f7fe81d4721d674c34dd8be2 /security/selinux/ss
parent334d094504c2fe1c44211ecb49146ae6bca8c321 (diff)
parent7cea51be4e91edad05bd834f3235b45c57783f0d (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: security: fix up documentation for security_module_enable Security: Introduce security= boot parameter Audit: Final renamings and cleanup SELinux: use new audit hooks, remove redundant exports Audit: internally use the new LSM audit hooks LSM/Audit: Introduce generic Audit LSM hooks SELinux: remove redundant exports Netlink: Use generic LSM hook Audit: use new LSM hooks instead of SELinux exports SELinux: setup new inode/ipc getsecid hooks LSM: Introduce inode_getsecid and ipc_getsecid hooks
Diffstat (limited to 'security/selinux/ss')
-rw-r--r--security/selinux/ss/services.c45
1 files changed, 34 insertions, 11 deletions
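diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 33425b1ac8d6..b341b8fd8c7c 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -57,6 +57,7 @@
 #include "netlabel.h"
 #include "xfrm.h"
 #include "ebitmap.h"
+#include "audit.h"
 
 extern void selnl_notify_policyload(u32 seqno);
 unsigned int policydb_loaded_version;
@@ -2296,21 +2297,23 @@ struct selinux_audit_rule {
 	struct context au_ctxt;
 };
 
-void selinux_audit_rule_free(struct selinux_audit_rule *rule)
+void selinux_audit_rule_free(void *vrule)
 {
+	struct selinux_audit_rule *rule = vrule;
+
 	if (rule) {
 		context_destroy(&rule->au_ctxt);
 		kfree(rule);
 	}
 }
 
-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
-			    struct selinux_audit_rule **rule)
+int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
 {
 	struct selinux_audit_rule *tmprule;
 	struct role_datum *roledatum;
 	struct type_datum *typedatum;
 	struct user_datum *userdatum;
+	struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
 	int rc = 0;
 
 	*rule = NULL;
@@ -2397,12 +2400,37 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
 	return rc;
 }
 
-int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
-			     struct selinux_audit_rule *rule,
+/* Check to see if the rule contains any selinux fields */
+int selinux_audit_rule_known(struct audit_krule *rule)
+{
+	int i;
+
+	for (i = 0; i < rule->field_count; i++) {
+		struct audit_field *f = &rule->fields[i];
+		switch (f->type) {
+		case AUDIT_SUBJ_USER:
+		case AUDIT_SUBJ_ROLE:
+		case AUDIT_SUBJ_TYPE:
+		case AUDIT_SUBJ_SEN:
+		case AUDIT_SUBJ_CLR:
+		case AUDIT_OBJ_USER:
+		case AUDIT_OBJ_ROLE:
+		case AUDIT_OBJ_TYPE:
+		case AUDIT_OBJ_LEV_LOW:
+		case AUDIT_OBJ_LEV_HIGH:
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
+int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
 			     struct audit_context *actx)
 {
 	struct context *ctxt;
 	struct mls_level *level;
+	struct selinux_audit_rule *rule = vrule;
 	int match = 0;
 
 	if (!rule) {
@@ -2509,7 +2537,7 @@ out:
 	return match;
 }
 
-static int (*aurule_callback)(void) = NULL;
+static int (*aurule_callback)(void) = audit_update_lsm_rules;
 
 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
 			       u16 class, u32 perms, u32 *retained)
@@ -2534,11 +2562,6 @@ static int __init aurule_init(void)
 }
 __initcall(aurule_init);
 
-void selinux_audit_set_callback(int (*callback)(void))
-{
-	aurule_callback = callback;
-}
-
 #ifdef CONFIG_NETLABEL
 /**
  * security_netlbl_cache_add - Add an entry to the NetLabel cache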
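Review bot: The new `selinux_audit_rule_known` hard-codes the ten AUDIT_SUBJ_*/AUDIT_OBJ_* field types, and nothing ties that list to the set of fields `selinux_audit_rule_init` accepts (its body lies between the second and third hunks, outside this view). With `aurule_callback` now fixed to `audit_update_lsm_rules`, this hook is presumably what decides which audit rules get re-initialised after a policy load, so a field type handled in one switch but missing from the other would leave such a rule stale across a reload with no error reported. A comment above the `switch` would make the coupling explicit: `/* Must list every field type selinux_audit_rule_init() accepts; a mismatch leaves rules un-refreshed on policy reload. */`. The `switch` also has no `default:` arm; falling out of it silently is intended here, so `/* other field types are not SELinux fields */` on the closing brace would spare the next reader a second look.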