smack: implement logging V3

the following patch, add logging of Smack security decisions. This is of course very useful to understand what your current smack policy does. As suggested by Casey, it also now forbids labels with ', " or \ It introduces a '/smack/logging' switch : 0: no logging 1: log denied (default) 2: log accepted 3: log denied&accepted Signed-off-by: Etienne Basset <etienne.basset@numericable.fr> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Etienne Basset <etienne.basset@numericable.fr> 2009-04-08 14:40:06 -0400
committer: James Morris <jmorris@namei.org> 2009-04-13 19:00:23 -0400
commit: ecfcc53fef3c357574bb6143dce6631e6d56295c (patch)
tree: d7bee04b64c5ad2ba0ed273bff2c8c7c98b3eee5 /security/smack/smack.h
parent: 6e837fb152410e571a81aaadbd9884f0bc46a55e (diff)
1 files changed, 106 insertions, 2 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 42ef313f9856..243bec175be0 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -20,6 +20,7 @@
 #include <net/netlabel.h>
 #include <linux/list.h>
 #include <linux/rculist.h>
+#include <linux/lsm_audit.h>
 /*
 * Why 23? CIPSO is constrained to 30, so a 32 byte buffer is
@@ -179,6 +180,20 @@ struct smack_known {
 #define MAY_NOT         0
 /*
+ * Number of access types used by Smack (rwxa)
+ */
+#define SMK_NUM_ACCESS_TYPE 4
+/*
+ * Smack audit data; is empty if CONFIG_AUDIT not set
+ * to save some stack
+ */
+struct smk_audit_info {
+#ifdef CONFIG_AUDIT
+        struct common_audit_data a;
+#endif
+};
+/*
 * These functions are in smack_lsm.c
 */
 struct inode_smack *new_inode_smack(char *);
@@ -186,8 +201,8 @@ struct inode_smack *new_inode_smack(char *);
 /*
 * These functions are in smack_access.c
 */
-int smk_access(char *, char *, int);
+int smk_access(char *, char *, int, struct smk_audit_info *);
-int smk_curacc(char *, u32);
+int smk_curacc(char *, u32, struct smk_audit_info *);
 int smack_to_cipso(const char *, struct smack_cipso *);
 void smack_from_cipso(u32, char *, char *);
 char *smack_from_secid(const u32);
@@ -237,4 +252,93 @@ static inline char *smk_of_inode(const struct inode *isp)
        return sip->smk_inode;
 }
+/*
+ * logging functions
+ */
+#define SMACK_AUDIT_DENIED 0x1
+#define SMACK_AUDIT_ACCEPT 0x2
+extern int log_policy;
+void smack_log(char *subject_label, char *object_label,
+                int request,
+                int result, struct smk_audit_info *auditdata);
+#ifdef CONFIG_AUDIT
+/*
+ * some inline functions to set up audit data
+ * they do nothing if CONFIG_AUDIT is not set
+ *
+ */
+static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
+                               char type)
+{
+        memset(a, 0, sizeof(*a));
+        a->a.type = type;
+        a->a.function = func;
+}
+static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
+                                         struct task_struct *t)
+{
+        a->a.u.tsk = t;
+}
+static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
+                                                    struct dentry *d)
+{
+        a->a.u.fs.path.dentry = d;
+}
+static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
+                                                 struct vfsmount *m)
+{
+        a->a.u.fs.path.mnt = m;
+}
+static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
+                                              struct inode *i)
+{
+        a->a.u.fs.inode = i;
+}
+static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
+                                             struct path p)
+{
+        a->a.u.fs.path = p;
+}
+static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
+                                            struct sock *sk)
+{
+        a->a.u.net.sk = sk;
+}
+#else /* no AUDIT */
+static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
+                               char type)
+{
+}
+static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
+                                         struct task_struct *t)
+{
+}
+static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
+                                                    struct dentry *d)
+{
+}
+static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
+                                                 struct vfsmount *m)
+{
+}
+static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
+                                              struct inode *i)
+{
+}
+static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
+                                             struct path p)
+{
+}
+static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
+                                            struct sock *sk)
+{
+}
+#endif
 #endif  /* _SECURITY_SMACK_H */
author	Etienne Basset <etienne.basset@numericable.fr>	2009-04-08 14:40:06 -0400
committer	James Morris <jmorris@namei.org>	2009-04-13 19:00:23 -0400
commit	ecfcc53fef3c357574bb6143dce6631e6d56295c (patch)
tree	d7bee04b64c5ad2ba0ed273bff2c8c7c98b3eee5 /security/smack/smack.h
parent	6e837fb152410e571a81aaadbd9884f0bc46a55e (diff)

diff --git a/security/smack/smack.h b/security/smack/smack.h index 42ef313f9856..243bec175be0 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h
@@ -20,6 +20,7 @@
20	#include <net/netlabel.h>	20	#include <net/netlabel.h>
21	#include <linux/list.h>	21	#include <linux/list.h>
22	#include <linux/rculist.h>	22	#include <linux/rculist.h>
		23	#include <linux/lsm_audit.h>
23		24
24	/*	25	/*
25	* Why 23? CIPSO is constrained to 30, so a 32 byte buffer is	26	* Why 23? CIPSO is constrained to 30, so a 32 byte buffer is
@@ -179,6 +180,20 @@ struct smack_known {
179	#define MAY_NOT 0	180	#define MAY_NOT 0
180		181
181	/*	182	/*
		183	* Number of access types used by Smack (rwxa)
		184	*/
		185	#define SMK_NUM_ACCESS_TYPE 4
		186
		187	/*
		188	* Smack audit data; is empty if CONFIG_AUDIT not set
		189	* to save some stack
		190	*/
		191	struct smk_audit_info {
		192	#ifdef CONFIG_AUDIT
		193	struct common_audit_data a;
		194	#endif
		195	};
		196	/*
182	* These functions are in smack_lsm.c	197	* These functions are in smack_lsm.c
183	*/	198	*/
184	struct inode_smack new_inode_smack(char );	199	struct inode_smack new_inode_smack(char );
@@ -186,8 +201,8 @@ struct inode_smack new_inode_smack(char );
186	/*	201	/*
187	* These functions are in smack_access.c	202	* These functions are in smack_access.c
188	*/	203	*/
189	int smk_access(char , char , int);	204	int smk_access(char , char , int, struct smk_audit_info *);
190	int smk_curacc(char *, u32);	205	int smk_curacc(char , u32, struct smk_audit_info );
191	int smack_to_cipso(const char , struct smack_cipso );	206	int smack_to_cipso(const char , struct smack_cipso );
192	void smack_from_cipso(u32, char , char );	207	void smack_from_cipso(u32, char , char );
193	char *smack_from_secid(const u32);	208	char *smack_from_secid(const u32);
@@ -237,4 +252,93 @@ static inline char smk_of_inode(const struct inode isp)
237	return sip->smk_inode;	252	return sip->smk_inode;
238	}	253	}
239		254
		255	/*
		256	* logging functions
		257	*/
		258	#define SMACK_AUDIT_DENIED 0x1
		259	#define SMACK_AUDIT_ACCEPT 0x2
		260	extern int log_policy;
		261
		262	void smack_log(char subject_label, char object_label,
		263	int request,
		264	int result, struct smk_audit_info *auditdata);
		265
		266	#ifdef CONFIG_AUDIT
		267
		268	/*
		269	* some inline functions to set up audit data
		270	* they do nothing if CONFIG_AUDIT is not set
		271	*
		272	*/
		273	static inline void smk_ad_init(struct smk_audit_info a, const char func,
		274	char type)
		275	{
		276	memset(a, 0, sizeof(*a));
		277	a->a.type = type;
		278	a->a.function = func;
		279	}
		280
		281	static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
		282	struct task_struct *t)
		283	{
		284	a->a.u.tsk = t;
		285	}
		286	static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
		287	struct dentry *d)
		288	{
		289	a->a.u.fs.path.dentry = d;
		290	}
		291	static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
		292	struct vfsmount *m)
		293	{
		294	a->a.u.fs.path.mnt = m;
		295	}
		296	static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
		297	struct inode *i)
		298	{
		299	a->a.u.fs.inode = i;
		300	}
		301	static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
		302	struct path p)
		303	{
		304	a->a.u.fs.path = p;
		305	}
		306	static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
		307	struct sock *sk)
		308	{
		309	a->a.u.net.sk = sk;
		310	}
		311
		312	#else /* no AUDIT */
		313
		314	static inline void smk_ad_init(struct smk_audit_info a, const char func,
		315	char type)
		316	{
		317	}
		318	static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
		319	struct task_struct *t)
		320	{
		321	}
		322	static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
		323	struct dentry *d)
		324	{
		325	}
		326	static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
		327	struct vfsmount *m)
		328	{
		329	}
		330	static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
		331	struct inode *i)
		332	{
		333	}
		334	static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
		335	struct path p)
		336	{
		337	}
		338	static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
		339	struct sock *sk)
		340	{
		341	}
		342	#endif
		343
240	#endif /* _SECURITY_SMACK_H */	344	#endif /* _SECURITY_SMACK_H */