diff options
| author | Ahmed S. Darwish <darwish.07@gmail.com> | 2008-03-01 15:03:14 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2008-04-18 19:53:46 -0400 |
| commit | 9d57a7f9e23dc30783d245280fc9907cf2c87837 (patch) | |
| tree | 508b81e213f5dca1097ccf0ece8ba092b168607b /security | |
| parent | d7a96f3a1ae279a2129653d6cb18d722f2f00f91 (diff) | |
SELinux: use new audit hooks, remove redundant exports
Setup the new Audit LSM hooks for SELinux.
Remove the now redundant exported SELinux Audit interface.
Audit: Export 'audit_krule' and 'audit_field' to the public
since their internals are needed by the implementation of the
new LSM hook 'audit_rule_known'.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/hooks.c | 8 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 45 |
2 files changed, 42 insertions, 11 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index bfffaa52e0cb..a2f7e9cf78c5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -83,6 +83,7 @@ | |||
| 83 | #include "netport.h" | 83 | #include "netport.h" |
| 84 | #include "xfrm.h" | 84 | #include "xfrm.h" |
| 85 | #include "netlabel.h" | 85 | #include "netlabel.h" |
| 86 | #include "audit.h" | ||
| 86 | 87 | ||
| 87 | #define XATTR_SELINUX_SUFFIX "selinux" | 88 | #define XATTR_SELINUX_SUFFIX "selinux" |
| 88 | #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX | 89 | #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX |
| @@ -5478,6 +5479,13 @@ static struct security_operations selinux_ops = { | |||
| 5478 | .key_free = selinux_key_free, | 5479 | .key_free = selinux_key_free, |
| 5479 | .key_permission = selinux_key_permission, | 5480 | .key_permission = selinux_key_permission, |
| 5480 | #endif | 5481 | #endif |
| 5482 | |||
| 5483 | #ifdef CONFIG_AUDIT | ||
| 5484 | .audit_rule_init = selinux_audit_rule_init, | ||
| 5485 | .audit_rule_known = selinux_audit_rule_known, | ||
| 5486 | .audit_rule_match = selinux_audit_rule_match, | ||
| 5487 | .audit_rule_free = selinux_audit_rule_free, | ||
| 5488 | #endif | ||
| 5481 | }; | 5489 | }; |
| 5482 | 5490 | ||
| 5483 | static __init int selinux_init(void) | 5491 | static __init int selinux_init(void) |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index d75050819b06..1e0df5ec1bcd 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -57,6 +57,7 @@ | |||
| 57 | #include "netlabel.h" | 57 | #include "netlabel.h" |
| 58 | #include "xfrm.h" | 58 | #include "xfrm.h" |
| 59 | #include "ebitmap.h" | 59 | #include "ebitmap.h" |
| 60 | #include "audit.h" | ||
| 60 | 61 | ||
| 61 | extern void selnl_notify_policyload(u32 seqno); | 62 | extern void selnl_notify_policyload(u32 seqno); |
| 62 | unsigned int policydb_loaded_version; | 63 | unsigned int policydb_loaded_version; |
| @@ -2296,21 +2297,23 @@ struct selinux_audit_rule { | |||
| 2296 | struct context au_ctxt; | 2297 | struct context au_ctxt; |
| 2297 | }; | 2298 | }; |
| 2298 | 2299 | ||
| 2299 | void selinux_audit_rule_free(struct selinux_audit_rule *rule) | 2300 | void selinux_audit_rule_free(void *vrule) |
| 2300 | { | 2301 | { |
| 2302 | struct selinux_audit_rule *rule = vrule; | ||
| 2303 | |||
| 2301 | if (rule) { | 2304 | if (rule) { |
| 2302 | context_destroy(&rule->au_ctxt); | 2305 | context_destroy(&rule->au_ctxt); |
| 2303 | kfree(rule); | 2306 | kfree(rule); |
| 2304 | } | 2307 | } |
| 2305 | } | 2308 | } |
| 2306 | 2309 | ||
| 2307 | int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | 2310 | int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) |
| 2308 | struct selinux_audit_rule **rule) | ||
| 2309 | { | 2311 | { |
| 2310 | struct selinux_audit_rule *tmprule; | 2312 | struct selinux_audit_rule *tmprule; |
| 2311 | struct role_datum *roledatum; | 2313 | struct role_datum *roledatum; |
| 2312 | struct type_datum *typedatum; | 2314 | struct type_datum *typedatum; |
| 2313 | struct user_datum *userdatum; | 2315 | struct user_datum *userdatum; |
| 2316 | struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule; | ||
| 2314 | int rc = 0; | 2317 | int rc = 0; |
| 2315 | 2318 | ||
| 2316 | *rule = NULL; | 2319 | *rule = NULL; |
| @@ -2397,12 +2400,37 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | |||
| 2397 | return rc; | 2400 | return rc; |
| 2398 | } | 2401 | } |
| 2399 | 2402 | ||
| 2400 | int selinux_audit_rule_match(u32 sid, u32 field, u32 op, | 2403 | /* Check to see if the rule contains any selinux fields */ |
| 2401 | struct selinux_audit_rule *rule, | 2404 | int selinux_audit_rule_known(struct audit_krule *rule) |
| 2405 | { | ||
| 2406 | int i; | ||
| 2407 | |||
| 2408 | for (i = 0; i < rule->field_count; i++) { | ||
| 2409 | struct audit_field *f = &rule->fields[i]; | ||
| 2410 | switch (f->type) { | ||
| 2411 | case AUDIT_SUBJ_USER: | ||
| 2412 | case AUDIT_SUBJ_ROLE: | ||
| 2413 | case AUDIT_SUBJ_TYPE: | ||
| 2414 | case AUDIT_SUBJ_SEN: | ||
| 2415 | case AUDIT_SUBJ_CLR: | ||
| 2416 | case AUDIT_OBJ_USER: | ||
| 2417 | case AUDIT_OBJ_ROLE: | ||
| 2418 | case AUDIT_OBJ_TYPE: | ||
| 2419 | case AUDIT_OBJ_LEV_LOW: | ||
| 2420 | case AUDIT_OBJ_LEV_HIGH: | ||
| 2421 | return 1; | ||
| 2422 | } | ||
| 2423 | } | ||
| 2424 | |||
| 2425 | return 0; | ||
| 2426 | } | ||
| 2427 | |||
| 2428 | int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | ||
| 2402 | struct audit_context *actx) | 2429 | struct audit_context *actx) |
| 2403 | { | 2430 | { |
| 2404 | struct context *ctxt; | 2431 | struct context *ctxt; |
| 2405 | struct mls_level *level; | 2432 | struct mls_level *level; |
| 2433 | struct selinux_audit_rule *rule = vrule; | ||
| 2406 | int match = 0; | 2434 | int match = 0; |
| 2407 | 2435 | ||
| 2408 | if (!rule) { | 2436 | if (!rule) { |
| @@ -2509,7 +2537,7 @@ out: | |||
| 2509 | return match; | 2537 | return match; |
| 2510 | } | 2538 | } |
| 2511 | 2539 | ||
| 2512 | static int (*aurule_callback)(void) = NULL; | 2540 | static int (*aurule_callback)(void) = audit_update_lsm_rules; |
| 2513 | 2541 | ||
| 2514 | static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, | 2542 | static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, |
| 2515 | u16 class, u32 perms, u32 *retained) | 2543 | u16 class, u32 perms, u32 *retained) |
| @@ -2534,11 +2562,6 @@ static int __init aurule_init(void) | |||
| 2534 | } | 2562 | } |
| 2535 | __initcall(aurule_init); | 2563 | __initcall(aurule_init); |
| 2536 | 2564 | ||
| 2537 | void selinux_audit_set_callback(int (*callback)(void)) | ||
| 2538 | { | ||
| 2539 | aurule_callback = callback; | ||
| 2540 | } | ||
| 2541 | |||
| 2542 | #ifdef CONFIG_NETLABEL | 2565 | #ifdef CONFIG_NETLABEL |
| 2543 | /** | 2566 | /** |
| 2544 | * security_netlbl_cache_add - Add an entry to the NetLabel cache | 2567 | * security_netlbl_cache_add - Add an entry to the NetLabel cache |