diff options
author | Paul Moore <paul.moore@hp.com> | 2008-01-29 08:38:10 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-01-29 16:17:22 -0500 |
commit | da5645a28a15aed2e541a814ecf9f7ffcd4c4673 (patch) | |
tree | 8cedccebd0e12308de30573ad593d703943e3cbb /security | |
parent | e8bfdb9d0dfc1231a6a71e849dfbd4447acdfff6 (diff) |
SELinux: Only store the network interface's ifindex
Instead of storing the packet's network interface name store the ifindex. This
allows us to defer the need to lookup the net_device structure until the audit
record is generated meaning that in the majority of cases we never need to
bother with this at all.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/avc.c | 15 | ||||
-rw-r--r-- | security/selinux/hooks.c | 4 | ||||
-rw-r--r-- | security/selinux/include/avc.h | 2 |
3 files changed, 15 insertions, 6 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 81b3dff3cbf0..e8529e2f51e5 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -661,9 +661,18 @@ void avc_audit(u32 ssid, u32 tsid, | |||
661 | "daddr", "dest"); | 661 | "daddr", "dest"); |
662 | break; | 662 | break; |
663 | } | 663 | } |
664 | if (a->u.net.netif) | 664 | if (a->u.net.netif > 0) { |
665 | audit_log_format(ab, " netif=%s", | 665 | struct net_device *dev; |
666 | a->u.net.netif); | 666 | |
667 | /* NOTE: we always use init's namespace */ | ||
668 | dev = dev_get_by_index(&init_net, | ||
669 | a->u.net.netif); | ||
670 | if (dev) { | ||
671 | audit_log_format(ab, " netif=%s", | ||
672 | dev->name); | ||
673 | dev_put(dev); | ||
674 | } | ||
675 | } | ||
667 | break; | 676 | break; |
668 | } | 677 | } |
669 | } | 678 | } |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index be544332214c..1a1fa3f20ef0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -3928,7 +3928,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
3928 | family = PF_INET; | 3928 | family = PF_INET; |
3929 | 3929 | ||
3930 | AVC_AUDIT_DATA_INIT(&ad, NET); | 3930 | AVC_AUDIT_DATA_INIT(&ad, NET); |
3931 | ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]"; | 3931 | ad.u.net.netif = skb->iif; |
3932 | ad.u.net.family = family; | 3932 | ad.u.net.family = family; |
3933 | 3933 | ||
3934 | err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL); | 3934 | err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL); |
@@ -4259,7 +4259,7 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum, | |||
4259 | sksec = sk->sk_security; | 4259 | sksec = sk->sk_security; |
4260 | 4260 | ||
4261 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4261 | AVC_AUDIT_DATA_INIT(&ad, NET); |
4262 | ad.u.net.netif = dev->name; | 4262 | ad.u.net.netif = dev->ifindex; |
4263 | ad.u.net.family = family; | 4263 | ad.u.net.family = family; |
4264 | 4264 | ||
4265 | err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto); | 4265 | err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto); |
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 553607a19e92..80c28fa6621c 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h | |||
@@ -51,7 +51,7 @@ struct avc_audit_data { | |||
51 | struct inode *inode; | 51 | struct inode *inode; |
52 | } fs; | 52 | } fs; |
53 | struct { | 53 | struct { |
54 | char *netif; | 54 | int netif; |
55 | struct sock *sk; | 55 | struct sock *sk; |
56 | u16 family; | 56 | u16 family; |
57 | __be16 dport; | 57 | __be16 dport; |