aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2008-01-29 08:38:10 -0500
committerJames Morris <jmorris@namei.org>2008-01-29 16:17:22 -0500
commitda5645a28a15aed2e541a814ecf9f7ffcd4c4673 (patch)
tree8cedccebd0e12308de30573ad593d703943e3cbb /security
parente8bfdb9d0dfc1231a6a71e849dfbd4447acdfff6 (diff)
SELinux: Only store the network interface's ifindex
Instead of storing the packet's network interface name store the ifindex. This allows us to defer the need to lookup the net_device structure until the audit record is generated meaning that in the majority of cases we never need to bother with this at all. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/avc.c15
-rw-r--r--security/selinux/hooks.c4
-rw-r--r--security/selinux/include/avc.h2
3 files changed, 15 insertions, 6 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 81b3dff3cbf0..e8529e2f51e5 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -661,9 +661,18 @@ void avc_audit(u32 ssid, u32 tsid,
661 "daddr", "dest"); 661 "daddr", "dest");
662 break; 662 break;
663 } 663 }
664 if (a->u.net.netif) 664 if (a->u.net.netif > 0) {
665 audit_log_format(ab, " netif=%s", 665 struct net_device *dev;
666 a->u.net.netif); 666
667 /* NOTE: we always use init's namespace */
668 dev = dev_get_by_index(&init_net,
669 a->u.net.netif);
670 if (dev) {
671 audit_log_format(ab, " netif=%s",
672 dev->name);
673 dev_put(dev);
674 }
675 }
667 break; 676 break;
668 } 677 }
669 } 678 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index be544332214c..1a1fa3f20ef0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3928,7 +3928,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3928 family = PF_INET; 3928 family = PF_INET;
3929 3929
3930 AVC_AUDIT_DATA_INIT(&ad, NET); 3930 AVC_AUDIT_DATA_INIT(&ad, NET);
3931 ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]"; 3931 ad.u.net.netif = skb->iif;
3932 ad.u.net.family = family; 3932 ad.u.net.family = family;
3933 3933
3934 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL); 3934 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
@@ -4259,7 +4259,7 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
4259 sksec = sk->sk_security; 4259 sksec = sk->sk_security;
4260 4260
4261 AVC_AUDIT_DATA_INIT(&ad, NET); 4261 AVC_AUDIT_DATA_INIT(&ad, NET);
4262 ad.u.net.netif = dev->name; 4262 ad.u.net.netif = dev->ifindex;
4263 ad.u.net.family = family; 4263 ad.u.net.family = family;
4264 4264
4265 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto); 4265 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 553607a19e92..80c28fa6621c 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -51,7 +51,7 @@ struct avc_audit_data {
51 struct inode *inode; 51 struct inode *inode;
52 } fs; 52 } fs;
53 struct { 53 struct {
54 char *netif; 54 int netif;
55 struct sock *sk; 55 struct sock *sk;
56 u16 family; 56 u16 family;
57 __be16 dport; 57 __be16 dport;