-rw-r--r--include/linux/audit.h11
-rw-r--r--include/net/cipso_ipv4.h4
-rw-r--r--include/net/netlabel.h8
-rw-r--r--net/ipv4/cipso_ipv4.c4
-rw-r--r--net/netlabel/netlabel_cipso_v4.c48
-rw-r--r--net/netlabel/netlabel_domainhash.c82
-rw-r--r--net/netlabel/netlabel_domainhash.h8
-rw-r--r--net/netlabel/netlabel_mgmt.c27
-rw-r--r--net/netlabel/netlabel_unlabeled.c34
-rw-r--r--net/netlabel/netlabel_user.c66
-rw-r--r--net/netlabel/netlabel_user.h16
11 files changed, 157 insertions, 151 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 42719d07612a..c3aa09751814 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -95,12 +95,11 @@
95#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ 95#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */
96#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ 96#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */
97#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ 97#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */
98#define AUDIT_MAC_UNLBL_ACCEPT 1406 /* NetLabel: allow unlabeled traffic */ 98#define AUDIT_MAC_UNLBL_ALLOW 1406 /* NetLabel: allow unlabeled traffic */
99#define AUDIT_MAC_UNLBL_DENY 1407 /* NetLabel: deny unlabeled traffic */ 99#define AUDIT_MAC_CIPSOV4_ADD 1407 /* NetLabel: add CIPSOv4 DOI entry */
100#define AUDIT_MAC_CIPSOV4_ADD 1408 /* NetLabel: add CIPSOv4 DOI entry */ 100#define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */
101#define AUDIT_MAC_CIPSOV4_DEL 1409 /* NetLabel: del CIPSOv4 DOI entry */ 101#define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */
102#define AUDIT_MAC_MAP_ADD 1410 /* NetLabel: add LSM domain mapping */ 102#define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */
103#define AUDIT_MAC_MAP_DEL 1411 /* NetLabel: del LSM domain mapping */
104 103
105#define AUDIT_FIRST_KERN_ANOM_MSG 1700 104#define AUDIT_FIRST_KERN_ANOM_MSG 1700
106#define AUDIT_LAST_KERN_ANOM_MSG 1799 105#define AUDIT_LAST_KERN_ANOM_MSG 1799
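Review bot: Dropping AUDIT_MAC_UNLBL_DENY and sliding AUDIT_MAC_CIPSOV4_ADD/DEL and AUDIT_MAC_MAP_ADD/DEL down by one (1407–1410 in place of 1408–1411) changes the numeric record types that userspace sees. If the old values have shipped in a released kernel, any consumer keyed on the number — log parsers, audit dispatcher plugins, detection rules — will read a CIPSOv4 add as an unlabeled-traffic deny, a CIPSOv4 delete as a CIPSOv4 add, and so on, silently. Leaving the vacated slot unassigned, e.g. `/* 1407 reserved: formerly AUDIT_MAC_UNLBL_DENY */`, keeps the surviving values stable; if the numbers never reached a release, a sentence saying so in the commit message spares the next reader the same question.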
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h
index 5d6ae1b2b196..718b4d9c891f 100644
--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -129,7 +129,7 @@ extern int cipso_v4_rbm_strictvalid;
129#ifdef CONFIG_NETLABEL 129#ifdef CONFIG_NETLABEL
130int cipso_v4_doi_add(struct cipso_v4_doi *doi_def); 130int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
131int cipso_v4_doi_remove(u32 doi, 131int cipso_v4_doi_remove(u32 doi,
132 u32 audit_secid, 132 struct netlbl_audit *audit_info,
133 void (*callback) (struct rcu_head * head)); 133 void (*callback) (struct rcu_head * head));
134struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi); 134struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
135int cipso_v4_doi_walk(u32 *skip_cnt, 135int cipso_v4_doi_walk(u32 *skip_cnt,
@@ -145,7 +145,7 @@ static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
145} 145}
146 146
147static inline int cipso_v4_doi_remove(u32 doi, 147static inline int cipso_v4_doi_remove(u32 doi,
148 u32 audit_secid, 148 struct netlbl_audit *audit_info,
149 void (*callback) (struct rcu_head * head)) 149 void (*callback) (struct rcu_head * head))
150{ 150{
151 return 0; 151 return 0;
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 190bfdbbdba6..c63a58058e21 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -92,11 +92,17 @@
92 * 92 *
93 */ 93 */
94 94
95/* NetLabel audit information */
96struct netlbl_audit {
97 u32 secid;
98 uid_t loginuid;
99};
100
95/* Domain mapping definition struct */ 101/* Domain mapping definition struct */
96struct netlbl_dom_map; 102struct netlbl_dom_map;
97 103
98/* Domain mapping operations */ 104/* Domain mapping operations */
99int netlbl_domhsh_remove(const char *domain, u32 audit_secid); 105int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
100 106
101/* LSM security attributes */ 107/* LSM security attributes */
102struct netlbl_lsm_cache { 108struct netlbl_lsm_cache {
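Review bot: The new `struct netlbl_audit` at lines 95–99 has no field documentation, and whose identity the two values describe is the one thing a reader of the audit records needs: netlbl_netlink_auditinfo() in netlabel_user.h fills them from NETLINK_CB(skb), i.e. the requesting socket, while netlbl_unlabel_defconf() fills them from current with loginuid forced to 0. Suggest `u32 secid;      /* LSM secid of the requester */` and `uid_t loginuid; /* audit login uid of the requester */`, or a kernel-doc header stating the same.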
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index c4e469ff842d..a8e2e879a647 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -485,7 +485,7 @@ doi_add_failure_rlock:
485 * 485 *
486 */ 486 */
487int cipso_v4_doi_remove(u32 doi, 487int cipso_v4_doi_remove(u32 doi,
488 u32 audit_secid, 488 struct netlbl_audit *audit_info,
489 void (*callback) (struct rcu_head * head)) 489 void (*callback) (struct rcu_head * head))
490{ 490{
491 struct cipso_v4_doi *doi_def; 491 struct cipso_v4_doi *doi_def;
@@ -506,7 +506,7 @@ int cipso_v4_doi_remove(u32 doi,
506 list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list) 506 list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list)
507 if (dom_iter->valid) 507 if (dom_iter->valid)
508 netlbl_domhsh_remove(dom_iter->domain, 508 netlbl_domhsh_remove(dom_iter->domain,
509 audit_secid); 509 audit_info);
510 cipso_v4_cache_invalidate(); 510 cipso_v4_cache_invalidate();
511 rcu_read_unlock(); 511 rcu_read_unlock();
512 512
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index 09986ca962a6..a6ce1d6d5c59 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -384,11 +384,15 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
384 u32 doi; 384 u32 doi;
385 const char *type_str = "(unknown)"; 385 const char *type_str = "(unknown)";
386 struct audit_buffer *audit_buf; 386 struct audit_buffer *audit_buf;
387 struct netlbl_audit audit_info;
387 388
388 if (!info->attrs[NLBL_CIPSOV4_A_DOI] || 389 if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
389 !info->attrs[NLBL_CIPSOV4_A_MTYPE]) 390 !info->attrs[NLBL_CIPSOV4_A_MTYPE])
390 return -EINVAL; 391 return -EINVAL;
391 392
393 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
394 netlbl_netlink_auditinfo(skb, &audit_info);
395
392 type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]); 396 type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
393 switch (type) { 397 switch (type) {
394 case CIPSO_V4_MAP_STD: 398 case CIPSO_V4_MAP_STD:
@@ -401,13 +405,14 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
401 break; 405 break;
402 } 406 }
403 407
404 if (ret_val == 0) { 408 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
405 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); 409 &audit_info);
406 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, 410 audit_log_format(audit_buf,
407 NETLINK_CB(skb).sid); 411 " cipso_doi=%u cipso_type=%s res=%u",
408 audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str); 412 doi,
409 audit_log_end(audit_buf); 413 type_str,
410 } 414 ret_val == 0 ? 1 : 0);
415 audit_log_end(audit_buf);
411 416
412 return ret_val; 417 return ret_val;
413} 418}
@@ -668,20 +673,25 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
668 int ret_val = -EINVAL; 673 int ret_val = -EINVAL;
669 u32 doi = 0; 674 u32 doi = 0;
670 struct audit_buffer *audit_buf; 675 struct audit_buffer *audit_buf;
676 struct netlbl_audit audit_info;
671 677
672 if (info->attrs[NLBL_CIPSOV4_A_DOI]) { 678 if (!info->attrs[NLBL_CIPSOV4_A_DOI])
673 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); 679 return -EINVAL;
674 ret_val = cipso_v4_doi_remove(doi,
675 NETLINK_CB(skb).sid,
676 netlbl_cipsov4_doi_free);
677 }
678 680
679 if (ret_val == 0) { 681 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
680 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, 682 netlbl_netlink_auditinfo(skb, &audit_info);
681 NETLINK_CB(skb).sid); 683
682 audit_log_format(audit_buf, " doi=%u", doi); 684 ret_val = cipso_v4_doi_remove(doi,
683 audit_log_end(audit_buf); 685 &audit_info,
684 } 686 netlbl_cipsov4_doi_free);
687
688 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
689 &audit_info);
690 audit_log_format(audit_buf,
691 " cipso_doi=%u res=%u",
692 doi,
693 ret_val == 0 ? 1 : 0);
694 audit_log_end(audit_buf);
685 695
686 return ret_val; 696 return ret_val;
687} 697}
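Review bot: In netlbl_cipsov4_remove the missing-DOI case now returns -EINVAL at line 678 before netlbl_netlink_auditinfo() runs, so a malformed removal request leaves no audit record at all, while a well-formed request that fails inside cipso_v4_doi_remove() is logged with res=0; netlbl_cipsov4_add has the same shape at line 391, and the attribute-check exits in netlabel_mgmt.c (netlbl_mgmt_add, netlbl_mgmt_remove, netlbl_mgmt_adddef) look the same, though their failure labels are outside those hunks. If the intent is that every privileged configuration attempt produces a record, the audit block has to be reachable from those paths too; if malformed requests are deliberately unaudited, a one-line comment at the early return such as `/* no audit record: request failed attribute validation */` would settle it. Minor: `u32 doi = 0;` at line 674 is now always overwritten before use. Both functions begin outside their hunks.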
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
index d64e2ae3b129..af4371d3b459 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -188,7 +188,7 @@ int netlbl_domhsh_init(u32 size)
188/** 188/**
189 * netlbl_domhsh_add - Adds a entry to the domain hash table 189 * netlbl_domhsh_add - Adds a entry to the domain hash table
190 * @entry: the entry to add 190 * @entry: the entry to add
191 * @audit_secid: the LSM secid to use in the audit message 191 * @audit_info: NetLabel audit information
192 * 192 *
193 * Description: 193 * Description:
194 * Adds a new entry to the domain hash table and handles any updates to the 194 * Adds a new entry to the domain hash table and handles any updates to the
@@ -196,7 +196,8 @@ int netlbl_domhsh_init(u32 size)
196 * negative on failure. 196 * negative on failure.
197 * 197 *
198 */ 198 */
199int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid) 199int netlbl_domhsh_add(struct netlbl_dom_map *entry,
200 struct netlbl_audit *audit_info)
200{ 201{
201 int ret_val; 202 int ret_val;
202 u32 bkt; 203 u32 bkt;
@@ -241,26 +242,26 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid)
241 spin_unlock(&netlbl_domhsh_def_lock); 242 spin_unlock(&netlbl_domhsh_def_lock);
242 } else 243 } else
243 ret_val = -EINVAL; 244 ret_val = -EINVAL;
244 if (ret_val == 0) { 245
245 if (entry->domain != NULL) 246 if (entry->domain != NULL)
246 audit_domain = entry->domain; 247 audit_domain = entry->domain;
247 else 248 else
248 audit_domain = "(default)"; 249 audit_domain = "(default)";
249 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, 250 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info);
250 audit_secid); 251 audit_log_format(audit_buf, " nlbl_domain=%s", audit_domain);
251 audit_log_format(audit_buf, " domain=%s", audit_domain); 252 switch (entry->type) {
252 switch (entry->type) { 253 case NETLBL_NLTYPE_UNLABELED:
253 case NETLBL_NLTYPE_UNLABELED: 254 audit_log_format(audit_buf, " nlbl_protocol=unlbl");
254 audit_log_format(audit_buf, " protocol=unlbl"); 255 break;
255 break; 256 case NETLBL_NLTYPE_CIPSOV4:
256 case NETLBL_NLTYPE_CIPSOV4: 257 audit_log_format(audit_buf,
257 audit_log_format(audit_buf, 258 " nlbl_protocol=cipsov4 cipso_doi=%u",
258 " protocol=cipsov4 doi=%u", 259 entry->type_def.cipsov4->doi);
259 entry->type_def.cipsov4->doi); 260 break;
260 break;
261 }
262 audit_log_end(audit_buf);
263 } 261 }
262 audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
263 audit_log_end(audit_buf);
264
264 rcu_read_unlock(); 265 rcu_read_unlock();
265 266
266 if (ret_val != 0) { 267 if (ret_val != 0) {
@@ -279,7 +280,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid)
279/** 280/**
280 * netlbl_domhsh_add_default - Adds the default entry to the domain hash table 281 * netlbl_domhsh_add_default - Adds the default entry to the domain hash table
281 * @entry: the entry to add 282 * @entry: the entry to add
282 * @audit_secid: the LSM secid to use in the audit message 283 * @audit_info: NetLabel audit information
283 * 284 *
284 * Description: 285 * Description:
285 * Adds a new default entry to the domain hash table and handles any updates 286 * Adds a new default entry to the domain hash table and handles any updates
@@ -287,15 +288,16 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid)
287 * negative on failure. 288 * negative on failure.
288 * 289 *
289 */ 290 */
290int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid) 291int netlbl_domhsh_add_default(struct netlbl_dom_map *entry,
292 struct netlbl_audit *audit_info)
291{ 293{
292 return netlbl_domhsh_add(entry, audit_secid); 294 return netlbl_domhsh_add(entry, audit_info);
293} 295}
294 296
295/** 297/**
296 * netlbl_domhsh_remove - Removes an entry from the domain hash table 298 * netlbl_domhsh_remove - Removes an entry from the domain hash table
297 * @domain: the domain to remove 299 * @domain: the domain to remove
298 * @audit_secid: the LSM secid to use in the audit message 300 * @audit_info: NetLabel audit information
299 * 301 *
300 * Description: 302 * Description:
301 * Removes an entry from the domain hash table and handles any updates to the 303 * Removes an entry from the domain hash table and handles any updates to the
@@ -303,7 +305,7 @@ int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid)
303 * negative on failure. 305 * negative on failure.
304 * 306 *
305 */ 307 */
306int netlbl_domhsh_remove(const char *domain, u32 audit_secid) 308int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info)
307{ 309{
308 int ret_val = -ENOENT; 310 int ret_val = -ENOENT;
309 struct netlbl_dom_map *entry; 311 struct netlbl_dom_map *entry;
@@ -345,18 +347,20 @@ int netlbl_domhsh_remove(const char *domain, u32 audit_secid)
345 ret_val = -ENOENT; 347 ret_val = -ENOENT;
346 spin_unlock(&netlbl_domhsh_def_lock); 348 spin_unlock(&netlbl_domhsh_def_lock);
347 } 349 }
348 if (ret_val == 0) {
349 if (entry->domain != NULL)
350 audit_domain = entry->domain;
351 else
352 audit_domain = "(default)";
353 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL,
354 audit_secid);
355 audit_log_format(audit_buf, " domain=%s", audit_domain);
356 audit_log_end(audit_buf);
357 350
351 if (entry->domain != NULL)
352 audit_domain = entry->domain;
353 else
354 audit_domain = "(default)";
355 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info);
356 audit_log_format(audit_buf,
357 " nlbl_domain=%s res=%u",
358 audit_domain,
359 ret_val == 0 ? 1 : 0);
360 audit_log_end(audit_buf);
361
362 if (ret_val == 0)
358 call_rcu(&entry->rcu, netlbl_domhsh_free_entry); 363 call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
359 }
360 364
361remove_return: 365remove_return:
362 rcu_read_unlock(); 366 rcu_read_unlock();
@@ -365,7 +369,7 @@ remove_return:
365 369
366/** 370/**
367 * netlbl_domhsh_remove_default - Removes the default entry from the table 371 * netlbl_domhsh_remove_default - Removes the default entry from the table
368 * @audit_secid: the LSM secid to use in the audit message 372 * @audit_info: NetLabel audit information
369 * 373 *
370 * Description: 374 * Description:
371 * Removes/resets the default entry for the domain hash table and handles any 375 * Removes/resets the default entry for the domain hash table and handles any
@@ -373,9 +377,9 @@ remove_return:
373 * success, non-zero on failure. 377 * success, non-zero on failure.
374 * 378 *
375 */ 379 */
376int netlbl_domhsh_remove_default(u32 audit_secid) 380int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info)
377{ 381{
378 return netlbl_domhsh_remove(NULL, audit_secid); 382 return netlbl_domhsh_remove(NULL, audit_info);
379} 383}
380 384
381/** 385/**
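Review bot: The domain name is written with `audit_log_format(audit_buf, " nlbl_domain=%s", audit_domain);` at line 251 and again in netlbl_domhsh_remove at line 357, but entry->domain can originate from a userspace netlink attribute (netlbl_mgmt_add passes nla_data() of NLBL_MGMT_A_DOMAIN), so a domain containing spaces, `=` or control characters can inject fake fields into the record; the kernel audit convention for such data is audit_log_untrustedstring(), which this commit removes from netlabel_user.c. Suggest `audit_log_format(audit_buf, " nlbl_domain="); audit_log_untrustedstring(audit_buf, audit_domain);` at both sites, with the res= part kept in its own audit_log_format(). Separately, netlbl_domhsh_remove now dereferences entry unconditionally at line 351; that is safe only if a NULL lookup result jumps straight to remove_return, which happens above the hunk and is worth confirming, and it also means a lookup miss produces no res=0 record.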
diff --git a/net/netlabel/netlabel_domainhash.h b/net/netlabel/netlabel_domainhash.h
index d50f13cacdca..3689956c3436 100644
--- a/net/netlabel/netlabel_domainhash.h
+++ b/net/netlabel/netlabel_domainhash.h
@@ -57,9 +57,11 @@ struct netlbl_dom_map {
57int netlbl_domhsh_init(u32 size); 57int netlbl_domhsh_init(u32 size);
58 58
59/* Manipulate the domain hash table */ 59/* Manipulate the domain hash table */
60int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid); 60int netlbl_domhsh_add(struct netlbl_dom_map *entry,
61int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid); 61 struct netlbl_audit *audit_info);
62int netlbl_domhsh_remove_default(u32 audit_secid); 62int netlbl_domhsh_add_default(struct netlbl_dom_map *entry,
63 struct netlbl_audit *audit_info);
64int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info);
63struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); 65struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain);
64int netlbl_domhsh_walk(u32 *skip_bkt, 66int netlbl_domhsh_walk(u32 *skip_bkt,
65 u32 *skip_chain, 67 u32 *skip_chain,
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
index 0ac314f18ad1..53c9079ad2c3 100644
--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -87,11 +87,14 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info)
87 struct netlbl_dom_map *entry = NULL; 87 struct netlbl_dom_map *entry = NULL;
88 size_t tmp_size; 88 size_t tmp_size;
89 u32 tmp_val; 89 u32 tmp_val;
90 struct netlbl_audit audit_info;
90 91
91 if (!info->attrs[NLBL_MGMT_A_DOMAIN] || 92 if (!info->attrs[NLBL_MGMT_A_DOMAIN] ||
92 !info->attrs[NLBL_MGMT_A_PROTOCOL]) 93 !info->attrs[NLBL_MGMT_A_PROTOCOL])
93 goto add_failure; 94 goto add_failure;
94 95
96 netlbl_netlink_auditinfo(skb, &audit_info);
97
95 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 98 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
96 if (entry == NULL) { 99 if (entry == NULL) {
97 ret_val = -ENOMEM; 100 ret_val = -ENOMEM;
@@ -108,7 +111,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info)
108 111
109 switch (entry->type) { 112 switch (entry->type) {
110 case NETLBL_NLTYPE_UNLABELED: 113 case NETLBL_NLTYPE_UNLABELED:
111 ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid); 114 ret_val = netlbl_domhsh_add(entry, &audit_info);
112 break; 115 break;
113 case NETLBL_NLTYPE_CIPSOV4: 116 case NETLBL_NLTYPE_CIPSOV4:
114 if (!info->attrs[NLBL_MGMT_A_CV4DOI]) 117 if (!info->attrs[NLBL_MGMT_A_CV4DOI])
@@ -125,7 +128,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info)
125 rcu_read_unlock(); 128 rcu_read_unlock();
126 goto add_failure; 129 goto add_failure;
127 } 130 }
128 ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid); 131 ret_val = netlbl_domhsh_add(entry, &audit_info);
129 rcu_read_unlock(); 132 rcu_read_unlock();
130 break; 133 break;
131 default: 134 default:
@@ -156,12 +159,15 @@ add_failure:
156static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info) 159static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info)
157{ 160{
158 char *domain; 161 char *domain;
162 struct netlbl_audit audit_info;
159 163
160 if (!info->attrs[NLBL_MGMT_A_DOMAIN]) 164 if (!info->attrs[NLBL_MGMT_A_DOMAIN])
161 return -EINVAL; 165 return -EINVAL;
162 166
167 netlbl_netlink_auditinfo(skb, &audit_info);
168
163 domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); 169 domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]);
164 return netlbl_domhsh_remove(domain, NETLINK_CB(skb).sid); 170 return netlbl_domhsh_remove(domain, &audit_info);
165} 171}
166 172
167/** 173/**
@@ -264,10 +270,13 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info)
264 int ret_val = -EINVAL; 270 int ret_val = -EINVAL;
265 struct netlbl_dom_map *entry = NULL; 271 struct netlbl_dom_map *entry = NULL;
266 u32 tmp_val; 272 u32 tmp_val;
273 struct netlbl_audit audit_info;
267 274
268 if (!info->attrs[NLBL_MGMT_A_PROTOCOL]) 275 if (!info->attrs[NLBL_MGMT_A_PROTOCOL])
269 goto adddef_failure; 276 goto adddef_failure;
270 277
278 netlbl_netlink_auditinfo(skb, &audit_info);
279
271 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 280 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
272 if (entry == NULL) { 281 if (entry == NULL) {
273 ret_val = -ENOMEM; 282 ret_val = -ENOMEM;
@@ -277,8 +286,7 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info)
277 286
278 switch (entry->type) { 287 switch (entry->type) {
279 case NETLBL_NLTYPE_UNLABELED: 288 case NETLBL_NLTYPE_UNLABELED:
280 ret_val = netlbl_domhsh_add_default(entry, 289 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
281 NETLINK_CB(skb).sid);
282 break; 290 break;
283 case NETLBL_NLTYPE_CIPSOV4: 291 case NETLBL_NLTYPE_CIPSOV4:
284 if (!info->attrs[NLBL_MGMT_A_CV4DOI]) 292 if (!info->attrs[NLBL_MGMT_A_CV4DOI])
@@ -295,8 +303,7 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info)
295 rcu_read_unlock(); 303 rcu_read_unlock();
296 goto adddef_failure; 304 goto adddef_failure;
297 } 305 }
298 ret_val = netlbl_domhsh_add_default(entry, 306 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
299 NETLINK_CB(skb).sid);
300 rcu_read_unlock(); 307 rcu_read_unlock();
301 break; 308 break;
302 default: 309 default:
@@ -324,7 +331,11 @@ adddef_failure:
324 */ 331 */
325static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) 332static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info)
326{ 333{
327 return netlbl_domhsh_remove_default(NETLINK_CB(skb).sid); 334 struct netlbl_audit audit_info;
335
336 netlbl_netlink_auditinfo(skb, &audit_info);
337
338 return netlbl_domhsh_remove_default(&audit_info);
328} 339}
329 340
330/** 341/**
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index ab36675fee8c..1833ad233b39 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -70,18 +70,25 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
70/** 70/**
71 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag 71 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
72 * @value: desired value 72 * @value: desired value
73 * @audit_secid: the LSM secid to use in the audit message 73 * @audit_info: NetLabel audit information
74 * 74 *
75 * Description: 75 * Description:
76 * Set the value of the unlabeled accept flag to @value. 76 * Set the value of the unlabeled accept flag to @value.
77 * 77 *
78 */ 78 */
79static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid) 79static void netlbl_unlabel_acceptflg_set(u8 value,
80 struct netlbl_audit *audit_info)
80{ 81{
82 struct audit_buffer *audit_buf;
83 u8 old_val;
84
85 old_val = atomic_read(&netlabel_unlabel_accept_flg);
81 atomic_set(&netlabel_unlabel_accept_flg, value); 86 atomic_set(&netlabel_unlabel_accept_flg, value);
82 netlbl_audit_nomsg((value ? 87
83 AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY), 88 audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
84 audit_secid); 89 audit_info);
90 audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val);
91 audit_log_end(audit_buf);
85} 92}
86 93
87/* 94/*
@@ -101,12 +108,13 @@ static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
101static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) 108static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
102{ 109{
103 u8 value; 110 u8 value;
111 struct netlbl_audit audit_info;
104 112
105 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { 113 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
106 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); 114 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
107 if (value == 1 || value == 0) { 115 if (value == 1 || value == 0) {
108 netlbl_unlabel_acceptflg_set(value, 116 netlbl_netlink_auditinfo(skb, &audit_info);
109 NETLINK_CB(skb).sid); 117 netlbl_unlabel_acceptflg_set(value, &audit_info);
110 return 0; 118 return 0;
111 } 119 }
112 } 120 }
@@ -250,19 +258,23 @@ int netlbl_unlabel_defconf(void)
250{ 258{
251 int ret_val; 259 int ret_val;
252 struct netlbl_dom_map *entry; 260 struct netlbl_dom_map *entry;
253 u32 secid; 261 struct netlbl_audit audit_info;
254 262
255 security_task_getsecid(current, &secid); 263 /* Only the kernel is allowed to call this function and the only time
264 * it is called is at bootup before the audit subsystem is reporting
265 * messages so don't worry to much about these values. */
266 security_task_getsecid(current, &audit_info.secid);
267 audit_info.loginuid = 0;
256 268
257 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 269 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
258 if (entry == NULL) 270 if (entry == NULL)
259 return -ENOMEM; 271 return -ENOMEM;
260 entry->type = NETLBL_NLTYPE_UNLABELED; 272 entry->type = NETLBL_NLTYPE_UNLABELED;
261 ret_val = netlbl_domhsh_add_default(entry, secid); 273 ret_val = netlbl_domhsh_add_default(entry, &audit_info);
262 if (ret_val != 0) 274 if (ret_val != 0)
263 return ret_val; 275 return ret_val;
264 276
265 netlbl_unlabel_acceptflg_set(1, secid); 277 netlbl_unlabel_acceptflg_set(1, &audit_info);
266 278
267 return 0; 279 return 0;
268} 280}
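Review bot: In netlbl_unlabel_acceptflg_set the old value is read with atomic_read() at line 85 and the new one stored with atomic_set() at line 86 as two separate operations, so two concurrent callers can both log the same `old=` value and the record no longer reflects the actual transition. `old_val = atomic_xchg(&netlabel_unlabel_accept_flg, value);` makes the read-and-replace a single atomic step and drops a line. Narrowing the returned int into the u8 old_val is fine for the 0/1 values netlbl_unlabel_accept and netlbl_unlabel_defconf pass in.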
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index c2343af584cb..98a416381e61 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -85,7 +85,7 @@ int netlbl_netlink_init(void)
85/** 85/**
86 * netlbl_audit_start_common - Start an audit message 86 * netlbl_audit_start_common - Start an audit message
87 * @type: audit message type 87 * @type: audit message type
88 * @secid: LSM context ID 88 * @audit_info: NetLabel audit information
89 * 89 *
90 * Description: 90 * Description:
91 * Start an audit message using the type specified in @type and fill the audit 91 * Start an audit message using the type specified in @type and fill the audit
@@ -93,14 +93,11 @@ int netlbl_netlink_init(void)
93 * a pointer to the audit buffer on success, NULL on failure. 93 * a pointer to the audit buffer on success, NULL on failure.
94 * 94 *
95 */ 95 */
96struct audit_buffer *netlbl_audit_start_common(int type, u32 secid) 96struct audit_buffer *netlbl_audit_start_common(int type,
97 struct netlbl_audit *audit_info)
97{ 98{
98 struct audit_context *audit_ctx = current->audit_context; 99 struct audit_context *audit_ctx = current->audit_context;
99 struct audit_buffer *audit_buf; 100 struct audit_buffer *audit_buf;
100 uid_t audit_loginuid;
101 const char *audit_tty;
102 char audit_comm[sizeof(current->comm)];
103 struct vm_area_struct *vma;
104 char *secctx; 101 char *secctx;
105 u32 secctx_len; 102 u32 secctx_len;
106 103
@@ -108,60 +105,13 @@ struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
108 if (audit_buf == NULL) 105 if (audit_buf == NULL)
109 return NULL; 106 return NULL;
110 107
111 audit_loginuid = audit_get_loginuid(audit_ctx); 108 audit_log_format(audit_buf, "netlabel: auid=%u", audit_info->loginuid);
112 if (current->signal &&
113 current->signal->tty &&
114 current->signal->tty->name)
115 audit_tty = current->signal->tty->name;
116 else
117 audit_tty = "(none)";
118 get_task_comm(audit_comm, current);
119 109
120 audit_log_format(audit_buf, 110 if (audit_info->secid != 0 &&
121 "netlabel: auid=%u uid=%u tty=%s pid=%d", 111 security_secid_to_secctx(audit_info->secid,
122 audit_loginuid, 112 &secctx,
123 current->uid, 113 &secctx_len) == 0)
124 audit_tty,
125 current->pid);
126 audit_log_format(audit_buf, " comm=");
127 audit_log_untrustedstring(audit_buf, audit_comm);
128 if (current->mm) {
129 down_read(&current->mm->mmap_sem);
130 vma = current->mm->mmap;
131 while (vma) {
132 if ((vma->vm_flags & VM_EXECUTABLE) &&
133 vma->vm_file) {
134 audit_log_d_path(audit_buf,
135 " exe=",
136 vma->vm_file->f_dentry,
137 vma->vm_file->f_vfsmnt);
138 break;
139 }
140 vma = vma->vm_next;
141 }
142 up_read(&current->mm->mmap_sem);
143 }
144
145 if (secid != 0 &&
146 security_secid_to_secctx(secid, &secctx, &secctx_len) == 0)
147 audit_log_format(audit_buf, " subj=%s", secctx); 114 audit_log_format(audit_buf, " subj=%s", secctx);
148 115
149 return audit_buf; 116 return audit_buf;
150} 117}
151
152/**
153 * netlbl_audit_nomsg - Send an audit message without additional text
154 * @type: audit message type
155 * @secid: LSM context ID
156 *
157 * Description:
158 * Send an audit message with only the common NetLabel audit fields.
159 *
160 */
161void netlbl_audit_nomsg(int type, u32 secid)
162{
163 struct audit_buffer *audit_buf;
164
165 audit_buf = netlbl_audit_start_common(type, secid);
166 audit_log_end(audit_buf);
167}
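Review bot: The secctx string obtained from security_secid_to_secctx() at lines 111–113 is logged and then dropped; nothing releases it, so if the LSM allocates the context every NetLabel audit record leaks that buffer. This is inherited from the removed lines 145–147 rather than introduced here, but since the call site is rewritten it is the moment to release the string after the `subj=` audit_log_format() through whatever release call the LSM interface pairs with secid_to_secctx, and to say in the kernel-doc that audit_info must be non-NULL since it is dereferenced without a check at line 108. The function's opening, including the audit_log_start() that audit_ctx feeds, is outside the hunk.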
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index ab840acfc964..47967ef32964 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -72,13 +72,25 @@ static inline void *netlbl_netlink_hdr_put(struct sk_buff *skb,
72 NETLBL_PROTO_VERSION); 72 NETLBL_PROTO_VERSION);
73} 73}
74 74
75/**
76 * netlbl_netlink_auditinfo - Fetch the audit information from a NETLINK msg
77 * @skb: the packet
78 * @audit_info: NetLabel audit information
79 */
80static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
81 struct netlbl_audit *audit_info)
82{
83 audit_info->secid = NETLINK_CB(skb).sid;
84 audit_info->loginuid = NETLINK_CB(skb).loginuid;
85}
86
75/* NetLabel NETLINK I/O functions */ 87/* NetLabel NETLINK I/O functions */
76 88
77int netlbl_netlink_init(void); 89int netlbl_netlink_init(void);
78 90
79/* NetLabel Audit Functions */ 91/* NetLabel Audit Functions */
80 92
81struct audit_buffer *netlbl_audit_start_common(int type, u32 secid); 93struct audit_buffer *netlbl_audit_start_common(int type,
82void netlbl_audit_nomsg(int type, u32 secid); 94 struct netlbl_audit *audit_info);
83 95
84#endif 96#endif
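Review bot: The kernel-doc for the new netlbl_netlink_auditinfo() at lines 75–79 stops at the parameter list, while the other documented functions on this page carry a Description block, and here the one fact a reader needs is where the values come from. Suggest adding `* Description:` followed by `* Copy the LSM secid and audit login uid recorded in NETLINK_CB(@skb) into @audit_info for use by the NetLabel audit functions.` before the closing `*/`.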