-rw-r--r-- | include/linux/audit.h | 11 | ||||
-rw-r--r-- | include/net/cipso_ipv4.h | 4 | ||||
-rw-r--r-- | include/net/netlabel.h | 8 | ||||
-rw-r--r-- | net/ipv4/cipso_ipv4.c | 4 | ||||
-rw-r--r-- | net/netlabel/netlabel_cipso_v4.c | 48 | ||||
-rw-r--r-- | net/netlabel/netlabel_domainhash.c | 82 | ||||
-rw-r--r-- | net/netlabel/netlabel_domainhash.h | 8 | ||||
-rw-r--r-- | net/netlabel/netlabel_mgmt.c | 27 | ||||
-rw-r--r-- | net/netlabel/netlabel_unlabeled.c | 34 | ||||
-rw-r--r-- | net/netlabel/netlabel_user.c | 66 | ||||
-rw-r--r-- | net/netlabel/netlabel_user.h | 16 |
11 files changed, 157 insertions, 151 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 42719d07612a..c3aa09751814 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -95,12 +95,11 @@ | |||
95 | #define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ | 95 | #define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ |
96 | #define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ | 96 | #define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ |
97 | #define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ | 97 | #define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ |
98 | #define AUDIT_MAC_UNLBL_ACCEPT 1406 /* NetLabel: allow unlabeled traffic */ | 98 | #define AUDIT_MAC_UNLBL_ALLOW 1406 /* NetLabel: allow unlabeled traffic */ |
99 | #define AUDIT_MAC_UNLBL_DENY 1407 /* NetLabel: deny unlabeled traffic */ | 99 | #define AUDIT_MAC_CIPSOV4_ADD 1407 /* NetLabel: add CIPSOv4 DOI entry */ |
100 | #define AUDIT_MAC_CIPSOV4_ADD 1408 /* NetLabel: add CIPSOv4 DOI entry */ | 100 | #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ |
101 | #define AUDIT_MAC_CIPSOV4_DEL 1409 /* NetLabel: del CIPSOv4 DOI entry */ | 101 | #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ |
102 | #define AUDIT_MAC_MAP_ADD 1410 /* NetLabel: add LSM domain mapping */ | 102 | #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ |
103 | #define AUDIT_MAC_MAP_DEL 1411 /* NetLabel: del LSM domain mapping */ | ||
104 | 103 | ||
105 | #define AUDIT_FIRST_KERN_ANOM_MSG 1700 | 104 | #define AUDIT_FIRST_KERN_ANOM_MSG 1700 |
106 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 | 105 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 |
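Review bot: The new numbering at 1407–1410 reassigns values that carried a different meaning on the old side (1407 was AUDIT_MAC_UNLBL_DENY, 1408 was CIPSOV4_ADD, and so on), and audit record types are decoded by userspace audit tooling, so a parser built against the old table would label a CIPSOV4_DEL record as CIPSOV4_ADD. Shifting is only safe if the old NetLabel values have never reached a released kernel; if they have, the retired slot should stay reserved, e.g. `/* 1407 reserved: was AUDIT_MAC_UNLBL_DENY */`, with the remaining values left as they were. A short comment on AUDIT_MAC_UNLBL_ALLOW saying that it now covers both the allow and the deny transition (the record carries an `unlbl_accept=` field instead) would also help the next reader of this table.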
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h index 5d6ae1b2b196..718b4d9c891f 100644 --- a/include/net/cipso_ipv4.h +++ b/include/net/cipso_ipv4.h | |||
@@ -129,7 +129,7 @@ extern int cipso_v4_rbm_strictvalid; | |||
129 | #ifdef CONFIG_NETLABEL | 129 | #ifdef CONFIG_NETLABEL |
130 | int cipso_v4_doi_add(struct cipso_v4_doi *doi_def); | 130 | int cipso_v4_doi_add(struct cipso_v4_doi *doi_def); |
131 | int cipso_v4_doi_remove(u32 doi, | 131 | int cipso_v4_doi_remove(u32 doi, |
132 | u32 audit_secid, | 132 | struct netlbl_audit *audit_info, |
133 | void (*callback) (struct rcu_head * head)); | 133 | void (*callback) (struct rcu_head * head)); |
134 | struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi); | 134 | struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi); |
135 | int cipso_v4_doi_walk(u32 *skip_cnt, | 135 | int cipso_v4_doi_walk(u32 *skip_cnt, |
@@ -145,7 +145,7 @@ static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def) | |||
145 | } | 145 | } |
146 | 146 | ||
147 | static inline int cipso_v4_doi_remove(u32 doi, | 147 | static inline int cipso_v4_doi_remove(u32 doi, |
148 | u32 audit_secid, | 148 | struct netlbl_audit *audit_info, |
149 | void (*callback) (struct rcu_head * head)) | 149 | void (*callback) (struct rcu_head * head)) |
150 | { | 150 | { |
151 | return 0; | 151 | return 0; |
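Review bot: The prototypes at 131–133 and 147–149 now name `struct netlbl_audit` in a parameter list; if `<net/netlabel.h>` is not already included above this hunk (the include block is outside what is shown), the first mention declares a distinct type with prototype scope and the compiler warns that it will not match the real definition. A forward declaration `struct netlbl_audit;` placed before the `#ifdef CONFIG_NETLABEL` block avoids that without adding an include dependency.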
diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 190bfdbbdba6..c63a58058e21 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h | |||
@@ -92,11 +92,17 @@ | |||
92 | * | 92 | * |
93 | */ | 93 | */ |
94 | 94 | ||
95 | /* NetLabel audit information */ | ||
96 | struct netlbl_audit { | ||
97 | u32 secid; | ||
98 | uid_t loginuid; | ||
99 | }; | ||
100 | |||
95 | /* Domain mapping definition struct */ | 101 | /* Domain mapping definition struct */ |
96 | struct netlbl_dom_map; | 102 | struct netlbl_dom_map; |
97 | 103 | ||
98 | /* Domain mapping operations */ | 104 | /* Domain mapping operations */ |
99 | int netlbl_domhsh_remove(const char *domain, u32 audit_secid); | 105 | int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info); |
100 | 106 | ||
101 | /* LSM security attributes */ | 107 | /* LSM security attributes */ |
102 | struct netlbl_lsm_cache { | 108 | struct netlbl_lsm_cache { |
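Review bot: The new `struct netlbl_audit` at 96–99 has no field documentation, and elsewhere in the commit its members are filled from different sources (the netlink sender's `NETLINK_CB` in netlbl_netlink_auditinfo, `current` plus a zero loginuid in netlbl_unlabel_defconf), so a reader of this header cannot tell what a zero value means. I would write the fields as `u32 secid;      /* LSM secid of the requester; 0 = none, no subj= is logged */` and `uid_t loginuid; /* audit login uid of the requester */`, which matches the `secid != 0` test in netlbl_audit_start_common.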
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index c4e469ff842d..a8e2e879a647 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c | |||
@@ -485,7 +485,7 @@ doi_add_failure_rlock: | |||
485 | * | 485 | * |
486 | */ | 486 | */ |
487 | int cipso_v4_doi_remove(u32 doi, | 487 | int cipso_v4_doi_remove(u32 doi, |
488 | u32 audit_secid, | 488 | struct netlbl_audit *audit_info, |
489 | void (*callback) (struct rcu_head * head)) | 489 | void (*callback) (struct rcu_head * head)) |
490 | { | 490 | { |
491 | struct cipso_v4_doi *doi_def; | 491 | struct cipso_v4_doi *doi_def; |
@@ -506,7 +506,7 @@ int cipso_v4_doi_remove(u32 doi, | |||
506 | list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list) | 506 | list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list) |
507 | if (dom_iter->valid) | 507 | if (dom_iter->valid) |
508 | netlbl_domhsh_remove(dom_iter->domain, | 508 | netlbl_domhsh_remove(dom_iter->domain, |
509 | audit_secid); | 509 | audit_info); |
510 | cipso_v4_cache_invalidate(); | 510 | cipso_v4_cache_invalidate(); |
511 | rcu_read_unlock(); | 511 | rcu_read_unlock(); |
512 | 512 | ||
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index 09986ca962a6..a6ce1d6d5c59 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c | |||
@@ -384,11 +384,15 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) | |||
384 | u32 doi; | 384 | u32 doi; |
385 | const char *type_str = "(unknown)"; | 385 | const char *type_str = "(unknown)"; |
386 | struct audit_buffer *audit_buf; | 386 | struct audit_buffer *audit_buf; |
387 | struct netlbl_audit audit_info; | ||
387 | 388 | ||
388 | if (!info->attrs[NLBL_CIPSOV4_A_DOI] || | 389 | if (!info->attrs[NLBL_CIPSOV4_A_DOI] || |
389 | !info->attrs[NLBL_CIPSOV4_A_MTYPE]) | 390 | !info->attrs[NLBL_CIPSOV4_A_MTYPE]) |
390 | return -EINVAL; | 391 | return -EINVAL; |
391 | 392 | ||
393 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); | ||
394 | netlbl_netlink_auditinfo(skb, &audit_info); | ||
395 | |||
392 | type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]); | 396 | type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]); |
393 | switch (type) { | 397 | switch (type) { |
394 | case CIPSO_V4_MAP_STD: | 398 | case CIPSO_V4_MAP_STD: |
@@ -401,13 +405,14 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) | |||
401 | break; | 405 | break; |
402 | } | 406 | } |
403 | 407 | ||
404 | if (ret_val == 0) { | 408 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, |
405 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); | 409 | &audit_info); |
406 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, | 410 | audit_log_format(audit_buf, |
407 | NETLINK_CB(skb).sid); | 411 | " cipso_doi=%u cipso_type=%s res=%u", |
408 | audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str); | 412 | doi, |
409 | audit_log_end(audit_buf); | 413 | type_str, |
410 | } | 414 | ret_val == 0 ? 1 : 0); |
415 | audit_log_end(audit_buf); | ||
411 | 416 | ||
412 | return ret_val; | 417 | return ret_val; |
413 | } | 418 | } |
@@ -668,20 +673,25 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) | |||
668 | int ret_val = -EINVAL; | 673 | int ret_val = -EINVAL; |
669 | u32 doi = 0; | 674 | u32 doi = 0; |
670 | struct audit_buffer *audit_buf; | 675 | struct audit_buffer *audit_buf; |
676 | struct netlbl_audit audit_info; | ||
671 | 677 | ||
672 | if (info->attrs[NLBL_CIPSOV4_A_DOI]) { | 678 | if (!info->attrs[NLBL_CIPSOV4_A_DOI]) |
673 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); | 679 | return -EINVAL; |
674 | ret_val = cipso_v4_doi_remove(doi, | ||
675 | NETLINK_CB(skb).sid, | ||
676 | netlbl_cipsov4_doi_free); | ||
677 | } | ||
678 | 680 | ||
679 | if (ret_val == 0) { | 681 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); |
680 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, | 682 | netlbl_netlink_auditinfo(skb, &audit_info); |
681 | NETLINK_CB(skb).sid); | 683 | |
682 | audit_log_format(audit_buf, " doi=%u", doi); | 684 | ret_val = cipso_v4_doi_remove(doi, |
683 | audit_log_end(audit_buf); | 685 | &audit_info, |
684 | } | 686 | netlbl_cipsov4_doi_free); |
687 | |||
688 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, | ||
689 | &audit_info); | ||
690 | audit_log_format(audit_buf, | ||
691 | " cipso_doi=%u res=%u", | ||
692 | doi, | ||
693 | ret_val == 0 ? 1 : 0); | ||
694 | audit_log_end(audit_buf); | ||
685 | 695 | ||
686 | return ret_val; | 696 | return ret_val; |
687 | } | 697 | } |
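Review bot: In netlbl_cipsov4_remove the malformed-request path at 678–679 returns -EINVAL before `audit_info` is gathered, so a privileged caller sending a REMOVE without NLBL_CIPSOV4_A_DOI leaves no audit record, whereas a well-formed request that fails is recorded with `res=0`; netlbl_cipsov4_add has the same gap at 389–391. If the intent is that every management attempt from userspace is audited, the attribute check should fall through to the audit block with `ret_val = -EINVAL` instead of returning early. Separately, the `u32 doi = 0;` initializer at 674 is now dead, since the only path that reads `doi` assigns it first at 681.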
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c index d64e2ae3b129..af4371d3b459 100644 --- a/net/netlabel/netlabel_domainhash.c +++ b/net/netlabel/netlabel_domainhash.c | |||
@@ -188,7 +188,7 @@ int netlbl_domhsh_init(u32 size) | |||
188 | /** | 188 | /** |
189 | * netlbl_domhsh_add - Adds a entry to the domain hash table | 189 | * netlbl_domhsh_add - Adds a entry to the domain hash table |
190 | * @entry: the entry to add | 190 | * @entry: the entry to add |
191 | * @audit_secid: the LSM secid to use in the audit message | 191 | * @audit_info: NetLabel audit information |
192 | * | 192 | * |
193 | * Description: | 193 | * Description: |
194 | * Adds a new entry to the domain hash table and handles any updates to the | 194 | * Adds a new entry to the domain hash table and handles any updates to the |
@@ -196,7 +196,8 @@ int netlbl_domhsh_init(u32 size) | |||
196 | * negative on failure. | 196 | * negative on failure. |
197 | * | 197 | * |
198 | */ | 198 | */ |
199 | int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid) | 199 | int netlbl_domhsh_add(struct netlbl_dom_map *entry, |
200 | struct netlbl_audit *audit_info) | ||
200 | { | 201 | { |
201 | int ret_val; | 202 | int ret_val; |
202 | u32 bkt; | 203 | u32 bkt; |
@@ -241,26 +242,26 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid) | |||
241 | spin_unlock(&netlbl_domhsh_def_lock); | 242 | spin_unlock(&netlbl_domhsh_def_lock); |
242 | } else | 243 | } else |
243 | ret_val = -EINVAL; | 244 | ret_val = -EINVAL; |
244 | if (ret_val == 0) { | 245 | |
245 | if (entry->domain != NULL) | 246 | if (entry->domain != NULL) |
246 | audit_domain = entry->domain; | 247 | audit_domain = entry->domain; |
247 | else | 248 | else |
248 | audit_domain = "(default)"; | 249 | audit_domain = "(default)"; |
249 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, | 250 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info); |
250 | audit_secid); | 251 | audit_log_format(audit_buf, " nlbl_domain=%s", audit_domain); |
251 | audit_log_format(audit_buf, " domain=%s", audit_domain); | 252 | switch (entry->type) { |
252 | switch (entry->type) { | 253 | case NETLBL_NLTYPE_UNLABELED: |
253 | case NETLBL_NLTYPE_UNLABELED: | 254 | audit_log_format(audit_buf, " nlbl_protocol=unlbl"); |
254 | audit_log_format(audit_buf, " protocol=unlbl"); | 255 | break; |
255 | break; | 256 | case NETLBL_NLTYPE_CIPSOV4: |
256 | case NETLBL_NLTYPE_CIPSOV4: | 257 | audit_log_format(audit_buf, |
257 | audit_log_format(audit_buf, | 258 | " nlbl_protocol=cipsov4 cipso_doi=%u", |
258 | " protocol=cipsov4 doi=%u", | 259 | entry->type_def.cipsov4->doi); |
259 | entry->type_def.cipsov4->doi); | 260 | break; |
260 | break; | ||
261 | } | ||
262 | audit_log_end(audit_buf); | ||
263 | } | 261 | } |
262 | audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); | ||
263 | audit_log_end(audit_buf); | ||
264 | |||
264 | rcu_read_unlock(); | 265 | rcu_read_unlock(); |
265 | 266 | ||
266 | if (ret_val != 0) { | 267 | if (ret_val != 0) { |
@@ -279,7 +280,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid) | |||
279 | /** | 280 | /** |
280 | * netlbl_domhsh_add_default - Adds the default entry to the domain hash table | 281 | * netlbl_domhsh_add_default - Adds the default entry to the domain hash table |
281 | * @entry: the entry to add | 282 | * @entry: the entry to add |
282 | * @audit_secid: the LSM secid to use in the audit message | 283 | * @audit_info: NetLabel audit information |
283 | * | 284 | * |
284 | * Description: | 285 | * Description: |
285 | * Adds a new default entry to the domain hash table and handles any updates | 286 | * Adds a new default entry to the domain hash table and handles any updates |
@@ -287,15 +288,16 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid) | |||
287 | * negative on failure. | 288 | * negative on failure. |
288 | * | 289 | * |
289 | */ | 290 | */ |
290 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid) | 291 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, |
292 | struct netlbl_audit *audit_info) | ||
291 | { | 293 | { |
292 | return netlbl_domhsh_add(entry, audit_secid); | 294 | return netlbl_domhsh_add(entry, audit_info); |
293 | } | 295 | } |
294 | 296 | ||
295 | /** | 297 | /** |
296 | * netlbl_domhsh_remove - Removes an entry from the domain hash table | 298 | * netlbl_domhsh_remove - Removes an entry from the domain hash table |
297 | * @domain: the domain to remove | 299 | * @domain: the domain to remove |
298 | * @audit_secid: the LSM secid to use in the audit message | 300 | * @audit_info: NetLabel audit information |
299 | * | 301 | * |
300 | * Description: | 302 | * Description: |
301 | * Removes an entry from the domain hash table and handles any updates to the | 303 | * Removes an entry from the domain hash table and handles any updates to the |
@@ -303,7 +305,7 @@ int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid) | |||
303 | * negative on failure. | 305 | * negative on failure. |
304 | * | 306 | * |
305 | */ | 307 | */ |
306 | int netlbl_domhsh_remove(const char *domain, u32 audit_secid) | 308 | int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) |
307 | { | 309 | { |
308 | int ret_val = -ENOENT; | 310 | int ret_val = -ENOENT; |
309 | struct netlbl_dom_map *entry; | 311 | struct netlbl_dom_map *entry; |
@@ -345,18 +347,20 @@ int netlbl_domhsh_remove(const char *domain, u32 audit_secid) | |||
345 | ret_val = -ENOENT; | 347 | ret_val = -ENOENT; |
346 | spin_unlock(&netlbl_domhsh_def_lock); | 348 | spin_unlock(&netlbl_domhsh_def_lock); |
347 | } | 349 | } |
348 | if (ret_val == 0) { | ||
349 | if (entry->domain != NULL) | ||
350 | audit_domain = entry->domain; | ||
351 | else | ||
352 | audit_domain = "(default)"; | ||
353 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, | ||
354 | audit_secid); | ||
355 | audit_log_format(audit_buf, " domain=%s", audit_domain); | ||
356 | audit_log_end(audit_buf); | ||
357 | 350 | ||
351 | if (entry->domain != NULL) | ||
352 | audit_domain = entry->domain; | ||
353 | else | ||
354 | audit_domain = "(default)"; | ||
355 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); | ||
356 | audit_log_format(audit_buf, | ||
357 | " nlbl_domain=%s res=%u", | ||
358 | audit_domain, | ||
359 | ret_val == 0 ? 1 : 0); | ||
360 | audit_log_end(audit_buf); | ||
361 | |||
362 | if (ret_val == 0) | ||
358 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); | 363 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); |
359 | } | ||
360 | 364 | ||
361 | remove_return: | 365 | remove_return: |
362 | rcu_read_unlock(); | 366 | rcu_read_unlock(); |
@@ -365,7 +369,7 @@ remove_return: | |||
365 | 369 | ||
366 | /** | 370 | /** |
367 | * netlbl_domhsh_remove_default - Removes the default entry from the table | 371 | * netlbl_domhsh_remove_default - Removes the default entry from the table |
368 | * @audit_secid: the LSM secid to use in the audit message | 372 | * @audit_info: NetLabel audit information |
369 | * | 373 | * |
370 | * Description: | 374 | * Description: |
371 | * Removes/resets the default entry for the domain hash table and handles any | 375 | * Removes/resets the default entry for the domain hash table and handles any |
@@ -373,9 +377,9 @@ remove_return: | |||
373 | * success, non-zero on failure. | 377 | * success, non-zero on failure. |
374 | * | 378 | * |
375 | */ | 379 | */ |
376 | int netlbl_domhsh_remove_default(u32 audit_secid) | 380 | int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info) |
377 | { | 381 | { |
378 | return netlbl_domhsh_remove(NULL, audit_secid); | 382 | return netlbl_domhsh_remove(NULL, audit_info); |
379 | } | 383 | } |
380 | 384 | ||
381 | /** | 385 | /** |
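Review bot: In netlbl_domhsh_remove the audit block at 351–360 now runs on the -ENOENT path as well, so `entry->domain` is dereferenced whenever control reaches it, not only after a successful removal as the old `if (ret_val == 0)` guaranteed. The lookup and the `goto remove_return` that protect it are above the hunk, so please confirm that every path reaching 351 has a non-NULL `entry` (the not-found case must still jump to `remove_return` before the audit). If any not-found path can get there, use the caller's argument for the record instead: `audit_domain = domain ? domain : "(default)";`. The matching change in netlbl_domhsh_add at 246 is safe because `entry` is the caller-supplied pointer.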
diff --git a/net/netlabel/netlabel_domainhash.h b/net/netlabel/netlabel_domainhash.h index d50f13cacdca..3689956c3436 100644 --- a/net/netlabel/netlabel_domainhash.h +++ b/net/netlabel/netlabel_domainhash.h | |||
@@ -57,9 +57,11 @@ struct netlbl_dom_map { | |||
57 | int netlbl_domhsh_init(u32 size); | 57 | int netlbl_domhsh_init(u32 size); |
58 | 58 | ||
59 | /* Manipulate the domain hash table */ | 59 | /* Manipulate the domain hash table */ |
60 | int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid); | 60 | int netlbl_domhsh_add(struct netlbl_dom_map *entry, |
61 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid); | 61 | struct netlbl_audit *audit_info); |
62 | int netlbl_domhsh_remove_default(u32 audit_secid); | 62 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, |
63 | struct netlbl_audit *audit_info); | ||
64 | int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info); | ||
63 | struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); | 65 | struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); |
64 | int netlbl_domhsh_walk(u32 *skip_bkt, | 66 | int netlbl_domhsh_walk(u32 *skip_bkt, |
65 | u32 *skip_chain, | 67 | u32 *skip_chain, |
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c index 0ac314f18ad1..53c9079ad2c3 100644 --- a/net/netlabel/netlabel_mgmt.c +++ b/net/netlabel/netlabel_mgmt.c | |||
@@ -87,11 +87,14 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info) | |||
87 | struct netlbl_dom_map *entry = NULL; | 87 | struct netlbl_dom_map *entry = NULL; |
88 | size_t tmp_size; | 88 | size_t tmp_size; |
89 | u32 tmp_val; | 89 | u32 tmp_val; |
90 | struct netlbl_audit audit_info; | ||
90 | 91 | ||
91 | if (!info->attrs[NLBL_MGMT_A_DOMAIN] || | 92 | if (!info->attrs[NLBL_MGMT_A_DOMAIN] || |
92 | !info->attrs[NLBL_MGMT_A_PROTOCOL]) | 93 | !info->attrs[NLBL_MGMT_A_PROTOCOL]) |
93 | goto add_failure; | 94 | goto add_failure; |
94 | 95 | ||
96 | netlbl_netlink_auditinfo(skb, &audit_info); | ||
97 | |||
95 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); | 98 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
96 | if (entry == NULL) { | 99 | if (entry == NULL) { |
97 | ret_val = -ENOMEM; | 100 | ret_val = -ENOMEM; |
@@ -108,7 +111,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info) | |||
108 | 111 | ||
109 | switch (entry->type) { | 112 | switch (entry->type) { |
110 | case NETLBL_NLTYPE_UNLABELED: | 113 | case NETLBL_NLTYPE_UNLABELED: |
111 | ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid); | 114 | ret_val = netlbl_domhsh_add(entry, &audit_info); |
112 | break; | 115 | break; |
113 | case NETLBL_NLTYPE_CIPSOV4: | 116 | case NETLBL_NLTYPE_CIPSOV4: |
114 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) | 117 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) |
@@ -125,7 +128,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info) | |||
125 | rcu_read_unlock(); | 128 | rcu_read_unlock(); |
126 | goto add_failure; | 129 | goto add_failure; |
127 | } | 130 | } |
128 | ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid); | 131 | ret_val = netlbl_domhsh_add(entry, &audit_info); |
129 | rcu_read_unlock(); | 132 | rcu_read_unlock(); |
130 | break; | 133 | break; |
131 | default: | 134 | default: |
@@ -156,12 +159,15 @@ add_failure: | |||
156 | static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info) | 159 | static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info) |
157 | { | 160 | { |
158 | char *domain; | 161 | char *domain; |
162 | struct netlbl_audit audit_info; | ||
159 | 163 | ||
160 | if (!info->attrs[NLBL_MGMT_A_DOMAIN]) | 164 | if (!info->attrs[NLBL_MGMT_A_DOMAIN]) |
161 | return -EINVAL; | 165 | return -EINVAL; |
162 | 166 | ||
167 | netlbl_netlink_auditinfo(skb, &audit_info); | ||
168 | |||
163 | domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); | 169 | domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); |
164 | return netlbl_domhsh_remove(domain, NETLINK_CB(skb).sid); | 170 | return netlbl_domhsh_remove(domain, &audit_info); |
165 | } | 171 | } |
166 | 172 | ||
167 | /** | 173 | /** |
@@ -264,10 +270,13 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info) | |||
264 | int ret_val = -EINVAL; | 270 | int ret_val = -EINVAL; |
265 | struct netlbl_dom_map *entry = NULL; | 271 | struct netlbl_dom_map *entry = NULL; |
266 | u32 tmp_val; | 272 | u32 tmp_val; |
273 | struct netlbl_audit audit_info; | ||
267 | 274 | ||
268 | if (!info->attrs[NLBL_MGMT_A_PROTOCOL]) | 275 | if (!info->attrs[NLBL_MGMT_A_PROTOCOL]) |
269 | goto adddef_failure; | 276 | goto adddef_failure; |
270 | 277 | ||
278 | netlbl_netlink_auditinfo(skb, &audit_info); | ||
279 | |||
271 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); | 280 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
272 | if (entry == NULL) { | 281 | if (entry == NULL) { |
273 | ret_val = -ENOMEM; | 282 | ret_val = -ENOMEM; |
@@ -277,8 +286,7 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info) | |||
277 | 286 | ||
278 | switch (entry->type) { | 287 | switch (entry->type) { |
279 | case NETLBL_NLTYPE_UNLABELED: | 288 | case NETLBL_NLTYPE_UNLABELED: |
280 | ret_val = netlbl_domhsh_add_default(entry, | 289 | ret_val = netlbl_domhsh_add_default(entry, &audit_info); |
281 | NETLINK_CB(skb).sid); | ||
282 | break; | 290 | break; |
283 | case NETLBL_NLTYPE_CIPSOV4: | 291 | case NETLBL_NLTYPE_CIPSOV4: |
284 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) | 292 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) |
@@ -295,8 +303,7 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info) | |||
295 | rcu_read_unlock(); | 303 | rcu_read_unlock(); |
296 | goto adddef_failure; | 304 | goto adddef_failure; |
297 | } | 305 | } |
298 | ret_val = netlbl_domhsh_add_default(entry, | 306 | ret_val = netlbl_domhsh_add_default(entry, &audit_info); |
299 | NETLINK_CB(skb).sid); | ||
300 | rcu_read_unlock(); | 307 | rcu_read_unlock(); |
301 | break; | 308 | break; |
302 | default: | 309 | default: |
@@ -324,7 +331,11 @@ adddef_failure: | |||
324 | */ | 331 | */ |
325 | static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) | 332 | static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) |
326 | { | 333 | { |
327 | return netlbl_domhsh_remove_default(NETLINK_CB(skb).sid); | 334 | struct netlbl_audit audit_info; |
335 | |||
336 | netlbl_netlink_auditinfo(skb, &audit_info); | ||
337 | |||
338 | return netlbl_domhsh_remove_default(&audit_info); | ||
328 | } | 339 | } |
329 | 340 | ||
330 | /** | 341 | /** |
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index ab36675fee8c..1833ad233b39 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c | |||
@@ -70,18 +70,25 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = { | |||
70 | /** | 70 | /** |
71 | * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag | 71 | * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag |
72 | * @value: desired value | 72 | * @value: desired value |
73 | * @audit_secid: the LSM secid to use in the audit message | 73 | * @audit_info: NetLabel audit information |
74 | * | 74 | * |
75 | * Description: | 75 | * Description: |
76 | * Set the value of the unlabeled accept flag to @value. | 76 | * Set the value of the unlabeled accept flag to @value. |
77 | * | 77 | * |
78 | */ | 78 | */ |
79 | static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid) | 79 | static void netlbl_unlabel_acceptflg_set(u8 value, |
80 | struct netlbl_audit *audit_info) | ||
80 | { | 81 | { |
82 | struct audit_buffer *audit_buf; | ||
83 | u8 old_val; | ||
84 | |||
85 | old_val = atomic_read(&netlabel_unlabel_accept_flg); | ||
81 | atomic_set(&netlabel_unlabel_accept_flg, value); | 86 | atomic_set(&netlabel_unlabel_accept_flg, value); |
82 | netlbl_audit_nomsg((value ? | 87 | |
83 | AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY), | 88 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW, |
84 | audit_secid); | 89 | audit_info); |
90 | audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val); | ||
91 | audit_log_end(audit_buf); | ||
85 | } | 92 | } |
86 | 93 | ||
87 | /* | 94 | /* |
@@ -101,12 +108,13 @@ static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid) | |||
101 | static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) | 108 | static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) |
102 | { | 109 | { |
103 | u8 value; | 110 | u8 value; |
111 | struct netlbl_audit audit_info; | ||
104 | 112 | ||
105 | if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { | 113 | if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { |
106 | value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); | 114 | value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); |
107 | if (value == 1 || value == 0) { | 115 | if (value == 1 || value == 0) { |
108 | netlbl_unlabel_acceptflg_set(value, | 116 | netlbl_netlink_auditinfo(skb, &audit_info); |
109 | NETLINK_CB(skb).sid); | 117 | netlbl_unlabel_acceptflg_set(value, &audit_info); |
110 | return 0; | 118 | return 0; |
111 | } | 119 | } |
112 | } | 120 | } |
@@ -250,19 +258,23 @@ int netlbl_unlabel_defconf(void) | |||
250 | { | 258 | { |
251 | int ret_val; | 259 | int ret_val; |
252 | struct netlbl_dom_map *entry; | 260 | struct netlbl_dom_map *entry; |
253 | u32 secid; | 261 | struct netlbl_audit audit_info; |
254 | 262 | ||
255 | security_task_getsecid(current, &secid); | 263 | /* Only the kernel is allowed to call this function and the only time |
264 | * it is called is at bootup before the audit subsystem is reporting | ||
265 | * messages so don't worry to much about these values. */ | ||
266 | security_task_getsecid(current, &audit_info.secid); | ||
267 | audit_info.loginuid = 0; | ||
256 | 268 | ||
257 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); | 269 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
258 | if (entry == NULL) | 270 | if (entry == NULL) |
259 | return -ENOMEM; | 271 | return -ENOMEM; |
260 | entry->type = NETLBL_NLTYPE_UNLABELED; | 272 | entry->type = NETLBL_NLTYPE_UNLABELED; |
261 | ret_val = netlbl_domhsh_add_default(entry, secid); | 273 | ret_val = netlbl_domhsh_add_default(entry, &audit_info); |
262 | if (ret_val != 0) | 274 | if (ret_val != 0) |
263 | return ret_val; | 275 | return ret_val; |
264 | 276 | ||
265 | netlbl_unlabel_acceptflg_set(1, secid); | 277 | netlbl_unlabel_acceptflg_set(1, &audit_info); |
266 | 278 | ||
267 | return 0; | 279 | return 0; |
268 | } | 280 | } |
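Review bot: In netlbl_unlabel_acceptflg_set the `atomic_read` at 85 and the `atomic_set` at 86 are two separate operations, so with two concurrent setters both audit records can report the same `old=` value and the trail no longer shows which request actually flipped the flag. Reading the previous value and storing the new one in a single step fixes that: replace 85–86 with `old_val = atomic_xchg(&netlabel_unlabel_accept_flg, value);`. The comment in netlbl_unlabel_defconf at 263–265 also reads `to much` for `too much`.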
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index c2343af584cb..98a416381e61 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c | |||
@@ -85,7 +85,7 @@ int netlbl_netlink_init(void) | |||
85 | /** | 85 | /** |
86 | * netlbl_audit_start_common - Start an audit message | 86 | * netlbl_audit_start_common - Start an audit message |
87 | * @type: audit message type | 87 | * @type: audit message type |
88 | * @secid: LSM context ID | 88 | * @audit_info: NetLabel audit information |
89 | * | 89 | * |
90 | * Description: | 90 | * Description: |
91 | * Start an audit message using the type specified in @type and fill the audit | 91 | * Start an audit message using the type specified in @type and fill the audit |
@@ -93,14 +93,11 @@ int netlbl_netlink_init(void) | |||
93 | * a pointer to the audit buffer on success, NULL on failure. | 93 | * a pointer to the audit buffer on success, NULL on failure. |
94 | * | 94 | * |
95 | */ | 95 | */ |
96 | struct audit_buffer *netlbl_audit_start_common(int type, u32 secid) | 96 | struct audit_buffer *netlbl_audit_start_common(int type, |
97 | struct netlbl_audit *audit_info) | ||
97 | { | 98 | { |
98 | struct audit_context *audit_ctx = current->audit_context; | 99 | struct audit_context *audit_ctx = current->audit_context; |
99 | struct audit_buffer *audit_buf; | 100 | struct audit_buffer *audit_buf; |
100 | uid_t audit_loginuid; | ||
101 | const char *audit_tty; | ||
102 | char audit_comm[sizeof(current->comm)]; | ||
103 | struct vm_area_struct *vma; | ||
104 | char *secctx; | 101 | char *secctx; |
105 | u32 secctx_len; | 102 | u32 secctx_len; |
106 | 103 | ||
@@ -108,60 +105,13 @@ struct audit_buffer *netlbl_audit_start_common(int type, u32 secid) | |||
108 | if (audit_buf == NULL) | 105 | if (audit_buf == NULL) |
109 | return NULL; | 106 | return NULL; |
110 | 107 | ||
111 | audit_loginuid = audit_get_loginuid(audit_ctx); | 108 | audit_log_format(audit_buf, "netlabel: auid=%u", audit_info->loginuid); |
112 | if (current->signal && | ||
113 | current->signal->tty && | ||
114 | current->signal->tty->name) | ||
115 | audit_tty = current->signal->tty->name; | ||
116 | else | ||
117 | audit_tty = "(none)"; | ||
118 | get_task_comm(audit_comm, current); | ||
119 | 109 | ||
120 | audit_log_format(audit_buf, | 110 | if (audit_info->secid != 0 && |
121 | "netlabel: auid=%u uid=%u tty=%s pid=%d", | 111 | security_secid_to_secctx(audit_info->secid, |
122 | audit_loginuid, | 112 | &secctx, |
123 | current->uid, | 113 | &secctx_len) == 0) |
124 | audit_tty, | ||
125 | current->pid); | ||
126 | audit_log_format(audit_buf, " comm="); | ||
127 | audit_log_untrustedstring(audit_buf, audit_comm); | ||
128 | if (current->mm) { | ||
129 | down_read(¤t->mm->mmap_sem); | ||
130 | vma = current->mm->mmap; | ||
131 | while (vma) { | ||
132 | if ((vma->vm_flags & VM_EXECUTABLE) && | ||
133 | vma->vm_file) { | ||
134 | audit_log_d_path(audit_buf, | ||
135 | " exe=", | ||
136 | vma->vm_file->f_dentry, | ||
137 | vma->vm_file->f_vfsmnt); | ||
138 | break; | ||
139 | } | ||
140 | vma = vma->vm_next; | ||
141 | } | ||
142 | up_read(¤t->mm->mmap_sem); | ||
143 | } | ||
144 | |||
145 | if (secid != 0 && | ||
146 | security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) | ||
147 | audit_log_format(audit_buf, " subj=%s", secctx); | 114 | audit_log_format(audit_buf, " subj=%s", secctx); |
148 | 115 | ||
149 | return audit_buf; | 116 | return audit_buf; |
150 | } | 117 | } |
151 | |||
152 | /** | ||
153 | * netlbl_audit_nomsg - Send an audit message without additional text | ||
154 | * @type: audit message type | ||
155 | * @secid: LSM context ID | ||
156 | * | ||
157 | * Description: | ||
158 | * Send an audit message with only the common NetLabel audit fields. | ||
159 | * | ||
160 | */ | ||
161 | void netlbl_audit_nomsg(int type, u32 secid) | ||
162 | { | ||
163 | struct audit_buffer *audit_buf; | ||
164 | |||
165 | audit_buf = netlbl_audit_start_common(type, secid); | ||
166 | audit_log_end(audit_buf); | ||
167 | } | ||
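Review bot: The `secctx` obtained from security_secid_to_secctx at 110–114 is logged and then dropped; if the LSM allocates that string per call, every audited NetLabel operation leaks it, and the old code had the same gap. If this tree has a release hook, free it after the format call; otherwise mark it, `/* TODO: secctx is never released; leaks with LSMs that allocate it */`, so it is not forgotten. The kernel-doc should also say that the record is now deliberately limited to `auid=` and `subj=` taken from @audit_info rather than from `current`, and why the `uid=`, `tty=`, `pid=`, `comm=` and `exe=` fields were dropped, so the next reader does not put them back.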
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index ab840acfc964..47967ef32964 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h | |||
@@ -72,13 +72,25 @@ static inline void *netlbl_netlink_hdr_put(struct sk_buff *skb, | |||
72 | NETLBL_PROTO_VERSION); | 72 | NETLBL_PROTO_VERSION); |
73 | } | 73 | } |
74 | 74 | ||
75 | /** | ||
76 | * netlbl_netlink_auditinfo - Fetch the audit information from a NETLINK msg | ||
77 | * @skb: the packet | ||
78 | * @audit_info: NetLabel audit information | ||
79 | */ | ||
80 | static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, | ||
81 | struct netlbl_audit *audit_info) | ||
82 | { | ||
83 | audit_info->secid = NETLINK_CB(skb).sid; | ||
84 | audit_info->loginuid = NETLINK_CB(skb).loginuid; | ||
85 | } | ||
86 | |||
75 | /* NetLabel NETLINK I/O functions */ | 87 | /* NetLabel NETLINK I/O functions */ |
76 | 88 | ||
77 | int netlbl_netlink_init(void); | 89 | int netlbl_netlink_init(void); |
78 | 90 | ||
79 | /* NetLabel Audit Functions */ | 91 | /* NetLabel Audit Functions */ |
80 | 92 | ||
81 | struct audit_buffer *netlbl_audit_start_common(int type, u32 secid); | 93 | struct audit_buffer *netlbl_audit_start_common(int type, |
82 | void netlbl_audit_nomsg(int type, u32 secid); | 94 | struct netlbl_audit *audit_info); |
83 | 95 | ||
84 | #endif | 96 | #endif |
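Review bot: The kernel-doc for netlbl_netlink_auditinfo at 75–79 has no Description, and the one fact a caller needs is where the values come from: the netlink sender's socket control block, not `current`. I would add ` * Description:` followed by ` * Fills @audit_info with the sender's LSM secid and login uid as recorded in NETLINK_CB(@skb); these are what netlbl_audit_start_common() reports as auid= and subj=.` The inline function and the prototype below it both depend on `struct netlbl_audit`, so this header needs `<net/netlabel.h>` included above the hunk, which I cannot confirm from here.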