-rw-r--r--include/linux/lsm_audit.h2
-rw-r--r--security/Makefile4
-rw-r--r--security/lsm_audit.c2
-rw-r--r--security/selinux/avc.c197
-rw-r--r--security/selinux/hooks.c142
-rw-r--r--security/selinux/include/avc.h49
-rw-r--r--security/selinux/include/netlabel.h4
-rw-r--r--security/selinux/include/xfrm.h8
-rw-r--r--security/selinux/netlabel.c2
-rw-r--r--security/selinux/xfrm.c4
10 files changed, 131 insertions, 283 deletions
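diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index a5514a3a4f17..190c37854870 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -33,6 +33,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_IPC 4
 #define LSM_AUDIT_DATA_TASK 5
 #define LSM_AUDIT_DATA_KEY 6
+#define LSM_AUDIT_NO_AUDIT 7
 	struct task_struct *tsk;
 	union {
 		struct {
@@ -86,6 +87,7 @@ struct common_audit_data {
 		u16 tclass;
 		u32 requested;
 		u32 audited;
+		u32 denied;
 		struct av_decision *avd;
 		int result;
 	} selinux_audit_data;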
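Review bot: `LSM_AUDIT_NO_AUDIT` reads as "emit no audit record", but the avc.c hunks still install the pre/post callbacks and call common_lsm_audit() with this type, and the lsm_audit.c hunk only skips the type-specific dump for it, so a record is evidently still written; the constant carries no comment to correct that impression. A trailing comment would do it: `#define LSM_AUDIT_NO_AUDIT 7	/* no type-specific data in u; the record is still logged */`. The new `u32 denied;` is likewise bare beside `requested` and `audited`; `u32 denied;	/* requested & ~avd->allowed, set by avc_audit() */` would tie it to its writer.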
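diff --git a/security/Makefile b/security/Makefile
index b56e7f9ecbc2..95ecc06392d7 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -16,9 +16,7 @@ obj-$(CONFIG_SECURITYFS) += inode.o
 # Must precede capability.o in order to stack properly.
 obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
 obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
-ifeq ($(CONFIG_AUDIT),y)
-obj-$(CONFIG_SECURITY_SMACK) += lsm_audit.o
-endif
+obj-$(CONFIG_AUDIT) += lsm_audit.o
 obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
 obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o
 obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o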
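diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 94b868494b31..500aad0ebd6a 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -220,6 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 	}
 
 	switch (a->type) {
+	case LSM_AUDIT_NO_AUDIT:
+		return;
 	case LSM_AUDIT_DATA_IPC:
 		audit_log_format(ab, " key=%d ", a->u.ipc_id);
 		break;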
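Review bot: The new `case LSM_AUDIT_NO_AUDIT: return;` leaves dump_common_audit_data() from inside the switch, so whatever the function does after the switch is skipped for this type; the rest of the function lies outside the hunk, so I cannot see whether anything follows today, but `break;` would keep the case's effect local to the switch and would not silently change meaning when code is later added after it. If the early exit is deliberate, a one-line comment such as `/* caller supplied no type-specific data; nothing to dump */` would keep the next reader from taking it for a missing break.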
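diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 236aaa2ea86d..e3d19014259b 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -492,23 +492,35 @@ out:
 	return node;
 }
 
-static inline void avc_print_ipv6_addr(struct audit_buffer *ab,
-				       struct in6_addr *addr, __be16 port,
-				       char *name1, char *name2)
+/**
+ * avc_audit_pre_callback - SELinux specific information
+ * will be called by generic audit code
+ * @ab: the audit buffer
+ * @a: audit_data
+ */
+static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 {
-	if (!ipv6_addr_any(addr))
-		audit_log_format(ab, " %s=%pI6", name1, addr);
-	if (port)
-		audit_log_format(ab, " %s=%d", name2, ntohs(port));
+	struct common_audit_data *ad = a;
+	audit_log_format(ab, "avc: %s ",
+			 ad->selinux_audit_data.denied ? "denied" : "granted");
+	avc_dump_av(ab, ad->selinux_audit_data.tclass,
+			ad->selinux_audit_data.audited);
+	audit_log_format(ab, " for ");
 }
 
-static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
-				       __be16 port, char *name1, char *name2)
+/**
+ * avc_audit_post_callback - SELinux specific information
+ * will be called by generic audit code
+ * @ab: the audit buffer
+ * @a: audit_data
+ */
+static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 {
-	if (addr)
-		audit_log_format(ab, " %s=%pI4", name1, &addr);
-	if (port)
-		audit_log_format(ab, " %s=%d", name2, ntohs(port));
+	struct common_audit_data *ad = a;
+	audit_log_format(ab, " ");
+	avc_dump_query(ab, ad->selinux_audit_data.ssid,
+			  ad->selinux_audit_data.tsid,
+			  ad->selinux_audit_data.tclass);
 }
 
 /**
@@ -532,13 +544,10 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
  */
 void avc_audit(u32 ssid, u32 tsid,
 	       u16 tclass, u32 requested,
-	       struct av_decision *avd, int result, struct avc_audit_data *a)
+	       struct av_decision *avd, int result, struct common_audit_data *a)
 {
-	struct task_struct *tsk = current;
-	struct inode *inode = NULL;
+	struct common_audit_data stack_data;
 	u32 denied, audited;
-	struct audit_buffer *ab;
-
 	denied = requested & ~avd->allowed;
 	if (denied) {
 		audited = denied;
@@ -551,144 +560,20 @@ void avc_audit(u32 ssid, u32 tsid,
 		if (!(audited & avd->auditallow))
 			return;
 	}
-
-	ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC);
-	if (!ab)
-		return; /* audit_panic has been called */
-	audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
-	avc_dump_av(ab, tclass, audited);
-	audit_log_format(ab, " for ");
-	if (a && a->tsk)
-		tsk = a->tsk;
-	if (tsk && tsk->pid) {
-		audit_log_format(ab, " pid=%d comm=", tsk->pid);
-		audit_log_untrustedstring(ab, tsk->comm);
-	}
-	if (a) {
-		switch (a->type) {
-		case AVC_AUDIT_DATA_IPC:
-			audit_log_format(ab, " key=%d", a->u.ipc_id);
-			break;
-		case AVC_AUDIT_DATA_CAP:
-			audit_log_format(ab, " capability=%d", a->u.cap);
-			break;
-		case AVC_AUDIT_DATA_FS:
-			if (a->u.fs.path.dentry) {
-				struct dentry *dentry = a->u.fs.path.dentry;
-				if (a->u.fs.path.mnt) {
-					audit_log_d_path(ab, "path=",
-							 &a->u.fs.path);
-				} else {
-					audit_log_format(ab, " name=");
-					audit_log_untrustedstring(ab, dentry->d_name.name);
-				}
-				inode = dentry->d_inode;
-			} else if (a->u.fs.inode) {
-				struct dentry *dentry;
-				inode = a->u.fs.inode;
-				dentry = d_find_alias(inode);
-				if (dentry) {
-					audit_log_format(ab, " name=");
-					audit_log_untrustedstring(ab, dentry->d_name.name);
-					dput(dentry);
-				}
-			}
-			if (inode)
-				audit_log_format(ab, " dev=%s ino=%lu",
-						 inode->i_sb->s_id,
-						 inode->i_ino);
-			break;
-		case AVC_AUDIT_DATA_NET:
-			if (a->u.net.sk) {
-				struct sock *sk = a->u.net.sk;
-				struct unix_sock *u;
-				int len = 0;
-				char *p = NULL;
-
-				switch (sk->sk_family) {
-				case AF_INET: {
-					struct inet_sock *inet = inet_sk(sk);
-
-					avc_print_ipv4_addr(ab, inet->rcv_saddr,
-							    inet->sport,
-							    "laddr", "lport");
-					avc_print_ipv4_addr(ab, inet->daddr,
-							    inet->dport,
-							    "faddr", "fport");
-					break;
-				}
-				case AF_INET6: {
-					struct inet_sock *inet = inet_sk(sk);
-					struct ipv6_pinfo *inet6 = inet6_sk(sk);
-
-					avc_print_ipv6_addr(ab, &inet6->rcv_saddr,
-							    inet->sport,
-							    "laddr", "lport");
-					avc_print_ipv6_addr(ab, &inet6->daddr,
-							    inet->dport,
-							    "faddr", "fport");
-					break;
-				}
-				case AF_UNIX:
-					u = unix_sk(sk);
-					if (u->dentry) {
-						struct path path = {
-							.dentry = u->dentry,
-							.mnt = u->mnt
-						};
-						audit_log_d_path(ab, "path=",
-								 &path);
-						break;
-					}
-					if (!u->addr)
-						break;
-					len = u->addr->len-sizeof(short);
-					p = &u->addr->name->sun_path[0];
-					audit_log_format(ab, " path=");
-					if (*p)
-						audit_log_untrustedstring(ab, p);
-					else
-						audit_log_n_hex(ab, p, len);
-					break;
-				}
-			}
-
-			switch (a->u.net.family) {
-			case AF_INET:
-				avc_print_ipv4_addr(ab, a->u.net.v4info.saddr,
-						    a->u.net.sport,
-						    "saddr", "src");
-				avc_print_ipv4_addr(ab, a->u.net.v4info.daddr,
-						    a->u.net.dport,
-						    "daddr", "dest");
-				break;
-			case AF_INET6:
-				avc_print_ipv6_addr(ab, &a->u.net.v6info.saddr,
-						    a->u.net.sport,
-						    "saddr", "src");
-				avc_print_ipv6_addr(ab, &a->u.net.v6info.daddr,
-						    a->u.net.dport,
-						    "daddr", "dest");
-				break;
-			}
-			if (a->u.net.netif > 0) {
-				struct net_device *dev;
-
-				/* NOTE: we always use init's namespace */
-				dev = dev_get_by_index(&init_net,
-						       a->u.net.netif);
-				if (dev) {
-					audit_log_format(ab, " netif=%s",
-							 dev->name);
-					dev_put(dev);
-				}
-			}
-			break;
-		}
+	if (!a) {
+		a = &stack_data;
+		memset(a, 0, sizeof(*a));
+		a->type = LSM_AUDIT_NO_AUDIT;
 	}
-	audit_log_format(ab, " ");
-	avc_dump_query(ab, ssid, tsid, tclass);
-	audit_log_end(ab);
+	a->selinux_audit_data.tclass = tclass;
+	a->selinux_audit_data.requested = requested;
+	a->selinux_audit_data.ssid = ssid;
+	a->selinux_audit_data.tsid = tsid;
+	a->selinux_audit_data.audited = audited;
+	a->selinux_audit_data.denied = denied;
+	a->lsm_pre_audit = avc_audit_pre_callback;
+	a->lsm_post_audit = avc_audit_post_callback;
+	common_lsm_audit(a);
 }
 
 /**
@@ -956,7 +841,7 @@ out:
  * another -errno upon other errors.
  */
 int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
-		 u32 requested, struct avc_audit_data *auditdata)
+		 u32 requested, struct common_audit_data *auditdata)
 {
 	struct av_decision avd;
 	int rc;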
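Review bot: With a NULL `a`, avc_audit() now hands common_lsm_audit() a zeroed `stack_data` whose `tsk` is NULL, whereas the removed code started from `struct task_struct *tsk = current;` and emitted `pid=`/`comm=` for any task with a non-zero pid; whether common_lsm_audit() falls back to current in the same way is not visible in these hunks, and if it does not, AVC records logged without audit data lose the process identity that log consumers correlate denials on. That contract belongs in the kernel-doc of avc_audit, whose comment block ends just above the second hunk: `@a: auxiliary audit data, or NULL; the task is then taken from current`, once the fallback is confirmed. The kernel-doc added for the two callbacks is also hard to read — `SELinux specific information will be called by generic audit code` — and `@a: audit_data` names neither the type nor the cast; `avc_audit_pre_callback - log the decision, class and permissions that open an AVC record; invoked by common_lsm_audit()` with `@a: the struct common_audit_data being logged` would say what each does.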
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5aa45b168122..254b7983657d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1478,14 +1478,14 @@ static int task_has_capability(struct task_struct *tsk,
1478 const struct cred *cred, 1478 const struct cred *cred,
1479 int cap, int audit) 1479 int cap, int audit)
1480{ 1480{
1481 struct avc_audit_data ad; 1481 struct common_audit_data ad;
1482 struct av_decision avd; 1482 struct av_decision avd;
1483 u16 sclass; 1483 u16 sclass;
1484 u32 sid = cred_sid(cred); 1484 u32 sid = cred_sid(cred);
1485 u32 av = CAP_TO_MASK(cap); 1485 u32 av = CAP_TO_MASK(cap);
1486 int rc; 1486 int rc;
1487 1487
1488 AVC_AUDIT_DATA_INIT(&ad, CAP); 1488 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1489 ad.tsk = tsk; 1489 ad.tsk = tsk;
1490 ad.u.cap = cap; 1490 ad.u.cap = cap;
1491 1491
@@ -1524,10 +1524,10 @@ static int task_has_system(struct task_struct *tsk,
1524static int inode_has_perm(const struct cred *cred, 1524static int inode_has_perm(const struct cred *cred,
1525 struct inode *inode, 1525 struct inode *inode,
1526 u32 perms, 1526 u32 perms,
1527 struct avc_audit_data *adp) 1527 struct common_audit_data *adp)
1528{ 1528{
1529 struct inode_security_struct *isec; 1529 struct inode_security_struct *isec;
1530 struct avc_audit_data ad; 1530 struct common_audit_data ad;
1531 u32 sid; 1531 u32 sid;
1532 1532
1533 if (unlikely(IS_PRIVATE(inode))) 1533 if (unlikely(IS_PRIVATE(inode)))
@@ -1538,7 +1538,7 @@ static int inode_has_perm(const struct cred *cred,
1538 1538
1539 if (!adp) { 1539 if (!adp) {
1540 adp = &ad; 1540 adp = &ad;
1541 AVC_AUDIT_DATA_INIT(&ad, FS); 1541 COMMON_AUDIT_DATA_INIT(&ad, FS);
1542 ad.u.fs.inode = inode; 1542 ad.u.fs.inode = inode;
1543 } 1543 }
1544 1544
@@ -1554,9 +1554,9 @@ static inline int dentry_has_perm(const struct cred *cred,
1554 u32 av) 1554 u32 av)
1555{ 1555{
1556 struct inode *inode = dentry->d_inode; 1556 struct inode *inode = dentry->d_inode;
1557 struct avc_audit_data ad; 1557 struct common_audit_data ad;
1558 1558
1559 AVC_AUDIT_DATA_INIT(&ad, FS); 1559 COMMON_AUDIT_DATA_INIT(&ad, FS);
1560 ad.u.fs.path.mnt = mnt; 1560 ad.u.fs.path.mnt = mnt;
1561 ad.u.fs.path.dentry = dentry; 1561 ad.u.fs.path.dentry = dentry;
1562 return inode_has_perm(cred, inode, av, &ad); 1562 return inode_has_perm(cred, inode, av, &ad);
@@ -1576,11 +1576,11 @@ static int file_has_perm(const struct cred *cred,
1576{ 1576{
1577 struct file_security_struct *fsec = file->f_security; 1577 struct file_security_struct *fsec = file->f_security;
1578 struct inode *inode = file->f_path.dentry->d_inode; 1578 struct inode *inode = file->f_path.dentry->d_inode;
1579 struct avc_audit_data ad; 1579 struct common_audit_data ad;
1580 u32 sid = cred_sid(cred); 1580 u32 sid = cred_sid(cred);
1581 int rc; 1581 int rc;
1582 1582
1583 AVC_AUDIT_DATA_INIT(&ad, FS); 1583 COMMON_AUDIT_DATA_INIT(&ad, FS);
1584 ad.u.fs.path = file->f_path; 1584 ad.u.fs.path = file->f_path;
1585 1585
1586 if (sid != fsec->sid) { 1586 if (sid != fsec->sid) {
@@ -1611,7 +1611,7 @@ static int may_create(struct inode *dir,
1611 struct inode_security_struct *dsec; 1611 struct inode_security_struct *dsec;
1612 struct superblock_security_struct *sbsec; 1612 struct superblock_security_struct *sbsec;
1613 u32 sid, newsid; 1613 u32 sid, newsid;
1614 struct avc_audit_data ad; 1614 struct common_audit_data ad;
1615 int rc; 1615 int rc;
1616 1616
1617 dsec = dir->i_security; 1617 dsec = dir->i_security;
@@ -1620,7 +1620,7 @@ static int may_create(struct inode *dir,
1620 sid = tsec->sid; 1620 sid = tsec->sid;
1621 newsid = tsec->create_sid; 1621 newsid = tsec->create_sid;
1622 1622
1623 AVC_AUDIT_DATA_INIT(&ad, FS); 1623 COMMON_AUDIT_DATA_INIT(&ad, FS);
1624 ad.u.fs.path.dentry = dentry; 1624 ad.u.fs.path.dentry = dentry;
1625 1625
1626 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1626 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
@@ -1664,7 +1664,7 @@ static int may_link(struct inode *dir,
1664 1664
1665{ 1665{
1666 struct inode_security_struct *dsec, *isec; 1666 struct inode_security_struct *dsec, *isec;
1667 struct avc_audit_data ad; 1667 struct common_audit_data ad;
1668 u32 sid = current_sid(); 1668 u32 sid = current_sid();
1669 u32 av; 1669 u32 av;
1670 int rc; 1670 int rc;
@@ -1672,7 +1672,7 @@ static int may_link(struct inode *dir,
1672 dsec = dir->i_security; 1672 dsec = dir->i_security;
1673 isec = dentry->d_inode->i_security; 1673 isec = dentry->d_inode->i_security;
1674 1674
1675 AVC_AUDIT_DATA_INIT(&ad, FS); 1675 COMMON_AUDIT_DATA_INIT(&ad, FS);
1676 ad.u.fs.path.dentry = dentry; 1676 ad.u.fs.path.dentry = dentry;
1677 1677
1678 av = DIR__SEARCH; 1678 av = DIR__SEARCH;
@@ -1707,7 +1707,7 @@ static inline int may_rename(struct inode *old_dir,
1707 struct dentry *new_dentry) 1707 struct dentry *new_dentry)
1708{ 1708{
1709 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1709 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1710 struct avc_audit_data ad; 1710 struct common_audit_data ad;
1711 u32 sid = current_sid(); 1711 u32 sid = current_sid();
1712 u32 av; 1712 u32 av;
1713 int old_is_dir, new_is_dir; 1713 int old_is_dir, new_is_dir;
@@ -1718,7 +1718,7 @@ static inline int may_rename(struct inode *old_dir,
1718 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1718 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1719 new_dsec = new_dir->i_security; 1719 new_dsec = new_dir->i_security;
1720 1720
1721 AVC_AUDIT_DATA_INIT(&ad, FS); 1721 COMMON_AUDIT_DATA_INIT(&ad, FS);
1722 1722
1723 ad.u.fs.path.dentry = old_dentry; 1723 ad.u.fs.path.dentry = old_dentry;
1724 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1724 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
@@ -1760,7 +1760,7 @@ static inline int may_rename(struct inode *old_dir,
1760static int superblock_has_perm(const struct cred *cred, 1760static int superblock_has_perm(const struct cred *cred,
1761 struct super_block *sb, 1761 struct super_block *sb,
1762 u32 perms, 1762 u32 perms,
1763 struct avc_audit_data *ad) 1763 struct common_audit_data *ad)
1764{ 1764{
1765 struct superblock_security_struct *sbsec; 1765 struct superblock_security_struct *sbsec;
1766 u32 sid = cred_sid(cred); 1766 u32 sid = cred_sid(cred);
@@ -2100,7 +2100,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2100 const struct task_security_struct *old_tsec; 2100 const struct task_security_struct *old_tsec;
2101 struct task_security_struct *new_tsec; 2101 struct task_security_struct *new_tsec;
2102 struct inode_security_struct *isec; 2102 struct inode_security_struct *isec;
2103 struct avc_audit_data ad; 2103 struct common_audit_data ad;
2104 struct inode *inode = bprm->file->f_path.dentry->d_inode; 2104 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2105 int rc; 2105 int rc;
2106 2106
@@ -2138,7 +2138,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2138 return rc; 2138 return rc;
2139 } 2139 }
2140 2140
2141 AVC_AUDIT_DATA_INIT(&ad, FS); 2141 COMMON_AUDIT_DATA_INIT(&ad, FS);
2142 ad.u.fs.path = bprm->file->f_path; 2142 ad.u.fs.path = bprm->file->f_path;
2143 2143
2144 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 2144 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
@@ -2231,7 +2231,7 @@ extern struct dentry *selinux_null;
2231static inline void flush_unauthorized_files(const struct cred *cred, 2231static inline void flush_unauthorized_files(const struct cred *cred,
2232 struct files_struct *files) 2232 struct files_struct *files)
2233{ 2233{
2234 struct avc_audit_data ad; 2234 struct common_audit_data ad;
2235 struct file *file, *devnull = NULL; 2235 struct file *file, *devnull = NULL;
2236 struct tty_struct *tty; 2236 struct tty_struct *tty;
2237 struct fdtable *fdt; 2237 struct fdtable *fdt;
@@ -2265,7 +2265,7 @@ static inline void flush_unauthorized_files(const struct cred *cred,
2265 2265
2266 /* Revalidate access to inherited open files. */ 2266 /* Revalidate access to inherited open files. */
2267 2267
2268 AVC_AUDIT_DATA_INIT(&ad, FS); 2268 COMMON_AUDIT_DATA_INIT(&ad, FS);
2269 2269
2270 spin_lock(&files->file_lock); 2270 spin_lock(&files->file_lock);
2271 for (;;) { 2271 for (;;) {
@@ -2514,7 +2514,7 @@ out:
2514static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2514static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2515{ 2515{
2516 const struct cred *cred = current_cred(); 2516 const struct cred *cred = current_cred();
2517 struct avc_audit_data ad; 2517 struct common_audit_data ad;
2518 int rc; 2518 int rc;
2519 2519
2520 rc = superblock_doinit(sb, data); 2520 rc = superblock_doinit(sb, data);
@@ -2525,7 +2525,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2525 if (flags & MS_KERNMOUNT) 2525 if (flags & MS_KERNMOUNT)
2526 return 0; 2526 return 0;
2527 2527
2528 AVC_AUDIT_DATA_INIT(&ad, FS); 2528 COMMON_AUDIT_DATA_INIT(&ad, FS);
2529 ad.u.fs.path.dentry = sb->s_root; 2529 ad.u.fs.path.dentry = sb->s_root;
2530 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2530 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2531} 2531}
@@ -2533,9 +2533,9 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2533static int selinux_sb_statfs(struct dentry *dentry) 2533static int selinux_sb_statfs(struct dentry *dentry)
2534{ 2534{
2535 const struct cred *cred = current_cred(); 2535 const struct cred *cred = current_cred();
2536 struct avc_audit_data ad; 2536 struct common_audit_data ad;
2537 2537
2538 AVC_AUDIT_DATA_INIT(&ad, FS); 2538 COMMON_AUDIT_DATA_INIT(&ad, FS);
2539 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2539 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2540 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2540 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2541} 2541}
@@ -2755,7 +2755,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2755 struct inode *inode = dentry->d_inode; 2755 struct inode *inode = dentry->d_inode;
2756 struct inode_security_struct *isec = inode->i_security; 2756 struct inode_security_struct *isec = inode->i_security;
2757 struct superblock_security_struct *sbsec; 2757 struct superblock_security_struct *sbsec;
2758 struct avc_audit_data ad; 2758 struct common_audit_data ad;
2759 u32 newsid, sid = current_sid(); 2759 u32 newsid, sid = current_sid();
2760 int rc = 0; 2760 int rc = 0;
2761 2761
@@ -2769,7 +2769,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2769 if (!is_owner_or_cap(inode)) 2769 if (!is_owner_or_cap(inode))
2770 return -EPERM; 2770 return -EPERM;
2771 2771
2772 AVC_AUDIT_DATA_INIT(&ad, FS); 2772 COMMON_AUDIT_DATA_INIT(&ad, FS);
2773 ad.u.fs.path.dentry = dentry; 2773 ad.u.fs.path.dentry = dentry;
2774 2774
2775 rc = avc_has_perm(sid, isec->sid, isec->sclass, 2775 rc = avc_has_perm(sid, isec->sid, isec->sclass,
@@ -3418,7 +3418,7 @@ static void selinux_task_to_inode(struct task_struct *p,
3418 3418
3419/* Returns error only if unable to parse addresses */ 3419/* Returns error only if unable to parse addresses */
3420static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3420static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3421 struct avc_audit_data *ad, u8 *proto) 3421 struct common_audit_data *ad, u8 *proto)
3422{ 3422{
3423 int offset, ihlen, ret = -EINVAL; 3423 int offset, ihlen, ret = -EINVAL;
3424 struct iphdr _iph, *ih; 3424 struct iphdr _iph, *ih;
@@ -3499,7 +3499,7 @@ out:
3499 3499
3500/* Returns error only if unable to parse addresses */ 3500/* Returns error only if unable to parse addresses */
3501static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3501static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3502 struct avc_audit_data *ad, u8 *proto) 3502 struct common_audit_data *ad, u8 *proto)
3503{ 3503{
3504 u8 nexthdr; 3504 u8 nexthdr;
3505 int ret = -EINVAL, offset; 3505 int ret = -EINVAL, offset;
@@ -3570,7 +3570,7 @@ out:
3570 3570
3571#endif /* IPV6 */ 3571#endif /* IPV6 */
3572 3572
3573static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 3573static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3574 char **_addrp, int src, u8 *proto) 3574 char **_addrp, int src, u8 *proto)
3575{ 3575{
3576 char *addrp; 3576 char *addrp;
@@ -3652,7 +3652,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3652 u32 perms) 3652 u32 perms)
3653{ 3653{
3654 struct inode_security_struct *isec; 3654 struct inode_security_struct *isec;
3655 struct avc_audit_data ad; 3655 struct common_audit_data ad;
3656 u32 sid; 3656 u32 sid;
3657 int err = 0; 3657 int err = 0;
3658 3658
@@ -3662,7 +3662,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3662 goto out; 3662 goto out;
3663 sid = task_sid(task); 3663 sid = task_sid(task);
3664 3664
3665 AVC_AUDIT_DATA_INIT(&ad, NET); 3665 COMMON_AUDIT_DATA_INIT(&ad, NET);
3666 ad.u.net.sk = sock->sk; 3666 ad.u.net.sk = sock->sk;
3667 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 3667 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3668 3668
@@ -3749,7 +3749,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3749 if (family == PF_INET || family == PF_INET6) { 3749 if (family == PF_INET || family == PF_INET6) {
3750 char *addrp; 3750 char *addrp;
3751 struct inode_security_struct *isec; 3751 struct inode_security_struct *isec;
3752 struct avc_audit_data ad; 3752 struct common_audit_data ad;
3753 struct sockaddr_in *addr4 = NULL; 3753 struct sockaddr_in *addr4 = NULL;
3754 struct sockaddr_in6 *addr6 = NULL; 3754 struct sockaddr_in6 *addr6 = NULL;
3755 unsigned short snum; 3755 unsigned short snum;
@@ -3778,7 +3778,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3778 snum, &sid); 3778 snum, &sid);
3779 if (err) 3779 if (err)
3780 goto out; 3780 goto out;
3781 AVC_AUDIT_DATA_INIT(&ad, NET); 3781 COMMON_AUDIT_DATA_INIT(&ad, NET);
3782 ad.u.net.sport = htons(snum); 3782 ad.u.net.sport = htons(snum);
3783 ad.u.net.family = family; 3783 ad.u.net.family = family;
3784 err = avc_has_perm(isec->sid, sid, 3784 err = avc_has_perm(isec->sid, sid,
@@ -3811,7 +3811,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3811 if (err) 3811 if (err)
3812 goto out; 3812 goto out;
3813 3813
3814 AVC_AUDIT_DATA_INIT(&ad, NET); 3814 COMMON_AUDIT_DATA_INIT(&ad, NET);
3815 ad.u.net.sport = htons(snum); 3815 ad.u.net.sport = htons(snum);
3816 ad.u.net.family = family; 3816 ad.u.net.family = family;
3817 3817
@@ -3845,7 +3845,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
3845 isec = SOCK_INODE(sock)->i_security; 3845 isec = SOCK_INODE(sock)->i_security;
3846 if (isec->sclass == SECCLASS_TCP_SOCKET || 3846 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3847 isec->sclass == SECCLASS_DCCP_SOCKET) { 3847 isec->sclass == SECCLASS_DCCP_SOCKET) {
3848 struct avc_audit_data ad; 3848 struct common_audit_data ad;
3849 struct sockaddr_in *addr4 = NULL; 3849 struct sockaddr_in *addr4 = NULL;
3850 struct sockaddr_in6 *addr6 = NULL; 3850 struct sockaddr_in6 *addr6 = NULL;
3851 unsigned short snum; 3851 unsigned short snum;
@@ -3870,7 +3870,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
3870 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3870 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3871 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3871 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3872 3872
3873 AVC_AUDIT_DATA_INIT(&ad, NET); 3873 COMMON_AUDIT_DATA_INIT(&ad, NET);
3874 ad.u.net.dport = htons(snum); 3874 ad.u.net.dport = htons(snum);
3875 ad.u.net.family = sk->sk_family; 3875 ad.u.net.family = sk->sk_family;
3876 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3876 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
@@ -3960,13 +3960,13 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
3960 struct sk_security_struct *ssec; 3960 struct sk_security_struct *ssec;
3961 struct inode_security_struct *isec; 3961 struct inode_security_struct *isec;
3962 struct inode_security_struct *other_isec; 3962 struct inode_security_struct *other_isec;
3963 struct avc_audit_data ad; 3963 struct common_audit_data ad;
3964 int err; 3964 int err;
3965 3965
3966 isec = SOCK_INODE(sock)->i_security; 3966 isec = SOCK_INODE(sock)->i_security;
3967 other_isec = SOCK_INODE(other)->i_security; 3967 other_isec = SOCK_INODE(other)->i_security;
3968 3968
3969 AVC_AUDIT_DATA_INIT(&ad, NET); 3969 COMMON_AUDIT_DATA_INIT(&ad, NET);
3970 ad.u.net.sk = other->sk; 3970 ad.u.net.sk = other->sk;
3971 3971
3972 err = avc_has_perm(isec->sid, other_isec->sid, 3972 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -3992,13 +3992,13 @@ static int selinux_socket_unix_may_send(struct socket *sock,
3992{ 3992{
3993 struct inode_security_struct *isec; 3993 struct inode_security_struct *isec;
3994 struct inode_security_struct *other_isec; 3994 struct inode_security_struct *other_isec;
3995 struct avc_audit_data ad; 3995 struct common_audit_data ad;
3996 int err; 3996 int err;
3997 3997
3998 isec = SOCK_INODE(sock)->i_security; 3998 isec = SOCK_INODE(sock)->i_security;
3999 other_isec = SOCK_INODE(other)->i_security; 3999 other_isec = SOCK_INODE(other)->i_security;
4000 4000
4001 AVC_AUDIT_DATA_INIT(&ad, NET); 4001 COMMON_AUDIT_DATA_INIT(&ad, NET);
4002 ad.u.net.sk = other->sk; 4002 ad.u.net.sk = other->sk;
4003 4003
4004 err = avc_has_perm(isec->sid, other_isec->sid, 4004 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -4011,7 +4011,7 @@ static int selinux_socket_unix_may_send(struct socket *sock,
4011 4011
4012static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 4012static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4013 u32 peer_sid, 4013 u32 peer_sid,
4014 struct avc_audit_data *ad) 4014 struct common_audit_data *ad)
4015{ 4015{
4016 int err; 4016 int err;
4017 u32 if_sid; 4017 u32 if_sid;
@@ -4039,10 +4039,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4039 struct sk_security_struct *sksec = sk->sk_security; 4039 struct sk_security_struct *sksec = sk->sk_security;
4040 u32 peer_sid; 4040 u32 peer_sid;
4041 u32 sk_sid = sksec->sid; 4041 u32 sk_sid = sksec->sid;
4042 struct avc_audit_data ad; 4042 struct common_audit_data ad;
4043 char *addrp; 4043 char *addrp;
4044 4044
4045 AVC_AUDIT_DATA_INIT(&ad, NET); 4045 COMMON_AUDIT_DATA_INIT(&ad, NET);
4046 ad.u.net.netif = skb->iif; 4046 ad.u.net.netif = skb->iif;
4047 ad.u.net.family = family; 4047 ad.u.net.family = family;
4048 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4048 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
@@ -4080,7 +4080,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4080 struct sk_security_struct *sksec = sk->sk_security; 4080 struct sk_security_struct *sksec = sk->sk_security;
4081 u16 family = sk->sk_family; 4081 u16 family = sk->sk_family;
4082 u32 sk_sid = sksec->sid; 4082 u32 sk_sid = sksec->sid;
4083 struct avc_audit_data ad; 4083 struct common_audit_data ad;
4084 char *addrp; 4084 char *addrp;
4085 u8 secmark_active; 4085 u8 secmark_active;
4086 u8 peerlbl_active; 4086 u8 peerlbl_active;
@@ -4104,7 +4104,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4104 if (!secmark_active && !peerlbl_active) 4104 if (!secmark_active && !peerlbl_active)
4105 return 0; 4105 return 0;
4106 4106
4107 AVC_AUDIT_DATA_INIT(&ad, NET); 4107 COMMON_AUDIT_DATA_INIT(&ad, NET);
4108 ad.u.net.netif = skb->iif; 4108 ad.u.net.netif = skb->iif;
4109 ad.u.net.family = family; 4109 ad.u.net.family = family;
4110 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4110 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
@@ -4362,7 +4362,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4362 int err; 4362 int err;
4363 char *addrp; 4363 char *addrp;
4364 u32 peer_sid; 4364 u32 peer_sid;
4365 struct avc_audit_data ad; 4365 struct common_audit_data ad;
4366 u8 secmark_active; 4366 u8 secmark_active;
4367 u8 netlbl_active; 4367 u8 netlbl_active;
4368 u8 peerlbl_active; 4368 u8 peerlbl_active;
@@ -4379,7 +4379,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4379 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4379 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4380 return NF_DROP; 4380 return NF_DROP;
4381 4381
4382 AVC_AUDIT_DATA_INIT(&ad, NET); 4382 COMMON_AUDIT_DATA_INIT(&ad, NET);
4383 ad.u.net.netif = ifindex; 4383 ad.u.net.netif = ifindex;
4384 ad.u.net.family = family; 4384 ad.u.net.family = family;
4385 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4385 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
@@ -4467,7 +4467,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4467{ 4467{
4468 struct sock *sk = skb->sk; 4468 struct sock *sk = skb->sk;
4469 struct sk_security_struct *sksec; 4469 struct sk_security_struct *sksec;
4470 struct avc_audit_data ad; 4470 struct common_audit_data ad;
4471 char *addrp; 4471 char *addrp;
4472 u8 proto; 4472 u8 proto;
4473 4473
@@ -4475,7 +4475,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4475 return NF_ACCEPT; 4475 return NF_ACCEPT;
4476 sksec = sk->sk_security; 4476 sksec = sk->sk_security;
4477 4477
4478 AVC_AUDIT_DATA_INIT(&ad, NET); 4478 COMMON_AUDIT_DATA_INIT(&ad, NET);
4479 ad.u.net.netif = ifindex; 4479 ad.u.net.netif = ifindex;
4480 ad.u.net.family = family; 4480 ad.u.net.family = family;
4481 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4481 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
@@ -4499,7 +4499,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4499 u32 secmark_perm; 4499 u32 secmark_perm;
4500 u32 peer_sid; 4500 u32 peer_sid;
4501 struct sock *sk; 4501 struct sock *sk;
4502 struct avc_audit_data ad; 4502 struct common_audit_data ad;
4503 char *addrp; 4503 char *addrp;
4504 u8 secmark_active; 4504 u8 secmark_active;
4505 u8 peerlbl_active; 4505 u8 peerlbl_active;
@@ -4558,7 +4558,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4558 secmark_perm = PACKET__SEND; 4558 secmark_perm = PACKET__SEND;
4559 } 4559 }
4560 4560
4561 AVC_AUDIT_DATA_INIT(&ad, NET); 4561 COMMON_AUDIT_DATA_INIT(&ad, NET);
4562 ad.u.net.netif = ifindex; 4562 ad.u.net.netif = ifindex;
4563 ad.u.net.family = family; 4563 ad.u.net.family = family;
4564 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 4564 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
@@ -4628,13 +4628,13 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4628static int selinux_netlink_recv(struct sk_buff *skb, int capability) 4628static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4629{ 4629{
4630 int err; 4630 int err;
4631 struct avc_audit_data ad; 4631 struct common_audit_data ad;
4632 4632
4633 err = cap_netlink_recv(skb, capability); 4633 err = cap_netlink_recv(skb, capability);
4634 if (err) 4634 if (err)
4635 return err; 4635 return err;
4636 4636
4637 AVC_AUDIT_DATA_INIT(&ad, CAP); 4637 COMMON_AUDIT_DATA_INIT(&ad, CAP);
4638 ad.u.cap = capability; 4638 ad.u.cap = capability;
4639 4639
4640 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4640 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
@@ -4693,12 +4693,12 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4693 u32 perms) 4693 u32 perms)
4694{ 4694{
4695 struct ipc_security_struct *isec; 4695 struct ipc_security_struct *isec;
4696 struct avc_audit_data ad; 4696 struct common_audit_data ad;
4697 u32 sid = current_sid(); 4697 u32 sid = current_sid();
4698 4698
4699 isec = ipc_perms->security; 4699 isec = ipc_perms->security;
4700 4700
4701 AVC_AUDIT_DATA_INIT(&ad, IPC); 4701 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4702 ad.u.ipc_id = ipc_perms->key; 4702 ad.u.ipc_id = ipc_perms->key;
4703 4703
4704 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 4704 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
@@ -4718,7 +4718,7 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg)
4718static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4718static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4719{ 4719{
4720 struct ipc_security_struct *isec; 4720 struct ipc_security_struct *isec;
4721 struct avc_audit_data ad; 4721 struct common_audit_data ad;
4722 u32 sid = current_sid(); 4722 u32 sid = current_sid();
4723 int rc; 4723 int rc;
4724 4724
@@ -4728,7 +4728,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4728 4728
4729 isec = msq->q_perm.security; 4729 isec = msq->q_perm.security;
4730 4730
4731 AVC_AUDIT_DATA_INIT(&ad, IPC); 4731 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4732 ad.u.ipc_id = msq->q_perm.key; 4732 ad.u.ipc_id = msq->q_perm.key;
4733 4733
4734 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4734 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
@@ -4748,12 +4748,12 @@ static void selinux_msg_queue_free_security(struct msg_queue *msq)
4748static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4748static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4749{ 4749{
4750 struct ipc_security_struct *isec; 4750 struct ipc_security_struct *isec;
4751 struct avc_audit_data ad; 4751 struct common_audit_data ad;
4752 u32 sid = current_sid(); 4752 u32 sid = current_sid();
4753 4753
4754 isec = msq->q_perm.security; 4754 isec = msq->q_perm.security;
4755 4755
4756 AVC_AUDIT_DATA_INIT(&ad, IPC); 4756 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4757 ad.u.ipc_id = msq->q_perm.key; 4757 ad.u.ipc_id = msq->q_perm.key;
4758 4758
4759 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4759 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
@@ -4792,7 +4792,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4792{ 4792{
4793 struct ipc_security_struct *isec; 4793 struct ipc_security_struct *isec;
4794 struct msg_security_struct *msec; 4794 struct msg_security_struct *msec;
4795 struct avc_audit_data ad; 4795 struct common_audit_data ad;
4796 u32 sid = current_sid(); 4796 u32 sid = current_sid();
4797 int rc; 4797 int rc;
4798 4798
@@ -4813,7 +4813,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4813 return rc; 4813 return rc;
4814 } 4814 }
4815 4815
4816 AVC_AUDIT_DATA_INIT(&ad, IPC); 4816 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4817 ad.u.ipc_id = msq->q_perm.key; 4817 ad.u.ipc_id = msq->q_perm.key;
4818 4818
4819 /* Can this process write to the queue? */ 4819 /* Can this process write to the queue? */
@@ -4837,14 +4837,14 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4837{ 4837{
4838 struct ipc_security_struct *isec; 4838 struct ipc_security_struct *isec;
4839 struct msg_security_struct *msec; 4839 struct msg_security_struct *msec;
4840 struct avc_audit_data ad; 4840 struct common_audit_data ad;
4841 u32 sid = task_sid(target); 4841 u32 sid = task_sid(target);
4842 int rc; 4842 int rc;
4843 4843
4844 isec = msq->q_perm.security; 4844 isec = msq->q_perm.security;
4845 msec = msg->security; 4845 msec = msg->security;
4846 4846
4847 AVC_AUDIT_DATA_INIT(&ad, IPC); 4847 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4848 ad.u.ipc_id = msq->q_perm.key; 4848 ad.u.ipc_id = msq->q_perm.key;
4849 4849
4850 rc = avc_has_perm(sid, isec->sid, 4850 rc = avc_has_perm(sid, isec->sid,
@@ -4859,7 +4859,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4859static int selinux_shm_alloc_security(struct shmid_kernel *shp) 4859static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4860{ 4860{
4861 struct ipc_security_struct *isec; 4861 struct ipc_security_struct *isec;
4862 struct avc_audit_data ad; 4862 struct common_audit_data ad;
4863 u32 sid = current_sid(); 4863 u32 sid = current_sid();
4864 int rc; 4864 int rc;
4865 4865
@@ -4869,7 +4869,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4869 4869
4870 isec = shp->shm_perm.security; 4870 isec = shp->shm_perm.security;
4871 4871
4872 AVC_AUDIT_DATA_INIT(&ad, IPC); 4872 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4873 ad.u.ipc_id = shp->shm_perm.key; 4873 ad.u.ipc_id = shp->shm_perm.key;
4874 4874
4875 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 4875 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
@@ -4889,12 +4889,12 @@ static void selinux_shm_free_security(struct shmid_kernel *shp)
4889static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 4889static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4890{ 4890{
4891 struct ipc_security_struct *isec; 4891 struct ipc_security_struct *isec;
4892 struct avc_audit_data ad; 4892 struct common_audit_data ad;
4893 u32 sid = current_sid(); 4893 u32 sid = current_sid();
4894 4894
4895 isec = shp->shm_perm.security; 4895 isec = shp->shm_perm.security;
4896 4896
4897 AVC_AUDIT_DATA_INIT(&ad, IPC); 4897 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4898 ad.u.ipc_id = shp->shm_perm.key; 4898 ad.u.ipc_id = shp->shm_perm.key;
4899 4899
4900 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 4900 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
@@ -4951,7 +4951,7 @@ static int selinux_shm_shmat(struct shmid_kernel *shp,
4951static int selinux_sem_alloc_security(struct sem_array *sma) 4951static int selinux_sem_alloc_security(struct sem_array *sma)
4952{ 4952{
4953 struct ipc_security_struct *isec; 4953 struct ipc_security_struct *isec;
4954 struct avc_audit_data ad; 4954 struct common_audit_data ad;
4955 u32 sid = current_sid(); 4955 u32 sid = current_sid();
4956 int rc; 4956 int rc;
4957 4957
@@ -4961,7 +4961,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
4961 4961
4962 isec = sma->sem_perm.security; 4962 isec = sma->sem_perm.security;
4963 4963
4964 AVC_AUDIT_DATA_INIT(&ad, IPC); 4964 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4965 ad.u.ipc_id = sma->sem_perm.key; 4965 ad.u.ipc_id = sma->sem_perm.key;
4966 4966
4967 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 4967 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
@@ -4981,12 +4981,12 @@ static void selinux_sem_free_security(struct sem_array *sma)
4981static int selinux_sem_associate(struct sem_array *sma, int semflg) 4981static int selinux_sem_associate(struct sem_array *sma, int semflg)
4982{ 4982{
4983 struct ipc_security_struct *isec; 4983 struct ipc_security_struct *isec;
4984 struct avc_audit_data ad; 4984 struct common_audit_data ad;
4985 u32 sid = current_sid(); 4985 u32 sid = current_sid();
4986 4986
4987 isec = sma->sem_perm.security; 4987 isec = sma->sem_perm.security;
4988 4988
4989 AVC_AUDIT_DATA_INIT(&ad, IPC); 4989 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4990 ad.u.ipc_id = sma->sem_perm.key; 4990 ad.u.ipc_id = sma->sem_perm.key;
4991 4991
4992 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 4992 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
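diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index ae4c3a0e2c1a..e94e82f73818 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -13,6 +13,7 @@
 #include <linux/spinlock.h>
 #include <linux/init.h>
 #include <linux/audit.h>
+#include <linux/lsm_audit.h>
 #include <linux/in6.h>
 #include <linux/path.h>
 #include <asm/system.h>
@@ -36,48 +37,6 @@ struct inode;
 struct sock;
 struct sk_buff;
 
-/* Auxiliary data to use in generating the audit record. */
-struct avc_audit_data {
-	char type;
-#define AVC_AUDIT_DATA_FS 1
-#define AVC_AUDIT_DATA_NET 2
-#define AVC_AUDIT_DATA_CAP 3
-#define AVC_AUDIT_DATA_IPC 4
-	struct task_struct *tsk;
-	union {
-		struct {
-			struct path path;
-			struct inode *inode;
-		} fs;
-		struct {
-			int netif;
-			struct sock *sk;
-			u16 family;
-			__be16 dport;
-			__be16 sport;
-			union {
-				struct {
-					__be32 daddr;
-					__be32 saddr;
-				} v4;
-				struct {
-					struct in6_addr daddr;
-					struct in6_addr saddr;
-				} v6;
-			} fam;
-		} net;
-		int cap;
-		int ipc_id;
-	} u;
-};
-
-#define v4info fam.v4
-#define v6info fam.v6
-
-/* Initialize an AVC audit data structure. */
-#define AVC_AUDIT_DATA_INIT(_d,_t) \
-	{ memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; }
-
 /*
  * AVC statistics
  */
@@ -98,7 +57,9 @@ void __init avc_init(void);
 
 void avc_audit(u32 ssid, u32 tsid,
 	       u16 tclass, u32 requested,
-	       struct av_decision *avd, int result, struct avc_audit_data *auditdata);
+	       struct av_decision *avd,
+	       int result,
+	       struct common_audit_data *a);
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
@@ -108,7 +69,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 
 int avc_has_perm(u32 ssid, u32 tsid,
 		 u16 tclass, u32 requested,
-		 struct avc_audit_data *auditdata);
+		 struct common_audit_data *auditdata);
 
 u32 avc_policy_seqno(void);
 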
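Review bot: The removed block drops the `v4info` and `v6info` accessor macros (old lines 74–75) together with `struct avc_audit_data`, and nothing in this header replaces them; unless `linux/lsm_audit.h`, now included on the new line 16, provides the same two macros, any remaining `ad.u.net.v4info` / `ad.u.net.v6info` user in hooks.c or netlabel.c will no longer compile, so that should be confirmed before merging. The rewritten `avc_audit` prototype also names its audit parameter `a` while `avc_has_perm` in the next hunk keeps `auditdata`; `struct common_audit_data *auditdata);` would keep the two declarations consistent for readers of the header. Since the type and its initialiser macro are now owned by lsm_audit.h, a one-line comment above `avc_audit` such as `/* a: caller-initialised via COMMON_AUDIT_DATA_INIT(); see linux/lsm_audit.h */` would tell callers where the contract moved.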
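diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index b4b5b9b2f0be..8d7384280a7a 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -59,7 +59,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 				struct sk_buff *skb,
 				u16 family,
-				struct avc_audit_data *ad);
+				struct common_audit_data *ad);
 int selinux_netlbl_socket_setsockopt(struct socket *sock,
 				     int level,
 				     int optname);
@@ -129,7 +129,7 @@ static inline int selinux_netlbl_socket_post_create(struct sock *sk,
 static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 					      struct sk_buff *skb,
 					      u16 family,
-					      struct avc_audit_data *ad)
+					      struct common_audit_data *ad)
 {
 	return 0;
 }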
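diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 289e24b39e3e..13128f9a3e5a 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -41,9 +41,9 @@ static inline int selinux_xfrm_enabled(void)
 }
 
 int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
-			struct avc_audit_data *ad);
+			struct common_audit_data *ad);
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-			struct avc_audit_data *ad, u8 proto);
+			struct common_audit_data *ad, u8 proto);
 int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 
 static inline void selinux_xfrm_notify_policyload(void)
@@ -57,13 +57,13 @@ static inline int selinux_xfrm_enabled(void)
 }
 
 static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
-			struct avc_audit_data *ad)
+			struct common_audit_data *ad)
 {
 	return 0;
 }
 
 static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-			struct avc_audit_data *ad, u8 proto)
+			struct common_audit_data *ad, u8 proto)
 {
 	return 0;
 }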
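diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 2e984413c7b2..e68823741ad5 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -342,7 +342,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 				struct sk_buff *skb,
 				u16 family,
-				struct avc_audit_data *ad)
+				struct common_audit_data *ad)
 {
 	int rc;
 	u32 nlbl_sid;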
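diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 72b18452e1a1..f3cb9ed731a9 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -401,7 +401,7 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
  * gone thru the IPSec process.
  */
 int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
-				struct avc_audit_data *ad)
+				struct common_audit_data *ad)
 {
 	int i, rc = 0;
 	struct sec_path *sp;
@@ -442,7 +442,7 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
  * checked in the selinux_xfrm_state_pol_flow_match hook above.
  */
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-					struct avc_audit_data *ad, u8 proto)
+					struct common_audit_data *ad, u8 proto)
 {
 	struct dst_entry *dst;
 	int rc = 0;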