-rw-r--r-- | include/linux/lsm_audit.h | 2 | ||||
-rw-r--r-- | security/Makefile | 4 | ||||
-rw-r--r-- | security/lsm_audit.c | 2 | ||||
-rw-r--r-- | security/selinux/avc.c | 197 | ||||
-rw-r--r-- | security/selinux/hooks.c | 142 | ||||
-rw-r--r-- | security/selinux/include/avc.h | 49 | ||||
-rw-r--r-- | security/selinux/include/netlabel.h | 4 | ||||
-rw-r--r-- | security/selinux/include/xfrm.h | 8 | ||||
-rw-r--r-- | security/selinux/netlabel.c | 2 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 4 |
10 files changed, 131 insertions, 283 deletions
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index a5514a3a4f17..190c37854870 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h | |||
@@ -33,6 +33,7 @@ struct common_audit_data { | |||
33 | #define LSM_AUDIT_DATA_IPC 4 | 33 | #define LSM_AUDIT_DATA_IPC 4 |
34 | #define LSM_AUDIT_DATA_TASK 5 | 34 | #define LSM_AUDIT_DATA_TASK 5 |
35 | #define LSM_AUDIT_DATA_KEY 6 | 35 | #define LSM_AUDIT_DATA_KEY 6 |
36 | #define LSM_AUDIT_NO_AUDIT 7 | ||
36 | struct task_struct *tsk; | 37 | struct task_struct *tsk; |
37 | union { | 38 | union { |
38 | struct { | 39 | struct { |
@@ -86,6 +87,7 @@ struct common_audit_data { | |||
86 | u16 tclass; | 87 | u16 tclass; |
87 | u32 requested; | 88 | u32 requested; |
88 | u32 audited; | 89 | u32 audited; |
90 | u32 denied; | ||
89 | struct av_decision *avd; | 91 | struct av_decision *avd; |
90 | int result; | 92 | int result; |
91 | } selinux_audit_data; | 93 | } selinux_audit_data; |
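Review bot: `LSM_AUDIT_NO_AUDIT` joins the `LSM_AUDIT_DATA_*` list without a comment, and it means the opposite of its neighbours: it marks a `common_audit_data` that carries no LSM-independent context, so `dump_common_audit_data()` returns before dumping any of the union (see the lsm_audit.c hunk and the `stack_data` fallback in `avc_audit()`). A one-line comment at the definition saves the next reader that cross-file chase: `#define LSM_AUDIT_NO_AUDIT 7 /* no generic data: only the LSM pre/post callbacks run */`. The new `denied` field in `selinux_audit_data` is likewise undocumented; `u32 denied; /* requested & ~avd->allowed, filled in by avc_audit() */` states where it comes from. `struct common_audit_data` begins above the first hunk.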
diff --git a/security/Makefile b/security/Makefile index b56e7f9ecbc2..95ecc06392d7 100644 --- a/security/Makefile +++ b/security/Makefile | |||
@@ -16,9 +16,7 @@ obj-$(CONFIG_SECURITYFS) += inode.o | |||
16 | # Must precede capability.o in order to stack properly. | 16 | # Must precede capability.o in order to stack properly. |
17 | obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o | 17 | obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o |
18 | obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o | 18 | obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o |
19 | ifeq ($(CONFIG_AUDIT),y) | 19 | obj-$(CONFIG_AUDIT) += lsm_audit.o |
20 | obj-$(CONFIG_SECURITY_SMACK) += lsm_audit.o | ||
21 | endif | ||
22 | obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o | 20 | obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o |
23 | obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o | 21 | obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o |
24 | obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o | 22 | obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o |
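Review bot: `lsm_audit.o` is now built whenever `CONFIG_AUDIT` is set, independent of which LSM is selected, which is what the new `avc_audit()` needs since it calls `common_lsm_audit()` unconditionally (avc.c hunk), but it also links the object into configurations where no LSM uses it. The configuration to confirm is `CONFIG_AUDIT=n` with SELinux enabled: `avc_audit()` still references `common_lsm_audit()`, so either `lsm_audit.h` must provide a stub for that case or SELinux's Kconfig must select `AUDIT`; neither is visible in this diff. A short comment above the rule, `# lsm_audit.o serves every LSM that reports through common_lsm_audit()`, would record why the Smack-only conditional was dropped.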
diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 94b868494b31..500aad0ebd6a 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c | |||
@@ -220,6 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab, | |||
220 | } | 220 | } |
221 | 221 | ||
222 | switch (a->type) { | 222 | switch (a->type) { |
223 | case LSM_AUDIT_NO_AUDIT: | ||
224 | return; | ||
223 | case LSM_AUDIT_DATA_IPC: | 225 | case LSM_AUDIT_DATA_IPC: |
224 | audit_log_format(ab, " key=%d ", a->u.ipc_id); | 226 | audit_log_format(ab, " key=%d ", a->u.ipc_id); |
225 | break; | 227 | break; |
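Review bot: The bare `return` under the new `case LSM_AUDIT_NO_AUDIT:` leaves `dump_common_audit_data()` not just out of the switch but past everything after it, and nothing at the return site says so; the function continues outside the hunk in both directions, so what is skipped cannot be checked here. A comment on the case makes the contract explicit: `case LSM_AUDIT_NO_AUDIT: /* caller supplied no generic context (see avc_audit()): dump nothing */ return;`. It is also worth confirming that whatever is logged before the switch (the pid/comm fields the old `avc_audit()` emitted itself) is still reached for this type, since `avc_audit()` now depends on this path for them.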
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 236aaa2ea86d..e3d19014259b 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -492,23 +492,35 @@ out: | |||
492 | return node; | 492 | return node; |
493 | } | 493 | } |
494 | 494 | ||
495 | static inline void avc_print_ipv6_addr(struct audit_buffer *ab, | 495 | /** |
496 | struct in6_addr *addr, __be16 port, | 496 | * avc_audit_pre_callback - SELinux specific information |
497 | char *name1, char *name2) | 497 | * will be called by generic audit code |
498 | * @ab: the audit buffer | ||
499 | * @a: audit_data | ||
500 | */ | ||
501 | static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) | ||
498 | { | 502 | { |
499 | if (!ipv6_addr_any(addr)) | 503 | struct common_audit_data *ad = a; |
500 | audit_log_format(ab, " %s=%pI6", name1, addr); | 504 | audit_log_format(ab, "avc: %s ", |
501 | if (port) | 505 | ad->selinux_audit_data.denied ? "denied" : "granted"); |
502 | audit_log_format(ab, " %s=%d", name2, ntohs(port)); | 506 | avc_dump_av(ab, ad->selinux_audit_data.tclass, |
507 | ad->selinux_audit_data.audited); | ||
508 | audit_log_format(ab, " for "); | ||
503 | } | 509 | } |
504 | 510 | ||
505 | static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr, | 511 | /** |
506 | __be16 port, char *name1, char *name2) | 512 | * avc_audit_post_callback - SELinux specific information |
513 | * will be called by generic audit code | ||
514 | * @ab: the audit buffer | ||
515 | * @a: audit_data | ||
516 | */ | ||
517 | static void avc_audit_post_callback(struct audit_buffer *ab, void *a) | ||
507 | { | 518 | { |
508 | if (addr) | 519 | struct common_audit_data *ad = a; |
509 | audit_log_format(ab, " %s=%pI4", name1, &addr); | 520 | audit_log_format(ab, " "); |
510 | if (port) | 521 | avc_dump_query(ab, ad->selinux_audit_data.ssid, |
511 | audit_log_format(ab, " %s=%d", name2, ntohs(port)); | 522 | ad->selinux_audit_data.tsid, |
523 | ad->selinux_audit_data.tclass); | ||
512 | } | 524 | } |
513 | 525 | ||
514 | /** | 526 | /** |
@@ -532,13 +544,10 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr, | |||
532 | */ | 544 | */ |
533 | void avc_audit(u32 ssid, u32 tsid, | 545 | void avc_audit(u32 ssid, u32 tsid, |
534 | u16 tclass, u32 requested, | 546 | u16 tclass, u32 requested, |
535 | struct av_decision *avd, int result, struct avc_audit_data *a) | 547 | struct av_decision *avd, int result, struct common_audit_data *a) |
536 | { | 548 | { |
537 | struct task_struct *tsk = current; | 549 | struct common_audit_data stack_data; |
538 | struct inode *inode = NULL; | ||
539 | u32 denied, audited; | 550 | u32 denied, audited; |
540 | struct audit_buffer *ab; | ||
541 | |||
542 | denied = requested & ~avd->allowed; | 551 | denied = requested & ~avd->allowed; |
543 | if (denied) { | 552 | if (denied) { |
544 | audited = denied; | 553 | audited = denied; |
@@ -551,144 +560,20 @@ void avc_audit(u32 ssid, u32 tsid, | |||
551 | if (!(audited & avd->auditallow)) | 560 | if (!(audited & avd->auditallow)) |
552 | return; | 561 | return; |
553 | } | 562 | } |
554 | 563 | if (!a) { | |
555 | ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC); | 564 | a = &stack_data; |
556 | if (!ab) | 565 | memset(a, 0, sizeof(*a)); |
557 | return; /* audit_panic has been called */ | 566 | a->type = LSM_AUDIT_NO_AUDIT; |
558 | audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); | ||
559 | avc_dump_av(ab, tclass, audited); | ||
560 | audit_log_format(ab, " for "); | ||
561 | if (a && a->tsk) | ||
562 | tsk = a->tsk; | ||
563 | if (tsk && tsk->pid) { | ||
564 | audit_log_format(ab, " pid=%d comm=", tsk->pid); | ||
565 | audit_log_untrustedstring(ab, tsk->comm); | ||
566 | } | ||
567 | if (a) { | ||
568 | switch (a->type) { | ||
569 | case AVC_AUDIT_DATA_IPC: | ||
570 | audit_log_format(ab, " key=%d", a->u.ipc_id); | ||
571 | break; | ||
572 | case AVC_AUDIT_DATA_CAP: | ||
573 | audit_log_format(ab, " capability=%d", a->u.cap); | ||
574 | break; | ||
575 | case AVC_AUDIT_DATA_FS: | ||
576 | if (a->u.fs.path.dentry) { | ||
577 | struct dentry *dentry = a->u.fs.path.dentry; | ||
578 | if (a->u.fs.path.mnt) { | ||
579 | audit_log_d_path(ab, "path=", | ||
580 | &a->u.fs.path); | ||
581 | } else { | ||
582 | audit_log_format(ab, " name="); | ||
583 | audit_log_untrustedstring(ab, dentry->d_name.name); | ||
584 | } | ||
585 | inode = dentry->d_inode; | ||
586 | } else if (a->u.fs.inode) { | ||
587 | struct dentry *dentry; | ||
588 | inode = a->u.fs.inode; | ||
589 | dentry = d_find_alias(inode); | ||
590 | if (dentry) { | ||
591 | audit_log_format(ab, " name="); | ||
592 | audit_log_untrustedstring(ab, dentry->d_name.name); | ||
593 | dput(dentry); | ||
594 | } | ||
595 | } | ||
596 | if (inode) | ||
597 | audit_log_format(ab, " dev=%s ino=%lu", | ||
598 | inode->i_sb->s_id, | ||
599 | inode->i_ino); | ||
600 | break; | ||
601 | case AVC_AUDIT_DATA_NET: | ||
602 | if (a->u.net.sk) { | ||
603 | struct sock *sk = a->u.net.sk; | ||
604 | struct unix_sock *u; | ||
605 | int len = 0; | ||
606 | char *p = NULL; | ||
607 | |||
608 | switch (sk->sk_family) { | ||
609 | case AF_INET: { | ||
610 | struct inet_sock *inet = inet_sk(sk); | ||
611 | |||
612 | avc_print_ipv4_addr(ab, inet->rcv_saddr, | ||
613 | inet->sport, | ||
614 | "laddr", "lport"); | ||
615 | avc_print_ipv4_addr(ab, inet->daddr, | ||
616 | inet->dport, | ||
617 | "faddr", "fport"); | ||
618 | break; | ||
619 | } | ||
620 | case AF_INET6: { | ||
621 | struct inet_sock *inet = inet_sk(sk); | ||
622 | struct ipv6_pinfo *inet6 = inet6_sk(sk); | ||
623 | |||
624 | avc_print_ipv6_addr(ab, &inet6->rcv_saddr, | ||
625 | inet->sport, | ||
626 | "laddr", "lport"); | ||
627 | avc_print_ipv6_addr(ab, &inet6->daddr, | ||
628 | inet->dport, | ||
629 | "faddr", "fport"); | ||
630 | break; | ||
631 | } | ||
632 | case AF_UNIX: | ||
633 | u = unix_sk(sk); | ||
634 | if (u->dentry) { | ||
635 | struct path path = { | ||
636 | .dentry = u->dentry, | ||
637 | .mnt = u->mnt | ||
638 | }; | ||
639 | audit_log_d_path(ab, "path=", | ||
640 | &path); | ||
641 | break; | ||
642 | } | ||
643 | if (!u->addr) | ||
644 | break; | ||
645 | len = u->addr->len-sizeof(short); | ||
646 | p = &u->addr->name->sun_path[0]; | ||
647 | audit_log_format(ab, " path="); | ||
648 | if (*p) | ||
649 | audit_log_untrustedstring(ab, p); | ||
650 | else | ||
651 | audit_log_n_hex(ab, p, len); | ||
652 | break; | ||
653 | } | ||
654 | } | ||
655 | |||
656 | switch (a->u.net.family) { | ||
657 | case AF_INET: | ||
658 | avc_print_ipv4_addr(ab, a->u.net.v4info.saddr, | ||
659 | a->u.net.sport, | ||
660 | "saddr", "src"); | ||
661 | avc_print_ipv4_addr(ab, a->u.net.v4info.daddr, | ||
662 | a->u.net.dport, | ||
663 | "daddr", "dest"); | ||
664 | break; | ||
665 | case AF_INET6: | ||
666 | avc_print_ipv6_addr(ab, &a->u.net.v6info.saddr, | ||
667 | a->u.net.sport, | ||
668 | "saddr", "src"); | ||
669 | avc_print_ipv6_addr(ab, &a->u.net.v6info.daddr, | ||
670 | a->u.net.dport, | ||
671 | "daddr", "dest"); | ||
672 | break; | ||
673 | } | ||
674 | if (a->u.net.netif > 0) { | ||
675 | struct net_device *dev; | ||
676 | |||
677 | /* NOTE: we always use init's namespace */ | ||
678 | dev = dev_get_by_index(&init_net, | ||
679 | a->u.net.netif); | ||
680 | if (dev) { | ||
681 | audit_log_format(ab, " netif=%s", | ||
682 | dev->name); | ||
683 | dev_put(dev); | ||
684 | } | ||
685 | } | ||
686 | break; | ||
687 | } | ||
688 | } | 567 | } |
689 | audit_log_format(ab, " "); | 568 | a->selinux_audit_data.tclass = tclass; |
690 | avc_dump_query(ab, ssid, tsid, tclass); | 569 | a->selinux_audit_data.requested = requested; |
691 | audit_log_end(ab); | 570 | a->selinux_audit_data.ssid = ssid; |
571 | a->selinux_audit_data.tsid = tsid; | ||
572 | a->selinux_audit_data.audited = audited; | ||
573 | a->selinux_audit_data.denied = denied; | ||
574 | a->lsm_pre_audit = avc_audit_pre_callback; | ||
575 | a->lsm_post_audit = avc_audit_post_callback; | ||
576 | common_lsm_audit(a); | ||
692 | } | 577 | } |
693 | 578 | ||
694 | /** | 579 | /** |
@@ -956,7 +841,7 @@ out: | |||
956 | * another -errno upon other errors. | 841 | * another -errno upon other errors. |
957 | */ | 842 | */ |
958 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, | 843 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, |
959 | u32 requested, struct avc_audit_data *auditdata) | 844 | u32 requested, struct common_audit_data *auditdata) |
960 | { | 845 | { |
961 | struct av_decision avd; | 846 | struct av_decision avd; |
962 | int rc; | 847 | int rc; |
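Review bot: The `stack_data` fallback in `avc_audit()` is zero-filled and typed `LSM_AUDIT_NO_AUDIT`, so `a->tsk` is NULL on that path, whereas the removed body defaulted the logged task to `current` (`struct task_struct *tsk = current;`) when the caller supplied none; whether `common_lsm_audit()` applies the same default is not visible here and should be confirmed, otherwise pid/comm silently drop out of AVC records for callers passing NULL. The removed body also allocated the record with `GFP_ATOMIC`; that allocation now happens inside `common_lsm_audit()`, and the flag it uses cannot be checked from this diff. A comment above the fallback would pin the intent: `/* no caller context: suppress the generic dump, keep the AVC pre/post callbacks */`. The kernel-doc on the two new callbacks ("SELinux specific information will be called by generic audit code") should instead say what each emits, e.g. `avc_audit_pre_callback - log the AVC verdict and access vector before the generic data` and `avc_audit_post_callback - log the ssid/tsid/tclass query after it`. `avc_audit()`'s own kernel-doc header starts above the hunk; its `@a` line should now name `common_audit_data`.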
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5aa45b168122..254b7983657d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -1478,14 +1478,14 @@ static int task_has_capability(struct task_struct *tsk, | |||
1478 | const struct cred *cred, | 1478 | const struct cred *cred, |
1479 | int cap, int audit) | 1479 | int cap, int audit) |
1480 | { | 1480 | { |
1481 | struct avc_audit_data ad; | 1481 | struct common_audit_data ad; |
1482 | struct av_decision avd; | 1482 | struct av_decision avd; |
1483 | u16 sclass; | 1483 | u16 sclass; |
1484 | u32 sid = cred_sid(cred); | 1484 | u32 sid = cred_sid(cred); |
1485 | u32 av = CAP_TO_MASK(cap); | 1485 | u32 av = CAP_TO_MASK(cap); |
1486 | int rc; | 1486 | int rc; |
1487 | 1487 | ||
1488 | AVC_AUDIT_DATA_INIT(&ad, CAP); | 1488 | COMMON_AUDIT_DATA_INIT(&ad, CAP); |
1489 | ad.tsk = tsk; | 1489 | ad.tsk = tsk; |
1490 | ad.u.cap = cap; | 1490 | ad.u.cap = cap; |
1491 | 1491 | ||
@@ -1524,10 +1524,10 @@ static int task_has_system(struct task_struct *tsk, | |||
1524 | static int inode_has_perm(const struct cred *cred, | 1524 | static int inode_has_perm(const struct cred *cred, |
1525 | struct inode *inode, | 1525 | struct inode *inode, |
1526 | u32 perms, | 1526 | u32 perms, |
1527 | struct avc_audit_data *adp) | 1527 | struct common_audit_data *adp) |
1528 | { | 1528 | { |
1529 | struct inode_security_struct *isec; | 1529 | struct inode_security_struct *isec; |
1530 | struct avc_audit_data ad; | 1530 | struct common_audit_data ad; |
1531 | u32 sid; | 1531 | u32 sid; |
1532 | 1532 | ||
1533 | if (unlikely(IS_PRIVATE(inode))) | 1533 | if (unlikely(IS_PRIVATE(inode))) |
@@ -1538,7 +1538,7 @@ static int inode_has_perm(const struct cred *cred, | |||
1538 | 1538 | ||
1539 | if (!adp) { | 1539 | if (!adp) { |
1540 | adp = &ad; | 1540 | adp = &ad; |
1541 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1541 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1542 | ad.u.fs.inode = inode; | 1542 | ad.u.fs.inode = inode; |
1543 | } | 1543 | } |
1544 | 1544 | ||
@@ -1554,9 +1554,9 @@ static inline int dentry_has_perm(const struct cred *cred, | |||
1554 | u32 av) | 1554 | u32 av) |
1555 | { | 1555 | { |
1556 | struct inode *inode = dentry->d_inode; | 1556 | struct inode *inode = dentry->d_inode; |
1557 | struct avc_audit_data ad; | 1557 | struct common_audit_data ad; |
1558 | 1558 | ||
1559 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1559 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1560 | ad.u.fs.path.mnt = mnt; | 1560 | ad.u.fs.path.mnt = mnt; |
1561 | ad.u.fs.path.dentry = dentry; | 1561 | ad.u.fs.path.dentry = dentry; |
1562 | return inode_has_perm(cred, inode, av, &ad); | 1562 | return inode_has_perm(cred, inode, av, &ad); |
@@ -1576,11 +1576,11 @@ static int file_has_perm(const struct cred *cred, | |||
1576 | { | 1576 | { |
1577 | struct file_security_struct *fsec = file->f_security; | 1577 | struct file_security_struct *fsec = file->f_security; |
1578 | struct inode *inode = file->f_path.dentry->d_inode; | 1578 | struct inode *inode = file->f_path.dentry->d_inode; |
1579 | struct avc_audit_data ad; | 1579 | struct common_audit_data ad; |
1580 | u32 sid = cred_sid(cred); | 1580 | u32 sid = cred_sid(cred); |
1581 | int rc; | 1581 | int rc; |
1582 | 1582 | ||
1583 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1583 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1584 | ad.u.fs.path = file->f_path; | 1584 | ad.u.fs.path = file->f_path; |
1585 | 1585 | ||
1586 | if (sid != fsec->sid) { | 1586 | if (sid != fsec->sid) { |
@@ -1611,7 +1611,7 @@ static int may_create(struct inode *dir, | |||
1611 | struct inode_security_struct *dsec; | 1611 | struct inode_security_struct *dsec; |
1612 | struct superblock_security_struct *sbsec; | 1612 | struct superblock_security_struct *sbsec; |
1613 | u32 sid, newsid; | 1613 | u32 sid, newsid; |
1614 | struct avc_audit_data ad; | 1614 | struct common_audit_data ad; |
1615 | int rc; | 1615 | int rc; |
1616 | 1616 | ||
1617 | dsec = dir->i_security; | 1617 | dsec = dir->i_security; |
@@ -1620,7 +1620,7 @@ static int may_create(struct inode *dir, | |||
1620 | sid = tsec->sid; | 1620 | sid = tsec->sid; |
1621 | newsid = tsec->create_sid; | 1621 | newsid = tsec->create_sid; |
1622 | 1622 | ||
1623 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1623 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1624 | ad.u.fs.path.dentry = dentry; | 1624 | ad.u.fs.path.dentry = dentry; |
1625 | 1625 | ||
1626 | rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, | 1626 | rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, |
@@ -1664,7 +1664,7 @@ static int may_link(struct inode *dir, | |||
1664 | 1664 | ||
1665 | { | 1665 | { |
1666 | struct inode_security_struct *dsec, *isec; | 1666 | struct inode_security_struct *dsec, *isec; |
1667 | struct avc_audit_data ad; | 1667 | struct common_audit_data ad; |
1668 | u32 sid = current_sid(); | 1668 | u32 sid = current_sid(); |
1669 | u32 av; | 1669 | u32 av; |
1670 | int rc; | 1670 | int rc; |
@@ -1672,7 +1672,7 @@ static int may_link(struct inode *dir, | |||
1672 | dsec = dir->i_security; | 1672 | dsec = dir->i_security; |
1673 | isec = dentry->d_inode->i_security; | 1673 | isec = dentry->d_inode->i_security; |
1674 | 1674 | ||
1675 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1675 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1676 | ad.u.fs.path.dentry = dentry; | 1676 | ad.u.fs.path.dentry = dentry; |
1677 | 1677 | ||
1678 | av = DIR__SEARCH; | 1678 | av = DIR__SEARCH; |
@@ -1707,7 +1707,7 @@ static inline int may_rename(struct inode *old_dir, | |||
1707 | struct dentry *new_dentry) | 1707 | struct dentry *new_dentry) |
1708 | { | 1708 | { |
1709 | struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; | 1709 | struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; |
1710 | struct avc_audit_data ad; | 1710 | struct common_audit_data ad; |
1711 | u32 sid = current_sid(); | 1711 | u32 sid = current_sid(); |
1712 | u32 av; | 1712 | u32 av; |
1713 | int old_is_dir, new_is_dir; | 1713 | int old_is_dir, new_is_dir; |
@@ -1718,7 +1718,7 @@ static inline int may_rename(struct inode *old_dir, | |||
1718 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); | 1718 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); |
1719 | new_dsec = new_dir->i_security; | 1719 | new_dsec = new_dir->i_security; |
1720 | 1720 | ||
1721 | AVC_AUDIT_DATA_INIT(&ad, FS); | 1721 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
1722 | 1722 | ||
1723 | ad.u.fs.path.dentry = old_dentry; | 1723 | ad.u.fs.path.dentry = old_dentry; |
1724 | rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, | 1724 | rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, |
@@ -1760,7 +1760,7 @@ static inline int may_rename(struct inode *old_dir, | |||
1760 | static int superblock_has_perm(const struct cred *cred, | 1760 | static int superblock_has_perm(const struct cred *cred, |
1761 | struct super_block *sb, | 1761 | struct super_block *sb, |
1762 | u32 perms, | 1762 | u32 perms, |
1763 | struct avc_audit_data *ad) | 1763 | struct common_audit_data *ad) |
1764 | { | 1764 | { |
1765 | struct superblock_security_struct *sbsec; | 1765 | struct superblock_security_struct *sbsec; |
1766 | u32 sid = cred_sid(cred); | 1766 | u32 sid = cred_sid(cred); |
@@ -2100,7 +2100,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
2100 | const struct task_security_struct *old_tsec; | 2100 | const struct task_security_struct *old_tsec; |
2101 | struct task_security_struct *new_tsec; | 2101 | struct task_security_struct *new_tsec; |
2102 | struct inode_security_struct *isec; | 2102 | struct inode_security_struct *isec; |
2103 | struct avc_audit_data ad; | 2103 | struct common_audit_data ad; |
2104 | struct inode *inode = bprm->file->f_path.dentry->d_inode; | 2104 | struct inode *inode = bprm->file->f_path.dentry->d_inode; |
2105 | int rc; | 2105 | int rc; |
2106 | 2106 | ||
@@ -2138,7 +2138,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
2138 | return rc; | 2138 | return rc; |
2139 | } | 2139 | } |
2140 | 2140 | ||
2141 | AVC_AUDIT_DATA_INIT(&ad, FS); | 2141 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
2142 | ad.u.fs.path = bprm->file->f_path; | 2142 | ad.u.fs.path = bprm->file->f_path; |
2143 | 2143 | ||
2144 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) | 2144 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) |
@@ -2231,7 +2231,7 @@ extern struct dentry *selinux_null; | |||
2231 | static inline void flush_unauthorized_files(const struct cred *cred, | 2231 | static inline void flush_unauthorized_files(const struct cred *cred, |
2232 | struct files_struct *files) | 2232 | struct files_struct *files) |
2233 | { | 2233 | { |
2234 | struct avc_audit_data ad; | 2234 | struct common_audit_data ad; |
2235 | struct file *file, *devnull = NULL; | 2235 | struct file *file, *devnull = NULL; |
2236 | struct tty_struct *tty; | 2236 | struct tty_struct *tty; |
2237 | struct fdtable *fdt; | 2237 | struct fdtable *fdt; |
@@ -2265,7 +2265,7 @@ static inline void flush_unauthorized_files(const struct cred *cred, | |||
2265 | 2265 | ||
2266 | /* Revalidate access to inherited open files. */ | 2266 | /* Revalidate access to inherited open files. */ |
2267 | 2267 | ||
2268 | AVC_AUDIT_DATA_INIT(&ad, FS); | 2268 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
2269 | 2269 | ||
2270 | spin_lock(&files->file_lock); | 2270 | spin_lock(&files->file_lock); |
2271 | for (;;) { | 2271 | for (;;) { |
@@ -2514,7 +2514,7 @@ out: | |||
2514 | static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) | 2514 | static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) |
2515 | { | 2515 | { |
2516 | const struct cred *cred = current_cred(); | 2516 | const struct cred *cred = current_cred(); |
2517 | struct avc_audit_data ad; | 2517 | struct common_audit_data ad; |
2518 | int rc; | 2518 | int rc; |
2519 | 2519 | ||
2520 | rc = superblock_doinit(sb, data); | 2520 | rc = superblock_doinit(sb, data); |
@@ -2525,7 +2525,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) | |||
2525 | if (flags & MS_KERNMOUNT) | 2525 | if (flags & MS_KERNMOUNT) |
2526 | return 0; | 2526 | return 0; |
2527 | 2527 | ||
2528 | AVC_AUDIT_DATA_INIT(&ad, FS); | 2528 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
2529 | ad.u.fs.path.dentry = sb->s_root; | 2529 | ad.u.fs.path.dentry = sb->s_root; |
2530 | return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); | 2530 | return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); |
2531 | } | 2531 | } |
@@ -2533,9 +2533,9 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) | |||
2533 | static int selinux_sb_statfs(struct dentry *dentry) | 2533 | static int selinux_sb_statfs(struct dentry *dentry) |
2534 | { | 2534 | { |
2535 | const struct cred *cred = current_cred(); | 2535 | const struct cred *cred = current_cred(); |
2536 | struct avc_audit_data ad; | 2536 | struct common_audit_data ad; |
2537 | 2537 | ||
2538 | AVC_AUDIT_DATA_INIT(&ad, FS); | 2538 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
2539 | ad.u.fs.path.dentry = dentry->d_sb->s_root; | 2539 | ad.u.fs.path.dentry = dentry->d_sb->s_root; |
2540 | return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); | 2540 | return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); |
2541 | } | 2541 | } |
@@ -2755,7 +2755,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | |||
2755 | struct inode *inode = dentry->d_inode; | 2755 | struct inode *inode = dentry->d_inode; |
2756 | struct inode_security_struct *isec = inode->i_security; | 2756 | struct inode_security_struct *isec = inode->i_security; |
2757 | struct superblock_security_struct *sbsec; | 2757 | struct superblock_security_struct *sbsec; |
2758 | struct avc_audit_data ad; | 2758 | struct common_audit_data ad; |
2759 | u32 newsid, sid = current_sid(); | 2759 | u32 newsid, sid = current_sid(); |
2760 | int rc = 0; | 2760 | int rc = 0; |
2761 | 2761 | ||
@@ -2769,7 +2769,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | |||
2769 | if (!is_owner_or_cap(inode)) | 2769 | if (!is_owner_or_cap(inode)) |
2770 | return -EPERM; | 2770 | return -EPERM; |
2771 | 2771 | ||
2772 | AVC_AUDIT_DATA_INIT(&ad, FS); | 2772 | COMMON_AUDIT_DATA_INIT(&ad, FS); |
2773 | ad.u.fs.path.dentry = dentry; | 2773 | ad.u.fs.path.dentry = dentry; |
2774 | 2774 | ||
2775 | rc = avc_has_perm(sid, isec->sid, isec->sclass, | 2775 | rc = avc_has_perm(sid, isec->sid, isec->sclass, |
@@ -3418,7 +3418,7 @@ static void selinux_task_to_inode(struct task_struct *p, | |||
3418 | 3418 | ||
3419 | /* Returns error only if unable to parse addresses */ | 3419 | /* Returns error only if unable to parse addresses */ |
3420 | static int selinux_parse_skb_ipv4(struct sk_buff *skb, | 3420 | static int selinux_parse_skb_ipv4(struct sk_buff *skb, |
3421 | struct avc_audit_data *ad, u8 *proto) | 3421 | struct common_audit_data *ad, u8 *proto) |
3422 | { | 3422 | { |
3423 | int offset, ihlen, ret = -EINVAL; | 3423 | int offset, ihlen, ret = -EINVAL; |
3424 | struct iphdr _iph, *ih; | 3424 | struct iphdr _iph, *ih; |
@@ -3499,7 +3499,7 @@ out: | |||
3499 | 3499 | ||
3500 | /* Returns error only if unable to parse addresses */ | 3500 | /* Returns error only if unable to parse addresses */ |
3501 | static int selinux_parse_skb_ipv6(struct sk_buff *skb, | 3501 | static int selinux_parse_skb_ipv6(struct sk_buff *skb, |
3502 | struct avc_audit_data *ad, u8 *proto) | 3502 | struct common_audit_data *ad, u8 *proto) |
3503 | { | 3503 | { |
3504 | u8 nexthdr; | 3504 | u8 nexthdr; |
3505 | int ret = -EINVAL, offset; | 3505 | int ret = -EINVAL, offset; |
@@ -3570,7 +3570,7 @@ out: | |||
3570 | 3570 | ||
3571 | #endif /* IPV6 */ | 3571 | #endif /* IPV6 */ |
3572 | 3572 | ||
3573 | static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, | 3573 | static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, |
3574 | char **_addrp, int src, u8 *proto) | 3574 | char **_addrp, int src, u8 *proto) |
3575 | { | 3575 | { |
3576 | char *addrp; | 3576 | char *addrp; |
@@ -3652,7 +3652,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, | |||
3652 | u32 perms) | 3652 | u32 perms) |
3653 | { | 3653 | { |
3654 | struct inode_security_struct *isec; | 3654 | struct inode_security_struct *isec; |
3655 | struct avc_audit_data ad; | 3655 | struct common_audit_data ad; |
3656 | u32 sid; | 3656 | u32 sid; |
3657 | int err = 0; | 3657 | int err = 0; |
3658 | 3658 | ||
@@ -3662,7 +3662,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, | |||
3662 | goto out; | 3662 | goto out; |
3663 | sid = task_sid(task); | 3663 | sid = task_sid(task); |
3664 | 3664 | ||
3665 | AVC_AUDIT_DATA_INIT(&ad, NET); | 3665 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
3666 | ad.u.net.sk = sock->sk; | 3666 | ad.u.net.sk = sock->sk; |
3667 | err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); | 3667 | err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); |
3668 | 3668 | ||
@@ -3749,7 +3749,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3749 | if (family == PF_INET || family == PF_INET6) { | 3749 | if (family == PF_INET || family == PF_INET6) { |
3750 | char *addrp; | 3750 | char *addrp; |
3751 | struct inode_security_struct *isec; | 3751 | struct inode_security_struct *isec; |
3752 | struct avc_audit_data ad; | 3752 | struct common_audit_data ad; |
3753 | struct sockaddr_in *addr4 = NULL; | 3753 | struct sockaddr_in *addr4 = NULL; |
3754 | struct sockaddr_in6 *addr6 = NULL; | 3754 | struct sockaddr_in6 *addr6 = NULL; |
3755 | unsigned short snum; | 3755 | unsigned short snum; |
@@ -3778,7 +3778,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3778 | snum, &sid); | 3778 | snum, &sid); |
3779 | if (err) | 3779 | if (err) |
3780 | goto out; | 3780 | goto out; |
3781 | AVC_AUDIT_DATA_INIT(&ad, NET); | 3781 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
3782 | ad.u.net.sport = htons(snum); | 3782 | ad.u.net.sport = htons(snum); |
3783 | ad.u.net.family = family; | 3783 | ad.u.net.family = family; |
3784 | err = avc_has_perm(isec->sid, sid, | 3784 | err = avc_has_perm(isec->sid, sid, |
@@ -3811,7 +3811,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3811 | if (err) | 3811 | if (err) |
3812 | goto out; | 3812 | goto out; |
3813 | 3813 | ||
3814 | AVC_AUDIT_DATA_INIT(&ad, NET); | 3814 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
3815 | ad.u.net.sport = htons(snum); | 3815 | ad.u.net.sport = htons(snum); |
3816 | ad.u.net.family = family; | 3816 | ad.u.net.family = family; |
3817 | 3817 | ||
@@ -3845,7 +3845,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, | |||
3845 | isec = SOCK_INODE(sock)->i_security; | 3845 | isec = SOCK_INODE(sock)->i_security; |
3846 | if (isec->sclass == SECCLASS_TCP_SOCKET || | 3846 | if (isec->sclass == SECCLASS_TCP_SOCKET || |
3847 | isec->sclass == SECCLASS_DCCP_SOCKET) { | 3847 | isec->sclass == SECCLASS_DCCP_SOCKET) { |
3848 | struct avc_audit_data ad; | 3848 | struct common_audit_data ad; |
3849 | struct sockaddr_in *addr4 = NULL; | 3849 | struct sockaddr_in *addr4 = NULL; |
3850 | struct sockaddr_in6 *addr6 = NULL; | 3850 | struct sockaddr_in6 *addr6 = NULL; |
3851 | unsigned short snum; | 3851 | unsigned short snum; |
@@ -3870,7 +3870,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, | |||
3870 | perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? | 3870 | perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? |
3871 | TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; | 3871 | TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; |
3872 | 3872 | ||
3873 | AVC_AUDIT_DATA_INIT(&ad, NET); | 3873 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
3874 | ad.u.net.dport = htons(snum); | 3874 | ad.u.net.dport = htons(snum); |
3875 | ad.u.net.family = sk->sk_family; | 3875 | ad.u.net.family = sk->sk_family; |
3876 | err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); | 3876 | err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); |
@@ -3960,13 +3960,13 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, | |||
3960 | struct sk_security_struct *ssec; | 3960 | struct sk_security_struct *ssec; |
3961 | struct inode_security_struct *isec; | 3961 | struct inode_security_struct *isec; |
3962 | struct inode_security_struct *other_isec; | 3962 | struct inode_security_struct *other_isec; |
3963 | struct avc_audit_data ad; | 3963 | struct common_audit_data ad; |
3964 | int err; | 3964 | int err; |
3965 | 3965 | ||
3966 | isec = SOCK_INODE(sock)->i_security; | 3966 | isec = SOCK_INODE(sock)->i_security; |
3967 | other_isec = SOCK_INODE(other)->i_security; | 3967 | other_isec = SOCK_INODE(other)->i_security; |
3968 | 3968 | ||
3969 | AVC_AUDIT_DATA_INIT(&ad, NET); | 3969 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
3970 | ad.u.net.sk = other->sk; | 3970 | ad.u.net.sk = other->sk; |
3971 | 3971 | ||
3972 | err = avc_has_perm(isec->sid, other_isec->sid, | 3972 | err = avc_has_perm(isec->sid, other_isec->sid, |
@@ -3992,13 +3992,13 @@ static int selinux_socket_unix_may_send(struct socket *sock, | |||
3992 | { | 3992 | { |
3993 | struct inode_security_struct *isec; | 3993 | struct inode_security_struct *isec; |
3994 | struct inode_security_struct *other_isec; | 3994 | struct inode_security_struct *other_isec; |
3995 | struct avc_audit_data ad; | 3995 | struct common_audit_data ad; |
3996 | int err; | 3996 | int err; |
3997 | 3997 | ||
3998 | isec = SOCK_INODE(sock)->i_security; | 3998 | isec = SOCK_INODE(sock)->i_security; |
3999 | other_isec = SOCK_INODE(other)->i_security; | 3999 | other_isec = SOCK_INODE(other)->i_security; |
4000 | 4000 | ||
4001 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4001 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4002 | ad.u.net.sk = other->sk; | 4002 | ad.u.net.sk = other->sk; |
4003 | 4003 | ||
4004 | err = avc_has_perm(isec->sid, other_isec->sid, | 4004 | err = avc_has_perm(isec->sid, other_isec->sid, |
@@ -4011,7 +4011,7 @@ static int selinux_socket_unix_may_send(struct socket *sock, | |||
4011 | 4011 | ||
4012 | static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, | 4012 | static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, |
4013 | u32 peer_sid, | 4013 | u32 peer_sid, |
4014 | struct avc_audit_data *ad) | 4014 | struct common_audit_data *ad) |
4015 | { | 4015 | { |
4016 | int err; | 4016 | int err; |
4017 | u32 if_sid; | 4017 | u32 if_sid; |
@@ -4039,10 +4039,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, | |||
4039 | struct sk_security_struct *sksec = sk->sk_security; | 4039 | struct sk_security_struct *sksec = sk->sk_security; |
4040 | u32 peer_sid; | 4040 | u32 peer_sid; |
4041 | u32 sk_sid = sksec->sid; | 4041 | u32 sk_sid = sksec->sid; |
4042 | struct avc_audit_data ad; | 4042 | struct common_audit_data ad; |
4043 | char *addrp; | 4043 | char *addrp; |
4044 | 4044 | ||
4045 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4045 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4046 | ad.u.net.netif = skb->iif; | 4046 | ad.u.net.netif = skb->iif; |
4047 | ad.u.net.family = family; | 4047 | ad.u.net.family = family; |
4048 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); | 4048 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); |
@@ -4080,7 +4080,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
4080 | struct sk_security_struct *sksec = sk->sk_security; | 4080 | struct sk_security_struct *sksec = sk->sk_security; |
4081 | u16 family = sk->sk_family; | 4081 | u16 family = sk->sk_family; |
4082 | u32 sk_sid = sksec->sid; | 4082 | u32 sk_sid = sksec->sid; |
4083 | struct avc_audit_data ad; | 4083 | struct common_audit_data ad; |
4084 | char *addrp; | 4084 | char *addrp; |
4085 | u8 secmark_active; | 4085 | u8 secmark_active; |
4086 | u8 peerlbl_active; | 4086 | u8 peerlbl_active; |
@@ -4104,7 +4104,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
4104 | if (!secmark_active && !peerlbl_active) | 4104 | if (!secmark_active && !peerlbl_active) |
4105 | return 0; | 4105 | return 0; |
4106 | 4106 | ||
4107 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4107 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4108 | ad.u.net.netif = skb->iif; | 4108 | ad.u.net.netif = skb->iif; |
4109 | ad.u.net.family = family; | 4109 | ad.u.net.family = family; |
4110 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); | 4110 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); |
@@ -4362,7 +4362,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, | |||
4362 | int err; | 4362 | int err; |
4363 | char *addrp; | 4363 | char *addrp; |
4364 | u32 peer_sid; | 4364 | u32 peer_sid; |
4365 | struct avc_audit_data ad; | 4365 | struct common_audit_data ad; |
4366 | u8 secmark_active; | 4366 | u8 secmark_active; |
4367 | u8 netlbl_active; | 4367 | u8 netlbl_active; |
4368 | u8 peerlbl_active; | 4368 | u8 peerlbl_active; |
@@ -4379,7 +4379,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, | |||
4379 | if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) | 4379 | if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) |
4380 | return NF_DROP; | 4380 | return NF_DROP; |
4381 | 4381 | ||
4382 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4382 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4383 | ad.u.net.netif = ifindex; | 4383 | ad.u.net.netif = ifindex; |
4384 | ad.u.net.family = family; | 4384 | ad.u.net.family = family; |
4385 | if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) | 4385 | if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) |
@@ -4467,7 +4467,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
4467 | { | 4467 | { |
4468 | struct sock *sk = skb->sk; | 4468 | struct sock *sk = skb->sk; |
4469 | struct sk_security_struct *sksec; | 4469 | struct sk_security_struct *sksec; |
4470 | struct avc_audit_data ad; | 4470 | struct common_audit_data ad; |
4471 | char *addrp; | 4471 | char *addrp; |
4472 | u8 proto; | 4472 | u8 proto; |
4473 | 4473 | ||
@@ -4475,7 +4475,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
4475 | return NF_ACCEPT; | 4475 | return NF_ACCEPT; |
4476 | sksec = sk->sk_security; | 4476 | sksec = sk->sk_security; |
4477 | 4477 | ||
4478 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4478 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4479 | ad.u.net.netif = ifindex; | 4479 | ad.u.net.netif = ifindex; |
4480 | ad.u.net.family = family; | 4480 | ad.u.net.family = family; |
4481 | if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) | 4481 | if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) |
@@ -4499,7 +4499,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
4499 | u32 secmark_perm; | 4499 | u32 secmark_perm; |
4500 | u32 peer_sid; | 4500 | u32 peer_sid; |
4501 | struct sock *sk; | 4501 | struct sock *sk; |
4502 | struct avc_audit_data ad; | 4502 | struct common_audit_data ad; |
4503 | char *addrp; | 4503 | char *addrp; |
4504 | u8 secmark_active; | 4504 | u8 secmark_active; |
4505 | u8 peerlbl_active; | 4505 | u8 peerlbl_active; |
@@ -4558,7 +4558,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
4558 | secmark_perm = PACKET__SEND; | 4558 | secmark_perm = PACKET__SEND; |
4559 | } | 4559 | } |
4560 | 4560 | ||
4561 | AVC_AUDIT_DATA_INIT(&ad, NET); | 4561 | COMMON_AUDIT_DATA_INIT(&ad, NET); |
4562 | ad.u.net.netif = ifindex; | 4562 | ad.u.net.netif = ifindex; |
4563 | ad.u.net.family = family; | 4563 | ad.u.net.family = family; |
4564 | if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) | 4564 | if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) |
@@ -4628,13 +4628,13 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) | |||
4628 | static int selinux_netlink_recv(struct sk_buff *skb, int capability) | 4628 | static int selinux_netlink_recv(struct sk_buff *skb, int capability) |
4629 | { | 4629 | { |
4630 | int err; | 4630 | int err; |
4631 | struct avc_audit_data ad; | 4631 | struct common_audit_data ad; |
4632 | 4632 | ||
4633 | err = cap_netlink_recv(skb, capability); | 4633 | err = cap_netlink_recv(skb, capability); |
4634 | if (err) | 4634 | if (err) |
4635 | return err; | 4635 | return err; |
4636 | 4636 | ||
4637 | AVC_AUDIT_DATA_INIT(&ad, CAP); | 4637 | COMMON_AUDIT_DATA_INIT(&ad, CAP); |
4638 | ad.u.cap = capability; | 4638 | ad.u.cap = capability; |
4639 | 4639 | ||
4640 | return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, | 4640 | return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, |
@@ -4693,12 +4693,12 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, | |||
4693 | u32 perms) | 4693 | u32 perms) |
4694 | { | 4694 | { |
4695 | struct ipc_security_struct *isec; | 4695 | struct ipc_security_struct *isec; |
4696 | struct avc_audit_data ad; | 4696 | struct common_audit_data ad; |
4697 | u32 sid = current_sid(); | 4697 | u32 sid = current_sid(); |
4698 | 4698 | ||
4699 | isec = ipc_perms->security; | 4699 | isec = ipc_perms->security; |
4700 | 4700 | ||
4701 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4701 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4702 | ad.u.ipc_id = ipc_perms->key; | 4702 | ad.u.ipc_id = ipc_perms->key; |
4703 | 4703 | ||
4704 | return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); | 4704 | return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); |
@@ -4718,7 +4718,7 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg) | |||
4718 | static int selinux_msg_queue_alloc_security(struct msg_queue *msq) | 4718 | static int selinux_msg_queue_alloc_security(struct msg_queue *msq) |
4719 | { | 4719 | { |
4720 | struct ipc_security_struct *isec; | 4720 | struct ipc_security_struct *isec; |
4721 | struct avc_audit_data ad; | 4721 | struct common_audit_data ad; |
4722 | u32 sid = current_sid(); | 4722 | u32 sid = current_sid(); |
4723 | int rc; | 4723 | int rc; |
4724 | 4724 | ||
@@ -4728,7 +4728,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq) | |||
4728 | 4728 | ||
4729 | isec = msq->q_perm.security; | 4729 | isec = msq->q_perm.security; |
4730 | 4730 | ||
4731 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4731 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4732 | ad.u.ipc_id = msq->q_perm.key; | 4732 | ad.u.ipc_id = msq->q_perm.key; |
4733 | 4733 | ||
4734 | rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, | 4734 | rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, |
@@ -4748,12 +4748,12 @@ static void selinux_msg_queue_free_security(struct msg_queue *msq) | |||
4748 | static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) | 4748 | static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) |
4749 | { | 4749 | { |
4750 | struct ipc_security_struct *isec; | 4750 | struct ipc_security_struct *isec; |
4751 | struct avc_audit_data ad; | 4751 | struct common_audit_data ad; |
4752 | u32 sid = current_sid(); | 4752 | u32 sid = current_sid(); |
4753 | 4753 | ||
4754 | isec = msq->q_perm.security; | 4754 | isec = msq->q_perm.security; |
4755 | 4755 | ||
4756 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4756 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4757 | ad.u.ipc_id = msq->q_perm.key; | 4757 | ad.u.ipc_id = msq->q_perm.key; |
4758 | 4758 | ||
4759 | return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, | 4759 | return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, |
@@ -4792,7 +4792,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, | |||
4792 | { | 4792 | { |
4793 | struct ipc_security_struct *isec; | 4793 | struct ipc_security_struct *isec; |
4794 | struct msg_security_struct *msec; | 4794 | struct msg_security_struct *msec; |
4795 | struct avc_audit_data ad; | 4795 | struct common_audit_data ad; |
4796 | u32 sid = current_sid(); | 4796 | u32 sid = current_sid(); |
4797 | int rc; | 4797 | int rc; |
4798 | 4798 | ||
@@ -4813,7 +4813,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, | |||
4813 | return rc; | 4813 | return rc; |
4814 | } | 4814 | } |
4815 | 4815 | ||
4816 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4816 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4817 | ad.u.ipc_id = msq->q_perm.key; | 4817 | ad.u.ipc_id = msq->q_perm.key; |
4818 | 4818 | ||
4819 | /* Can this process write to the queue? */ | 4819 | /* Can this process write to the queue? */ |
@@ -4837,14 +4837,14 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | |||
4837 | { | 4837 | { |
4838 | struct ipc_security_struct *isec; | 4838 | struct ipc_security_struct *isec; |
4839 | struct msg_security_struct *msec; | 4839 | struct msg_security_struct *msec; |
4840 | struct avc_audit_data ad; | 4840 | struct common_audit_data ad; |
4841 | u32 sid = task_sid(target); | 4841 | u32 sid = task_sid(target); |
4842 | int rc; | 4842 | int rc; |
4843 | 4843 | ||
4844 | isec = msq->q_perm.security; | 4844 | isec = msq->q_perm.security; |
4845 | msec = msg->security; | 4845 | msec = msg->security; |
4846 | 4846 | ||
4847 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4847 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4848 | ad.u.ipc_id = msq->q_perm.key; | 4848 | ad.u.ipc_id = msq->q_perm.key; |
4849 | 4849 | ||
4850 | rc = avc_has_perm(sid, isec->sid, | 4850 | rc = avc_has_perm(sid, isec->sid, |
@@ -4859,7 +4859,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | |||
4859 | static int selinux_shm_alloc_security(struct shmid_kernel *shp) | 4859 | static int selinux_shm_alloc_security(struct shmid_kernel *shp) |
4860 | { | 4860 | { |
4861 | struct ipc_security_struct *isec; | 4861 | struct ipc_security_struct *isec; |
4862 | struct avc_audit_data ad; | 4862 | struct common_audit_data ad; |
4863 | u32 sid = current_sid(); | 4863 | u32 sid = current_sid(); |
4864 | int rc; | 4864 | int rc; |
4865 | 4865 | ||
@@ -4869,7 +4869,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp) | |||
4869 | 4869 | ||
4870 | isec = shp->shm_perm.security; | 4870 | isec = shp->shm_perm.security; |
4871 | 4871 | ||
4872 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4872 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4873 | ad.u.ipc_id = shp->shm_perm.key; | 4873 | ad.u.ipc_id = shp->shm_perm.key; |
4874 | 4874 | ||
4875 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, | 4875 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, |
@@ -4889,12 +4889,12 @@ static void selinux_shm_free_security(struct shmid_kernel *shp) | |||
4889 | static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) | 4889 | static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) |
4890 | { | 4890 | { |
4891 | struct ipc_security_struct *isec; | 4891 | struct ipc_security_struct *isec; |
4892 | struct avc_audit_data ad; | 4892 | struct common_audit_data ad; |
4893 | u32 sid = current_sid(); | 4893 | u32 sid = current_sid(); |
4894 | 4894 | ||
4895 | isec = shp->shm_perm.security; | 4895 | isec = shp->shm_perm.security; |
4896 | 4896 | ||
4897 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4897 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4898 | ad.u.ipc_id = shp->shm_perm.key; | 4898 | ad.u.ipc_id = shp->shm_perm.key; |
4899 | 4899 | ||
4900 | return avc_has_perm(sid, isec->sid, SECCLASS_SHM, | 4900 | return avc_has_perm(sid, isec->sid, SECCLASS_SHM, |
@@ -4951,7 +4951,7 @@ static int selinux_shm_shmat(struct shmid_kernel *shp, | |||
4951 | static int selinux_sem_alloc_security(struct sem_array *sma) | 4951 | static int selinux_sem_alloc_security(struct sem_array *sma) |
4952 | { | 4952 | { |
4953 | struct ipc_security_struct *isec; | 4953 | struct ipc_security_struct *isec; |
4954 | struct avc_audit_data ad; | 4954 | struct common_audit_data ad; |
4955 | u32 sid = current_sid(); | 4955 | u32 sid = current_sid(); |
4956 | int rc; | 4956 | int rc; |
4957 | 4957 | ||
@@ -4961,7 +4961,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma) | |||
4961 | 4961 | ||
4962 | isec = sma->sem_perm.security; | 4962 | isec = sma->sem_perm.security; |
4963 | 4963 | ||
4964 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4964 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4965 | ad.u.ipc_id = sma->sem_perm.key; | 4965 | ad.u.ipc_id = sma->sem_perm.key; |
4966 | 4966 | ||
4967 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, | 4967 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, |
@@ -4981,12 +4981,12 @@ static void selinux_sem_free_security(struct sem_array *sma) | |||
4981 | static int selinux_sem_associate(struct sem_array *sma, int semflg) | 4981 | static int selinux_sem_associate(struct sem_array *sma, int semflg) |
4982 | { | 4982 | { |
4983 | struct ipc_security_struct *isec; | 4983 | struct ipc_security_struct *isec; |
4984 | struct avc_audit_data ad; | 4984 | struct common_audit_data ad; |
4985 | u32 sid = current_sid(); | 4985 | u32 sid = current_sid(); |
4986 | 4986 | ||
4987 | isec = sma->sem_perm.security; | 4987 | isec = sma->sem_perm.security; |
4988 | 4988 | ||
4989 | AVC_AUDIT_DATA_INIT(&ad, IPC); | 4989 | COMMON_AUDIT_DATA_INIT(&ad, IPC); |
4990 | ad.u.ipc_id = sma->sem_perm.key; | 4990 | ad.u.ipc_id = sma->sem_perm.key; |
4991 | 4991 | ||
4992 | return avc_has_perm(sid, isec->sid, SECCLASS_SEM, | 4992 | return avc_has_perm(sid, isec->sid, SECCLASS_SEM, |
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index ae4c3a0e2c1a..e94e82f73818 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h | |||
@@ -13,6 +13,7 @@ | |||
13 | #include <linux/spinlock.h> | 13 | #include <linux/spinlock.h> |
14 | #include <linux/init.h> | 14 | #include <linux/init.h> |
15 | #include <linux/audit.h> | 15 | #include <linux/audit.h> |
16 | #include <linux/lsm_audit.h> | ||
16 | #include <linux/in6.h> | 17 | #include <linux/in6.h> |
17 | #include <linux/path.h> | 18 | #include <linux/path.h> |
18 | #include <asm/system.h> | 19 | #include <asm/system.h> |
@@ -36,48 +37,6 @@ struct inode; | |||
36 | struct sock; | 37 | struct sock; |
37 | struct sk_buff; | 38 | struct sk_buff; |
38 | 39 | ||
39 | /* Auxiliary data to use in generating the audit record. */ | ||
40 | struct avc_audit_data { | ||
41 | char type; | ||
42 | #define AVC_AUDIT_DATA_FS 1 | ||
43 | #define AVC_AUDIT_DATA_NET 2 | ||
44 | #define AVC_AUDIT_DATA_CAP 3 | ||
45 | #define AVC_AUDIT_DATA_IPC 4 | ||
46 | struct task_struct *tsk; | ||
47 | union { | ||
48 | struct { | ||
49 | struct path path; | ||
50 | struct inode *inode; | ||
51 | } fs; | ||
52 | struct { | ||
53 | int netif; | ||
54 | struct sock *sk; | ||
55 | u16 family; | ||
56 | __be16 dport; | ||
57 | __be16 sport; | ||
58 | union { | ||
59 | struct { | ||
60 | __be32 daddr; | ||
61 | __be32 saddr; | ||
62 | } v4; | ||
63 | struct { | ||
64 | struct in6_addr daddr; | ||
65 | struct in6_addr saddr; | ||
66 | } v6; | ||
67 | } fam; | ||
68 | } net; | ||
69 | int cap; | ||
70 | int ipc_id; | ||
71 | } u; | ||
72 | }; | ||
73 | |||
74 | #define v4info fam.v4 | ||
75 | #define v6info fam.v6 | ||
76 | |||
77 | /* Initialize an AVC audit data structure. */ | ||
78 | #define AVC_AUDIT_DATA_INIT(_d,_t) \ | ||
79 | { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; } | ||
80 | |||
81 | /* | 40 | /* |
82 | * AVC statistics | 41 | * AVC statistics |
83 | */ | 42 | */ |
@@ -98,7 +57,9 @@ void __init avc_init(void); | |||
98 | 57 | ||
99 | void avc_audit(u32 ssid, u32 tsid, | 58 | void avc_audit(u32 ssid, u32 tsid, |
100 | u16 tclass, u32 requested, | 59 | u16 tclass, u32 requested, |
101 | struct av_decision *avd, int result, struct avc_audit_data *auditdata); | 60 | struct av_decision *avd, |
61 | int result, | ||
62 | struct common_audit_data *a); | ||
102 | 63 | ||
103 | #define AVC_STRICT 1 /* Ignore permissive mode. */ | 64 | #define AVC_STRICT 1 /* Ignore permissive mode. */ |
104 | int avc_has_perm_noaudit(u32 ssid, u32 tsid, | 65 | int avc_has_perm_noaudit(u32 ssid, u32 tsid, |
@@ -108,7 +69,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
108 | 69 | ||
109 | int avc_has_perm(u32 ssid, u32 tsid, | 70 | int avc_has_perm(u32 ssid, u32 tsid, |
110 | u16 tclass, u32 requested, | 71 | u16 tclass, u32 requested, |
111 | struct avc_audit_data *auditdata); | 72 | struct common_audit_data *auditdata); |
112 | 73 | ||
113 | u32 avc_policy_seqno(void); | 74 | u32 avc_policy_seqno(void); |
114 | 75 | ||
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h index b4b5b9b2f0be..8d7384280a7a 100644 --- a/security/selinux/include/netlabel.h +++ b/security/selinux/include/netlabel.h | |||
@@ -59,7 +59,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family); | |||
59 | int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, | 59 | int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, |
60 | struct sk_buff *skb, | 60 | struct sk_buff *skb, |
61 | u16 family, | 61 | u16 family, |
62 | struct avc_audit_data *ad); | 62 | struct common_audit_data *ad); |
63 | int selinux_netlbl_socket_setsockopt(struct socket *sock, | 63 | int selinux_netlbl_socket_setsockopt(struct socket *sock, |
64 | int level, | 64 | int level, |
65 | int optname); | 65 | int optname); |
@@ -129,7 +129,7 @@ static inline int selinux_netlbl_socket_post_create(struct sock *sk, | |||
129 | static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, | 129 | static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, |
130 | struct sk_buff *skb, | 130 | struct sk_buff *skb, |
131 | u16 family, | 131 | u16 family, |
132 | struct avc_audit_data *ad) | 132 | struct common_audit_data *ad) |
133 | { | 133 | { |
134 | return 0; | 134 | return 0; |
135 | } | 135 | } |
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index 289e24b39e3e..13128f9a3e5a 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h | |||
@@ -41,9 +41,9 @@ static inline int selinux_xfrm_enabled(void) | |||
41 | } | 41 | } |
42 | 42 | ||
43 | int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, | 43 | int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, |
44 | struct avc_audit_data *ad); | 44 | struct common_audit_data *ad); |
45 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, | 45 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, |
46 | struct avc_audit_data *ad, u8 proto); | 46 | struct common_audit_data *ad, u8 proto); |
47 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); | 47 | int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); |
48 | 48 | ||
49 | static inline void selinux_xfrm_notify_policyload(void) | 49 | static inline void selinux_xfrm_notify_policyload(void) |
@@ -57,13 +57,13 @@ static inline int selinux_xfrm_enabled(void) | |||
57 | } | 57 | } |
58 | 58 | ||
59 | static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, | 59 | static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, |
60 | struct avc_audit_data *ad) | 60 | struct common_audit_data *ad) |
61 | { | 61 | { |
62 | return 0; | 62 | return 0; |
63 | } | 63 | } |
64 | 64 | ||
65 | static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, | 65 | static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, |
66 | struct avc_audit_data *ad, u8 proto) | 66 | struct common_audit_data *ad, u8 proto) |
67 | { | 67 | { |
68 | return 0; | 68 | return 0; |
69 | } | 69 | } |
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 2e984413c7b2..e68823741ad5 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c | |||
@@ -342,7 +342,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) | |||
342 | int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, | 342 | int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, |
343 | struct sk_buff *skb, | 343 | struct sk_buff *skb, |
344 | u16 family, | 344 | u16 family, |
345 | struct avc_audit_data *ad) | 345 | struct common_audit_data *ad) |
346 | { | 346 | { |
347 | int rc; | 347 | int rc; |
348 | u32 nlbl_sid; | 348 | u32 nlbl_sid; |
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 72b18452e1a1..f3cb9ed731a9 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
@@ -401,7 +401,7 @@ int selinux_xfrm_state_delete(struct xfrm_state *x) | |||
401 | * gone thru the IPSec process. | 401 | * gone thru the IPSec process. |
402 | */ | 402 | */ |
403 | int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, | 403 | int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, |
404 | struct avc_audit_data *ad) | 404 | struct common_audit_data *ad) |
405 | { | 405 | { |
406 | int i, rc = 0; | 406 | int i, rc = 0; |
407 | struct sec_path *sp; | 407 | struct sec_path *sp; |
@@ -442,7 +442,7 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, | |||
442 | * checked in the selinux_xfrm_state_pol_flow_match hook above. | 442 | * checked in the selinux_xfrm_state_pol_flow_match hook above. |
443 | */ | 443 | */ |
444 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, | 444 | int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, |
445 | struct avc_audit_data *ad, u8 proto) | 445 | struct common_audit_data *ad, u8 proto) |
446 | { | 446 | { |
447 | struct dst_entry *dst; | 447 | struct dst_entry *dst; |
448 | int rc = 0; | 448 | int rc = 0; |