-rw-r--r-- | include/linux/audit.h | 6 | ||||
-rw-r--r-- | include/net/cipso_ipv4.h | 5 | ||||
-rw-r--r-- | include/net/netlabel.h | 2 | ||||
-rw-r--r-- | net/ipv4/cipso_ipv4.c | 8 | ||||
-rw-r--r-- | net/netlabel/netlabel_cipso_v4.c | 43 | ||||
-rw-r--r-- | net/netlabel/netlabel_domainhash.c | 54 | ||||
-rw-r--r-- | net/netlabel/netlabel_domainhash.h | 6 | ||||
-rw-r--r-- | net/netlabel/netlabel_mgmt.c | 14 | ||||
-rw-r--r-- | net/netlabel/netlabel_unlabeled.c | 36 | ||||
-rw-r--r-- | net/netlabel/netlabel_user.c | 91 | ||||
-rw-r--r-- | net/netlabel/netlabel_user.h | 6 |
11 files changed, 235 insertions, 36 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 40a6c26294ae..42719d07612a 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -95,6 +95,12 @@ | |||
95 | #define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ | 95 | #define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ |
96 | #define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ | 96 | #define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ |
97 | #define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ | 97 | #define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ |
98 | #define AUDIT_MAC_UNLBL_ACCEPT 1406 /* NetLabel: allow unlabeled traffic */ | ||
99 | #define AUDIT_MAC_UNLBL_DENY 1407 /* NetLabel: deny unlabeled traffic */ | ||
100 | #define AUDIT_MAC_CIPSOV4_ADD 1408 /* NetLabel: add CIPSOv4 DOI entry */ | ||
101 | #define AUDIT_MAC_CIPSOV4_DEL 1409 /* NetLabel: del CIPSOv4 DOI entry */ | ||
102 | #define AUDIT_MAC_MAP_ADD 1410 /* NetLabel: add LSM domain mapping */ | ||
103 | #define AUDIT_MAC_MAP_DEL 1411 /* NetLabel: del LSM domain mapping */ | ||
98 | 104 | ||
99 | #define AUDIT_FIRST_KERN_ANOM_MSG 1700 | 105 | #define AUDIT_FIRST_KERN_ANOM_MSG 1700 |
100 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 | 106 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 |
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h index 2d72496c2029..5d6ae1b2b196 100644 --- a/include/net/cipso_ipv4.h +++ b/include/net/cipso_ipv4.h | |||
@@ -128,7 +128,9 @@ extern int cipso_v4_rbm_strictvalid; | |||
128 | 128 | ||
129 | #ifdef CONFIG_NETLABEL | 129 | #ifdef CONFIG_NETLABEL |
130 | int cipso_v4_doi_add(struct cipso_v4_doi *doi_def); | 130 | int cipso_v4_doi_add(struct cipso_v4_doi *doi_def); |
131 | int cipso_v4_doi_remove(u32 doi, void (*callback) (struct rcu_head * head)); | 131 | int cipso_v4_doi_remove(u32 doi, |
132 | u32 audit_secid, | ||
133 | void (*callback) (struct rcu_head * head)); | ||
132 | struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi); | 134 | struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi); |
133 | int cipso_v4_doi_walk(u32 *skip_cnt, | 135 | int cipso_v4_doi_walk(u32 *skip_cnt, |
134 | int (*callback) (struct cipso_v4_doi *doi_def, void *arg), | 136 | int (*callback) (struct cipso_v4_doi *doi_def, void *arg), |
@@ -143,6 +145,7 @@ static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def) | |||
143 | } | 145 | } |
144 | 146 | ||
145 | static inline int cipso_v4_doi_remove(u32 doi, | 147 | static inline int cipso_v4_doi_remove(u32 doi, |
148 | u32 audit_secid, | ||
146 | void (*callback) (struct rcu_head * head)) | 149 | void (*callback) (struct rcu_head * head)) |
147 | { | 150 | { |
148 | return 0; | 151 | return 0; |
diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 6692430063fd..190bfdbbdba6 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h | |||
@@ -96,7 +96,7 @@ | |||
96 | struct netlbl_dom_map; | 96 | struct netlbl_dom_map; |
97 | 97 | ||
98 | /* Domain mapping operations */ | 98 | /* Domain mapping operations */ |
99 | int netlbl_domhsh_remove(const char *domain); | 99 | int netlbl_domhsh_remove(const char *domain, u32 audit_secid); |
100 | 100 | ||
101 | /* LSM security attributes */ | 101 | /* LSM security attributes */ |
102 | struct netlbl_lsm_cache { | 102 | struct netlbl_lsm_cache { |
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index e6ce0b3ba62a..c4e469ff842d 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c | |||
@@ -474,6 +474,7 @@ doi_add_failure_rlock: | |||
474 | /** | 474 | /** |
475 | * cipso_v4_doi_remove - Remove an existing DOI from the CIPSO protocol engine | 475 | * cipso_v4_doi_remove - Remove an existing DOI from the CIPSO protocol engine |
476 | * @doi: the DOI value | 476 | * @doi: the DOI value |
477 | * @audit_secid: the LSM secid to use in the audit message | ||
477 | * @callback: the DOI cleanup/free callback | 478 | * @callback: the DOI cleanup/free callback |
478 | * | 479 | * |
479 | * Description: | 480 | * Description: |
@@ -483,7 +484,9 @@ doi_add_failure_rlock: | |||
483 | * success and negative values on failure. | 484 | * success and negative values on failure. |
484 | * | 485 | * |
485 | */ | 486 | */ |
486 | int cipso_v4_doi_remove(u32 doi, void (*callback) (struct rcu_head * head)) | 487 | int cipso_v4_doi_remove(u32 doi, |
488 | u32 audit_secid, | ||
489 | void (*callback) (struct rcu_head * head)) | ||
487 | { | 490 | { |
488 | struct cipso_v4_doi *doi_def; | 491 | struct cipso_v4_doi *doi_def; |
489 | struct cipso_v4_domhsh_entry *dom_iter; | 492 | struct cipso_v4_domhsh_entry *dom_iter; |
@@ -502,7 +505,8 @@ int cipso_v4_doi_remove(u32 doi, void (*callback) (struct rcu_head * head)) | |||
502 | spin_unlock(&cipso_v4_doi_list_lock); | 505 | spin_unlock(&cipso_v4_doi_list_lock); |
503 | list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list) | 506 | list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list) |
504 | if (dom_iter->valid) | 507 | if (dom_iter->valid) |
505 | netlbl_domhsh_remove(dom_iter->domain); | 508 | netlbl_domhsh_remove(dom_iter->domain, |
509 | audit_secid); | ||
506 | cipso_v4_cache_invalidate(); | 510 | cipso_v4_cache_invalidate(); |
507 | rcu_read_unlock(); | 511 | rcu_read_unlock(); |
508 | 512 | ||
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index 4125a55f469f..09986ca962a6 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c | |||
@@ -32,6 +32,7 @@ | |||
32 | #include <linux/socket.h> | 32 | #include <linux/socket.h> |
33 | #include <linux/string.h> | 33 | #include <linux/string.h> |
34 | #include <linux/skbuff.h> | 34 | #include <linux/skbuff.h> |
35 | #include <linux/audit.h> | ||
35 | #include <net/sock.h> | 36 | #include <net/sock.h> |
36 | #include <net/netlink.h> | 37 | #include <net/netlink.h> |
37 | #include <net/genetlink.h> | 38 | #include <net/genetlink.h> |
@@ -162,8 +163,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info) | |||
162 | int nla_a_rem; | 163 | int nla_a_rem; |
163 | int nla_b_rem; | 164 | int nla_b_rem; |
164 | 165 | ||
165 | if (!info->attrs[NLBL_CIPSOV4_A_DOI] || | 166 | if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] || |
166 | !info->attrs[NLBL_CIPSOV4_A_TAGLST] || | ||
167 | !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST]) | 167 | !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST]) |
168 | return -EINVAL; | 168 | return -EINVAL; |
169 | 169 | ||
@@ -344,8 +344,7 @@ static int netlbl_cipsov4_add_pass(struct genl_info *info) | |||
344 | int ret_val; | 344 | int ret_val; |
345 | struct cipso_v4_doi *doi_def = NULL; | 345 | struct cipso_v4_doi *doi_def = NULL; |
346 | 346 | ||
347 | if (!info->attrs[NLBL_CIPSOV4_A_DOI] || | 347 | if (!info->attrs[NLBL_CIPSOV4_A_TAGLST]) |
348 | !info->attrs[NLBL_CIPSOV4_A_TAGLST]) | ||
349 | return -EINVAL; | 348 | return -EINVAL; |
350 | 349 | ||
351 | doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL); | 350 | doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL); |
@@ -381,21 +380,35 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) | |||
381 | 380 | ||
382 | { | 381 | { |
383 | int ret_val = -EINVAL; | 382 | int ret_val = -EINVAL; |
384 | u32 map_type; | 383 | u32 type; |
384 | u32 doi; | ||
385 | const char *type_str = "(unknown)"; | ||
386 | struct audit_buffer *audit_buf; | ||
385 | 387 | ||
386 | if (!info->attrs[NLBL_CIPSOV4_A_MTYPE]) | 388 | if (!info->attrs[NLBL_CIPSOV4_A_DOI] || |
389 | !info->attrs[NLBL_CIPSOV4_A_MTYPE]) | ||
387 | return -EINVAL; | 390 | return -EINVAL; |
388 | 391 | ||
389 | map_type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]); | 392 | type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]); |
390 | switch (map_type) { | 393 | switch (type) { |
391 | case CIPSO_V4_MAP_STD: | 394 | case CIPSO_V4_MAP_STD: |
395 | type_str = "std"; | ||
392 | ret_val = netlbl_cipsov4_add_std(info); | 396 | ret_val = netlbl_cipsov4_add_std(info); |
393 | break; | 397 | break; |
394 | case CIPSO_V4_MAP_PASS: | 398 | case CIPSO_V4_MAP_PASS: |
399 | type_str = "pass"; | ||
395 | ret_val = netlbl_cipsov4_add_pass(info); | 400 | ret_val = netlbl_cipsov4_add_pass(info); |
396 | break; | 401 | break; |
397 | } | 402 | } |
398 | 403 | ||
404 | if (ret_val == 0) { | ||
405 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); | ||
406 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, | ||
407 | NETLINK_CB(skb).sid); | ||
408 | audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str); | ||
409 | audit_log_end(audit_buf); | ||
410 | } | ||
411 | |||
399 | return ret_val; | 412 | return ret_val; |
400 | } | 413 | } |
401 | 414 | ||
@@ -653,11 +666,21 @@ static int netlbl_cipsov4_listall(struct sk_buff *skb, | |||
653 | static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) | 666 | static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) |
654 | { | 667 | { |
655 | int ret_val = -EINVAL; | 668 | int ret_val = -EINVAL; |
656 | u32 doi; | 669 | u32 doi = 0; |
670 | struct audit_buffer *audit_buf; | ||
657 | 671 | ||
658 | if (info->attrs[NLBL_CIPSOV4_A_DOI]) { | 672 | if (info->attrs[NLBL_CIPSOV4_A_DOI]) { |
659 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); | 673 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); |
660 | ret_val = cipso_v4_doi_remove(doi, netlbl_cipsov4_doi_free); | 674 | ret_val = cipso_v4_doi_remove(doi, |
675 | NETLINK_CB(skb).sid, | ||
676 | netlbl_cipsov4_doi_free); | ||
677 | } | ||
678 | |||
679 | if (ret_val == 0) { | ||
680 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, | ||
681 | NETLINK_CB(skb).sid); | ||
682 | audit_log_format(audit_buf, " doi=%u", doi); | ||
683 | audit_log_end(audit_buf); | ||
661 | } | 684 | } |
662 | 685 | ||
663 | return ret_val; | 686 | return ret_val; |
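Review bot: In netlbl_cipsov4_add the `"(unknown)"` initializer for type_str can never reach an audit record, because the audit block only runs when ret_val == 0 and ret_val only becomes 0 through the two switch arms that also assign type_str; dropping the initializer, or adding a `default:` arm that leaves ret_val at -EINVAL, would make that intent explicit to the next reader. Both netlbl_cipsov4_add and netlbl_cipsov4_remove hand the return of netlbl_audit_start_common straight to audit_log_format/audit_log_end, although the helper is documented to return NULL when audit_log_start fails; if this deliberately relies on the audit core accepting a NULL buffer, a short comment at the first call such as `/* audit_log_* tolerate a NULL buffer, no check needed */` would save reviewers from re-deriving it. The netlbl_cipsov4_add hunk starts after the function's opening brace, so its declarations above the hunk are not visible here.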
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c index f56d7a8ac7b7..d64e2ae3b129 100644 --- a/net/netlabel/netlabel_domainhash.c +++ b/net/netlabel/netlabel_domainhash.c | |||
@@ -35,12 +35,14 @@ | |||
35 | #include <linux/skbuff.h> | 35 | #include <linux/skbuff.h> |
36 | #include <linux/spinlock.h> | 36 | #include <linux/spinlock.h> |
37 | #include <linux/string.h> | 37 | #include <linux/string.h> |
38 | #include <linux/audit.h> | ||
38 | #include <net/netlabel.h> | 39 | #include <net/netlabel.h> |
39 | #include <net/cipso_ipv4.h> | 40 | #include <net/cipso_ipv4.h> |
40 | #include <asm/bug.h> | 41 | #include <asm/bug.h> |
41 | 42 | ||
42 | #include "netlabel_mgmt.h" | 43 | #include "netlabel_mgmt.h" |
43 | #include "netlabel_domainhash.h" | 44 | #include "netlabel_domainhash.h" |
45 | #include "netlabel_user.h" | ||
44 | 46 | ||
45 | struct netlbl_domhsh_tbl { | 47 | struct netlbl_domhsh_tbl { |
46 | struct list_head *tbl; | 48 | struct list_head *tbl; |
@@ -186,6 +188,7 @@ int netlbl_domhsh_init(u32 size) | |||
186 | /** | 188 | /** |
187 | * netlbl_domhsh_add - Adds a entry to the domain hash table | 189 | * netlbl_domhsh_add - Adds a entry to the domain hash table |
188 | * @entry: the entry to add | 190 | * @entry: the entry to add |
191 | * @audit_secid: the LSM secid to use in the audit message | ||
189 | * | 192 | * |
190 | * Description: | 193 | * Description: |
191 | * Adds a new entry to the domain hash table and handles any updates to the | 194 | * Adds a new entry to the domain hash table and handles any updates to the |
@@ -193,10 +196,12 @@ int netlbl_domhsh_init(u32 size) | |||
193 | * negative on failure. | 196 | * negative on failure. |
194 | * | 197 | * |
195 | */ | 198 | */ |
196 | int netlbl_domhsh_add(struct netlbl_dom_map *entry) | 199 | int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid) |
197 | { | 200 | { |
198 | int ret_val; | 201 | int ret_val; |
199 | u32 bkt; | 202 | u32 bkt; |
203 | struct audit_buffer *audit_buf; | ||
204 | char *audit_domain; | ||
200 | 205 | ||
201 | switch (entry->type) { | 206 | switch (entry->type) { |
202 | case NETLBL_NLTYPE_UNLABELED: | 207 | case NETLBL_NLTYPE_UNLABELED: |
@@ -236,6 +241,26 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry) | |||
236 | spin_unlock(&netlbl_domhsh_def_lock); | 241 | spin_unlock(&netlbl_domhsh_def_lock); |
237 | } else | 242 | } else |
238 | ret_val = -EINVAL; | 243 | ret_val = -EINVAL; |
244 | if (ret_val == 0) { | ||
245 | if (entry->domain != NULL) | ||
246 | audit_domain = entry->domain; | ||
247 | else | ||
248 | audit_domain = "(default)"; | ||
249 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, | ||
250 | audit_secid); | ||
251 | audit_log_format(audit_buf, " domain=%s", audit_domain); | ||
252 | switch (entry->type) { | ||
253 | case NETLBL_NLTYPE_UNLABELED: | ||
254 | audit_log_format(audit_buf, " protocol=unlbl"); | ||
255 | break; | ||
256 | case NETLBL_NLTYPE_CIPSOV4: | ||
257 | audit_log_format(audit_buf, | ||
258 | " protocol=cipsov4 doi=%u", | ||
259 | entry->type_def.cipsov4->doi); | ||
260 | break; | ||
261 | } | ||
262 | audit_log_end(audit_buf); | ||
263 | } | ||
239 | rcu_read_unlock(); | 264 | rcu_read_unlock(); |
240 | 265 | ||
241 | if (ret_val != 0) { | 266 | if (ret_val != 0) { |
@@ -254,6 +279,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry) | |||
254 | /** | 279 | /** |
255 | * netlbl_domhsh_add_default - Adds the default entry to the domain hash table | 280 | * netlbl_domhsh_add_default - Adds the default entry to the domain hash table |
256 | * @entry: the entry to add | 281 | * @entry: the entry to add |
282 | * @audit_secid: the LSM secid to use in the audit message | ||
257 | * | 283 | * |
258 | * Description: | 284 | * Description: |
259 | * Adds a new default entry to the domain hash table and handles any updates | 285 | * Adds a new default entry to the domain hash table and handles any updates |
@@ -261,14 +287,15 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry) | |||
261 | * negative on failure. | 287 | * negative on failure. |
262 | * | 288 | * |
263 | */ | 289 | */ |
264 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry) | 290 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid) |
265 | { | 291 | { |
266 | return netlbl_domhsh_add(entry); | 292 | return netlbl_domhsh_add(entry, audit_secid); |
267 | } | 293 | } |
268 | 294 | ||
269 | /** | 295 | /** |
270 | * netlbl_domhsh_remove - Removes an entry from the domain hash table | 296 | * netlbl_domhsh_remove - Removes an entry from the domain hash table |
271 | * @domain: the domain to remove | 297 | * @domain: the domain to remove |
298 | * @audit_secid: the LSM secid to use in the audit message | ||
272 | * | 299 | * |
273 | * Description: | 300 | * Description: |
274 | * Removes an entry from the domain hash table and handles any updates to the | 301 | * Removes an entry from the domain hash table and handles any updates to the |
@@ -276,10 +303,12 @@ int netlbl_domhsh_add_default(struct netlbl_dom_map *entry) | |||
276 | * negative on failure. | 303 | * negative on failure. |
277 | * | 304 | * |
278 | */ | 305 | */ |
279 | int netlbl_domhsh_remove(const char *domain) | 306 | int netlbl_domhsh_remove(const char *domain, u32 audit_secid) |
280 | { | 307 | { |
281 | int ret_val = -ENOENT; | 308 | int ret_val = -ENOENT; |
282 | struct netlbl_dom_map *entry; | 309 | struct netlbl_dom_map *entry; |
310 | struct audit_buffer *audit_buf; | ||
311 | char *audit_domain; | ||
283 | 312 | ||
284 | rcu_read_lock(); | 313 | rcu_read_lock(); |
285 | if (domain != NULL) | 314 | if (domain != NULL) |
@@ -316,8 +345,18 @@ int netlbl_domhsh_remove(const char *domain) | |||
316 | ret_val = -ENOENT; | 345 | ret_val = -ENOENT; |
317 | spin_unlock(&netlbl_domhsh_def_lock); | 346 | spin_unlock(&netlbl_domhsh_def_lock); |
318 | } | 347 | } |
319 | if (ret_val == 0) | 348 | if (ret_val == 0) { |
349 | if (entry->domain != NULL) | ||
350 | audit_domain = entry->domain; | ||
351 | else | ||
352 | audit_domain = "(default)"; | ||
353 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, | ||
354 | audit_secid); | ||
355 | audit_log_format(audit_buf, " domain=%s", audit_domain); | ||
356 | audit_log_end(audit_buf); | ||
357 | |||
320 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); | 358 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); |
359 | } | ||
321 | 360 | ||
322 | remove_return: | 361 | remove_return: |
323 | rcu_read_unlock(); | 362 | rcu_read_unlock(); |
@@ -326,6 +365,7 @@ remove_return: | |||
326 | 365 | ||
327 | /** | 366 | /** |
328 | * netlbl_domhsh_remove_default - Removes the default entry from the table | 367 | * netlbl_domhsh_remove_default - Removes the default entry from the table |
368 | * @audit_secid: the LSM secid to use in the audit message | ||
329 | * | 369 | * |
330 | * Description: | 370 | * Description: |
331 | * Removes/resets the default entry for the domain hash table and handles any | 371 | * Removes/resets the default entry for the domain hash table and handles any |
@@ -333,9 +373,9 @@ remove_return: | |||
333 | * success, non-zero on failure. | 373 | * success, non-zero on failure. |
334 | * | 374 | * |
335 | */ | 375 | */ |
336 | int netlbl_domhsh_remove_default(void) | 376 | int netlbl_domhsh_remove_default(u32 audit_secid) |
337 | { | 377 | { |
338 | return netlbl_domhsh_remove(NULL); | 378 | return netlbl_domhsh_remove(NULL, audit_secid); |
339 | } | 379 | } |
340 | 380 | ||
341 | /** | 381 | /** |
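Review bot: The new audit blocks in netlbl_domhsh_add (new lines 244–263) and netlbl_domhsh_remove (new lines 348–356) execute before rcu_read_unlock(), so netlbl_audit_start_common is now invoked inside an RCU read-side critical section; that helper takes down_read(&current->mm->mmap_sem) to resolve the exe path, which can sleep, and cipso_v4_doi_remove in net/ipv4/cipso_ipv4.c additionally calls netlbl_domhsh_remove from inside its list_for_each_entry_rcu loop under its own rcu_read_lock(). Unless rcu_read_lock() in this tree permits sleeping (I do not believe it does), this is a sleep-in-atomic path that lockdep/might_sleep would flag. The least invasive fix is to capture only the values the record needs (the domain string or the `"(default)"` marker, the type and the DOI) while the entry is still protected, and emit the audit message after rcu_read_unlock() — in netlbl_domhsh_remove the domain must be copied before call_rcu() hands the entry off, since it may be freed once the read section ends. The `"(default)"` selection is also duplicated between add and remove and could live in one small static helper.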
diff --git a/net/netlabel/netlabel_domainhash.h b/net/netlabel/netlabel_domainhash.h index 02af72a7877c..d50f13cacdca 100644 --- a/net/netlabel/netlabel_domainhash.h +++ b/net/netlabel/netlabel_domainhash.h | |||
@@ -57,9 +57,9 @@ struct netlbl_dom_map { | |||
57 | int netlbl_domhsh_init(u32 size); | 57 | int netlbl_domhsh_init(u32 size); |
58 | 58 | ||
59 | /* Manipulate the domain hash table */ | 59 | /* Manipulate the domain hash table */ |
60 | int netlbl_domhsh_add(struct netlbl_dom_map *entry); | 60 | int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid); |
61 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry); | 61 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid); |
62 | int netlbl_domhsh_remove_default(void); | 62 | int netlbl_domhsh_remove_default(u32 audit_secid); |
63 | struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); | 63 | struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); |
64 | int netlbl_domhsh_walk(u32 *skip_bkt, | 64 | int netlbl_domhsh_walk(u32 *skip_bkt, |
65 | u32 *skip_chain, | 65 | u32 *skip_chain, |
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c index 8626c9f678eb..0ac314f18ad1 100644 --- a/net/netlabel/netlabel_mgmt.c +++ b/net/netlabel/netlabel_mgmt.c | |||
@@ -108,7 +108,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info) | |||
108 | 108 | ||
109 | switch (entry->type) { | 109 | switch (entry->type) { |
110 | case NETLBL_NLTYPE_UNLABELED: | 110 | case NETLBL_NLTYPE_UNLABELED: |
111 | ret_val = netlbl_domhsh_add(entry); | 111 | ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid); |
112 | break; | 112 | break; |
113 | case NETLBL_NLTYPE_CIPSOV4: | 113 | case NETLBL_NLTYPE_CIPSOV4: |
114 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) | 114 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) |
@@ -125,7 +125,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info) | |||
125 | rcu_read_unlock(); | 125 | rcu_read_unlock(); |
126 | goto add_failure; | 126 | goto add_failure; |
127 | } | 127 | } |
128 | ret_val = netlbl_domhsh_add(entry); | 128 | ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid); |
129 | rcu_read_unlock(); | 129 | rcu_read_unlock(); |
130 | break; | 130 | break; |
131 | default: | 131 | default: |
@@ -161,7 +161,7 @@ static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info) | |||
161 | return -EINVAL; | 161 | return -EINVAL; |
162 | 162 | ||
163 | domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); | 163 | domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]); |
164 | return netlbl_domhsh_remove(domain); | 164 | return netlbl_domhsh_remove(domain, NETLINK_CB(skb).sid); |
165 | } | 165 | } |
166 | 166 | ||
167 | /** | 167 | /** |
@@ -277,7 +277,8 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info) | |||
277 | 277 | ||
278 | switch (entry->type) { | 278 | switch (entry->type) { |
279 | case NETLBL_NLTYPE_UNLABELED: | 279 | case NETLBL_NLTYPE_UNLABELED: |
280 | ret_val = netlbl_domhsh_add_default(entry); | 280 | ret_val = netlbl_domhsh_add_default(entry, |
281 | NETLINK_CB(skb).sid); | ||
281 | break; | 282 | break; |
282 | case NETLBL_NLTYPE_CIPSOV4: | 283 | case NETLBL_NLTYPE_CIPSOV4: |
283 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) | 284 | if (!info->attrs[NLBL_MGMT_A_CV4DOI]) |
@@ -294,7 +295,8 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info) | |||
294 | rcu_read_unlock(); | 295 | rcu_read_unlock(); |
295 | goto adddef_failure; | 296 | goto adddef_failure; |
296 | } | 297 | } |
297 | ret_val = netlbl_domhsh_add_default(entry); | 298 | ret_val = netlbl_domhsh_add_default(entry, |
299 | NETLINK_CB(skb).sid); | ||
298 | rcu_read_unlock(); | 300 | rcu_read_unlock(); |
299 | break; | 301 | break; |
300 | default: | 302 | default: |
@@ -322,7 +324,7 @@ adddef_failure: | |||
322 | */ | 324 | */ |
323 | static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) | 325 | static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info) |
324 | { | 326 | { |
325 | return netlbl_domhsh_remove_default(); | 327 | return netlbl_domhsh_remove_default(NETLINK_CB(skb).sid); |
326 | } | 328 | } |
327 | 329 | ||
328 | /** | 330 | /** |
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 440f5c4e1e2d..ab36675fee8c 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c | |||
@@ -64,6 +64,27 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = { | |||
64 | }; | 64 | }; |
65 | 65 | ||
66 | /* | 66 | /* |
67 | * Helper Functions | ||
68 | */ | ||
69 | |||
70 | /** | ||
71 | * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag | ||
72 | * @value: desired value | ||
73 | * @audit_secid: the LSM secid to use in the audit message | ||
74 | * | ||
75 | * Description: | ||
76 | * Set the value of the unlabeled accept flag to @value. | ||
77 | * | ||
78 | */ | ||
79 | static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid) | ||
80 | { | ||
81 | atomic_set(&netlabel_unlabel_accept_flg, value); | ||
82 | netlbl_audit_nomsg((value ? | ||
83 | AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY), | ||
84 | audit_secid); | ||
85 | } | ||
86 | |||
87 | /* | ||
67 | * NetLabel Command Handlers | 88 | * NetLabel Command Handlers |
68 | */ | 89 | */ |
69 | 90 | ||
@@ -79,18 +100,18 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = { | |||
79 | */ | 100 | */ |
80 | static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) | 101 | static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) |
81 | { | 102 | { |
82 | int ret_val = -EINVAL; | ||
83 | u8 value; | 103 | u8 value; |
84 | 104 | ||
85 | if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { | 105 | if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { |
86 | value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); | 106 | value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); |
87 | if (value == 1 || value == 0) { | 107 | if (value == 1 || value == 0) { |
88 | atomic_set(&netlabel_unlabel_accept_flg, value); | 108 | netlbl_unlabel_acceptflg_set(value, |
89 | ret_val = 0; | 109 | NETLINK_CB(skb).sid); |
110 | return 0; | ||
90 | } | 111 | } |
91 | } | 112 | } |
92 | 113 | ||
93 | return ret_val; | 114 | return -EINVAL; |
94 | } | 115 | } |
95 | 116 | ||
96 | /** | 117 | /** |
@@ -229,16 +250,19 @@ int netlbl_unlabel_defconf(void) | |||
229 | { | 250 | { |
230 | int ret_val; | 251 | int ret_val; |
231 | struct netlbl_dom_map *entry; | 252 | struct netlbl_dom_map *entry; |
253 | u32 secid; | ||
254 | |||
255 | security_task_getsecid(current, &secid); | ||
232 | 256 | ||
233 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); | 257 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
234 | if (entry == NULL) | 258 | if (entry == NULL) |
235 | return -ENOMEM; | 259 | return -ENOMEM; |
236 | entry->type = NETLBL_NLTYPE_UNLABELED; | 260 | entry->type = NETLBL_NLTYPE_UNLABELED; |
237 | ret_val = netlbl_domhsh_add_default(entry); | 261 | ret_val = netlbl_domhsh_add_default(entry, secid); |
238 | if (ret_val != 0) | 262 | if (ret_val != 0) |
239 | return ret_val; | 263 | return ret_val; |
240 | 264 | ||
241 | atomic_set(&netlabel_unlabel_accept_flg, 1); | 265 | netlbl_unlabel_acceptflg_set(1, secid); |
242 | 266 | ||
243 | return 0; | 267 | return 0; |
244 | } | 268 | } |
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index eeb7d768d2bb..c2343af584cb 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c | |||
@@ -32,6 +32,9 @@ | |||
32 | #include <linux/types.h> | 32 | #include <linux/types.h> |
33 | #include <linux/list.h> | 33 | #include <linux/list.h> |
34 | #include <linux/socket.h> | 34 | #include <linux/socket.h> |
35 | #include <linux/audit.h> | ||
36 | #include <linux/tty.h> | ||
37 | #include <linux/security.h> | ||
35 | #include <net/sock.h> | 38 | #include <net/sock.h> |
36 | #include <net/netlink.h> | 39 | #include <net/netlink.h> |
37 | #include <net/genetlink.h> | 40 | #include <net/genetlink.h> |
@@ -74,3 +77,91 @@ int netlbl_netlink_init(void) | |||
74 | 77 | ||
75 | return 0; | 78 | return 0; |
76 | } | 79 | } |
80 | |||
81 | /* | ||
82 | * NetLabel Audit Functions | ||
83 | */ | ||
84 | |||
85 | /** | ||
86 | * netlbl_audit_start_common - Start an audit message | ||
87 | * @type: audit message type | ||
88 | * @secid: LSM context ID | ||
89 | * | ||
90 | * Description: | ||
91 | * Start an audit message using the type specified in @type and fill the audit | ||
92 | * message with some fields common to all NetLabel audit messages. Returns | ||
93 | * a pointer to the audit buffer on success, NULL on failure. | ||
94 | * | ||
95 | */ | ||
96 | struct audit_buffer *netlbl_audit_start_common(int type, u32 secid) | ||
97 | { | ||
98 | struct audit_context *audit_ctx = current->audit_context; | ||
99 | struct audit_buffer *audit_buf; | ||
100 | uid_t audit_loginuid; | ||
101 | const char *audit_tty; | ||
102 | char audit_comm[sizeof(current->comm)]; | ||
103 | struct vm_area_struct *vma; | ||
104 | char *secctx; | ||
105 | u32 secctx_len; | ||
106 | |||
107 | audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type); | ||
108 | if (audit_buf == NULL) | ||
109 | return NULL; | ||
110 | |||
111 | audit_loginuid = audit_get_loginuid(audit_ctx); | ||
112 | if (current->signal && | ||
113 | current->signal->tty && | ||
114 | current->signal->tty->name) | ||
115 | audit_tty = current->signal->tty->name; | ||
116 | else | ||
117 | audit_tty = "(none)"; | ||
118 | get_task_comm(audit_comm, current); | ||
119 | |||
120 | audit_log_format(audit_buf, | ||
121 | "netlabel: auid=%u uid=%u tty=%s pid=%d", | ||
122 | audit_loginuid, | ||
123 | current->uid, | ||
124 | audit_tty, | ||
125 | current->pid); | ||
126 | audit_log_format(audit_buf, " comm="); | ||
127 | audit_log_untrustedstring(audit_buf, audit_comm); | ||
128 | if (current->mm) { | ||
129 | down_read(¤t->mm->mmap_sem); | ||
130 | vma = current->mm->mmap; | ||
131 | while (vma) { | ||
132 | if ((vma->vm_flags & VM_EXECUTABLE) && | ||
133 | vma->vm_file) { | ||
134 | audit_log_d_path(audit_buf, | ||
135 | " exe=", | ||
136 | vma->vm_file->f_dentry, | ||
137 | vma->vm_file->f_vfsmnt); | ||
138 | break; | ||
139 | } | ||
140 | vma = vma->vm_next; | ||
141 | } | ||
142 | up_read(¤t->mm->mmap_sem); | ||
143 | } | ||
144 | |||
145 | if (secid != 0 && | ||
146 | security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) | ||
147 | audit_log_format(audit_buf, " subj=%s", secctx); | ||
148 | |||
149 | return audit_buf; | ||
150 | } | ||
151 | |||
152 | /** | ||
153 | * netlbl_audit_nomsg - Send an audit message without additional text | ||
154 | * @type: audit message type | ||
155 | * @secid: LSM context ID | ||
156 | * | ||
157 | * Description: | ||
158 | * Send an audit message with only the common NetLabel audit fields. | ||
159 | * | ||
160 | */ | ||
161 | void netlbl_audit_nomsg(int type, u32 secid) | ||
162 | { | ||
163 | struct audit_buffer *audit_buf; | ||
164 | |||
165 | audit_buf = netlbl_audit_start_common(type, secid); | ||
166 | audit_log_end(audit_buf); | ||
167 | } | ||
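Review bot: The secctx string obtained on new line 146 of netlbl_audit_start_common is never released after it is logged on line 147, so every record carrying a non-zero secid leaks that allocation; the audit core's own subj logging frees the context right after audit_log_format, and the same should happen here (`kfree(secctx);`, or whichever release call this tree pairs with security_secid_to_secctx). The function also mixes GFP_ATOMIC for audit_log_start with down_read(&current->mm->mmap_sem) for the exe lookup: the atomic allocation suggests callers may be in atomic context, yet down_read can sleep, so either the exe walk should go or the kerneldoc should state the contract explicitly, e.g. `* Must be called from process context; may sleep on mmap_sem.`. The tty name is read through current->signal->tty->name without any tty locking, which as far as I can tell from this hunk is a racy read of a possibly-changing pointer — worth a comment or a hedged TODO if it is accepted as best-effort. netlbl_audit_nomsg forwards a possibly-NULL audit_buf to audit_log_end; if that is intentionally relying on audit_log_end's NULL tolerance, a one-line comment saying so would help.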
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 3f9386b917df..ab840acfc964 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h | |||
@@ -34,6 +34,7 @@ | |||
34 | #include <linux/types.h> | 34 | #include <linux/types.h> |
35 | #include <linux/skbuff.h> | 35 | #include <linux/skbuff.h> |
36 | #include <linux/capability.h> | 36 | #include <linux/capability.h> |
37 | #include <linux/audit.h> | ||
37 | #include <net/netlink.h> | 38 | #include <net/netlink.h> |
38 | #include <net/genetlink.h> | 39 | #include <net/genetlink.h> |
39 | #include <net/netlabel.h> | 40 | #include <net/netlabel.h> |
@@ -75,4 +76,9 @@ static inline void *netlbl_netlink_hdr_put(struct sk_buff *skb, | |||
75 | 76 | ||
76 | int netlbl_netlink_init(void); | 77 | int netlbl_netlink_init(void); |
77 | 78 | ||
79 | /* NetLabel Audit Functions */ | ||
80 | |||
81 | struct audit_buffer *netlbl_audit_start_common(int type, u32 secid); | ||
82 | void netlbl_audit_nomsg(int type, u32 secid); | ||
83 | |||
78 | #endif | 84 | #endif |