-rw-r--r--include/linux/audit.h6
-rw-r--r--include/net/cipso_ipv4.h5
-rw-r--r--include/net/netlabel.h2
-rw-r--r--net/ipv4/cipso_ipv4.c8
-rw-r--r--net/netlabel/netlabel_cipso_v4.c43
-rw-r--r--net/netlabel/netlabel_domainhash.c54
-rw-r--r--net/netlabel/netlabel_domainhash.h6
-rw-r--r--net/netlabel/netlabel_mgmt.c14
-rw-r--r--net/netlabel/netlabel_unlabeled.c36
-rw-r--r--net/netlabel/netlabel_user.c91
-rw-r--r--net/netlabel/netlabel_user.h6
11 files changed, 235 insertions, 36 deletions
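--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -95,6 +95,12 @@
 #define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */
 #define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */
 #define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */
+#define AUDIT_MAC_UNLBL_ACCEPT 1406 /* NetLabel: allow unlabeled traffic */
+#define AUDIT_MAC_UNLBL_DENY 1407 /* NetLabel: deny unlabeled traffic */
+#define AUDIT_MAC_CIPSOV4_ADD 1408 /* NetLabel: add CIPSOv4 DOI entry */
+#define AUDIT_MAC_CIPSOV4_DEL 1409 /* NetLabel: del CIPSOv4 DOI entry */
+#define AUDIT_MAC_MAP_ADD 1410 /* NetLabel: add LSM domain mapping */
+#define AUDIT_MAC_MAP_DEL 1411 /* NetLabel: del LSM domain mapping */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG 1700
 #define AUDIT_LAST_KERN_ANOM_MSG 1799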
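--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -128,7 +128,9 @@ extern int cipso_v4_rbm_strictvalid;
 
 #ifdef CONFIG_NETLABEL
 int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
-int cipso_v4_doi_remove(u32 doi, void (*callback) (struct rcu_head * head));
+int cipso_v4_doi_remove(u32 doi,
+ u32 audit_secid,
+ void (*callback) (struct rcu_head * head));
 struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
 int cipso_v4_doi_walk(u32 *skip_cnt,
  int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
@@ -143,6 +145,7 @@ static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
 }
 
 static inline int cipso_v4_doi_remove(u32 doi,
+ u32 audit_secid,
  void (*callback) (struct rcu_head * head))
 {
  return 0;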
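--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -96,7 +96,7 @@
 struct netlbl_dom_map;
 
 /* Domain mapping operations */
-int netlbl_domhsh_remove(const char *domain);
+int netlbl_domhsh_remove(const char *domain, u32 audit_secid);
 
 /* LSM security attributes */
 struct netlbl_lsm_cache {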
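--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -474,6 +474,7 @@ doi_add_failure_rlock:
 /**
  * cipso_v4_doi_remove - Remove an existing DOI from the CIPSO protocol engine
  * @doi: the DOI value
+ * @audit_secid: the LSM secid to use in the audit message
  * @callback: the DOI cleanup/free callback
  *
  * Description:
@@ -483,7 +484,9 @@ doi_add_failure_rlock:
  * success and negative values on failure.
  *
  */
-int cipso_v4_doi_remove(u32 doi, void (*callback) (struct rcu_head * head))
+int cipso_v4_doi_remove(u32 doi,
+ u32 audit_secid,
+ void (*callback) (struct rcu_head * head))
 {
  struct cipso_v4_doi *doi_def;
  struct cipso_v4_domhsh_entry *dom_iter;
@@ -502,7 +505,8 @@ int cipso_v4_doi_remove(u32 doi, void (*callback) (struct rcu_head * head))
  spin_unlock(&cipso_v4_doi_list_lock);
  list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list)
  if (dom_iter->valid)
-  netlbl_domhsh_remove(dom_iter->domain);
+  netlbl_domhsh_remove(dom_iter->domain,
+  audit_secid);
  cipso_v4_cache_invalidate();
  rcu_read_unlock();
 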
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index 4125a55f469f..09986ca962a6 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -32,6 +32,7 @@
32#include <linux/socket.h> 32#include <linux/socket.h>
33#include <linux/string.h> 33#include <linux/string.h>
34#include <linux/skbuff.h> 34#include <linux/skbuff.h>
35#include <linux/audit.h>
35#include <net/sock.h> 36#include <net/sock.h>
36#include <net/netlink.h> 37#include <net/netlink.h>
37#include <net/genetlink.h> 38#include <net/genetlink.h>
@@ -162,8 +163,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info)
162 int nla_a_rem; 163 int nla_a_rem;
163 int nla_b_rem; 164 int nla_b_rem;
164 165
165 if (!info->attrs[NLBL_CIPSOV4_A_DOI] || 166 if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
166 !info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
167 !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST]) 167 !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
168 return -EINVAL; 168 return -EINVAL;
169 169
@@ -344,8 +344,7 @@ static int netlbl_cipsov4_add_pass(struct genl_info *info)
344 int ret_val; 344 int ret_val;
345 struct cipso_v4_doi *doi_def = NULL; 345 struct cipso_v4_doi *doi_def = NULL;
346 346
347 if (!info->attrs[NLBL_CIPSOV4_A_DOI] || 347 if (!info->attrs[NLBL_CIPSOV4_A_TAGLST])
348 !info->attrs[NLBL_CIPSOV4_A_TAGLST])
349 return -EINVAL; 348 return -EINVAL;
350 349
351 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL); 350 doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL);
@@ -381,21 +380,35 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
381 380
382{ 381{
383 int ret_val = -EINVAL; 382 int ret_val = -EINVAL;
384 u32 map_type; 383 u32 type;
384 u32 doi;
385 const char *type_str = "(unknown)";
386 struct audit_buffer *audit_buf;
385 387
386 if (!info->attrs[NLBL_CIPSOV4_A_MTYPE]) 388 if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
389 !info->attrs[NLBL_CIPSOV4_A_MTYPE])
387 return -EINVAL; 390 return -EINVAL;
388 391
389 map_type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]); 392 type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
390 switch (map_type) { 393 switch (type) {
391 case CIPSO_V4_MAP_STD: 394 case CIPSO_V4_MAP_STD:
395 type_str = "std";
392 ret_val = netlbl_cipsov4_add_std(info); 396 ret_val = netlbl_cipsov4_add_std(info);
393 break; 397 break;
394 case CIPSO_V4_MAP_PASS: 398 case CIPSO_V4_MAP_PASS:
399 type_str = "pass";
395 ret_val = netlbl_cipsov4_add_pass(info); 400 ret_val = netlbl_cipsov4_add_pass(info);
396 break; 401 break;
397 } 402 }
398 403
404 if (ret_val == 0) {
405 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
406 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
407 NETLINK_CB(skb).sid);
408 audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str);
409 audit_log_end(audit_buf);
410 }
411
399 return ret_val; 412 return ret_val;
400} 413}
401 414
@@ -653,11 +666,21 @@ static int netlbl_cipsov4_listall(struct sk_buff *skb,
653static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) 666static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
654{ 667{
655 int ret_val = -EINVAL; 668 int ret_val = -EINVAL;
656 u32 doi; 669 u32 doi = 0;
670 struct audit_buffer *audit_buf;
657 671
658 if (info->attrs[NLBL_CIPSOV4_A_DOI]) { 672 if (info->attrs[NLBL_CIPSOV4_A_DOI]) {
659 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); 673 doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
660 ret_val = cipso_v4_doi_remove(doi, netlbl_cipsov4_doi_free); 674 ret_val = cipso_v4_doi_remove(doi,
675 NETLINK_CB(skb).sid,
676 netlbl_cipsov4_doi_free);
677 }
678
679 if (ret_val == 0) {
680 audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
681 NETLINK_CB(skb).sid);
682 audit_log_format(audit_buf, " doi=%u", doi);
683 audit_log_end(audit_buf);
661 } 684 }
662 685
663 return ret_val; 686 return ret_val;
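Review bot: The new audit records in netlbl_cipsov4_add and netlbl_cipsov4_remove are emitted only inside `if (ret_val == 0)`, so a rejected or failed attempt to add or delete a DOI by a CAP_NET_ADMIN process leaves no trace in the audit log, which is usually the event a defender most wants to see. Once the request has named a DOI (i.e. after the attribute checks pass), emit the record on both outcomes and encode the result as a field, e.g. `audit_log_format(audit_buf, " doi=%u type=%s res=%u", doi, type_str, ret_val == 0);` in add and `audit_log_format(audit_buf, " doi=%u res=%u", doi, ret_val == 0);` in remove. Keeping `doi = 0` as the initial value in remove then only matters for the early -EINVAL path, which can stay unaudited since nothing identifiable was requested. The signature of netlbl_cipsov4_add sits just above the first hunk, outside it.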
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
index f56d7a8ac7b7..d64e2ae3b129 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -35,12 +35,14 @@
35#include <linux/skbuff.h> 35#include <linux/skbuff.h>
36#include <linux/spinlock.h> 36#include <linux/spinlock.h>
37#include <linux/string.h> 37#include <linux/string.h>
38#include <linux/audit.h>
38#include <net/netlabel.h> 39#include <net/netlabel.h>
39#include <net/cipso_ipv4.h> 40#include <net/cipso_ipv4.h>
40#include <asm/bug.h> 41#include <asm/bug.h>
41 42
42#include "netlabel_mgmt.h" 43#include "netlabel_mgmt.h"
43#include "netlabel_domainhash.h" 44#include "netlabel_domainhash.h"
45#include "netlabel_user.h"
44 46
45struct netlbl_domhsh_tbl { 47struct netlbl_domhsh_tbl {
46 struct list_head *tbl; 48 struct list_head *tbl;
@@ -186,6 +188,7 @@ int netlbl_domhsh_init(u32 size)
186/** 188/**
187 * netlbl_domhsh_add - Adds a entry to the domain hash table 189 * netlbl_domhsh_add - Adds a entry to the domain hash table
188 * @entry: the entry to add 190 * @entry: the entry to add
191 * @audit_secid: the LSM secid to use in the audit message
189 * 192 *
190 * Description: 193 * Description:
191 * Adds a new entry to the domain hash table and handles any updates to the 194 * Adds a new entry to the domain hash table and handles any updates to the
@@ -193,10 +196,12 @@ int netlbl_domhsh_init(u32 size)
193 * negative on failure. 196 * negative on failure.
194 * 197 *
195 */ 198 */
196int netlbl_domhsh_add(struct netlbl_dom_map *entry) 199int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid)
197{ 200{
198 int ret_val; 201 int ret_val;
199 u32 bkt; 202 u32 bkt;
203 struct audit_buffer *audit_buf;
204 char *audit_domain;
200 205
201 switch (entry->type) { 206 switch (entry->type) {
202 case NETLBL_NLTYPE_UNLABELED: 207 case NETLBL_NLTYPE_UNLABELED:
@@ -236,6 +241,26 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry)
236 spin_unlock(&netlbl_domhsh_def_lock); 241 spin_unlock(&netlbl_domhsh_def_lock);
237 } else 242 } else
238 ret_val = -EINVAL; 243 ret_val = -EINVAL;
244 if (ret_val == 0) {
245 if (entry->domain != NULL)
246 audit_domain = entry->domain;
247 else
248 audit_domain = "(default)";
249 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD,
250 audit_secid);
251 audit_log_format(audit_buf, " domain=%s", audit_domain);
252 switch (entry->type) {
253 case NETLBL_NLTYPE_UNLABELED:
254 audit_log_format(audit_buf, " protocol=unlbl");
255 break;
256 case NETLBL_NLTYPE_CIPSOV4:
257 audit_log_format(audit_buf,
258 " protocol=cipsov4 doi=%u",
259 entry->type_def.cipsov4->doi);
260 break;
261 }
262 audit_log_end(audit_buf);
263 }
239 rcu_read_unlock(); 264 rcu_read_unlock();
240 265
241 if (ret_val != 0) { 266 if (ret_val != 0) {
@@ -254,6 +279,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry)
254/** 279/**
255 * netlbl_domhsh_add_default - Adds the default entry to the domain hash table 280 * netlbl_domhsh_add_default - Adds the default entry to the domain hash table
256 * @entry: the entry to add 281 * @entry: the entry to add
282 * @audit_secid: the LSM secid to use in the audit message
257 * 283 *
258 * Description: 284 * Description:
259 * Adds a new default entry to the domain hash table and handles any updates 285 * Adds a new default entry to the domain hash table and handles any updates
@@ -261,14 +287,15 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry)
261 * negative on failure. 287 * negative on failure.
262 * 288 *
263 */ 289 */
264int netlbl_domhsh_add_default(struct netlbl_dom_map *entry) 290int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid)
265{ 291{
266 return netlbl_domhsh_add(entry); 292 return netlbl_domhsh_add(entry, audit_secid);
267} 293}
268 294
269/** 295/**
270 * netlbl_domhsh_remove - Removes an entry from the domain hash table 296 * netlbl_domhsh_remove - Removes an entry from the domain hash table
271 * @domain: the domain to remove 297 * @domain: the domain to remove
298 * @audit_secid: the LSM secid to use in the audit message
272 * 299 *
273 * Description: 300 * Description:
274 * Removes an entry from the domain hash table and handles any updates to the 301 * Removes an entry from the domain hash table and handles any updates to the
@@ -276,10 +303,12 @@ int netlbl_domhsh_add_default(struct netlbl_dom_map *entry)
276 * negative on failure. 303 * negative on failure.
277 * 304 *
278 */ 305 */
279int netlbl_domhsh_remove(const char *domain) 306int netlbl_domhsh_remove(const char *domain, u32 audit_secid)
280{ 307{
281 int ret_val = -ENOENT; 308 int ret_val = -ENOENT;
282 struct netlbl_dom_map *entry; 309 struct netlbl_dom_map *entry;
310 struct audit_buffer *audit_buf;
311 char *audit_domain;
283 312
284 rcu_read_lock(); 313 rcu_read_lock();
285 if (domain != NULL) 314 if (domain != NULL)
@@ -316,8 +345,18 @@ int netlbl_domhsh_remove(const char *domain)
316 ret_val = -ENOENT; 345 ret_val = -ENOENT;
317 spin_unlock(&netlbl_domhsh_def_lock); 346 spin_unlock(&netlbl_domhsh_def_lock);
318 } 347 }
319 if (ret_val == 0) 348 if (ret_val == 0) {
349 if (entry->domain != NULL)
350 audit_domain = entry->domain;
351 else
352 audit_domain = "(default)";
353 audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL,
354 audit_secid);
355 audit_log_format(audit_buf, " domain=%s", audit_domain);
356 audit_log_end(audit_buf);
357
320 call_rcu(&entry->rcu, netlbl_domhsh_free_entry); 358 call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
359 }
321 360
322remove_return: 361remove_return:
323 rcu_read_unlock(); 362 rcu_read_unlock();
@@ -326,6 +365,7 @@ remove_return:
326 365
327/** 366/**
328 * netlbl_domhsh_remove_default - Removes the default entry from the table 367 * netlbl_domhsh_remove_default - Removes the default entry from the table
368 * @audit_secid: the LSM secid to use in the audit message
329 * 369 *
330 * Description: 370 * Description:
331 * Removes/resets the default entry for the domain hash table and handles any 371 * Removes/resets the default entry for the domain hash table and handles any
@@ -333,9 +373,9 @@ remove_return:
333 * success, non-zero on failure. 373 * success, non-zero on failure.
334 * 374 *
335 */ 375 */
336int netlbl_domhsh_remove_default(void) 376int netlbl_domhsh_remove_default(u32 audit_secid)
337{ 377{
338 return netlbl_domhsh_remove(NULL); 378 return netlbl_domhsh_remove(NULL, audit_secid);
339} 379}
340 380
341/** 381/**
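Review bot: The domain name logged by `audit_log_format(audit_buf, " domain=%s", audit_domain);` in netlbl_domhsh_add (and again in netlbl_domhsh_remove) originates from a userspace netlink attribute, so a value containing spaces, quotes or control characters can corrupt the key=value structure of the audit record; log it with `audit_log_untrustedstring()` as netlbl_audit_start_common already does for comm, guarded by a NULL check on audit_buf if that helper does not tolerate a NULL buffer the way audit_log_format() does. Separately, both audit blocks execute before `rcu_read_unlock()`, and netlbl_audit_start_common() does `down_read(&current->mm->mmap_sem)`, which may sleep; on a preemptible kernel that is a sleeping lock inside an RCU read-side critical section, and cipso_v4_doi_remove() reaches the same path via netlbl_domhsh_remove() under its own rcu_read_lock(). Either emit the record after the read-side section ends or keep the shared audit helper free of sleeping locks. Both netlbl_domhsh_add and netlbl_domhsh_remove begin and end outside the hunks shown.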
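--- a/net/netlabel/netlabel_domainhash.h
+++ b/net/netlabel/netlabel_domainhash.h
@@ -57,9 +57,9 @@ struct netlbl_dom_map {
 int netlbl_domhsh_init(u32 size);
 
 /* Manipulate the domain hash table */
-int netlbl_domhsh_add(struct netlbl_dom_map *entry);
-int netlbl_domhsh_add_default(struct netlbl_dom_map *entry);
-int netlbl_domhsh_remove_default(void);
+int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid);
+int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid);
+int netlbl_domhsh_remove_default(u32 audit_secid);
 struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain);
 int netlbl_domhsh_walk(u32 *skip_bkt,
  u32 *skip_chain,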
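--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -108,7 +108,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info)
 
  switch (entry->type) {
  case NETLBL_NLTYPE_UNLABELED:
-  ret_val = netlbl_domhsh_add(entry);
+  ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid);
  break;
  case NETLBL_NLTYPE_CIPSOV4:
  if (!info->attrs[NLBL_MGMT_A_CV4DOI])
@@ -125,7 +125,7 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info)
  rcu_read_unlock();
  goto add_failure;
  }
-  ret_val = netlbl_domhsh_add(entry);
+  ret_val = netlbl_domhsh_add(entry, NETLINK_CB(skb).sid);
  rcu_read_unlock();
  break;
  default:
@@ -161,7 +161,7 @@ static int netlbl_mgmt_remove(struct sk_buff *skb, struct genl_info *info)
  return -EINVAL;
 
  domain = nla_data(info->attrs[NLBL_MGMT_A_DOMAIN]);
-  return netlbl_domhsh_remove(domain);
+  return netlbl_domhsh_remove(domain, NETLINK_CB(skb).sid);
 }
 
 /**
@@ -277,7 +277,8 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info)
 
  switch (entry->type) {
  case NETLBL_NLTYPE_UNLABELED:
-  ret_val = netlbl_domhsh_add_default(entry);
+  ret_val = netlbl_domhsh_add_default(entry,
+  NETLINK_CB(skb).sid);
  break;
  case NETLBL_NLTYPE_CIPSOV4:
  if (!info->attrs[NLBL_MGMT_A_CV4DOI])
@@ -294,7 +295,8 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info)
  rcu_read_unlock();
  goto adddef_failure;
  }
-  ret_val = netlbl_domhsh_add_default(entry);
+  ret_val = netlbl_domhsh_add_default(entry,
+  NETLINK_CB(skb).sid);
  rcu_read_unlock();
  break;
  default:
@@ -322,7 +324,7 @@ adddef_failure:
  */
 static int netlbl_mgmt_removedef(struct sk_buff *skb, struct genl_info *info)
 {
-  return netlbl_domhsh_remove_default();
+  return netlbl_domhsh_remove_default(NETLINK_CB(skb).sid);
 }
 
 /**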
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 440f5c4e1e2d..ab36675fee8c 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -64,6 +64,27 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
64}; 64};
65 65
66/* 66/*
67 * Helper Functions
68 */
69
70/**
71 * netlbl_unlabel_acceptflg_set - Set the unlabeled accept flag
72 * @value: desired value
73 * @audit_secid: the LSM secid to use in the audit message
74 *
75 * Description:
76 * Set the value of the unlabeled accept flag to @value.
77 *
78 */
79static void netlbl_unlabel_acceptflg_set(u8 value, u32 audit_secid)
80{
81 atomic_set(&netlabel_unlabel_accept_flg, value);
82 netlbl_audit_nomsg((value ?
83 AUDIT_MAC_UNLBL_ACCEPT : AUDIT_MAC_UNLBL_DENY),
84 audit_secid);
85}
86
87/*
67 * NetLabel Command Handlers 88 * NetLabel Command Handlers
68 */ 89 */
69 90
@@ -79,18 +100,18 @@ static struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
79 */ 100 */
80static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info) 101static int netlbl_unlabel_accept(struct sk_buff *skb, struct genl_info *info)
81{ 102{
82 int ret_val = -EINVAL;
83 u8 value; 103 u8 value;
84 104
85 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) { 105 if (info->attrs[NLBL_UNLABEL_A_ACPTFLG]) {
86 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]); 106 value = nla_get_u8(info->attrs[NLBL_UNLABEL_A_ACPTFLG]);
87 if (value == 1 || value == 0) { 107 if (value == 1 || value == 0) {
88 atomic_set(&netlabel_unlabel_accept_flg, value); 108 netlbl_unlabel_acceptflg_set(value,
89 ret_val = 0; 109 NETLINK_CB(skb).sid);
110 return 0;
90 } 111 }
91 } 112 }
92 113
93 return ret_val; 114 return -EINVAL;
94} 115}
95 116
96/** 117/**
@@ -229,16 +250,19 @@ int netlbl_unlabel_defconf(void)
229{ 250{
230 int ret_val; 251 int ret_val;
231 struct netlbl_dom_map *entry; 252 struct netlbl_dom_map *entry;
253 u32 secid;
254
255 security_task_getsecid(current, &secid);
232 256
233 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 257 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
234 if (entry == NULL) 258 if (entry == NULL)
235 return -ENOMEM; 259 return -ENOMEM;
236 entry->type = NETLBL_NLTYPE_UNLABELED; 260 entry->type = NETLBL_NLTYPE_UNLABELED;
237 ret_val = netlbl_domhsh_add_default(entry); 261 ret_val = netlbl_domhsh_add_default(entry, secid);
238 if (ret_val != 0) 262 if (ret_val != 0)
239 return ret_val; 263 return ret_val;
240 264
241 atomic_set(&netlabel_unlabel_accept_flg, 1); 265 netlbl_unlabel_acceptflg_set(1, secid);
242 266
243 return 0; 267 return 0;
244} 268}
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index eeb7d768d2bb..c2343af584cb 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -32,6 +32,9 @@
32#include <linux/types.h> 32#include <linux/types.h>
33#include <linux/list.h> 33#include <linux/list.h>
34#include <linux/socket.h> 34#include <linux/socket.h>
35#include <linux/audit.h>
36#include <linux/tty.h>
37#include <linux/security.h>
35#include <net/sock.h> 38#include <net/sock.h>
36#include <net/netlink.h> 39#include <net/netlink.h>
37#include <net/genetlink.h> 40#include <net/genetlink.h>
@@ -74,3 +77,91 @@ int netlbl_netlink_init(void)
74 77
75 return 0; 78 return 0;
76} 79}
80
81/*
82 * NetLabel Audit Functions
83 */
84
85/**
86 * netlbl_audit_start_common - Start an audit message
87 * @type: audit message type
88 * @secid: LSM context ID
89 *
90 * Description:
91 * Start an audit message using the type specified in @type and fill the audit
92 * message with some fields common to all NetLabel audit messages. Returns
93 * a pointer to the audit buffer on success, NULL on failure.
94 *
95 */
96struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
97{
98 struct audit_context *audit_ctx = current->audit_context;
99 struct audit_buffer *audit_buf;
100 uid_t audit_loginuid;
101 const char *audit_tty;
102 char audit_comm[sizeof(current->comm)];
103 struct vm_area_struct *vma;
104 char *secctx;
105 u32 secctx_len;
106
107 audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type);
108 if (audit_buf == NULL)
109 return NULL;
110
111 audit_loginuid = audit_get_loginuid(audit_ctx);
112 if (current->signal &&
113 current->signal->tty &&
114 current->signal->tty->name)
115 audit_tty = current->signal->tty->name;
116 else
117 audit_tty = "(none)";
118 get_task_comm(audit_comm, current);
119
120 audit_log_format(audit_buf,
121 "netlabel: auid=%u uid=%u tty=%s pid=%d",
122 audit_loginuid,
123 current->uid,
124 audit_tty,
125 current->pid);
126 audit_log_format(audit_buf, " comm=");
127 audit_log_untrustedstring(audit_buf, audit_comm);
128 if (current->mm) {
129 down_read(&current->mm->mmap_sem);
130 vma = current->mm->mmap;
131 while (vma) {
132 if ((vma->vm_flags & VM_EXECUTABLE) &&
133 vma->vm_file) {
134 audit_log_d_path(audit_buf,
135 " exe=",
136 vma->vm_file->f_dentry,
137 vma->vm_file->f_vfsmnt);
138 break;
139 }
140 vma = vma->vm_next;
141 }
142 up_read(&current->mm->mmap_sem);
143 }
144
145 if (secid != 0 &&
146 security_secid_to_secctx(secid, &secctx, &secctx_len) == 0)
147 audit_log_format(audit_buf, " subj=%s", secctx);
148
149 return audit_buf;
150}
151
152/**
153 * netlbl_audit_nomsg - Send an audit message without additional text
154 * @type: audit message type
155 * @secid: LSM context ID
156 *
157 * Description:
158 * Send an audit message with only the common NetLabel audit fields.
159 *
160 */
161void netlbl_audit_nomsg(int type, u32 secid)
162{
163 struct audit_buffer *audit_buf;
164
165 audit_buf = netlbl_audit_start_common(type, secid);
166 audit_log_end(audit_buf);
167}
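Review bot: The `secctx` obtained from `security_secid_to_secctx()` near the end of netlbl_audit_start_common is never freed after the ` subj=%s` format consumes it, so every audited configuration change leaks the LSM context string; release it with the LSM's matching release routine (the other in-tree callers of this API free the returned buffer once logged) right after the audit_log_format() call. The function also takes `current->mm->mmap_sem` via down_read() to locate the executable, so it may sleep, and the kerneldoc should state that (`May sleep: takes mmap_sem; do not call from atomic or RCU read-side context`) because the callers added in netlabel_domainhash.c currently invoke it inside rcu_read_lock(). Lastly, none of the callers check the documented NULL return; that is only safe because audit_log_format() and audit_log_end() ignore a NULL buffer, which deserves a one-line comment in netlbl_audit_nomsg so the contract is not broken by a future caller passing the buffer to a helper without that tolerance.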
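--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -34,6 +34,7 @@
 #include <linux/types.h>
 #include <linux/skbuff.h>
 #include <linux/capability.h>
+#include <linux/audit.h>
 #include <net/netlink.h>
 #include <net/genetlink.h>
 #include <net/netlabel.h>
@@ -75,4 +76,9 @@ static inline void *netlbl_netlink_hdr_put(struct sk_buff *skb,
 
 int netlbl_netlink_init(void);
 
+/* NetLabel Audit Functions */
+
+struct audit_buffer *netlbl_audit_start_common(int type, u32 secid);
+void netlbl_audit_nomsg(int type, u32 secid);
+
 #endif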