diff options
| -rw-r--r-- | include/linux/audit.h | 15 | ||||
| -rw-r--r-- | kernel/auditfilter.c | 50 | ||||
| -rw-r--r-- | kernel/auditsc.c | 10 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 32 |
4 files changed, 56 insertions, 51 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index a489104ae3a4..c211f0a2abb4 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -151,12 +151,17 @@ | |||
| 151 | #define AUDIT_PERS 10 | 151 | #define AUDIT_PERS 10 |
| 152 | #define AUDIT_ARCH 11 | 152 | #define AUDIT_ARCH 11 |
| 153 | #define AUDIT_MSGTYPE 12 | 153 | #define AUDIT_MSGTYPE 12 |
| 154 | #define AUDIT_SE_USER 13 /* security label user */ | 154 | #define AUDIT_SUBJ_USER 13 /* security label user */ |
| 155 | #define AUDIT_SE_ROLE 14 /* security label role */ | 155 | #define AUDIT_SUBJ_ROLE 14 /* security label role */ |
| 156 | #define AUDIT_SE_TYPE 15 /* security label type */ | 156 | #define AUDIT_SUBJ_TYPE 15 /* security label type */ |
| 157 | #define AUDIT_SE_SEN 16 /* security label sensitivity label */ | 157 | #define AUDIT_SUBJ_SEN 16 /* security label sensitivity label */ |
| 158 | #define AUDIT_SE_CLR 17 /* security label clearance label */ | 158 | #define AUDIT_SUBJ_CLR 17 /* security label clearance label */ |
| 159 | #define AUDIT_PPID 18 | 159 | #define AUDIT_PPID 18 |
| 160 | #define AUDIT_OBJ_USER 19 | ||
| 161 | #define AUDIT_OBJ_ROLE 20 | ||
| 162 | #define AUDIT_OBJ_TYPE 21 | ||
| 163 | #define AUDIT_OBJ_LEV_LOW 22 | ||
| 164 | #define AUDIT_OBJ_LEV_HIGH 23 | ||
| 160 | 165 | ||
| 161 | /* These are ONLY useful when checking | 166 | /* These are ONLY useful when checking |
| 162 | * at syscall exit time (AUDIT_AT_EXIT). */ | 167 | * at syscall exit time (AUDIT_AT_EXIT). */ |
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index e98db08fc6df..40a9931a13e2 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c | |||
| @@ -470,11 +470,11 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, | |||
| 470 | case AUDIT_ARG2: | 470 | case AUDIT_ARG2: |
| 471 | case AUDIT_ARG3: | 471 | case AUDIT_ARG3: |
| 472 | break; | 472 | break; |
| 473 | case AUDIT_SE_USER: | 473 | case AUDIT_SUBJ_USER: |
| 474 | case AUDIT_SE_ROLE: | 474 | case AUDIT_SUBJ_ROLE: |
| 475 | case AUDIT_SE_TYPE: | 475 | case AUDIT_SUBJ_TYPE: |
| 476 | case AUDIT_SE_SEN: | 476 | case AUDIT_SUBJ_SEN: |
| 477 | case AUDIT_SE_CLR: | 477 | case AUDIT_SUBJ_CLR: |
| 478 | str = audit_unpack_string(&bufp, &remain, f->val); | 478 | str = audit_unpack_string(&bufp, &remain, f->val); |
| 479 | if (IS_ERR(str)) | 479 | if (IS_ERR(str)) |
| 480 | goto exit_free; | 480 | goto exit_free; |
| @@ -611,11 +611,11 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) | |||
| 611 | data->fields[i] = f->type; | 611 | data->fields[i] = f->type; |
| 612 | data->fieldflags[i] = f->op; | 612 | data->fieldflags[i] = f->op; |
| 613 | switch(f->type) { | 613 | switch(f->type) { |
| 614 | case AUDIT_SE_USER: | 614 | case AUDIT_SUBJ_USER: |
| 615 | case AUDIT_SE_ROLE: | 615 | case AUDIT_SUBJ_ROLE: |
| 616 | case AUDIT_SE_TYPE: | 616 | case AUDIT_SUBJ_TYPE: |
| 617 | case AUDIT_SE_SEN: | 617 | case AUDIT_SUBJ_SEN: |
| 618 | case AUDIT_SE_CLR: | 618 | case AUDIT_SUBJ_CLR: |
| 619 | data->buflen += data->values[i] = | 619 | data->buflen += data->values[i] = |
| 620 | audit_pack_string(&bufp, f->se_str); | 620 | audit_pack_string(&bufp, f->se_str); |
| 621 | break; | 621 | break; |
| @@ -654,11 +654,11 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) | |||
| 654 | return 1; | 654 | return 1; |
| 655 | 655 | ||
| 656 | switch(a->fields[i].type) { | 656 | switch(a->fields[i].type) { |
| 657 | case AUDIT_SE_USER: | 657 | case AUDIT_SUBJ_USER: |
| 658 | case AUDIT_SE_ROLE: | 658 | case AUDIT_SUBJ_ROLE: |
| 659 | case AUDIT_SE_TYPE: | 659 | case AUDIT_SUBJ_TYPE: |
| 660 | case AUDIT_SE_SEN: | 660 | case AUDIT_SUBJ_SEN: |
| 661 | case AUDIT_SE_CLR: | 661 | case AUDIT_SUBJ_CLR: |
| 662 | if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) | 662 | if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) |
| 663 | return 1; | 663 | return 1; |
| 664 | break; | 664 | break; |
| @@ -774,11 +774,11 @@ static struct audit_entry *audit_dupe_rule(struct audit_krule *old, | |||
| 774 | * the originals will all be freed when the old rule is freed. */ | 774 | * the originals will all be freed when the old rule is freed. */ |
| 775 | for (i = 0; i < fcount; i++) { | 775 | for (i = 0; i < fcount; i++) { |
| 776 | switch (new->fields[i].type) { | 776 | switch (new->fields[i].type) { |
| 777 | case AUDIT_SE_USER: | 777 | case AUDIT_SUBJ_USER: |
| 778 | case AUDIT_SE_ROLE: | 778 | case AUDIT_SUBJ_ROLE: |
| 779 | case AUDIT_SE_TYPE: | 779 | case AUDIT_SUBJ_TYPE: |
| 780 | case AUDIT_SE_SEN: | 780 | case AUDIT_SUBJ_SEN: |
| 781 | case AUDIT_SE_CLR: | 781 | case AUDIT_SUBJ_CLR: |
| 782 | err = audit_dupe_selinux_field(&new->fields[i], | 782 | err = audit_dupe_selinux_field(&new->fields[i], |
| 783 | &old->fields[i]); | 783 | &old->fields[i]); |
| 784 | break; | 784 | break; |
| @@ -1537,11 +1537,11 @@ static inline int audit_rule_has_selinux(struct audit_krule *rule) | |||
| 1537 | for (i = 0; i < rule->field_count; i++) { | 1537 | for (i = 0; i < rule->field_count; i++) { |
| 1538 | struct audit_field *f = &rule->fields[i]; | 1538 | struct audit_field *f = &rule->fields[i]; |
| 1539 | switch (f->type) { | 1539 | switch (f->type) { |
| 1540 | case AUDIT_SE_USER: | 1540 | case AUDIT_SUBJ_USER: |
| 1541 | case AUDIT_SE_ROLE: | 1541 | case AUDIT_SUBJ_ROLE: |
| 1542 | case AUDIT_SE_TYPE: | 1542 | case AUDIT_SUBJ_TYPE: |
| 1543 | case AUDIT_SE_SEN: | 1543 | case AUDIT_SUBJ_SEN: |
| 1544 | case AUDIT_SE_CLR: | 1544 | case AUDIT_SUBJ_CLR: |
| 1545 | return 1; | 1545 | return 1; |
| 1546 | } | 1546 | } |
| 1547 | } | 1547 | } |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 316657855165..1d24fade17e6 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
| @@ -321,11 +321,11 @@ static int audit_filter_rules(struct task_struct *tsk, | |||
| 321 | if (ctx) | 321 | if (ctx) |
| 322 | result = audit_comparator(ctx->loginuid, f->op, f->val); | 322 | result = audit_comparator(ctx->loginuid, f->op, f->val); |
| 323 | break; | 323 | break; |
| 324 | case AUDIT_SE_USER: | 324 | case AUDIT_SUBJ_USER: |
| 325 | case AUDIT_SE_ROLE: | 325 | case AUDIT_SUBJ_ROLE: |
| 326 | case AUDIT_SE_TYPE: | 326 | case AUDIT_SUBJ_TYPE: |
| 327 | case AUDIT_SE_SEN: | 327 | case AUDIT_SUBJ_SEN: |
| 328 | case AUDIT_SE_CLR: | 328 | case AUDIT_SUBJ_CLR: |
| 329 | /* NOTE: this may return negative values indicating | 329 | /* NOTE: this may return negative values indicating |
| 330 | a temporary error. We simply treat this as a | 330 | a temporary error. We simply treat this as a |
| 331 | match for now to avoid losing information that | 331 | match for now to avoid losing information that |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index e9548bc049e1..92e80b99d183 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -1845,15 +1845,15 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | |||
| 1845 | return -ENOTSUPP; | 1845 | return -ENOTSUPP; |
| 1846 | 1846 | ||
| 1847 | switch (field) { | 1847 | switch (field) { |
| 1848 | case AUDIT_SE_USER: | 1848 | case AUDIT_SUBJ_USER: |
| 1849 | case AUDIT_SE_ROLE: | 1849 | case AUDIT_SUBJ_ROLE: |
| 1850 | case AUDIT_SE_TYPE: | 1850 | case AUDIT_SUBJ_TYPE: |
| 1851 | /* only 'equals' and 'not equals' fit user, role, and type */ | 1851 | /* only 'equals' and 'not equals' fit user, role, and type */ |
| 1852 | if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) | 1852 | if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) |
| 1853 | return -EINVAL; | 1853 | return -EINVAL; |
| 1854 | break; | 1854 | break; |
| 1855 | case AUDIT_SE_SEN: | 1855 | case AUDIT_SUBJ_SEN: |
| 1856 | case AUDIT_SE_CLR: | 1856 | case AUDIT_SUBJ_CLR: |
| 1857 | /* we do not allow a range, indicated by the presense of '-' */ | 1857 | /* we do not allow a range, indicated by the presense of '-' */ |
| 1858 | if (strchr(rulestr, '-')) | 1858 | if (strchr(rulestr, '-')) |
| 1859 | return -EINVAL; | 1859 | return -EINVAL; |
| @@ -1874,29 +1874,29 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | |||
| 1874 | tmprule->au_seqno = latest_granting; | 1874 | tmprule->au_seqno = latest_granting; |
| 1875 | 1875 | ||
| 1876 | switch (field) { | 1876 | switch (field) { |
| 1877 | case AUDIT_SE_USER: | 1877 | case AUDIT_SUBJ_USER: |
| 1878 | userdatum = hashtab_search(policydb.p_users.table, rulestr); | 1878 | userdatum = hashtab_search(policydb.p_users.table, rulestr); |
| 1879 | if (!userdatum) | 1879 | if (!userdatum) |
| 1880 | rc = -EINVAL; | 1880 | rc = -EINVAL; |
| 1881 | else | 1881 | else |
| 1882 | tmprule->au_ctxt.user = userdatum->value; | 1882 | tmprule->au_ctxt.user = userdatum->value; |
| 1883 | break; | 1883 | break; |
| 1884 | case AUDIT_SE_ROLE: | 1884 | case AUDIT_SUBJ_ROLE: |
| 1885 | roledatum = hashtab_search(policydb.p_roles.table, rulestr); | 1885 | roledatum = hashtab_search(policydb.p_roles.table, rulestr); |
| 1886 | if (!roledatum) | 1886 | if (!roledatum) |
| 1887 | rc = -EINVAL; | 1887 | rc = -EINVAL; |
| 1888 | else | 1888 | else |
| 1889 | tmprule->au_ctxt.role = roledatum->value; | 1889 | tmprule->au_ctxt.role = roledatum->value; |
| 1890 | break; | 1890 | break; |
| 1891 | case AUDIT_SE_TYPE: | 1891 | case AUDIT_SUBJ_TYPE: |
| 1892 | typedatum = hashtab_search(policydb.p_types.table, rulestr); | 1892 | typedatum = hashtab_search(policydb.p_types.table, rulestr); |
| 1893 | if (!typedatum) | 1893 | if (!typedatum) |
| 1894 | rc = -EINVAL; | 1894 | rc = -EINVAL; |
| 1895 | else | 1895 | else |
| 1896 | tmprule->au_ctxt.type = typedatum->value; | 1896 | tmprule->au_ctxt.type = typedatum->value; |
| 1897 | break; | 1897 | break; |
| 1898 | case AUDIT_SE_SEN: | 1898 | case AUDIT_SUBJ_SEN: |
| 1899 | case AUDIT_SE_CLR: | 1899 | case AUDIT_SUBJ_CLR: |
| 1900 | rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); | 1900 | rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); |
| 1901 | break; | 1901 | break; |
| 1902 | } | 1902 | } |
| @@ -1948,7 +1948,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | |||
| 1948 | /* a field/op pair that is not caught here will simply fall through | 1948 | /* a field/op pair that is not caught here will simply fall through |
| 1949 | without a match */ | 1949 | without a match */ |
| 1950 | switch (field) { | 1950 | switch (field) { |
| 1951 | case AUDIT_SE_USER: | 1951 | case AUDIT_SUBJ_USER: |
| 1952 | switch (op) { | 1952 | switch (op) { |
| 1953 | case AUDIT_EQUAL: | 1953 | case AUDIT_EQUAL: |
| 1954 | match = (ctxt->user == rule->au_ctxt.user); | 1954 | match = (ctxt->user == rule->au_ctxt.user); |
| @@ -1958,7 +1958,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | |||
| 1958 | break; | 1958 | break; |
| 1959 | } | 1959 | } |
| 1960 | break; | 1960 | break; |
| 1961 | case AUDIT_SE_ROLE: | 1961 | case AUDIT_SUBJ_ROLE: |
| 1962 | switch (op) { | 1962 | switch (op) { |
| 1963 | case AUDIT_EQUAL: | 1963 | case AUDIT_EQUAL: |
| 1964 | match = (ctxt->role == rule->au_ctxt.role); | 1964 | match = (ctxt->role == rule->au_ctxt.role); |
| @@ -1968,7 +1968,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | |||
| 1968 | break; | 1968 | break; |
| 1969 | } | 1969 | } |
| 1970 | break; | 1970 | break; |
| 1971 | case AUDIT_SE_TYPE: | 1971 | case AUDIT_SUBJ_TYPE: |
| 1972 | switch (op) { | 1972 | switch (op) { |
| 1973 | case AUDIT_EQUAL: | 1973 | case AUDIT_EQUAL: |
| 1974 | match = (ctxt->type == rule->au_ctxt.type); | 1974 | match = (ctxt->type == rule->au_ctxt.type); |
| @@ -1978,9 +1978,9 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | |||
| 1978 | break; | 1978 | break; |
| 1979 | } | 1979 | } |
| 1980 | break; | 1980 | break; |
| 1981 | case AUDIT_SE_SEN: | 1981 | case AUDIT_SUBJ_SEN: |
| 1982 | case AUDIT_SE_CLR: | 1982 | case AUDIT_SUBJ_CLR: |
| 1983 | level = (field == AUDIT_SE_SEN ? | 1983 | level = (field == AUDIT_SUBJ_SEN ? |
| 1984 | &ctxt->range.level[0] : &ctxt->range.level[1]); | 1984 | &ctxt->range.level[0] : &ctxt->range.level[1]); |
| 1985 | switch (op) { | 1985 | switch (op) { |
| 1986 | case AUDIT_EQUAL: | 1986 | case AUDIT_EQUAL: |