aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--drivers/char/tty_audit.c7
-rw-r--r--include/linux/audit.h3
-rw-r--r--include/linux/netlink.h1
-rw-r--r--include/linux/tty.h4
-rw-r--r--include/net/netlabel.h1
-rw-r--r--include/net/xfrm.h23
-rw-r--r--kernel/audit.c72
-rw-r--r--kernel/auditfilter.c16
-rw-r--r--net/key/af_key.c17
-rw-r--r--net/netlabel/netlabel_unlabeled.c1
-rw-r--r--net/netlabel/netlabel_user.c4
-rw-r--r--net/netlabel/netlabel_user.h1
-rw-r--r--net/netlink/af_netlink.c1
-rw-r--r--net/xfrm/xfrm_policy.c12
-rw-r--r--net/xfrm/xfrm_state.c13
-rw-r--r--net/xfrm/xfrm_user.c41
-rw-r--r--security/smack/smackfs.c2
17 files changed, 132 insertions, 87 deletions
diff --git a/drivers/char/tty_audit.c b/drivers/char/tty_audit.c
index 7722466e052f..9739bbfc8f70 100644
--- a/drivers/char/tty_audit.c
+++ b/drivers/char/tty_audit.c
@@ -151,14 +151,9 @@ void tty_audit_fork(struct signal_struct *sig)
151/** 151/**
152 * tty_audit_push_task - Flush task's pending audit data 152 * tty_audit_push_task - Flush task's pending audit data
153 */ 153 */
154void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid) 154void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid)
155{ 155{
156 struct tty_audit_buf *buf; 156 struct tty_audit_buf *buf;
157 /* FIXME I think this is correct. Check against netlink once that is
158 * I really need to read this code more closely. But that's for
159 * another patch.
160 */
161 unsigned int sessionid = audit_get_sessionid(tsk);
162 157
163 spin_lock_irq(&tsk->sighand->siglock); 158 spin_lock_irq(&tsk->sighand->siglock);
164 buf = tsk->signal->tty_audit_buf; 159 buf = tsk->signal->tty_audit_buf;
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 4ccb048cae1d..25f6ae30dd4b 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -569,7 +569,8 @@ extern int audit_update_lsm_rules(void);
569extern int audit_filter_user(struct netlink_skb_parms *cb, int type); 569extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
570extern int audit_filter_type(int type); 570extern int audit_filter_type(int type);
571extern int audit_receive_filter(int type, int pid, int uid, int seq, 571extern int audit_receive_filter(int type, int pid, int uid, int seq,
572 void *data, size_t datasz, uid_t loginuid, u32 sid); 572 void *data, size_t datasz, uid_t loginuid,
573 u32 sessionid, u32 sid);
573extern int audit_enabled; 574extern int audit_enabled;
574#else 575#else
575#define audit_log(c,g,t,f,...) do { ; } while (0) 576#define audit_log(c,g,t,f,...) do { ; } while (0)
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index fb0713b6ffaf..bec1062a25a1 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -166,6 +166,7 @@ struct netlink_skb_parms
166 __u32 dst_group; 166 __u32 dst_group;
167 kernel_cap_t eff_cap; 167 kernel_cap_t eff_cap;
168 __u32 loginuid; /* Login (audit) uid */ 168 __u32 loginuid; /* Login (audit) uid */
169 __u32 sessionid; /* Session id (audit) */
169 __u32 sid; /* SELinux security id */ 170 __u32 sid; /* SELinux security id */
170}; 171};
171 172
diff --git a/include/linux/tty.h b/include/linux/tty.h
index dd8e08fe8855..430624504ca0 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -351,7 +351,7 @@ extern void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
351extern void tty_audit_exit(void); 351extern void tty_audit_exit(void);
352extern void tty_audit_fork(struct signal_struct *sig); 352extern void tty_audit_fork(struct signal_struct *sig);
353extern void tty_audit_push(struct tty_struct *tty); 353extern void tty_audit_push(struct tty_struct *tty);
354extern void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid); 354extern void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid);
355extern void tty_audit_opening(void); 355extern void tty_audit_opening(void);
356#else 356#else
357static inline void tty_audit_add_data(struct tty_struct *tty, 357static inline void tty_audit_add_data(struct tty_struct *tty,
@@ -367,7 +367,7 @@ static inline void tty_audit_fork(struct signal_struct *sig)
367static inline void tty_audit_push(struct tty_struct *tty) 367static inline void tty_audit_push(struct tty_struct *tty)
368{ 368{
369} 369}
370static inline void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid) 370static inline void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid)
371{ 371{
372} 372}
373static inline void tty_audit_opening(void) 373static inline void tty_audit_opening(void)
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 5e53a85b5ca1..e4d2d6baa983 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -103,6 +103,7 @@ struct cipso_v4_doi;
103struct netlbl_audit { 103struct netlbl_audit {
104 u32 secid; 104 u32 secid;
105 uid_t loginuid; 105 uid_t loginuid;
106 u32 sessionid;
106}; 107};
107 108
108/* 109/*
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index baa9f372cfd1..d1350bcccb03 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -597,8 +597,9 @@ struct xfrm_spi_skb_cb {
597/* Audit Information */ 597/* Audit Information */
598struct xfrm_audit 598struct xfrm_audit
599{ 599{
600 u32 loginuid;
601 u32 secid; 600 u32 secid;
601 uid_t loginuid;
602 u32 sessionid;
602}; 603};
603 604
604#ifdef CONFIG_AUDITSYSCALL 605#ifdef CONFIG_AUDITSYSCALL
@@ -616,13 +617,13 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op)
616 return audit_buf; 617 return audit_buf;
617} 618}
618 619
619static inline void xfrm_audit_helper_usrinfo(u32 auid, u32 secid, 620static inline void xfrm_audit_helper_usrinfo(uid_t auid, u32 ses, u32 secid,
620 struct audit_buffer *audit_buf) 621 struct audit_buffer *audit_buf)
621{ 622{
622 char *secctx; 623 char *secctx;
623 u32 secctx_len; 624 u32 secctx_len;
624 625
625 audit_log_format(audit_buf, " auid=%u", auid); 626 audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
626 if (secid != 0 && 627 if (secid != 0 &&
627 security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) { 628 security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
628 audit_log_format(audit_buf, " subj=%s", secctx); 629 audit_log_format(audit_buf, " subj=%s", secctx);
@@ -632,13 +633,13 @@ static inline void xfrm_audit_helper_usrinfo(u32 auid, u32 secid,
632} 633}
633 634
634extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 635extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
635 u32 auid, u32 secid); 636 u32 auid, u32 ses, u32 secid);
636extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 637extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
637 u32 auid, u32 secid); 638 u32 auid, u32 ses, u32 secid);
638extern void xfrm_audit_state_add(struct xfrm_state *x, int result, 639extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
639 u32 auid, u32 secid); 640 u32 auid, u32 ses, u32 secid);
640extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, 641extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
641 u32 auid, u32 secid); 642 u32 auid, u32 ses, u32 secid);
642extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 643extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
643 struct sk_buff *skb); 644 struct sk_buff *skb);
644extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family); 645extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
@@ -647,10 +648,10 @@ extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
647extern void xfrm_audit_state_icvfail(struct xfrm_state *x, 648extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
648 struct sk_buff *skb, u8 proto); 649 struct sk_buff *skb, u8 proto);
649#else 650#else
650#define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) 651#define xfrm_audit_policy_add(x, r, a, se, s) do { ; } while (0)
651#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) 652#define xfrm_audit_policy_delete(x, r, a, se, s) do { ; } while (0)
652#define xfrm_audit_state_add(x, r, a, s) do { ; } while (0) 653#define xfrm_audit_state_add(x, r, a, se, s) do { ; } while (0)
653#define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0) 654#define xfrm_audit_state_delete(x, r, a, se, s) do { ; } while (0)
654#define xfrm_audit_state_replay_overflow(x, s) do { ; } while (0) 655#define xfrm_audit_state_replay_overflow(x, s) do { ; } while (0)
655#define xfrm_audit_state_notfound_simple(s, f) do { ; } while (0) 656#define xfrm_audit_state_notfound_simple(s, f) do { ; } while (0)
656#define xfrm_audit_state_notfound(s, f, sp, sq) do { ; } while (0) 657#define xfrm_audit_state_notfound(s, f, sp, sq) do { ; } while (0)
diff --git a/kernel/audit.c b/kernel/audit.c
index a7b16086d36f..ad6d1abfa1d2 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -252,14 +252,15 @@ void audit_log_lost(const char *message)
252} 252}
253 253
254static int audit_log_config_change(char *function_name, int new, int old, 254static int audit_log_config_change(char *function_name, int new, int old,
255 uid_t loginuid, u32 sid, int allow_changes) 255 uid_t loginuid, u32 sessionid, u32 sid,
256 int allow_changes)
256{ 257{
257 struct audit_buffer *ab; 258 struct audit_buffer *ab;
258 int rc = 0; 259 int rc = 0;
259 260
260 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 261 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
261 audit_log_format(ab, "%s=%d old=%d by auid=%u", function_name, new, 262 audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
262 old, loginuid); 263 old, loginuid, sessionid);
263 if (sid) { 264 if (sid) {
264 char *ctx = NULL; 265 char *ctx = NULL;
265 u32 len; 266 u32 len;
@@ -279,7 +280,8 @@ static int audit_log_config_change(char *function_name, int new, int old,
279} 280}
280 281
281static int audit_do_config_change(char *function_name, int *to_change, 282static int audit_do_config_change(char *function_name, int *to_change,
282 int new, uid_t loginuid, u32 sid) 283 int new, uid_t loginuid, u32 sessionid,
284 u32 sid)
283{ 285{
284 int allow_changes, rc = 0, old = *to_change; 286 int allow_changes, rc = 0, old = *to_change;
285 287
@@ -290,8 +292,8 @@ static int audit_do_config_change(char *function_name, int *to_change,
290 allow_changes = 1; 292 allow_changes = 1;
291 293
292 if (audit_enabled != AUDIT_OFF) { 294 if (audit_enabled != AUDIT_OFF) {
293 rc = audit_log_config_change(function_name, new, old, 295 rc = audit_log_config_change(function_name, new, old, loginuid,
294 loginuid, sid, allow_changes); 296 sessionid, sid, allow_changes);
295 if (rc) 297 if (rc)
296 allow_changes = 0; 298 allow_changes = 0;
297 } 299 }
@@ -305,26 +307,28 @@ static int audit_do_config_change(char *function_name, int *to_change,
305 return rc; 307 return rc;
306} 308}
307 309
308static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) 310static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sessionid,
311 u32 sid)
309{ 312{
310 return audit_do_config_change("audit_rate_limit", &audit_rate_limit, 313 return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
311 limit, loginuid, sid); 314 limit, loginuid, sessionid, sid);
312} 315}
313 316
314static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) 317static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sessionid,
318 u32 sid)
315{ 319{
316 return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, 320 return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
317 limit, loginuid, sid); 321 limit, loginuid, sessionid, sid);
318} 322}
319 323
320static int audit_set_enabled(int state, uid_t loginuid, u32 sid) 324static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
321{ 325{
322 int rc; 326 int rc;
323 if (state < AUDIT_OFF || state > AUDIT_LOCKED) 327 if (state < AUDIT_OFF || state > AUDIT_LOCKED)
324 return -EINVAL; 328 return -EINVAL;
325 329
326 rc = audit_do_config_change("audit_enabled", &audit_enabled, state, 330 rc = audit_do_config_change("audit_enabled", &audit_enabled, state,
327 loginuid, sid); 331 loginuid, sessionid, sid);
328 332
329 if (!rc) 333 if (!rc)
330 audit_ever_enabled |= !!state; 334 audit_ever_enabled |= !!state;
@@ -332,7 +336,7 @@ static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
332 return rc; 336 return rc;
333} 337}
334 338
335static int audit_set_failure(int state, uid_t loginuid, u32 sid) 339static int audit_set_failure(int state, uid_t loginuid, u32 sessionid, u32 sid)
336{ 340{
337 if (state != AUDIT_FAIL_SILENT 341 if (state != AUDIT_FAIL_SILENT
338 && state != AUDIT_FAIL_PRINTK 342 && state != AUDIT_FAIL_PRINTK
@@ -340,7 +344,7 @@ static int audit_set_failure(int state, uid_t loginuid, u32 sid)
340 return -EINVAL; 344 return -EINVAL;
341 345
342 return audit_do_config_change("audit_failure", &audit_failure, state, 346 return audit_do_config_change("audit_failure", &audit_failure, state,
343 loginuid, sid); 347 loginuid, sessionid, sid);
344} 348}
345 349
346static int kauditd_thread(void *dummy) 350static int kauditd_thread(void *dummy)
@@ -385,7 +389,7 @@ static int kauditd_thread(void *dummy)
385 return 0; 389 return 0;
386} 390}
387 391
388static int audit_prepare_user_tty(pid_t pid, uid_t loginuid) 392static int audit_prepare_user_tty(pid_t pid, uid_t loginuid, u32 sessionid)
389{ 393{
390 struct task_struct *tsk; 394 struct task_struct *tsk;
391 int err; 395 int err;
@@ -404,7 +408,7 @@ static int audit_prepare_user_tty(pid_t pid, uid_t loginuid)
404 if (err) 408 if (err)
405 goto out; 409 goto out;
406 410
407 tty_audit_push_task(tsk, loginuid); 411 tty_audit_push_task(tsk, loginuid, sessionid);
408out: 412out:
409 read_unlock(&tasklist_lock); 413 read_unlock(&tasklist_lock);
410 return err; 414 return err;
@@ -534,7 +538,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
534} 538}
535 539
536static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, 540static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
537 u32 pid, u32 uid, uid_t auid, u32 sid) 541 u32 pid, u32 uid, uid_t auid, u32 ses,
542 u32 sid)
538{ 543{
539 int rc = 0; 544 int rc = 0;
540 char *ctx = NULL; 545 char *ctx = NULL;
@@ -546,8 +551,8 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
546 } 551 }
547 552
548 *ab = audit_log_start(NULL, GFP_KERNEL, msg_type); 553 *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
549 audit_log_format(*ab, "user pid=%d uid=%u auid=%u", 554 audit_log_format(*ab, "user pid=%d uid=%u auid=%u ses=%u",
550 pid, uid, auid); 555 pid, uid, auid, ses);
551 if (sid) { 556 if (sid) {
552 rc = security_secid_to_secctx(sid, &ctx, &len); 557 rc = security_secid_to_secctx(sid, &ctx, &len);
553 if (rc) 558 if (rc)
@@ -570,6 +575,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
570 struct audit_buffer *ab; 575 struct audit_buffer *ab;
571 u16 msg_type = nlh->nlmsg_type; 576 u16 msg_type = nlh->nlmsg_type;
572 uid_t loginuid; /* loginuid of sender */ 577 uid_t loginuid; /* loginuid of sender */
578 u32 sessionid;
573 struct audit_sig_info *sig_data; 579 struct audit_sig_info *sig_data;
574 char *ctx = NULL; 580 char *ctx = NULL;
575 u32 len; 581 u32 len;
@@ -591,6 +597,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
591 pid = NETLINK_CREDS(skb)->pid; 597 pid = NETLINK_CREDS(skb)->pid;
592 uid = NETLINK_CREDS(skb)->uid; 598 uid = NETLINK_CREDS(skb)->uid;
593 loginuid = NETLINK_CB(skb).loginuid; 599 loginuid = NETLINK_CB(skb).loginuid;
600 sessionid = NETLINK_CB(skb).sessionid;
594 sid = NETLINK_CB(skb).sid; 601 sid = NETLINK_CB(skb).sid;
595 seq = nlh->nlmsg_seq; 602 seq = nlh->nlmsg_seq;
596 data = NLMSG_DATA(nlh); 603 data = NLMSG_DATA(nlh);
@@ -613,12 +620,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
613 status_get = (struct audit_status *)data; 620 status_get = (struct audit_status *)data;
614 if (status_get->mask & AUDIT_STATUS_ENABLED) { 621 if (status_get->mask & AUDIT_STATUS_ENABLED) {
615 err = audit_set_enabled(status_get->enabled, 622 err = audit_set_enabled(status_get->enabled,
616 loginuid, sid); 623 loginuid, sessionid, sid);
617 if (err < 0) return err; 624 if (err < 0) return err;
618 } 625 }
619 if (status_get->mask & AUDIT_STATUS_FAILURE) { 626 if (status_get->mask & AUDIT_STATUS_FAILURE) {
620 err = audit_set_failure(status_get->failure, 627 err = audit_set_failure(status_get->failure,
621 loginuid, sid); 628 loginuid, sessionid, sid);
622 if (err < 0) return err; 629 if (err < 0) return err;
623 } 630 }
624 if (status_get->mask & AUDIT_STATUS_PID) { 631 if (status_get->mask & AUDIT_STATUS_PID) {
@@ -627,17 +634,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
627 if (audit_enabled != AUDIT_OFF) 634 if (audit_enabled != AUDIT_OFF)
628 audit_log_config_change("audit_pid", new_pid, 635 audit_log_config_change("audit_pid", new_pid,
629 audit_pid, loginuid, 636 audit_pid, loginuid,
630 sid, 1); 637 sessionid, sid, 1);
631 638
632 audit_pid = new_pid; 639 audit_pid = new_pid;
633 audit_nlk_pid = NETLINK_CB(skb).pid; 640 audit_nlk_pid = NETLINK_CB(skb).pid;
634 } 641 }
635 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 642 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
636 err = audit_set_rate_limit(status_get->rate_limit, 643 err = audit_set_rate_limit(status_get->rate_limit,
637 loginuid, sid); 644 loginuid, sessionid, sid);
638 if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) 645 if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
639 err = audit_set_backlog_limit(status_get->backlog_limit, 646 err = audit_set_backlog_limit(status_get->backlog_limit,
640 loginuid, sid); 647 loginuid, sessionid, sid);
641 break; 648 break;
642 case AUDIT_USER: 649 case AUDIT_USER:
643 case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: 650 case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
@@ -649,12 +656,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
649 if (err == 1) { 656 if (err == 1) {
650 err = 0; 657 err = 0;
651 if (msg_type == AUDIT_USER_TTY) { 658 if (msg_type == AUDIT_USER_TTY) {
652 err = audit_prepare_user_tty(pid, loginuid); 659 err = audit_prepare_user_tty(pid, loginuid,
660 sessionid);
653 if (err) 661 if (err)
654 break; 662 break;
655 } 663 }
656 audit_log_common_recv_msg(&ab, msg_type, pid, uid, 664 audit_log_common_recv_msg(&ab, msg_type, pid, uid,
657 loginuid, sid); 665 loginuid, sessionid, sid);
658 666
659 if (msg_type != AUDIT_USER_TTY) 667 if (msg_type != AUDIT_USER_TTY)
660 audit_log_format(ab, " msg='%.1024s'", 668 audit_log_format(ab, " msg='%.1024s'",
@@ -677,7 +685,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
677 return -EINVAL; 685 return -EINVAL;
678 if (audit_enabled == AUDIT_LOCKED) { 686 if (audit_enabled == AUDIT_LOCKED) {
679 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, 687 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
680 uid, loginuid, sid); 688 uid, loginuid, sessionid, sid);
681 689
682 audit_log_format(ab, " audit_enabled=%d res=0", 690 audit_log_format(ab, " audit_enabled=%d res=0",
683 audit_enabled); 691 audit_enabled);
@@ -688,7 +696,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
688 case AUDIT_LIST: 696 case AUDIT_LIST:
689 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, 697 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
690 uid, seq, data, nlmsg_len(nlh), 698 uid, seq, data, nlmsg_len(nlh),
691 loginuid, sid); 699 loginuid, sessionid, sid);
692 break; 700 break;
693 case AUDIT_ADD_RULE: 701 case AUDIT_ADD_RULE:
694 case AUDIT_DEL_RULE: 702 case AUDIT_DEL_RULE:
@@ -696,7 +704,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
696 return -EINVAL; 704 return -EINVAL;
697 if (audit_enabled == AUDIT_LOCKED) { 705 if (audit_enabled == AUDIT_LOCKED) {
698 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, 706 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
699 uid, loginuid, sid); 707 uid, loginuid, sessionid, sid);
700 708
701 audit_log_format(ab, " audit_enabled=%d res=0", 709 audit_log_format(ab, " audit_enabled=%d res=0",
702 audit_enabled); 710 audit_enabled);
@@ -707,13 +715,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
707 case AUDIT_LIST_RULES: 715 case AUDIT_LIST_RULES:
708 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, 716 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
709 uid, seq, data, nlmsg_len(nlh), 717 uid, seq, data, nlmsg_len(nlh),
710 loginuid, sid); 718 loginuid, sessionid, sid);
711 break; 719 break;
712 case AUDIT_TRIM: 720 case AUDIT_TRIM:
713 audit_trim_trees(); 721 audit_trim_trees();
714 722
715 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, 723 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
716 uid, loginuid, sid); 724 uid, loginuid, sessionid, sid);
717 725
718 audit_log_format(ab, " op=trim res=1"); 726 audit_log_format(ab, " op=trim res=1");
719 audit_log_end(ab); 727 audit_log_end(ab);
@@ -745,7 +753,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
745 err = audit_tag_tree(old, new); 753 err = audit_tag_tree(old, new);
746 754
747 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid, 755 audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
748 uid, loginuid, sid); 756 uid, loginuid, sessionid, sid);
749 757
750 audit_log_format(ab, " op=make_equiv old="); 758 audit_log_format(ab, " op=make_equiv old=");
751 audit_log_untrustedstring(ab, old); 759 audit_log_untrustedstring(ab, old);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 28fef6bf8534..af3ae91c47b1 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1500,8 +1500,9 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
1500} 1500}
1501 1501
1502/* Log rule additions and removals */ 1502/* Log rule additions and removals */
1503static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action, 1503static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
1504 struct audit_krule *rule, int res) 1504 char *action, struct audit_krule *rule,
1505 int res)
1505{ 1506{
1506 struct audit_buffer *ab; 1507 struct audit_buffer *ab;
1507 1508
@@ -1511,7 +1512,7 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
1511 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); 1512 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
1512 if (!ab) 1513 if (!ab)
1513 return; 1514 return;
1514 audit_log_format(ab, "auid=%u", loginuid); 1515 audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
1515 if (sid) { 1516 if (sid) {
1516 char *ctx = NULL; 1517 char *ctx = NULL;
1517 u32 len; 1518 u32 len;
@@ -1543,7 +1544,7 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
1543 * @sid: SE Linux Security ID of sender 1544 * @sid: SE Linux Security ID of sender
1544 */ 1545 */
1545int audit_receive_filter(int type, int pid, int uid, int seq, void *data, 1546int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1546 size_t datasz, uid_t loginuid, u32 sid) 1547 size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
1547{ 1548{
1548 struct task_struct *tsk; 1549 struct task_struct *tsk;
1549 struct audit_netlink_list *dest; 1550 struct audit_netlink_list *dest;
@@ -1590,7 +1591,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1590 1591
1591 err = audit_add_rule(entry, 1592 err = audit_add_rule(entry,
1592 &audit_filter_list[entry->rule.listnr]); 1593 &audit_filter_list[entry->rule.listnr]);
1593 audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err); 1594 audit_log_rule_change(loginuid, sessionid, sid, "add",
1595 &entry->rule, !err);
1594 1596
1595 if (err) 1597 if (err)
1596 audit_free_rule(entry); 1598 audit_free_rule(entry);
@@ -1606,8 +1608,8 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
1606 1608
1607 err = audit_del_rule(entry, 1609 err = audit_del_rule(entry,
1608 &audit_filter_list[entry->rule.listnr]); 1610 &audit_filter_list[entry->rule.listnr]);
1609 audit_log_rule_change(loginuid, sid, "remove", &entry->rule, 1611 audit_log_rule_change(loginuid, sessionid, sid, "remove",
1610 !err); 1612 &entry->rule, !err);
1611 1613
1612 audit_free_rule(entry); 1614 audit_free_rule(entry);
1613 break; 1615 break;
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 2403a31fe0f6..9e7236ff6bcc 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1498,7 +1498,8 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr,
1498 err = xfrm_state_update(x); 1498 err = xfrm_state_update(x);
1499 1499
1500 xfrm_audit_state_add(x, err ? 0 : 1, 1500 xfrm_audit_state_add(x, err ? 0 : 1,
1501 audit_get_loginuid(current), 0); 1501 audit_get_loginuid(current),
1502 audit_get_sessionid(current), 0);
1502 1503
1503 if (err < 0) { 1504 if (err < 0) {
1504 x->km.state = XFRM_STATE_DEAD; 1505 x->km.state = XFRM_STATE_DEAD;
@@ -1552,7 +1553,8 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
1552 km_state_notify(x, &c); 1553 km_state_notify(x, &c);
1553out: 1554out:
1554 xfrm_audit_state_delete(x, err ? 0 : 1, 1555 xfrm_audit_state_delete(x, err ? 0 : 1,
1555 audit_get_loginuid(current), 0); 1556 audit_get_loginuid(current),
1557 audit_get_sessionid(current), 0);
1556 xfrm_state_put(x); 1558 xfrm_state_put(x);
1557 1559
1558 return err; 1560 return err;
@@ -1728,6 +1730,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd
1728 return -EINVAL; 1730 return -EINVAL;
1729 1731
1730 audit_info.loginuid = audit_get_loginuid(current); 1732 audit_info.loginuid = audit_get_loginuid(current);
1733 audit_info.sessionid = audit_get_sessionid(current);
1731 audit_info.secid = 0; 1734 audit_info.secid = 0;
1732 err = xfrm_state_flush(proto, &audit_info); 1735 err = xfrm_state_flush(proto, &audit_info);
1733 if (err) 1736 if (err)
@@ -2324,7 +2327,8 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
2324 hdr->sadb_msg_type != SADB_X_SPDUPDATE); 2327 hdr->sadb_msg_type != SADB_X_SPDUPDATE);
2325 2328
2326 xfrm_audit_policy_add(xp, err ? 0 : 1, 2329 xfrm_audit_policy_add(xp, err ? 0 : 1,
2327 audit_get_loginuid(current), 0); 2330 audit_get_loginuid(current),
2331 audit_get_sessionid(current), 0);
2328 2332
2329 if (err) 2333 if (err)
2330 goto out; 2334 goto out;
@@ -2406,7 +2410,8 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
2406 return -ENOENT; 2410 return -ENOENT;
2407 2411
2408 xfrm_audit_policy_delete(xp, err ? 0 : 1, 2412 xfrm_audit_policy_delete(xp, err ? 0 : 1,
2409 audit_get_loginuid(current), 0); 2413 audit_get_loginuid(current),
2414 audit_get_sessionid(current), 0);
2410 2415
2411 if (err) 2416 if (err)
2412 goto out; 2417 goto out;
@@ -2667,7 +2672,8 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
2667 2672
2668 if (delete) { 2673 if (delete) {
2669 xfrm_audit_policy_delete(xp, err ? 0 : 1, 2674 xfrm_audit_policy_delete(xp, err ? 0 : 1,
2670 audit_get_loginuid(current), 0); 2675 audit_get_loginuid(current),
2676 audit_get_sessionid(current), 0);
2671 2677
2672 if (err) 2678 if (err)
2673 goto out; 2679 goto out;
@@ -2767,6 +2773,7 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg
2767 int err; 2773 int err;
2768 2774
2769 audit_info.loginuid = audit_get_loginuid(current); 2775 audit_info.loginuid = audit_get_loginuid(current);
2776 audit_info.sessionid = audit_get_sessionid(current);
2770 audit_info.secid = 0; 2777 audit_info.secid = 0;
2771 err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info); 2778 err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info);
2772 if (err) 2779 if (err)
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index d282ad1570a7..0099da5b2591 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1780,6 +1780,7 @@ int __init netlbl_unlabel_defconf(void)
1780 * messages so don't worry to much about these values. */ 1780 * messages so don't worry to much about these values. */
1781 security_task_getsecid(current, &audit_info.secid); 1781 security_task_getsecid(current, &audit_info.secid);
1782 audit_info.loginuid = 0; 1782 audit_info.loginuid = 0;
1783 audit_info.sessionid = 0;
1783 1784
1784 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 1785 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1785 if (entry == NULL) 1786 if (entry == NULL)
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index b17d4203806e..68706b4e3bf8 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -107,7 +107,9 @@ struct audit_buffer *netlbl_audit_start_common(int type,
107 if (audit_buf == NULL) 107 if (audit_buf == NULL)
108 return NULL; 108 return NULL;
109 109
110 audit_log_format(audit_buf, "netlabel: auid=%u", audit_info->loginuid); 110 audit_log_format(audit_buf, "netlabel: auid=%u ses=%u",
111 audit_info->loginuid,
112 audit_info->sessionid);
111 113
112 if (audit_info->secid != 0 && 114 if (audit_info->secid != 0 &&
113 security_secid_to_secctx(audit_info->secid, 115 security_secid_to_secctx(audit_info->secid,
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index 6d7f4ab46c2b..6caef8b20611 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -51,6 +51,7 @@ static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
51{ 51{
52 audit_info->secid = NETLINK_CB(skb).sid; 52 audit_info->secid = NETLINK_CB(skb).sid;
53 audit_info->loginuid = NETLINK_CB(skb).loginuid; 53 audit_info->loginuid = NETLINK_CB(skb).loginuid;
54 audit_info->sessionid = NETLINK_CB(skb).sessionid;
54} 55}
55 56
56/* NetLabel NETLINK I/O functions */ 57/* NetLabel NETLINK I/O functions */
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 46f3e44bb83a..9b97f8006c9c 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1248,6 +1248,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
1248 NETLINK_CB(skb).pid = nlk->pid; 1248 NETLINK_CB(skb).pid = nlk->pid;
1249 NETLINK_CB(skb).dst_group = dst_group; 1249 NETLINK_CB(skb).dst_group = dst_group;
1250 NETLINK_CB(skb).loginuid = audit_get_loginuid(current); 1250 NETLINK_CB(skb).loginuid = audit_get_loginuid(current);
1251 NETLINK_CB(skb).sessionid = audit_get_sessionid(current);
1251 security_task_getsecid(current, &(NETLINK_CB(skb).sid)); 1252 security_task_getsecid(current, &(NETLINK_CB(skb).sid));
1252 memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred)); 1253 memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
1253 1254
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index e0c0390613c0..cae9fd815543 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -762,6 +762,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
762 if (err) { 762 if (err) {
763 xfrm_audit_policy_delete(pol, 0, 763 xfrm_audit_policy_delete(pol, 0,
764 audit_info->loginuid, 764 audit_info->loginuid,
765 audit_info->sessionid,
765 audit_info->secid); 766 audit_info->secid);
766 return err; 767 return err;
767 } 768 }
@@ -777,6 +778,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
777 if (err) { 778 if (err) {
778 xfrm_audit_policy_delete(pol, 0, 779 xfrm_audit_policy_delete(pol, 0,
779 audit_info->loginuid, 780 audit_info->loginuid,
781 audit_info->sessionid,
780 audit_info->secid); 782 audit_info->secid);
781 return err; 783 return err;
782 } 784 }
@@ -819,6 +821,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
819 write_unlock_bh(&xfrm_policy_lock); 821 write_unlock_bh(&xfrm_policy_lock);
820 822
821 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, 823 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
824 audit_info->sessionid,
822 audit_info->secid); 825 audit_info->secid);
823 826
824 xfrm_policy_kill(pol); 827 xfrm_policy_kill(pol);
@@ -841,6 +844,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
841 844
842 xfrm_audit_policy_delete(pol, 1, 845 xfrm_audit_policy_delete(pol, 1,
843 audit_info->loginuid, 846 audit_info->loginuid,
847 audit_info->sessionid,
844 audit_info->secid); 848 audit_info->secid);
845 xfrm_policy_kill(pol); 849 xfrm_policy_kill(pol);
846 killed++; 850 killed++;
@@ -2472,14 +2476,14 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2472} 2476}
2473 2477
2474void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 2478void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2475 u32 auid, u32 secid) 2479 uid_t auid, u32 sessionid, u32 secid)
2476{ 2480{
2477 struct audit_buffer *audit_buf; 2481 struct audit_buffer *audit_buf;
2478 2482
2479 audit_buf = xfrm_audit_start("SPD-add"); 2483 audit_buf = xfrm_audit_start("SPD-add");
2480 if (audit_buf == NULL) 2484 if (audit_buf == NULL)
2481 return; 2485 return;
2482 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2486 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2483 audit_log_format(audit_buf, " res=%u", result); 2487 audit_log_format(audit_buf, " res=%u", result);
2484 xfrm_audit_common_policyinfo(xp, audit_buf); 2488 xfrm_audit_common_policyinfo(xp, audit_buf);
2485 audit_log_end(audit_buf); 2489 audit_log_end(audit_buf);
@@ -2487,14 +2491,14 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2487EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); 2491EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
2488 2492
2489void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 2493void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
2490 u32 auid, u32 secid) 2494 uid_t auid, u32 sessionid, u32 secid)
2491{ 2495{
2492 struct audit_buffer *audit_buf; 2496 struct audit_buffer *audit_buf;
2493 2497
2494 audit_buf = xfrm_audit_start("SPD-delete"); 2498 audit_buf = xfrm_audit_start("SPD-delete");
2495 if (audit_buf == NULL) 2499 if (audit_buf == NULL)
2496 return; 2500 return;
2497 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2501 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2498 audit_log_format(audit_buf, " res=%u", result); 2502 audit_log_format(audit_buf, " res=%u", result);
2499 xfrm_audit_common_policyinfo(xp, audit_buf); 2503 xfrm_audit_common_policyinfo(xp, audit_buf);
2500 audit_log_end(audit_buf); 2504 audit_log_end(audit_buf);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 5dcc10b93c86..c3f5f70934ec 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -496,7 +496,8 @@ expired:
496 km_state_expired(x, 1, 0); 496 km_state_expired(x, 1, 0);
497 497
498 xfrm_audit_state_delete(x, err ? 0 : 1, 498 xfrm_audit_state_delete(x, err ? 0 : 1,
499 audit_get_loginuid(current), 0); 499 audit_get_loginuid(current),
500 audit_get_sessionid(current), 0);
500 501
501out: 502out:
502 spin_unlock(&x->lock); 503 spin_unlock(&x->lock);
@@ -603,6 +604,7 @@ xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
603 (err = security_xfrm_state_delete(x)) != 0) { 604 (err = security_xfrm_state_delete(x)) != 0) {
604 xfrm_audit_state_delete(x, 0, 605 xfrm_audit_state_delete(x, 0,
605 audit_info->loginuid, 606 audit_info->loginuid,
607 audit_info->sessionid,
606 audit_info->secid); 608 audit_info->secid);
607 return err; 609 return err;
608 } 610 }
@@ -641,6 +643,7 @@ restart:
641 err = xfrm_state_delete(x); 643 err = xfrm_state_delete(x);
642 xfrm_audit_state_delete(x, err ? 0 : 1, 644 xfrm_audit_state_delete(x, err ? 0 : 1,
643 audit_info->loginuid, 645 audit_info->loginuid,
646 audit_info->sessionid,
644 audit_info->secid); 647 audit_info->secid);
645 xfrm_state_put(x); 648 xfrm_state_put(x);
646 649
@@ -2123,14 +2126,14 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2123} 2126}
2124 2127
2125void xfrm_audit_state_add(struct xfrm_state *x, int result, 2128void xfrm_audit_state_add(struct xfrm_state *x, int result,
2126 u32 auid, u32 secid) 2129 uid_t auid, u32 sessionid, u32 secid)
2127{ 2130{
2128 struct audit_buffer *audit_buf; 2131 struct audit_buffer *audit_buf;
2129 2132
2130 audit_buf = xfrm_audit_start("SAD-add"); 2133 audit_buf = xfrm_audit_start("SAD-add");
2131 if (audit_buf == NULL) 2134 if (audit_buf == NULL)
2132 return; 2135 return;
2133 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2136 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2134 xfrm_audit_helper_sainfo(x, audit_buf); 2137 xfrm_audit_helper_sainfo(x, audit_buf);
2135 audit_log_format(audit_buf, " res=%u", result); 2138 audit_log_format(audit_buf, " res=%u", result);
2136 audit_log_end(audit_buf); 2139 audit_log_end(audit_buf);
@@ -2138,14 +2141,14 @@ void xfrm_audit_state_add(struct xfrm_state *x, int result,
2138EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2141EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2139 2142
2140void xfrm_audit_state_delete(struct xfrm_state *x, int result, 2143void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2141 u32 auid, u32 secid) 2144 uid_t auid, u32 sessionid, u32 secid)
2142{ 2145{
2143 struct audit_buffer *audit_buf; 2146 struct audit_buffer *audit_buf;
2144 2147
2145 audit_buf = xfrm_audit_start("SAD-delete"); 2148 audit_buf = xfrm_audit_start("SAD-delete");
2146 if (audit_buf == NULL) 2149 if (audit_buf == NULL)
2147 return; 2150 return;
2148 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2151 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2149 xfrm_audit_helper_sainfo(x, audit_buf); 2152 xfrm_audit_helper_sainfo(x, audit_buf);
2150 audit_log_format(audit_buf, " res=%u", result); 2153 audit_log_format(audit_buf, " res=%u", result);
2151 audit_log_end(audit_buf); 2154 audit_log_end(audit_buf);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 22a30ae582a2..a1b0fbe3ea35 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -407,6 +407,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
407 struct xfrm_state *x; 407 struct xfrm_state *x;
408 int err; 408 int err;
409 struct km_event c; 409 struct km_event c;
410 uid_t loginuid = NETLINK_CB(skb).loginuid;
411 u32 sessionid = NETLINK_CB(skb).sessionid;
412 u32 sid = NETLINK_CB(skb).sid;
410 413
411 err = verify_newsa_info(p, attrs); 414 err = verify_newsa_info(p, attrs);
412 if (err) 415 if (err)
@@ -422,8 +425,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
422 else 425 else
423 err = xfrm_state_update(x); 426 err = xfrm_state_update(x);
424 427
425 xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, 428 xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
426 NETLINK_CB(skb).sid);
427 429
428 if (err < 0) { 430 if (err < 0) {
429 x->km.state = XFRM_STATE_DEAD; 431 x->km.state = XFRM_STATE_DEAD;
@@ -478,6 +480,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
478 int err = -ESRCH; 480 int err = -ESRCH;
479 struct km_event c; 481 struct km_event c;
480 struct xfrm_usersa_id *p = nlmsg_data(nlh); 482 struct xfrm_usersa_id *p = nlmsg_data(nlh);
483 uid_t loginuid = NETLINK_CB(skb).loginuid;
484 u32 sessionid = NETLINK_CB(skb).sessionid;
485 u32 sid = NETLINK_CB(skb).sid;
481 486
482 x = xfrm_user_state_lookup(p, attrs, &err); 487 x = xfrm_user_state_lookup(p, attrs, &err);
483 if (x == NULL) 488 if (x == NULL)
@@ -502,8 +507,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
502 km_state_notify(x, &c); 507 km_state_notify(x, &c);
503 508
504out: 509out:
505 xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, 510 xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
506 NETLINK_CB(skb).sid);
507 xfrm_state_put(x); 511 xfrm_state_put(x);
508 return err; 512 return err;
509} 513}
@@ -1123,6 +1127,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1123 struct km_event c; 1127 struct km_event c;
1124 int err; 1128 int err;
1125 int excl; 1129 int excl;
1130 uid_t loginuid = NETLINK_CB(skb).loginuid;
1131 u32 sessionid = NETLINK_CB(skb).sessionid;
1132 u32 sid = NETLINK_CB(skb).sid;
1126 1133
1127 err = verify_newpolicy_info(p); 1134 err = verify_newpolicy_info(p);
1128 if (err) 1135 if (err)
@@ -1141,8 +1148,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1141 * a type XFRM_MSG_UPDPOLICY - JHS */ 1148 * a type XFRM_MSG_UPDPOLICY - JHS */
1142 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1149 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
1143 err = xfrm_policy_insert(p->dir, xp, excl); 1150 err = xfrm_policy_insert(p->dir, xp, excl);
1144 xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid, 1151 xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
1145 NETLINK_CB(skb).sid);
1146 1152
1147 if (err) { 1153 if (err) {
1148 security_xfrm_policy_free(xp->security); 1154 security_xfrm_policy_free(xp->security);
@@ -1371,9 +1377,12 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1371 NETLINK_CB(skb).pid); 1377 NETLINK_CB(skb).pid);
1372 } 1378 }
1373 } else { 1379 } else {
1374 xfrm_audit_policy_delete(xp, err ? 0 : 1, 1380 uid_t loginuid = NETLINK_CB(skb).loginuid;
1375 NETLINK_CB(skb).loginuid, 1381 u32 sessionid = NETLINK_CB(skb).sessionid;
1376 NETLINK_CB(skb).sid); 1382 u32 sid = NETLINK_CB(skb).sid;
1383
1384 xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
1385 sid);
1377 1386
1378 if (err != 0) 1387 if (err != 0)
1379 goto out; 1388 goto out;
@@ -1399,6 +1408,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
1399 int err; 1408 int err;
1400 1409
1401 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1410 audit_info.loginuid = NETLINK_CB(skb).loginuid;
1411 audit_info.sessionid = NETLINK_CB(skb).sessionid;
1402 audit_info.secid = NETLINK_CB(skb).sid; 1412 audit_info.secid = NETLINK_CB(skb).sid;
1403 err = xfrm_state_flush(p->proto, &audit_info); 1413 err = xfrm_state_flush(p->proto, &audit_info);
1404 if (err) 1414 if (err)
@@ -1546,6 +1556,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1546 return err; 1556 return err;
1547 1557
1548 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1558 audit_info.loginuid = NETLINK_CB(skb).loginuid;
1559 audit_info.sessionid = NETLINK_CB(skb).sessionid;
1549 audit_info.secid = NETLINK_CB(skb).sid; 1560 audit_info.secid = NETLINK_CB(skb).sid;
1550 err = xfrm_policy_flush(type, &audit_info); 1561 err = xfrm_policy_flush(type, &audit_info);
1551 if (err) 1562 if (err)
@@ -1604,9 +1615,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1604 read_unlock(&xp->lock); 1615 read_unlock(&xp->lock);
1605 err = 0; 1616 err = 0;
1606 if (up->hard) { 1617 if (up->hard) {
1618 uid_t loginuid = NETLINK_CB(skb).loginuid;
1619 uid_t sessionid = NETLINK_CB(skb).sessionid;
1620 u32 sid = NETLINK_CB(skb).sid;
1607 xfrm_policy_delete(xp, p->dir); 1621 xfrm_policy_delete(xp, p->dir);
1608 xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid, 1622 xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);
1609 NETLINK_CB(skb).sid);
1610 1623
1611 } else { 1624 } else {
1612 // reset the timers here? 1625 // reset the timers here?
@@ -1640,9 +1653,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1640 km_state_expired(x, ue->hard, current->pid); 1653 km_state_expired(x, ue->hard, current->pid);
1641 1654
1642 if (ue->hard) { 1655 if (ue->hard) {
1656 uid_t loginuid = NETLINK_CB(skb).loginuid;
1657 uid_t sessionid = NETLINK_CB(skb).sessionid;
1658 u32 sid = NETLINK_CB(skb).sid;
1643 __xfrm_state_delete(x); 1659 __xfrm_state_delete(x);
1644 xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid, 1660 xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
1645 NETLINK_CB(skb).sid);
1646 } 1661 }
1647 err = 0; 1662 err = 0;
1648out: 1663out:
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 6ba283783b70..5d1bee0fa513 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -324,6 +324,7 @@ void smk_cipso_doi(void)
324 struct netlbl_audit audit_info; 324 struct netlbl_audit audit_info;
325 325
326 audit_info.loginuid = audit_get_loginuid(current); 326 audit_info.loginuid = audit_get_loginuid(current);
327 audit_info.sessionid = audit_get_sessionid(current);
327 audit_info.secid = smack_to_secid(current->security); 328 audit_info.secid = smack_to_secid(current->security);
328 329
329 rc = netlbl_cfg_map_del(NULL, &audit_info); 330 rc = netlbl_cfg_map_del(NULL, &audit_info);
@@ -356,6 +357,7 @@ void smk_unlbl_ambient(char *oldambient)
356 struct netlbl_audit audit_info; 357 struct netlbl_audit audit_info;
357 358
358 audit_info.loginuid = audit_get_loginuid(current); 359 audit_info.loginuid = audit_get_loginuid(current);
360 audit_info.sessionid = audit_get_sessionid(current);
359 audit_info.secid = smack_to_secid(current->security); 361 audit_info.secid = smack_to_secid(current->security);
360 362
361 if (oldambient != NULL) { 363 if (oldambient != NULL) {
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-23 10:38:04 -0500