Diffstat (limited to 'kernel/audit.c')
-rw-r--r--kernel/audit.c132
1 files changed, 102 insertions, 30 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 7ec9ccae1299..df57b493e1cb 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -230,49 +230,103 @@ void audit_log_lost(const char *message)
230 } 230 }
231} 231}
232 232
233static int audit_set_rate_limit(int limit, uid_t loginuid) 233static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
234{ 234{
235 int old = audit_rate_limit; 235 int old = audit_rate_limit;
236 audit_rate_limit = limit; 236
237 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 237 if (sid) {
238 char *ctx = NULL;
239 u32 len;
240 int rc;
241 if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
242 return rc;
243 else
244 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
245 "audit_rate_limit=%d old=%d by auid=%u subj=%s",
246 limit, old, loginuid, ctx);
247 kfree(ctx);
248 } else
249 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
238 "audit_rate_limit=%d old=%d by auid=%u", 250 "audit_rate_limit=%d old=%d by auid=%u",
239 audit_rate_limit, old, loginuid); 251 limit, old, loginuid);
252 audit_rate_limit = limit;
240 return old; 253 return old;
241} 254}
242 255
243static int audit_set_backlog_limit(int limit, uid_t loginuid) 256static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
244{ 257{
245 int old = audit_backlog_limit; 258 int old = audit_backlog_limit;
246 audit_backlog_limit = limit; 259
247 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 260 if (sid) {
261 char *ctx = NULL;
262 u32 len;
263 int rc;
264 if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
265 return rc;
266 else
267 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
268 "audit_backlog_limit=%d old=%d by auid=%u subj=%s",
269 limit, old, loginuid, ctx);
270 kfree(ctx);
271 } else
272 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
248 "audit_backlog_limit=%d old=%d by auid=%u", 273 "audit_backlog_limit=%d old=%d by auid=%u",
249 audit_backlog_limit, old, loginuid); 274 limit, old, loginuid);
275 audit_backlog_limit = limit;
250 return old; 276 return old;
251} 277}
252 278
253static int audit_set_enabled(int state, uid_t loginuid) 279static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
254{ 280{
255 int old = audit_enabled; 281 int old = audit_enabled;
282
256 if (state != 0 && state != 1) 283 if (state != 0 && state != 1)
257 return -EINVAL; 284 return -EINVAL;
258 audit_enabled = state; 285
259 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 286 if (sid) {
287 char *ctx = NULL;
288 u32 len;
289 int rc;
290 if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
291 return rc;
292 else
293 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
294 "audit_enabled=%d old=%d by auid=%u subj=%s",
295 state, old, loginuid, ctx);
296 kfree(ctx);
297 } else
298 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
260 "audit_enabled=%d old=%d by auid=%u", 299 "audit_enabled=%d old=%d by auid=%u",
261 audit_enabled, old, loginuid); 300 state, old, loginuid);
301 audit_enabled = state;
262 return old; 302 return old;
263} 303}
264 304
265static int audit_set_failure(int state, uid_t loginuid) 305static int audit_set_failure(int state, uid_t loginuid, u32 sid)
266{ 306{
267 int old = audit_failure; 307 int old = audit_failure;
308
268 if (state != AUDIT_FAIL_SILENT 309 if (state != AUDIT_FAIL_SILENT
269 && state != AUDIT_FAIL_PRINTK 310 && state != AUDIT_FAIL_PRINTK
270 && state != AUDIT_FAIL_PANIC) 311 && state != AUDIT_FAIL_PANIC)
271 return -EINVAL; 312 return -EINVAL;
272 audit_failure = state; 313
273 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, 314 if (sid) {
315 char *ctx = NULL;
316 u32 len;
317 int rc;
318 if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
319 return rc;
320 else
321 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
322 "audit_failure=%d old=%d by auid=%u subj=%s",
323 state, old, loginuid, ctx);
324 kfree(ctx);
325 } else
326 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
274 "audit_failure=%d old=%d by auid=%u", 327 "audit_failure=%d old=%d by auid=%u",
275 audit_failure, old, loginuid); 328 state, old, loginuid);
329 audit_failure = state;
276 return old; 330 return old;
277} 331}
278 332
@@ -437,25 +491,43 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
437 return -EINVAL; 491 return -EINVAL;
438 status_get = (struct audit_status *)data; 492 status_get = (struct audit_status *)data;
439 if (status_get->mask & AUDIT_STATUS_ENABLED) { 493 if (status_get->mask & AUDIT_STATUS_ENABLED) {
440 err = audit_set_enabled(status_get->enabled, loginuid); 494 err = audit_set_enabled(status_get->enabled,
495 loginuid, sid);
441 if (err < 0) return err; 496 if (err < 0) return err;
442 } 497 }
443 if (status_get->mask & AUDIT_STATUS_FAILURE) { 498 if (status_get->mask & AUDIT_STATUS_FAILURE) {
444 err = audit_set_failure(status_get->failure, loginuid); 499 err = audit_set_failure(status_get->failure,
500 loginuid, sid);
445 if (err < 0) return err; 501 if (err < 0) return err;
446 } 502 }
447 if (status_get->mask & AUDIT_STATUS_PID) { 503 if (status_get->mask & AUDIT_STATUS_PID) {
448 int old = audit_pid; 504 int old = audit_pid;
505 if (sid) {
506 char *ctx = NULL;
507 u32 len;
508 int rc;
509 if ((rc = selinux_ctxid_to_string(
510 sid, &ctx, &len)))
511 return rc;
512 else
513 audit_log(NULL, GFP_KERNEL,
514 AUDIT_CONFIG_CHANGE,
515 "audit_pid=%d old=%d by auid=%u subj=%s",
516 status_get->pid, old,
517 loginuid, ctx);
518 kfree(ctx);
519 } else
520 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
521 "audit_pid=%d old=%d by auid=%u",
522 status_get->pid, old, loginuid);
449 audit_pid = status_get->pid; 523 audit_pid = status_get->pid;
450 audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
451 "audit_pid=%d old=%d by auid=%u",
452 audit_pid, old, loginuid);
453 } 524 }
454 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) 525 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
455 audit_set_rate_limit(status_get->rate_limit, loginuid); 526 audit_set_rate_limit(status_get->rate_limit,
527 loginuid, sid);
456 if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT) 528 if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
457 audit_set_backlog_limit(status_get->backlog_limit, 529 audit_set_backlog_limit(status_get->backlog_limit,
458 loginuid); 530 loginuid, sid);
459 break; 531 break;
460 case AUDIT_USER: 532 case AUDIT_USER:
461 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: 533 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
@@ -477,7 +549,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
477 if (selinux_ctxid_to_string( 549 if (selinux_ctxid_to_string(
478 sid, &ctx, &len)) { 550 sid, &ctx, &len)) {
479 audit_log_format(ab, 551 audit_log_format(ab,
480 " subj=%u", sid); 552 " ssid=%u", sid);
481 /* Maybe call audit_panic? */ 553 /* Maybe call audit_panic? */
482 } else 554 } else
483 audit_log_format(ab, 555 audit_log_format(ab,
@@ -499,7 +571,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
499 case AUDIT_LIST: 571 case AUDIT_LIST:
500 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, 572 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
501 uid, seq, data, nlmsg_len(nlh), 573 uid, seq, data, nlmsg_len(nlh),
502 loginuid); 574 loginuid, sid);
503 break; 575 break;
504 case AUDIT_ADD_RULE: 576 case AUDIT_ADD_RULE:
505 case AUDIT_DEL_RULE: 577 case AUDIT_DEL_RULE:
@@ -509,7 +581,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
509 case AUDIT_LIST_RULES: 581 case AUDIT_LIST_RULES:
510 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid, 582 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
511 uid, seq, data, nlmsg_len(nlh), 583 uid, seq, data, nlmsg_len(nlh),
512 loginuid); 584 loginuid, sid);
513 break; 585 break;
514 case AUDIT_SIGNAL_INFO: 586 case AUDIT_SIGNAL_INFO:
515 sig_data.uid = audit_sig_uid; 587 sig_data.uid = audit_sig_uid;