diff options
Diffstat (limited to 'kernel/audit.c')
| -rw-r--r-- | kernel/audit.c | 24 |
1 files changed, 10 insertions, 14 deletions
diff --git a/kernel/audit.c b/kernel/audit.c index b782b046543d..a7b16086d36f 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -21,7 +21,7 @@ | |||
| 21 | * | 21 | * |
| 22 | * Written by Rickard E. (Rik) Faith <faith@redhat.com> | 22 | * Written by Rickard E. (Rik) Faith <faith@redhat.com> |
| 23 | * | 23 | * |
| 24 | * Goals: 1) Integrate fully with SELinux. | 24 | * Goals: 1) Integrate fully with Security Modules. |
| 25 | * 2) Minimal run-time overhead: | 25 | * 2) Minimal run-time overhead: |
| 26 | * a) Minimal when syscall auditing is disabled (audit_enable=0). | 26 | * a) Minimal when syscall auditing is disabled (audit_enable=0). |
| 27 | * b) Small when syscall auditing is enabled and no audit record | 27 | * b) Small when syscall auditing is enabled and no audit record |
| @@ -55,7 +55,6 @@ | |||
| 55 | #include <net/netlink.h> | 55 | #include <net/netlink.h> |
| 56 | #include <linux/skbuff.h> | 56 | #include <linux/skbuff.h> |
| 57 | #include <linux/netlink.h> | 57 | #include <linux/netlink.h> |
| 58 | #include <linux/selinux.h> | ||
| 59 | #include <linux/inotify.h> | 58 | #include <linux/inotify.h> |
| 60 | #include <linux/freezer.h> | 59 | #include <linux/freezer.h> |
| 61 | #include <linux/tty.h> | 60 | #include <linux/tty.h> |
| @@ -265,13 +264,13 @@ static int audit_log_config_change(char *function_name, int new, int old, | |||
| 265 | char *ctx = NULL; | 264 | char *ctx = NULL; |
| 266 | u32 len; | 265 | u32 len; |
| 267 | 266 | ||
| 268 | rc = selinux_sid_to_string(sid, &ctx, &len); | 267 | rc = security_secid_to_secctx(sid, &ctx, &len); |
| 269 | if (rc) { | 268 | if (rc) { |
| 270 | audit_log_format(ab, " sid=%u", sid); | 269 | audit_log_format(ab, " sid=%u", sid); |
| 271 | allow_changes = 0; /* Something weird, deny request */ | 270 | allow_changes = 0; /* Something weird, deny request */ |
| 272 | } else { | 271 | } else { |
| 273 | audit_log_format(ab, " subj=%s", ctx); | 272 | audit_log_format(ab, " subj=%s", ctx); |
| 274 | kfree(ctx); | 273 | security_release_secctx(ctx, len); |
| 275 | } | 274 | } |
| 276 | } | 275 | } |
| 277 | audit_log_format(ab, " res=%d", allow_changes); | 276 | audit_log_format(ab, " res=%d", allow_changes); |
| @@ -550,12 +549,13 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, | |||
| 550 | audit_log_format(*ab, "user pid=%d uid=%u auid=%u", | 549 | audit_log_format(*ab, "user pid=%d uid=%u auid=%u", |
| 551 | pid, uid, auid); | 550 | pid, uid, auid); |
| 552 | if (sid) { | 551 | if (sid) { |
| 553 | rc = selinux_sid_to_string(sid, &ctx, &len); | 552 | rc = security_secid_to_secctx(sid, &ctx, &len); |
| 554 | if (rc) | 553 | if (rc) |
| 555 | audit_log_format(*ab, " ssid=%u", sid); | 554 | audit_log_format(*ab, " ssid=%u", sid); |
| 556 | else | 555 | else { |
| 557 | audit_log_format(*ab, " subj=%s", ctx); | 556 | audit_log_format(*ab, " subj=%s", ctx); |
| 558 | kfree(ctx); | 557 | security_release_secctx(ctx, len); |
| 558 | } | ||
| 559 | } | 559 | } |
| 560 | 560 | ||
| 561 | return rc; | 561 | return rc; |
| @@ -758,18 +758,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |||
| 758 | break; | 758 | break; |
| 759 | } | 759 | } |
| 760 | case AUDIT_SIGNAL_INFO: | 760 | case AUDIT_SIGNAL_INFO: |
| 761 | err = selinux_sid_to_string(audit_sig_sid, &ctx, &len); | 761 | err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); |
| 762 | if (err) | 762 | if (err) |
| 763 | return err; | 763 | return err; |
| 764 | sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); | 764 | sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); |
| 765 | if (!sig_data) { | 765 | if (!sig_data) { |
| 766 | kfree(ctx); | 766 | security_release_secctx(ctx, len); |
| 767 | return -ENOMEM; | 767 | return -ENOMEM; |
| 768 | } | 768 | } |
| 769 | sig_data->uid = audit_sig_uid; | 769 | sig_data->uid = audit_sig_uid; |
| 770 | sig_data->pid = audit_sig_pid; | 770 | sig_data->pid = audit_sig_pid; |
| 771 | memcpy(sig_data->ctx, ctx, len); | 771 | memcpy(sig_data->ctx, ctx, len); |
| 772 | kfree(ctx); | 772 | security_release_secctx(ctx, len); |
| 773 | audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO, | 773 | audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO, |
| 774 | 0, 0, sig_data, sizeof(*sig_data) + len); | 774 | 0, 0, sig_data, sizeof(*sig_data) + len); |
| 775 | kfree(sig_data); | 775 | kfree(sig_data); |
| @@ -881,10 +881,6 @@ static int __init audit_init(void) | |||
| 881 | audit_enabled = audit_default; | 881 | audit_enabled = audit_default; |
| 882 | audit_ever_enabled |= !!audit_default; | 882 | audit_ever_enabled |= !!audit_default; |
| 883 | 883 | ||
| 884 | /* Register the callback with selinux. This callback will be invoked | ||
| 885 | * when a new policy is loaded. */ | ||
| 886 | selinux_audit_set_callback(&selinux_audit_rule_update); | ||
| 887 | |||
| 888 | audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized"); | 884 | audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized"); |
| 889 | 885 | ||
| 890 | #ifdef CONFIG_AUDITSYSCALL | 886 | #ifdef CONFIG_AUDITSYSCALL |