1 files changed, 30 insertions, 1 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 939500317066..0a1355ca3d79 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -43,7 +43,7 @@
 #include <linux/init.h>
 #include <asm/types.h>
-#include <asm/atomic.h>
+#include <linux/atomic.h>
 #include <linux/mm.h>
 #include <linux/module.h>
 #include <linux/slab.h>
@@ -55,6 +55,9 @@
 #include <net/sock.h>
 #include <net/netlink.h>
 #include <linux/skbuff.h>
+#ifdef CONFIG_SECURITY
+#include <linux/security.h>
+#endif
 #include <linux/netlink.h>
 #include <linux/freezer.h>
 #include <linux/tty.h>
@@ -1502,6 +1505,32 @@ void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
        }
 }
+#ifdef CONFIG_SECURITY
+/**
+ * audit_log_secctx - Converts and logs SELinux context
+ * @ab: audit_buffer
+ * @secid: security number
+ *
+ * This is a helper function that calls security_secid_to_secctx to convert
+ * secid to secctx and then adds the (converted) SELinux context to the audit
+ * log by calling audit_log_format, thus also preventing leak of internal secid
+ * to userspace. If secid cannot be converted audit_panic is called.
+ */
+void audit_log_secctx(struct audit_buffer *ab, u32 secid)
+{
+        u32 len;
+        char *secctx;
+        if (security_secid_to_secctx(secid, &secctx, &len)) {
+                audit_panic("Cannot convert secid to context");
+        } else {
+                audit_log_format(ab, " obj=%s", secctx);
+                security_release_secctx(secctx, len);
+        }
+}
+EXPORT_SYMBOL(audit_log_secctx);
+#endif
 EXPORT_SYMBOL(audit_log_start);
 EXPORT_SYMBOL(audit_log_end);
 EXPORT_SYMBOL(audit_log_format);

diff --git a/kernel/audit.c b/kernel/audit.c index 939500317066..0a1355ca3d79 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -43,7 +43,7 @@
43		43
44	#include <linux/init.h>	44	#include <linux/init.h>
45	#include <asm/types.h>	45	#include <asm/types.h>
46	#include <asm/atomic.h>	46	#include <linux/atomic.h>
47	#include <linux/mm.h>	47	#include <linux/mm.h>
48	#include <linux/module.h>	48	#include <linux/module.h>
49	#include <linux/slab.h>	49	#include <linux/slab.h>
@@ -55,6 +55,9 @@
55	#include <net/sock.h>	55	#include <net/sock.h>
56	#include <net/netlink.h>	56	#include <net/netlink.h>
57	#include <linux/skbuff.h>	57	#include <linux/skbuff.h>
		58	#ifdef CONFIG_SECURITY
		59	#include <linux/security.h>
		60	#endif
58	#include <linux/netlink.h>	61	#include <linux/netlink.h>
59	#include <linux/freezer.h>	62	#include <linux/freezer.h>
60	#include <linux/tty.h>	63	#include <linux/tty.h>
@@ -1502,6 +1505,32 @@ void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
1502	}	1505	}
1503	}	1506	}
1504		1507
		1508	#ifdef CONFIG_SECURITY
		1509	/**
		1510	* audit_log_secctx - Converts and logs SELinux context
		1511	* @ab: audit_buffer
		1512	* @secid: security number
		1513	*
		1514	* This is a helper function that calls security_secid_to_secctx to convert
		1515	* secid to secctx and then adds the (converted) SELinux context to the audit
		1516	* log by calling audit_log_format, thus also preventing leak of internal secid
		1517	* to userspace. If secid cannot be converted audit_panic is called.
		1518	*/
		1519	void audit_log_secctx(struct audit_buffer *ab, u32 secid)
		1520	{
		1521	u32 len;
		1522	char *secctx;
		1523
		1524	if (security_secid_to_secctx(secid, &secctx, &len)) {
		1525	audit_panic("Cannot convert secid to context");
		1526	} else {
		1527	audit_log_format(ab, " obj=%s", secctx);
		1528	security_release_secctx(secctx, len);
		1529	}
		1530	}
		1531	EXPORT_SYMBOL(audit_log_secctx);
		1532	#endif
		1533
1505	EXPORT_SYMBOL(audit_log_start);	1534	EXPORT_SYMBOL(audit_log_start);
1506	EXPORT_SYMBOL(audit_log_end);	1535	EXPORT_SYMBOL(audit_log_end);
1507	EXPORT_SYMBOL(audit_log_format);	1536	EXPORT_SYMBOL(audit_log_format);