aboutsummaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
Diffstat (limited to 'kernel')
-rw-r--r--kernel/audit.c24
-rw-r--r--kernel/audit.h25
-rw-r--r--kernel/auditfilter.c99
-rw-r--r--kernel/auditsc.c74
4 files changed, 85 insertions, 137 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index b782b046543d..a7b16086d36f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -21,7 +21,7 @@
21 * 21 *
22 * Written by Rickard E. (Rik) Faith <faith@redhat.com> 22 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
23 * 23 *
24 * Goals: 1) Integrate fully with SELinux. 24 * Goals: 1) Integrate fully with Security Modules.
25 * 2) Minimal run-time overhead: 25 * 2) Minimal run-time overhead:
26 * a) Minimal when syscall auditing is disabled (audit_enable=0). 26 * a) Minimal when syscall auditing is disabled (audit_enable=0).
27 * b) Small when syscall auditing is enabled and no audit record 27 * b) Small when syscall auditing is enabled and no audit record
@@ -55,7 +55,6 @@
55#include <net/netlink.h> 55#include <net/netlink.h>
56#include <linux/skbuff.h> 56#include <linux/skbuff.h>
57#include <linux/netlink.h> 57#include <linux/netlink.h>
58#include <linux/selinux.h>
59#include <linux/inotify.h> 58#include <linux/inotify.h>
60#include <linux/freezer.h> 59#include <linux/freezer.h>
61#include <linux/tty.h> 60#include <linux/tty.h>
@@ -265,13 +264,13 @@ static int audit_log_config_change(char *function_name, int new, int old,
265 char *ctx = NULL; 264 char *ctx = NULL;
266 u32 len; 265 u32 len;
267 266
268 rc = selinux_sid_to_string(sid, &ctx, &len); 267 rc = security_secid_to_secctx(sid, &ctx, &len);
269 if (rc) { 268 if (rc) {
270 audit_log_format(ab, " sid=%u", sid); 269 audit_log_format(ab, " sid=%u", sid);
271 allow_changes = 0; /* Something weird, deny request */ 270 allow_changes = 0; /* Something weird, deny request */
272 } else { 271 } else {
273 audit_log_format(ab, " subj=%s", ctx); 272 audit_log_format(ab, " subj=%s", ctx);
274 kfree(ctx); 273 security_release_secctx(ctx, len);
275 } 274 }
276 } 275 }
277 audit_log_format(ab, " res=%d", allow_changes); 276 audit_log_format(ab, " res=%d", allow_changes);
@@ -550,12 +549,13 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
550 audit_log_format(*ab, "user pid=%d uid=%u auid=%u", 549 audit_log_format(*ab, "user pid=%d uid=%u auid=%u",
551 pid, uid, auid); 550 pid, uid, auid);
552 if (sid) { 551 if (sid) {
553 rc = selinux_sid_to_string(sid, &ctx, &len); 552 rc = security_secid_to_secctx(sid, &ctx, &len);
554 if (rc) 553 if (rc)
555 audit_log_format(*ab, " ssid=%u", sid); 554 audit_log_format(*ab, " ssid=%u", sid);
556 else 555 else {
557 audit_log_format(*ab, " subj=%s", ctx); 556 audit_log_format(*ab, " subj=%s", ctx);
558 kfree(ctx); 557 security_release_secctx(ctx, len);
558 }
559 } 559 }
560 560
561 return rc; 561 return rc;
@@ -758,18 +758,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
758 break; 758 break;
759 } 759 }
760 case AUDIT_SIGNAL_INFO: 760 case AUDIT_SIGNAL_INFO:
761 err = selinux_sid_to_string(audit_sig_sid, &ctx, &len); 761 err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
762 if (err) 762 if (err)
763 return err; 763 return err;
764 sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); 764 sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
765 if (!sig_data) { 765 if (!sig_data) {
766 kfree(ctx); 766 security_release_secctx(ctx, len);
767 return -ENOMEM; 767 return -ENOMEM;
768 } 768 }
769 sig_data->uid = audit_sig_uid; 769 sig_data->uid = audit_sig_uid;
770 sig_data->pid = audit_sig_pid; 770 sig_data->pid = audit_sig_pid;
771 memcpy(sig_data->ctx, ctx, len); 771 memcpy(sig_data->ctx, ctx, len);
772 kfree(ctx); 772 security_release_secctx(ctx, len);
773 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO, 773 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
774 0, 0, sig_data, sizeof(*sig_data) + len); 774 0, 0, sig_data, sizeof(*sig_data) + len);
775 kfree(sig_data); 775 kfree(sig_data);
@@ -881,10 +881,6 @@ static int __init audit_init(void)
881 audit_enabled = audit_default; 881 audit_enabled = audit_default;
882 audit_ever_enabled |= !!audit_default; 882 audit_ever_enabled |= !!audit_default;
883 883
884 /* Register the callback with selinux. This callback will be invoked
885 * when a new policy is loaded. */
886 selinux_audit_set_callback(&selinux_audit_rule_update);
887
888 audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized"); 884 audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
889 885
890#ifdef CONFIG_AUDITSYSCALL 886#ifdef CONFIG_AUDITSYSCALL
diff --git a/kernel/audit.h b/kernel/audit.h
index 2554bd524fd1..3cfc54ee3e1f 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -65,34 +65,9 @@ struct audit_watch {
65 struct list_head rules; /* associated rules */ 65 struct list_head rules; /* associated rules */
66}; 66};
67 67
68struct audit_field {
69 u32 type;
70 u32 val;
71 u32 op;
72 char *se_str;
73 struct selinux_audit_rule *se_rule;
74};
75
76struct audit_tree; 68struct audit_tree;
77struct audit_chunk; 69struct audit_chunk;
78 70
79struct audit_krule {
80 int vers_ops;
81 u32 flags;
82 u32 listnr;
83 u32 action;
84 u32 mask[AUDIT_BITMASK_SIZE];
85 u32 buflen; /* for data alloc on list rules */
86 u32 field_count;
87 char *filterkey; /* ties events to rules */
88 struct audit_field *fields;
89 struct audit_field *arch_f; /* quick access to arch field */
90 struct audit_field *inode_f; /* quick access to an inode field */
91 struct audit_watch *watch; /* associated watch */
92 struct audit_tree *tree; /* associated watched tree */
93 struct list_head rlist; /* entry in audit_{watch,tree}.rules list */
94};
95
96struct audit_entry { 71struct audit_entry {
97 struct list_head list; 72 struct list_head list;
98 struct rcu_head rcu; 73 struct rcu_head rcu;
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 2f2914b7cc30..28fef6bf8534 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -28,7 +28,7 @@
28#include <linux/netlink.h> 28#include <linux/netlink.h>
29#include <linux/sched.h> 29#include <linux/sched.h>
30#include <linux/inotify.h> 30#include <linux/inotify.h>
31#include <linux/selinux.h> 31#include <linux/security.h>
32#include "audit.h" 32#include "audit.h"
33 33
34/* 34/*
@@ -38,7 +38,7 @@
38 * Synchronizes writes and blocking reads of audit's filterlist 38 * Synchronizes writes and blocking reads of audit's filterlist
39 * data. Rcu is used to traverse the filterlist and access 39 * data. Rcu is used to traverse the filterlist and access
40 * contents of structs audit_entry, audit_watch and opaque 40 * contents of structs audit_entry, audit_watch and opaque
41 * selinux rules during filtering. If modified, these structures 41 * LSM rules during filtering. If modified, these structures
42 * must be copied and replace their counterparts in the filterlist. 42 * must be copied and replace their counterparts in the filterlist.
43 * An audit_parent struct is not accessed during filtering, so may 43 * An audit_parent struct is not accessed during filtering, so may
44 * be written directly provided audit_filter_mutex is held. 44 * be written directly provided audit_filter_mutex is held.
@@ -139,8 +139,8 @@ static inline void audit_free_rule(struct audit_entry *e)
139 if (e->rule.fields) 139 if (e->rule.fields)
140 for (i = 0; i < e->rule.field_count; i++) { 140 for (i = 0; i < e->rule.field_count; i++) {
141 struct audit_field *f = &e->rule.fields[i]; 141 struct audit_field *f = &e->rule.fields[i];
142 kfree(f->se_str); 142 kfree(f->lsm_str);
143 selinux_audit_rule_free(f->se_rule); 143 security_audit_rule_free(f->lsm_rule);
144 } 144 }
145 kfree(e->rule.fields); 145 kfree(e->rule.fields);
146 kfree(e->rule.filterkey); 146 kfree(e->rule.filterkey);
@@ -554,8 +554,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
554 f->op = data->fieldflags[i] & AUDIT_OPERATORS; 554 f->op = data->fieldflags[i] & AUDIT_OPERATORS;
555 f->type = data->fields[i]; 555 f->type = data->fields[i];
556 f->val = data->values[i]; 556 f->val = data->values[i];
557 f->se_str = NULL; 557 f->lsm_str = NULL;
558 f->se_rule = NULL; 558 f->lsm_rule = NULL;
559 switch(f->type) { 559 switch(f->type) {
560 case AUDIT_PID: 560 case AUDIT_PID:
561 case AUDIT_UID: 561 case AUDIT_UID:
@@ -597,12 +597,12 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
597 goto exit_free; 597 goto exit_free;
598 entry->rule.buflen += f->val; 598 entry->rule.buflen += f->val;
599 599
600 err = selinux_audit_rule_init(f->type, f->op, str, 600 err = security_audit_rule_init(f->type, f->op, str,
601 &f->se_rule); 601 (void **)&f->lsm_rule);
602 /* Keep currently invalid fields around in case they 602 /* Keep currently invalid fields around in case they
603 * become valid after a policy reload. */ 603 * become valid after a policy reload. */
604 if (err == -EINVAL) { 604 if (err == -EINVAL) {
605 printk(KERN_WARNING "audit rule for selinux " 605 printk(KERN_WARNING "audit rule for LSM "
606 "\'%s\' is invalid\n", str); 606 "\'%s\' is invalid\n", str);
607 err = 0; 607 err = 0;
608 } 608 }
@@ -610,7 +610,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
610 kfree(str); 610 kfree(str);
611 goto exit_free; 611 goto exit_free;
612 } else 612 } else
613 f->se_str = str; 613 f->lsm_str = str;
614 break; 614 break;
615 case AUDIT_WATCH: 615 case AUDIT_WATCH:
616 str = audit_unpack_string(&bufp, &remain, f->val); 616 str = audit_unpack_string(&bufp, &remain, f->val);
@@ -754,7 +754,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
754 case AUDIT_OBJ_LEV_LOW: 754 case AUDIT_OBJ_LEV_LOW:
755 case AUDIT_OBJ_LEV_HIGH: 755 case AUDIT_OBJ_LEV_HIGH:
756 data->buflen += data->values[i] = 756 data->buflen += data->values[i] =
757 audit_pack_string(&bufp, f->se_str); 757 audit_pack_string(&bufp, f->lsm_str);
758 break; 758 break;
759 case AUDIT_WATCH: 759 case AUDIT_WATCH:
760 data->buflen += data->values[i] = 760 data->buflen += data->values[i] =
@@ -806,7 +806,7 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
806 case AUDIT_OBJ_TYPE: 806 case AUDIT_OBJ_TYPE:
807 case AUDIT_OBJ_LEV_LOW: 807 case AUDIT_OBJ_LEV_LOW:
808 case AUDIT_OBJ_LEV_HIGH: 808 case AUDIT_OBJ_LEV_HIGH:
809 if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) 809 if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
810 return 1; 810 return 1;
811 break; 811 break;
812 case AUDIT_WATCH: 812 case AUDIT_WATCH:
@@ -862,28 +862,28 @@ out:
862 return new; 862 return new;
863} 863}
864 864
865/* Duplicate selinux field information. The se_rule is opaque, so must be 865/* Duplicate LSM field information. The lsm_rule is opaque, so must be
866 * re-initialized. */ 866 * re-initialized. */
867static inline int audit_dupe_selinux_field(struct audit_field *df, 867static inline int audit_dupe_lsm_field(struct audit_field *df,
868 struct audit_field *sf) 868 struct audit_field *sf)
869{ 869{
870 int ret = 0; 870 int ret = 0;
871 char *se_str; 871 char *lsm_str;
872 872
873 /* our own copy of se_str */ 873 /* our own copy of lsm_str */
874 se_str = kstrdup(sf->se_str, GFP_KERNEL); 874 lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
875 if (unlikely(!se_str)) 875 if (unlikely(!lsm_str))
876 return -ENOMEM; 876 return -ENOMEM;
877 df->se_str = se_str; 877 df->lsm_str = lsm_str;
878 878
879 /* our own (refreshed) copy of se_rule */ 879 /* our own (refreshed) copy of lsm_rule */
880 ret = selinux_audit_rule_init(df->type, df->op, df->se_str, 880 ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
881 &df->se_rule); 881 (void **)&df->lsm_rule);
882 /* Keep currently invalid fields around in case they 882 /* Keep currently invalid fields around in case they
883 * become valid after a policy reload. */ 883 * become valid after a policy reload. */
884 if (ret == -EINVAL) { 884 if (ret == -EINVAL) {
885 printk(KERN_WARNING "audit rule for selinux \'%s\' is " 885 printk(KERN_WARNING "audit rule for LSM \'%s\' is "
886 "invalid\n", df->se_str); 886 "invalid\n", df->lsm_str);
887 ret = 0; 887 ret = 0;
888 } 888 }
889 889
@@ -891,7 +891,7 @@ static inline int audit_dupe_selinux_field(struct audit_field *df,
891} 891}
892 892
893/* Duplicate an audit rule. This will be a deep copy with the exception 893/* Duplicate an audit rule. This will be a deep copy with the exception
894 * of the watch - that pointer is carried over. The selinux specific fields 894 * of the watch - that pointer is carried over. The LSM specific fields
895 * will be updated in the copy. The point is to be able to replace the old 895 * will be updated in the copy. The point is to be able to replace the old
896 * rule with the new rule in the filterlist, then free the old rule. 896 * rule with the new rule in the filterlist, then free the old rule.
897 * The rlist element is undefined; list manipulations are handled apart from 897 * The rlist element is undefined; list manipulations are handled apart from
@@ -930,7 +930,7 @@ static struct audit_entry *audit_dupe_rule(struct audit_krule *old,
930 new->tree = old->tree; 930 new->tree = old->tree;
931 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); 931 memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
932 932
933 /* deep copy this information, updating the se_rule fields, because 933 /* deep copy this information, updating the lsm_rule fields, because
934 * the originals will all be freed when the old rule is freed. */ 934 * the originals will all be freed when the old rule is freed. */
935 for (i = 0; i < fcount; i++) { 935 for (i = 0; i < fcount; i++) {
936 switch (new->fields[i].type) { 936 switch (new->fields[i].type) {
@@ -944,7 +944,7 @@ static struct audit_entry *audit_dupe_rule(struct audit_krule *old,
944 case AUDIT_OBJ_TYPE: 944 case AUDIT_OBJ_TYPE:
945 case AUDIT_OBJ_LEV_LOW: 945 case AUDIT_OBJ_LEV_LOW:
946 case AUDIT_OBJ_LEV_HIGH: 946 case AUDIT_OBJ_LEV_HIGH:
947 err = audit_dupe_selinux_field(&new->fields[i], 947 err = audit_dupe_lsm_field(&new->fields[i],
948 &old->fields[i]); 948 &old->fields[i]);
949 break; 949 break;
950 case AUDIT_FILTERKEY: 950 case AUDIT_FILTERKEY:
@@ -1515,11 +1515,12 @@ static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
1515 if (sid) { 1515 if (sid) {
1516 char *ctx = NULL; 1516 char *ctx = NULL;
1517 u32 len; 1517 u32 len;
1518 if (selinux_sid_to_string(sid, &ctx, &len)) 1518 if (security_secid_to_secctx(sid, &ctx, &len))
1519 audit_log_format(ab, " ssid=%u", sid); 1519 audit_log_format(ab, " ssid=%u", sid);
1520 else 1520 else {
1521 audit_log_format(ab, " subj=%s", ctx); 1521 audit_log_format(ab, " subj=%s", ctx);
1522 kfree(ctx); 1522 security_release_secctx(ctx, len);
1523 }
1523 } 1524 }
1524 audit_log_format(ab, " op=%s rule key=", action); 1525 audit_log_format(ab, " op=%s rule key=", action);
1525 if (rule->filterkey) 1526 if (rule->filterkey)
@@ -1761,38 +1762,12 @@ unlock_and_return:
1761 return result; 1762 return result;
1762} 1763}
1763 1764
1764/* Check to see if the rule contains any selinux fields. Returns 1 if there 1765/* This function will re-initialize the lsm_rule field of all applicable rules.
1765 are selinux fields specified in the rule, 0 otherwise. */ 1766 * It will traverse the filter lists serarching for rules that contain LSM
1766static inline int audit_rule_has_selinux(struct audit_krule *rule)
1767{
1768 int i;
1769
1770 for (i = 0; i < rule->field_count; i++) {
1771 struct audit_field *f = &rule->fields[i];
1772 switch (f->type) {
1773 case AUDIT_SUBJ_USER:
1774 case AUDIT_SUBJ_ROLE:
1775 case AUDIT_SUBJ_TYPE:
1776 case AUDIT_SUBJ_SEN:
1777 case AUDIT_SUBJ_CLR:
1778 case AUDIT_OBJ_USER:
1779 case AUDIT_OBJ_ROLE:
1780 case AUDIT_OBJ_TYPE:
1781 case AUDIT_OBJ_LEV_LOW:
1782 case AUDIT_OBJ_LEV_HIGH:
1783 return 1;
1784 }
1785 }
1786
1787 return 0;
1788}
1789
1790/* This function will re-initialize the se_rule field of all applicable rules.
1791 * It will traverse the filter lists serarching for rules that contain selinux
1792 * specific filter fields. When such a rule is found, it is copied, the 1767 * specific filter fields. When such a rule is found, it is copied, the
1793 * selinux field is re-initialized, and the old rule is replaced with the 1768 * LSM field is re-initialized, and the old rule is replaced with the
1794 * updated rule. */ 1769 * updated rule. */
1795int selinux_audit_rule_update(void) 1770int audit_update_lsm_rules(void)
1796{ 1771{
1797 struct audit_entry *entry, *n, *nentry; 1772 struct audit_entry *entry, *n, *nentry;
1798 struct audit_watch *watch; 1773 struct audit_watch *watch;
@@ -1804,7 +1779,7 @@ int selinux_audit_rule_update(void)
1804 1779
1805 for (i = 0; i < AUDIT_NR_FILTERS; i++) { 1780 for (i = 0; i < AUDIT_NR_FILTERS; i++) {
1806 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) { 1781 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) {
1807 if (!audit_rule_has_selinux(&entry->rule)) 1782 if (!security_audit_rule_known(&entry->rule))
1808 continue; 1783 continue;
1809 1784
1810 watch = entry->rule.watch; 1785 watch = entry->rule.watch;
@@ -1815,7 +1790,7 @@ int selinux_audit_rule_update(void)
1815 * return value */ 1790 * return value */
1816 if (!err) 1791 if (!err)
1817 err = PTR_ERR(nentry); 1792 err = PTR_ERR(nentry);
1818 audit_panic("error updating selinux filters"); 1793 audit_panic("error updating LSM filters");
1819 if (watch) 1794 if (watch)
1820 list_del(&entry->rule.rlist); 1795 list_del(&entry->rule.rlist);
1821 list_del_rcu(&entry->list); 1796 list_del_rcu(&entry->list);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 782262e4107d..56e56ed594a8 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -61,7 +61,6 @@
61#include <linux/security.h> 61#include <linux/security.h>
62#include <linux/list.h> 62#include <linux/list.h>
63#include <linux/tty.h> 63#include <linux/tty.h>
64#include <linux/selinux.h>
65#include <linux/binfmts.h> 64#include <linux/binfmts.h>
66#include <linux/highmem.h> 65#include <linux/highmem.h>
67#include <linux/syscalls.h> 66#include <linux/syscalls.h>
@@ -528,14 +527,14 @@ static int audit_filter_rules(struct task_struct *tsk,
528 match for now to avoid losing information that 527 match for now to avoid losing information that
529 may be wanted. An error message will also be 528 may be wanted. An error message will also be
530 logged upon error */ 529 logged upon error */
531 if (f->se_rule) { 530 if (f->lsm_rule) {
532 if (need_sid) { 531 if (need_sid) {
533 selinux_get_task_sid(tsk, &sid); 532 security_task_getsecid(tsk, &sid);
534 need_sid = 0; 533 need_sid = 0;
535 } 534 }
536 result = selinux_audit_rule_match(sid, f->type, 535 result = security_audit_rule_match(sid, f->type,
537 f->op, 536 f->op,
538 f->se_rule, 537 f->lsm_rule,
539 ctx); 538 ctx);
540 } 539 }
541 break; 540 break;
@@ -546,18 +545,18 @@ static int audit_filter_rules(struct task_struct *tsk,
546 case AUDIT_OBJ_LEV_HIGH: 545 case AUDIT_OBJ_LEV_HIGH:
547 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR 546 /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
548 also applies here */ 547 also applies here */
549 if (f->se_rule) { 548 if (f->lsm_rule) {
550 /* Find files that match */ 549 /* Find files that match */
551 if (name) { 550 if (name) {
552 result = selinux_audit_rule_match( 551 result = security_audit_rule_match(
553 name->osid, f->type, f->op, 552 name->osid, f->type, f->op,
554 f->se_rule, ctx); 553 f->lsm_rule, ctx);
555 } else if (ctx) { 554 } else if (ctx) {
556 for (j = 0; j < ctx->name_count; j++) { 555 for (j = 0; j < ctx->name_count; j++) {
557 if (selinux_audit_rule_match( 556 if (security_audit_rule_match(
558 ctx->names[j].osid, 557 ctx->names[j].osid,
559 f->type, f->op, 558 f->type, f->op,
560 f->se_rule, ctx)) { 559 f->lsm_rule, ctx)) {
561 ++result; 560 ++result;
562 break; 561 break;
563 } 562 }
@@ -570,7 +569,7 @@ static int audit_filter_rules(struct task_struct *tsk,
570 aux = aux->next) { 569 aux = aux->next) {
571 if (aux->type == AUDIT_IPC) { 570 if (aux->type == AUDIT_IPC) {
572 struct audit_aux_data_ipcctl *axi = (void *)aux; 571 struct audit_aux_data_ipcctl *axi = (void *)aux;
573 if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) { 572 if (security_audit_rule_match(axi->osid, f->type, f->op, f->lsm_rule, ctx)) {
574 ++result; 573 ++result;
575 break; 574 break;
576 } 575 }
@@ -885,11 +884,11 @@ void audit_log_task_context(struct audit_buffer *ab)
885 int error; 884 int error;
886 u32 sid; 885 u32 sid;
887 886
888 selinux_get_task_sid(current, &sid); 887 security_task_getsecid(current, &sid);
889 if (!sid) 888 if (!sid)
890 return; 889 return;
891 890
892 error = selinux_sid_to_string(sid, &ctx, &len); 891 error = security_secid_to_secctx(sid, &ctx, &len);
893 if (error) { 892 if (error) {
894 if (error != -EINVAL) 893 if (error != -EINVAL)
895 goto error_path; 894 goto error_path;
@@ -897,7 +896,7 @@ void audit_log_task_context(struct audit_buffer *ab)
897 } 896 }
898 897
899 audit_log_format(ab, " subj=%s", ctx); 898 audit_log_format(ab, " subj=%s", ctx);
900 kfree(ctx); 899 security_release_secctx(ctx, len);
901 return; 900 return;
902 901
903error_path: 902error_path:
@@ -941,7 +940,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
941 u32 sid, char *comm) 940 u32 sid, char *comm)
942{ 941{
943 struct audit_buffer *ab; 942 struct audit_buffer *ab;
944 char *s = NULL; 943 char *ctx = NULL;
945 u32 len; 944 u32 len;
946 int rc = 0; 945 int rc = 0;
947 946
@@ -951,15 +950,16 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
951 950
952 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid, 951 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
953 uid, sessionid); 952 uid, sessionid);
954 if (selinux_sid_to_string(sid, &s, &len)) { 953 if (security_secid_to_secctx(sid, &ctx, &len)) {
955 audit_log_format(ab, " obj=(none)"); 954 audit_log_format(ab, " obj=(none)");
956 rc = 1; 955 rc = 1;
957 } else 956 } else {
958 audit_log_format(ab, " obj=%s", s); 957 audit_log_format(ab, " obj=%s", ctx);
958 security_release_secctx(ctx, len);
959 }
959 audit_log_format(ab, " ocomm="); 960 audit_log_format(ab, " ocomm=");
960 audit_log_untrustedstring(ab, comm); 961 audit_log_untrustedstring(ab, comm);
961 audit_log_end(ab); 962 audit_log_end(ab);
962 kfree(s);
963 963
964 return rc; 964 return rc;
965} 965}
@@ -1271,14 +1271,15 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1271 if (axi->osid != 0) { 1271 if (axi->osid != 0) {
1272 char *ctx = NULL; 1272 char *ctx = NULL;
1273 u32 len; 1273 u32 len;
1274 if (selinux_sid_to_string( 1274 if (security_secid_to_secctx(
1275 axi->osid, &ctx, &len)) { 1275 axi->osid, &ctx, &len)) {
1276 audit_log_format(ab, " osid=%u", 1276 audit_log_format(ab, " osid=%u",
1277 axi->osid); 1277 axi->osid);
1278 call_panic = 1; 1278 call_panic = 1;
1279 } else 1279 } else {
1280 audit_log_format(ab, " obj=%s", ctx); 1280 audit_log_format(ab, " obj=%s", ctx);
1281 kfree(ctx); 1281 security_release_secctx(ctx, len);
1282 }
1282 } 1283 }
1283 break; } 1284 break; }
1284 1285
@@ -1392,13 +1393,14 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
1392 if (n->osid != 0) { 1393 if (n->osid != 0) {
1393 char *ctx = NULL; 1394 char *ctx = NULL;
1394 u32 len; 1395 u32 len;
1395 if (selinux_sid_to_string( 1396 if (security_secid_to_secctx(
1396 n->osid, &ctx, &len)) { 1397 n->osid, &ctx, &len)) {
1397 audit_log_format(ab, " osid=%u", n->osid); 1398 audit_log_format(ab, " osid=%u", n->osid);
1398 call_panic = 2; 1399 call_panic = 2;
1399 } else 1400 } else {
1400 audit_log_format(ab, " obj=%s", ctx); 1401 audit_log_format(ab, " obj=%s", ctx);
1401 kfree(ctx); 1402 security_release_secctx(ctx, len);
1403 }
1402 } 1404 }
1403 1405
1404 audit_log_end(ab); 1406 audit_log_end(ab);
@@ -1775,7 +1777,7 @@ static void audit_copy_inode(struct audit_names *name, const struct inode *inode
1775 name->uid = inode->i_uid; 1777 name->uid = inode->i_uid;
1776 name->gid = inode->i_gid; 1778 name->gid = inode->i_gid;
1777 name->rdev = inode->i_rdev; 1779 name->rdev = inode->i_rdev;
1778 selinux_get_inode_sid(inode, &name->osid); 1780 security_inode_getsecid(inode, &name->osid);
1779} 1781}
1780 1782
1781/** 1783/**
@@ -2190,8 +2192,7 @@ int __audit_ipc_obj(struct kern_ipc_perm *ipcp)
2190 ax->uid = ipcp->uid; 2192 ax->uid = ipcp->uid;
2191 ax->gid = ipcp->gid; 2193 ax->gid = ipcp->gid;
2192 ax->mode = ipcp->mode; 2194 ax->mode = ipcp->mode;
2193 selinux_get_ipc_sid(ipcp, &ax->osid); 2195 security_ipc_getsecid(ipcp, &ax->osid);
2194
2195 ax->d.type = AUDIT_IPC; 2196 ax->d.type = AUDIT_IPC;
2196 ax->d.next = context->aux; 2197 ax->d.next = context->aux;
2197 context->aux = (void *)ax; 2198 context->aux = (void *)ax;
@@ -2343,7 +2344,7 @@ void __audit_ptrace(struct task_struct *t)
2343 context->target_auid = audit_get_loginuid(t); 2344 context->target_auid = audit_get_loginuid(t);
2344 context->target_uid = t->uid; 2345 context->target_uid = t->uid;
2345 context->target_sessionid = audit_get_sessionid(t); 2346 context->target_sessionid = audit_get_sessionid(t);
2346 selinux_get_task_sid(t, &context->target_sid); 2347 security_task_getsecid(t, &context->target_sid);
2347 memcpy(context->target_comm, t->comm, TASK_COMM_LEN); 2348 memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
2348} 2349}
2349 2350
@@ -2371,7 +2372,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
2371 audit_sig_uid = tsk->loginuid; 2372 audit_sig_uid = tsk->loginuid;
2372 else 2373 else
2373 audit_sig_uid = tsk->uid; 2374 audit_sig_uid = tsk->uid;
2374 selinux_get_task_sid(tsk, &audit_sig_sid); 2375 security_task_getsecid(tsk, &audit_sig_sid);
2375 } 2376 }
2376 if (!audit_signals || audit_dummy_context()) 2377 if (!audit_signals || audit_dummy_context())
2377 return 0; 2378 return 0;
@@ -2384,7 +2385,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
2384 ctx->target_auid = audit_get_loginuid(t); 2385 ctx->target_auid = audit_get_loginuid(t);
2385 ctx->target_uid = t->uid; 2386 ctx->target_uid = t->uid;
2386 ctx->target_sessionid = audit_get_sessionid(t); 2387 ctx->target_sessionid = audit_get_sessionid(t);
2387 selinux_get_task_sid(t, &ctx->target_sid); 2388 security_task_getsecid(t, &ctx->target_sid);
2388 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); 2389 memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
2389 return 0; 2390 return 0;
2390 } 2391 }
@@ -2405,7 +2406,7 @@ int __audit_signal_info(int sig, struct task_struct *t)
2405 axp->target_auid[axp->pid_count] = audit_get_loginuid(t); 2406 axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
2406 axp->target_uid[axp->pid_count] = t->uid; 2407 axp->target_uid[axp->pid_count] = t->uid;
2407 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); 2408 axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
2408 selinux_get_task_sid(t, &axp->target_sid[axp->pid_count]); 2409 security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
2409 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); 2410 memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
2410 axp->pid_count++; 2411 axp->pid_count++;
2411 2412
@@ -2435,16 +2436,17 @@ void audit_core_dumps(long signr)
2435 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); 2436 ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
2436 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u", 2437 audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
2437 auid, current->uid, current->gid, sessionid); 2438 auid, current->uid, current->gid, sessionid);
2438 selinux_get_task_sid(current, &sid); 2439 security_task_getsecid(current, &sid);
2439 if (sid) { 2440 if (sid) {
2440 char *ctx = NULL; 2441 char *ctx = NULL;
2441 u32 len; 2442 u32 len;
2442 2443
2443 if (selinux_sid_to_string(sid, &ctx, &len)) 2444 if (security_secid_to_secctx(sid, &ctx, &len))
2444 audit_log_format(ab, " ssid=%u", sid); 2445 audit_log_format(ab, " ssid=%u", sid);
2445 else 2446 else {
2446 audit_log_format(ab, " subj=%s", ctx); 2447 audit_log_format(ab, " subj=%s", ctx);
2447 kfree(ctx); 2448 security_release_secctx(ctx, len);
2449 }
2448 } 2450 }
2449 audit_log_format(ab, " pid=%d comm=", current->pid); 2451 audit_log_format(ab, " pid=%d comm=", current->pid);
2450 audit_log_untrustedstring(ab, current->comm); 2452 audit_log_untrustedstring(ab, current->comm);
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-21 13:23:04 -0500