Diffstat (limited to 'security/apparmor/file.c')
-rw-r--r-- | security/apparmor/file.c | 54 |
1 files changed, 28 insertions, 26 deletions
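--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -67,22 +67,22 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
 struct common_audit_data *sa = va;
 uid_t fsuid = current_fsuid();
 
-if (sa->aad.fs.request & AA_AUDIT_FILE_MASK) {
+if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) {
 audit_log_format(ab, " requested_mask=");
-audit_file_mask(ab, sa->aad.fs.request);
+audit_file_mask(ab, sa->aad->fs.request);
 }
-if (sa->aad.fs.denied & AA_AUDIT_FILE_MASK) {
+if (sa->aad->fs.denied & AA_AUDIT_FILE_MASK) {
 audit_log_format(ab, " denied_mask=");
-audit_file_mask(ab, sa->aad.fs.denied);
+audit_file_mask(ab, sa->aad->fs.denied);
 }
-if (sa->aad.fs.request & AA_AUDIT_FILE_MASK) {
+if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) {
 audit_log_format(ab, " fsuid=%d", fsuid);
-audit_log_format(ab, " ouid=%d", sa->aad.fs.ouid);
+audit_log_format(ab, " ouid=%d", sa->aad->fs.ouid);
 }
 
-if (sa->aad.fs.target) {
+if (sa->aad->fs.target) {
 audit_log_format(ab, " target=");
-audit_log_untrustedstring(ab, sa->aad.fs.target);
+audit_log_untrustedstring(ab, sa->aad->fs.target);
 }
 }
 
@@ -107,45 +107,47 @@ int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
 {
 int type = AUDIT_APPARMOR_AUTO;
 struct common_audit_data sa;
+struct apparmor_audit_data aad = {0,};
 COMMON_AUDIT_DATA_INIT(&sa, NONE);
-sa.aad.op = op,
-sa.aad.fs.request = request;
-sa.aad.name = name;
-sa.aad.fs.target = target;
-sa.aad.fs.ouid = ouid;
-sa.aad.info = info;
-sa.aad.error = error;
-
-if (likely(!sa.aad.error)) {
+sa.aad = &aad;
+aad.op = op,
+aad.fs.request = request;
+aad.name = name;
+aad.fs.target = target;
+aad.fs.ouid = ouid;
+aad.info = info;
+aad.error = error;
+
+if (likely(!sa.aad->error)) {
 u32 mask = perms->audit;
 
 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
 mask = 0xffff;
 
 /* mask off perms that are not being force audited */
-sa.aad.fs.request &= mask;
+sa.aad->fs.request &= mask;
 
-if (likely(!sa.aad.fs.request))
+if (likely(!sa.aad->fs.request))
 return 0;
 type = AUDIT_APPARMOR_AUDIT;
 } else {
 /* only report permissions that were denied */
-sa.aad.fs.request = sa.aad.fs.request & ~perms->allow;
+sa.aad->fs.request = sa.aad->fs.request & ~perms->allow;
 
-if (sa.aad.fs.request & perms->kill)
+if (sa.aad->fs.request & perms->kill)
 type = AUDIT_APPARMOR_KILL;
 
 /* quiet known rejects, assumes quiet and kill do not overlap */
-if ((sa.aad.fs.request & perms->quiet) &&
+if ((sa.aad->fs.request & perms->quiet) &&
 AUDIT_MODE(profile) != AUDIT_NOQUIET &&
 AUDIT_MODE(profile) != AUDIT_ALL)
-sa.aad.fs.request &= ~perms->quiet;
+sa.aad->fs.request &= ~perms->quiet;
 
-if (!sa.aad.fs.request)
-return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
+if (!sa.aad->fs.request)
+return COMPLAIN_MODE(profile) ? 0 : sa.aad->error;
 }
 
-sa.aad.fs.denied = sa.aad.fs.request & ~perms->allow;
+sa.aad->fs.denied = sa.aad->fs.request & ~perms->allow;
 return aa_audit(type, profile, gfp, &sa, file_audit_cb);
 }
 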
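Review bot: In aa_audit_file the new `sa.aad = &aad;` makes the audit data a pointer to a stack-local, and file_audit_cb in the first hunk now dereferences `sa->aad` unconditionally, so the code relies on two unwritten rules: every caller sets the pointer before `aa_audit()`, and nothing keeps `&sa` after the function returns. Only this one caller is visible and it does set the pointer, but what `aa_audit()` does with `&sa` cannot be confirmed from these hunks, so I would document it above the assignment: `/* aad is on this stack frame; sa.aad must be set before aa_audit() and not retained after it returns */`. Separately, `aad.op = op,` keeps the comma from the old line and should be `aad.op = op;`. The function also writes through `aad.` and then reads through `sa.aad->`; using `aad.` throughout would read more plainly. Both functions begin above their hunks, so their parameter lists are only partly visible.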