1 files changed, 41 insertions, 156 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 236aaa2ea86d..e3d19014259b 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -492,23 +492,35 @@ out:
        return node;
 }
-static inline void avc_print_ipv6_addr(struct audit_buffer *ab,
+/**
-                                       struct in6_addr *addr, __be16 port,
+ * avc_audit_pre_callback - SELinux specific information
-                                       char *name1, char *name2)
+ * will be called by generic audit code
+ * @ab: the audit buffer
+ * @a: audit_data
+ */
+static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 {
-        if (!ipv6_addr_any(addr))
+        struct common_audit_data *ad = a;
-                audit_log_format(ab, " %s=%pI6", name1, addr);
+        audit_log_format(ab, "avc:  %s ",
-        if (port)
+                         ad->selinux_audit_data.denied ? "denied" : "granted");
-                audit_log_format(ab, " %s=%d", name2, ntohs(port));
+        avc_dump_av(ab, ad->selinux_audit_data.tclass,
+                        ad->selinux_audit_data.audited);
+        audit_log_format(ab, " for ");
 }
-static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
+/**
-                                       __be16 port, char *name1, char *name2)
+ * avc_audit_post_callback - SELinux specific information
+ * will be called by generic audit code
+ * @ab: the audit buffer
+ * @a: audit_data
+ */
+static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 {
-        if (addr)
+        struct common_audit_data *ad = a;
-                audit_log_format(ab, " %s=%pI4", name1, &addr);
+        audit_log_format(ab, " ");
-        if (port)
+        avc_dump_query(ab, ad->selinux_audit_data.ssid,
-                audit_log_format(ab, " %s=%d", name2, ntohs(port));
+                           ad->selinux_audit_data.tsid,
+                           ad->selinux_audit_data.tclass);
 }
 /**
@@ -532,13 +544,10 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
 */
 void avc_audit(u32 ssid, u32 tsid,
               u16 tclass, u32 requested,
-               struct av_decision *avd, int result, struct avc_audit_data *a)
+               struct av_decision *avd, int result, struct common_audit_data *a)
 {
-        struct task_struct *tsk = current;
+        struct common_audit_data stack_data;
-        struct inode *inode = NULL;
        u32 denied, audited;
-        struct audit_buffer *ab;
        denied = requested & ~avd->allowed;
        if (denied) {
                audited = denied;
@@ -551,144 +560,20 @@ void avc_audit(u32 ssid, u32 tsid,
                if (!(audited & avd->auditallow))
                        return;
        }
+        if (!a) {
-        ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC);
+                a = &stack_data;
-        if (!ab)
+                memset(a, 0, sizeof(*a));
-                return;         /* audit_panic has been called */
+                a->type = LSM_AUDIT_NO_AUDIT;
-        audit_log_format(ab, "avc:  %s ", denied ? "denied" : "granted");
-        avc_dump_av(ab, tclass, audited);
-        audit_log_format(ab, " for ");
-        if (a && a->tsk)
-                tsk = a->tsk;
-        if (tsk && tsk->pid) {
-                audit_log_format(ab, " pid=%d comm=", tsk->pid);
-                audit_log_untrustedstring(ab, tsk->comm);
-        }
-        if (a) {
-                switch (a->type) {
-                case AVC_AUDIT_DATA_IPC:
-                        audit_log_format(ab, " key=%d", a->u.ipc_id);
-                        break;
-                case AVC_AUDIT_DATA_CAP:
-                        audit_log_format(ab, " capability=%d", a->u.cap);
-                        break;
-                case AVC_AUDIT_DATA_FS:
-                        if (a->u.fs.path.dentry) {
-                                struct dentry *dentry = a->u.fs.path.dentry;
-                                if (a->u.fs.path.mnt) {
-                                        audit_log_d_path(ab, "path=",
-                                                         &a->u.fs.path);
-                                } else {
-                                        audit_log_format(ab, " name=");
-                                        audit_log_untrustedstring(ab, dentry->d_name.name);
-                                }
-                                inode = dentry->d_inode;
-                        } else if (a->u.fs.inode) {
-                                struct dentry *dentry;
-                                inode = a->u.fs.inode;
-                                dentry = d_find_alias(inode);
-                                if (dentry) {
-                                        audit_log_format(ab, " name=");
-                                        audit_log_untrustedstring(ab, dentry->d_name.name);
-                                        dput(dentry);
-                                }
-                        }
-                        if (inode)
-                                audit_log_format(ab, " dev=%s ino=%lu",
-                                                 inode->i_sb->s_id,
-                                                 inode->i_ino);
-                        break;
-                case AVC_AUDIT_DATA_NET:
-                        if (a->u.net.sk) {
-                                struct sock *sk = a->u.net.sk;
-                                struct unix_sock *u;
-                                int len = 0;
-                                char *p = NULL;
-                                switch (sk->sk_family) {
-                                case AF_INET: {
-                                        struct inet_sock *inet = inet_sk(sk);
-                                        avc_print_ipv4_addr(ab, inet->rcv_saddr,
-                                                            inet->sport,
-                                                            "laddr", "lport");
-                                        avc_print_ipv4_addr(ab, inet->daddr,
-                                                            inet->dport,
-                                                            "faddr", "fport");
-                                        break;
-                                }
-                                case AF_INET6: {
-                                        struct inet_sock *inet = inet_sk(sk);
-                                        struct ipv6_pinfo *inet6 = inet6_sk(sk);
-                                        avc_print_ipv6_addr(ab, &inet6->rcv_saddr,
-                                                            inet->sport,
-                                                            "laddr", "lport");
-                                        avc_print_ipv6_addr(ab, &inet6->daddr,
-                                                            inet->dport,
-                                                            "faddr", "fport");
-                                        break;
-                                }
-                                case AF_UNIX:
-                                        u = unix_sk(sk);
-                                        if (u->dentry) {
-                                                struct path path = {
-                                                        .dentry = u->dentry,
-                                                        .mnt = u->mnt
-                                                };
-                                                audit_log_d_path(ab, "path=",
-                                                                 &path);
-                                                break;
-                                        }
-                                        if (!u->addr)
-                                                break;
-                                        len = u->addr->len-sizeof(short);
-                                        p = &u->addr->name->sun_path[0];
-                                        audit_log_format(ab, " path=");
-                                        if (*p)
-                                                audit_log_untrustedstring(ab, p);
-                                        else
-                                                audit_log_n_hex(ab, p, len);
-                                        break;
-                                }
-                        }
-                        switch (a->u.net.family) {
-                        case AF_INET:
-                                avc_print_ipv4_addr(ab, a->u.net.v4info.saddr,
-                                                    a->u.net.sport,
-                                                    "saddr", "src");
-                                avc_print_ipv4_addr(ab, a->u.net.v4info.daddr,
-                                                    a->u.net.dport,
-                                                    "daddr", "dest");
-                                break;
-                        case AF_INET6:
-                                avc_print_ipv6_addr(ab, &a->u.net.v6info.saddr,
-                                                    a->u.net.sport,
-                                                    "saddr", "src");
-                                avc_print_ipv6_addr(ab, &a->u.net.v6info.daddr,
-                                                    a->u.net.dport,
-                                                    "daddr", "dest");
-                                break;
-                        }
-                        if (a->u.net.netif > 0) {
-                                struct net_device *dev;
-                                /* NOTE: we always use init's namespace */
-                                dev = dev_get_by_index(&init_net,
-                                                       a->u.net.netif);
-                                if (dev) {
-                                        audit_log_format(ab, " netif=%s",
-                                                         dev->name);
-                                        dev_put(dev);
-                                }
-                        }
-                        break;
-                }
        }
-        audit_log_format(ab, " ");
+        a->selinux_audit_data.tclass = tclass;
-        avc_dump_query(ab, ssid, tsid, tclass);
+        a->selinux_audit_data.requested = requested;
-        audit_log_end(ab);
+        a->selinux_audit_data.ssid = ssid;
+        a->selinux_audit_data.tsid = tsid;
+        a->selinux_audit_data.audited = audited;
+        a->selinux_audit_data.denied = denied;
+        a->lsm_pre_audit = avc_audit_pre_callback;
+        a->lsm_post_audit = avc_audit_post_callback;
+        common_lsm_audit(a);
 }
 /**
@@ -956,7 +841,7 @@ out:
 * another -errno upon other errors.
 */
 int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
-                 u32 requested, struct avc_audit_data *auditdata)
+                 u32 requested, struct common_audit_data *auditdata)
 {
        struct av_decision avd;
        int rc;

diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 236aaa2ea86d..e3d19014259b 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c
@@ -492,23 +492,35 @@ out:
492	return node;	492	return node;
493	}	493	}
494		494
495	static inline void avc_print_ipv6_addr(struct audit_buffer *ab,	495	/**
496	struct in6_addr *addr, __be16 port,	496	* avc_audit_pre_callback - SELinux specific information
497	char name1, char name2)	497	* will be called by generic audit code
		498	* @ab: the audit buffer
		499	* @a: audit_data
		500	*/
		501	static void avc_audit_pre_callback(struct audit_buffer ab, void a)
498	{	502	{
499	if (!ipv6_addr_any(addr))	503	struct common_audit_data *ad = a;
500	audit_log_format(ab, " %s=%pI6", name1, addr);	504	audit_log_format(ab, "avc: %s ",
501	if (port)	505	ad->selinux_audit_data.denied ? "denied" : "granted");
502	audit_log_format(ab, " %s=%d", name2, ntohs(port));	506	avc_dump_av(ab, ad->selinux_audit_data.tclass,
		507	ad->selinux_audit_data.audited);
		508	audit_log_format(ab, " for ");
503	}	509	}
504		510
505	static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,	511	/**
506	__be16 port, char name1, char name2)	512	* avc_audit_post_callback - SELinux specific information
		513	* will be called by generic audit code
		514	* @ab: the audit buffer
		515	* @a: audit_data
		516	*/
		517	static void avc_audit_post_callback(struct audit_buffer ab, void a)
507	{	518	{
508	if (addr)	519	struct common_audit_data *ad = a;
509	audit_log_format(ab, " %s=%pI4", name1, &addr);	520	audit_log_format(ab, " ");
510	if (port)	521	avc_dump_query(ab, ad->selinux_audit_data.ssid,
511	audit_log_format(ab, " %s=%d", name2, ntohs(port));	522	ad->selinux_audit_data.tsid,
		523	ad->selinux_audit_data.tclass);
512	}	524	}
513		525
514	/**	526	/**
@@ -532,13 +544,10 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
532	*/	544	*/
533	void avc_audit(u32 ssid, u32 tsid,	545	void avc_audit(u32 ssid, u32 tsid,
534	u16 tclass, u32 requested,	546	u16 tclass, u32 requested,
535	struct av_decision avd, int result, struct avc_audit_data a)	547	struct av_decision avd, int result, struct common_audit_data a)
536	{	548	{
537	struct task_struct *tsk = current;	549	struct common_audit_data stack_data;
538	struct inode *inode = NULL;
539	u32 denied, audited;	550	u32 denied, audited;
540	struct audit_buffer *ab;
541
542	denied = requested & ~avd->allowed;	551	denied = requested & ~avd->allowed;
543	if (denied) {	552	if (denied) {
544	audited = denied;	553	audited = denied;
@@ -551,144 +560,20 @@ void avc_audit(u32 ssid, u32 tsid,
551	if (!(audited & avd->auditallow))	560	if (!(audited & avd->auditallow))
552	return;	561	return;
553	}	562	}
554		563	if (!a) {
555	ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC);	564	a = &stack_data;
556	if (!ab)	565	memset(a, 0, sizeof(*a));
557	return; /* audit_panic has been called */	566	a->type = LSM_AUDIT_NO_AUDIT;
558	audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
559	avc_dump_av(ab, tclass, audited);
560	audit_log_format(ab, " for ");
561	if (a && a->tsk)
562	tsk = a->tsk;
563	if (tsk && tsk->pid) {
564	audit_log_format(ab, " pid=%d comm=", tsk->pid);
565	audit_log_untrustedstring(ab, tsk->comm);
566	}
567	if (a) {
568	switch (a->type) {
569	case AVC_AUDIT_DATA_IPC:
570	audit_log_format(ab, " key=%d", a->u.ipc_id);
571	break;
572	case AVC_AUDIT_DATA_CAP:
573	audit_log_format(ab, " capability=%d", a->u.cap);
574	break;
575	case AVC_AUDIT_DATA_FS:
576	if (a->u.fs.path.dentry) {
577	struct dentry *dentry = a->u.fs.path.dentry;
578	if (a->u.fs.path.mnt) {
579	audit_log_d_path(ab, "path=",
580	&a->u.fs.path);
581	} else {
582	audit_log_format(ab, " name=");
583	audit_log_untrustedstring(ab, dentry->d_name.name);
584	}
585	inode = dentry->d_inode;
586	} else if (a->u.fs.inode) {
587	struct dentry *dentry;
588	inode = a->u.fs.inode;
589	dentry = d_find_alias(inode);
590	if (dentry) {
591	audit_log_format(ab, " name=");
592	audit_log_untrustedstring(ab, dentry->d_name.name);
593	dput(dentry);
594	}
595	}
596	if (inode)
597	audit_log_format(ab, " dev=%s ino=%lu",
598	inode->i_sb->s_id,
599	inode->i_ino);
600	break;
601	case AVC_AUDIT_DATA_NET:
602	if (a->u.net.sk) {
603	struct sock *sk = a->u.net.sk;
604	struct unix_sock *u;
605	int len = 0;
606	char *p = NULL;
607
608	switch (sk->sk_family) {
609	case AF_INET: {
610	struct inet_sock *inet = inet_sk(sk);
611
612	avc_print_ipv4_addr(ab, inet->rcv_saddr,
613	inet->sport,
614	"laddr", "lport");
615	avc_print_ipv4_addr(ab, inet->daddr,
616	inet->dport,
617	"faddr", "fport");
618	break;
619	}
620	case AF_INET6: {
621	struct inet_sock *inet = inet_sk(sk);
622	struct ipv6_pinfo *inet6 = inet6_sk(sk);
623
624	avc_print_ipv6_addr(ab, &inet6->rcv_saddr,
625	inet->sport,
626	"laddr", "lport");
627	avc_print_ipv6_addr(ab, &inet6->daddr,
628	inet->dport,
629	"faddr", "fport");
630	break;
631	}
632	case AF_UNIX:
633	u = unix_sk(sk);
634	if (u->dentry) {
635	struct path path = {
636	.dentry = u->dentry,
637	.mnt = u->mnt
638	};
639	audit_log_d_path(ab, "path=",
640	&path);
641	break;
642	}
643	if (!u->addr)
644	break;
645	len = u->addr->len-sizeof(short);
646	p = &u->addr->name->sun_path[0];
647	audit_log_format(ab, " path=");
648	if (*p)
649	audit_log_untrustedstring(ab, p);
650	else
651	audit_log_n_hex(ab, p, len);
652	break;
653	}
654	}
655
656	switch (a->u.net.family) {
657	case AF_INET:
658	avc_print_ipv4_addr(ab, a->u.net.v4info.saddr,
659	a->u.net.sport,
660	"saddr", "src");
661	avc_print_ipv4_addr(ab, a->u.net.v4info.daddr,
662	a->u.net.dport,
663	"daddr", "dest");
664	break;
665	case AF_INET6:
666	avc_print_ipv6_addr(ab, &a->u.net.v6info.saddr,
667	a->u.net.sport,
668	"saddr", "src");
669	avc_print_ipv6_addr(ab, &a->u.net.v6info.daddr,
670	a->u.net.dport,
671	"daddr", "dest");
672	break;
673	}
674	if (a->u.net.netif > 0) {
675	struct net_device *dev;
676
677	/* NOTE: we always use init's namespace */
678	dev = dev_get_by_index(&init_net,
679	a->u.net.netif);
680	if (dev) {
681	audit_log_format(ab, " netif=%s",
682	dev->name);
683	dev_put(dev);
684	}
685	}
686	break;
687	}
688	}	567	}
689	audit_log_format(ab, " ");	568	a->selinux_audit_data.tclass = tclass;
690	avc_dump_query(ab, ssid, tsid, tclass);	569	a->selinux_audit_data.requested = requested;
691	audit_log_end(ab);	570	a->selinux_audit_data.ssid = ssid;
		571	a->selinux_audit_data.tsid = tsid;
		572	a->selinux_audit_data.audited = audited;
		573	a->selinux_audit_data.denied = denied;
		574	a->lsm_pre_audit = avc_audit_pre_callback;
		575	a->lsm_post_audit = avc_audit_post_callback;
		576	common_lsm_audit(a);
692	}	577	}
693		578
694	/**	579	/**
@@ -956,7 +841,7 @@ out:
956	* another -errno upon other errors.	841	* another -errno upon other errors.
957	*/	842	*/
958	int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,	843	int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
959	u32 requested, struct avc_audit_data *auditdata)	844	u32 requested, struct common_audit_data *auditdata)
960	{	845	{
961	struct av_decision avd;	846	struct av_decision avd;
962	int rc;	847	int rc;