diff options
Diffstat (limited to 'security/selinux/avc.c')
| -rw-r--r-- | security/selinux/avc.c | 40 |
1 files changed, 21 insertions, 19 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 85a6f66a873f..451502467a9b 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
| @@ -242,7 +242,7 @@ void __init avc_init(void) | |||
| 242 | avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), | 242 | avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), |
| 243 | 0, SLAB_PANIC, NULL, NULL); | 243 | 0, SLAB_PANIC, NULL, NULL); |
| 244 | 244 | ||
| 245 | audit_log(current->audit_context, "AVC INITIALIZED\n"); | 245 | audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n"); |
| 246 | } | 246 | } |
| 247 | 247 | ||
| 248 | int avc_get_hash_stats(char *page) | 248 | int avc_get_hash_stats(char *page) |
| @@ -532,6 +532,7 @@ void avc_audit(u32 ssid, u32 tsid, | |||
| 532 | u16 tclass, u32 requested, | 532 | u16 tclass, u32 requested, |
| 533 | struct av_decision *avd, int result, struct avc_audit_data *a) | 533 | struct av_decision *avd, int result, struct avc_audit_data *a) |
| 534 | { | 534 | { |
| 535 | struct task_struct *tsk = current; | ||
| 535 | struct inode *inode = NULL; | 536 | struct inode *inode = NULL; |
| 536 | u32 denied, audited; | 537 | u32 denied, audited; |
| 537 | struct audit_buffer *ab; | 538 | struct audit_buffer *ab; |
| @@ -549,12 +550,18 @@ void avc_audit(u32 ssid, u32 tsid, | |||
| 549 | return; | 550 | return; |
| 550 | } | 551 | } |
| 551 | 552 | ||
| 552 | ab = audit_log_start(current->audit_context); | 553 | ab = audit_log_start(current->audit_context, AUDIT_AVC); |
| 553 | if (!ab) | 554 | if (!ab) |
| 554 | return; /* audit_panic has been called */ | 555 | return; /* audit_panic has been called */ |
| 555 | audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); | 556 | audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); |
| 556 | avc_dump_av(ab, tclass,audited); | 557 | avc_dump_av(ab, tclass,audited); |
| 557 | audit_log_format(ab, " for "); | 558 | audit_log_format(ab, " for "); |
| 559 | if (a && a->tsk) | ||
| 560 | tsk = a->tsk; | ||
| 561 | if (tsk && tsk->pid) { | ||
| 562 | audit_log_format(ab, " pid=%d comm=", tsk->pid); | ||
| 563 | audit_log_untrustedstring(ab, tsk->comm); | ||
| 564 | } | ||
| 558 | if (a) { | 565 | if (a) { |
| 559 | switch (a->type) { | 566 | switch (a->type) { |
| 560 | case AVC_AUDIT_DATA_IPC: | 567 | case AVC_AUDIT_DATA_IPC: |
| @@ -566,21 +573,18 @@ void avc_audit(u32 ssid, u32 tsid, | |||
| 566 | case AVC_AUDIT_DATA_FS: | 573 | case AVC_AUDIT_DATA_FS: |
| 567 | if (a->u.fs.dentry) { | 574 | if (a->u.fs.dentry) { |
| 568 | struct dentry *dentry = a->u.fs.dentry; | 575 | struct dentry *dentry = a->u.fs.dentry; |
| 569 | if (a->u.fs.mnt) { | 576 | if (a->u.fs.mnt) |
| 570 | audit_log_d_path(ab, "path=", dentry, | 577 | audit_avc_path(dentry, a->u.fs.mnt); |
| 571 | a->u.fs.mnt); | 578 | audit_log_format(ab, " name="); |
| 572 | } else { | 579 | audit_log_untrustedstring(ab, dentry->d_name.name); |
| 573 | audit_log_format(ab, " name=%s", | ||
| 574 | dentry->d_name.name); | ||
| 575 | } | ||
| 576 | inode = dentry->d_inode; | 580 | inode = dentry->d_inode; |
| 577 | } else if (a->u.fs.inode) { | 581 | } else if (a->u.fs.inode) { |
| 578 | struct dentry *dentry; | 582 | struct dentry *dentry; |
| 579 | inode = a->u.fs.inode; | 583 | inode = a->u.fs.inode; |
| 580 | dentry = d_find_alias(inode); | 584 | dentry = d_find_alias(inode); |
| 581 | if (dentry) { | 585 | if (dentry) { |
| 582 | audit_log_format(ab, " name=%s", | 586 | audit_log_format(ab, " name="); |
| 583 | dentry->d_name.name); | 587 | audit_log_untrustedstring(ab, dentry->d_name.name); |
| 584 | dput(dentry); | 588 | dput(dentry); |
| 585 | } | 589 | } |
| 586 | } | 590 | } |
| @@ -623,22 +627,20 @@ void avc_audit(u32 ssid, u32 tsid, | |||
| 623 | case AF_UNIX: | 627 | case AF_UNIX: |
| 624 | u = unix_sk(sk); | 628 | u = unix_sk(sk); |
| 625 | if (u->dentry) { | 629 | if (u->dentry) { |
| 626 | audit_log_d_path(ab, "path=", | 630 | audit_avc_path(u->dentry, u->mnt); |
| 627 | u->dentry, u->mnt); | 631 | audit_log_format(ab, " name="); |
| 632 | audit_log_untrustedstring(ab, u->dentry->d_name.name); | ||
| 628 | break; | 633 | break; |
| 629 | } | 634 | } |
| 630 | if (!u->addr) | 635 | if (!u->addr) |
| 631 | break; | 636 | break; |
| 632 | len = u->addr->len-sizeof(short); | 637 | len = u->addr->len-sizeof(short); |
| 633 | p = &u->addr->name->sun_path[0]; | 638 | p = &u->addr->name->sun_path[0]; |
| 639 | audit_log_format(ab, " path="); | ||
| 634 | if (*p) | 640 | if (*p) |
| 635 | audit_log_format(ab, | 641 | audit_log_untrustedstring(ab, p); |
| 636 | "path=%*.*s", len, | ||
| 637 | len, p); | ||
| 638 | else | 642 | else |
| 639 | audit_log_format(ab, | 643 | audit_log_hex(ab, p, len); |
| 640 | "path=@%*.*s", len-1, | ||
| 641 | len-1, p+1); | ||
| 642 | break; | 644 | break; |
| 643 | } | 645 | } |
| 644 | } | 646 | } |