6 files changed, 302 insertions, 10 deletions
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index 688c0a267b62..faf2e02e4410 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -4,7 +4,7 @@
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
-selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o
+selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o exports.o
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index ac5d69bb3377..a300702da527 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -800,7 +800,7 @@ out:
 int avc_ss_reset(u32 seqno)
 {
        struct avc_callback_node *c;
-        int i, rc = 0;
+        int i, rc = 0, tmprc;
        unsigned long flag;
        struct avc_node *node;
@@ -813,15 +813,16 @@ int avc_ss_reset(u32 seqno)
        for (c = avc_callbacks; c; c = c->next) {
                if (c->events & AVC_CALLBACK_RESET) {
-                        rc = c->callback(AVC_CALLBACK_RESET,
+                        tmprc = c->callback(AVC_CALLBACK_RESET,
-                                         0, 0, 0, 0, NULL);
+                                            0, 0, 0, 0, NULL);
-                        if (rc)
+                        /* save the first error encountered for the return
-                                goto out;
+                           value and continue processing the callbacks */
+                        if (!rc)
+                                rc = tmprc;
                }
        }
        avc_latest_notif_update(seqno, 0);
-out:
        return rc;
 }
diff --git a/security/selinux/exports.c b/security/selinux/exports.c
new file mode 100644
index 000000000000..333c4c7824d8
--- /dev/null
+++ b/security/selinux/exports.c
@@ -0,0 +1,28 @@
+/*
+ * SELinux services exported to the rest of the kernel.
+ *
+ * Author: James Morris <jmorris@redhat.com>
+ *
+ * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+#include <linux/types.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/selinux.h>
+#include "security.h"
+#include "objsec.h"
+void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid)
+{
+        struct task_security_struct *tsec = tsk->security;
+        if (selinux_enabled)
+                *ctxid = tsec->sid;
+        else
+                *ctxid = 0;
+}
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 84047f69f9c1..7bc5b6440f70 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -8,7 +8,7 @@
 *
 *      Support for enhanced MLS infrastructure.
 *
- * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
 */
 #include <linux/kernel.h>
@@ -385,6 +385,34 @@ out:
 }
 /*
+ * Set the MLS fields in the security context structure
+ * `context' based on the string representation in
+ * the string `str'.  This function will allocate temporary memory with the
+ * given constraints of gfp_mask.
+ */
+int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
+{
+        char *tmpstr, *freestr;
+        int rc;
+        if (!selinux_mls_enabled)
+                return -EINVAL;
+        /* we need freestr because mls_context_to_sid will change
+           the value of tmpstr */
+        tmpstr = freestr = kstrdup(str, gfp_mask);
+        if (!tmpstr) {
+                rc = -ENOMEM;
+        } else {
+                rc = mls_context_to_sid(':', &tmpstr, context,
+                                        NULL, SECSID_NULL);
+                kfree(freestr);
+        }
+        return rc;
+}
+/*
 * Copies the effective MLS range from `src' into `dst'.
 */
 static inline int mls_scopy_context(struct context *dst,
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index 03de697c8058..fbb42f07dd7c 100644
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -8,7 +8,7 @@
 *
 *      Support for enhanced MLS infrastructure.
 *
- * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
 */
 #ifndef _SS_MLS_H_
@@ -27,6 +27,8 @@ int mls_context_to_sid(char oldc,
                       struct sidtab *s,
                       u32 def_sid);
+int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);
 int mls_convert_context(struct policydb *oldp,
                        struct policydb *newp,
                        struct context *context);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 61492485de84..7177e98df7f3 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -7,12 +7,13 @@
 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
 *
 *      Support for enhanced MLS infrastructure.
+ *      Support for context based audit filters.
 *
 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 *
 *      Added conditional policy language extensions
 *
- * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
 *      This program is free software; you can redistribute it and/or modify
@@ -1811,3 +1812,235 @@ out:
        POLICY_RDUNLOCK;
        return rc;
 }
+struct selinux_audit_rule {
+        u32 au_seqno;
+        struct context au_ctxt;
+};
+void selinux_audit_rule_free(struct selinux_audit_rule *rule)
+{
+        if (rule) {
+                context_destroy(&rule->au_ctxt);
+                kfree(rule);
+        }
+}
+int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
+                            struct selinux_audit_rule **rule)
+{
+        struct selinux_audit_rule *tmprule;
+        struct role_datum *roledatum;
+        struct type_datum *typedatum;
+        struct user_datum *userdatum;
+        int rc = 0;
+        *rule = NULL;
+        if (!ss_initialized)
+                return -ENOTSUPP;
+        switch (field) {
+        case AUDIT_SE_USER:
+        case AUDIT_SE_ROLE:
+        case AUDIT_SE_TYPE:
+                /* only 'equals' and 'not equals' fit user, role, and type */
+                if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
+                        return -EINVAL;
+                break;
+        case AUDIT_SE_SEN:
+        case AUDIT_SE_CLR:
+                /* we do not allow a range, indicated by the presense of '-' */
+                if (strchr(rulestr, '-'))
+                        return -EINVAL;
+                break;
+        default:
+                /* only the above fields are valid */
+                return -EINVAL;
+        }
+        tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
+        if (!tmprule)
+                return -ENOMEM;
+        context_init(&tmprule->au_ctxt);
+        POLICY_RDLOCK;
+        tmprule->au_seqno = latest_granting;
+        switch (field) {
+        case AUDIT_SE_USER:
+                userdatum = hashtab_search(policydb.p_users.table, rulestr);
+                if (!userdatum)
+                        rc = -EINVAL;
+                else
+                        tmprule->au_ctxt.user = userdatum->value;
+                break;
+        case AUDIT_SE_ROLE:
+                roledatum = hashtab_search(policydb.p_roles.table, rulestr);
+                if (!roledatum)
+                        rc = -EINVAL;
+                else
+                        tmprule->au_ctxt.role = roledatum->value;
+                break;
+        case AUDIT_SE_TYPE:
+                typedatum = hashtab_search(policydb.p_types.table, rulestr);
+                if (!typedatum)
+                        rc = -EINVAL;
+                else
+                        tmprule->au_ctxt.type = typedatum->value;
+                break;
+        case AUDIT_SE_SEN:
+        case AUDIT_SE_CLR:
+                rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
+                break;
+        }
+        POLICY_RDUNLOCK;
+        if (rc) {
+                selinux_audit_rule_free(tmprule);
+                tmprule = NULL;
+        }
+        *rule = tmprule;
+        return rc;
+}
+int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
+                             struct selinux_audit_rule *rule,
+                             struct audit_context *actx)
+{
+        struct context *ctxt;
+        struct mls_level *level;
+        int match = 0;
+        if (!rule) {
+                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
+                          "selinux_audit_rule_match: missing rule\n");
+                return -ENOENT;
+        }
+        POLICY_RDLOCK;
+        if (rule->au_seqno < latest_granting) {
+                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
+                          "selinux_audit_rule_match: stale rule\n");
+                match = -ESTALE;
+                goto out;
+        }
+        ctxt = sidtab_search(&sidtab, ctxid);
+        if (!ctxt) {
+                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
+                          "selinux_audit_rule_match: unrecognized SID %d\n",
+                          ctxid);
+                match = -ENOENT;
+                goto out;
+        }
+        /* a field/op pair that is not caught here will simply fall through
+           without a match */
+        switch (field) {
+        case AUDIT_SE_USER:
+                switch (op) {
+                case AUDIT_EQUAL:
+                        match = (ctxt->user == rule->au_ctxt.user);
+                        break;
+                case AUDIT_NOT_EQUAL:
+                        match = (ctxt->user != rule->au_ctxt.user);
+                        break;
+                }
+                break;
+        case AUDIT_SE_ROLE:
+                switch (op) {
+                case AUDIT_EQUAL:
+                        match = (ctxt->role == rule->au_ctxt.role);
+                        break;
+                case AUDIT_NOT_EQUAL:
+                        match = (ctxt->role != rule->au_ctxt.role);
+                        break;
+                }
+                break;
+        case AUDIT_SE_TYPE:
+                switch (op) {
+                case AUDIT_EQUAL:
+                        match = (ctxt->type == rule->au_ctxt.type);
+                        break;
+                case AUDIT_NOT_EQUAL:
+                        match = (ctxt->type != rule->au_ctxt.type);
+                        break;
+                }
+                break;
+        case AUDIT_SE_SEN:
+        case AUDIT_SE_CLR:
+                level = (op == AUDIT_SE_SEN ?
+                         &ctxt->range.level[0] : &ctxt->range.level[1]);
+                switch (op) {
+                case AUDIT_EQUAL:
+                        match = mls_level_eq(&rule->au_ctxt.range.level[0],
+                                             level);
+                        break;
+                case AUDIT_NOT_EQUAL:
+                        match = !mls_level_eq(&rule->au_ctxt.range.level[0],
+                                              level);
+                        break;
+                case AUDIT_LESS_THAN:
+                        match = (mls_level_dom(&rule->au_ctxt.range.level[0],
+                                               level) &&
+                                 !mls_level_eq(&rule->au_ctxt.range.level[0],
+                                               level));
+                        break;
+                case AUDIT_LESS_THAN_OR_EQUAL:
+                        match = mls_level_dom(&rule->au_ctxt.range.level[0],
+                                              level);
+                        break;
+                case AUDIT_GREATER_THAN:
+                        match = (mls_level_dom(level,
+                                              &rule->au_ctxt.range.level[0]) &&
+                                 !mls_level_eq(level,
+                                               &rule->au_ctxt.range.level[0]));
+                        break;
+                case AUDIT_GREATER_THAN_OR_EQUAL:
+                        match = mls_level_dom(level,
+                                              &rule->au_ctxt.range.level[0]);
+                        break;
+                }
+        }
+out:
+        POLICY_RDUNLOCK;
+        return match;
+}
+static int (*aurule_callback)(void) = NULL;
+static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
+                               u16 class, u32 perms, u32 *retained)
+{
+        int err = 0;
+        if (event == AVC_CALLBACK_RESET && aurule_callback)
+                err = aurule_callback();
+        return err;
+}
+static int __init aurule_init(void)
+{
+        int err;
+        err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
+                               SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
+        if (err)
+                panic("avc_add_callback() failed, error %d\n", err);
+        return err;
+}
+__initcall(aurule_init);
+void selinux_audit_set_callback(int (*callback)(void))
+{
+        aurule_callback = callback;
+}

diff --git a/security/selinux/Makefile b/security/selinux/Makefile index 688c0a267b62..faf2e02e4410 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile
@@ -4,7 +4,7 @@
4		4
5	obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/	5	obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/
6		6
7	selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o	7	selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o exports.o
8		8
9	selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o	9	selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
10		10


diff --git a/security/selinux/avc.c b/security/selinux/avc.c index ac5d69bb3377..a300702da527 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c
@@ -800,7 +800,7 @@ out:
800	int avc_ss_reset(u32 seqno)	800	int avc_ss_reset(u32 seqno)
801	{	801	{
802	struct avc_callback_node *c;	802	struct avc_callback_node *c;
803	int i, rc = 0;	803	int i, rc = 0, tmprc;
804	unsigned long flag;	804	unsigned long flag;
805	struct avc_node *node;	805	struct avc_node *node;
806		806
@@ -813,15 +813,16 @@ int avc_ss_reset(u32 seqno)
813		813
814	for (c = avc_callbacks; c; c = c->next) {	814	for (c = avc_callbacks; c; c = c->next) {
815	if (c->events & AVC_CALLBACK_RESET) {	815	if (c->events & AVC_CALLBACK_RESET) {
816	rc = c->callback(AVC_CALLBACK_RESET,	816	tmprc = c->callback(AVC_CALLBACK_RESET,
817	0, 0, 0, 0, NULL);	817	0, 0, 0, 0, NULL);
818	if (rc)	818	/* save the first error encountered for the return
819	goto out;	819	value and continue processing the callbacks */
		820	if (!rc)
		821	rc = tmprc;
820	}	822	}
821	}	823	}
822		824
823	avc_latest_notif_update(seqno, 0);	825	avc_latest_notif_update(seqno, 0);
824	out:
825	return rc;	826	return rc;
826	}	827	}
827		828


diff --git a/security/selinux/exports.c b/security/selinux/exports.c new file mode 100644 index 000000000000..333c4c7824d8 --- /dev/null +++ b/security/selinux/exports.c
@@ -0,0 +1,28 @@
		1	/*
		2	* SELinux services exported to the rest of the kernel.
		3	*
		4	* Author: James Morris <jmorris@redhat.com>
		5	*
		6	* Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
		7	* Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
		8	*
		9	* This program is free software; you can redistribute it and/or modify
		10	* it under the terms of the GNU General Public License version 2,
		11	* as published by the Free Software Foundation.
		12	*/
		13	#include <linux/types.h>
		14	#include <linux/kernel.h>
		15	#include <linux/module.h>
		16	#include <linux/selinux.h>
		17
		18	#include "security.h"
		19	#include "objsec.h"
		20
		21	void selinux_task_ctxid(struct task_struct tsk, u32 ctxid)
		22	{
		23	struct task_security_struct *tsec = tsk->security;
		24	if (selinux_enabled)
		25	*ctxid = tsec->sid;
		26	else
		27	*ctxid = 0;
		28	}


diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 84047f69f9c1..7bc5b6440f70 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c
@@ -8,7 +8,7 @@
8	*	8	*
9	* Support for enhanced MLS infrastructure.	9	* Support for enhanced MLS infrastructure.
10	*	10	*
11	* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.	11	* Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
12	*/	12	*/
13		13
14	#include <linux/kernel.h>	14	#include <linux/kernel.h>
@@ -385,6 +385,34 @@ out:
385	}	385	}
386		386
387	/*	387	/*
		388	* Set the MLS fields in the security context structure
		389	* `context' based on the string representation in
		390	* the string `str'. This function will allocate temporary memory with the
		391	* given constraints of gfp_mask.
		392	*/
		393	int mls_from_string(char str, struct context context, gfp_t gfp_mask)
		394	{
		395	char tmpstr, freestr;
		396	int rc;
		397
		398	if (!selinux_mls_enabled)
		399	return -EINVAL;
		400
		401	/* we need freestr because mls_context_to_sid will change
		402	the value of tmpstr */
		403	tmpstr = freestr = kstrdup(str, gfp_mask);
		404	if (!tmpstr) {
		405	rc = -ENOMEM;
		406	} else {
		407	rc = mls_context_to_sid(':', &tmpstr, context,
		408	NULL, SECSID_NULL);
		409	kfree(freestr);
		410	}
		411
		412	return rc;
		413	}
		414
		415	/*
388	* Copies the effective MLS range from `src' into `dst'.	416	* Copies the effective MLS range from `src' into `dst'.
389	*/	417	*/
390	static inline int mls_scopy_context(struct context *dst,	418	static inline int mls_scopy_context(struct context *dst,


diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h index 03de697c8058..fbb42f07dd7c 100644 --- a/security/selinux/ss/mls.h +++ b/security/selinux/ss/mls.h
@@ -8,7 +8,7 @@
8	*	8	*
9	* Support for enhanced MLS infrastructure.	9	* Support for enhanced MLS infrastructure.
10	*	10	*
11	* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.	11	* Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
12	*/	12	*/
13		13
14	#ifndef _SS_MLS_H_	14	#ifndef _SS_MLS_H_
@@ -27,6 +27,8 @@ int mls_context_to_sid(char oldc,
27	struct sidtab *s,	27	struct sidtab *s,
28	u32 def_sid);	28	u32 def_sid);
29		29
		30	int mls_from_string(char str, struct context context, gfp_t gfp_mask);
		31
30	int mls_convert_context(struct policydb *oldp,	32	int mls_convert_context(struct policydb *oldp,
31	struct policydb *newp,	33	struct policydb *newp,
32	struct context *context);	34	struct context *context);


diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 61492485de84..7177e98df7f3 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -7,12 +7,13 @@
7	* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>	7	* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8	*	8	*
9	* Support for enhanced MLS infrastructure.	9	* Support for enhanced MLS infrastructure.
		10	* Support for context based audit filters.
10	*	11	*
11	* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>	12	* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
12	*	13	*
13	* Added conditional policy language extensions	14	* Added conditional policy language extensions
14	*	15	*
15	* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.	16	* Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
16	* Copyright (C) 2003 - 2004 Tresys Technology, LLC	17	* Copyright (C) 2003 - 2004 Tresys Technology, LLC
17	* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>	18	* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
18	* This program is free software; you can redistribute it and/or modify	19	* This program is free software; you can redistribute it and/or modify
@@ -1811,3 +1812,235 @@ out:
1811	POLICY_RDUNLOCK;	1812	POLICY_RDUNLOCK;
1812	return rc;	1813	return rc;
1813	}	1814	}
		1815
		1816	struct selinux_audit_rule {
		1817	u32 au_seqno;
		1818	struct context au_ctxt;
		1819	};
		1820
		1821	void selinux_audit_rule_free(struct selinux_audit_rule *rule)
		1822	{
		1823	if (rule) {
		1824	context_destroy(&rule->au_ctxt);
		1825	kfree(rule);
		1826	}
		1827	}
		1828
		1829	int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
		1830	struct selinux_audit_rule **rule)
		1831	{
		1832	struct selinux_audit_rule *tmprule;
		1833	struct role_datum *roledatum;
		1834	struct type_datum *typedatum;
		1835	struct user_datum *userdatum;
		1836	int rc = 0;
		1837
		1838	*rule = NULL;
		1839
		1840	if (!ss_initialized)
		1841	return -ENOTSUPP;
		1842
		1843	switch (field) {
		1844	case AUDIT_SE_USER:
		1845	case AUDIT_SE_ROLE:
		1846	case AUDIT_SE_TYPE:
		1847	/* only 'equals' and 'not equals' fit user, role, and type */
		1848	if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
		1849	return -EINVAL;
		1850	break;
		1851	case AUDIT_SE_SEN:
		1852	case AUDIT_SE_CLR:
		1853	/* we do not allow a range, indicated by the presense of '-' */
		1854	if (strchr(rulestr, '-'))
		1855	return -EINVAL;
		1856	break;
		1857	default:
		1858	/* only the above fields are valid */
		1859	return -EINVAL;
		1860	}
		1861
		1862	tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
		1863	if (!tmprule)
		1864	return -ENOMEM;
		1865
		1866	context_init(&tmprule->au_ctxt);
		1867
		1868	POLICY_RDLOCK;
		1869
		1870	tmprule->au_seqno = latest_granting;
		1871
		1872	switch (field) {
		1873	case AUDIT_SE_USER:
		1874	userdatum = hashtab_search(policydb.p_users.table, rulestr);
		1875	if (!userdatum)
		1876	rc = -EINVAL;
		1877	else
		1878	tmprule->au_ctxt.user = userdatum->value;
		1879	break;
		1880	case AUDIT_SE_ROLE:
		1881	roledatum = hashtab_search(policydb.p_roles.table, rulestr);
		1882	if (!roledatum)
		1883	rc = -EINVAL;
		1884	else
		1885	tmprule->au_ctxt.role = roledatum->value;
		1886	break;
		1887	case AUDIT_SE_TYPE:
		1888	typedatum = hashtab_search(policydb.p_types.table, rulestr);
		1889	if (!typedatum)
		1890	rc = -EINVAL;
		1891	else
		1892	tmprule->au_ctxt.type = typedatum->value;
		1893	break;
		1894	case AUDIT_SE_SEN:
		1895	case AUDIT_SE_CLR:
		1896	rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
		1897	break;
		1898	}
		1899
		1900	POLICY_RDUNLOCK;
		1901
		1902	if (rc) {
		1903	selinux_audit_rule_free(tmprule);
		1904	tmprule = NULL;
		1905	}
		1906
		1907	*rule = tmprule;
		1908
		1909	return rc;
		1910	}
		1911
		1912	int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
		1913	struct selinux_audit_rule *rule,
		1914	struct audit_context *actx)
		1915	{
		1916	struct context *ctxt;
		1917	struct mls_level *level;
		1918	int match = 0;
		1919
		1920	if (!rule) {
		1921	audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
		1922	"selinux_audit_rule_match: missing rule\n");
		1923	return -ENOENT;
		1924	}
		1925
		1926	POLICY_RDLOCK;
		1927
		1928	if (rule->au_seqno < latest_granting) {
		1929	audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
		1930	"selinux_audit_rule_match: stale rule\n");
		1931	match = -ESTALE;
		1932	goto out;
		1933	}
		1934
		1935	ctxt = sidtab_search(&sidtab, ctxid);
		1936	if (!ctxt) {
		1937	audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
		1938	"selinux_audit_rule_match: unrecognized SID %d\n",
		1939	ctxid);
		1940	match = -ENOENT;
		1941	goto out;
		1942	}
		1943
		1944	/* a field/op pair that is not caught here will simply fall through
		1945	without a match */
		1946	switch (field) {
		1947	case AUDIT_SE_USER:
		1948	switch (op) {
		1949	case AUDIT_EQUAL:
		1950	match = (ctxt->user == rule->au_ctxt.user);
		1951	break;
		1952	case AUDIT_NOT_EQUAL:
		1953	match = (ctxt->user != rule->au_ctxt.user);
		1954	break;
		1955	}
		1956	break;
		1957	case AUDIT_SE_ROLE:
		1958	switch (op) {
		1959	case AUDIT_EQUAL:
		1960	match = (ctxt->role == rule->au_ctxt.role);
		1961	break;
		1962	case AUDIT_NOT_EQUAL:
		1963	match = (ctxt->role != rule->au_ctxt.role);
		1964	break;
		1965	}
		1966	break;
		1967	case AUDIT_SE_TYPE:
		1968	switch (op) {
		1969	case AUDIT_EQUAL:
		1970	match = (ctxt->type == rule->au_ctxt.type);
		1971	break;
		1972	case AUDIT_NOT_EQUAL:
		1973	match = (ctxt->type != rule->au_ctxt.type);
		1974	break;
		1975	}
		1976	break;
		1977	case AUDIT_SE_SEN:
		1978	case AUDIT_SE_CLR:
		1979	level = (op == AUDIT_SE_SEN ?
		1980	&ctxt->range.level[0] : &ctxt->range.level[1]);
		1981	switch (op) {
		1982	case AUDIT_EQUAL:
		1983	match = mls_level_eq(&rule->au_ctxt.range.level[0],
		1984	level);
		1985	break;
		1986	case AUDIT_NOT_EQUAL:
		1987	match = !mls_level_eq(&rule->au_ctxt.range.level[0],
		1988	level);
		1989	break;
		1990	case AUDIT_LESS_THAN:
		1991	match = (mls_level_dom(&rule->au_ctxt.range.level[0],
		1992	level) &&
		1993	!mls_level_eq(&rule->au_ctxt.range.level[0],
		1994	level));
		1995	break;
		1996	case AUDIT_LESS_THAN_OR_EQUAL:
		1997	match = mls_level_dom(&rule->au_ctxt.range.level[0],
		1998	level);
		1999	break;
		2000	case AUDIT_GREATER_THAN:
		2001	match = (mls_level_dom(level,
		2002	&rule->au_ctxt.range.level[0]) &&
		2003	!mls_level_eq(level,
		2004	&rule->au_ctxt.range.level[0]));
		2005	break;
		2006	case AUDIT_GREATER_THAN_OR_EQUAL:
		2007	match = mls_level_dom(level,
		2008	&rule->au_ctxt.range.level[0]);
		2009	break;
		2010	}
		2011	}
		2012
		2013	out:
		2014	POLICY_RDUNLOCK;
		2015	return match;
		2016	}
		2017
		2018	static int (*aurule_callback)(void) = NULL;
		2019
		2020	static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
		2021	u16 class, u32 perms, u32 *retained)
		2022	{
		2023	int err = 0;
		2024
		2025	if (event == AVC_CALLBACK_RESET && aurule_callback)
		2026	err = aurule_callback();
		2027	return err;
		2028	}
		2029
		2030	static int __init aurule_init(void)
		2031	{
		2032	int err;
		2033
		2034	err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
		2035	SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
		2036	if (err)
		2037	panic("avc_add_callback() failed, error %d\n", err);
		2038
		2039	return err;
		2040	}
		2041	__initcall(aurule_init);
		2042
		2043	void selinux_audit_set_callback(int (*callback)(void))
		2044	{
		2045	aurule_callback = callback;
		2046	}