aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/ss/services.c48
1 files changed, 32 insertions, 16 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index e9548bc049e1..d2e80e62ff0c 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1845,15 +1845,20 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
1845 return -ENOTSUPP; 1845 return -ENOTSUPP;
1846 1846
1847 switch (field) { 1847 switch (field) {
1848 case AUDIT_SE_USER: 1848 case AUDIT_SUBJ_USER:
1849 case AUDIT_SE_ROLE: 1849 case AUDIT_SUBJ_ROLE:
1850 case AUDIT_SE_TYPE: 1850 case AUDIT_SUBJ_TYPE:
1851 case AUDIT_OBJ_USER:
1852 case AUDIT_OBJ_ROLE:
1853 case AUDIT_OBJ_TYPE:
1851 /* only 'equals' and 'not equals' fit user, role, and type */ 1854 /* only 'equals' and 'not equals' fit user, role, and type */
1852 if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) 1855 if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
1853 return -EINVAL; 1856 return -EINVAL;
1854 break; 1857 break;
1855 case AUDIT_SE_SEN: 1858 case AUDIT_SUBJ_SEN:
1856 case AUDIT_SE_CLR: 1859 case AUDIT_SUBJ_CLR:
1860 case AUDIT_OBJ_LEV_LOW:
1861 case AUDIT_OBJ_LEV_HIGH:
1857 /* we do not allow a range, indicated by the presense of '-' */ 1862 /* we do not allow a range, indicated by the presense of '-' */
1858 if (strchr(rulestr, '-')) 1863 if (strchr(rulestr, '-'))
1859 return -EINVAL; 1864 return -EINVAL;
@@ -1874,29 +1879,34 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
1874 tmprule->au_seqno = latest_granting; 1879 tmprule->au_seqno = latest_granting;
1875 1880
1876 switch (field) { 1881 switch (field) {
1877 case AUDIT_SE_USER: 1882 case AUDIT_SUBJ_USER:
1883 case AUDIT_OBJ_USER:
1878 userdatum = hashtab_search(policydb.p_users.table, rulestr); 1884 userdatum = hashtab_search(policydb.p_users.table, rulestr);
1879 if (!userdatum) 1885 if (!userdatum)
1880 rc = -EINVAL; 1886 rc = -EINVAL;
1881 else 1887 else
1882 tmprule->au_ctxt.user = userdatum->value; 1888 tmprule->au_ctxt.user = userdatum->value;
1883 break; 1889 break;
1884 case AUDIT_SE_ROLE: 1890 case AUDIT_SUBJ_ROLE:
1891 case AUDIT_OBJ_ROLE:
1885 roledatum = hashtab_search(policydb.p_roles.table, rulestr); 1892 roledatum = hashtab_search(policydb.p_roles.table, rulestr);
1886 if (!roledatum) 1893 if (!roledatum)
1887 rc = -EINVAL; 1894 rc = -EINVAL;
1888 else 1895 else
1889 tmprule->au_ctxt.role = roledatum->value; 1896 tmprule->au_ctxt.role = roledatum->value;
1890 break; 1897 break;
1891 case AUDIT_SE_TYPE: 1898 case AUDIT_SUBJ_TYPE:
1899 case AUDIT_OBJ_TYPE:
1892 typedatum = hashtab_search(policydb.p_types.table, rulestr); 1900 typedatum = hashtab_search(policydb.p_types.table, rulestr);
1893 if (!typedatum) 1901 if (!typedatum)
1894 rc = -EINVAL; 1902 rc = -EINVAL;
1895 else 1903 else
1896 tmprule->au_ctxt.type = typedatum->value; 1904 tmprule->au_ctxt.type = typedatum->value;
1897 break; 1905 break;
1898 case AUDIT_SE_SEN: 1906 case AUDIT_SUBJ_SEN:
1899 case AUDIT_SE_CLR: 1907 case AUDIT_SUBJ_CLR:
1908 case AUDIT_OBJ_LEV_LOW:
1909 case AUDIT_OBJ_LEV_HIGH:
1900 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); 1910 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
1901 break; 1911 break;
1902 } 1912 }
@@ -1948,7 +1958,8 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
1948 /* a field/op pair that is not caught here will simply fall through 1958 /* a field/op pair that is not caught here will simply fall through
1949 without a match */ 1959 without a match */
1950 switch (field) { 1960 switch (field) {
1951 case AUDIT_SE_USER: 1961 case AUDIT_SUBJ_USER:
1962 case AUDIT_OBJ_USER:
1952 switch (op) { 1963 switch (op) {
1953 case AUDIT_EQUAL: 1964 case AUDIT_EQUAL:
1954 match = (ctxt->user == rule->au_ctxt.user); 1965 match = (ctxt->user == rule->au_ctxt.user);
@@ -1958,7 +1969,8 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
1958 break; 1969 break;
1959 } 1970 }
1960 break; 1971 break;
1961 case AUDIT_SE_ROLE: 1972 case AUDIT_SUBJ_ROLE:
1973 case AUDIT_OBJ_ROLE:
1962 switch (op) { 1974 switch (op) {
1963 case AUDIT_EQUAL: 1975 case AUDIT_EQUAL:
1964 match = (ctxt->role == rule->au_ctxt.role); 1976 match = (ctxt->role == rule->au_ctxt.role);
@@ -1968,7 +1980,8 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
1968 break; 1980 break;
1969 } 1981 }
1970 break; 1982 break;
1971 case AUDIT_SE_TYPE: 1983 case AUDIT_SUBJ_TYPE:
1984 case AUDIT_OBJ_TYPE:
1972 switch (op) { 1985 switch (op) {
1973 case AUDIT_EQUAL: 1986 case AUDIT_EQUAL:
1974 match = (ctxt->type == rule->au_ctxt.type); 1987 match = (ctxt->type == rule->au_ctxt.type);
@@ -1978,9 +1991,12 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
1978 break; 1991 break;
1979 } 1992 }
1980 break; 1993 break;
1981 case AUDIT_SE_SEN: 1994 case AUDIT_SUBJ_SEN:
1982 case AUDIT_SE_CLR: 1995 case AUDIT_SUBJ_CLR:
1983 level = (field == AUDIT_SE_SEN ? 1996 case AUDIT_OBJ_LEV_LOW:
1997 case AUDIT_OBJ_LEV_HIGH:
1998 level = ((field == AUDIT_SUBJ_SEN ||
1999 field == AUDIT_OBJ_LEV_LOW) ?
1984 &ctxt->range.level[0] : &ctxt->range.level[1]); 2000 &ctxt->range.level[0] : &ctxt->range.level[1]);
1985 switch (op) { 2001 switch (op) {
1986 case AUDIT_EQUAL: 2002 case AUDIT_EQUAL: