diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/ss/services.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 92e80b99d183..d2e80e62ff0c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -1848,12 +1848,17 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | |||
1848 | case AUDIT_SUBJ_USER: | 1848 | case AUDIT_SUBJ_USER: |
1849 | case AUDIT_SUBJ_ROLE: | 1849 | case AUDIT_SUBJ_ROLE: |
1850 | case AUDIT_SUBJ_TYPE: | 1850 | case AUDIT_SUBJ_TYPE: |
1851 | case AUDIT_OBJ_USER: | ||
1852 | case AUDIT_OBJ_ROLE: | ||
1853 | case AUDIT_OBJ_TYPE: | ||
1851 | /* only 'equals' and 'not equals' fit user, role, and type */ | 1854 | /* only 'equals' and 'not equals' fit user, role, and type */ |
1852 | if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) | 1855 | if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) |
1853 | return -EINVAL; | 1856 | return -EINVAL; |
1854 | break; | 1857 | break; |
1855 | case AUDIT_SUBJ_SEN: | 1858 | case AUDIT_SUBJ_SEN: |
1856 | case AUDIT_SUBJ_CLR: | 1859 | case AUDIT_SUBJ_CLR: |
1860 | case AUDIT_OBJ_LEV_LOW: | ||
1861 | case AUDIT_OBJ_LEV_HIGH: | ||
1857 | /* we do not allow a range, indicated by the presense of '-' */ | 1862 | /* we do not allow a range, indicated by the presense of '-' */ |
1858 | if (strchr(rulestr, '-')) | 1863 | if (strchr(rulestr, '-')) |
1859 | return -EINVAL; | 1864 | return -EINVAL; |
@@ -1875,6 +1880,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | |||
1875 | 1880 | ||
1876 | switch (field) { | 1881 | switch (field) { |
1877 | case AUDIT_SUBJ_USER: | 1882 | case AUDIT_SUBJ_USER: |
1883 | case AUDIT_OBJ_USER: | ||
1878 | userdatum = hashtab_search(policydb.p_users.table, rulestr); | 1884 | userdatum = hashtab_search(policydb.p_users.table, rulestr); |
1879 | if (!userdatum) | 1885 | if (!userdatum) |
1880 | rc = -EINVAL; | 1886 | rc = -EINVAL; |
@@ -1882,6 +1888,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | |||
1882 | tmprule->au_ctxt.user = userdatum->value; | 1888 | tmprule->au_ctxt.user = userdatum->value; |
1883 | break; | 1889 | break; |
1884 | case AUDIT_SUBJ_ROLE: | 1890 | case AUDIT_SUBJ_ROLE: |
1891 | case AUDIT_OBJ_ROLE: | ||
1885 | roledatum = hashtab_search(policydb.p_roles.table, rulestr); | 1892 | roledatum = hashtab_search(policydb.p_roles.table, rulestr); |
1886 | if (!roledatum) | 1893 | if (!roledatum) |
1887 | rc = -EINVAL; | 1894 | rc = -EINVAL; |
@@ -1889,6 +1896,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | |||
1889 | tmprule->au_ctxt.role = roledatum->value; | 1896 | tmprule->au_ctxt.role = roledatum->value; |
1890 | break; | 1897 | break; |
1891 | case AUDIT_SUBJ_TYPE: | 1898 | case AUDIT_SUBJ_TYPE: |
1899 | case AUDIT_OBJ_TYPE: | ||
1892 | typedatum = hashtab_search(policydb.p_types.table, rulestr); | 1900 | typedatum = hashtab_search(policydb.p_types.table, rulestr); |
1893 | if (!typedatum) | 1901 | if (!typedatum) |
1894 | rc = -EINVAL; | 1902 | rc = -EINVAL; |
@@ -1897,6 +1905,8 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | |||
1897 | break; | 1905 | break; |
1898 | case AUDIT_SUBJ_SEN: | 1906 | case AUDIT_SUBJ_SEN: |
1899 | case AUDIT_SUBJ_CLR: | 1907 | case AUDIT_SUBJ_CLR: |
1908 | case AUDIT_OBJ_LEV_LOW: | ||
1909 | case AUDIT_OBJ_LEV_HIGH: | ||
1900 | rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); | 1910 | rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); |
1901 | break; | 1911 | break; |
1902 | } | 1912 | } |
@@ -1949,6 +1959,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | |||
1949 | without a match */ | 1959 | without a match */ |
1950 | switch (field) { | 1960 | switch (field) { |
1951 | case AUDIT_SUBJ_USER: | 1961 | case AUDIT_SUBJ_USER: |
1962 | case AUDIT_OBJ_USER: | ||
1952 | switch (op) { | 1963 | switch (op) { |
1953 | case AUDIT_EQUAL: | 1964 | case AUDIT_EQUAL: |
1954 | match = (ctxt->user == rule->au_ctxt.user); | 1965 | match = (ctxt->user == rule->au_ctxt.user); |
@@ -1959,6 +1970,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | |||
1959 | } | 1970 | } |
1960 | break; | 1971 | break; |
1961 | case AUDIT_SUBJ_ROLE: | 1972 | case AUDIT_SUBJ_ROLE: |
1973 | case AUDIT_OBJ_ROLE: | ||
1962 | switch (op) { | 1974 | switch (op) { |
1963 | case AUDIT_EQUAL: | 1975 | case AUDIT_EQUAL: |
1964 | match = (ctxt->role == rule->au_ctxt.role); | 1976 | match = (ctxt->role == rule->au_ctxt.role); |
@@ -1969,6 +1981,7 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | |||
1969 | } | 1981 | } |
1970 | break; | 1982 | break; |
1971 | case AUDIT_SUBJ_TYPE: | 1983 | case AUDIT_SUBJ_TYPE: |
1984 | case AUDIT_OBJ_TYPE: | ||
1972 | switch (op) { | 1985 | switch (op) { |
1973 | case AUDIT_EQUAL: | 1986 | case AUDIT_EQUAL: |
1974 | match = (ctxt->type == rule->au_ctxt.type); | 1987 | match = (ctxt->type == rule->au_ctxt.type); |
@@ -1980,7 +1993,10 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | |||
1980 | break; | 1993 | break; |
1981 | case AUDIT_SUBJ_SEN: | 1994 | case AUDIT_SUBJ_SEN: |
1982 | case AUDIT_SUBJ_CLR: | 1995 | case AUDIT_SUBJ_CLR: |
1983 | level = (field == AUDIT_SUBJ_SEN ? | 1996 | case AUDIT_OBJ_LEV_LOW: |
1997 | case AUDIT_OBJ_LEV_HIGH: | ||
1998 | level = ((field == AUDIT_SUBJ_SEN || | ||
1999 | field == AUDIT_OBJ_LEV_LOW) ? | ||
1984 | &ctxt->range.level[0] : &ctxt->range.level[1]); | 2000 | &ctxt->range.level[0] : &ctxt->range.level[1]); |
1985 | switch (op) { | 2001 | switch (op) { |
1986 | case AUDIT_EQUAL: | 2002 | case AUDIT_EQUAL: |