diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 8 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 45 |
2 files changed, 42 insertions, 11 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index bfffaa52e0cb..a2f7e9cf78c5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -83,6 +83,7 @@ | |||
83 | #include "netport.h" | 83 | #include "netport.h" |
84 | #include "xfrm.h" | 84 | #include "xfrm.h" |
85 | #include "netlabel.h" | 85 | #include "netlabel.h" |
86 | #include "audit.h" | ||
86 | 87 | ||
87 | #define XATTR_SELINUX_SUFFIX "selinux" | 88 | #define XATTR_SELINUX_SUFFIX "selinux" |
88 | #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX | 89 | #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX |
@@ -5478,6 +5479,13 @@ static struct security_operations selinux_ops = { | |||
5478 | .key_free = selinux_key_free, | 5479 | .key_free = selinux_key_free, |
5479 | .key_permission = selinux_key_permission, | 5480 | .key_permission = selinux_key_permission, |
5480 | #endif | 5481 | #endif |
5482 | |||
5483 | #ifdef CONFIG_AUDIT | ||
5484 | .audit_rule_init = selinux_audit_rule_init, | ||
5485 | .audit_rule_known = selinux_audit_rule_known, | ||
5486 | .audit_rule_match = selinux_audit_rule_match, | ||
5487 | .audit_rule_free = selinux_audit_rule_free, | ||
5488 | #endif | ||
5481 | }; | 5489 | }; |
5482 | 5490 | ||
5483 | static __init int selinux_init(void) | 5491 | static __init int selinux_init(void) |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index d75050819b06..1e0df5ec1bcd 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -57,6 +57,7 @@ | |||
57 | #include "netlabel.h" | 57 | #include "netlabel.h" |
58 | #include "xfrm.h" | 58 | #include "xfrm.h" |
59 | #include "ebitmap.h" | 59 | #include "ebitmap.h" |
60 | #include "audit.h" | ||
60 | 61 | ||
61 | extern void selnl_notify_policyload(u32 seqno); | 62 | extern void selnl_notify_policyload(u32 seqno); |
62 | unsigned int policydb_loaded_version; | 63 | unsigned int policydb_loaded_version; |
@@ -2296,21 +2297,23 @@ struct selinux_audit_rule { | |||
2296 | struct context au_ctxt; | 2297 | struct context au_ctxt; |
2297 | }; | 2298 | }; |
2298 | 2299 | ||
2299 | void selinux_audit_rule_free(struct selinux_audit_rule *rule) | 2300 | void selinux_audit_rule_free(void *vrule) |
2300 | { | 2301 | { |
2302 | struct selinux_audit_rule *rule = vrule; | ||
2303 | |||
2301 | if (rule) { | 2304 | if (rule) { |
2302 | context_destroy(&rule->au_ctxt); | 2305 | context_destroy(&rule->au_ctxt); |
2303 | kfree(rule); | 2306 | kfree(rule); |
2304 | } | 2307 | } |
2305 | } | 2308 | } |
2306 | 2309 | ||
2307 | int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | 2310 | int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) |
2308 | struct selinux_audit_rule **rule) | ||
2309 | { | 2311 | { |
2310 | struct selinux_audit_rule *tmprule; | 2312 | struct selinux_audit_rule *tmprule; |
2311 | struct role_datum *roledatum; | 2313 | struct role_datum *roledatum; |
2312 | struct type_datum *typedatum; | 2314 | struct type_datum *typedatum; |
2313 | struct user_datum *userdatum; | 2315 | struct user_datum *userdatum; |
2316 | struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule; | ||
2314 | int rc = 0; | 2317 | int rc = 0; |
2315 | 2318 | ||
2316 | *rule = NULL; | 2319 | *rule = NULL; |
@@ -2397,12 +2400,37 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | |||
2397 | return rc; | 2400 | return rc; |
2398 | } | 2401 | } |
2399 | 2402 | ||
2400 | int selinux_audit_rule_match(u32 sid, u32 field, u32 op, | 2403 | /* Check to see if the rule contains any selinux fields */ |
2401 | struct selinux_audit_rule *rule, | 2404 | int selinux_audit_rule_known(struct audit_krule *rule) |
2405 | { | ||
2406 | int i; | ||
2407 | |||
2408 | for (i = 0; i < rule->field_count; i++) { | ||
2409 | struct audit_field *f = &rule->fields[i]; | ||
2410 | switch (f->type) { | ||
2411 | case AUDIT_SUBJ_USER: | ||
2412 | case AUDIT_SUBJ_ROLE: | ||
2413 | case AUDIT_SUBJ_TYPE: | ||
2414 | case AUDIT_SUBJ_SEN: | ||
2415 | case AUDIT_SUBJ_CLR: | ||
2416 | case AUDIT_OBJ_USER: | ||
2417 | case AUDIT_OBJ_ROLE: | ||
2418 | case AUDIT_OBJ_TYPE: | ||
2419 | case AUDIT_OBJ_LEV_LOW: | ||
2420 | case AUDIT_OBJ_LEV_HIGH: | ||
2421 | return 1; | ||
2422 | } | ||
2423 | } | ||
2424 | |||
2425 | return 0; | ||
2426 | } | ||
2427 | |||
2428 | int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, | ||
2402 | struct audit_context *actx) | 2429 | struct audit_context *actx) |
2403 | { | 2430 | { |
2404 | struct context *ctxt; | 2431 | struct context *ctxt; |
2405 | struct mls_level *level; | 2432 | struct mls_level *level; |
2433 | struct selinux_audit_rule *rule = vrule; | ||
2406 | int match = 0; | 2434 | int match = 0; |
2407 | 2435 | ||
2408 | if (!rule) { | 2436 | if (!rule) { |
@@ -2509,7 +2537,7 @@ out: | |||
2509 | return match; | 2537 | return match; |
2510 | } | 2538 | } |
2511 | 2539 | ||
2512 | static int (*aurule_callback)(void) = NULL; | 2540 | static int (*aurule_callback)(void) = audit_update_lsm_rules; |
2513 | 2541 | ||
2514 | static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, | 2542 | static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, |
2515 | u16 class, u32 perms, u32 *retained) | 2543 | u16 class, u32 perms, u32 *retained) |
@@ -2534,11 +2562,6 @@ static int __init aurule_init(void) | |||
2534 | } | 2562 | } |
2535 | __initcall(aurule_init); | 2563 | __initcall(aurule_init); |
2536 | 2564 | ||
2537 | void selinux_audit_set_callback(int (*callback)(void)) | ||
2538 | { | ||
2539 | aurule_callback = callback; | ||
2540 | } | ||
2541 | |||
2542 | #ifdef CONFIG_NETLABEL | 2565 | #ifdef CONFIG_NETLABEL |
2543 | /** | 2566 | /** |
2544 | * security_netlbl_cache_add - Add an entry to the NetLabel cache | 2567 | * security_netlbl_cache_add - Add an entry to the NetLabel cache |