Diffstat (limited to 'security')
| -rw-r--r-- | security/Makefile | 4 | ||||
| -rw-r--r-- | security/selinux/avc.c | 218 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 142 | ||||
| -rw-r--r-- | security/selinux/include/avc.h | 49 | ||||
| -rw-r--r-- | security/selinux/include/netlabel.h | 4 | ||||
| -rw-r--r-- | security/selinux/include/xfrm.h | 8 | ||||
| -rw-r--r-- | security/selinux/netlabel.c | 2 | ||||
| -rw-r--r-- | security/selinux/xfrm.c | 4 |
8 files changed, 297 insertions, 134 deletions
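diff --git a/security/Makefile b/security/Makefile
index 8dcc1fdcdc69..c67557cdaa85 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -16,7 +16,9 @@ obj-$(CONFIG_SECURITYFS) += inode.o
 # Must precede capability.o in order to stack properly.
 obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
 obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
-obj-$(CONFIG_AUDIT) += lsm_audit.o
+ifeq ($(CONFIG_AUDIT),y)
+obj-$(CONFIG_SECURITY_SMACK) += lsm_audit.o
+endif
 obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
 obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o
 obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o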
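diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index d9fd22488ef8..236aaa2ea86d 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -492,50 +492,23 @@ out:
 return node;
 }
 
-/**
- * avc_audit_pre_callback - SELinux specific information
- * will be called by generic audit code
- * @ab: the audit buffer
- * @a: audit_data
- */
-static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
+static inline void avc_print_ipv6_addr(struct audit_buffer *ab,
+struct in6_addr *addr, __be16 port,
+char *name1, char *name2)
 {
-struct common_audit_data *ad = a;
-struct av_decision *avd = ad->selinux_audit_data.avd;
-u32 requested = ad->selinux_audit_data.requested;
-int result = ad->selinux_audit_data.result;
-u32 denied, audited;
-denied = requested & ~avd->allowed;
-if (denied) {
-audited = denied;
-if (!(audited & avd->auditdeny))
-return;
-} else if (result) {
-audited = denied = requested;
-} else {
-audited = requested;
-if (!(audited & avd->auditallow))
-return;
-}
-audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
-avc_dump_av(ab, ad->selinux_audit_data.tclass,
-ad->selinux_audit_data.audited);
-audit_log_format(ab, " for ");
+if (!ipv6_addr_any(addr))
+audit_log_format(ab, " %s=%pI6", name1, addr);
+if (port)
+audit_log_format(ab, " %s=%d", name2, ntohs(port));
 }
 
-/**
- * avc_audit_post_callback - SELinux specific information
- * will be called by generic audit code
- * @ab: the audit buffer
- * @a: audit_data
- */
-static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
+static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
+__be16 port, char *name1, char *name2)
 {
-struct common_audit_data *ad = a;
-audit_log_format(ab, " ");
-avc_dump_query(ab, ad->selinux_audit_data.ssid,
-ad->selinux_audit_data.tsid,
-ad->selinux_audit_data.tclass);
+if (addr)
+audit_log_format(ab, " %s=%pI4", name1, &addr);
+if (port)
+audit_log_format(ab, " %s=%d", name2, ntohs(port));
 }
 
 /**
@@ -559,14 +532,163 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 */
 void avc_audit(u32 ssid, u32 tsid,
 u16 tclass, u32 requested,
-struct av_decision *avd, int result, struct common_audit_data *a)
+struct av_decision *avd, int result, struct avc_audit_data *a)
 {
-a->selinux_audit_data.avd = avd;
-a->selinux_audit_data.tclass = tclass;
-a->selinux_audit_data.requested = requested;
-a->lsm_pre_audit = avc_audit_pre_callback;
-a->lsm_post_audit = avc_audit_post_callback;
-common_lsm_audit(a);
+struct task_struct *tsk = current;
+struct inode *inode = NULL;
+u32 denied, audited;
+struct audit_buffer *ab;
+
+denied = requested & ~avd->allowed;
+if (denied) {
+audited = denied;
+if (!(audited & avd->auditdeny))
+return;
+} else if (result) {
+audited = denied = requested;
+} else {
+audited = requested;
+if (!(audited & avd->auditallow))
+return;
+}
+
+ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC);
+if (!ab)
+return; /* audit_panic has been called */
+audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
+avc_dump_av(ab, tclass, audited);
+audit_log_format(ab, " for ");
+if (a && a->tsk)
+tsk = a->tsk;
+if (tsk && tsk->pid) {
+audit_log_format(ab, " pid=%d comm=", tsk->pid);
+audit_log_untrustedstring(ab, tsk->comm);
+}
+if (a) {
+switch (a->type) {
+case AVC_AUDIT_DATA_IPC:
+audit_log_format(ab, " key=%d", a->u.ipc_id);
+break;
+case AVC_AUDIT_DATA_CAP:
+audit_log_format(ab, " capability=%d", a->u.cap);
+break;
+case AVC_AUDIT_DATA_FS:
+if (a->u.fs.path.dentry) {
+struct dentry *dentry = a->u.fs.path.dentry;
+if (a->u.fs.path.mnt) {
+audit_log_d_path(ab, "path=",
+&a->u.fs.path);
+} else {
+audit_log_format(ab, " name=");
+audit_log_untrustedstring(ab, dentry->d_name.name);
+}
+inode = dentry->d_inode;
+} else if (a->u.fs.inode) {
+struct dentry *dentry;
+inode = a->u.fs.inode;
+dentry = d_find_alias(inode);
+if (dentry) {
+audit_log_format(ab, " name=");
+audit_log_untrustedstring(ab, dentry->d_name.name);
+dput(dentry);
+}
+}
+if (inode)
+audit_log_format(ab, " dev=%s ino=%lu",
+inode->i_sb->s_id,
+inode->i_ino);
+break;
+case AVC_AUDIT_DATA_NET:
+if (a->u.net.sk) {
+struct sock *sk = a->u.net.sk;
+struct unix_sock *u;
+int len = 0;
+char *p = NULL;
+
+switch (sk->sk_family) {
+case AF_INET: {
+struct inet_sock *inet = inet_sk(sk);
+
+avc_print_ipv4_addr(ab, inet->rcv_saddr,
+inet->sport,
+"laddr", "lport");
+avc_print_ipv4_addr(ab, inet->daddr,
+inet->dport,
+"faddr", "fport");
+break;
+}
+case AF_INET6: {
+struct inet_sock *inet = inet_sk(sk);
+struct ipv6_pinfo *inet6 = inet6_sk(sk);
+
+avc_print_ipv6_addr(ab, &inet6->rcv_saddr,
+inet->sport,
+"laddr", "lport");
+avc_print_ipv6_addr(ab, &inet6->daddr,
+inet->dport,
+"faddr", "fport");
+break;
+}
+case AF_UNIX:
+u = unix_sk(sk);
+if (u->dentry) {
+struct path path = {
+.dentry = u->dentry,
+.mnt = u->mnt
+};
+audit_log_d_path(ab, "path=",
+&path);
+break;
+}
+if (!u->addr)
+break;
+len = u->addr->len-sizeof(short);
+p = &u->addr->name->sun_path[0];
+audit_log_format(ab, " path=");
+if (*p)
+audit_log_untrustedstring(ab, p);
+else
+audit_log_n_hex(ab, p, len);
+break;
+}
+}
+
+switch (a->u.net.family) {
+case AF_INET:
+avc_print_ipv4_addr(ab, a->u.net.v4info.saddr,
+a->u.net.sport,
+"saddr", "src");
+avc_print_ipv4_addr(ab, a->u.net.v4info.daddr,
+a->u.net.dport,
+"daddr", "dest");
+break;
+case AF_INET6:
+avc_print_ipv6_addr(ab, &a->u.net.v6info.saddr,
+a->u.net.sport,
+"saddr", "src");
+avc_print_ipv6_addr(ab, &a->u.net.v6info.daddr,
+a->u.net.dport,
+"daddr", "dest");
+break;
+}
+if (a->u.net.netif > 0) {
+struct net_device *dev;
+
+/* NOTE: we always use init's namespace */
+dev = dev_get_by_index(&init_net,
+a->u.net.netif);
+if (dev) {
+audit_log_format(ab, " netif=%s",
+dev->name);
+dev_put(dev);
+}
+}
+break;
+}
+}
+audit_log_format(ab, " ");
+avc_dump_query(ab, ssid, tsid, tclass);
+audit_log_end(ab);
 }
 
 /**
@@ -834,7 +956,7 @@ out:
 * another -errno upon other errors.
 */
 int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
-u32 requested, struct common_audit_data *auditdata)
+u32 requested, struct avc_audit_data *auditdata)
 {
 struct av_decision avd;
 int rc;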
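Review bot: The two helpers restored at new lines 495–512, avc_print_ipv6_addr and avc_print_ipv4_addr, take their label arguments as `char *name1, char *name2` although every caller in avc_audit passes a string literal and the helpers only read them; they should be declared `const char *name1, const char *name2`, and the IPv6 variant can take `const struct in6_addr *addr` for the same reason. In the AF_UNIX branch of avc_audit, `len = u->addr->len-sizeof(short);` stores a size_t difference into an `int` before it reaches audit_log_n_hex; declaring `size_t len` would match the arithmetic, and whether `u->addr->len` is guaranteed to be at least `sizeof(short)` at this point cannot be confirmed from this hunk, so a short comment stating that invariant next to the subtraction would help the next reader. Both ports are printed with `" %s=%d"` from `ntohs(port)`, where `%u` would describe the unsigned 16-bit value more precisely, though the output is identical for valid ports.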
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a7de261e167f..2081055f6783 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -1478,14 +1478,14 @@ static int task_has_capability(struct task_struct *tsk, | |||
| 1478 | const struct cred *cred, | 1478 | const struct cred *cred, |
| 1479 | int cap, int audit) | 1479 | int cap, int audit) |
| 1480 | { | 1480 | { |
| 1481 | struct common_audit_data ad; | 1481 | struct avc_audit_data ad; |
| 1482 | struct av_decision avd; | 1482 | struct av_decision avd; |
| 1483 | u16 sclass; | 1483 | u16 sclass; |
| 1484 | u32 sid = cred_sid(cred); | 1484 | u32 sid = cred_sid(cred); |
| 1485 | u32 av = CAP_TO_MASK(cap); | 1485 | u32 av = CAP_TO_MASK(cap); |
| 1486 | int rc; | 1486 | int rc; |
| 1487 | 1487 | ||
| 1488 | COMMON_AUDIT_DATA_INIT(&ad, CAP); | 1488 | AVC_AUDIT_DATA_INIT(&ad, CAP); |
| 1489 | ad.tsk = tsk; | 1489 | ad.tsk = tsk; |
| 1490 | ad.u.cap = cap; | 1490 | ad.u.cap = cap; |
| 1491 | 1491 | ||
| @@ -1524,10 +1524,10 @@ static int task_has_system(struct task_struct *tsk, | |||
| 1524 | static int inode_has_perm(const struct cred *cred, | 1524 | static int inode_has_perm(const struct cred *cred, |
| 1525 | struct inode *inode, | 1525 | struct inode *inode, |
| 1526 | u32 perms, | 1526 | u32 perms, |
| 1527 | struct common_audit_data *adp) | 1527 | struct avc_audit_data *adp) |
| 1528 | { | 1528 | { |
| 1529 | struct inode_security_struct *isec; | 1529 | struct inode_security_struct *isec; |
| 1530 | struct common_audit_data ad; | 1530 | struct avc_audit_data ad; |
| 1531 | u32 sid; | 1531 | u32 sid; |
| 1532 | 1532 | ||
| 1533 | if (unlikely(IS_PRIVATE(inode))) | 1533 | if (unlikely(IS_PRIVATE(inode))) |
| @@ -1538,7 +1538,7 @@ static int inode_has_perm(const struct cred *cred, | |||
| 1538 | 1538 | ||
| 1539 | if (!adp) { | 1539 | if (!adp) { |
| 1540 | adp = &ad; | 1540 | adp = &ad; |
| 1541 | COMMON_AUDIT_DATA_INIT(&ad, FS); | 1541 | AVC_AUDIT_DATA_INIT(&ad, FS); |
| 1542 | ad.u.fs.inode = inode; | 1542 | ad.u.fs.inode = inode; |
| 1543 | } | 1543 | } |
| 1544 | 1544 | ||
| @@ -1554,9 +1554,9 @@ static inline int dentry_has_perm(const struct cred *cred, | |||
| 1554 | u32 av) | 1554 | u32 av) |
| 1555 | { | 1555 | { |
| 1556 | struct inode *inode = dentry->d_inode; | 1556 | struct inode *inode = dentry->d_inode; |
| 1557 | struct common_audit_data ad; | 1557 | struct avc_audit_data ad; |
| 1558 | 1558 | ||
| 1559 | COMMON_AUDIT_DATA_INIT(&ad, FS); | 1559 | AVC_AUDIT_DATA_INIT(&ad, FS); |
| 1560 | ad.u.fs.path.mnt = mnt; | 1560 | ad.u.fs.path.mnt = mnt; |
| 1561 | ad.u.fs.path.dentry = dentry; | 1561 | ad.u.fs.path.dentry = dentry; |
| 1562 | return inode_has_perm(cred, inode, av, &ad); | 1562 | return inode_has_perm(cred, inode, av, &ad); |
| @@ -1576,11 +1576,11 @@ static int file_has_perm(const struct cred *cred, | |||
| 1576 | { | 1576 | { |
| 1577 | struct file_security_struct *fsec = file->f_security; | 1577 | struct file_security_struct *fsec = file->f_security; |
| 1578 | struct inode *inode = file->f_path.dentry->d_inode; | 1578 | struct inode *inode = file->f_path.dentry->d_inode; |
| 1579 | struct common_audit_data ad; | 1579 | struct avc_audit_data ad; |
| 1580 | u32 sid = cred_sid(cred); | 1580 | u32 sid = cred_sid(cred); |
| 1581 | int rc; | 1581 | int rc; |
| 1582 | 1582 | ||
| 1583 | COMMON_AUDIT_DATA_INIT(&ad, FS); | 1583 | AVC_AUDIT_DATA_INIT(&ad, FS); |
| 1584 | ad.u.fs.path = file->f_path; | 1584 | ad.u.fs.path = file->f_path; |
| 1585 | 1585 | ||
| 1586 | if (sid != fsec->sid) { | 1586 | if (sid != fsec->sid) { |
| @@ -1611,7 +1611,7 @@ static int may_create(struct inode *dir, | |||
| 1611 | struct inode_security_struct *dsec; | 1611 | struct inode_security_struct *dsec; |
| 1612 | struct superblock_security_struct *sbsec; | 1612 | struct superblock_security_struct *sbsec; |
| 1613 | u32 sid, newsid; | 1613 | u32 sid, newsid; |
| 1614 | struct common_audit_data ad; | 1614 | struct avc_audit_data ad; |
| 1615 | int rc; | 1615 | int rc; |
| 1616 | 1616 | ||
| 1617 | dsec = dir->i_security; | 1617 | dsec = dir->i_security; |
| @@ -1620,7 +1620,7 @@ static int may_create(struct inode *dir, | |||
| 1620 | sid = tsec->sid; | 1620 | sid = tsec->sid; |
| 1621 | newsid = tsec->create_sid; | 1621 | newsid = tsec->create_sid; |
| 1622 | 1622 | ||
| 1623 | COMMON_AUDIT_DATA_INIT(&ad, FS); | 1623 | AVC_AUDIT_DATA_INIT(&ad, FS); |
| 1624 | ad.u.fs.path.dentry = dentry; | 1624 | ad.u.fs.path.dentry = dentry; |
| 1625 | 1625 | ||
| 1626 | rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, | 1626 | rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, |
| @@ -1664,7 +1664,7 @@ static int may_link(struct inode *dir, | |||
| 1664 | 1664 | ||
| 1665 | { | 1665 | { |
| 1666 | struct inode_security_struct *dsec, *isec; | 1666 | struct inode_security_struct *dsec, *isec; |
| 1667 | struct common_audit_data ad; | 1667 | struct avc_audit_data ad; |
| 1668 | u32 sid = current_sid(); | 1668 | u32 sid = current_sid(); |
| 1669 | u32 av; | 1669 | u32 av; |
| 1670 | int rc; | 1670 | int rc; |
| @@ -1672,7 +1672,7 @@ static int may_link(struct inode *dir, | |||
| 1672 | dsec = dir->i_security; | 1672 | dsec = dir->i_security; |
| 1673 | isec = dentry->d_inode->i_security; | 1673 | isec = dentry->d_inode->i_security; |
| 1674 | 1674 | ||
| 1675 | COMMON_AUDIT_DATA_INIT(&ad, FS); | 1675 | AVC_AUDIT_DATA_INIT(&ad, FS); |
| 1676 | ad.u.fs.path.dentry = dentry; | 1676 | ad.u.fs.path.dentry = dentry; |
| 1677 | 1677 | ||
| 1678 | av = DIR__SEARCH; | 1678 | av = DIR__SEARCH; |
| @@ -1707,7 +1707,7 @@ static inline int may_rename(struct inode *old_dir, | |||
| 1707 | struct dentry *new_dentry) | 1707 | struct dentry *new_dentry) |
| 1708 | { | 1708 | { |
| 1709 | struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; | 1709 | struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; |
| 1710 | struct common_audit_data ad; | 1710 | struct avc_audit_data ad; |
| 1711 | u32 sid = current_sid(); | 1711 | u32 sid = current_sid(); |
| 1712 | u32 av; | 1712 | u32 av; |
| 1713 | int old_is_dir, new_is_dir; | 1713 | int old_is_dir, new_is_dir; |
| @@ -1718,7 +1718,7 @@ static inline int may_rename(struct inode *old_dir, | |||
| 1718 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); | 1718 | old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); |
| 1719 | new_dsec = new_dir->i_security; | 1719 | new_dsec = new_dir->i_security; |
| 1720 | 1720 | ||
| 1721 | COMMON_AUDIT_DATA_INIT(&ad, FS); | 1721 | AVC_AUDIT_DATA_INIT(&ad, FS); |
| 1722 | 1722 | ||
| 1723 | ad.u.fs.path.dentry = old_dentry; | 1723 | ad.u.fs.path.dentry = old_dentry; |
| 1724 | rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, | 1724 | rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, |
| @@ -1760,7 +1760,7 @@ static inline int may_rename(struct inode *old_dir, | |||
| 1760 | static int superblock_has_perm(const struct cred *cred, | 1760 | static int superblock_has_perm(const struct cred *cred, |
| 1761 | struct super_block *sb, | 1761 | struct super_block *sb, |
| 1762 | u32 perms, | 1762 | u32 perms, |
| 1763 | struct common_audit_data *ad) | 1763 | struct avc_audit_data *ad) |
| 1764 | { | 1764 | { |
| 1765 | struct superblock_security_struct *sbsec; | 1765 | struct superblock_security_struct *sbsec; |
| 1766 | u32 sid = cred_sid(cred); | 1766 | u32 sid = cred_sid(cred); |
| @@ -2100,7 +2100,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
| 2100 | const struct task_security_struct *old_tsec; | 2100 | const struct task_security_struct *old_tsec; |
| 2101 | struct task_security_struct *new_tsec; | 2101 | struct task_security_struct *new_tsec; |
| 2102 | struct inode_security_struct *isec; | 2102 | struct inode_security_struct *isec; |
| 2103 | struct common_audit_data ad; | 2103 | struct avc_audit_data ad; |
| 2104 | struct inode *inode = bprm->file->f_path.dentry->d_inode; | 2104 | struct inode *inode = bprm->file->f_path.dentry->d_inode; |
| 2105 | int rc; | 2105 | int rc; |
| 2106 | 2106 | ||
| @@ -2138,7 +2138,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
| 2138 | return rc; | 2138 | return rc; |
| 2139 | } | 2139 | } |
| 2140 | 2140 | ||
| 2141 | COMMON_AUDIT_DATA_INIT(&ad, FS); | 2141 | AVC_AUDIT_DATA_INIT(&ad, FS); |
| 2142 | ad.u.fs.path = bprm->file->f_path; | 2142 | ad.u.fs.path = bprm->file->f_path; |
| 2143 | 2143 | ||
| 2144 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) | 2144 | if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) |
| @@ -2231,7 +2231,7 @@ extern struct dentry *selinux_null; | |||
| 2231 | static inline void flush_unauthorized_files(const struct cred *cred, | 2231 | static inline void flush_unauthorized_files(const struct cred *cred, |
| 2232 | struct files_struct *files) | 2232 | struct files_struct *files) |
| 2233 | { | 2233 | { |
| 2234 | struct common_audit_data ad; | 2234 | struct avc_audit_data ad; |
| 2235 | struct file *file, *devnull = NULL; | 2235 | struct file *file, *devnull = NULL; |
| 2236 | struct tty_struct *tty; | 2236 | struct tty_struct *tty; |
| 2237 | struct fdtable *fdt; | 2237 | struct fdtable *fdt; |
| @@ -2265,7 +2265,7 @@ static inline void flush_unauthorized_files(const struct cred *cred, | |||
| 2265 | 2265 | ||
| 2266 | /* Revalidate access to inherited open files. */ | 2266 | /* Revalidate access to inherited open files. */ |
| 2267 | 2267 | ||
| 2268 | COMMON_AUDIT_DATA_INIT(&ad, FS); | 2268 | AVC_AUDIT_DATA_INIT(&ad, FS); |
| 2269 | 2269 | ||
| 2270 | spin_lock(&files->file_lock); | 2270 | spin_lock(&files->file_lock); |
| 2271 | for (;;) { | 2271 | for (;;) { |
| @@ -2514,7 +2514,7 @@ out: | |||
| 2514 | static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) | 2514 | static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) |
| 2515 | { | 2515 | { |
| 2516 | const struct cred *cred = current_cred(); | 2516 | const struct cred *cred = current_cred(); |
| 2517 | struct common_audit_data ad; | 2517 | struct avc_audit_data ad; |
| 2518 | int rc; | 2518 | int rc; |
| 2519 | 2519 | ||
| 2520 | rc = superblock_doinit(sb, data); | 2520 | rc = superblock_doinit(sb, data); |
| @@ -2525,7 +2525,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) | |||
| 2525 | if (flags & MS_KERNMOUNT) | 2525 | if (flags & MS_KERNMOUNT) |
| 2526 | return 0; | 2526 | return 0; |
| 2527 | 2527 | ||
| 2528 | COMMON_AUDIT_DATA_INIT(&ad, FS); | 2528 | AVC_AUDIT_DATA_INIT(&ad, FS); |
| 2529 | ad.u.fs.path.dentry = sb->s_root; | 2529 | ad.u.fs.path.dentry = sb->s_root; |
| 2530 | return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); | 2530 | return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); |
| 2531 | } | 2531 | } |
| @@ -2533,9 +2533,9 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) | |||
| 2533 | static int selinux_sb_statfs(struct dentry *dentry) | 2533 | static int selinux_sb_statfs(struct dentry *dentry) |
| 2534 | { | 2534 | { |
| 2535 | const struct cred *cred = current_cred(); | 2535 | const struct cred *cred = current_cred(); |
| 2536 | struct common_audit_data ad; | 2536 | struct avc_audit_data ad; |
| 2537 | 2537 | ||
| 2538 | COMMON_AUDIT_DATA_INIT(&ad, FS); | 2538 | AVC_AUDIT_DATA_INIT(&ad, FS); |
| 2539 | ad.u.fs.path.dentry = dentry->d_sb->s_root; | 2539 | ad.u.fs.path.dentry = dentry->d_sb->s_root; |
| 2540 | return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); | 2540 | return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); |
| 2541 | } | 2541 | } |
| @@ -2755,7 +2755,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | |||
| 2755 | struct inode *inode = dentry->d_inode; | 2755 | struct inode *inode = dentry->d_inode; |
| 2756 | struct inode_security_struct *isec = inode->i_security; | 2756 | struct inode_security_struct *isec = inode->i_security; |
| 2757 | struct superblock_security_struct *sbsec; | 2757 | struct superblock_security_struct *sbsec; |
| 2758 | struct common_audit_data ad; | 2758 | struct avc_audit_data ad; |
| 2759 | u32 newsid, sid = current_sid(); | 2759 | u32 newsid, sid = current_sid(); |
| 2760 | int rc = 0; | 2760 | int rc = 0; |
| 2761 | 2761 | ||
| @@ -2769,7 +2769,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | |||
| 2769 | if (!is_owner_or_cap(inode)) | 2769 | if (!is_owner_or_cap(inode)) |
| 2770 | return -EPERM; | 2770 | return -EPERM; |
| 2771 | 2771 | ||
| 2772 | COMMON_AUDIT_DATA_INIT(&ad, FS); | 2772 | AVC_AUDIT_DATA_INIT(&ad, FS); |
| 2773 | ad.u.fs.path.dentry = dentry; | 2773 | ad.u.fs.path.dentry = dentry; |
| 2774 | 2774 | ||
| 2775 | rc = avc_has_perm(sid, isec->sid, isec->sclass, | 2775 | rc = avc_has_perm(sid, isec->sid, isec->sclass, |
| @@ -3401,7 +3401,7 @@ static void selinux_task_to_inode(struct task_struct *p, | |||
| 3401 | 3401 | ||
| 3402 | /* Returns error only if unable to parse addresses */ | 3402 | /* Returns error only if unable to parse addresses */ |
| 3403 | static int selinux_parse_skb_ipv4(struct sk_buff *skb, | 3403 | static int selinux_parse_skb_ipv4(struct sk_buff *skb, |
| 3404 | struct common_audit_data *ad, u8 *proto) | 3404 | struct avc_audit_data *ad, u8 *proto) |
| 3405 | { | 3405 | { |
| 3406 | int offset, ihlen, ret = -EINVAL; | 3406 | int offset, ihlen, ret = -EINVAL; |
| 3407 | struct iphdr _iph, *ih; | 3407 | struct iphdr _iph, *ih; |
| @@ -3482,7 +3482,7 @@ out: | |||
| 3482 | 3482 | ||
| 3483 | /* Returns error only if unable to parse addresses */ | 3483 | /* Returns error only if unable to parse addresses */ |
| 3484 | static int selinux_parse_skb_ipv6(struct sk_buff *skb, | 3484 | static int selinux_parse_skb_ipv6(struct sk_buff *skb, |
| 3485 | struct common_audit_data *ad, u8 *proto) | 3485 | struct avc_audit_data *ad, u8 *proto) |
| 3486 | { | 3486 | { |
| 3487 | u8 nexthdr; | 3487 | u8 nexthdr; |
| 3488 | int ret = -EINVAL, offset; | 3488 | int ret = -EINVAL, offset; |
| @@ -3553,7 +3553,7 @@ out: | |||
| 3553 | 3553 | ||
| 3554 | #endif /* IPV6 */ | 3554 | #endif /* IPV6 */ |
| 3555 | 3555 | ||
| 3556 | static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, | 3556 | static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, |
| 3557 | char **_addrp, int src, u8 *proto) | 3557 | char **_addrp, int src, u8 *proto) |
| 3558 | { | 3558 | { |
| 3559 | char *addrp; | 3559 | char *addrp; |
| @@ -3635,7 +3635,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, | |||
| 3635 | u32 perms) | 3635 | u32 perms) |
| 3636 | { | 3636 | { |
| 3637 | struct inode_security_struct *isec; | 3637 | struct inode_security_struct *isec; |
| 3638 | struct common_audit_data ad; | 3638 | struct avc_audit_data ad; |
| 3639 | u32 sid; | 3639 | u32 sid; |
| 3640 | int err = 0; | 3640 | int err = 0; |
| 3641 | 3641 | ||
| @@ -3645,7 +3645,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock, | |||
| 3645 | goto out; | 3645 | goto out; |
| 3646 | sid = task_sid(task); | 3646 | sid = task_sid(task); |
| 3647 | 3647 | ||
| 3648 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 3648 | AVC_AUDIT_DATA_INIT(&ad, NET); |
| 3649 | ad.u.net.sk = sock->sk; | 3649 | ad.u.net.sk = sock->sk; |
| 3650 | err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); | 3650 | err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); |
| 3651 | 3651 | ||
| @@ -3732,7 +3732,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
| 3732 | if (family == PF_INET || family == PF_INET6) { | 3732 | if (family == PF_INET || family == PF_INET6) { |
| 3733 | char *addrp; | 3733 | char *addrp; |
| 3734 | struct inode_security_struct *isec; | 3734 | struct inode_security_struct *isec; |
| 3735 | struct common_audit_data ad; | 3735 | struct avc_audit_data ad; |
| 3736 | struct sockaddr_in *addr4 = NULL; | 3736 | struct sockaddr_in *addr4 = NULL; |
| 3737 | struct sockaddr_in6 *addr6 = NULL; | 3737 | struct sockaddr_in6 *addr6 = NULL; |
| 3738 | unsigned short snum; | 3738 | unsigned short snum; |
| @@ -3761,7 +3761,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
| 3761 | snum, &sid); | 3761 | snum, &sid); |
| 3762 | if (err) | 3762 | if (err) |
| 3763 | goto out; | 3763 | goto out; |
| 3764 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 3764 | AVC_AUDIT_DATA_INIT(&ad, NET); |
| 3765 | ad.u.net.sport = htons(snum); | 3765 | ad.u.net.sport = htons(snum); |
| 3766 | ad.u.net.family = family; | 3766 | ad.u.net.family = family; |
| 3767 | err = avc_has_perm(isec->sid, sid, | 3767 | err = avc_has_perm(isec->sid, sid, |
| @@ -3794,7 +3794,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
| 3794 | if (err) | 3794 | if (err) |
| 3795 | goto out; | 3795 | goto out; |
| 3796 | 3796 | ||
| 3797 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 3797 | AVC_AUDIT_DATA_INIT(&ad, NET); |
| 3798 | ad.u.net.sport = htons(snum); | 3798 | ad.u.net.sport = htons(snum); |
| 3799 | ad.u.net.family = family; | 3799 | ad.u.net.family = family; |
| 3800 | 3800 | ||
| @@ -3828,7 +3828,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, | |||
| 3828 | isec = SOCK_INODE(sock)->i_security; | 3828 | isec = SOCK_INODE(sock)->i_security; |
| 3829 | if (isec->sclass == SECCLASS_TCP_SOCKET || | 3829 | if (isec->sclass == SECCLASS_TCP_SOCKET || |
| 3830 | isec->sclass == SECCLASS_DCCP_SOCKET) { | 3830 | isec->sclass == SECCLASS_DCCP_SOCKET) { |
| 3831 | struct common_audit_data ad; | 3831 | struct avc_audit_data ad; |
| 3832 | struct sockaddr_in *addr4 = NULL; | 3832 | struct sockaddr_in *addr4 = NULL; |
| 3833 | struct sockaddr_in6 *addr6 = NULL; | 3833 | struct sockaddr_in6 *addr6 = NULL; |
| 3834 | unsigned short snum; | 3834 | unsigned short snum; |
| @@ -3853,7 +3853,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, | |||
| 3853 | perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? | 3853 | perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? |
| 3854 | TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; | 3854 | TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; |
| 3855 | 3855 | ||
| 3856 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 3856 | AVC_AUDIT_DATA_INIT(&ad, NET); |
| 3857 | ad.u.net.dport = htons(snum); | 3857 | ad.u.net.dport = htons(snum); |
| 3858 | ad.u.net.family = sk->sk_family; | 3858 | ad.u.net.family = sk->sk_family; |
| 3859 | err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); | 3859 | err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); |
| @@ -3943,13 +3943,13 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, | |||
| 3943 | struct sk_security_struct *ssec; | 3943 | struct sk_security_struct *ssec; |
| 3944 | struct inode_security_struct *isec; | 3944 | struct inode_security_struct *isec; |
| 3945 | struct inode_security_struct *other_isec; | 3945 | struct inode_security_struct *other_isec; |
| 3946 | struct common_audit_data ad; | 3946 | struct avc_audit_data ad; |
| 3947 | int err; | 3947 | int err; |
| 3948 | 3948 | ||
| 3949 | isec = SOCK_INODE(sock)->i_security; | 3949 | isec = SOCK_INODE(sock)->i_security; |
| 3950 | other_isec = SOCK_INODE(other)->i_security; | 3950 | other_isec = SOCK_INODE(other)->i_security; |
| 3951 | 3951 | ||
| 3952 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 3952 | AVC_AUDIT_DATA_INIT(&ad, NET); |
| 3953 | ad.u.net.sk = other->sk; | 3953 | ad.u.net.sk = other->sk; |
| 3954 | 3954 | ||
| 3955 | err = avc_has_perm(isec->sid, other_isec->sid, | 3955 | err = avc_has_perm(isec->sid, other_isec->sid, |
| @@ -3975,13 +3975,13 @@ static int selinux_socket_unix_may_send(struct socket *sock, | |||
| 3975 | { | 3975 | { |
| 3976 | struct inode_security_struct *isec; | 3976 | struct inode_security_struct *isec; |
| 3977 | struct inode_security_struct *other_isec; | 3977 | struct inode_security_struct *other_isec; |
| 3978 | struct common_audit_data ad; | 3978 | struct avc_audit_data ad; |
| 3979 | int err; | 3979 | int err; |
| 3980 | 3980 | ||
| 3981 | isec = SOCK_INODE(sock)->i_security; | 3981 | isec = SOCK_INODE(sock)->i_security; |
| 3982 | other_isec = SOCK_INODE(other)->i_security; | 3982 | other_isec = SOCK_INODE(other)->i_security; |
| 3983 | 3983 | ||
| 3984 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 3984 | AVC_AUDIT_DATA_INIT(&ad, NET); |
| 3985 | ad.u.net.sk = other->sk; | 3985 | ad.u.net.sk = other->sk; |
| 3986 | 3986 | ||
| 3987 | err = avc_has_perm(isec->sid, other_isec->sid, | 3987 | err = avc_has_perm(isec->sid, other_isec->sid, |
| @@ -3994,7 +3994,7 @@ static int selinux_socket_unix_may_send(struct socket *sock, | |||
| 3994 | 3994 | ||
| 3995 | static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, | 3995 | static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, |
| 3996 | u32 peer_sid, | 3996 | u32 peer_sid, |
| 3997 | struct common_audit_data *ad) | 3997 | struct avc_audit_data *ad) |
| 3998 | { | 3998 | { |
| 3999 | int err; | 3999 | int err; |
| 4000 | u32 if_sid; | 4000 | u32 if_sid; |
| @@ -4022,10 +4022,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, | |||
| 4022 | struct sk_security_struct *sksec = sk->sk_security; | 4022 | struct sk_security_struct *sksec = sk->sk_security; |
| 4023 | u32 peer_sid; | 4023 | u32 peer_sid; |
| 4024 | u32 sk_sid = sksec->sid; | 4024 | u32 sk_sid = sksec->sid; |
| 4025 | struct common_audit_data ad; | 4025 | struct avc_audit_data ad; |
| 4026 | char *addrp; | 4026 | char *addrp; |
| 4027 | 4027 | ||
| 4028 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 4028 | AVC_AUDIT_DATA_INIT(&ad, NET); |
| 4029 | ad.u.net.netif = skb->iif; | 4029 | ad.u.net.netif = skb->iif; |
| 4030 | ad.u.net.family = family; | 4030 | ad.u.net.family = family; |
| 4031 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); | 4031 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); |
| @@ -4063,7 +4063,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
| 4063 | struct sk_security_struct *sksec = sk->sk_security; | 4063 | struct sk_security_struct *sksec = sk->sk_security; |
| 4064 | u16 family = sk->sk_family; | 4064 | u16 family = sk->sk_family; |
| 4065 | u32 sk_sid = sksec->sid; | 4065 | u32 sk_sid = sksec->sid; |
| 4066 | struct common_audit_data ad; | 4066 | struct avc_audit_data ad; |
| 4067 | char *addrp; | 4067 | char *addrp; |
| 4068 | u8 secmark_active; | 4068 | u8 secmark_active; |
| 4069 | u8 peerlbl_active; | 4069 | u8 peerlbl_active; |
| @@ -4087,7 +4087,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
| 4087 | if (!secmark_active && !peerlbl_active) | 4087 | if (!secmark_active && !peerlbl_active) |
| 4088 | return 0; | 4088 | return 0; |
| 4089 | 4089 | ||
| 4090 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 4090 | AVC_AUDIT_DATA_INIT(&ad, NET); |
| 4091 | ad.u.net.netif = skb->iif; | 4091 | ad.u.net.netif = skb->iif; |
| 4092 | ad.u.net.family = family; | 4092 | ad.u.net.family = family; |
| 4093 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); | 4093 | err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); |
| @@ -4345,7 +4345,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, | |||
| 4345 | int err; | 4345 | int err; |
| 4346 | char *addrp; | 4346 | char *addrp; |
| 4347 | u32 peer_sid; | 4347 | u32 peer_sid; |
| 4348 | struct common_audit_data ad; | 4348 | struct avc_audit_data ad; |
| 4349 | u8 secmark_active; | 4349 | u8 secmark_active; |
| 4350 | u8 netlbl_active; | 4350 | u8 netlbl_active; |
| 4351 | u8 peerlbl_active; | 4351 | u8 peerlbl_active; |
| @@ -4362,7 +4362,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, | |||
| 4362 | if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) | 4362 | if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) |
| 4363 | return NF_DROP; | 4363 | return NF_DROP; |
| 4364 | 4364 | ||
| 4365 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 4365 | AVC_AUDIT_DATA_INIT(&ad, NET); |
| 4366 | ad.u.net.netif = ifindex; | 4366 | ad.u.net.netif = ifindex; |
| 4367 | ad.u.net.family = family; | 4367 | ad.u.net.family = family; |
| 4368 | if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) | 4368 | if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) |
| @@ -4450,7 +4450,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
| 4450 | { | 4450 | { |
| 4451 | struct sock *sk = skb->sk; | 4451 | struct sock *sk = skb->sk; |
| 4452 | struct sk_security_struct *sksec; | 4452 | struct sk_security_struct *sksec; |
| 4453 | struct common_audit_data ad; | 4453 | struct avc_audit_data ad; |
| 4454 | char *addrp; | 4454 | char *addrp; |
| 4455 | u8 proto; | 4455 | u8 proto; |
| 4456 | 4456 | ||
| @@ -4458,7 +4458,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
| 4458 | return NF_ACCEPT; | 4458 | return NF_ACCEPT; |
| 4459 | sksec = sk->sk_security; | 4459 | sksec = sk->sk_security; |
| 4460 | 4460 | ||
| 4461 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 4461 | AVC_AUDIT_DATA_INIT(&ad, NET); |
| 4462 | ad.u.net.netif = ifindex; | 4462 | ad.u.net.netif = ifindex; |
| 4463 | ad.u.net.family = family; | 4463 | ad.u.net.family = family; |
| 4464 | if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) | 4464 | if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) |
| @@ -4482,7 +4482,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 4482 | u32 secmark_perm; | 4482 | u32 secmark_perm; |
| 4483 | u32 peer_sid; | 4483 | u32 peer_sid; |
| 4484 | struct sock *sk; | 4484 | struct sock *sk; |
| 4485 | struct common_audit_data ad; | 4485 | struct avc_audit_data ad; |
| 4486 | char *addrp; | 4486 | char *addrp; |
| 4487 | u8 secmark_active; | 4487 | u8 secmark_active; |
| 4488 | u8 peerlbl_active; | 4488 | u8 peerlbl_active; |
| @@ -4541,7 +4541,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, | |||
| 4541 | secmark_perm = PACKET__SEND; | 4541 | secmark_perm = PACKET__SEND; |
| 4542 | } | 4542 | } |
| 4543 | 4543 | ||
| 4544 | COMMON_AUDIT_DATA_INIT(&ad, NET); | 4544 | AVC_AUDIT_DATA_INIT(&ad, NET); |
| 4545 | ad.u.net.netif = ifindex; | 4545 | ad.u.net.netif = ifindex; |
| 4546 | ad.u.net.family = family; | 4546 | ad.u.net.family = family; |
| 4547 | if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) | 4547 | if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) |
| @@ -4611,13 +4611,13 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) | |||
| 4611 | static int selinux_netlink_recv(struct sk_buff *skb, int capability) | 4611 | static int selinux_netlink_recv(struct sk_buff *skb, int capability) |
| 4612 | { | 4612 | { |
| 4613 | int err; | 4613 | int err; |
| 4614 | struct common_audit_data ad; | 4614 | struct avc_audit_data ad; |
| 4615 | 4615 | ||
| 4616 | err = cap_netlink_recv(skb, capability); | 4616 | err = cap_netlink_recv(skb, capability); |
| 4617 | if (err) | 4617 | if (err) |
| 4618 | return err; | 4618 | return err; |
| 4619 | 4619 | ||
| 4620 | COMMON_AUDIT_DATA_INIT(&ad, CAP); | 4620 | AVC_AUDIT_DATA_INIT(&ad, CAP); |
| 4621 | ad.u.cap = capability; | 4621 | ad.u.cap = capability; |
| 4622 | 4622 | ||
| 4623 | return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, | 4623 | return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, |
| @@ -4676,12 +4676,12 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, | |||
| 4676 | u32 perms) | 4676 | u32 perms) |
| 4677 | { | 4677 | { |
| 4678 | struct ipc_security_struct *isec; | 4678 | struct ipc_security_struct *isec; |
| 4679 | struct common_audit_data ad; | 4679 | struct avc_audit_data ad; |
| 4680 | u32 sid = current_sid(); | 4680 | u32 sid = current_sid(); |
| 4681 | 4681 | ||
| 4682 | isec = ipc_perms->security; | 4682 | isec = ipc_perms->security; |
| 4683 | 4683 | ||
| 4684 | COMMON_AUDIT_DATA_INIT(&ad, IPC); | 4684 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
| 4685 | ad.u.ipc_id = ipc_perms->key; | 4685 | ad.u.ipc_id = ipc_perms->key; |
| 4686 | 4686 | ||
| 4687 | return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); | 4687 | return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); |
| @@ -4701,7 +4701,7 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg) | |||
| 4701 | static int selinux_msg_queue_alloc_security(struct msg_queue *msq) | 4701 | static int selinux_msg_queue_alloc_security(struct msg_queue *msq) |
| 4702 | { | 4702 | { |
| 4703 | struct ipc_security_struct *isec; | 4703 | struct ipc_security_struct *isec; |
| 4704 | struct common_audit_data ad; | 4704 | struct avc_audit_data ad; |
| 4705 | u32 sid = current_sid(); | 4705 | u32 sid = current_sid(); |
| 4706 | int rc; | 4706 | int rc; |
| 4707 | 4707 | ||
| @@ -4711,7 +4711,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq) | |||
| 4711 | 4711 | ||
| 4712 | isec = msq->q_perm.security; | 4712 | isec = msq->q_perm.security; |
| 4713 | 4713 | ||
| 4714 | COMMON_AUDIT_DATA_INIT(&ad, IPC); | 4714 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
| 4715 | ad.u.ipc_id = msq->q_perm.key; | 4715 | ad.u.ipc_id = msq->q_perm.key; |
| 4716 | 4716 | ||
| 4717 | rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, | 4717 | rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, |
| @@ -4731,12 +4731,12 @@ static void selinux_msg_queue_free_security(struct msg_queue *msq) | |||
| 4731 | static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) | 4731 | static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) |
| 4732 | { | 4732 | { |
| 4733 | struct ipc_security_struct *isec; | 4733 | struct ipc_security_struct *isec; |
| 4734 | struct common_audit_data ad; | 4734 | struct avc_audit_data ad; |
| 4735 | u32 sid = current_sid(); | 4735 | u32 sid = current_sid(); |
| 4736 | 4736 | ||
| 4737 | isec = msq->q_perm.security; | 4737 | isec = msq->q_perm.security; |
| 4738 | 4738 | ||
| 4739 | COMMON_AUDIT_DATA_INIT(&ad, IPC); | 4739 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
| 4740 | ad.u.ipc_id = msq->q_perm.key; | 4740 | ad.u.ipc_id = msq->q_perm.key; |
| 4741 | 4741 | ||
| 4742 | return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, | 4742 | return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, |
| @@ -4775,7 +4775,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, | |||
| 4775 | { | 4775 | { |
| 4776 | struct ipc_security_struct *isec; | 4776 | struct ipc_security_struct *isec; |
| 4777 | struct msg_security_struct *msec; | 4777 | struct msg_security_struct *msec; |
| 4778 | struct common_audit_data ad; | 4778 | struct avc_audit_data ad; |
| 4779 | u32 sid = current_sid(); | 4779 | u32 sid = current_sid(); |
| 4780 | int rc; | 4780 | int rc; |
| 4781 | 4781 | ||
| @@ -4796,7 +4796,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, | |||
| 4796 | return rc; | 4796 | return rc; |
| 4797 | } | 4797 | } |
| 4798 | 4798 | ||
| 4799 | COMMON_AUDIT_DATA_INIT(&ad, IPC); | 4799 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
| 4800 | ad.u.ipc_id = msq->q_perm.key; | 4800 | ad.u.ipc_id = msq->q_perm.key; |
| 4801 | 4801 | ||
| 4802 | /* Can this process write to the queue? */ | 4802 | /* Can this process write to the queue? */ |
| @@ -4820,14 +4820,14 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | |||
| 4820 | { | 4820 | { |
| 4821 | struct ipc_security_struct *isec; | 4821 | struct ipc_security_struct *isec; |
| 4822 | struct msg_security_struct *msec; | 4822 | struct msg_security_struct *msec; |
| 4823 | struct common_audit_data ad; | 4823 | struct avc_audit_data ad; |
| 4824 | u32 sid = task_sid(target); | 4824 | u32 sid = task_sid(target); |
| 4825 | int rc; | 4825 | int rc; |
| 4826 | 4826 | ||
| 4827 | isec = msq->q_perm.security; | 4827 | isec = msq->q_perm.security; |
| 4828 | msec = msg->security; | 4828 | msec = msg->security; |
| 4829 | 4829 | ||
| 4830 | COMMON_AUDIT_DATA_INIT(&ad, IPC); | 4830 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
| 4831 | ad.u.ipc_id = msq->q_perm.key; | 4831 | ad.u.ipc_id = msq->q_perm.key; |
| 4832 | 4832 | ||
| 4833 | rc = avc_has_perm(sid, isec->sid, | 4833 | rc = avc_has_perm(sid, isec->sid, |
| @@ -4842,7 +4842,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | |||
| 4842 | static int selinux_shm_alloc_security(struct shmid_kernel *shp) | 4842 | static int selinux_shm_alloc_security(struct shmid_kernel *shp) |
| 4843 | { | 4843 | { |
| 4844 | struct ipc_security_struct *isec; | 4844 | struct ipc_security_struct *isec; |
| 4845 | struct common_audit_data ad; | 4845 | struct avc_audit_data ad; |
| 4846 | u32 sid = current_sid(); | 4846 | u32 sid = current_sid(); |
| 4847 | int rc; | 4847 | int rc; |
| 4848 | 4848 | ||
| @@ -4852,7 +4852,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp) | |||
| 4852 | 4852 | ||
| 4853 | isec = shp->shm_perm.security; | 4853 | isec = shp->shm_perm.security; |
| 4854 | 4854 | ||
| 4855 | COMMON_AUDIT_DATA_INIT(&ad, IPC); | 4855 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
| 4856 | ad.u.ipc_id = shp->shm_perm.key; | 4856 | ad.u.ipc_id = shp->shm_perm.key; |
| 4857 | 4857 | ||
| 4858 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, | 4858 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, |
| @@ -4872,12 +4872,12 @@ static void selinux_shm_free_security(struct shmid_kernel *shp) | |||
| 4872 | static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) | 4872 | static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) |
| 4873 | { | 4873 | { |
| 4874 | struct ipc_security_struct *isec; | 4874 | struct ipc_security_struct *isec; |
| 4875 | struct common_audit_data ad; | 4875 | struct avc_audit_data ad; |
| 4876 | u32 sid = current_sid(); | 4876 | u32 sid = current_sid(); |
| 4877 | 4877 | ||
| 4878 | isec = shp->shm_perm.security; | 4878 | isec = shp->shm_perm.security; |
| 4879 | 4879 | ||
| 4880 | COMMON_AUDIT_DATA_INIT(&ad, IPC); | 4880 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
| 4881 | ad.u.ipc_id = shp->shm_perm.key; | 4881 | ad.u.ipc_id = shp->shm_perm.key; |
| 4882 | 4882 | ||
| 4883 | return avc_has_perm(sid, isec->sid, SECCLASS_SHM, | 4883 | return avc_has_perm(sid, isec->sid, SECCLASS_SHM, |
| @@ -4934,7 +4934,7 @@ static int selinux_shm_shmat(struct shmid_kernel *shp, | |||
| 4934 | static int selinux_sem_alloc_security(struct sem_array *sma) | 4934 | static int selinux_sem_alloc_security(struct sem_array *sma) |
| 4935 | { | 4935 | { |
| 4936 | struct ipc_security_struct *isec; | 4936 | struct ipc_security_struct *isec; |
| 4937 | struct common_audit_data ad; | 4937 | struct avc_audit_data ad; |
| 4938 | u32 sid = current_sid(); | 4938 | u32 sid = current_sid(); |
| 4939 | int rc; | 4939 | int rc; |
| 4940 | 4940 | ||
| @@ -4944,7 +4944,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma) | |||
| 4944 | 4944 | ||
| 4945 | isec = sma->sem_perm.security; | 4945 | isec = sma->sem_perm.security; |
| 4946 | 4946 | ||
| 4947 | COMMON_AUDIT_DATA_INIT(&ad, IPC); | 4947 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
| 4948 | ad.u.ipc_id = sma->sem_perm.key; | 4948 | ad.u.ipc_id = sma->sem_perm.key; |
| 4949 | 4949 | ||
| 4950 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, | 4950 | rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, |
| @@ -4964,12 +4964,12 @@ static void selinux_sem_free_security(struct sem_array *sma) | |||
| 4964 | static int selinux_sem_associate(struct sem_array *sma, int semflg) | 4964 | static int selinux_sem_associate(struct sem_array *sma, int semflg) |
| 4965 | { | 4965 | { |
| 4966 | struct ipc_security_struct *isec; | 4966 | struct ipc_security_struct *isec; |
| 4967 | struct common_audit_data ad; | 4967 | struct avc_audit_data ad; |
| 4968 | u32 sid = current_sid(); | 4968 | u32 sid = current_sid(); |
| 4969 | 4969 | ||
| 4970 | isec = sma->sem_perm.security; | 4970 | isec = sma->sem_perm.security; |
| 4971 | 4971 | ||
| 4972 | COMMON_AUDIT_DATA_INIT(&ad, IPC); | 4972 | AVC_AUDIT_DATA_INIT(&ad, IPC); |
| 4973 | ad.u.ipc_id = sma->sem_perm.key; | 4973 | ad.u.ipc_id = sma->sem_perm.key; |
| 4974 | 4974 | ||
| 4975 | return avc_has_perm(sid, isec->sid, SECCLASS_SEM, | 4975 | return avc_has_perm(sid, isec->sid, SECCLASS_SEM, |
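--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -13,7 +13,6 @@
 #include <linux/spinlock.h>
 #include <linux/init.h>
 #include <linux/audit.h>
-#include <linux/lsm_audit.h>
 #include <linux/in6.h>
 #include <linux/path.h>
 #include <asm/system.h>
@@ -37,6 +36,48 @@ struct inode;
 struct sock;
 struct sk_buff;
 
+/* Auxiliary data to use in generating the audit record. */
+struct avc_audit_data {
+char type;
+#define AVC_AUDIT_DATA_FS 1
+#define AVC_AUDIT_DATA_NET 2
+#define AVC_AUDIT_DATA_CAP 3
+#define AVC_AUDIT_DATA_IPC 4
+struct task_struct *tsk;
+union {
+struct {
+struct path path;
+struct inode *inode;
+} fs;
+struct {
+int netif;
+struct sock *sk;
+u16 family;
+__be16 dport;
+__be16 sport;
+union {
+struct {
+__be32 daddr;
+__be32 saddr;
+} v4;
+struct {
+struct in6_addr daddr;
+struct in6_addr saddr;
+} v6;
+} fam;
+} net;
+int cap;
+int ipc_id;
+} u;
+};
+
+#define v4info fam.v4
+#define v6info fam.v6
+
+/* Initialize an AVC audit data structure. */
+#define AVC_AUDIT_DATA_INIT(_d,_t) \
+{ memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; }
+
 /*
 * AVC statistics
 */
@@ -57,9 +98,7 @@ void __init avc_init(void);
 
 void avc_audit(u32 ssid, u32 tsid,
 u16 tclass, u32 requested,
-struct av_decision *avd,
-int result,
-struct common_audit_data *a);
+struct av_decision *avd, int result, struct avc_audit_data *auditdata);
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
@@ -69,7 +108,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 
 int avc_has_perm(u32 ssid, u32 tsid,
 u16 tclass, u32 requested,
-struct common_audit_data *auditdata);
+struct avc_audit_data *auditdata);
 
 u32 avc_policy_seqno(void);
 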
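Review bot: The restored `AVC_AUDIT_DATA_INIT` (new line 79) expands to a bare `{ ... }` block, so a caller writing `if (cond) AVC_AUDIT_DATA_INIT(&ad, NET); else ...` gets a syntax error from the stray `;` before `else`; the kernel idiom is `#define AVC_AUDIT_DATA_INIT(_d, _t) do { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; } while (0)`. The `memset` itself should stay as-is: zeroing the whole union is what keeps stale stack bytes (and the pointers in `u.net`/`u.fs`) out of an audit record for the variants that do not fill every field. Separately, `#define v4info fam.v4` and `#define v6info fam.v6` (lines 74-75) are unprefixed object-like macros that silently rewrite any identifier named `v4info`/`v6info` in every translation unit including this header; if this change is meant to be a straight revert to the pre-unification code that may be intentional, but a follow-up should either namespace them or replace the uses with the `u.net.fam.v4`/`.v6` members directly. The comment on the struct could also state which `u` member each `type` value selects, e.g. `/* type selects the live union member: FS -> u.fs, NET -> u.net, CAP -> u.cap, IPC -> u.ipc_id */`.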
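--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -59,7 +59,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 struct sk_buff *skb,
 u16 family,
-struct common_audit_data *ad);
+struct avc_audit_data *ad);
 int selinux_netlbl_socket_setsockopt(struct socket *sock,
 int level,
 int optname);
@@ -129,7 +129,7 @@ static inline int selinux_netlbl_socket_post_create(struct sock *sk,
 static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 struct sk_buff *skb,
 u16 family,
-struct common_audit_data *ad)
+struct avc_audit_data *ad)
 {
 return 0;
 }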
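--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -41,9 +41,9 @@ static inline int selinux_xfrm_enabled(void)
 }
 
 int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
-struct common_audit_data *ad);
+struct avc_audit_data *ad);
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-struct common_audit_data *ad, u8 proto);
+struct avc_audit_data *ad, u8 proto);
 int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 
 static inline void selinux_xfrm_notify_policyload(void)
@@ -57,13 +57,13 @@ static inline int selinux_xfrm_enabled(void)
 }
 
 static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
-struct common_audit_data *ad)
+struct avc_audit_data *ad)
 {
 return 0;
 }
 
 static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-struct common_audit_data *ad, u8 proto)
+struct avc_audit_data *ad, u8 proto)
 {
 return 0;
 }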
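--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -342,7 +342,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 struct sk_buff *skb,
 u16 family,
-struct common_audit_data *ad)
+struct avc_audit_data *ad)
 {
 int rc;
 u32 nlbl_sid;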
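--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -401,7 +401,7 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
 * gone thru the IPSec process.
 */
 int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
-struct common_audit_data *ad)
+struct avc_audit_data *ad)
 {
 int i, rc = 0;
 struct sec_path *sp;
@@ -442,7 +442,7 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
 * checked in the selinux_xfrm_state_pol_flow_match hook above.
 */
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
-struct common_audit_data *ad, u8 proto)
+struct avc_audit_data *ad, u8 proto)
 {
 struct dst_entry *dst;
 int rc = 0;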
