aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/avc.c40
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/selinux/nlmsgtab.c10
-rw-r--r--security/selinux/ss/services.c4
4 files changed, 32 insertions, 24 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 85a6f66a87..451502467a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -242,7 +242,7 @@ void __init avc_init(void)
242 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), 242 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
243 0, SLAB_PANIC, NULL, NULL); 243 0, SLAB_PANIC, NULL, NULL);
244 244
245 audit_log(current->audit_context, "AVC INITIALIZED\n"); 245 audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n");
246} 246}
247 247
248int avc_get_hash_stats(char *page) 248int avc_get_hash_stats(char *page)
@@ -532,6 +532,7 @@ void avc_audit(u32 ssid, u32 tsid,
532 u16 tclass, u32 requested, 532 u16 tclass, u32 requested,
533 struct av_decision *avd, int result, struct avc_audit_data *a) 533 struct av_decision *avd, int result, struct avc_audit_data *a)
534{ 534{
535 struct task_struct *tsk = current;
535 struct inode *inode = NULL; 536 struct inode *inode = NULL;
536 u32 denied, audited; 537 u32 denied, audited;
537 struct audit_buffer *ab; 538 struct audit_buffer *ab;
@@ -549,12 +550,18 @@ void avc_audit(u32 ssid, u32 tsid,
549 return; 550 return;
550 } 551 }
551 552
552 ab = audit_log_start(current->audit_context); 553 ab = audit_log_start(current->audit_context, AUDIT_AVC);
553 if (!ab) 554 if (!ab)
554 return; /* audit_panic has been called */ 555 return; /* audit_panic has been called */
555 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); 556 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
556 avc_dump_av(ab, tclass,audited); 557 avc_dump_av(ab, tclass,audited);
557 audit_log_format(ab, " for "); 558 audit_log_format(ab, " for ");
559 if (a && a->tsk)
560 tsk = a->tsk;
561 if (tsk && tsk->pid) {
562 audit_log_format(ab, " pid=%d comm=", tsk->pid);
563 audit_log_untrustedstring(ab, tsk->comm);
564 }
558 if (a) { 565 if (a) {
559 switch (a->type) { 566 switch (a->type) {
560 case AVC_AUDIT_DATA_IPC: 567 case AVC_AUDIT_DATA_IPC:
@@ -566,21 +573,18 @@ void avc_audit(u32 ssid, u32 tsid,
566 case AVC_AUDIT_DATA_FS: 573 case AVC_AUDIT_DATA_FS:
567 if (a->u.fs.dentry) { 574 if (a->u.fs.dentry) {
568 struct dentry *dentry = a->u.fs.dentry; 575 struct dentry *dentry = a->u.fs.dentry;
569 if (a->u.fs.mnt) { 576 if (a->u.fs.mnt)
570 audit_log_d_path(ab, "path=", dentry, 577 audit_avc_path(dentry, a->u.fs.mnt);
571 a->u.fs.mnt); 578 audit_log_format(ab, " name=");
572 } else { 579 audit_log_untrustedstring(ab, dentry->d_name.name);
573 audit_log_format(ab, " name=%s",
574 dentry->d_name.name);
575 }
576 inode = dentry->d_inode; 580 inode = dentry->d_inode;
577 } else if (a->u.fs.inode) { 581 } else if (a->u.fs.inode) {
578 struct dentry *dentry; 582 struct dentry *dentry;
579 inode = a->u.fs.inode; 583 inode = a->u.fs.inode;
580 dentry = d_find_alias(inode); 584 dentry = d_find_alias(inode);
581 if (dentry) { 585 if (dentry) {
582 audit_log_format(ab, " name=%s", 586 audit_log_format(ab, " name=");
583 dentry->d_name.name); 587 audit_log_untrustedstring(ab, dentry->d_name.name);
584 dput(dentry); 588 dput(dentry);
585 } 589 }
586 } 590 }
@@ -623,22 +627,20 @@ void avc_audit(u32 ssid, u32 tsid,
623 case AF_UNIX: 627 case AF_UNIX:
624 u = unix_sk(sk); 628 u = unix_sk(sk);
625 if (u->dentry) { 629 if (u->dentry) {
626 audit_log_d_path(ab, "path=", 630 audit_avc_path(u->dentry, u->mnt);
627 u->dentry, u->mnt); 631 audit_log_format(ab, " name=");
632 audit_log_untrustedstring(ab, u->dentry->d_name.name);
628 break; 633 break;
629 } 634 }
630 if (!u->addr) 635 if (!u->addr)
631 break; 636 break;
632 len = u->addr->len-sizeof(short); 637 len = u->addr->len-sizeof(short);
633 p = &u->addr->name->sun_path[0]; 638 p = &u->addr->name->sun_path[0];
639 audit_log_format(ab, " path=");
634 if (*p) 640 if (*p)
635 audit_log_format(ab, 641 audit_log_untrustedstring(ab, p);
636 "path=%*.*s", len,
637 len, p);
638 else 642 else
639 audit_log_format(ab, 643 audit_log_hex(ab, p, len);
640 "path=@%*.*s", len-1,
641 len-1, p+1);
642 break; 644 break;
643 } 645 }
644 } 646 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index aae1e794fe..db845cbd58 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3419,7 +3419,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3419 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 3419 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3420 if (err) { 3420 if (err) {
3421 if (err == -EINVAL) { 3421 if (err == -EINVAL) {
3422 audit_log(current->audit_context, 3422 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
3423 "SELinux: unrecognized netlink message" 3423 "SELinux: unrecognized netlink message"
3424 " type=%hu for sclass=%hu\n", 3424 " type=%hu for sclass=%hu\n",
3425 nlh->nlmsg_type, isec->sclass); 3425 nlh->nlmsg_type, isec->sclass);
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index b3adb481bc..f0fb6d76f7 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -97,6 +97,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
97 { AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, 97 { AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
98 { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, 98 { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
99 { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, 99 { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
100 { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
100}; 101};
101 102
102 103
@@ -141,8 +142,13 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
141 break; 142 break;
142 143
143 case SECCLASS_NETLINK_AUDIT_SOCKET: 144 case SECCLASS_NETLINK_AUDIT_SOCKET:
144 err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, 145 if (nlmsg_type >= AUDIT_FIRST_USER_MSG &&
145 sizeof(nlmsg_audit_perms)); 146 nlmsg_type <= AUDIT_LAST_USER_MSG) {
147 *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
148 } else {
149 err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
150 sizeof(nlmsg_audit_perms));
151 }
146 break; 152 break;
147 153
148 /* No messaging from userspace, or class unknown/unhandled */ 154 /* No messaging from userspace, or class unknown/unhandled */
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 8449d667b0..b6149147d5 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -365,7 +365,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
365 goto out; 365 goto out;
366 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 366 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
367 goto out; 367 goto out;
368 audit_log(current->audit_context, 368 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
369 "security_validate_transition: denied for" 369 "security_validate_transition: denied for"
370 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 370 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
371 o, n, t, policydb.p_class_val_to_name[tclass-1]); 371 o, n, t, policydb.p_class_val_to_name[tclass-1]);
@@ -742,7 +742,7 @@ static int compute_sid_handle_invalid_context(
742 goto out; 742 goto out;
743 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 743 if (context_struct_to_string(newcontext, &n, &nlen) < 0)
744 goto out; 744 goto out;
745 audit_log(current->audit_context, 745 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
746 "security_compute_sid: invalid context %s" 746 "security_compute_sid: invalid context %s"
747 " for scontext=%s" 747 " for scontext=%s"
748 " tcontext=%s" 748 " tcontext=%s"
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-26 14:09:58 -0400