SELinux: unify the selinux_audit_data and selinux_late_audit_data
We no longer need the distinction: the only data we need is what is collected after we have decided to emit an audit record. So turn the "late" audit data into just "data" and remove what we currently have as "data". Signed-off-by: Eric Paris <eparis@redhat.com>
parent
1d34929271
commit
899838b25f
@ -436,9 +436,9 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
|
|||||||
{
|
{
|
||||||
struct common_audit_data *ad = a;
|
struct common_audit_data *ad = a;
|
||||||
audit_log_format(ab, "avc: %s ",
|
audit_log_format(ab, "avc: %s ",
|
||||||
ad->selinux_audit_data->slad->denied ? "denied" : "granted");
|
ad->selinux_audit_data->denied ? "denied" : "granted");
|
||||||
avc_dump_av(ab, ad->selinux_audit_data->slad->tclass,
|
avc_dump_av(ab, ad->selinux_audit_data->tclass,
|
||||||
ad->selinux_audit_data->slad->audited);
|
ad->selinux_audit_data->audited);
|
||||||
audit_log_format(ab, " for ");
|
audit_log_format(ab, " for ");
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -452,9 +452,9 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
|
|||||||
{
|
{
|
||||||
struct common_audit_data *ad = a;
|
struct common_audit_data *ad = a;
|
||||||
audit_log_format(ab, " ");
|
audit_log_format(ab, " ");
|
||||||
avc_dump_query(ab, ad->selinux_audit_data->slad->ssid,
|
avc_dump_query(ab, ad->selinux_audit_data->ssid,
|
||||||
ad->selinux_audit_data->slad->tsid,
|
ad->selinux_audit_data->tsid,
|
||||||
ad->selinux_audit_data->slad->tclass);
|
ad->selinux_audit_data->tclass);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* This is the slow part of avc audit with big stack footprint */
|
/* This is the slow part of avc audit with big stack footprint */
|
||||||
@ -464,13 +464,11 @@ noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
|
|||||||
unsigned flags)
|
unsigned flags)
|
||||||
{
|
{
|
||||||
struct common_audit_data stack_data;
|
struct common_audit_data stack_data;
|
||||||
struct selinux_audit_data sad = {0,};
|
struct selinux_audit_data sad;
|
||||||
struct selinux_late_audit_data slad;
|
|
||||||
|
|
||||||
if (!a) {
|
if (!a) {
|
||||||
a = &stack_data;
|
a = &stack_data;
|
||||||
a->type = LSM_AUDIT_DATA_NONE;
|
a->type = LSM_AUDIT_DATA_NONE;
|
||||||
a->selinux_audit_data = &sad;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -484,14 +482,15 @@ noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
|
|||||||
(flags & MAY_NOT_BLOCK))
|
(flags & MAY_NOT_BLOCK))
|
||||||
return -ECHILD;
|
return -ECHILD;
|
||||||
|
|
||||||
slad.tclass = tclass;
|
sad.tclass = tclass;
|
||||||
slad.requested = requested;
|
sad.requested = requested;
|
||||||
slad.ssid = ssid;
|
sad.ssid = ssid;
|
||||||
slad.tsid = tsid;
|
sad.tsid = tsid;
|
||||||
slad.audited = audited;
|
sad.audited = audited;
|
||||||
slad.denied = denied;
|
sad.denied = denied;
|
||||||
|
|
||||||
|
a->selinux_audit_data = &sad;
|
||||||
|
|
||||||
a->selinux_audit_data->slad = &slad;
|
|
||||||
common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
|
common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
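Review bot: In the slow_avc_audit hunk the zero-initializer is dropped from the new `struct selinux_audit_data sad;`, but the six assignments that follow fill only tclass, requested, ssid, tsid, audited and denied, and the struct's `result` member (visible in the avc.h hunk) is never written here. The visible pre/post callbacks do not read `result`, but if anything reached through common_lsm_audit does, it now sees whatever was left on the stack, and I cannot see every consumer from this hunk. Either keep `struct selinux_audit_data sad = {0,};` so the struct is fully defined on every path, or, if `result` is genuinely dead after this unification, drop the member in the same commit so the invariant is visible in the type. Separately, `a->selinux_audit_data = &sad;` now stores a pointer to this function's frame into the caller's `struct common_audit_data`, so it is only meaningful until slow_avc_audit returns; a comment above that line such as `/* points at our stack; valid only for the duration of common_lsm_audit() below */` would make the lifetime explicit.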
@ -1420,7 +1420,6 @@ static int cred_has_capability(const struct cred *cred,
|
|||||||
int cap, int audit)
|
int cap, int audit)
|
||||||
{
|
{
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct av_decision avd;
|
struct av_decision avd;
|
||||||
u16 sclass;
|
u16 sclass;
|
||||||
u32 sid = cred_sid(cred);
|
u32 sid = cred_sid(cred);
|
||||||
@ -1428,7 +1427,6 @@ static int cred_has_capability(const struct cred *cred,
|
|||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_CAP;
|
ad.type = LSM_AUDIT_DATA_CAP;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.cap = cap;
|
ad.u.cap = cap;
|
||||||
|
|
||||||
switch (CAP_TO_INDEX(cap)) {
|
switch (CAP_TO_INDEX(cap)) {
|
||||||
@ -1496,11 +1494,9 @@ static inline int dentry_has_perm(const struct cred *cred,
|
|||||||
{
|
{
|
||||||
struct inode *inode = dentry->d_inode;
|
struct inode *inode = dentry->d_inode;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_DENTRY;
|
ad.type = LSM_AUDIT_DATA_DENTRY;
|
||||||
ad.u.dentry = dentry;
|
ad.u.dentry = dentry;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
return inode_has_perm(cred, inode, av, &ad, 0);
|
return inode_has_perm(cred, inode, av, &ad, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1513,11 +1509,9 @@ static inline int path_has_perm(const struct cred *cred,
|
|||||||
{
|
{
|
||||||
struct inode *inode = path->dentry->d_inode;
|
struct inode *inode = path->dentry->d_inode;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_PATH;
|
ad.type = LSM_AUDIT_DATA_PATH;
|
||||||
ad.u.path = *path;
|
ad.u.path = *path;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
return inode_has_perm(cred, inode, av, &ad, 0);
|
return inode_has_perm(cred, inode, av, &ad, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1536,13 +1530,11 @@ static int file_has_perm(const struct cred *cred,
|
|||||||
struct file_security_struct *fsec = file->f_security;
|
struct file_security_struct *fsec = file->f_security;
|
||||||
struct inode *inode = file->f_path.dentry->d_inode;
|
struct inode *inode = file->f_path.dentry->d_inode;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = cred_sid(cred);
|
u32 sid = cred_sid(cred);
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_PATH;
|
ad.type = LSM_AUDIT_DATA_PATH;
|
||||||
ad.u.path = file->f_path;
|
ad.u.path = file->f_path;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
|
|
||||||
if (sid != fsec->sid) {
|
if (sid != fsec->sid) {
|
||||||
rc = avc_has_perm(sid, fsec->sid,
|
rc = avc_has_perm(sid, fsec->sid,
|
||||||
@ -1572,7 +1564,6 @@ static int may_create(struct inode *dir,
|
|||||||
struct superblock_security_struct *sbsec;
|
struct superblock_security_struct *sbsec;
|
||||||
u32 sid, newsid;
|
u32 sid, newsid;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
dsec = dir->i_security;
|
dsec = dir->i_security;
|
||||||
@ -1583,7 +1574,6 @@ static int may_create(struct inode *dir,
|
|||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_DENTRY;
|
ad.type = LSM_AUDIT_DATA_DENTRY;
|
||||||
ad.u.dentry = dentry;
|
ad.u.dentry = dentry;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
|
|
||||||
rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
|
rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
|
||||||
DIR__ADD_NAME | DIR__SEARCH,
|
DIR__ADD_NAME | DIR__SEARCH,
|
||||||
@ -1628,7 +1618,6 @@ static int may_link(struct inode *dir,
|
|||||||
{
|
{
|
||||||
struct inode_security_struct *dsec, *isec;
|
struct inode_security_struct *dsec, *isec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = current_sid();
|
u32 sid = current_sid();
|
||||||
u32 av;
|
u32 av;
|
||||||
int rc;
|
int rc;
|
||||||
@ -1638,7 +1627,6 @@ static int may_link(struct inode *dir,
|
|||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_DENTRY;
|
ad.type = LSM_AUDIT_DATA_DENTRY;
|
||||||
ad.u.dentry = dentry;
|
ad.u.dentry = dentry;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
|
|
||||||
av = DIR__SEARCH;
|
av = DIR__SEARCH;
|
||||||
av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
|
av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
|
||||||
@ -1673,7 +1661,6 @@ static inline int may_rename(struct inode *old_dir,
|
|||||||
{
|
{
|
||||||
struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
|
struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = current_sid();
|
u32 sid = current_sid();
|
||||||
u32 av;
|
u32 av;
|
||||||
int old_is_dir, new_is_dir;
|
int old_is_dir, new_is_dir;
|
||||||
@ -1685,7 +1672,6 @@ static inline int may_rename(struct inode *old_dir,
|
|||||||
new_dsec = new_dir->i_security;
|
new_dsec = new_dir->i_security;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_DENTRY;
|
ad.type = LSM_AUDIT_DATA_DENTRY;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
|
|
||||||
ad.u.dentry = old_dentry;
|
ad.u.dentry = old_dentry;
|
||||||
rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
|
rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
|
||||||
@ -1971,7 +1957,6 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
|
|||||||
struct task_security_struct *new_tsec;
|
struct task_security_struct *new_tsec;
|
||||||
struct inode_security_struct *isec;
|
struct inode_security_struct *isec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct inode *inode = bprm->file->f_path.dentry->d_inode;
|
struct inode *inode = bprm->file->f_path.dentry->d_inode;
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
@ -2011,7 +1996,6 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
|
|||||||
}
|
}
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_PATH;
|
ad.type = LSM_AUDIT_DATA_PATH;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.path = bprm->file->f_path;
|
ad.u.path = bprm->file->f_path;
|
||||||
|
|
||||||
if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
|
if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
|
||||||
@ -2101,7 +2085,6 @@ static inline void flush_unauthorized_files(const struct cred *cred,
|
|||||||
struct files_struct *files)
|
struct files_struct *files)
|
||||||
{
|
{
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct file *file, *devnull = NULL;
|
struct file *file, *devnull = NULL;
|
||||||
struct tty_struct *tty;
|
struct tty_struct *tty;
|
||||||
struct fdtable *fdt;
|
struct fdtable *fdt;
|
||||||
@ -2135,7 +2118,6 @@ static inline void flush_unauthorized_files(const struct cred *cred,
|
|||||||
/* Revalidate access to inherited open files. */
|
/* Revalidate access to inherited open files. */
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_INODE;
|
ad.type = LSM_AUDIT_DATA_INODE;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
|
|
||||||
spin_lock(&files->file_lock);
|
spin_lock(&files->file_lock);
|
||||||
for (;;) {
|
for (;;) {
|
||||||
@ -2473,7 +2455,6 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
|
|||||||
{
|
{
|
||||||
const struct cred *cred = current_cred();
|
const struct cred *cred = current_cred();
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
rc = superblock_doinit(sb, data);
|
rc = superblock_doinit(sb, data);
|
||||||
@ -2485,7 +2466,6 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_DENTRY;
|
ad.type = LSM_AUDIT_DATA_DENTRY;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.dentry = sb->s_root;
|
ad.u.dentry = sb->s_root;
|
||||||
return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
|
return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
|
||||||
}
|
}
|
||||||
@ -2494,10 +2474,8 @@ static int selinux_sb_statfs(struct dentry *dentry)
|
|||||||
{
|
{
|
||||||
const struct cred *cred = current_cred();
|
const struct cred *cred = current_cred();
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_DENTRY;
|
ad.type = LSM_AUDIT_DATA_DENTRY;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.dentry = dentry->d_sb->s_root;
|
ad.u.dentry = dentry->d_sb->s_root;
|
||||||
return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
|
return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
|
||||||
}
|
}
|
||||||
@ -2662,12 +2640,10 @@ static noinline int audit_inode_permission(struct inode *inode,
|
|||||||
unsigned flags)
|
unsigned flags)
|
||||||
{
|
{
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct inode_security_struct *isec = inode->i_security;
|
struct inode_security_struct *isec = inode->i_security;
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_INODE;
|
ad.type = LSM_AUDIT_DATA_INODE;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.inode = inode;
|
ad.u.inode = inode;
|
||||||
|
|
||||||
rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
|
rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
|
||||||
@ -2782,7 +2758,6 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
|
|||||||
struct inode_security_struct *isec = inode->i_security;
|
struct inode_security_struct *isec = inode->i_security;
|
||||||
struct superblock_security_struct *sbsec;
|
struct superblock_security_struct *sbsec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 newsid, sid = current_sid();
|
u32 newsid, sid = current_sid();
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
||||||
@ -2797,7 +2772,6 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
|
|||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_DENTRY;
|
ad.type = LSM_AUDIT_DATA_DENTRY;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.dentry = dentry;
|
ad.u.dentry = dentry;
|
||||||
|
|
||||||
rc = avc_has_perm(sid, isec->sid, isec->sclass,
|
rc = avc_has_perm(sid, isec->sid, isec->sclass,
|
||||||
@ -3407,12 +3381,10 @@ static int selinux_kernel_module_request(char *kmod_name)
|
|||||||
{
|
{
|
||||||
u32 sid;
|
u32 sid;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
|
|
||||||
sid = task_sid(current);
|
sid = task_sid(current);
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_KMOD;
|
ad.type = LSM_AUDIT_DATA_KMOD;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.kmod_name = kmod_name;
|
ad.u.kmod_name = kmod_name;
|
||||||
|
|
||||||
return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
|
return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
|
||||||
@ -3785,7 +3757,6 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
|
|||||||
{
|
{
|
||||||
struct sk_security_struct *sksec = sk->sk_security;
|
struct sk_security_struct *sksec = sk->sk_security;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct lsm_network_audit net = {0,};
|
struct lsm_network_audit net = {0,};
|
||||||
u32 tsid = task_sid(task);
|
u32 tsid = task_sid(task);
|
||||||
|
|
||||||
@ -3793,7 +3764,6 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_NET;
|
ad.type = LSM_AUDIT_DATA_NET;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.net = &net;
|
ad.u.net = &net;
|
||||||
ad.u.net->sk = sk;
|
ad.u.net->sk = sk;
|
||||||
|
|
||||||
@ -3873,7 +3843,6 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
|
|||||||
char *addrp;
|
char *addrp;
|
||||||
struct sk_security_struct *sksec = sk->sk_security;
|
struct sk_security_struct *sksec = sk->sk_security;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct lsm_network_audit net = {0,};
|
struct lsm_network_audit net = {0,};
|
||||||
struct sockaddr_in *addr4 = NULL;
|
struct sockaddr_in *addr4 = NULL;
|
||||||
struct sockaddr_in6 *addr6 = NULL;
|
struct sockaddr_in6 *addr6 = NULL;
|
||||||
@ -3901,7 +3870,6 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
|
|||||||
if (err)
|
if (err)
|
||||||
goto out;
|
goto out;
|
||||||
ad.type = LSM_AUDIT_DATA_NET;
|
ad.type = LSM_AUDIT_DATA_NET;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.net = &net;
|
ad.u.net = &net;
|
||||||
ad.u.net->sport = htons(snum);
|
ad.u.net->sport = htons(snum);
|
||||||
ad.u.net->family = family;
|
ad.u.net->family = family;
|
||||||
@ -3936,7 +3904,6 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
|
|||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_NET;
|
ad.type = LSM_AUDIT_DATA_NET;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.net = &net;
|
ad.u.net = &net;
|
||||||
ad.u.net->sport = htons(snum);
|
ad.u.net->sport = htons(snum);
|
||||||
ad.u.net->family = family;
|
ad.u.net->family = family;
|
||||||
@ -3971,7 +3938,6 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
|
|||||||
if (sksec->sclass == SECCLASS_TCP_SOCKET ||
|
if (sksec->sclass == SECCLASS_TCP_SOCKET ||
|
||||||
sksec->sclass == SECCLASS_DCCP_SOCKET) {
|
sksec->sclass == SECCLASS_DCCP_SOCKET) {
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct lsm_network_audit net = {0,};
|
struct lsm_network_audit net = {0,};
|
||||||
struct sockaddr_in *addr4 = NULL;
|
struct sockaddr_in *addr4 = NULL;
|
||||||
struct sockaddr_in6 *addr6 = NULL;
|
struct sockaddr_in6 *addr6 = NULL;
|
||||||
@ -3998,7 +3964,6 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
|
|||||||
TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
|
TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_NET;
|
ad.type = LSM_AUDIT_DATA_NET;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.net = &net;
|
ad.u.net = &net;
|
||||||
ad.u.net->dport = htons(snum);
|
ad.u.net->dport = htons(snum);
|
||||||
ad.u.net->family = sk->sk_family;
|
ad.u.net->family = sk->sk_family;
|
||||||
@ -4090,12 +4055,10 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
|
|||||||
struct sk_security_struct *sksec_other = other->sk_security;
|
struct sk_security_struct *sksec_other = other->sk_security;
|
||||||
struct sk_security_struct *sksec_new = newsk->sk_security;
|
struct sk_security_struct *sksec_new = newsk->sk_security;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct lsm_network_audit net = {0,};
|
struct lsm_network_audit net = {0,};
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_NET;
|
ad.type = LSM_AUDIT_DATA_NET;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.net = &net;
|
ad.u.net = &net;
|
||||||
ad.u.net->sk = other;
|
ad.u.net->sk = other;
|
||||||
|
|
||||||
@ -4124,11 +4087,9 @@ static int selinux_socket_unix_may_send(struct socket *sock,
|
|||||||
struct sk_security_struct *ssec = sock->sk->sk_security;
|
struct sk_security_struct *ssec = sock->sk->sk_security;
|
||||||
struct sk_security_struct *osec = other->sk->sk_security;
|
struct sk_security_struct *osec = other->sk->sk_security;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct lsm_network_audit net = {0,};
|
struct lsm_network_audit net = {0,};
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_NET;
|
ad.type = LSM_AUDIT_DATA_NET;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.net = &net;
|
ad.u.net = &net;
|
||||||
ad.u.net->sk = other->sk;
|
ad.u.net->sk = other->sk;
|
||||||
|
|
||||||
@ -4166,12 +4127,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
|
|||||||
struct sk_security_struct *sksec = sk->sk_security;
|
struct sk_security_struct *sksec = sk->sk_security;
|
||||||
u32 sk_sid = sksec->sid;
|
u32 sk_sid = sksec->sid;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct lsm_network_audit net = {0,};
|
struct lsm_network_audit net = {0,};
|
||||||
char *addrp;
|
char *addrp;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_NET;
|
ad.type = LSM_AUDIT_DATA_NET;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.net = &net;
|
ad.u.net = &net;
|
||||||
ad.u.net->netif = skb->skb_iif;
|
ad.u.net->netif = skb->skb_iif;
|
||||||
ad.u.net->family = family;
|
ad.u.net->family = family;
|
||||||
@ -4201,7 +4160,6 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
|
|||||||
u16 family = sk->sk_family;
|
u16 family = sk->sk_family;
|
||||||
u32 sk_sid = sksec->sid;
|
u32 sk_sid = sksec->sid;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct lsm_network_audit net = {0,};
|
struct lsm_network_audit net = {0,};
|
||||||
char *addrp;
|
char *addrp;
|
||||||
u8 secmark_active;
|
u8 secmark_active;
|
||||||
@ -4227,7 +4185,6 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_NET;
|
ad.type = LSM_AUDIT_DATA_NET;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.net = &net;
|
ad.u.net = &net;
|
||||||
ad.u.net->netif = skb->skb_iif;
|
ad.u.net->netif = skb->skb_iif;
|
||||||
ad.u.net->family = family;
|
ad.u.net->family = family;
|
||||||
@ -4565,7 +4522,6 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
|
|||||||
char *addrp;
|
char *addrp;
|
||||||
u32 peer_sid;
|
u32 peer_sid;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct lsm_network_audit net = {0,};
|
struct lsm_network_audit net = {0,};
|
||||||
u8 secmark_active;
|
u8 secmark_active;
|
||||||
u8 netlbl_active;
|
u8 netlbl_active;
|
||||||
@ -4584,7 +4540,6 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
|
|||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_NET;
|
ad.type = LSM_AUDIT_DATA_NET;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.net = &net;
|
ad.u.net = &net;
|
||||||
ad.u.net->netif = ifindex;
|
ad.u.net->netif = ifindex;
|
||||||
ad.u.net->family = family;
|
ad.u.net->family = family;
|
||||||
@ -4674,7 +4629,6 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
|
|||||||
struct sock *sk = skb->sk;
|
struct sock *sk = skb->sk;
|
||||||
struct sk_security_struct *sksec;
|
struct sk_security_struct *sksec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct lsm_network_audit net = {0,};
|
struct lsm_network_audit net = {0,};
|
||||||
char *addrp;
|
char *addrp;
|
||||||
u8 proto;
|
u8 proto;
|
||||||
@ -4684,7 +4638,6 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
|
|||||||
sksec = sk->sk_security;
|
sksec = sk->sk_security;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_NET;
|
ad.type = LSM_AUDIT_DATA_NET;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.net = &net;
|
ad.u.net = &net;
|
||||||
ad.u.net->netif = ifindex;
|
ad.u.net->netif = ifindex;
|
||||||
ad.u.net->family = family;
|
ad.u.net->family = family;
|
||||||
@ -4709,7 +4662,6 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
|
|||||||
u32 peer_sid;
|
u32 peer_sid;
|
||||||
struct sock *sk;
|
struct sock *sk;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
struct lsm_network_audit net = {0,};
|
struct lsm_network_audit net = {0,};
|
||||||
char *addrp;
|
char *addrp;
|
||||||
u8 secmark_active;
|
u8 secmark_active;
|
||||||
@ -4757,7 +4709,6 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
|
|||||||
}
|
}
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_NET;
|
ad.type = LSM_AUDIT_DATA_NET;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.net = &net;
|
ad.u.net = &net;
|
||||||
ad.u.net->netif = ifindex;
|
ad.u.net->netif = ifindex;
|
||||||
ad.u.net->family = family;
|
ad.u.net->family = family;
|
||||||
@ -4875,13 +4826,11 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
|
|||||||
{
|
{
|
||||||
struct ipc_security_struct *isec;
|
struct ipc_security_struct *isec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = current_sid();
|
u32 sid = current_sid();
|
||||||
|
|
||||||
isec = ipc_perms->security;
|
isec = ipc_perms->security;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_IPC;
|
ad.type = LSM_AUDIT_DATA_IPC;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.ipc_id = ipc_perms->key;
|
ad.u.ipc_id = ipc_perms->key;
|
||||||
|
|
||||||
return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
|
return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
|
||||||
@ -4902,7 +4851,6 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
|
|||||||
{
|
{
|
||||||
struct ipc_security_struct *isec;
|
struct ipc_security_struct *isec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = current_sid();
|
u32 sid = current_sid();
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
@ -4913,7 +4861,6 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
|
|||||||
isec = msq->q_perm.security;
|
isec = msq->q_perm.security;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_IPC;
|
ad.type = LSM_AUDIT_DATA_IPC;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.ipc_id = msq->q_perm.key;
|
ad.u.ipc_id = msq->q_perm.key;
|
||||||
|
|
||||||
rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
|
rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
|
||||||
@ -4934,13 +4881,11 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
|
|||||||
{
|
{
|
||||||
struct ipc_security_struct *isec;
|
struct ipc_security_struct *isec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = current_sid();
|
u32 sid = current_sid();
|
||||||
|
|
||||||
isec = msq->q_perm.security;
|
isec = msq->q_perm.security;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_IPC;
|
ad.type = LSM_AUDIT_DATA_IPC;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.ipc_id = msq->q_perm.key;
|
ad.u.ipc_id = msq->q_perm.key;
|
||||||
|
|
||||||
return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
|
return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
|
||||||
@ -4980,7 +4925,6 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
|
|||||||
struct ipc_security_struct *isec;
|
struct ipc_security_struct *isec;
|
||||||
struct msg_security_struct *msec;
|
struct msg_security_struct *msec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = current_sid();
|
u32 sid = current_sid();
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
@ -5002,7 +4946,6 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
|
|||||||
}
|
}
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_IPC;
|
ad.type = LSM_AUDIT_DATA_IPC;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.ipc_id = msq->q_perm.key;
|
ad.u.ipc_id = msq->q_perm.key;
|
||||||
|
|
||||||
/* Can this process write to the queue? */
|
/* Can this process write to the queue? */
|
||||||
@ -5027,7 +4970,6 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
|
|||||||
struct ipc_security_struct *isec;
|
struct ipc_security_struct *isec;
|
||||||
struct msg_security_struct *msec;
|
struct msg_security_struct *msec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = task_sid(target);
|
u32 sid = task_sid(target);
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
@ -5035,7 +4977,6 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
|
|||||||
msec = msg->security;
|
msec = msg->security;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_IPC;
|
ad.type = LSM_AUDIT_DATA_IPC;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.ipc_id = msq->q_perm.key;
|
ad.u.ipc_id = msq->q_perm.key;
|
||||||
|
|
||||||
rc = avc_has_perm(sid, isec->sid,
|
rc = avc_has_perm(sid, isec->sid,
|
||||||
@ -5051,7 +4992,6 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
|
|||||||
{
|
{
|
||||||
struct ipc_security_struct *isec;
|
struct ipc_security_struct *isec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = current_sid();
|
u32 sid = current_sid();
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
@ -5062,7 +5002,6 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
|
|||||||
isec = shp->shm_perm.security;
|
isec = shp->shm_perm.security;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_IPC;
|
ad.type = LSM_AUDIT_DATA_IPC;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.ipc_id = shp->shm_perm.key;
|
ad.u.ipc_id = shp->shm_perm.key;
|
||||||
|
|
||||||
rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
|
rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
|
||||||
@ -5083,13 +5022,11 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
|
|||||||
{
|
{
|
||||||
struct ipc_security_struct *isec;
|
struct ipc_security_struct *isec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = current_sid();
|
u32 sid = current_sid();
|
||||||
|
|
||||||
isec = shp->shm_perm.security;
|
isec = shp->shm_perm.security;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_IPC;
|
ad.type = LSM_AUDIT_DATA_IPC;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.ipc_id = shp->shm_perm.key;
|
ad.u.ipc_id = shp->shm_perm.key;
|
||||||
|
|
||||||
return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
|
return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
|
||||||
@ -5147,7 +5084,6 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
|
|||||||
{
|
{
|
||||||
struct ipc_security_struct *isec;
|
struct ipc_security_struct *isec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = current_sid();
|
u32 sid = current_sid();
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
@ -5158,7 +5094,6 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
|
|||||||
isec = sma->sem_perm.security;
|
isec = sma->sem_perm.security;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_IPC;
|
ad.type = LSM_AUDIT_DATA_IPC;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.ipc_id = sma->sem_perm.key;
|
ad.u.ipc_id = sma->sem_perm.key;
|
||||||
|
|
||||||
rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
|
rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
|
||||||
@ -5179,13 +5114,11 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg)
|
|||||||
{
|
{
|
||||||
struct ipc_security_struct *isec;
|
struct ipc_security_struct *isec;
|
||||||
struct common_audit_data ad;
|
struct common_audit_data ad;
|
||||||
struct selinux_audit_data sad = {0,};
|
|
||||||
u32 sid = current_sid();
|
u32 sid = current_sid();
|
||||||
|
|
||||||
isec = sma->sem_perm.security;
|
isec = sma->sem_perm.security;
|
||||||
|
|
||||||
ad.type = LSM_AUDIT_DATA_IPC;
|
ad.type = LSM_AUDIT_DATA_IPC;
|
||||||
ad.selinux_audit_data = &sad;
|
|
||||||
ad.u.ipc_id = sma->sem_perm.key;
|
ad.u.ipc_id = sma->sem_perm.key;
|
||||||
|
|
||||||
return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
|
return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
|
||||||
|
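Review bot: Every hook in this file now leaves `ad.selinux_audit_data` uninitialized, since `struct common_audit_data ad;` is never zeroed and the removed `ad.selinux_audit_data = &sad;` lines were the only writes to it at the call sites; correctness now rests on the invariant that the pointer is set inside slow_avc_audit before the SELinux callbacks dereference it, and after slow_avc_audit returns the pointer dangles into a dead frame. That holds for the paths visible here (they all reach common_lsm_audit via avc_has_perm or, in audit_inode_permission, a direct slow_avc_audit call, and selinux_socket_bind's reuse of `ad` for a second check goes through the AVC again), but nothing in this file states it, so a future hook that hands `&ad` to common_lsm_audit directly would crash on an uninitialized pointer. I would document it once at the direct caller, above the `ad.type = LSM_AUDIT_DATA_INODE;` line in audit_inode_permission: `/* ad.selinux_audit_data is owned and filled in by slow_avc_audit(); it is never valid before that call or after it returns */`. The bodies of these functions continue outside the hunks, so I have only checked the visible uses.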
@ -49,7 +49,7 @@ struct avc_cache_stats {
|
|||||||
/*
|
/*
|
||||||
* We only need this data after we have decided to send an audit message.
|
* We only need this data after we have decided to send an audit message.
|
||||||
*/
|
*/
|
||||||
struct selinux_late_audit_data {
|
struct selinux_audit_data {
|
||||||
u32 ssid;
|
u32 ssid;
|
||||||
u32 tsid;
|
u32 tsid;
|
||||||
u16 tclass;
|
u16 tclass;
|
||||||
@ -59,13 +59,6 @@ struct selinux_late_audit_data {
|
|||||||
int result;
|
int result;
|
||||||
};
|
};
|
||||||
|
|
||||||
/*
|
|
||||||
* We collect this at the beginning or during an selinux security operation
|
|
||||||
*/
|
|
||||||
struct selinux_audit_data {
|
|
||||||
struct selinux_late_audit_data *slad;
|
|
||||||
};
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* AVC operations
|
* AVC operations
|
||||||
*/
|
*/
|
||||||
|
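Review bot: The comment kept above the renamed `struct selinux_audit_data` still reads "We only need this data after we have decided to send an audit message", which described the old late/early split; now that it is the only audit struct, the comment says nothing about who fills it or how long it is valid, and the visible slow_avc_audit hunk assigns ssid, tsid, tclass, requested, audited and denied but not `result`. I would replace the comment with `/* Filled in on the stack by slow_avc_audit() once the AVC has decided to audit; common_audit_data.selinux_audit_data points at it only for the duration of common_lsm_audit(). */` and add a one-word note on `result` saying where it is set, or remove the member if this commit leaves it unwritten. The struct's middle members fall between the two hunks, so I have not seen their declarations.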