[RFC PATCH v9 09/18] SELinux: Only store the network interface's ifindex

Fri, 21 Dec 2007 09:27:46 -0800 

Instead of storing the packet's network interface name store the ifindex.  This
allows us to defer the need to lookup the net_device structure until the audit
record is generated meaning that in the majority of cases we never need to
bother with this at all.

Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
---

 security/selinux/avc.c         |   15 ++++++++++++---
 security/selinux/hooks.c       |    4 ++--
 security/selinux/include/avc.h |    2 +-
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 81b3dff..e8529e2 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -661,9 +661,18 @@ void avc_audit(u32 ssid, u32 tsid,
                                                    "daddr", "dest");
                                break;
                        }
-                       if (a->u.net.netif)
-                               audit_log_format(ab, " netif=%s",
-                                       a->u.net.netif);
+                       if (a->u.net.netif > 0) {
+                               struct net_device *dev;
+
+                               /* NOTE: we always use init's namespace */
+                               dev = dev_get_by_index(&init_net,
+                                                      a->u.net.netif);
+                               if (dev) {
+                                       audit_log_format(ab, " netif=%s",
+                                                        dev->name);
+                                       dev_put(dev);
+                               }
+                       }
                        break;
                }
        }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8336c93..b451b4c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3691,7 +3691,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, 
struct sk_buff *skb)
                family = PF_INET;
 
        AVC_AUDIT_DATA_INIT(&ad, NET);
-       ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
+       ad.u.net.netif = skb->iif;
        ad.u.net.family = family;
 
        err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
@@ -4022,7 +4022,7 @@ static unsigned int selinux_ip_postroute_last(unsigned 
int hooknum,
        sksec = sk->sk_security;
 
        AVC_AUDIT_DATA_INIT(&ad, NET);
-       ad.u.net.netif = dev->name;
+       ad.u.net.netif = dev->ifindex;
        ad.u.net.family = family;
 
        err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 553607a..80c28fa 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -51,7 +51,7 @@ struct avc_audit_data {
                        struct inode *inode;
                } fs;
                struct {
-                       char *netif;
+                       int netif;
                        struct sock *sk;
                        u16 family;
                        __be16 dport;

-
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to