On Tue, 2009-07-14 at 12:14 -0400, Thomas Liu wrote: > Convert avc_audit in security/selinux/avc.c to use lsm_audit.h, > for better maintainability. > > - changed selinux to use common_audit_data instead of > avc_audit_data > - eliminated code in avc.c and used code from lsm_audit.h instead. > > Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit > can call common_lsm_audit and do the pre and post callbacks without > doing the actual dump. This makes it so that the patched version > behaves the same way as the unpatched version. > > Also added a denied field to the selinux_audit_data private space, > once again to make it so that the patched version behaves like the > unpatched. > > I've tested and confirmed that AVCs look the same before and after > this patch. > > Signed-off-by: Thomas Liu <[email protected]>
Acked-by: Stephen Smalley <[email protected]> Looks like there is also further room for consolidation, e.g. the skb parsing routines. BTW, it looks to my untrained eye as if dump_common_audit_data() allows one to pass a separate target task in the union, in which case we'll get two sets of pid= and comm= data in the same record, one for the subject and one for the target/object. It appears that Smack is already using that facility for things like ptrace, kill, etc, whereas SELinux is not. Two questions: 1) Will the multiple pid= comm= entries get handled correctly by auditd and the audit tools? Do we need separate names for the target vs source pid/comm values? 2) Should we start using ad.u.tsk in SELinux as well to capture the target of a ptrace, kill, wait, ... in the avc audit record? > --- > Sorry about the previous version! > > include/linux/lsm_audit.h | 2 > security/Makefile | 4 - > security/lsm_audit.c | 2 > security/selinux/avc.c | 197 > +++++++---------------------------- > security/selinux/hooks.c | 142 +++++++++++++------------ > security/selinux/include/avc.h | 49 +-------- > security/selinux/include/netlabel.h | 4 - > security/selinux/include/xfrm.h | 8 + > security/selinux/netlabel.c | 2 > security/selinux/xfrm.c | 4 - > 10 files changed, 131 insertions(+), 283 deletions(-) > > > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h > index a5514a3..190c378 100644 > --- a/include/linux/lsm_audit.h > +++ b/include/linux/lsm_audit.h > @@ -33,6 +33,7 @@ struct common_audit_data { > #define LSM_AUDIT_DATA_IPC 4 > #define LSM_AUDIT_DATA_TASK 5 > #define LSM_AUDIT_DATA_KEY 6 > +#define LSM_AUDIT_NO_AUDIT 7 > struct task_struct *tsk; > union { > struct { > @@ -86,6 +87,7 @@ struct common_audit_data { > u16 tclass; > u32 requested; > u32 audited; > + u32 denied; > struct av_decision *avd; > int result; > } selinux_audit_data; > diff --git a/security/Makefile b/security/Makefile > index c67557c..8dcc1fd 100644 > --- a/security/Makefile > +++ b/security/Makefile > @@ -16,9 +16,7 @@ obj-$(CONFIG_SECURITYFS) += inode.o > # Must precede capability.o in order to stack properly. > obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o > obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o > -ifeq ($(CONFIG_AUDIT),y) > -obj-$(CONFIG_SECURITY_SMACK) += lsm_audit.o > -endif > +obj-$(CONFIG_AUDIT) += lsm_audit.o > obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o > obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o > obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o > diff --git a/security/lsm_audit.c b/security/lsm_audit.c > index 94b8684..500aad0 100644 > --- a/security/lsm_audit.c > +++ b/security/lsm_audit.c > @@ -220,6 +220,8 @@ static void dump_common_audit_data(struct audit_buffer > *ab, > } > > switch (a->type) { > + case LSM_AUDIT_NO_AUDIT: > + return; > case LSM_AUDIT_DATA_IPC: > audit_log_format(ab, " key=%d ", a->u.ipc_id); > break; > diff --git a/security/selinux/avc.c b/security/selinux/avc.c > index 236aaa2..e3d1901 100644 > --- a/security/selinux/avc.c > +++ b/security/selinux/avc.c > @@ -492,23 +492,35 @@ out: > return node; > } > > -static inline void avc_print_ipv6_addr(struct audit_buffer *ab, > - struct in6_addr *addr, __be16 port, > - char *name1, char *name2) > +/** > + * avc_audit_pre_callback - SELinux specific information > + * will be called by generic audit code > + * @ab: the audit buffer > + * @a: audit_data > + */ > +static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) > { > - if (!ipv6_addr_any(addr)) > - audit_log_format(ab, " %s=%pI6", name1, addr); > - if (port) > - audit_log_format(ab, " %s=%d", name2, ntohs(port)); > + struct common_audit_data *ad = a; > + audit_log_format(ab, "avc: %s ", > + ad->selinux_audit_data.denied ? "denied" : "granted"); > + avc_dump_av(ab, ad->selinux_audit_data.tclass, > + ad->selinux_audit_data.audited); > + audit_log_format(ab, " for "); > } > > -static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr, > - __be16 port, char *name1, char *name2) > +/** > + * avc_audit_post_callback - SELinux specific information > + * will be called by generic audit code > + * @ab: the audit buffer > + * @a: audit_data > + */ > +static void avc_audit_post_callback(struct audit_buffer *ab, void *a) > { > - if (addr) > - audit_log_format(ab, " %s=%pI4", name1, &addr); > - if (port) > - audit_log_format(ab, " %s=%d", name2, ntohs(port)); > + struct common_audit_data *ad = a; > + audit_log_format(ab, " "); > + avc_dump_query(ab, ad->selinux_audit_data.ssid, > + ad->selinux_audit_data.tsid, > + ad->selinux_audit_data.tclass); > } > > /** > @@ -532,13 +544,10 @@ static inline void avc_print_ipv4_addr(struct > audit_buffer *ab, __be32 addr, > */ > void avc_audit(u32 ssid, u32 tsid, > u16 tclass, u32 requested, > - struct av_decision *avd, int result, struct avc_audit_data *a) > + struct av_decision *avd, int result, struct common_audit_data *a) > { > - struct task_struct *tsk = current; > - struct inode *inode = NULL; > + struct common_audit_data stack_data; > u32 denied, audited; > - struct audit_buffer *ab; > - > denied = requested & ~avd->allowed; > if (denied) { > audited = denied; > @@ -551,144 +560,20 @@ void avc_audit(u32 ssid, u32 tsid, > if (!(audited & avd->auditallow)) > return; > } > - > - ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC); > - if (!ab) > - return; /* audit_panic has been called */ > - audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); > - avc_dump_av(ab, tclass, audited); > - audit_log_format(ab, " for "); > - if (a && a->tsk) > - tsk = a->tsk; > - if (tsk && tsk->pid) { > - audit_log_format(ab, " pid=%d comm=", tsk->pid); > - audit_log_untrustedstring(ab, tsk->comm); > - } > - if (a) { > - switch (a->type) { > - case AVC_AUDIT_DATA_IPC: > - audit_log_format(ab, " key=%d", a->u.ipc_id); > - break; > - case AVC_AUDIT_DATA_CAP: > - audit_log_format(ab, " capability=%d", a->u.cap); > - break; > - case AVC_AUDIT_DATA_FS: > - if (a->u.fs.path.dentry) { > - struct dentry *dentry = a->u.fs.path.dentry; > - if (a->u.fs.path.mnt) { > - audit_log_d_path(ab, "path=", > - &a->u.fs.path); > - } else { > - audit_log_format(ab, " name="); > - audit_log_untrustedstring(ab, > dentry->d_name.name); > - } > - inode = dentry->d_inode; > - } else if (a->u.fs.inode) { > - struct dentry *dentry; > - inode = a->u.fs.inode; > - dentry = d_find_alias(inode); > - if (dentry) { > - audit_log_format(ab, " name="); > - audit_log_untrustedstring(ab, > dentry->d_name.name); > - dput(dentry); > - } > - } > - if (inode) > - audit_log_format(ab, " dev=%s ino=%lu", > - inode->i_sb->s_id, > - inode->i_ino); > - break; > - case AVC_AUDIT_DATA_NET: > - if (a->u.net.sk) { > - struct sock *sk = a->u.net.sk; > - struct unix_sock *u; > - int len = 0; > - char *p = NULL; > - > - switch (sk->sk_family) { > - case AF_INET: { > - struct inet_sock *inet = inet_sk(sk); > - > - avc_print_ipv4_addr(ab, inet->rcv_saddr, > - inet->sport, > - "laddr", "lport"); > - avc_print_ipv4_addr(ab, inet->daddr, > - inet->dport, > - "faddr", "fport"); > - break; > - } > - case AF_INET6: { > - struct inet_sock *inet = inet_sk(sk); > - struct ipv6_pinfo *inet6 = inet6_sk(sk); > - > - avc_print_ipv6_addr(ab, > &inet6->rcv_saddr, > - inet->sport, > - "laddr", "lport"); > - avc_print_ipv6_addr(ab, &inet6->daddr, > - inet->dport, > - "faddr", "fport"); > - break; > - } > - case AF_UNIX: > - u = unix_sk(sk); > - if (u->dentry) { > - struct path path = { > - .dentry = u->dentry, > - .mnt = u->mnt > - }; > - audit_log_d_path(ab, "path=", > - &path); > - break; > - } > - if (!u->addr) > - break; > - len = u->addr->len-sizeof(short); > - p = &u->addr->name->sun_path[0]; > - audit_log_format(ab, " path="); > - if (*p) > - audit_log_untrustedstring(ab, > p); > - else > - audit_log_n_hex(ab, p, len); > - break; > - } > - } > - > - switch (a->u.net.family) { > - case AF_INET: > - avc_print_ipv4_addr(ab, a->u.net.v4info.saddr, > - a->u.net.sport, > - "saddr", "src"); > - avc_print_ipv4_addr(ab, a->u.net.v4info.daddr, > - a->u.net.dport, > - "daddr", "dest"); > - break; > - case AF_INET6: > - avc_print_ipv6_addr(ab, &a->u.net.v6info.saddr, > - a->u.net.sport, > - "saddr", "src"); > - avc_print_ipv6_addr(ab, &a->u.net.v6info.daddr, > - a->u.net.dport, > - "daddr", "dest"); > - break; > - } > - if (a->u.net.netif > 0) { > - struct net_device *dev; > - > - /* NOTE: we always use init's namespace */ > - dev = dev_get_by_index(&init_net, > - a->u.net.netif); > - if (dev) { > - audit_log_format(ab, " netif=%s", > - dev->name); > - dev_put(dev); > - } > - } > - break; > - } > + if (!a) { > + a = &stack_data; > + memset(a, 0, sizeof(*a)); > + a->type = LSM_AUDIT_NO_AUDIT; > } > - audit_log_format(ab, " "); > - avc_dump_query(ab, ssid, tsid, tclass); > - audit_log_end(ab); > + a->selinux_audit_data.tclass = tclass; > + a->selinux_audit_data.requested = requested; > + a->selinux_audit_data.ssid = ssid; > + a->selinux_audit_data.tsid = tsid; > + a->selinux_audit_data.audited = audited; > + a->selinux_audit_data.denied = denied; > + a->lsm_pre_audit = avc_audit_pre_callback; > + a->lsm_post_audit = avc_audit_post_callback; > + common_lsm_audit(a); > } > > /** > @@ -956,7 +841,7 @@ out: > * another -errno upon other errors. > */ > int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, > - u32 requested, struct avc_audit_data *auditdata) > + u32 requested, struct common_audit_data *auditdata) > { > struct av_decision avd; > int rc; > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 2081055..a7de261 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -1478,14 +1478,14 @@ static int task_has_capability(struct task_struct > *tsk, > const struct cred *cred, > int cap, int audit) > { > - struct avc_audit_data ad; > + struct common_audit_data ad; > struct av_decision avd; > u16 sclass; > u32 sid = cred_sid(cred); > u32 av = CAP_TO_MASK(cap); > int rc; > > - AVC_AUDIT_DATA_INIT(&ad, CAP); > + COMMON_AUDIT_DATA_INIT(&ad, CAP); > ad.tsk = tsk; > ad.u.cap = cap; > > @@ -1524,10 +1524,10 @@ static int task_has_system(struct task_struct *tsk, > static int inode_has_perm(const struct cred *cred, > struct inode *inode, > u32 perms, > - struct avc_audit_data *adp) > + struct common_audit_data *adp) > { > struct inode_security_struct *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid; > > if (unlikely(IS_PRIVATE(inode))) > @@ -1538,7 +1538,7 @@ static int inode_has_perm(const struct cred *cred, > > if (!adp) { > adp = &ad; > - AVC_AUDIT_DATA_INIT(&ad, FS); > + COMMON_AUDIT_DATA_INIT(&ad, FS); > ad.u.fs.inode = inode; > } > > @@ -1554,9 +1554,9 @@ static inline int dentry_has_perm(const struct cred > *cred, > u32 av) > { > struct inode *inode = dentry->d_inode; > - struct avc_audit_data ad; > + struct common_audit_data ad; > > - AVC_AUDIT_DATA_INIT(&ad, FS); > + COMMON_AUDIT_DATA_INIT(&ad, FS); > ad.u.fs.path.mnt = mnt; > ad.u.fs.path.dentry = dentry; > return inode_has_perm(cred, inode, av, &ad); > @@ -1576,11 +1576,11 @@ static int file_has_perm(const struct cred *cred, > { > struct file_security_struct *fsec = file->f_security; > struct inode *inode = file->f_path.dentry->d_inode; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = cred_sid(cred); > int rc; > > - AVC_AUDIT_DATA_INIT(&ad, FS); > + COMMON_AUDIT_DATA_INIT(&ad, FS); > ad.u.fs.path = file->f_path; > > if (sid != fsec->sid) { > @@ -1611,7 +1611,7 @@ static int may_create(struct inode *dir, > struct inode_security_struct *dsec; > struct superblock_security_struct *sbsec; > u32 sid, newsid; > - struct avc_audit_data ad; > + struct common_audit_data ad; > int rc; > > dsec = dir->i_security; > @@ -1620,7 +1620,7 @@ static int may_create(struct inode *dir, > sid = tsec->sid; > newsid = tsec->create_sid; > > - AVC_AUDIT_DATA_INIT(&ad, FS); > + COMMON_AUDIT_DATA_INIT(&ad, FS); > ad.u.fs.path.dentry = dentry; > > rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, > @@ -1664,7 +1664,7 @@ static int may_link(struct inode *dir, > > { > struct inode_security_struct *dsec, *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = current_sid(); > u32 av; > int rc; > @@ -1672,7 +1672,7 @@ static int may_link(struct inode *dir, > dsec = dir->i_security; > isec = dentry->d_inode->i_security; > > - AVC_AUDIT_DATA_INIT(&ad, FS); > + COMMON_AUDIT_DATA_INIT(&ad, FS); > ad.u.fs.path.dentry = dentry; > > av = DIR__SEARCH; > @@ -1707,7 +1707,7 @@ static inline int may_rename(struct inode *old_dir, > struct dentry *new_dentry) > { > struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = current_sid(); > u32 av; > int old_is_dir, new_is_dir; > @@ -1718,7 +1718,7 @@ static inline int may_rename(struct inode *old_dir, > old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); > new_dsec = new_dir->i_security; > > - AVC_AUDIT_DATA_INIT(&ad, FS); > + COMMON_AUDIT_DATA_INIT(&ad, FS); > > ad.u.fs.path.dentry = old_dentry; > rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, > @@ -1760,7 +1760,7 @@ static inline int may_rename(struct inode *old_dir, > static int superblock_has_perm(const struct cred *cred, > struct super_block *sb, > u32 perms, > - struct avc_audit_data *ad) > + struct common_audit_data *ad) > { > struct superblock_security_struct *sbsec; > u32 sid = cred_sid(cred); > @@ -2100,7 +2100,7 @@ static int selinux_bprm_set_creds(struct linux_binprm > *bprm) > const struct task_security_struct *old_tsec; > struct task_security_struct *new_tsec; > struct inode_security_struct *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > struct inode *inode = bprm->file->f_path.dentry->d_inode; > int rc; > > @@ -2138,7 +2138,7 @@ static int selinux_bprm_set_creds(struct linux_binprm > *bprm) > return rc; > } > > - AVC_AUDIT_DATA_INIT(&ad, FS); > + COMMON_AUDIT_DATA_INIT(&ad, FS); > ad.u.fs.path = bprm->file->f_path; > > if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) > @@ -2231,7 +2231,7 @@ extern struct dentry *selinux_null; > static inline void flush_unauthorized_files(const struct cred *cred, > struct files_struct *files) > { > - struct avc_audit_data ad; > + struct common_audit_data ad; > struct file *file, *devnull = NULL; > struct tty_struct *tty; > struct fdtable *fdt; > @@ -2265,7 +2265,7 @@ static inline void flush_unauthorized_files(const > struct cred *cred, > > /* Revalidate access to inherited open files. */ > > - AVC_AUDIT_DATA_INIT(&ad, FS); > + COMMON_AUDIT_DATA_INIT(&ad, FS); > > spin_lock(&files->file_lock); > for (;;) { > @@ -2514,7 +2514,7 @@ out: > static int selinux_sb_kern_mount(struct super_block *sb, int flags, void > *data) > { > const struct cred *cred = current_cred(); > - struct avc_audit_data ad; > + struct common_audit_data ad; > int rc; > > rc = superblock_doinit(sb, data); > @@ -2525,7 +2525,7 @@ static int selinux_sb_kern_mount(struct super_block > *sb, int flags, void *data) > if (flags & MS_KERNMOUNT) > return 0; > > - AVC_AUDIT_DATA_INIT(&ad, FS); > + COMMON_AUDIT_DATA_INIT(&ad, FS); > ad.u.fs.path.dentry = sb->s_root; > return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); > } > @@ -2533,9 +2533,9 @@ static int selinux_sb_kern_mount(struct super_block > *sb, int flags, void *data) > static int selinux_sb_statfs(struct dentry *dentry) > { > const struct cred *cred = current_cred(); > - struct avc_audit_data ad; > + struct common_audit_data ad; > > - AVC_AUDIT_DATA_INIT(&ad, FS); > + COMMON_AUDIT_DATA_INIT(&ad, FS); > ad.u.fs.path.dentry = dentry->d_sb->s_root; > return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, > &ad); > } > @@ -2755,7 +2755,7 @@ static int selinux_inode_setxattr(struct dentry > *dentry, const char *name, > struct inode *inode = dentry->d_inode; > struct inode_security_struct *isec = inode->i_security; > struct superblock_security_struct *sbsec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 newsid, sid = current_sid(); > int rc = 0; > > @@ -2769,7 +2769,7 @@ static int selinux_inode_setxattr(struct dentry > *dentry, const char *name, > if (!is_owner_or_cap(inode)) > return -EPERM; > > - AVC_AUDIT_DATA_INIT(&ad, FS); > + COMMON_AUDIT_DATA_INIT(&ad, FS); > ad.u.fs.path.dentry = dentry; > > rc = avc_has_perm(sid, isec->sid, isec->sclass, > @@ -3401,7 +3401,7 @@ static void selinux_task_to_inode(struct task_struct *p, > > /* Returns error only if unable to parse addresses */ > static int selinux_parse_skb_ipv4(struct sk_buff *skb, > - struct avc_audit_data *ad, u8 *proto) > + struct common_audit_data *ad, u8 *proto) > { > int offset, ihlen, ret = -EINVAL; > struct iphdr _iph, *ih; > @@ -3482,7 +3482,7 @@ out: > > /* Returns error only if unable to parse addresses */ > static int selinux_parse_skb_ipv6(struct sk_buff *skb, > - struct avc_audit_data *ad, u8 *proto) > + struct common_audit_data *ad, u8 *proto) > { > u8 nexthdr; > int ret = -EINVAL, offset; > @@ -3553,7 +3553,7 @@ out: > > #endif /* IPV6 */ > > -static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, > +static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data > *ad, > char **_addrp, int src, u8 *proto) > { > char *addrp; > @@ -3635,7 +3635,7 @@ static int socket_has_perm(struct task_struct *task, > struct socket *sock, > u32 perms) > { > struct inode_security_struct *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid; > int err = 0; > > @@ -3645,7 +3645,7 @@ static int socket_has_perm(struct task_struct *task, > struct socket *sock, > goto out; > sid = task_sid(task); > > - AVC_AUDIT_DATA_INIT(&ad, NET); > + COMMON_AUDIT_DATA_INIT(&ad, NET); > ad.u.net.sk = sock->sk; > err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); > > @@ -3732,7 +3732,7 @@ static int selinux_socket_bind(struct socket *sock, > struct sockaddr *address, in > if (family == PF_INET || family == PF_INET6) { > char *addrp; > struct inode_security_struct *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > struct sockaddr_in *addr4 = NULL; > struct sockaddr_in6 *addr6 = NULL; > unsigned short snum; > @@ -3761,7 +3761,7 @@ static int selinux_socket_bind(struct socket *sock, > struct sockaddr *address, in > snum, &sid); > if (err) > goto out; > - AVC_AUDIT_DATA_INIT(&ad, NET); > + COMMON_AUDIT_DATA_INIT(&ad, NET); > ad.u.net.sport = htons(snum); > ad.u.net.family = family; > err = avc_has_perm(isec->sid, sid, > @@ -3794,7 +3794,7 @@ static int selinux_socket_bind(struct socket *sock, > struct sockaddr *address, in > if (err) > goto out; > > - AVC_AUDIT_DATA_INIT(&ad, NET); > + COMMON_AUDIT_DATA_INIT(&ad, NET); > ad.u.net.sport = htons(snum); > ad.u.net.family = family; > > @@ -3828,7 +3828,7 @@ static int selinux_socket_connect(struct socket *sock, > struct sockaddr *address, > isec = SOCK_INODE(sock)->i_security; > if (isec->sclass == SECCLASS_TCP_SOCKET || > isec->sclass == SECCLASS_DCCP_SOCKET) { > - struct avc_audit_data ad; > + struct common_audit_data ad; > struct sockaddr_in *addr4 = NULL; > struct sockaddr_in6 *addr6 = NULL; > unsigned short snum; > @@ -3853,7 +3853,7 @@ static int selinux_socket_connect(struct socket *sock, > struct sockaddr *address, > perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? > TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; > > - AVC_AUDIT_DATA_INIT(&ad, NET); > + COMMON_AUDIT_DATA_INIT(&ad, NET); > ad.u.net.dport = htons(snum); > ad.u.net.family = sk->sk_family; > err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); > @@ -3943,13 +3943,13 @@ static int selinux_socket_unix_stream_connect(struct > socket *sock, > struct sk_security_struct *ssec; > struct inode_security_struct *isec; > struct inode_security_struct *other_isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > int err; > > isec = SOCK_INODE(sock)->i_security; > other_isec = SOCK_INODE(other)->i_security; > > - AVC_AUDIT_DATA_INIT(&ad, NET); > + COMMON_AUDIT_DATA_INIT(&ad, NET); > ad.u.net.sk = other->sk; > > err = avc_has_perm(isec->sid, other_isec->sid, > @@ -3975,13 +3975,13 @@ static int selinux_socket_unix_may_send(struct socket > *sock, > { > struct inode_security_struct *isec; > struct inode_security_struct *other_isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > int err; > > isec = SOCK_INODE(sock)->i_security; > other_isec = SOCK_INODE(other)->i_security; > > - AVC_AUDIT_DATA_INIT(&ad, NET); > + COMMON_AUDIT_DATA_INIT(&ad, NET); > ad.u.net.sk = other->sk; > > err = avc_has_perm(isec->sid, other_isec->sid, > @@ -3994,7 +3994,7 @@ static int selinux_socket_unix_may_send(struct socket > *sock, > > static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, > u32 peer_sid, > - struct avc_audit_data *ad) > + struct common_audit_data *ad) > { > int err; > u32 if_sid; > @@ -4022,10 +4022,10 @@ static int selinux_sock_rcv_skb_compat(struct sock > *sk, struct sk_buff *skb, > struct sk_security_struct *sksec = sk->sk_security; > u32 peer_sid; > u32 sk_sid = sksec->sid; > - struct avc_audit_data ad; > + struct common_audit_data ad; > char *addrp; > > - AVC_AUDIT_DATA_INIT(&ad, NET); > + COMMON_AUDIT_DATA_INIT(&ad, NET); > ad.u.net.netif = skb->iif; > ad.u.net.family = family; > err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); > @@ -4063,7 +4063,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, > struct sk_buff *skb) > struct sk_security_struct *sksec = sk->sk_security; > u16 family = sk->sk_family; > u32 sk_sid = sksec->sid; > - struct avc_audit_data ad; > + struct common_audit_data ad; > char *addrp; > u8 secmark_active; > u8 peerlbl_active; > @@ -4087,7 +4087,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, > struct sk_buff *skb) > if (!secmark_active && !peerlbl_active) > return 0; > > - AVC_AUDIT_DATA_INIT(&ad, NET); > + COMMON_AUDIT_DATA_INIT(&ad, NET); > ad.u.net.netif = skb->iif; > ad.u.net.family = family; > err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); > @@ -4345,7 +4345,7 @@ static unsigned int selinux_ip_forward(struct sk_buff > *skb, int ifindex, > int err; > char *addrp; > u32 peer_sid; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u8 secmark_active; > u8 netlbl_active; > u8 peerlbl_active; > @@ -4362,7 +4362,7 @@ static unsigned int selinux_ip_forward(struct sk_buff > *skb, int ifindex, > if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) > return NF_DROP; > > - AVC_AUDIT_DATA_INIT(&ad, NET); > + COMMON_AUDIT_DATA_INIT(&ad, NET); > ad.u.net.netif = ifindex; > ad.u.net.family = family; > if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) > @@ -4450,7 +4450,7 @@ static unsigned int selinux_ip_postroute_compat(struct > sk_buff *skb, > { > struct sock *sk = skb->sk; > struct sk_security_struct *sksec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > char *addrp; > u8 proto; > > @@ -4458,7 +4458,7 @@ static unsigned int selinux_ip_postroute_compat(struct > sk_buff *skb, > return NF_ACCEPT; > sksec = sk->sk_security; > > - AVC_AUDIT_DATA_INIT(&ad, NET); > + COMMON_AUDIT_DATA_INIT(&ad, NET); > ad.u.net.netif = ifindex; > ad.u.net.family = family; > if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) > @@ -4482,7 +4482,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff > *skb, int ifindex, > u32 secmark_perm; > u32 peer_sid; > struct sock *sk; > - struct avc_audit_data ad; > + struct common_audit_data ad; > char *addrp; > u8 secmark_active; > u8 peerlbl_active; > @@ -4541,7 +4541,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff > *skb, int ifindex, > secmark_perm = PACKET__SEND; > } > > - AVC_AUDIT_DATA_INIT(&ad, NET); > + COMMON_AUDIT_DATA_INIT(&ad, NET); > ad.u.net.netif = ifindex; > ad.u.net.family = family; > if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) > @@ -4611,13 +4611,13 @@ static int selinux_netlink_send(struct sock *sk, > struct sk_buff *skb) > static int selinux_netlink_recv(struct sk_buff *skb, int capability) > { > int err; > - struct avc_audit_data ad; > + struct common_audit_data ad; > > err = cap_netlink_recv(skb, capability); > if (err) > return err; > > - AVC_AUDIT_DATA_INIT(&ad, CAP); > + COMMON_AUDIT_DATA_INIT(&ad, CAP); > ad.u.cap = capability; > > return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, > @@ -4676,12 +4676,12 @@ static int ipc_has_perm(struct kern_ipc_perm > *ipc_perms, > u32 perms) > { > struct ipc_security_struct *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = current_sid(); > > isec = ipc_perms->security; > > - AVC_AUDIT_DATA_INIT(&ad, IPC); > + COMMON_AUDIT_DATA_INIT(&ad, IPC); > ad.u.ipc_id = ipc_perms->key; > > return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); > @@ -4701,7 +4701,7 @@ static void selinux_msg_msg_free_security(struct > msg_msg *msg) > static int selinux_msg_queue_alloc_security(struct msg_queue *msq) > { > struct ipc_security_struct *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = current_sid(); > int rc; > > @@ -4711,7 +4711,7 @@ static int selinux_msg_queue_alloc_security(struct > msg_queue *msq) > > isec = msq->q_perm.security; > > - AVC_AUDIT_DATA_INIT(&ad, IPC); > + COMMON_AUDIT_DATA_INIT(&ad, IPC); > ad.u.ipc_id = msq->q_perm.key; > > rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, > @@ -4731,12 +4731,12 @@ static void selinux_msg_queue_free_security(struct > msg_queue *msq) > static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) > { > struct ipc_security_struct *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = current_sid(); > > isec = msq->q_perm.security; > > - AVC_AUDIT_DATA_INIT(&ad, IPC); > + COMMON_AUDIT_DATA_INIT(&ad, IPC); > ad.u.ipc_id = msq->q_perm.key; > > return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, > @@ -4775,7 +4775,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue > *msq, struct msg_msg *msg, > { > struct ipc_security_struct *isec; > struct msg_security_struct *msec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = current_sid(); > int rc; > > @@ -4796,7 +4796,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue > *msq, struct msg_msg *msg, > return rc; > } > > - AVC_AUDIT_DATA_INIT(&ad, IPC); > + COMMON_AUDIT_DATA_INIT(&ad, IPC); > ad.u.ipc_id = msq->q_perm.key; > > /* Can this process write to the queue? */ > @@ -4820,14 +4820,14 @@ static int selinux_msg_queue_msgrcv(struct msg_queue > *msq, struct msg_msg *msg, > { > struct ipc_security_struct *isec; > struct msg_security_struct *msec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = task_sid(target); > int rc; > > isec = msq->q_perm.security; > msec = msg->security; > > - AVC_AUDIT_DATA_INIT(&ad, IPC); > + COMMON_AUDIT_DATA_INIT(&ad, IPC); > ad.u.ipc_id = msq->q_perm.key; > > rc = avc_has_perm(sid, isec->sid, > @@ -4842,7 +4842,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue > *msq, struct msg_msg *msg, > static int selinux_shm_alloc_security(struct shmid_kernel *shp) > { > struct ipc_security_struct *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = current_sid(); > int rc; > > @@ -4852,7 +4852,7 @@ static int selinux_shm_alloc_security(struct > shmid_kernel *shp) > > isec = shp->shm_perm.security; > > - AVC_AUDIT_DATA_INIT(&ad, IPC); > + COMMON_AUDIT_DATA_INIT(&ad, IPC); > ad.u.ipc_id = shp->shm_perm.key; > > rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, > @@ -4872,12 +4872,12 @@ static void selinux_shm_free_security(struct > shmid_kernel *shp) > static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) > { > struct ipc_security_struct *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = current_sid(); > > isec = shp->shm_perm.security; > > - AVC_AUDIT_DATA_INIT(&ad, IPC); > + COMMON_AUDIT_DATA_INIT(&ad, IPC); > ad.u.ipc_id = shp->shm_perm.key; > > return avc_has_perm(sid, isec->sid, SECCLASS_SHM, > @@ -4934,7 +4934,7 @@ static int selinux_shm_shmat(struct shmid_kernel *shp, > static int selinux_sem_alloc_security(struct sem_array *sma) > { > struct ipc_security_struct *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = current_sid(); > int rc; > > @@ -4944,7 +4944,7 @@ static int selinux_sem_alloc_security(struct sem_array > *sma) > > isec = sma->sem_perm.security; > > - AVC_AUDIT_DATA_INIT(&ad, IPC); > + COMMON_AUDIT_DATA_INIT(&ad, IPC); > ad.u.ipc_id = sma->sem_perm.key; > > rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, > @@ -4964,12 +4964,12 @@ static void selinux_sem_free_security(struct > sem_array *sma) > static int selinux_sem_associate(struct sem_array *sma, int semflg) > { > struct ipc_security_struct *isec; > - struct avc_audit_data ad; > + struct common_audit_data ad; > u32 sid = current_sid(); > > isec = sma->sem_perm.security; > > - AVC_AUDIT_DATA_INIT(&ad, IPC); > + COMMON_AUDIT_DATA_INIT(&ad, IPC); > ad.u.ipc_id = sma->sem_perm.key; > > return avc_has_perm(sid, isec->sid, SECCLASS_SEM, > diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h > index ae4c3a0..e94e82f 100644 > --- a/security/selinux/include/avc.h > +++ b/security/selinux/include/avc.h > @@ -13,6 +13,7 @@ > #include <linux/spinlock.h> > #include <linux/init.h> > #include <linux/audit.h> > +#include <linux/lsm_audit.h> > #include <linux/in6.h> > #include <linux/path.h> > #include <asm/system.h> > @@ -36,48 +37,6 @@ struct inode; > struct sock; > struct sk_buff; > > -/* Auxiliary data to use in generating the audit record. */ > -struct avc_audit_data { > - char type; > -#define AVC_AUDIT_DATA_FS 1 > -#define AVC_AUDIT_DATA_NET 2 > -#define AVC_AUDIT_DATA_CAP 3 > -#define AVC_AUDIT_DATA_IPC 4 > - struct task_struct *tsk; > - union { > - struct { > - struct path path; > - struct inode *inode; > - } fs; > - struct { > - int netif; > - struct sock *sk; > - u16 family; > - __be16 dport; > - __be16 sport; > - union { > - struct { > - __be32 daddr; > - __be32 saddr; > - } v4; > - struct { > - struct in6_addr daddr; > - struct in6_addr saddr; > - } v6; > - } fam; > - } net; > - int cap; > - int ipc_id; > - } u; > -}; > - > -#define v4info fam.v4 > -#define v6info fam.v6 > - > -/* Initialize an AVC audit data structure. */ > -#define AVC_AUDIT_DATA_INIT(_d,_t) \ > - { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = > AVC_AUDIT_DATA_##_t; } > - > /* > * AVC statistics > */ > @@ -98,7 +57,9 @@ void __init avc_init(void); > > void avc_audit(u32 ssid, u32 tsid, > u16 tclass, u32 requested, > - struct av_decision *avd, int result, struct avc_audit_data > *auditdata); > + struct av_decision *avd, > + int result, > + struct common_audit_data *a); > > #define AVC_STRICT 1 /* Ignore permissive mode. */ > int avc_has_perm_noaudit(u32 ssid, u32 tsid, > @@ -108,7 +69,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, > > int avc_has_perm(u32 ssid, u32 tsid, > u16 tclass, u32 requested, > - struct avc_audit_data *auditdata); > + struct common_audit_data *auditdata); > > u32 avc_policy_seqno(void); > > diff --git a/security/selinux/include/netlabel.h > b/security/selinux/include/netlabel.h > index b4b5b9b..8d73842 100644 > --- a/security/selinux/include/netlabel.h > +++ b/security/selinux/include/netlabel.h > @@ -59,7 +59,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 > family); > int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, > struct sk_buff *skb, > u16 family, > - struct avc_audit_data *ad); > + struct common_audit_data *ad); > int selinux_netlbl_socket_setsockopt(struct socket *sock, > int level, > int optname); > @@ -129,7 +129,7 @@ static inline int > selinux_netlbl_socket_post_create(struct sock *sk, > static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct > *sksec, > struct sk_buff *skb, > u16 family, > - struct avc_audit_data *ad) > + struct common_audit_data *ad) > { > return 0; > } > diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h > index 289e24b..13128f9 100644 > --- a/security/selinux/include/xfrm.h > +++ b/security/selinux/include/xfrm.h > @@ -41,9 +41,9 @@ static inline int selinux_xfrm_enabled(void) > } > > int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, > - struct avc_audit_data *ad); > + struct common_audit_data *ad); > int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, > - struct avc_audit_data *ad, u8 proto); > + struct common_audit_data *ad, u8 proto); > int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); > > static inline void selinux_xfrm_notify_policyload(void) > @@ -57,13 +57,13 @@ static inline int selinux_xfrm_enabled(void) > } > > static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff > *skb, > - struct avc_audit_data *ad) > + struct common_audit_data *ad) > { > return 0; > } > > static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff > *skb, > - struct avc_audit_data *ad, u8 proto) > + struct common_audit_data *ad, u8 proto) > { > return 0; > } > diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c > index 2e98441..e688237 100644 > --- a/security/selinux/netlabel.c > +++ b/security/selinux/netlabel.c > @@ -342,7 +342,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, > u16 family) > int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, > struct sk_buff *skb, > u16 family, > - struct avc_audit_data *ad) > + struct common_audit_data *ad) > { > int rc; > u32 nlbl_sid; > diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c > index 72b1845..f3cb9ed 100644 > --- a/security/selinux/xfrm.c > +++ b/security/selinux/xfrm.c > @@ -401,7 +401,7 @@ int selinux_xfrm_state_delete(struct xfrm_state *x) > * gone thru the IPSec process. > */ > int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, > - struct avc_audit_data *ad) > + struct common_audit_data *ad) > { > int i, rc = 0; > struct sec_path *sp; > @@ -442,7 +442,7 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct > sk_buff *skb, > * checked in the selinux_xfrm_state_pol_flow_match hook above. > */ > int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, > - struct avc_audit_data *ad, u8 proto) > + struct common_audit_data *ad, u8 proto) > { > struct dst_entry *dst; > int rc = 0; > > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to [email protected] with > the words "unsubscribe selinux" without quotes as the message. -- Stephen Smalley National Security Agency -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
