From 43157332c6c90c9ea026ee975c23c3ae2ddf5d0b Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Tue, 3 Apr 2012 09:38:00 -0700 Subject: [PATCH] --- yaml --- r: 298599 b: refs/heads/master c: 3f0882c48286e7bdb0bbdec9c4bfa934e0db8e09 h: refs/heads/master i: 298597: 8cdc920007e632236e8a165ee351ec014357e595 298595: 4c3e6880a801746ef4cee7e1ced22e6a9b2b4e15 298591: 2c228a283d41415aa84f8e06e7d72518720f0a29 v: v3 --- [refs] | 2 +- trunk/security/selinux/avc.c | 27 +++++++++++++++------------ trunk/security/selinux/include/avc.h | 14 ++++++++++++-- 3 files changed, 28 insertions(+), 15 deletions(-) diff --git a/[refs] b/[refs] index 43d419b2b1ac..ea1bcf31f80d 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: f8294f1144ad0630075918df4bf94075f5384604 +refs/heads/master: 3f0882c48286e7bdb0bbdec9c4bfa934e0db8e09 diff --git a/trunk/security/selinux/avc.c b/trunk/security/selinux/avc.c index b5545a84448a..36c42bb52d81 100644 --- a/trunk/security/selinux/avc.c +++ b/trunk/security/selinux/avc.c @@ -436,9 +436,9 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) { struct common_audit_data *ad = a; audit_log_format(ab, "avc: %s ", - ad->selinux_audit_data->denied ? "denied" : "granted"); - avc_dump_av(ab, ad->selinux_audit_data->tclass, - ad->selinux_audit_data->audited); + ad->selinux_audit_data->slad->denied ? "denied" : "granted"); + avc_dump_av(ab, ad->selinux_audit_data->slad->tclass, + ad->selinux_audit_data->slad->audited); audit_log_format(ab, " for "); } @@ -452,9 +452,9 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) { struct common_audit_data *ad = a; audit_log_format(ab, " "); - avc_dump_query(ab, ad->selinux_audit_data->ssid, - ad->selinux_audit_data->tsid, - ad->selinux_audit_data->tclass); + avc_dump_query(ab, ad->selinux_audit_data->slad->ssid, + ad->selinux_audit_data->slad->tsid, + ad->selinux_audit_data->slad->tclass); } /* This is the slow part of avc audit with big stack footprint */ @@ -465,6 +465,7 @@ static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, { struct common_audit_data stack_data; struct selinux_audit_data sad = {0,}; + struct selinux_late_audit_data slad; if (!a) { a = &stack_data; @@ -483,12 +484,14 @@ static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, (flags & MAY_NOT_BLOCK)) return -ECHILD; - a->selinux_audit_data->tclass = tclass; - a->selinux_audit_data->requested = requested; - a->selinux_audit_data->ssid = ssid; - a->selinux_audit_data->tsid = tsid; - a->selinux_audit_data->audited = audited; - a->selinux_audit_data->denied = denied; + slad.tclass = tclass; + slad.requested = requested; + slad.ssid = ssid; + slad.tsid = tsid; + slad.audited = audited; + slad.denied = denied; + + a->selinux_audit_data->slad = &slad; a->lsm_pre_audit = avc_audit_pre_callback; a->lsm_post_audit = avc_audit_post_callback; common_lsm_audit(a); diff --git a/trunk/security/selinux/include/avc.h b/trunk/security/selinux/include/avc.h index 09c3eda12128..1931370233d7 100644 --- a/trunk/security/selinux/include/avc.h +++ b/trunk/security/selinux/include/avc.h @@ -46,19 +46,29 @@ struct avc_cache_stats { unsigned int frees; }; -struct selinux_audit_data { +/* + * We only need this data after we have decided to send an audit message. + */ +struct selinux_late_audit_data { u32 ssid; u32 tsid; u16 tclass; u32 requested; u32 audited; u32 denied; + int result; +}; + +/* + * We collect this at the beginning or during an selinux security operation + */ +struct selinux_audit_data { /* * auditdeny is a bit tricky and unintuitive. See the * comments in avc.c for it's meaning and usage. */ u32 auditdeny; - int result; + struct selinux_late_audit_data *slad; }; /*