Skip to content

Commit

Permalink
---
Browse files Browse the repository at this point in the history 
yaml
---
r: 26454
b: refs/heads/master
c: ce29b68
h: refs/heads/master
v: v3
  • Loading branch information
Steve Grubb authored and Al Viro committed May 1, 2006
1 parent 3a9dca7 commit 4962f97
Show file tree
Hide file tree
Showing 5 changed files with 143 additions and 41 deletions.
2 changes: 1 addition & 1 deletion [refs]
View file
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
refs/heads/master: e7c3497013a7e5496ce3d5fd3c73b5cf5af7a56e
refs/heads/master: ce29b682e228c70cdc91a1b2935c5adb2087bab8
2 changes: 1 addition & 1 deletion trunk/include/linux/audit.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -371,7 +371,7 @@ extern void audit_log_d_path(struct audit_buffer *ab,
extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
extern int audit_filter_type(int type);
extern int audit_receive_filter(int type, int pid, int uid, int seq,
void *data, size_t datasz, uid_t loginuid);
void *data, size_t datasz, uid_t loginuid, u32 sid);
#else
#define audit_log(c,g,t,f,...) do { ; } while (0)
#define audit_log_start(c,g,t) ({ NULL; })
Expand Down
132 changes: 102 additions & 30 deletions trunk/kernel/audit.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -230,49 +230,103 @@ void audit_log_lost(const char *message)
}
}

static int audit_set_rate_limit(int limit, uid_t loginuid)
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
{
int old = audit_rate_limit;
audit_rate_limit = limit;
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
int old = audit_rate_limit;

if (sid) {
char *ctx = NULL;
u32 len;
int rc;
if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_rate_limit=%d old=%d by auid=%u subj=%s",
limit, old, loginuid, ctx);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_rate_limit=%d old=%d by auid=%u",
audit_rate_limit, old, loginuid);
limit, old, loginuid);
audit_rate_limit = limit;
return old;
}

static int audit_set_backlog_limit(int limit, uid_t loginuid)
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
{
int old = audit_backlog_limit;
audit_backlog_limit = limit;
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
int old = audit_backlog_limit;

if (sid) {
char *ctx = NULL;
u32 len;
int rc;
if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_backlog_limit=%d old=%d by auid=%u subj=%s",
limit, old, loginuid, ctx);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_backlog_limit=%d old=%d by auid=%u",
audit_backlog_limit, old, loginuid);
limit, old, loginuid);
audit_backlog_limit = limit;
return old;
}

static int audit_set_enabled(int state, uid_t loginuid)
static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
{
int old = audit_enabled;
int old = audit_enabled;

if (state != 0 && state != 1)
return -EINVAL;
audit_enabled = state;
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,

if (sid) {
char *ctx = NULL;
u32 len;
int rc;
if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_enabled=%d old=%d by auid=%u subj=%s",
state, old, loginuid, ctx);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_enabled=%d old=%d by auid=%u",
audit_enabled, old, loginuid);
state, old, loginuid);
audit_enabled = state;
return old;
}

static int audit_set_failure(int state, uid_t loginuid)
static int audit_set_failure(int state, uid_t loginuid, u32 sid)
{
int old = audit_failure;
int old = audit_failure;

if (state != AUDIT_FAIL_SILENT
&& state != AUDIT_FAIL_PRINTK
&& state != AUDIT_FAIL_PANIC)
return -EINVAL;
audit_failure = state;
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,

if (sid) {
char *ctx = NULL;
u32 len;
int rc;
if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_failure=%d old=%d by auid=%u subj=%s",
state, old, loginuid, ctx);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_failure=%d old=%d by auid=%u",
audit_failure, old, loginuid);
state, old, loginuid);
audit_failure = state;
return old;
}

Expand Down Expand Up @@ -437,25 +491,43 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return -EINVAL;
status_get = (struct audit_status *)data;
if (status_get->mask & AUDIT_STATUS_ENABLED) {
err = audit_set_enabled(status_get->enabled, loginuid);
err = audit_set_enabled(status_get->enabled,
loginuid, sid);
if (err < 0) return err;
}
if (status_get->mask & AUDIT_STATUS_FAILURE) {
err = audit_set_failure(status_get->failure, loginuid);
err = audit_set_failure(status_get->failure,
loginuid, sid);
if (err < 0) return err;
}
if (status_get->mask & AUDIT_STATUS_PID) {
int old = audit_pid;
if (sid) {
char *ctx = NULL;
u32 len;
int rc;
if ((rc = selinux_ctxid_to_string(
sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid=%u subj=%s",
status_get->pid, old,
loginuid, ctx);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid=%u",
status_get->pid, old, loginuid);
audit_pid = status_get->pid;
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid=%u",
audit_pid, old, loginuid);
}
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
audit_set_rate_limit(status_get->rate_limit, loginuid);
audit_set_rate_limit(status_get->rate_limit,
loginuid, sid);
if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
audit_set_backlog_limit(status_get->backlog_limit,
loginuid);
loginuid, sid);
break;
case AUDIT_USER:
case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
Expand All @@ -477,7 +549,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (selinux_ctxid_to_string(
sid, &ctx, &len)) {
audit_log_format(ab,
" subj=%u", sid);
" ssid=%u", sid);
/* Maybe call audit_panic? */
} else
audit_log_format(ab,
Expand All @@ -499,7 +571,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
case AUDIT_LIST:
err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
uid, seq, data, nlmsg_len(nlh),
loginuid);
loginuid, sid);
break;
case AUDIT_ADD_RULE:
case AUDIT_DEL_RULE:
Expand All @@ -509,7 +581,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
case AUDIT_LIST_RULES:
err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
uid, seq, data, nlmsg_len(nlh),
loginuid);
loginuid, sid);
break;
case AUDIT_SIGNAL_INFO:
sig_data.uid = audit_sig_uid;
Expand Down
44 changes: 37 additions & 7 deletions trunk/kernel/auditfilter.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -586,9 +586,10 @@ static int audit_list_rules(void *_dest)
* @data: payload data
* @datasz: size of payload data
* @loginuid: loginuid of sender
* @sid: SE Linux Security ID of sender
*/
int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
size_t datasz, uid_t loginuid)
size_t datasz, uid_t loginuid, u32 sid)
{
struct task_struct *tsk;
int *dest;
Expand Down Expand Up @@ -631,9 +632,23 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,

err = audit_add_rule(entry,
&audit_filter_list[entry->rule.listnr]);
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u add rule to list=%d res=%d\n",
loginuid, entry->rule.listnr, !err);
if (sid) {
char *ctx = NULL;
u32 len;
if (selinux_ctxid_to_string(sid, &ctx, &len)) {
/* Maybe call audit_panic? */
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u ssid=%u add rule to list=%d res=%d",
loginuid, sid, entry->rule.listnr, !err);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u subj=%s add rule to list=%d res=%d",
loginuid, ctx, entry->rule.listnr, !err);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u add rule to list=%d res=%d",
loginuid, entry->rule.listnr, !err);

if (err)
audit_free_rule(entry);
Expand All @@ -649,9 +664,24 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,

err = audit_del_rule(entry,
&audit_filter_list[entry->rule.listnr]);
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u remove rule from list=%d res=%d\n",
loginuid, entry->rule.listnr, !err);

if (sid) {
char *ctx = NULL;
u32 len;
if (selinux_ctxid_to_string(sid, &ctx, &len)) {
/* Maybe call audit_panic? */
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u ssid=%u remove rule from list=%d res=%d",
loginuid, sid, entry->rule.listnr, !err);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u subj=%s remove rule from list=%d res=%d",
loginuid, ctx, entry->rule.listnr, !err);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u remove rule from list=%d res=%d",
loginuid, entry->rule.listnr, !err);

audit_free_rule(entry);
break;
Expand Down
4 changes: 2 additions & 2 deletions trunk/kernel/auditsc.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -637,7 +637,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
u32 len;
if (selinux_ctxid_to_string(
axi->osid, &ctx, &len)) {
audit_log_format(ab, " obj=%u",
audit_log_format(ab, " osid=%u",
axi->osid);
call_panic = 1;
} else
Expand Down Expand Up @@ -712,7 +712,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
u32 len;
if (selinux_ctxid_to_string(
context->names[i].osid, &ctx, &len)) {
audit_log_format(ab, " obj=%u",
audit_log_format(ab, " osid=%u",
context->names[i].osid);
call_panic = 2;
} else
Expand Down

0 comments on commit 4962f97

Please sign in to comment.