
Commit de64688f authored by Paul Moore's avatar Paul Moore Committed by David S. Miller

NetLabel: honor the audit_enabled flag



The audit_enabled flag is used to signal when syscall auditing is to be
performed.  While NetLabel uses a Netlink interface instead of syscalls, it is
reasonable to consider the NetLabel Netlink interface as a form of syscall so
pay attention to the audit_enabled flag when generating audit messages in
NetLabel.

Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 3de4bab5
+15 −11
@@ -407,12 +407,14 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)

	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
					      &audit_info);
	if (audit_buf != NULL) {
		audit_log_format(audit_buf,
				 " cipso_doi=%u cipso_type=%s res=%u",
				 doi,
				 type_str,
				 ret_val == 0 ? 1 : 0);
		audit_log_end(audit_buf);
	}

	return ret_val;
}
@@ -680,11 +682,13 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)

	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
					      &audit_info);
	if (audit_buf != NULL) {
		audit_log_format(audit_buf,
				 " cipso_doi=%u res=%u",
				 doi,
				 ret_val == 0 ? 1 : 0);
		audit_log_end(audit_buf);
	}

	return ret_val;
}
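Review bot: The `if (audit_buf != NULL) { ... " res=%u", ret_val == 0 ? 1 : 0 ... audit_log_end(audit_buf); }` pattern that both hunks in this file now carry is copied verbatim at every audit call site the commit touches (this file, the domain-hash file and the unlabeled file). Since the NULL return is now part of netlbl_audit_start_common()'s contract, a small `static` helper in netlabel_user.c, e.g. `netlbl_audit_end(audit_buf, ret_val)` that appends the `res=` field and calls `audit_log_end()` only when `audit_buf` is non-NULL, would keep that contract in one place so a future call site cannot omit the check. Both `netlbl_cipsov4_add` and `netlbl_cipsov4_remove` begin before their hunks, so the earlier use of `doi` and `type_str` is not visible here.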
+22 −26
@@ -202,7 +202,6 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
	int ret_val;
	u32 bkt;
	struct audit_buffer *audit_buf;
	char *audit_domain;

	switch (entry->type) {
	case NETLBL_NLTYPE_UNLABELED:
@@ -243,12 +242,11 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
	} else
		ret_val = -EINVAL;

	if (entry->domain != NULL)
		audit_domain = entry->domain;
	else
		audit_domain = "(default)";
	audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info);
	audit_log_format(audit_buf, " nlbl_domain=%s", audit_domain);
	if (audit_buf != NULL) {
		audit_log_format(audit_buf,
				 " nlbl_domain=%s",
				 entry->domain ? entry->domain : "(default)");
		switch (entry->type) {
		case NETLBL_NLTYPE_UNLABELED:
			audit_log_format(audit_buf, " nlbl_protocol=unlbl");
@@ -261,6 +259,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
		}
		audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
		audit_log_end(audit_buf);
	}

	rcu_read_unlock();

@@ -310,7 +309,6 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info)
	int ret_val = -ENOENT;
	struct netlbl_dom_map *entry;
	struct audit_buffer *audit_buf;
	char *audit_domain;

	rcu_read_lock();
	if (domain != NULL)
@@ -348,16 +346,14 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info)
		spin_unlock(&netlbl_domhsh_def_lock);
	}

	if (entry->domain != NULL)
		audit_domain = entry->domain;
	else
		audit_domain = "(default)";
	audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info);
	if (audit_buf != NULL) {
		audit_log_format(audit_buf,
				 " nlbl_domain=%s res=%u",
			 audit_domain,
				 entry->domain ? entry->domain : "(default)",
				 ret_val == 0 ? 1 : 0);
		audit_log_end(audit_buf);
	}

	if (ret_val == 0)
		call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
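Review bot: The new `" nlbl_domain=%s"` arguments in the add hunk and the `" nlbl_domain=%s res=%u"` line in the remove hunk write the domain string into the audit record unescaped; if `entry->domain` originates from a userspace Netlink attribute, which the add path suggests but these hunks do not show, a value containing spaces, quotes or newlines would be indistinguishable from additional record fields to an audit consumer. The audit API provides `audit_log_untrustedstring()` for this case, so the add site would become `audit_log_format(audit_buf, " nlbl_domain="); audit_log_untrustedstring(audit_buf, entry->domain ? entry->domain : "(default)");` and the remove site the same followed by `audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);`. Both `netlbl_domhsh_add` and `netlbl_domhsh_remove` start and end outside these hunks, so where `entry` is validated before `entry->domain` is dereferenced cannot be confirmed from the view here.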
+6 −2
@@ -35,6 +35,7 @@
#include <linux/socket.h>
#include <linux/string.h>
#include <linux/skbuff.h>
#include <linux/audit.h>
#include <net/sock.h>
#include <net/netlink.h>
#include <net/genetlink.h>
@@ -92,9 +93,12 @@ static void netlbl_unlabel_acceptflg_set(u8 value,

	audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
					      audit_info);
	audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val);
	if (audit_buf != NULL) {
		audit_log_format(audit_buf,
				 " unlbl_accept=%u old=%u", value, old_val);
		audit_log_end(audit_buf);
	}
}

/*
 * NetLabel Command Handlers
+7 −0
@@ -46,6 +46,10 @@
#include "netlabel_cipso_v4.h"
#include "netlabel_user.h"

/* do not do any auditing if audit_enabled == 0, see kernel/audit.c for
 * details */
extern int audit_enabled;

/*
 * NetLabel NETLINK Setup Functions
 */
@@ -101,6 +105,9 @@ struct audit_buffer *netlbl_audit_start_common(int type,
	char *secctx;
	u32 secctx_len;

	if (audit_enabled == 0)
		return NULL;

	audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type);
	if (audit_buf == NULL)
		return NULL;
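Review bot: The bare `extern int audit_enabled;` added above the setup functions binds this file to a symbol that kernel/audit.c provides only when audit support is built in; unless NetLabel's Kconfig already requires CONFIG_AUDIT or `<linux/audit.h>` declares the flag for both configurations, a build without audit would presumably fail to link here, which is worth confirming, and the header's declaration should be preferred over a local one if it exists. The early `return NULL` when `audit_enabled == 0` also makes "auditing disabled" indistinguishable to callers from "audit_log_start() could not get a buffer", so every caller must treat NULL as "skip logging" rather than as an error. netlbl_audit_start_common()'s header and tail lie outside this hunk; its kernel-doc there should state `Returns NULL when auditing is disabled (audit_enabled == 0) or when no audit buffer could be allocated; callers must check before logging`.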