Audit: internally use the new LSM audit hooks

 *

 * Written by Rickard E. (Rik) Faith <faith@redhat.com>

 *

 * Goals: 1) Integrate fully with SELinux.

 * Goals: 1) Integrate fully with Security Modules.

 *	  2) Minimal run-time overhead:

 *	     a) Minimal when syscall auditing is disabled (audit_enable=0).

 *	     b) Small when syscall auditing is enabled and no audit record

#include <net/netlink.h>

#include <linux/skbuff.h>

#include <linux/netlink.h>

#include <linux/selinux.h>

#include <linux/inotify.h>

#include <linux/freezer.h>

#include <linux/tty.h>

	audit_enabled = audit_default;

	audit_ever_enabled |= !!audit_default;

	/* Register the callback with selinux.  This callback will be invoked

	 * when a new policy is loaded. */

	selinux_audit_set_callback(&selinux_audit_rule_update);

	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");

#ifdef CONFIG_AUDITSYSCALL

#include <linux/sched.h>

#include <linux/inotify.h>

#include <linux/security.h>

#include <linux/selinux.h>

#include "audit.h"

/*

 * 		Synchronizes writes and blocking reads of audit's filterlist

 * 		data.  Rcu is used to traverse the filterlist and access

 * 		contents of structs audit_entry, audit_watch and opaque

 * 		selinux rules during filtering.  If modified, these structures

 * 		LSM rules during filtering.  If modified, these structures

 * 		must be copied and replace their counterparts in the filterlist.

 * 		An audit_parent struct is not accessed during filtering, so may

 * 		be written directly provided audit_filter_mutex is held.

		for (i = 0; i < e->rule.field_count; i++) {

			struct audit_field *f = &e->rule.fields[i];

			kfree(f->se_str);

			selinux_audit_rule_free(f->se_rule);

			security_audit_rule_free(f->se_rule);

		}

	kfree(e->rule.fields);

	kfree(e->rule.filterkey);

				goto exit_free;

			entry->rule.buflen += f->val;

			err = selinux_audit_rule_init(f->type, f->op, str,

						      &f->se_rule);

			err = security_audit_rule_init(f->type, f->op, str,

						       (void **)&f->se_rule);

			/* Keep currently invalid fields around in case they

			 * become valid after a policy reload. */

			if (err == -EINVAL) {

				printk(KERN_WARNING "audit rule for selinux "

				printk(KERN_WARNING "audit rule for LSM "

				       "\'%s\' is invalid\n",  str);

				err = 0;

			}

	return new;

}

/* Duplicate selinux field information.  The se_rule is opaque, so must be

/* Duplicate LSM field information.  The se_rule is opaque, so must be

 * re-initialized. */

static inline int audit_dupe_selinux_field(struct audit_field *df,

static inline int audit_dupe_lsm_field(struct audit_field *df,

					   struct audit_field *sf)

{

	int ret = 0;

	df->se_str = se_str;

	/* our own (refreshed) copy of se_rule */

	ret = selinux_audit_rule_init(df->type, df->op, df->se_str,

				      &df->se_rule);

	ret = security_audit_rule_init(df->type, df->op, df->se_str,

				       (void **)&df->se_rule);

	/* Keep currently invalid fields around in case they

	 * become valid after a policy reload. */

	if (ret == -EINVAL) {

		printk(KERN_WARNING "audit rule for selinux \'%s\' is "

		printk(KERN_WARNING "audit rule for LSM \'%s\' is "

		       "invalid\n", df->se_str);

		ret = 0;

	}

}

/* Duplicate an audit rule.  This will be a deep copy with the exception

 * of the watch - that pointer is carried over.  The selinux specific fields

 * of the watch - that pointer is carried over.  The LSM specific fields

 * will be updated in the copy.  The point is to be able to replace the old

 * rule with the new rule in the filterlist, then free the old rule.

 * The rlist element is undefined; list manipulations are handled apart from

		case AUDIT_OBJ_TYPE:

		case AUDIT_OBJ_LEV_LOW:

		case AUDIT_OBJ_LEV_HIGH:

			err = audit_dupe_selinux_field(&new->fields[i],

			err = audit_dupe_lsm_field(&new->fields[i],

						       &old->fields[i]);

			break;

		case AUDIT_FILTERKEY:

	return result;

}

/* Check to see if the rule contains any selinux fields.  Returns 1 if there

   are selinux fields specified in the rule, 0 otherwise. */

static inline int audit_rule_has_selinux(struct audit_krule *rule)

{

	int i;

	for (i = 0; i < rule->field_count; i++) {

		struct audit_field *f = &rule->fields[i];

		switch (f->type) {

		case AUDIT_SUBJ_USER:

		case AUDIT_SUBJ_ROLE:

		case AUDIT_SUBJ_TYPE:

		case AUDIT_SUBJ_SEN:

		case AUDIT_SUBJ_CLR:

		case AUDIT_OBJ_USER:

		case AUDIT_OBJ_ROLE:

		case AUDIT_OBJ_TYPE:

		case AUDIT_OBJ_LEV_LOW:

		case AUDIT_OBJ_LEV_HIGH:

			return 1;

		}

	}

	return 0;

}

/* This function will re-initialize the se_rule field of all applicable rules.

 * It will traverse the filter lists serarching for rules that contain selinux

 * It will traverse the filter lists serarching for rules that contain LSM

 * specific filter fields.  When such a rule is found, it is copied, the

 * selinux field is re-initialized, and the old rule is replaced with the

 * LSM field is re-initialized, and the old rule is replaced with the

 * updated rule. */

int selinux_audit_rule_update(void)

int audit_update_lsm_rules(void)

{

	struct audit_entry *entry, *n, *nentry;

	struct audit_watch *watch;

	for (i = 0; i < AUDIT_NR_FILTERS; i++) {

		list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) {

			if (!audit_rule_has_selinux(&entry->rule))

			if (!security_audit_rule_known(&entry->rule))

				continue;

			watch = entry->rule.watch;

				 * return value */

				if (!err)

					err = PTR_ERR(nentry);

				audit_panic("error updating selinux filters");

				audit_panic("error updating LSM filters");

				if (watch)

					list_del(&entry->rule.rlist);

				list_del_rcu(&entry->list);

#include <linux/security.h>

#include <linux/list.h>

#include <linux/tty.h>

#include <linux/selinux.h>

#include <linux/binfmts.h>

#include <linux/highmem.h>

#include <linux/syscalls.h>

					security_task_getsecid(tsk, &sid);

					need_sid = 0;

				}

				result = selinux_audit_rule_match(sid, f->type,

				result = security_audit_rule_match(sid, f->type,

				                                  f->op,

				                                  f->se_rule,

				                                  ctx);

			if (f->se_rule) {

				/* Find files that match */

				if (name) {

					result = selinux_audit_rule_match(

					result = security_audit_rule_match(

					           name->osid, f->type, f->op,

					           f->se_rule, ctx);

				} else if (ctx) {

					for (j = 0; j < ctx->name_count; j++) {

						if (selinux_audit_rule_match(

						if (security_audit_rule_match(

						      ctx->names[j].osid,

						      f->type, f->op,

						      f->se_rule, ctx)) {

					     aux = aux->next) {

						if (aux->type == AUDIT_IPC) {

							struct audit_aux_data_ipcctl *axi = (void *)aux;

							if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) {

							if (security_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) {

								++result;

								break;

							}