Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 44707fdf authored by Jan Blunck's avatar Jan Blunck Committed by Linus Torvalds
Browse files

d_path: Use struct path in struct avc_audit_data 



audit_log_d_path() is a d_path() wrapper that is used by the audit code.  To
use a struct path in audit_log_d_path() I need to embed it into struct
avc_audit_data.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: default avatarJan Blunck <jblunck@suse.de>
Acked-by: default avatarChristoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Neil Brown <neilb@suse.de>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent a03a8a70

include/linux/audit.h

+2 −3
Original line number Diff line number Diff line
@@ -534,8 +534,7 @@ extern void audit_log_n_untrustedstring(struct audit_buffer *ab, 
							const char *string);

extern void		    audit_log_d_path(struct audit_buffer *ab,

					     const char *prefix,

					     struct dentry *dentry,

					     struct vfsmount *vfsmnt);

					     struct path *path);

extern void		    audit_log_lost(const char *message);

				/* Private API (for audit.c only) */

extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
@@ -552,7 +551,7 @@ extern int audit_enabled; 
#define audit_log_hex(a,b,l) do { ; } while (0)

#define audit_log_untrustedstring(a,s) do { ; } while (0)

#define audit_log_n_untrustedstring(a,n,s) do { ; } while (0)

#define audit_log_d_path(b,p,d,v) do { ; } while (0)

#define audit_log_d_path(b, p, d) do { ; } while (0)

#define audit_enabled 0

#endif

#endif

kernel/audit.c

+6 −6
Original line number Diff line number Diff line
@@ -1312,26 +1312,26 @@ void audit_log_untrustedstring(struct audit_buffer *ab, const char *string) 


/* This is a helper-function to print the escaped d_path */

void audit_log_d_path(struct audit_buffer *ab, const char *prefix,

		      struct dentry *dentry, struct vfsmount *vfsmnt)

		      struct path *path)

{

	char *p, *path;

	char *p, *pathname;



	if (prefix)

		audit_log_format(ab, " %s", prefix);



	/* We will allow 11 spaces for ' (deleted)' to be appended */

	path = kmalloc(PATH_MAX+11, ab->gfp_mask);

	if (!path) {

	pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);

	if (!pathname) {

		audit_log_format(ab, "<no memory>");

		return;

	}

	p = d_path(dentry, vfsmnt, path, PATH_MAX+11);

	p = d_path(path->dentry, path->mnt, pathname, PATH_MAX+11);

	if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */

		/* FIXME: can we save some information here? */

		audit_log_format(ab, "<too long>");

	} else

		audit_log_untrustedstring(ab, p);

	kfree(path);

	kfree(pathname);

}



/**

kernel/auditsc.c

+11 −17
Original line number Diff line number Diff line
@@ -208,8 +208,7 @@ struct audit_context { 
	int		    name_count;

	struct audit_names  names[AUDIT_NAMES];

	char *		    filterkey;	/* key for rule that triggered record */

	struct dentry *	    pwd;

	struct vfsmount *   pwdmnt;

	struct path	    pwd;

	struct audit_context *previous; /* For nested syscalls */

	struct audit_aux_data *aux;

	struct audit_aux_data *aux_pids;
@@ -786,12 +785,9 @@ static inline void audit_free_names(struct audit_context *context) 
			__putname(context->names[i].name);

	}

	context->name_count = 0;

	if (context->pwd)

		dput(context->pwd);

	if (context->pwdmnt)

		mntput(context->pwdmnt);

	context->pwd = NULL;

	context->pwdmnt = NULL;

	path_put(&context->pwd);

	context->pwd.dentry = NULL;

	context->pwd.mnt = NULL;

}



static inline void audit_free_aux(struct audit_context *context)
@@ -930,8 +926,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk 
			if ((vma->vm_flags & VM_EXECUTABLE) &&

			    vma->vm_file) {

				audit_log_d_path(ab, "exe=",

						 vma->vm_file->f_path.dentry,

						 vma->vm_file->f_path.mnt);

						 &vma->vm_file->f_path);

				break;

			}

			vma = vma->vm_next;
@@ -1341,10 +1336,10 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts 
				  context->target_sid, context->target_comm))

			call_panic = 1;



	if (context->pwd && context->pwdmnt) {

	if (context->pwd.dentry && context->pwd.mnt) {

		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);

		if (ab) {

			audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);

			audit_log_d_path(ab, "cwd=", &context->pwd);

			audit_log_end(ab);

		}

	}
@@ -1367,8 +1362,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts 
			case 0:

				/* name was specified as a relative path and the

				 * directory component is the cwd */

				audit_log_d_path(ab, " name=", context->pwd,

						 context->pwdmnt);

				audit_log_d_path(ab, " name=", &context->pwd);

				break;

			default:

				/* log the name's directory component */
@@ -1695,10 +1689,10 @@ void __audit_getname(const char *name) 
	context->names[context->name_count].ino  = (unsigned long)-1;

	context->names[context->name_count].osid = 0;

	++context->name_count;

	if (!context->pwd) {

	if (!context->pwd.dentry) {

		read_lock(&current->fs->lock);

		context->pwd = dget(current->fs->pwd.dentry);

		context->pwdmnt = mntget(current->fs->pwd.mnt);

		context->pwd = current->fs->pwd;

		path_get(&current->fs->pwd);

		read_unlock(&current->fs->lock);

	}

security/selinux/avc.c

+10 −5
Original line number Diff line number Diff line
@@ -568,10 +568,11 @@ void avc_audit(u32 ssid, u32 tsid, 
			audit_log_format(ab, " capability=%d", a->u.cap);

			break;

		case AVC_AUDIT_DATA_FS:

			if (a->u.fs.dentry) {

				struct dentry *dentry = a->u.fs.dentry;

				if (a->u.fs.mnt) {

					audit_log_d_path(ab, "path=", dentry, a->u.fs.mnt);

			if (a->u.fs.path.dentry) {

				struct dentry *dentry = a->u.fs.path.dentry;

				if (a->u.fs.path.mnt) {

					audit_log_d_path(ab, "path=",

							 &a->u.fs.path);

				} else {

					audit_log_format(ab, " name=");

					audit_log_untrustedstring(ab, dentry->d_name.name);
@@ -626,8 +627,12 @@ void avc_audit(u32 ssid, u32 tsid, 
				case AF_UNIX:

					u = unix_sk(sk);

					if (u->dentry) {

						struct path path = {

							.dentry = u->dentry,

							.mnt = u->mnt

						};

						audit_log_d_path(ab, "path=",

								 u->dentry, u->mnt);

								 &path);

						break;

					}

					if (!u->addr)

security/selinux/hooks.c

+12 −16
Original line number Diff line number Diff line
@@ -1356,8 +1356,8 @@ static inline int dentry_has_perm(struct task_struct *tsk, 
	struct inode *inode = dentry->d_inode;

	struct avc_audit_data ad;

	AVC_AUDIT_DATA_INIT(&ad,FS);

	ad.u.fs.mnt = mnt;

	ad.u.fs.dentry = dentry;

	ad.u.fs.path.mnt = mnt;

	ad.u.fs.path.dentry = dentry;

	return inode_has_perm(tsk, inode, av, &ad);

}
@@ -1375,15 +1375,12 @@ static int file_has_perm(struct task_struct *tsk, 
{

	struct task_security_struct *tsec = tsk->security;

	struct file_security_struct *fsec = file->f_security;

	struct vfsmount *mnt = file->f_path.mnt;

	struct dentry *dentry = file->f_path.dentry;

	struct inode *inode = dentry->d_inode;

	struct inode *inode = file->f_path.dentry->d_inode;

	struct avc_audit_data ad;

	int rc;



	AVC_AUDIT_DATA_INIT(&ad, FS);

	ad.u.fs.mnt = mnt;

	ad.u.fs.dentry = dentry;

	ad.u.fs.path = file->f_path;



	if (tsec->sid != fsec->sid) {

		rc = avc_has_perm(tsec->sid, fsec->sid,
@@ -1418,7 +1415,7 @@ static int may_create(struct inode *dir, 
	sbsec = dir->i_sb->s_security;



	AVC_AUDIT_DATA_INIT(&ad, FS);

	ad.u.fs.dentry = dentry;

	ad.u.fs.path.dentry = dentry;



	rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,

			  DIR__ADD_NAME | DIR__SEARCH,
@@ -1476,7 +1473,7 @@ static int may_link(struct inode *dir, 
	isec = dentry->d_inode->i_security;



	AVC_AUDIT_DATA_INIT(&ad, FS);

	ad.u.fs.dentry = dentry;

	ad.u.fs.path.dentry = dentry;



	av = DIR__SEARCH;

	av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
@@ -1523,7 +1520,7 @@ static inline int may_rename(struct inode *old_dir, 


	AVC_AUDIT_DATA_INIT(&ad, FS);



	ad.u.fs.dentry = old_dentry;

	ad.u.fs.path.dentry = old_dentry;

	rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,

			  DIR__REMOVE_NAME | DIR__SEARCH, &ad);

	if (rc)
@@ -1539,7 +1536,7 @@ static inline int may_rename(struct inode *old_dir, 
			return rc;

	}



	ad.u.fs.dentry = new_dentry;

	ad.u.fs.path.dentry = new_dentry;

	av = DIR__ADD_NAME | DIR__SEARCH;

	if (new_dentry->d_inode)

		av |= DIR__REMOVE_NAME;
@@ -1918,8 +1915,7 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) 
	}



	AVC_AUDIT_DATA_INIT(&ad, FS);

	ad.u.fs.mnt = bprm->file->f_path.mnt;

	ad.u.fs.dentry = bprm->file->f_path.dentry;

	ad.u.fs.path = bprm->file->f_path;



	if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)

		newsid = tsec->sid;
@@ -2315,7 +2311,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, void *data) 
		return rc;



	AVC_AUDIT_DATA_INIT(&ad,FS);

	ad.u.fs.dentry = sb->s_root;

	ad.u.fs.path.dentry = sb->s_root;

	return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);

}
@@ -2324,7 +2320,7 @@ static int selinux_sb_statfs(struct dentry *dentry) 
	struct avc_audit_data ad;



	AVC_AUDIT_DATA_INIT(&ad,FS);

	ad.u.fs.dentry = dentry->d_sb->s_root;

	ad.u.fs.path.dentry = dentry->d_sb->s_root;

	return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);

}
@@ -2587,7 +2583,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value 
		return -EPERM;



	AVC_AUDIT_DATA_INIT(&ad,FS);

	ad.u.fs.dentry = dentry;

	ad.u.fs.path.dentry = dentry;



	rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,

			  FILE__RELABELFROM, &ad);