Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit da5645a2 authored by Paul Moore's avatar Paul Moore Committed by James Morris
Browse files

SELinux: Only store the network interface's ifindex 



Instead of storing the packet's network interface name store the ifindex.  This
allows us to defer the need to lookup the net_device structure until the audit
record is generated meaning that in the majority of cases we never need to
bother with this at all.

Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent e8bfdb9d

security/selinux/avc.c

+12 −3
Original line number Diff line number Diff line
@@ -661,9 +661,18 @@ void avc_audit(u32 ssid, u32 tsid, 
						    "daddr", "dest");

				break;

			}

			if (a->u.net.netif)

				audit_log_format(ab, " netif=%s",

			if (a->u.net.netif > 0) {

				struct net_device *dev;



				/* NOTE: we always use init's namespace */

				dev = dev_get_by_index(&init_net,

						       a->u.net.netif);

				if (dev) {

					audit_log_format(ab, " netif=%s",

							 dev->name);

					dev_put(dev);

				}

			}

			break;

		}

	}

security/selinux/hooks.c

+2 −2
Original line number Diff line number Diff line
@@ -3928,7 +3928,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 
		family = PF_INET;



	AVC_AUDIT_DATA_INIT(&ad, NET);

	ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";

	ad.u.net.netif = skb->iif;

	ad.u.net.family = family;



	err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
@@ -4259,7 +4259,7 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum, 
	sksec = sk->sk_security;



	AVC_AUDIT_DATA_INIT(&ad, NET);

	ad.u.net.netif = dev->name;

	ad.u.net.netif = dev->ifindex;

	ad.u.net.family = family;



	err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);

security/selinux/include/avc.h

+1 −1
Original line number Diff line number Diff line
@@ -51,7 +51,7 @@ struct avc_audit_data { 
			struct inode *inode;

		} fs;

		struct {

			char *netif;

			int netif;

			struct sock *sk;

			u16 family;

			__be16 dport;