
Commit 95d4e6be authored by Paul Moore's avatar Paul Moore Committed by David S. Miller

[NetLabel]: audit fixups due to delayed feedback



Fix some issues Steve Grubb had with the way NetLabel was using the audit
subsystem.  This should make NetLabel more consistent with other
kernel-generated audit messages specifying configuration changes.

Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Acked-by: default avatarSteve Grubb <sgrubb@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent d6c64102
+5 −6
@@ -95,12 +95,11 @@
#define AUDIT_MAC_POLICY_LOAD	1403	/* Policy file load */
#define AUDIT_MAC_STATUS	1404	/* Changed enforcing,permissive,off */
#define AUDIT_MAC_CONFIG_CHANGE	1405	/* Changes to booleans */
#define AUDIT_MAC_UNLBL_ACCEPT	1406	/* NetLabel: allow unlabeled traffic */
#define AUDIT_MAC_UNLBL_DENY	1407	/* NetLabel: deny unlabeled traffic */
#define AUDIT_MAC_CIPSOV4_ADD	1408	/* NetLabel: add CIPSOv4 DOI entry */
#define AUDIT_MAC_CIPSOV4_DEL	1409	/* NetLabel: del CIPSOv4 DOI entry */
#define AUDIT_MAC_MAP_ADD	1410	/* NetLabel: add LSM domain mapping */
#define AUDIT_MAC_MAP_DEL	1411	/* NetLabel: del LSM domain mapping */
#define AUDIT_MAC_UNLBL_ALLOW	1406	/* NetLabel: allow unlabeled traffic */
#define AUDIT_MAC_CIPSOV4_ADD	1407	/* NetLabel: add CIPSOv4 DOI entry */
#define AUDIT_MAC_CIPSOV4_DEL	1408	/* NetLabel: del CIPSOv4 DOI entry */
#define AUDIT_MAC_MAP_ADD	1409	/* NetLabel: add LSM domain mapping */
#define AUDIT_MAC_MAP_DEL	1410	/* NetLabel: del LSM domain mapping */

#define AUDIT_FIRST_KERN_ANOM_MSG   1700
#define AUDIT_LAST_KERN_ANOM_MSG    1799
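Review bot: Renumbering AUDIT_MAC_CIPSOV4_ADD/DEL and AUDIT_MAC_MAP_ADD/DEL from 1408–1411 down to 1407–1410 changes the numeric record type that userspace audit consumers see, so any tool built against the previous values would now classify CIPSOv4 and domain-mapping records as the wrong event. If the old numbering never shipped in a release this is harmless, but it is worth stating in the commit message or in a comment beside AUDIT_MAC_UNLBL_ALLOW so the shift is not mistaken for a typo later. The single UNLBL_ALLOW type replaces both the ACCEPT and DENY types, so its comment should say where the allow/deny state now lives, e.g. `/* NetLabel: allow/deny unlabeled traffic (setting carried in the record body) */`; that is an assumption to confirm against the unlabeled-traffic handler, which is not part of this diff.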
+2 −2
@@ -129,7 +129,7 @@ extern int cipso_v4_rbm_strictvalid;
#ifdef CONFIG_NETLABEL
int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
int cipso_v4_doi_remove(u32 doi,
			u32 audit_secid,
			struct netlbl_audit *audit_info,
			void (*callback) (struct rcu_head * head));
struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
int cipso_v4_doi_walk(u32 *skip_cnt,
@@ -145,7 +145,7 @@ static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
}

static inline int cipso_v4_doi_remove(u32 doi,
				    u32 audit_secid,
				    struct netlbl_audit *audit_info,
				    void (*callback) (struct rcu_head * head))
{
	return 0;
+7 −1
@@ -92,11 +92,17 @@
 *
 */

/* NetLabel audit information */
struct netlbl_audit {
	u32 secid;
	uid_t loginuid;
};

/* Domain mapping definition struct */
struct netlbl_dom_map;

/* Domain mapping operations */
int netlbl_domhsh_remove(const char *domain, u32 audit_secid);
int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);

/* LSM security attributes */
struct netlbl_lsm_cache {
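Review bot: The new struct netlbl_audit carries the values every NetLabel configuration-change record is built from, yet neither field is commented and this header is the only place a caller learns what to fill in. Judging by the callers in this commit, which replace a raw NETLINK_CB(skb).sid argument with a struct filled by netlbl_netlink_auditinfo(), secid is the requesting task's LSM secid and loginuid its audit login uid, so comments such as `u32 secid;     /* LSM secid of the requester (replaces NETLINK_CB(skb).sid) */` and `uid_t loginuid; /* audit loginuid of the requester */` would help; confirm the loginuid source in netlbl_netlink_auditinfo(), which is not in this diff. Since the struct is populated by the caller and only read afterwards, the netlbl_domhsh_remove() prototype could take `const struct netlbl_audit *audit_info` if its body, also outside this diff, permits.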
+2 −2
@@ -485,7 +485,7 @@ int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
 *
 */
int cipso_v4_doi_remove(u32 doi,
			u32 audit_secid,
			struct netlbl_audit *audit_info,
			void (*callback) (struct rcu_head * head))
{
	struct cipso_v4_doi *doi_def;
@@ -506,7 +506,7 @@ int cipso_v4_doi_remove(u32 doi,
		list_for_each_entry_rcu(dom_iter, &doi_def->dom_list, list)
			if (dom_iter->valid)
				netlbl_domhsh_remove(dom_iter->domain,
						     audit_secid);
						     audit_info);
		cipso_v4_cache_invalidate();
		rcu_read_unlock();

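Review bot: The kernel-doc block whose closing lines are visible at the top of the first hunk describes cipso_v4_doi_remove(), and its parameter list sits outside the hunk; if it still carries an `@audit_secid:` entry it now documents a parameter that no longer exists and should become `@audit_info: NetLabel audit information` to match the new signature. The same check applies to the netlbl_domhsh_remove() definition, whose prototype changes in this commit but whose body is not part of the diff. The body of cipso_v4_doi_remove() continues past the end of the second hunk.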
+29 −19
@@ -384,11 +384,15 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
	u32 doi;
	const char *type_str = "(unknown)";
	struct audit_buffer *audit_buf;
	struct netlbl_audit audit_info;

	if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
	    !info->attrs[NLBL_CIPSOV4_A_MTYPE])
		return -EINVAL;

	doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
	netlbl_netlink_auditinfo(skb, &audit_info);

	type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
	switch (type) {
	case CIPSO_V4_MAP_STD:
@@ -401,13 +405,14 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
		break;
	}

	if (ret_val == 0) {
		doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
						      NETLINK_CB(skb).sid);
		audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str);
					      &audit_info);
	audit_log_format(audit_buf,
			 " cipso_doi=%u cipso_type=%s res=%u",
			 doi,
			 type_str,
			 ret_val == 0 ? 1 : 0);
	audit_log_end(audit_buf);
	}

	return ret_val;
}
@@ -668,20 +673,25 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
	int ret_val = -EINVAL;
	u32 doi = 0;
	struct audit_buffer *audit_buf;
	struct netlbl_audit audit_info;

	if (!info->attrs[NLBL_CIPSOV4_A_DOI])
		return -EINVAL;

	if (info->attrs[NLBL_CIPSOV4_A_DOI]) {
	doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
	netlbl_netlink_auditinfo(skb, &audit_info);

	ret_val = cipso_v4_doi_remove(doi,
					      NETLINK_CB(skb).sid,
				      &audit_info,
				      netlbl_cipsov4_doi_free);
	}

	if (ret_val == 0) {
	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
						      NETLINK_CB(skb).sid);
		audit_log_format(audit_buf, " doi=%u", doi);
					      &audit_info);
	audit_log_format(audit_buf,
			 " cipso_doi=%u res=%u",
			 doi,
			 ret_val == 0 ? 1 : 0);
	audit_log_end(audit_buf);
	}

	return ret_val;
}
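Review bot: The early `return -EINVAL` for a missing NLBL_CIPSOV4_A_DOI (and, in netlbl_cipsov4_add, a missing NLBL_CIPSOV4_A_MTYPE) happens before netlbl_audit_start_common() is ever reached, so a malformed add/remove request from a privileged sender leaves no audit record, while a well-formed request that fails later is now recorded with res=0. If the point of emitting the record unconditionally is that every configuration-change attempt appears in the audit log, those two early returns are a gap; if attribute-validation failures are deliberately excluded, a comment above each check such as `/* malformed requests are rejected before any audit record is written */` would make that explicit. As a style point, `ret_val == 0 ? 1 : 0` in both hunks is the same value as `ret_val == 0`, which already evaluates to 0 or 1. Both functions begin just outside their hunks, and the initial value of ret_val in netlbl_cipsov4_add is not visible here.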