Skip to content

Commit

Permalink
[PATCH] More user space subject labels
Browse files Browse the repository at this point in the history 
Hi,

The patch below builds upon the patch sent earlier and adds subject label to
all audit events generated via the netlink interface. It also cleans up a few
other minor things.

Signed-off-by: Steve Grubb <[email protected]>

Signed-off-by: Al Viro <[email protected]>
  • Loading branch information
@RH-steve-grubb
RH-steve-grubb authored and Al Viro committed May 1, 2006
1 parent e7c3497 commit ce29b68
Show file tree
Hide file tree
Showing 4 changed files with 142 additions and 40 deletions.
2 changes: 1 addition & 1 deletion include/linux/audit.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -371,7 +371,7 @@ extern void audit_log_d_path(struct audit_buffer *ab,
extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
extern int audit_filter_type(int type);
extern int audit_receive_filter(int type, int pid, int uid, int seq,
void *data, size_t datasz, uid_t loginuid);
void *data, size_t datasz, uid_t loginuid, u32 sid);
#else
#define audit_log(c,g,t,f,...) do { ; } while (0)
#define audit_log_start(c,g,t) ({ NULL; })
Expand Down
132 changes: 102 additions & 30 deletions kernel/audit.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -230,49 +230,103 @@ void audit_log_lost(const char *message)
}
}

static int audit_set_rate_limit(int limit, uid_t loginuid)
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
{
int old = audit_rate_limit;
audit_rate_limit = limit;
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
int old = audit_rate_limit;

if (sid) {
char *ctx = NULL;
u32 len;
int rc;
if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_rate_limit=%d old=%d by auid=%u subj=%s",
limit, old, loginuid, ctx);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_rate_limit=%d old=%d by auid=%u",
audit_rate_limit, old, loginuid);
limit, old, loginuid);
audit_rate_limit = limit;
return old;
}

static int audit_set_backlog_limit(int limit, uid_t loginuid)
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
{
int old = audit_backlog_limit;
audit_backlog_limit = limit;
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
int old = audit_backlog_limit;

if (sid) {
char *ctx = NULL;
u32 len;
int rc;
if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_backlog_limit=%d old=%d by auid=%u subj=%s",
limit, old, loginuid, ctx);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_backlog_limit=%d old=%d by auid=%u",
audit_backlog_limit, old, loginuid);
limit, old, loginuid);
audit_backlog_limit = limit;
return old;
}

static int audit_set_enabled(int state, uid_t loginuid)
static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
{
int old = audit_enabled;
int old = audit_enabled;

if (state != 0 && state != 1)
return -EINVAL;
audit_enabled = state;
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,

if (sid) {
char *ctx = NULL;
u32 len;
int rc;
if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_enabled=%d old=%d by auid=%u subj=%s",
state, old, loginuid, ctx);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_enabled=%d old=%d by auid=%u",
audit_enabled, old, loginuid);
state, old, loginuid);
audit_enabled = state;
return old;
}

static int audit_set_failure(int state, uid_t loginuid)
static int audit_set_failure(int state, uid_t loginuid, u32 sid)
{
int old = audit_failure;
int old = audit_failure;

if (state != AUDIT_FAIL_SILENT
&& state != AUDIT_FAIL_PRINTK
&& state != AUDIT_FAIL_PANIC)
return -EINVAL;
audit_failure = state;
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,

if (sid) {
char *ctx = NULL;
u32 len;
int rc;
if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_failure=%d old=%d by auid=%u subj=%s",
state, old, loginuid, ctx);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_failure=%d old=%d by auid=%u",
audit_failure, old, loginuid);
state, old, loginuid);
audit_failure = state;
return old;
}

Expand Down Expand Up @@ -437,25 +491,43 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return -EINVAL;
status_get = (struct audit_status *)data;
if (status_get->mask & AUDIT_STATUS_ENABLED) {
err = audit_set_enabled(status_get->enabled, loginuid);
err = audit_set_enabled(status_get->enabled,
loginuid, sid);
if (err < 0) return err;
}
if (status_get->mask & AUDIT_STATUS_FAILURE) {
err = audit_set_failure(status_get->failure, loginuid);
err = audit_set_failure(status_get->failure,
loginuid, sid);
if (err < 0) return err;
}
if (status_get->mask & AUDIT_STATUS_PID) {
int old = audit_pid;
if (sid) {
char *ctx = NULL;
u32 len;
int rc;
if ((rc = selinux_ctxid_to_string(
sid, &ctx, &len)))
return rc;
else
audit_log(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid=%u subj=%s",
status_get->pid, old,
loginuid, ctx);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid=%u",
status_get->pid, old, loginuid);
audit_pid = status_get->pid;
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid=%u",
audit_pid, old, loginuid);
}
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
audit_set_rate_limit(status_get->rate_limit, loginuid);
audit_set_rate_limit(status_get->rate_limit,
loginuid, sid);
if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
audit_set_backlog_limit(status_get->backlog_limit,
loginuid);
loginuid, sid);
break;
case AUDIT_USER:
case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
Expand All @@ -477,7 +549,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (selinux_ctxid_to_string(
sid, &ctx, &len)) {
audit_log_format(ab,
" subj=%u", sid);
" ssid=%u", sid);
/* Maybe call audit_panic? */
} else
audit_log_format(ab,
Expand All @@ -499,7 +571,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
case AUDIT_LIST:
err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
uid, seq, data, nlmsg_len(nlh),
loginuid);
loginuid, sid);
break;
case AUDIT_ADD_RULE:
case AUDIT_DEL_RULE:
Expand All @@ -509,7 +581,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
case AUDIT_LIST_RULES:
err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
uid, seq, data, nlmsg_len(nlh),
loginuid);
loginuid, sid);
break;
case AUDIT_SIGNAL_INFO:
sig_data.uid = audit_sig_uid;
Expand Down
44 changes: 37 additions & 7 deletions kernel/auditfilter.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -586,9 +586,10 @@ static int audit_list_rules(void *_dest)
* @data: payload data
* @datasz: size of payload data
* @loginuid: loginuid of sender
* @sid: SE Linux Security ID of sender
*/
int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
size_t datasz, uid_t loginuid)
size_t datasz, uid_t loginuid, u32 sid)
{
struct task_struct *tsk;
int *dest;
Expand Down Expand Up @@ -631,9 +632,23 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,

err = audit_add_rule(entry,
&audit_filter_list[entry->rule.listnr]);
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u add rule to list=%d res=%d\n",
loginuid, entry->rule.listnr, !err);
if (sid) {
char *ctx = NULL;
u32 len;
if (selinux_ctxid_to_string(sid, &ctx, &len)) {
/* Maybe call audit_panic? */
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u ssid=%u add rule to list=%d res=%d",
loginuid, sid, entry->rule.listnr, !err);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u subj=%s add rule to list=%d res=%d",
loginuid, ctx, entry->rule.listnr, !err);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u add rule to list=%d res=%d",
loginuid, entry->rule.listnr, !err);

if (err)
audit_free_rule(entry);
Expand All @@ -649,9 +664,24 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,

err = audit_del_rule(entry,
&audit_filter_list[entry->rule.listnr]);
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u remove rule from list=%d res=%d\n",
loginuid, entry->rule.listnr, !err);

if (sid) {
char *ctx = NULL;
u32 len;
if (selinux_ctxid_to_string(sid, &ctx, &len)) {
/* Maybe call audit_panic? */
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u ssid=%u remove rule from list=%d res=%d",
loginuid, sid, entry->rule.listnr, !err);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u subj=%s remove rule from list=%d res=%d",
loginuid, ctx, entry->rule.listnr, !err);
kfree(ctx);
} else
audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"auid=%u remove rule from list=%d res=%d",
loginuid, entry->rule.listnr, !err);

audit_free_rule(entry);
break;
Expand Down
4 changes: 2 additions & 2 deletions kernel/auditsc.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -637,7 +637,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
u32 len;
if (selinux_ctxid_to_string(
axi->osid, &ctx, &len)) {
audit_log_format(ab, " obj=%u",
audit_log_format(ab, " osid=%u",
axi->osid);
call_panic = 1;
} else
Expand Down Expand Up @@ -712,7 +712,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
u32 len;
if (selinux_ctxid_to_string(
context->names[i].osid, &ctx, &len)) {
audit_log_format(ab, " obj=%u",
audit_log_format(ab, " osid=%u",
context->names[i].osid);
call_panic = 2;
} else
Expand Down

0 comments on commit ce29b68

Please sign in to comment.