Audit: Final renamings and cleanup

Rename the se_str and se_rule audit fields elements to
lsm_str and lsm_rule to avoid confusion.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
This commit is contained in:
Ahmed S. Darwish 2008-04-19 09:59:43 +10:00 committed by James Morris
parent 9d57a7f9e2
commit 04305e4aff
4 changed files with 93 additions and 28 deletions

View File

@ -377,8 +377,8 @@ struct audit_field {
u32 type; u32 type;
u32 val; u32 val;
u32 op; u32 op;
char *se_str; char *lsm_str;
void *se_rule; void *lsm_rule;
}; };
#define AUDITSC_INVALID 0 #define AUDITSC_INVALID 0

View File

@ -139,8 +139,8 @@ static inline void audit_free_rule(struct audit_entry *e)
if (e->rule.fields) if (e->rule.fields)
for (i = 0; i < e->rule.field_count; i++) { for (i = 0; i < e->rule.field_count; i++) {
struct audit_field *f = &e->rule.fields[i]; struct audit_field *f = &e->rule.fields[i];
kfree(f->se_str); kfree(f->lsm_str);
security_audit_rule_free(f->se_rule); security_audit_rule_free(f->lsm_rule);
} }
kfree(e->rule.fields); kfree(e->rule.fields);
kfree(e->rule.filterkey); kfree(e->rule.filterkey);
@ -554,8 +554,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
f->op = data->fieldflags[i] & AUDIT_OPERATORS; f->op = data->fieldflags[i] & AUDIT_OPERATORS;
f->type = data->fields[i]; f->type = data->fields[i];
f->val = data->values[i]; f->val = data->values[i];
f->se_str = NULL; f->lsm_str = NULL;
f->se_rule = NULL; f->lsm_rule = NULL;
switch(f->type) { switch(f->type) {
case AUDIT_PID: case AUDIT_PID:
case AUDIT_UID: case AUDIT_UID:
@ -598,7 +598,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
entry->rule.buflen += f->val; entry->rule.buflen += f->val;
err = security_audit_rule_init(f->type, f->op, str, err = security_audit_rule_init(f->type, f->op, str,
(void **)&f->se_rule); (void **)&f->lsm_rule);
/* Keep currently invalid fields around in case they /* Keep currently invalid fields around in case they
* become valid after a policy reload. */ * become valid after a policy reload. */
if (err == -EINVAL) { if (err == -EINVAL) {
@ -610,7 +610,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
kfree(str); kfree(str);
goto exit_free; goto exit_free;
} else } else
f->se_str = str; f->lsm_str = str;
break; break;
case AUDIT_WATCH: case AUDIT_WATCH:
str = audit_unpack_string(&bufp, &remain, f->val); str = audit_unpack_string(&bufp, &remain, f->val);
@ -754,7 +754,7 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
case AUDIT_OBJ_LEV_LOW: case AUDIT_OBJ_LEV_LOW:
case AUDIT_OBJ_LEV_HIGH: case AUDIT_OBJ_LEV_HIGH:
data->buflen += data->values[i] = data->buflen += data->values[i] =
audit_pack_string(&bufp, f->se_str); audit_pack_string(&bufp, f->lsm_str);
break; break;
case AUDIT_WATCH: case AUDIT_WATCH:
data->buflen += data->values[i] = data->buflen += data->values[i] =
@ -806,7 +806,7 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
case AUDIT_OBJ_TYPE: case AUDIT_OBJ_TYPE:
case AUDIT_OBJ_LEV_LOW: case AUDIT_OBJ_LEV_LOW:
case AUDIT_OBJ_LEV_HIGH: case AUDIT_OBJ_LEV_HIGH:
if (strcmp(a->fields[i].se_str, b->fields[i].se_str)) if (strcmp(a->fields[i].lsm_str, b->fields[i].lsm_str))
return 1; return 1;
break; break;
case AUDIT_WATCH: case AUDIT_WATCH:
@ -862,28 +862,28 @@ out:
return new; return new;
} }
/* Duplicate LSM field information. The se_rule is opaque, so must be /* Duplicate LSM field information. The lsm_rule is opaque, so must be
* re-initialized. */ * re-initialized. */
static inline int audit_dupe_lsm_field(struct audit_field *df, static inline int audit_dupe_lsm_field(struct audit_field *df,
struct audit_field *sf) struct audit_field *sf)
{ {
int ret = 0; int ret = 0;
char *se_str; char *lsm_str;
/* our own copy of se_str */ /* our own copy of lsm_str */
se_str = kstrdup(sf->se_str, GFP_KERNEL); lsm_str = kstrdup(sf->lsm_str, GFP_KERNEL);
if (unlikely(!se_str)) if (unlikely(!lsm_str))
return -ENOMEM; return -ENOMEM;
df->se_str = se_str; df->lsm_str = lsm_str;
/* our own (refreshed) copy of se_rule */ /* our own (refreshed) copy of lsm_rule */
ret = security_audit_rule_init(df->type, df->op, df->se_str, ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
(void **)&df->se_rule); (void **)&df->lsm_rule);
/* Keep currently invalid fields around in case they /* Keep currently invalid fields around in case they
* become valid after a policy reload. */ * become valid after a policy reload. */
if (ret == -EINVAL) { if (ret == -EINVAL) {
printk(KERN_WARNING "audit rule for LSM \'%s\' is " printk(KERN_WARNING "audit rule for LSM \'%s\' is "
"invalid\n", df->se_str); "invalid\n", df->lsm_str);
ret = 0; ret = 0;
} }
@ -930,7 +930,7 @@ static struct audit_entry *audit_dupe_rule(struct audit_krule *old,
new->tree = old->tree; new->tree = old->tree;
memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount); memcpy(new->fields, old->fields, sizeof(struct audit_field) * fcount);
/* deep copy this information, updating the se_rule fields, because /* deep copy this information, updating the lsm_rule fields, because
* the originals will all be freed when the old rule is freed. */ * the originals will all be freed when the old rule is freed. */
for (i = 0; i < fcount; i++) { for (i = 0; i < fcount; i++) {
switch (new->fields[i].type) { switch (new->fields[i].type) {
@ -1762,7 +1762,7 @@ unlock_and_return:
return result; return result;
} }
/* This function will re-initialize the se_rule field of all applicable rules. /* This function will re-initialize the lsm_rule field of all applicable rules.
* It will traverse the filter lists serarching for rules that contain LSM * It will traverse the filter lists serarching for rules that contain LSM
* specific filter fields. When such a rule is found, it is copied, the * specific filter fields. When such a rule is found, it is copied, the
* LSM field is re-initialized, and the old rule is replaced with the * LSM field is re-initialized, and the old rule is replaced with the

View File

@ -527,14 +527,14 @@ static int audit_filter_rules(struct task_struct *tsk,
match for now to avoid losing information that match for now to avoid losing information that
may be wanted. An error message will also be may be wanted. An error message will also be
logged upon error */ logged upon error */
if (f->se_rule) { if (f->lsm_rule) {
if (need_sid) { if (need_sid) {
security_task_getsecid(tsk, &sid); security_task_getsecid(tsk, &sid);
need_sid = 0; need_sid = 0;
} }
result = security_audit_rule_match(sid, f->type, result = security_audit_rule_match(sid, f->type,
f->op, f->op,
f->se_rule, f->lsm_rule,
ctx); ctx);
} }
break; break;
@ -545,18 +545,18 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_OBJ_LEV_HIGH: case AUDIT_OBJ_LEV_HIGH:
/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR /* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
also applies here */ also applies here */
if (f->se_rule) { if (f->lsm_rule) {
/* Find files that match */ /* Find files that match */
if (name) { if (name) {
result = security_audit_rule_match( result = security_audit_rule_match(
name->osid, f->type, f->op, name->osid, f->type, f->op,
f->se_rule, ctx); f->lsm_rule, ctx);
} else if (ctx) { } else if (ctx) {
for (j = 0; j < ctx->name_count; j++) { for (j = 0; j < ctx->name_count; j++) {
if (security_audit_rule_match( if (security_audit_rule_match(
ctx->names[j].osid, ctx->names[j].osid,
f->type, f->op, f->type, f->op,
f->se_rule, ctx)) { f->lsm_rule, ctx)) {
++result; ++result;
break; break;
} }
@ -569,7 +569,7 @@ static int audit_filter_rules(struct task_struct *tsk,
aux = aux->next) { aux = aux->next) {
if (aux->type == AUDIT_IPC) { if (aux->type == AUDIT_IPC) {
struct audit_aux_data_ipcctl *axi = (void *)aux; struct audit_aux_data_ipcctl *axi = (void *)aux;
if (security_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) { if (security_audit_rule_match(axi->osid, f->type, f->op, f->lsm_rule, ctx)) {
++result; ++result;
break; break;
} }

View File

@ -0,0 +1,65 @@
/*
* SELinux support for the Audit LSM hooks
*
* Most of below header was moved from include/linux/selinux.h which
* is released under below copyrights:
*
* Author: James Morris <jmorris@redhat.com>
*
* Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
* Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
* Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation.
*/
#ifndef _SELINUX_AUDIT_H
#define _SELINUX_AUDIT_H
/**
* selinux_audit_rule_init - alloc/init an selinux audit rule structure.
* @field: the field this rule refers to
* @op: the operater the rule uses
* @rulestr: the text "target" of the rule
* @rule: pointer to the new rule structure returned via this
*
* Returns 0 if successful, -errno if not. On success, the rule structure
* will be allocated internally. The caller must free this structure with
* selinux_audit_rule_free() after use.
*/
int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule);
/**
* selinux_audit_rule_free - free an selinux audit rule structure.
* @rule: pointer to the audit rule to be freed
*
* This will free all memory associated with the given rule.
* If @rule is NULL, no operation is performed.
*/
void selinux_audit_rule_free(void *rule);
/**
* selinux_audit_rule_match - determine if a context ID matches a rule.
* @sid: the context ID to check
* @field: the field this rule refers to
* @op: the operater the rule uses
* @rule: pointer to the audit rule to check against
* @actx: the audit context (can be NULL) associated with the check
*
* Returns 1 if the context id matches the rule, 0 if it does not, and
* -errno on failure.
*/
int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule,
struct audit_context *actx);
/**
* selinux_audit_rule_known - check to see if rule contains selinux fields.
* @rule: rule to be checked
* Returns 1 if there are selinux fields specified in the rule, 0 otherwise.
*/
int selinux_audit_rule_known(struct audit_krule *krule);
#endif /* _SELINUX_AUDIT_H */