LSM: shrink the common_audit_data data union
After shrinking the common_audit_data stack usage for private LSM data I'm not going to shrink the data union. To do this I'm going to move anything larger than 2 void * ptrs to it's own structure and require it to be declared separately on the calling stack. Thus hot paths which don't need more than a couple pointer don't have to declare space to hold large unneeded structures. I could get this down to one void * by dealing with the key struct and the struct path. We'll see if that is helpful after taking care of networking. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
3b3b0e4fc1
commit
48c62af68a
|
@ -22,6 +22,23 @@
|
|||
#include <linux/key.h>
|
||||
#include <linux/skbuff.h>
|
||||
|
||||
struct lsm_network_audit {
|
||||
int netif;
|
||||
struct sock *sk;
|
||||
u16 family;
|
||||
__be16 dport;
|
||||
__be16 sport;
|
||||
union {
|
||||
struct {
|
||||
__be32 daddr;
|
||||
__be32 saddr;
|
||||
} v4;
|
||||
struct {
|
||||
struct in6_addr daddr;
|
||||
struct in6_addr saddr;
|
||||
} v6;
|
||||
} fam;
|
||||
};
|
||||
|
||||
/* Auxiliary data to use in generating the audit record. */
|
||||
struct common_audit_data {
|
||||
|
@ -41,23 +58,7 @@ struct common_audit_data {
|
|||
struct path path;
|
||||
struct dentry *dentry;
|
||||
struct inode *inode;
|
||||
struct {
|
||||
int netif;
|
||||
struct sock *sk;
|
||||
u16 family;
|
||||
__be16 dport;
|
||||
__be16 sport;
|
||||
union {
|
||||
struct {
|
||||
__be32 daddr;
|
||||
__be32 saddr;
|
||||
} v4;
|
||||
struct {
|
||||
struct in6_addr daddr;
|
||||
struct in6_addr saddr;
|
||||
} v6;
|
||||
} fam;
|
||||
} net;
|
||||
struct lsm_network_audit *net;
|
||||
int cap;
|
||||
int ipc_id;
|
||||
struct task_struct *tsk;
|
||||
|
|
|
@ -49,8 +49,8 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
|
|||
if (ih == NULL)
|
||||
return -EINVAL;
|
||||
|
||||
ad->u.net.v4info.saddr = ih->saddr;
|
||||
ad->u.net.v4info.daddr = ih->daddr;
|
||||
ad->u.net->v4info.saddr = ih->saddr;
|
||||
ad->u.net->v4info.daddr = ih->daddr;
|
||||
|
||||
if (proto)
|
||||
*proto = ih->protocol;
|
||||
|
@ -64,8 +64,8 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
|
|||
if (th == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = th->source;
|
||||
ad->u.net.dport = th->dest;
|
||||
ad->u.net->sport = th->source;
|
||||
ad->u.net->dport = th->dest;
|
||||
break;
|
||||
}
|
||||
case IPPROTO_UDP: {
|
||||
|
@ -73,8 +73,8 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
|
|||
if (uh == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = uh->source;
|
||||
ad->u.net.dport = uh->dest;
|
||||
ad->u.net->sport = uh->source;
|
||||
ad->u.net->dport = uh->dest;
|
||||
break;
|
||||
}
|
||||
case IPPROTO_DCCP: {
|
||||
|
@ -82,16 +82,16 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
|
|||
if (dh == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = dh->dccph_sport;
|
||||
ad->u.net.dport = dh->dccph_dport;
|
||||
ad->u.net->sport = dh->dccph_sport;
|
||||
ad->u.net->dport = dh->dccph_dport;
|
||||
break;
|
||||
}
|
||||
case IPPROTO_SCTP: {
|
||||
struct sctphdr *sh = sctp_hdr(skb);
|
||||
if (sh == NULL)
|
||||
break;
|
||||
ad->u.net.sport = sh->source;
|
||||
ad->u.net.dport = sh->dest;
|
||||
ad->u.net->sport = sh->source;
|
||||
ad->u.net->dport = sh->dest;
|
||||
break;
|
||||
}
|
||||
default:
|
||||
|
@ -119,8 +119,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
|
|||
ip6 = ipv6_hdr(skb);
|
||||
if (ip6 == NULL)
|
||||
return -EINVAL;
|
||||
ad->u.net.v6info.saddr = ip6->saddr;
|
||||
ad->u.net.v6info.daddr = ip6->daddr;
|
||||
ad->u.net->v6info.saddr = ip6->saddr;
|
||||
ad->u.net->v6info.daddr = ip6->daddr;
|
||||
ret = 0;
|
||||
/* IPv6 can have several extension header before the Transport header
|
||||
* skip them */
|
||||
|
@ -140,8 +140,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
|
|||
if (th == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = th->source;
|
||||
ad->u.net.dport = th->dest;
|
||||
ad->u.net->sport = th->source;
|
||||
ad->u.net->dport = th->dest;
|
||||
break;
|
||||
}
|
||||
case IPPROTO_UDP: {
|
||||
|
@ -151,8 +151,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
|
|||
if (uh == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = uh->source;
|
||||
ad->u.net.dport = uh->dest;
|
||||
ad->u.net->sport = uh->source;
|
||||
ad->u.net->dport = uh->dest;
|
||||
break;
|
||||
}
|
||||
case IPPROTO_DCCP: {
|
||||
|
@ -162,8 +162,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
|
|||
if (dh == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = dh->dccph_sport;
|
||||
ad->u.net.dport = dh->dccph_dport;
|
||||
ad->u.net->sport = dh->dccph_sport;
|
||||
ad->u.net->dport = dh->dccph_dport;
|
||||
break;
|
||||
}
|
||||
case IPPROTO_SCTP: {
|
||||
|
@ -172,8 +172,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
|
|||
sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
|
||||
if (sh == NULL)
|
||||
break;
|
||||
ad->u.net.sport = sh->source;
|
||||
ad->u.net.dport = sh->dest;
|
||||
ad->u.net->sport = sh->source;
|
||||
ad->u.net->dport = sh->dest;
|
||||
break;
|
||||
}
|
||||
default:
|
||||
|
@ -281,8 +281,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
|
|||
}
|
||||
break;
|
||||
case LSM_AUDIT_DATA_NET:
|
||||
if (a->u.net.sk) {
|
||||
struct sock *sk = a->u.net.sk;
|
||||
if (a->u.net->sk) {
|
||||
struct sock *sk = a->u.net->sk;
|
||||
struct unix_sock *u;
|
||||
int len = 0;
|
||||
char *p = NULL;
|
||||
|
@ -330,29 +330,29 @@ static void dump_common_audit_data(struct audit_buffer *ab,
|
|||
}
|
||||
}
|
||||
|
||||
switch (a->u.net.family) {
|
||||
switch (a->u.net->family) {
|
||||
case AF_INET:
|
||||
print_ipv4_addr(ab, a->u.net.v4info.saddr,
|
||||
a->u.net.sport,
|
||||
print_ipv4_addr(ab, a->u.net->v4info.saddr,
|
||||
a->u.net->sport,
|
||||
"saddr", "src");
|
||||
print_ipv4_addr(ab, a->u.net.v4info.daddr,
|
||||
a->u.net.dport,
|
||||
print_ipv4_addr(ab, a->u.net->v4info.daddr,
|
||||
a->u.net->dport,
|
||||
"daddr", "dest");
|
||||
break;
|
||||
case AF_INET6:
|
||||
print_ipv6_addr(ab, &a->u.net.v6info.saddr,
|
||||
a->u.net.sport,
|
||||
print_ipv6_addr(ab, &a->u.net->v6info.saddr,
|
||||
a->u.net->sport,
|
||||
"saddr", "src");
|
||||
print_ipv6_addr(ab, &a->u.net.v6info.daddr,
|
||||
a->u.net.dport,
|
||||
print_ipv6_addr(ab, &a->u.net->v6info.daddr,
|
||||
a->u.net->dport,
|
||||
"daddr", "dest");
|
||||
break;
|
||||
}
|
||||
if (a->u.net.netif > 0) {
|
||||
if (a->u.net->netif > 0) {
|
||||
struct net_device *dev;
|
||||
|
||||
/* NOTE: we always use init's namespace */
|
||||
dev = dev_get_by_index(&init_net, a->u.net.netif);
|
||||
dev = dev_get_by_index(&init_net, a->u.net->netif);
|
||||
if (dev) {
|
||||
audit_log_format(ab, " netif=%s", dev->name);
|
||||
dev_put(dev);
|
||||
|
|
|
@ -3517,8 +3517,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
|
|||
if (ihlen < sizeof(_iph))
|
||||
goto out;
|
||||
|
||||
ad->u.net.v4info.saddr = ih->saddr;
|
||||
ad->u.net.v4info.daddr = ih->daddr;
|
||||
ad->u.net->v4info.saddr = ih->saddr;
|
||||
ad->u.net->v4info.daddr = ih->daddr;
|
||||
ret = 0;
|
||||
|
||||
if (proto)
|
||||
|
@ -3536,8 +3536,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
|
|||
if (th == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = th->source;
|
||||
ad->u.net.dport = th->dest;
|
||||
ad->u.net->sport = th->source;
|
||||
ad->u.net->dport = th->dest;
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -3552,8 +3552,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
|
|||
if (uh == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = uh->source;
|
||||
ad->u.net.dport = uh->dest;
|
||||
ad->u.net->sport = uh->source;
|
||||
ad->u.net->dport = uh->dest;
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -3568,8 +3568,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
|
|||
if (dh == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = dh->dccph_sport;
|
||||
ad->u.net.dport = dh->dccph_dport;
|
||||
ad->u.net->sport = dh->dccph_sport;
|
||||
ad->u.net->dport = dh->dccph_dport;
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -3596,8 +3596,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
|
|||
if (ip6 == NULL)
|
||||
goto out;
|
||||
|
||||
ad->u.net.v6info.saddr = ip6->saddr;
|
||||
ad->u.net.v6info.daddr = ip6->daddr;
|
||||
ad->u.net->v6info.saddr = ip6->saddr;
|
||||
ad->u.net->v6info.daddr = ip6->daddr;
|
||||
ret = 0;
|
||||
|
||||
nexthdr = ip6->nexthdr;
|
||||
|
@ -3617,8 +3617,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
|
|||
if (th == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = th->source;
|
||||
ad->u.net.dport = th->dest;
|
||||
ad->u.net->sport = th->source;
|
||||
ad->u.net->dport = th->dest;
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -3629,8 +3629,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
|
|||
if (uh == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = uh->source;
|
||||
ad->u.net.dport = uh->dest;
|
||||
ad->u.net->sport = uh->source;
|
||||
ad->u.net->dport = uh->dest;
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -3641,8 +3641,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
|
|||
if (dh == NULL)
|
||||
break;
|
||||
|
||||
ad->u.net.sport = dh->dccph_sport;
|
||||
ad->u.net.dport = dh->dccph_dport;
|
||||
ad->u.net->sport = dh->dccph_sport;
|
||||
ad->u.net->dport = dh->dccph_dport;
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -3662,13 +3662,13 @@ static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
|
|||
char *addrp;
|
||||
int ret;
|
||||
|
||||
switch (ad->u.net.family) {
|
||||
switch (ad->u.net->family) {
|
||||
case PF_INET:
|
||||
ret = selinux_parse_skb_ipv4(skb, ad, proto);
|
||||
if (ret)
|
||||
goto parse_error;
|
||||
addrp = (char *)(src ? &ad->u.net.v4info.saddr :
|
||||
&ad->u.net.v4info.daddr);
|
||||
addrp = (char *)(src ? &ad->u.net->v4info.saddr :
|
||||
&ad->u.net->v4info.daddr);
|
||||
goto okay;
|
||||
|
||||
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
|
||||
|
@ -3676,8 +3676,8 @@ static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
|
|||
ret = selinux_parse_skb_ipv6(skb, ad, proto);
|
||||
if (ret)
|
||||
goto parse_error;
|
||||
addrp = (char *)(src ? &ad->u.net.v6info.saddr :
|
||||
&ad->u.net.v6info.daddr);
|
||||
addrp = (char *)(src ? &ad->u.net->v6info.saddr :
|
||||
&ad->u.net->v6info.daddr);
|
||||
goto okay;
|
||||
#endif /* IPV6 */
|
||||
default:
|
||||
|
@ -3752,6 +3752,7 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
|
|||
struct sk_security_struct *sksec = sk->sk_security;
|
||||
struct common_audit_data ad;
|
||||
struct selinux_audit_data sad = {0,};
|
||||
struct lsm_network_audit net = {0,};
|
||||
u32 tsid = task_sid(task);
|
||||
|
||||
if (sksec->sid == SECINITSID_KERNEL)
|
||||
|
@ -3759,7 +3760,8 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
|
|||
|
||||
COMMON_AUDIT_DATA_INIT(&ad, NET);
|
||||
ad.selinux_audit_data = &sad;
|
||||
ad.u.net.sk = sk;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->sk = sk;
|
||||
|
||||
return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
|
||||
}
|
||||
|
@ -3838,6 +3840,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
|
|||
struct sk_security_struct *sksec = sk->sk_security;
|
||||
struct common_audit_data ad;
|
||||
struct selinux_audit_data sad = {0,};
|
||||
struct lsm_network_audit net = {0,};
|
||||
struct sockaddr_in *addr4 = NULL;
|
||||
struct sockaddr_in6 *addr6 = NULL;
|
||||
unsigned short snum;
|
||||
|
@ -3865,8 +3868,9 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
|
|||
goto out;
|
||||
COMMON_AUDIT_DATA_INIT(&ad, NET);
|
||||
ad.selinux_audit_data = &sad;
|
||||
ad.u.net.sport = htons(snum);
|
||||
ad.u.net.family = family;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->sport = htons(snum);
|
||||
ad.u.net->family = family;
|
||||
err = avc_has_perm(sksec->sid, sid,
|
||||
sksec->sclass,
|
||||
SOCKET__NAME_BIND, &ad);
|
||||
|
@ -3899,13 +3903,14 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
|
|||
|
||||
COMMON_AUDIT_DATA_INIT(&ad, NET);
|
||||
ad.selinux_audit_data = &sad;
|
||||
ad.u.net.sport = htons(snum);
|
||||
ad.u.net.family = family;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->sport = htons(snum);
|
||||
ad.u.net->family = family;
|
||||
|
||||
if (family == PF_INET)
|
||||
ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
|
||||
ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
|
||||
else
|
||||
ad.u.net.v6info.saddr = addr6->sin6_addr;
|
||||
ad.u.net->v6info.saddr = addr6->sin6_addr;
|
||||
|
||||
err = avc_has_perm(sksec->sid, sid,
|
||||
sksec->sclass, node_perm, &ad);
|
||||
|
@ -3933,6 +3938,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
|
|||
sksec->sclass == SECCLASS_DCCP_SOCKET) {
|
||||
struct common_audit_data ad;
|
||||
struct selinux_audit_data sad = {0,};
|
||||
struct lsm_network_audit net = {0,};
|
||||
struct sockaddr_in *addr4 = NULL;
|
||||
struct sockaddr_in6 *addr6 = NULL;
|
||||
unsigned short snum;
|
||||
|
@ -3959,8 +3965,9 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
|
|||
|
||||
COMMON_AUDIT_DATA_INIT(&ad, NET);
|
||||
ad.selinux_audit_data = &sad;
|
||||
ad.u.net.dport = htons(snum);
|
||||
ad.u.net.family = sk->sk_family;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->dport = htons(snum);
|
||||
ad.u.net->family = sk->sk_family;
|
||||
err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
|
||||
if (err)
|
||||
goto out;
|
||||
|
@ -4050,11 +4057,13 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
|
|||
struct sk_security_struct *sksec_new = newsk->sk_security;
|
||||
struct common_audit_data ad;
|
||||
struct selinux_audit_data sad = {0,};
|
||||
struct lsm_network_audit net = {0,};
|
||||
int err;
|
||||
|
||||
COMMON_AUDIT_DATA_INIT(&ad, NET);
|
||||
ad.selinux_audit_data = &sad;
|
||||
ad.u.net.sk = other;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->sk = other;
|
||||
|
||||
err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
|
||||
sksec_other->sclass,
|
||||
|
@ -4082,10 +4091,12 @@ static int selinux_socket_unix_may_send(struct socket *sock,
|
|||
struct sk_security_struct *osec = other->sk->sk_security;
|
||||
struct common_audit_data ad;
|
||||
struct selinux_audit_data sad = {0,};
|
||||
struct lsm_network_audit net = {0,};
|
||||
|
||||
COMMON_AUDIT_DATA_INIT(&ad, NET);
|
||||
ad.selinux_audit_data = &sad;
|
||||
ad.u.net.sk = other->sk;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->sk = other->sk;
|
||||
|
||||
return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
|
||||
&ad);
|
||||
|
@ -4122,12 +4133,14 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
|
|||
u32 sk_sid = sksec->sid;
|
||||
struct common_audit_data ad;
|
||||
struct selinux_audit_data sad = {0,};
|
||||
struct lsm_network_audit net = {0,};
|
||||
char *addrp;
|
||||
|
||||
COMMON_AUDIT_DATA_INIT(&ad, NET);
|
||||
ad.selinux_audit_data = &sad;
|
||||
ad.u.net.netif = skb->skb_iif;
|
||||
ad.u.net.family = family;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->netif = skb->skb_iif;
|
||||
ad.u.net->family = family;
|
||||
err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
|
||||
if (err)
|
||||
return err;
|
||||
|
@ -4155,6 +4168,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
|
|||
u32 sk_sid = sksec->sid;
|
||||
struct common_audit_data ad;
|
||||
struct selinux_audit_data sad = {0,};
|
||||
struct lsm_network_audit net = {0,};
|
||||
char *addrp;
|
||||
u8 secmark_active;
|
||||
u8 peerlbl_active;
|
||||
|
@ -4180,8 +4194,9 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
|
|||
|
||||
COMMON_AUDIT_DATA_INIT(&ad, NET);
|
||||
ad.selinux_audit_data = &sad;
|
||||
ad.u.net.netif = skb->skb_iif;
|
||||
ad.u.net.family = family;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->netif = skb->skb_iif;
|
||||
ad.u.net->family = family;
|
||||
err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
|
||||
if (err)
|
||||
return err;
|
||||
|
@ -4517,6 +4532,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
|
|||
u32 peer_sid;
|
||||
struct common_audit_data ad;
|
||||
struct selinux_audit_data sad = {0,};
|
||||
struct lsm_network_audit net = {0,};
|
||||
u8 secmark_active;
|
||||
u8 netlbl_active;
|
||||
u8 peerlbl_active;
|
||||
|
@ -4535,8 +4551,9 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
|
|||
|
||||
COMMON_AUDIT_DATA_INIT(&ad, NET);
|
||||
ad.selinux_audit_data = &sad;
|
||||
ad.u.net.netif = ifindex;
|
||||
ad.u.net.family = family;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->netif = ifindex;
|
||||
ad.u.net->family = family;
|
||||
if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
|
||||
return NF_DROP;
|
||||
|
||||
|
@ -4624,6 +4641,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
|
|||
struct sk_security_struct *sksec;
|
||||
struct common_audit_data ad;
|
||||
struct selinux_audit_data sad = {0,};
|
||||
struct lsm_network_audit net = {0,};
|
||||
char *addrp;
|
||||
u8 proto;
|
||||
|
||||
|
@ -4633,8 +4651,9 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
|
|||
|
||||
COMMON_AUDIT_DATA_INIT(&ad, NET);
|
||||
ad.selinux_audit_data = &sad;
|
||||
ad.u.net.netif = ifindex;
|
||||
ad.u.net.family = family;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->netif = ifindex;
|
||||
ad.u.net->family = family;
|
||||
if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
|
||||
return NF_DROP;
|
||||
|
||||
|
@ -4657,6 +4676,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
|
|||
struct sock *sk;
|
||||
struct common_audit_data ad;
|
||||
struct selinux_audit_data sad = {0,};
|
||||
struct lsm_network_audit net = {0,};
|
||||
char *addrp;
|
||||
u8 secmark_active;
|
||||
u8 peerlbl_active;
|
||||
|
@ -4704,8 +4724,9 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
|
|||
|
||||
COMMON_AUDIT_DATA_INIT(&ad, NET);
|
||||
ad.selinux_audit_data = &sad;
|
||||
ad.u.net.netif = ifindex;
|
||||
ad.u.net.family = family;
|
||||
ad.u.net = &net;
|
||||
ad.u.net->netif = ifindex;
|
||||
ad.u.net->family = family;
|
||||
if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
|
||||
return NF_DROP;
|
||||
|
||||
|
|
|
@ -325,6 +325,14 @@ static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
|
|||
a->a.smack_audit_data->function = func;
|
||||
}
|
||||
|
||||
static inline void smk_ad_init_net(struct smk_audit_info *a, const char *func,
|
||||
char type, struct lsm_network_audit *net)
|
||||
{
|
||||
smk_ad_init(a, func, type);
|
||||
memset(net, 0, sizeof(*net));
|
||||
a->a.u.net = net;
|
||||
}
|
||||
|
||||
static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
|
||||
struct task_struct *t)
|
||||
{
|
||||
|
@ -348,7 +356,7 @@ static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
|
|||
static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
|
||||
struct sock *sk)
|
||||
{
|
||||
a->a.u.net.sk = sk;
|
||||
a->a.u.net->sk = sk;
|
||||
}
|
||||
|
||||
#else /* no AUDIT */
|
||||
|
|
|
@ -1939,16 +1939,17 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
|
|||
char *hostsp;
|
||||
struct socket_smack *ssp = sk->sk_security;
|
||||
struct smk_audit_info ad;
|
||||
struct lsm_network_audit net;
|
||||
|
||||
rcu_read_lock();
|
||||
hostsp = smack_host_label(sap);
|
||||
if (hostsp != NULL) {
|
||||
sk_lbl = SMACK_UNLABELED_SOCKET;
|
||||
#ifdef CONFIG_AUDIT
|
||||
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
|
||||
ad.a.u.net.family = sap->sin_family;
|
||||
ad.a.u.net.dport = sap->sin_port;
|
||||
ad.a.u.net.v4info.daddr = sap->sin_addr.s_addr;
|
||||
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
|
||||
ad.a.u.net->family = sap->sin_family;
|
||||
ad.a.u.net->dport = sap->sin_port;
|
||||
ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr;
|
||||
#endif
|
||||
rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE, &ad);
|
||||
} else {
|
||||
|
@ -2808,9 +2809,10 @@ static int smack_unix_stream_connect(struct sock *sock,
|
|||
struct socket_smack *osp = other->sk_security;
|
||||
struct socket_smack *nsp = newsk->sk_security;
|
||||
struct smk_audit_info ad;
|
||||
struct lsm_network_audit net;
|
||||
int rc = 0;
|
||||
|
||||
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
|
||||
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
|
||||
smk_ad_setfield_u_net_sk(&ad, other);
|
||||
|
||||
if (!capable(CAP_MAC_OVERRIDE))
|
||||
|
@ -2840,9 +2842,10 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
|
|||
struct socket_smack *ssp = sock->sk->sk_security;
|
||||
struct socket_smack *osp = other->sk->sk_security;
|
||||
struct smk_audit_info ad;
|
||||
struct lsm_network_audit net;
|
||||
int rc = 0;
|
||||
|
||||
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
|
||||
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
|
||||
smk_ad_setfield_u_net_sk(&ad, other->sk);
|
||||
|
||||
if (!capable(CAP_MAC_OVERRIDE))
|
||||
|
@ -2990,6 +2993,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
|
|||
char *csp;
|
||||
int rc;
|
||||
struct smk_audit_info ad;
|
||||
struct lsm_network_audit net;
|
||||
if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
|
||||
return 0;
|
||||
|
||||
|
@ -3007,9 +3011,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
|
|||
netlbl_secattr_destroy(&secattr);
|
||||
|
||||
#ifdef CONFIG_AUDIT
|
||||
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
|
||||
ad.a.u.net.family = sk->sk_family;
|
||||
ad.a.u.net.netif = skb->skb_iif;
|
||||
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
|
||||
ad.a.u.net->family = sk->sk_family;
|
||||
ad.a.u.net->netif = skb->skb_iif;
|
||||
ipv4_skb_to_auditdata(skb, &ad.a, NULL);
|
||||
#endif
|
||||
/*
|
||||
|
@ -3152,6 +3156,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
|
|||
char *sp;
|
||||
int rc;
|
||||
struct smk_audit_info ad;
|
||||
struct lsm_network_audit net;
|
||||
|
||||
/* handle mapped IPv4 packets arriving via IPv6 sockets */
|
||||
if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
|
||||
|
@ -3166,9 +3171,9 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
|
|||
netlbl_secattr_destroy(&secattr);
|
||||
|
||||
#ifdef CONFIG_AUDIT
|
||||
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
|
||||
ad.a.u.net.family = family;
|
||||
ad.a.u.net.netif = skb->skb_iif;
|
||||
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
|
||||
ad.a.u.net->family = family;
|
||||
ad.a.u.net->netif = skb->skb_iif;
|
||||
ipv4_skb_to_auditdata(skb, &ad.a, NULL);
|
||||
#endif
|
||||
/*
|
||||
|
|
Loading…
Reference in New Issue