audit: use a consistent audit helper to log lsm information
We have a number of places where we were reimplementing the same code to write out LSM labels. Just do it in one place. Signed-off-by: Eric Paris <eparis@redhat.com>
parent
152f497b9b
commit
b122c3767c
|
@ -188,7 +188,7 @@ static inline int audit_get_sessionid(struct task_struct *tsk)
|
||||||
return tsk->sessionid;
|
return tsk->sessionid;
|
||||||
}
|
}
|
||||||
|
|
||||||
extern void audit_log_task_context(struct audit_buffer *ab);
|
extern int audit_log_task_context(struct audit_buffer *ab);
|
||||||
extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk);
|
extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk);
|
||||||
extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
|
extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
|
||||||
extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
|
extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
|
||||||
|
@ -344,8 +344,10 @@ static inline int audit_get_sessionid(struct task_struct *tsk)
|
||||||
{
|
{
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
static inline void audit_log_task_context(struct audit_buffer *ab)
|
static int void audit_log_task_context(struct audit_buffer *ab)
|
||||||
{ }
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
static inline void audit_log_task_info(struct audit_buffer *ab,
|
static inline void audit_log_task_info(struct audit_buffer *ab,
|
||||||
struct task_struct *tsk)
|
struct task_struct *tsk)
|
||||||
{ }
|
{ }
|
||||||
|
|
|
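Review bot: The CONFIG_AUDITSYSCALL=n stub on L66 now reads `static int void audit_log_task_context(struct audit_buffer *ab)`, which is a syntax error (two return types) and also drops the `inline` the old stub had, so any configuration without audit syscall support will fail to build this header. The line should be `static inline int audit_log_task_context(struct audit_buffer *ab)`, matching the `extern int` prototype changed in the first hunk of this section. Returning 0 from the stub is consistent with the real implementation's no-sid path later in the commit.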
@ -271,29 +271,15 @@ static int audit_log_config_change(char *function_name, int new, int old,
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
u32 sessionid = audit_get_sessionid(current);
|
u32 sessionid = audit_get_sessionid(current);
|
||||||
uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
|
uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
|
||||||
u32 sid;
|
|
||||||
|
|
||||||
|
|
||||||
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
|
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
|
||||||
if (unlikely(!ab))
|
if (unlikely(!ab))
|
||||||
return rc;
|
return rc;
|
||||||
audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
|
audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
|
||||||
old, auid, sessionid);
|
old, auid, sessionid);
|
||||||
|
rc = audit_log_task_context(ab);
|
||||||
security_task_getsecid(current, &sid);
|
if (rc)
|
||||||
if (sid) {
|
allow_changes = 0; /* Something weird, deny request */
|
||||||
char *ctx = NULL;
|
|
||||||
u32 len;
|
|
||||||
|
|
||||||
rc = security_secid_to_secctx(sid, &ctx, &len);
|
|
||||||
if (rc) {
|
|
||||||
audit_log_format(ab, " sid=%u", sid);
|
|
||||||
allow_changes = 0; /* Something weird, deny request */
|
|
||||||
} else {
|
|
||||||
audit_log_format(ab, " subj=%s", ctx);
|
|
||||||
security_release_secctx(ctx, len);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
audit_log_format(ab, " res=%d", allow_changes);
|
audit_log_format(ab, " res=%d", allow_changes);
|
||||||
audit_log_end(ab);
|
audit_log_end(ab);
|
||||||
return rc;
|
return rc;
|
||||||
|
@ -625,12 +611,9 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
|
||||||
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
|
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
|
||||||
{
|
{
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
char *ctx = NULL;
|
|
||||||
u32 len;
|
|
||||||
u32 sessionid = audit_get_sessionid(current);
|
u32 sessionid = audit_get_sessionid(current);
|
||||||
uid_t uid = from_kuid(&init_user_ns, current_uid());
|
uid_t uid = from_kuid(&init_user_ns, current_uid());
|
||||||
uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
|
uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
|
||||||
u32 sid;
|
|
||||||
|
|
||||||
if (!audit_enabled) {
|
if (!audit_enabled) {
|
||||||
*ab = NULL;
|
*ab = NULL;
|
||||||
|
@ -642,16 +625,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
|
||||||
return rc;
|
return rc;
|
||||||
audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u",
|
audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u",
|
||||||
task_tgid_vnr(current), uid, auid, sessionid);
|
task_tgid_vnr(current), uid, auid, sessionid);
|
||||||
security_task_getsecid(current, &sid);
|
audit_log_task_context(*ab);
|
||||||
if (sid) {
|
|
||||||
rc = security_secid_to_secctx(sid, &ctx, &len);
|
|
||||||
if (rc)
|
|
||||||
audit_log_format(*ab, " ssid=%u", sid);
|
|
||||||
else {
|
|
||||||
audit_log_format(*ab, " subj=%s", ctx);
|
|
||||||
security_release_secctx(ctx, len);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
|
@ -985,7 +985,6 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
|
||||||
struct audit_buffer *ab;
|
struct audit_buffer *ab;
|
||||||
uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
|
uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
|
||||||
u32 sessionid = audit_get_sessionid(current);
|
u32 sessionid = audit_get_sessionid(current);
|
||||||
u32 sid;
|
|
||||||
|
|
||||||
if (!audit_enabled)
|
if (!audit_enabled)
|
||||||
return;
|
return;
|
||||||
|
@ -994,17 +993,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
|
||||||
if (!ab)
|
if (!ab)
|
||||||
return;
|
return;
|
||||||
audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
|
audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
|
||||||
security_task_getsecid(current, &sid);
|
audit_log_task_context(ab);
|
||||||
if (sid) {
|
|
||||||
char *ctx = NULL;
|
|
||||||
u32 len;
|
|
||||||
if (security_secid_to_secctx(sid, &ctx, &len))
|
|
||||||
audit_log_format(ab, " ssid=%u", sid);
|
|
||||||
else {
|
|
||||||
audit_log_format(ab, " subj=%s", ctx);
|
|
||||||
security_release_secctx(ctx, len);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
audit_log_format(ab, " op=");
|
audit_log_format(ab, " op=");
|
||||||
audit_log_string(ab, action);
|
audit_log_string(ab, action);
|
||||||
audit_log_key(ab, rule->filterkey);
|
audit_log_key(ab, rule->filterkey);
|
||||||
|
|
|
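Review bot: In audit_log_common_recv_msg the helper's result is discarded at L309, while the same commit's audit_log_config_change keys allow_changes off that result (L154–L164); with the old secctx block removed, rc on this path is now always the 0 it was initialised to at L243, whereas the removed code returned the secid_to_secctx error to the caller. If a conversion failure should still be surfaced, `rc = audit_log_task_context(*ab);` restores that; if the subject label is meant to be best-effort here, a one-line comment such as `/* subj= is best-effort; a missing label does not fail the request */` would make the asymmetry deliberate. Note also that all three call sites in this section previously emitted the numeric secid (`sid=`/`ssid=`) when conversion failed and now emit nothing in that case; callers of audit_log_common_recv_msg are outside the hunk so I cannot tell whether they relied on the old rc.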
@ -1109,7 +1109,7 @@ static inline void audit_free_context(struct audit_context *context)
|
||||||
kfree(context);
|
kfree(context);
|
||||||
}
|
}
|
||||||
|
|
||||||
void audit_log_task_context(struct audit_buffer *ab)
|
int audit_log_task_context(struct audit_buffer *ab)
|
||||||
{
|
{
|
||||||
char *ctx = NULL;
|
char *ctx = NULL;
|
||||||
unsigned len;
|
unsigned len;
|
||||||
|
@ -1118,22 +1118,22 @@ void audit_log_task_context(struct audit_buffer *ab)
|
||||||
|
|
||||||
security_task_getsecid(current, &sid);
|
security_task_getsecid(current, &sid);
|
||||||
if (!sid)
|
if (!sid)
|
||||||
return;
|
return 0;
|
||||||
|
|
||||||
error = security_secid_to_secctx(sid, &ctx, &len);
|
error = security_secid_to_secctx(sid, &ctx, &len);
|
||||||
if (error) {
|
if (error) {
|
||||||
if (error != -EINVAL)
|
if (error != -EINVAL)
|
||||||
goto error_path;
|
goto error_path;
|
||||||
return;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
audit_log_format(ab, " subj=%s", ctx);
|
audit_log_format(ab, " subj=%s", ctx);
|
||||||
security_release_secctx(ctx, len);
|
security_release_secctx(ctx, len);
|
||||||
return;
|
return 0;
|
||||||
|
|
||||||
error_path:
|
error_path:
|
||||||
audit_panic("error in audit_log_task_context");
|
audit_panic("error in audit_log_task_context");
|
||||||
return;
|
return error;
|
||||||
}
|
}
|
||||||
|
|
||||||
EXPORT_SYMBOL(audit_log_task_context);
|
EXPORT_SYMBOL(audit_log_task_context);
|
||||||
|
|
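Review bot: The -EINVAL path at L552–L564 now returns 0 without logging anything, so a record whose secid could not be converted loses the subject label entirely, whereas the call sites this commit removes used to fall back to printing the numeric secid; consider adding `audit_log_format(ab, " ssid=%u", sid);` before the `return 0` so the record still carries the label in a degraded form. Returning 0 there also means audit_log_config_change in this commit will now allow the change on an -EINVAL conversion failure where the old inline code denied on any error — if that is intended it deserves a comment on the return, e.g. `/* -EINVAL: no label to report; not an error for the caller */`. The `error` and `sid` declarations sit between the two hunks and are outside the hunk, as is the rest of the function prologue.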