diff options
author | Eric Paris <eparis@redhat.com> | 2013-04-19 15:00:33 -0400 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2013-04-30 15:31:28 -0400 |
commit | b122c3767c1d89763b4babca062c3171a71ed97c (patch) | |
tree | 6d11cbca5af63bd1ac4089895d8751f09af28823 | |
parent | 152f497b9b5940f81de3205465840a5eb316458e (diff) | |
download | lwn-b122c3767c1d89763b4babca062c3171a71ed97c.tar.gz lwn-b122c3767c1d89763b4babca062c3171a71ed97c.zip |
audit: use a consistent audit helper to log lsm information
We have a number of places we were reimplementing the same code to write
out lsm labels. Just do it one darn place.
Signed-off-by: Eric Paris <eparis@redhat.com>
-rw-r--r-- | include/linux/audit.h | 8 | ||||
-rw-r--r-- | kernel/audit.c | 34 | ||||
-rw-r--r-- | kernel/auditfilter.c | 13 | ||||
-rw-r--r-- | kernel/auditsc.c | 10 |
4 files changed, 15 insertions, 50 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index a3a50cca1efb..e2dd9c124140 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -188,7 +188,7 @@ static inline int audit_get_sessionid(struct task_struct *tsk) return tsk->sessionid; } -extern void audit_log_task_context(struct audit_buffer *ab); +extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk); extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); @@ -344,8 +344,10 @@ static inline int audit_get_sessionid(struct task_struct *tsk) { return -1; } -static inline void audit_log_task_context(struct audit_buffer *ab) -{ } +static int void audit_log_task_context(struct audit_buffer *ab) +{ + return 0; +} static inline void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) { } diff --git a/kernel/audit.c b/kernel/audit.c index 79b42fd14c22..a3c77b979b5b 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -271,29 +271,15 @@ static int audit_log_config_change(char *function_name, int new, int old, int rc = 0; u32 sessionid = audit_get_sessionid(current); uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current)); - u32 sid; - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (unlikely(!ab)) return rc; audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new, old, auid, sessionid); - - security_task_getsecid(current, &sid); - if (sid) { - char *ctx = NULL; - u32 len; - - rc = security_secid_to_secctx(sid, &ctx, &len); - if (rc) { - audit_log_format(ab, " sid=%u", sid); - allow_changes = 0; /* Something weird, deny request */ - } else { - audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); - } - } + rc = audit_log_task_context(ab); + if (rc) + allow_changes = 0; /* Something weird, deny request */ audit_log_format(ab, " res=%d", allow_changes); audit_log_end(ab); return rc; @@ -625,12 +611,9 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) { int rc = 0; - char *ctx = NULL; - u32 len; u32 sessionid = audit_get_sessionid(current); uid_t uid = from_kuid(&init_user_ns, current_uid()); uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current)); - u32 sid; if (!audit_enabled) { *ab = NULL; @@ -642,16 +625,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) return rc; audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u", task_tgid_vnr(current), uid, auid, sessionid); - security_task_getsecid(current, &sid); - if (sid) { - rc = security_secid_to_secctx(sid, &ctx, &len); - if (rc) - audit_log_format(*ab, " ssid=%u", sid); - else { - audit_log_format(*ab, " subj=%s", ctx); - security_release_secctx(ctx, len); - } - } + audit_log_task_context(*ab); return rc; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index f952234da2ca..478f4602c96b 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -985,7 +985,6 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re struct audit_buffer *ab; uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current)); u32 sessionid = audit_get_sessionid(current); - u32 sid; if (!audit_enabled) return; @@ -994,17 +993,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re if (!ab) return; audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid); - security_task_getsecid(current, &sid); - if (sid) { - char *ctx = NULL; - u32 len; - if (security_secid_to_secctx(sid, &ctx, &len)) - audit_log_format(ab, " ssid=%u", sid); - else { - audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); - } - } + audit_log_task_context(ab); audit_log_format(ab, " op="); audit_log_string(ab, action); audit_log_key(ab, rule->filterkey); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4baf61d39836..17e9a260a545 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1109,7 +1109,7 @@ static inline void audit_free_context(struct audit_context *context) kfree(context); } -void audit_log_task_context(struct audit_buffer *ab) +int audit_log_task_context(struct audit_buffer *ab) { char *ctx = NULL; unsigned len; @@ -1118,22 +1118,22 @@ void audit_log_task_context(struct audit_buffer *ab) security_task_getsecid(current, &sid); if (!sid) - return; + return 0; error = security_secid_to_secctx(sid, &ctx, &len); if (error) { if (error != -EINVAL) goto error_path; - return; + return 0; } audit_log_format(ab, " subj=%s", ctx); security_release_secctx(ctx, len); - return; + return 0; error_path: audit_panic("error in audit_log_task_context"); - return; + return error; } EXPORT_SYMBOL(audit_log_task_context); |