summaryrefslogtreecommitdiff
path: root/kernel/auditsc.c
diff options
context:
space:
mode:
authorDarrel Goeddel <dgoeddel@trustedcs.com>2006-03-10 18:14:06 -0600
committerAl Viro <viro@zeniv.linux.org.uk>2006-05-01 06:09:36 -0400
commit3dc7e3153eddfcf7ba8b50628775ba516e5f759f (patch)
tree926957e904739fc6c29e5125b7c1635b9f77548c /kernel/auditsc.c
parent376bd9cb357ec945ac893feaeb63af7370a6e70b (diff)
downloadlwn-3dc7e3153eddfcf7ba8b50628775ba516e5f759f.tar.gz
lwn-3dc7e3153eddfcf7ba8b50628775ba516e5f759f.zip
[PATCH] support for context based audit filtering, part 2
This patch provides the ability to filter audit messages based on the elements of the process' SELinux context (user, role, type, mls sensitivity, and mls clearance). It uses the new interfaces from selinux to opaquely store information related to the selinux context and to filter based on that information. It also uses the callback mechanism provided by selinux to refresh the information when a new policy is loaded. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'kernel/auditsc.c')
-rw-r--r--kernel/auditsc.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 8aca4ab4aa27..d3d97d28b69a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -58,6 +58,7 @@
#include <linux/security.h>
#include <linux/list.h>
#include <linux/tty.h>
+#include <linux/selinux.h>
#include "audit.h"
@@ -168,6 +169,9 @@ static int audit_filter_rules(struct task_struct *tsk,
enum audit_state *state)
{
int i, j;
+ u32 sid;
+
+ selinux_task_ctxid(tsk, &sid);
for (i = 0; i < rule->field_count; i++) {
struct audit_field *f = &rule->fields[i];
@@ -257,6 +261,22 @@ static int audit_filter_rules(struct task_struct *tsk,
if (ctx)
result = audit_comparator(ctx->loginuid, f->op, f->val);
break;
+ case AUDIT_SE_USER:
+ case AUDIT_SE_ROLE:
+ case AUDIT_SE_TYPE:
+ case AUDIT_SE_SEN:
+ case AUDIT_SE_CLR:
+ /* NOTE: this may return negative values indicating
+ a temporary error. We simply treat this as a
+ match for now to avoid losing information that
+ may be wanted. An error message will also be
+ logged upon error */
+ if (f->se_rule)
+ result = selinux_audit_rule_match(sid, f->type,
+ f->op,
+ f->se_rule,
+ ctx);
+ break;
case AUDIT_ARG0:
case AUDIT_ARG1:
case AUDIT_ARG2: