diff options
| author | John Johansen <john.johansen@canonical.com> | 2022-09-19 20:48:48 -0700 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2023-10-18 15:30:38 -0700 |
| commit | 90c436a64a6e20482a9a613c47eb4af2e8a5328e (patch) | |
| tree | b5df0d74b93bb320f34f5b4a109f46a9128ea0b7 /security/apparmor/net.c | |
| parent | d20f5a1a6e792d22199c9989ec7ab9e95c48d60c (diff) | |
| download | lwn-90c436a64a6e20482a9a613c47eb4af2e8a5328e.tar.gz lwn-90c436a64a6e20482a9a613c47eb4af2e8a5328e.zip | |
apparmor: pass cred through to audit info.
The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmor_audit_data struct gets defined.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/net.c')
| -rw-r--r-- | security/apparmor/net.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/security/apparmor/net.c b/security/apparmor/net.c index 5e50f80e35db..704c171232ab 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -135,8 +135,8 @@ int aa_profile_af_perm(struct aa_profile *profile, return aa_check_perms(profile, &perms, request, ad, audit_net_cb); } -int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family, - int type, int protocol) +int aa_af_perm(const struct cred *subj_cred, struct aa_label *label, + const char *op, u32 request, u16 family, int type, int protocol) { struct aa_profile *profile; DEFINE_AUDIT_NET(ad, op, NULL, family, type, protocol); @@ -146,7 +146,9 @@ int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family, type)); } -static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request, +static int aa_label_sk_perm(const struct cred *subj_cred, + struct aa_label *label, + const char *op, u32 request, struct sock *sk) { struct aa_sk_ctx *ctx = SK_CTX(sk); @@ -159,6 +161,7 @@ static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request, struct aa_profile *profile; DEFINE_AUDIT_SK(ad, op, sk); + ad.subj_cred = subj_cred; error = fn_for_each_confined(label, profile, aa_profile_af_sk_perm(profile, &ad, request, sk)); } @@ -176,21 +179,21 @@ int aa_sk_perm(const char *op, u32 request, struct sock *sk) /* TODO: switch to begin_current_label ???? */ label = begin_current_label_crit_section(); - error = aa_label_sk_perm(label, op, request, sk); + error = aa_label_sk_perm(current_cred(), label, op, request, sk); end_current_label_crit_section(label); return error; } -int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request, - struct socket *sock) +int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label, + const char *op, u32 request, struct socket *sock) { AA_BUG(!label); AA_BUG(!sock); AA_BUG(!sock->sk); - return aa_label_sk_perm(label, op, request, sock->sk); + return aa_label_sk_perm(subj_cred, label, op, request, sock->sk); } #ifdef CONFIG_NETWORK_SECMARK |