Commit d7a96f3a1ae279a2129653d6cb18d722f2f00f91

Authored by Ahmed S. Darwish
Committed by James Morris
1 parent 03d37d25e0

Audit: internally use the new LSM audit hooks

Convert Audit to use the new LSM Audit hooks instead of
the exported SELinux interface.

Basically, use:
security_audit_rule_init
security_audit_rule_free
security_audit_rule_known
security_audit_rule_match

instead of (respectively):
selinux_audit_rule_init
selinux_audit_rule_free
audit_rule_has_selinux
selinux_audit_rule_match

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>

Showing 3 changed files with 22 additions and 55 deletions Side-by-side Diff

... ... @@ -21,7 +21,7 @@
21 21 *
22 22 * Written by Rickard E. (Rik) Faith <faith@redhat.com>
23 23 *
24   - * Goals: 1) Integrate fully with SELinux.
  24 + * Goals: 1) Integrate fully with Security Modules.
25 25 * 2) Minimal run-time overhead:
26 26 * a) Minimal when syscall auditing is disabled (audit_enable=0).
27 27 * b) Small when syscall auditing is enabled and no audit record
... ... @@ -55,7 +55,6 @@
55 55 #include <net/netlink.h>
56 56 #include <linux/skbuff.h>
57 57 #include <linux/netlink.h>
58   -#include <linux/selinux.h>
59 58 #include <linux/inotify.h>
60 59 #include <linux/freezer.h>
61 60 #include <linux/tty.h>
... ... @@ -881,10 +880,6 @@
881 880 audit_initialized = 1;
882 881 audit_enabled = audit_default;
883 882 audit_ever_enabled |= !!audit_default;
884   -
885   - /* Register the callback with selinux. This callback will be invoked
886   - * when a new policy is loaded. */
887   - selinux_audit_set_callback(&selinux_audit_rule_update);
888 883  
889 884 audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
890 885  
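Review bot: Dropping the `selinux_audit_set_callback(&selinux_audit_rule_update)` registration leaves nothing in this file that wires a policy reload to `audit_update_lsm_rules()`; presumably the security module now calls it by name, which turns an opaque, optionally registered callback into a hard symbol dependency from the LSM on the audit core. If that is the case, `audit_update_lsm_rules` needs a declaration in a shared header with an empty stub for configurations where syscall auditing is compiled out, or such a build fails to link; that cannot be confirmed from this diff. A one-line comment at the removal site would spare the next reader the search: `/* LSM policy reloads now call audit_update_lsm_rules() directly */`. The enclosing init function starts before the hunk and ends after it.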
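--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -29,7 +29,6 @@
 #include <linux/sched.h>
 #include <linux/inotify.h>
 #include <linux/security.h>
-#include <linux/selinux.h>
 #include "audit.h"
 
 /*
@@ -39,7 +38,7 @@
 * Synchronizes writes and blocking reads of audit's filterlist
 * data. Rcu is used to traverse the filterlist and access
 * contents of structs audit_entry, audit_watch and opaque
-* selinux rules during filtering. If modified, these structures
+* LSM rules during filtering. If modified, these structures
 * must be copied and replace their counterparts in the filterlist.
 * An audit_parent struct is not accessed during filtering, so may
 * be written directly provided audit_filter_mutex is held.
@@ -141,7 +140,7 @@
 for (i = 0; i < e->rule.field_count; i++) {
 struct audit_field *f = &e->rule.fields[i];
 kfree(f->se_str);
-selinux_audit_rule_free(f->se_rule);
+security_audit_rule_free(f->se_rule);
 }
 kfree(e->rule.fields);
 kfree(e->rule.filterkey);
 
@@ -598,12 +597,12 @@
 goto exit_free;
 entry->rule.buflen += f->val;
 
-err = selinux_audit_rule_init(f->type, f->op, str,
-&f->se_rule);
+err = security_audit_rule_init(f->type, f->op, str,
+(void **)&f->se_rule);
 /* Keep currently invalid fields around in case they
 * become valid after a policy reload. */
 if (err == -EINVAL) {
-printk(KERN_WARNING "audit rule for selinux "
+printk(KERN_WARNING "audit rule for LSM "
 "\'%s\' is invalid\n", str);
 err = 0;
 }
 
@@ -863,9 +862,9 @@
 return new;
 }
 
-/* Duplicate selinux field information. The se_rule is opaque, so must be
+/* Duplicate LSM field information. The se_rule is opaque, so must be
 * re-initialized. */
-static inline int audit_dupe_selinux_field(struct audit_field *df,
+static inline int audit_dupe_lsm_field(struct audit_field *df,
 struct audit_field *sf)
 {
 int ret = 0;
 
@@ -878,12 +877,12 @@
 df->se_str = se_str;
 
 /* our own (refreshed) copy of se_rule */
-ret = selinux_audit_rule_init(df->type, df->op, df->se_str,
-&df->se_rule);
+ret = security_audit_rule_init(df->type, df->op, df->se_str,
+(void **)&df->se_rule);
 /* Keep currently invalid fields around in case they
 * become valid after a policy reload. */
 if (ret == -EINVAL) {
-printk(KERN_WARNING "audit rule for selinux %s is "
+printk(KERN_WARNING "audit rule for LSM %s is "
 "invalid\n", df->se_str);
 ret = 0;
 }
@@ -892,7 +891,7 @@
 }
 
 /* Duplicate an audit rule. This will be a deep copy with the exception
-* of the watch - that pointer is carried over. The selinux specific fields
+* of the watch - that pointer is carried over. The LSM specific fields
 * will be updated in the copy. The point is to be able to replace the old
 * rule with the new rule in the filterlist, then free the old rule.
 * The rlist element is undefined; list manipulations are handled apart from
@@ -945,7 +944,7 @@
 case AUDIT_OBJ_TYPE:
 case AUDIT_OBJ_LEV_LOW:
 case AUDIT_OBJ_LEV_HIGH:
-err = audit_dupe_selinux_field(&new->fields[i],
+err = audit_dupe_lsm_field(&new->fields[i],
 &old->fields[i]);
 break;
 case AUDIT_FILTERKEY:
@@ -1763,38 +1762,12 @@
 return result;
 }
 
-/* Check to see if the rule contains any selinux fields. Returns 1 if there
-are selinux fields specified in the rule, 0 otherwise. */
-static inline int audit_rule_has_selinux(struct audit_krule *rule)
-{
-int i;
-
-for (i = 0; i < rule->field_count; i++) {
-struct audit_field *f = &rule->fields[i];
-switch (f->type) {
-case AUDIT_SUBJ_USER:
-case AUDIT_SUBJ_ROLE:
-case AUDIT_SUBJ_TYPE:
-case AUDIT_SUBJ_SEN:
-case AUDIT_SUBJ_CLR:
-case AUDIT_OBJ_USER:
-case AUDIT_OBJ_ROLE:
-case AUDIT_OBJ_TYPE:
-case AUDIT_OBJ_LEV_LOW:
-case AUDIT_OBJ_LEV_HIGH:
-return 1;
-}
-}
-
-return 0;
-}
-
 /* This function will re-initialize the se_rule field of all applicable rules.
-* It will traverse the filter lists serarching for rules that contain selinux
+* It will traverse the filter lists serarching for rules that contain LSM
 * specific filter fields. When such a rule is found, it is copied, the
-* selinux field is re-initialized, and the old rule is replaced with the
+* LSM field is re-initialized, and the old rule is replaced with the
 * updated rule. */
-int selinux_audit_rule_update(void)
+int audit_update_lsm_rules(void)
 {
 struct audit_entry *entry, *n, *nentry;
 struct audit_watch *watch;
@@ -1806,7 +1779,7 @@
 
 for (i = 0; i < AUDIT_NR_FILTERS; i++) {
 list_for_each_entry_safe(entry, n, &audit_filter_list[i], list) {
-if (!audit_rule_has_selinux(&entry->rule))
+if (!security_audit_rule_known(&entry->rule))
 continue;
 
 watch = entry->rule.watch;
@@ -1817,7 +1790,7 @@
 * return value */
 if (!err)
 err = PTR_ERR(nentry);
-audit_panic("error updating selinux filters");
+audit_panic("error updating LSM filters");
 if (watch)
 list_del(&entry->rule.rlist);
 list_del_rcu(&entry->list);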
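Review bot: The `(void **)&f->se_rule` and `(void **)&df->se_rule` casts in the two `security_audit_rule_init()` calls write through a `void **` alias of a pointer of another type; that relies on all data pointers sharing one representation, which holds on Linux targets, but it is a cast the compiler cannot check and it will silently survive a later change of the field's type. Since the rule object is now opaque to the audit code, the cleaner fix is to declare the field itself as `void *` in `struct audit_field` (outside this diff) so the hook can take `&f->se_rule` directly; the `se_str`/`se_rule` names likewise still say SELinux after everything around them was renamed to LSM. Both `audit_dupe_lsm_field` and `audit_update_lsm_rules` continue outside the hunks shown.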
... ... @@ -61,7 +61,6 @@
61 61 #include <linux/security.h>
62 62 #include <linux/list.h>
63 63 #include <linux/tty.h>
64   -#include <linux/selinux.h>
65 64 #include <linux/binfmts.h>
66 65 #include <linux/highmem.h>
67 66 #include <linux/syscalls.h>
... ... @@ -533,7 +532,7 @@
533 532 security_task_getsecid(tsk, &sid);
534 533 need_sid = 0;
535 534 }
536   - result = selinux_audit_rule_match(sid, f->type,
  535 + result = security_audit_rule_match(sid, f->type,
537 536 f->op,
538 537 f->se_rule,
539 538 ctx);
540 539  
... ... @@ -549,12 +548,12 @@
549 548 if (f->se_rule) {
550 549 /* Find files that match */
551 550 if (name) {
552   - result = selinux_audit_rule_match(
  551 + result = security_audit_rule_match(
553 552 name->osid, f->type, f->op,
554 553 f->se_rule, ctx);
555 554 } else if (ctx) {
556 555 for (j = 0; j < ctx->name_count; j++) {
557   - if (selinux_audit_rule_match(
  556 + if (security_audit_rule_match(
558 557 ctx->names[j].osid,
559 558 f->type, f->op,
560 559 f->se_rule, ctx)) {
... ... @@ -570,7 +569,7 @@
570 569 aux = aux->next) {
571 570 if (aux->type == AUDIT_IPC) {
572 571 struct audit_aux_data_ipcctl *axi = (void *)aux;
573   - if (selinux_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) {
  572 + if (security_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx)) {
574 573 ++result;
575 574 break;
576 575 }
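Review bot: Every call site in this section treats any nonzero return of `security_audit_rule_match()` as a match, most visibly the object loop `if (security_audit_rule_match(ctx->names[j].osid, ...)) { ++result; break; }` and the IPC check below it, so a negative errno from the hook is indistinguishable from a hit. This was already true of the SELinux-specific call, but the commit turns it into a generic LSM contract without stating it; a module that reports a lookup failure as an error would make the rule match spuriously and, depending on which list the rule sits on, either audit or suppress an event it should not. Either document the expected return values where the hook is declared (0 no match, positive match, negative error) or normalise at these sites, e.g. `int rc = security_audit_rule_match(axi->osid, f->type, f->op, f->se_rule, ctx);` followed by `if (rc > 0) { ++result; break; }`; whether the subject-side `result = ...` assignment is later tested as `if (!result)` is outside the hunk. The enclosing filter function starts before and ends after the hunks shown.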