Commit ce29b682e228c70cdc91a1b2935c5adb2087bab8

Authored by Steve Grubb
Committed by Al Viro
1 parent e7c3497013

[PATCH] More user space subject labels

Hi,

The patch below builds upon the patch sent earlier and adds subject label to
all audit events generated via the netlink interface. It also cleans up a few
other minor things.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Showing 4 changed files with 142 additions and 40 deletions Side-by-side Diff

include/linux/audit.h
... ... @@ -371,7 +371,7 @@
371 371 extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
372 372 extern int audit_filter_type(int type);
373 373 extern int audit_receive_filter(int type, int pid, int uid, int seq,
374   - void *data, size_t datasz, uid_t loginuid);
  374 + void *data, size_t datasz, uid_t loginuid, u32 sid);
375 375 #else
376 376 #define audit_log(c,g,t,f,...) do { ; } while (0)
377 377 #define audit_log_start(c,g,t) ({ NULL; })
... ... @@ -230,49 +230,103 @@
230 230 }
231 231 }
232 232  
233   -static int audit_set_rate_limit(int limit, uid_t loginuid)
  233 +static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
234 234 {
235   - int old = audit_rate_limit;
236   - audit_rate_limit = limit;
237   - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  235 + int old = audit_rate_limit;
  236 +
  237 + if (sid) {
  238 + char *ctx = NULL;
  239 + u32 len;
  240 + int rc;
  241 + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
  242 + return rc;
  243 + else
  244 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  245 + "audit_rate_limit=%d old=%d by auid=%u subj=%s",
  246 + limit, old, loginuid, ctx);
  247 + kfree(ctx);
  248 + } else
  249 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
238 250 "audit_rate_limit=%d old=%d by auid=%u",
239   - audit_rate_limit, old, loginuid);
  251 + limit, old, loginuid);
  252 + audit_rate_limit = limit;
240 253 return old;
241 254 }
242 255  
243   -static int audit_set_backlog_limit(int limit, uid_t loginuid)
  256 +static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
244 257 {
245   - int old = audit_backlog_limit;
246   - audit_backlog_limit = limit;
247   - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  258 + int old = audit_backlog_limit;
  259 +
  260 + if (sid) {
  261 + char *ctx = NULL;
  262 + u32 len;
  263 + int rc;
  264 + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
  265 + return rc;
  266 + else
  267 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  268 + "audit_backlog_limit=%d old=%d by auid=%u subj=%s",
  269 + limit, old, loginuid, ctx);
  270 + kfree(ctx);
  271 + } else
  272 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
248 273 "audit_backlog_limit=%d old=%d by auid=%u",
249   - audit_backlog_limit, old, loginuid);
  274 + limit, old, loginuid);
  275 + audit_backlog_limit = limit;
250 276 return old;
251 277 }
252 278  
253   -static int audit_set_enabled(int state, uid_t loginuid)
  279 +static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
254 280 {
255   - int old = audit_enabled;
  281 + int old = audit_enabled;
  282 +
256 283 if (state != 0 && state != 1)
257 284 return -EINVAL;
258   - audit_enabled = state;
259   - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  285 +
  286 + if (sid) {
  287 + char *ctx = NULL;
  288 + u32 len;
  289 + int rc;
  290 + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
  291 + return rc;
  292 + else
  293 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  294 + "audit_enabled=%d old=%d by auid=%u subj=%s",
  295 + state, old, loginuid, ctx);
  296 + kfree(ctx);
  297 + } else
  298 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
260 299 "audit_enabled=%d old=%d by auid=%u",
261   - audit_enabled, old, loginuid);
  300 + state, old, loginuid);
  301 + audit_enabled = state;
262 302 return old;
263 303 }
264 304  
265   -static int audit_set_failure(int state, uid_t loginuid)
  305 +static int audit_set_failure(int state, uid_t loginuid, u32 sid)
266 306 {
267   - int old = audit_failure;
  307 + int old = audit_failure;
  308 +
268 309 if (state != AUDIT_FAIL_SILENT
269 310 && state != AUDIT_FAIL_PRINTK
270 311 && state != AUDIT_FAIL_PANIC)
271 312 return -EINVAL;
272   - audit_failure = state;
273   - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  313 +
  314 + if (sid) {
  315 + char *ctx = NULL;
  316 + u32 len;
  317 + int rc;
  318 + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
  319 + return rc;
  320 + else
  321 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  322 + "audit_failure=%d old=%d by auid=%u subj=%s",
  323 + state, old, loginuid, ctx);
  324 + kfree(ctx);
  325 + } else
  326 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
274 327 "audit_failure=%d old=%d by auid=%u",
275   - audit_failure, old, loginuid);
  328 + state, old, loginuid);
  329 + audit_failure = state;
276 330 return old;
277 331 }
278 332  
279 333  
280 334  
281 335  
282 336  
283 337  
... ... @@ -437,25 +491,43 @@
437 491 return -EINVAL;
438 492 status_get = (struct audit_status *)data;
439 493 if (status_get->mask & AUDIT_STATUS_ENABLED) {
440   - err = audit_set_enabled(status_get->enabled, loginuid);
  494 + err = audit_set_enabled(status_get->enabled,
  495 + loginuid, sid);
441 496 if (err < 0) return err;
442 497 }
443 498 if (status_get->mask & AUDIT_STATUS_FAILURE) {
444   - err = audit_set_failure(status_get->failure, loginuid);
  499 + err = audit_set_failure(status_get->failure,
  500 + loginuid, sid);
445 501 if (err < 0) return err;
446 502 }
447 503 if (status_get->mask & AUDIT_STATUS_PID) {
448 504 int old = audit_pid;
  505 + if (sid) {
  506 + char *ctx = NULL;
  507 + u32 len;
  508 + int rc;
  509 + if ((rc = selinux_ctxid_to_string(
  510 + sid, &ctx, &len)))
  511 + return rc;
  512 + else
  513 + audit_log(NULL, GFP_KERNEL,
  514 + AUDIT_CONFIG_CHANGE,
  515 + "audit_pid=%d old=%d by auid=%u subj=%s",
  516 + status_get->pid, old,
  517 + loginuid, ctx);
  518 + kfree(ctx);
  519 + } else
  520 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  521 + "audit_pid=%d old=%d by auid=%u",
  522 + status_get->pid, old, loginuid);
449 523 audit_pid = status_get->pid;
450   - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
451   - "audit_pid=%d old=%d by auid=%u",
452   - audit_pid, old, loginuid);
453 524 }
454 525 if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
455   - audit_set_rate_limit(status_get->rate_limit, loginuid);
  526 + audit_set_rate_limit(status_get->rate_limit,
  527 + loginuid, sid);
456 528 if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
457 529 audit_set_backlog_limit(status_get->backlog_limit,
458   - loginuid);
  530 + loginuid, sid);
459 531 break;
460 532 case AUDIT_USER:
461 533 case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
... ... @@ -477,7 +549,7 @@
477 549 if (selinux_ctxid_to_string(
478 550 sid, &ctx, &len)) {
479 551 audit_log_format(ab,
480   - " subj=%u", sid);
  552 + " ssid=%u", sid);
481 553 /* Maybe call audit_panic? */
482 554 } else
483 555 audit_log_format(ab,
... ... @@ -499,7 +571,7 @@
499 571 case AUDIT_LIST:
500 572 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
501 573 uid, seq, data, nlmsg_len(nlh),
502   - loginuid);
  574 + loginuid, sid);
503 575 break;
504 576 case AUDIT_ADD_RULE:
505 577 case AUDIT_DEL_RULE:
... ... @@ -509,7 +581,7 @@
509 581 case AUDIT_LIST_RULES:
510 582 err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
511 583 uid, seq, data, nlmsg_len(nlh),
512   - loginuid);
  584 + loginuid, sid);
513 585 break;
514 586 case AUDIT_SIGNAL_INFO:
515 587 sig_data.uid = audit_sig_uid;
kernel/auditfilter.c
... ... @@ -586,9 +586,10 @@
586 586 * @data: payload data
587 587 * @datasz: size of payload data
588 588 * @loginuid: loginuid of sender
  589 + * @sid: SE Linux Security ID of sender
589 590 */
590 591 int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
591   - size_t datasz, uid_t loginuid)
  592 + size_t datasz, uid_t loginuid, u32 sid)
592 593 {
593 594 struct task_struct *tsk;
594 595 int *dest;
... ... @@ -631,9 +632,23 @@
631 632  
632 633 err = audit_add_rule(entry,
633 634 &audit_filter_list[entry->rule.listnr]);
634   - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
635   - "auid=%u add rule to list=%d res=%d\n",
636   - loginuid, entry->rule.listnr, !err);
  635 + if (sid) {
  636 + char *ctx = NULL;
  637 + u32 len;
  638 + if (selinux_ctxid_to_string(sid, &ctx, &len)) {
  639 + /* Maybe call audit_panic? */
  640 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  641 + "auid=%u ssid=%u add rule to list=%d res=%d",
  642 + loginuid, sid, entry->rule.listnr, !err);
  643 + } else
  644 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  645 + "auid=%u subj=%s add rule to list=%d res=%d",
  646 + loginuid, ctx, entry->rule.listnr, !err);
  647 + kfree(ctx);
  648 + } else
  649 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  650 + "auid=%u add rule to list=%d res=%d",
  651 + loginuid, entry->rule.listnr, !err);
637 652  
638 653 if (err)
639 654 audit_free_rule(entry);
... ... @@ -649,9 +664,24 @@
649 664  
650 665 err = audit_del_rule(entry,
651 666 &audit_filter_list[entry->rule.listnr]);
652   - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
653   - "auid=%u remove rule from list=%d res=%d\n",
654   - loginuid, entry->rule.listnr, !err);
  667 +
  668 + if (sid) {
  669 + char *ctx = NULL;
  670 + u32 len;
  671 + if (selinux_ctxid_to_string(sid, &ctx, &len)) {
  672 + /* Maybe call audit_panic? */
  673 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  674 + "auid=%u ssid=%u remove rule from list=%d res=%d",
  675 + loginuid, sid, entry->rule.listnr, !err);
  676 + } else
  677 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  678 + "auid=%u subj=%s remove rule from list=%d res=%d",
  679 + loginuid, ctx, entry->rule.listnr, !err);
  680 + kfree(ctx);
  681 + } else
  682 + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
  683 + "auid=%u remove rule from list=%d res=%d",
  684 + loginuid, entry->rule.listnr, !err);
655 685  
656 686 audit_free_rule(entry);
657 687 break;
... ... @@ -637,7 +637,7 @@
637 637 u32 len;
638 638 if (selinux_ctxid_to_string(
639 639 axi->osid, &ctx, &len)) {
640   - audit_log_format(ab, " obj=%u",
  640 + audit_log_format(ab, " osid=%u",
641 641 axi->osid);
642 642 call_panic = 1;
643 643 } else
... ... @@ -712,7 +712,7 @@
712 712 u32 len;
713 713 if (selinux_ctxid_to_string(
714 714 context->names[i].osid, &ctx, &len)) {
715   - audit_log_format(ab, " obj=%u",
  715 + audit_log_format(ab, " osid=%u",
716 716 context->names[i].osid);
717 717 call_panic = 2;
718 718 } else