Commit c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6
Committed by
David S. Miller
1 parent
06dc94b1ed
netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms
Netlink message processing in the kernel is synchronous these days, so the session information can be collected when needed. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 7 changed files with 49 additions and 41 deletions Side-by-side Diff
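--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -161,9 +161,6 @@
 __u32 pid;
 __u32 dst_group;
 kernel_cap_t eff_cap;
-__u32 loginuid; /* Login (audit) uid */
-__u32 sessionid; /* Session id (audit) */
-__u32 sid; /* SELinux security id */
 };
 
 #define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb))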
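--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -673,9 +673,9 @@
 
 pid = NETLINK_CREDS(skb)->pid;
 uid = NETLINK_CREDS(skb)->uid;
-loginuid = NETLINK_CB(skb).loginuid;
-sessionid = NETLINK_CB(skb).sessionid;
-sid = NETLINK_CB(skb).sid;
+loginuid = audit_get_loginuid(current);
+sessionid = audit_get_sessionid(current);
+security_task_getsecid(current, &sid);
 seq = nlh->nlmsg_seq;
 data = NLMSG_DATA(nlh);
 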
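Review bot: The three new lines at 676–678 take loginuid, sessionid and the secid from `current`, while pid and uid two lines above still come from `NETLINK_CREDS(skb)`, so the record now mixes values captured at send time with values read at receive time. That is only equivalent to the deleted `NETLINK_CB` fields if the kernel-side receive always runs synchronously in the sending task's context, which the commit message asserts but nothing in the code records; a one-line comment at the new lines, `/* netlink receive runs in the sender's context, so current is the sending task */`, would carry that assumption forward to the next maintainer. The same reliance appears in the auditfilter.c, netlabel_user.h, xfrm_user.c and selinux/hooks.c sections. The enclosing function starts and ends outside the hunk.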
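--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1238,6 +1238,7 @@
 for (i = 0; i < rule->field_count; i++) {
 struct audit_field *f = &rule->fields[i];
 int result = 0;
+u32 sid;
 
 switch (f->type) {
 case AUDIT_PID:
 
 
@@ -1250,19 +1251,22 @@
 result = audit_comparator(cb->creds.gid, f->op, f->val);
 break;
 case AUDIT_LOGINUID:
-result = audit_comparator(cb->loginuid, f->op, f->val);
+result = audit_comparator(audit_get_loginuid(current),
+f->op, f->val);
 break;
 case AUDIT_SUBJ_USER:
 case AUDIT_SUBJ_ROLE:
 case AUDIT_SUBJ_TYPE:
 case AUDIT_SUBJ_SEN:
 case AUDIT_SUBJ_CLR:
-if (f->lsm_rule)
-result = security_audit_rule_match(cb->sid,
+if (f->lsm_rule) {
+security_task_getsecid(current, &sid);
+result = security_audit_rule_match(sid,
 f->type,
 f->op,
 f->lsm_rule,
 NULL);
+}
 break;
 }
 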
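Review bot: In the second hunk, the AUDIT_LOGINUID and AUDIT_SUBJ_* cases now evaluate `current`, while the AUDIT_PID/UID/GID cases a few lines up still read `cb->creds`, so a single rule evaluation draws its subject attributes from two sources that agree only if the skb was sent by the task now processing it. A short comment where `sid` is declared, e.g. `/* loginuid and sid come from current; creds.* still come from the skb */`, would keep the next reader from taking the mix for an oversight. As a minor point of style, `u32 sid;` at 1241 could be declared inside the new `if (f->lsm_rule) {` block, the only place it is used. The enclosing loop and function continue outside both hunks.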
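--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -49,9 +49,9 @@
 static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
 struct netlbl_audit *audit_info)
 {
-audit_info->secid = NETLINK_CB(skb).sid;
-audit_info->loginuid = NETLINK_CB(skb).loginuid;
-audit_info->sessionid = NETLINK_CB(skb).sessionid;
+security_task_getsecid(current, &audit_info->secid);
+audit_info->loginuid = audit_get_loginuid(current);
+audit_info->sessionid = audit_get_sessionid(current);
 }
 
 /* NetLabel NETLINK I/O functions */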
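Review bot: After this change `netlbl_netlink_auditinfo` no longer reads its `skb` parameter at all (lines 52–54 consult only `current`), yet the signature still presents the skb as the source of the audit information. A comment above the function, such as `/* Fill @audit_info from the current task; @skb is unused and kept only for existing callers. */`, would document that and mark the unused parameter as intentional. If a caller were ever reached outside the synchronous receive path, this helper would silently attribute the event to whatever task happens to be current, which is a further reason to state the assumption here.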
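--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1362,9 +1362,6 @@
 
 NETLINK_CB(skb).pid = nlk->pid;
 NETLINK_CB(skb).dst_group = dst_group;
-NETLINK_CB(skb).loginuid = audit_get_loginuid(current);
-NETLINK_CB(skb).sessionid = audit_get_sessionid(current);
-security_task_getsecid(current, &(NETLINK_CB(skb).sid));
 memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
 
 /* What can I do? Netlink is asynchronous, so that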
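--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -497,9 +497,9 @@
 struct xfrm_state *x;
 int err;
 struct km_event c;
-uid_t loginuid = NETLINK_CB(skb).loginuid;
-u32 sessionid = NETLINK_CB(skb).sessionid;
-u32 sid = NETLINK_CB(skb).sid;
+uid_t loginuid = audit_get_loginuid(current);
+u32 sessionid = audit_get_sessionid(current);
+u32 sid;
 
 err = verify_newsa_info(p, attrs);
 if (err)
@@ -515,6 +515,7 @@
 else
 err = xfrm_state_update(x);
 
+security_task_getsecid(current, &sid);
 xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
 
 if (err < 0) {
@@ -575,9 +576,9 @@
 int err = -ESRCH;
 struct km_event c;
 struct xfrm_usersa_id *p = nlmsg_data(nlh);
-uid_t loginuid = NETLINK_CB(skb).loginuid;
-u32 sessionid = NETLINK_CB(skb).sessionid;
-u32 sid = NETLINK_CB(skb).sid;
+uid_t loginuid = audit_get_loginuid(current);
+u32 sessionid = audit_get_sessionid(current);
+u32 sid;
 
 x = xfrm_user_state_lookup(net, p, attrs, &err);
 if (x == NULL)
@@ -602,6 +603,7 @@
 km_state_notify(x, &c);
 
 out:
+security_task_getsecid(current, &sid);
 xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
 xfrm_state_put(x);
 return err;
@@ -1265,9 +1267,9 @@
 struct km_event c;
 int err;
 int excl;
-uid_t loginuid = NETLINK_CB(skb).loginuid;
-u32 sessionid = NETLINK_CB(skb).sessionid;
-u32 sid = NETLINK_CB(skb).sid;
+uid_t loginuid = audit_get_loginuid(current);
+u32 sessionid = audit_get_sessionid(current);
+u32 sid;
 
 err = verify_newpolicy_info(p);
 if (err)
@@ -1286,6 +1288,7 @@
 * a type XFRM_MSG_UPDPOLICY - JHS */
 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
 err = xfrm_policy_insert(p->dir, xp, excl);
+security_task_getsecid(current, &sid);
 xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
 
 if (err) {
 
@@ -1522,10 +1525,11 @@
 NETLINK_CB(skb).pid);
 }
 } else {
-uid_t loginuid = NETLINK_CB(skb).loginuid;
-u32 sessionid = NETLINK_CB(skb).sessionid;
-u32 sid = NETLINK_CB(skb).sid;
+uid_t loginuid = audit_get_loginuid(current);
+u32 sessionid = audit_get_sessionid(current);
+u32 sid;
 
+security_task_getsecid(current, &sid);
 xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
 sid);
 
@@ -1553,9 +1557,9 @@
 struct xfrm_audit audit_info;
 int err;
 
-audit_info.loginuid = NETLINK_CB(skb).loginuid;
-audit_info.sessionid = NETLINK_CB(skb).sessionid;
-audit_info.secid = NETLINK_CB(skb).sid;
+audit_info.loginuid = audit_get_loginuid(current);
+audit_info.sessionid = audit_get_sessionid(current);
+security_task_getsecid(current, &audit_info.secid);
 err = xfrm_state_flush(net, p->proto, &audit_info);
 if (err) {
 if (err == -ESRCH) /* empty table */
@@ -1720,9 +1724,9 @@
 if (err)
 return err;
 
-audit_info.loginuid = NETLINK_CB(skb).loginuid;
-audit_info.sessionid = NETLINK_CB(skb).sessionid;
-audit_info.secid = NETLINK_CB(skb).sid;
+audit_info.loginuid = audit_get_loginuid(current);
+audit_info.sessionid = audit_get_sessionid(current);
+security_task_getsecid(current, &audit_info.secid);
 err = xfrm_policy_flush(net, type, &audit_info);
 if (err) {
 if (err == -ESRCH) /* empty table */
@@ -1789,9 +1793,11 @@
 
 err = 0;
 if (up->hard) {
-uid_t loginuid = NETLINK_CB(skb).loginuid;
-uid_t sessionid = NETLINK_CB(skb).sessionid;
-u32 sid = NETLINK_CB(skb).sid;
+uid_t loginuid = audit_get_loginuid(current);
+u32 sessionid = audit_get_sessionid(current);
+u32 sid;
+
+security_task_getsecid(current, &sid);
 xfrm_policy_delete(xp, p->dir);
 xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);
 
@@ -1830,9 +1836,11 @@
 km_state_expired(x, ue->hard, current->pid);
 
 if (ue->hard) {
-uid_t loginuid = NETLINK_CB(skb).loginuid;
-uid_t sessionid = NETLINK_CB(skb).sessionid;
-u32 sid = NETLINK_CB(skb).sid;
+uid_t loginuid = audit_get_loginuid(current);
+u32 sessionid = audit_get_sessionid(current);
+u32 sid;
+
+security_task_getsecid(current, &sid);
 __xfrm_state_delete(x);
 xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
 }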
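Review bot: The placement of `security_task_getsecid(current, &sid)` is inconsistent across the hunks of this file: in the `@@ -1789` and `@@ -1830` hunks it sits directly after the declarations, but in `@@ -515`, `@@ -602`, `@@ -1286` and `@@ -1522` it is deferred to just before the audit call, so `u32 sid;` stays uninitialized across the whole function body and the three audit values are gathered in two different places. Reading it once next to the loginuid/sessionid initializers, i.e. keeping `u32 sid;` and adding `security_task_getsecid(current, &sid);` immediately after the declaration block and dropping the late call, would make every site look like the expire handlers. The task's secid does not change between the two points as far as these hunks show, so this is a readability point rather than a correctness one. Every function touched here starts or ends outside its hunk.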
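--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4669,6 +4669,7 @@
 {
 int err;
 struct common_audit_data ad;
+u32 sid;
 
 err = cap_netlink_recv(skb, capability);
 if (err)
@@ -4677,8 +4678,9 @@
 COMMON_AUDIT_DATA_INIT(&ad, CAP);
 ad.u.cap = capability;
 
-return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
-SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
+security_task_getsecid(current, &sid);
+return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
+CAP_TO_MASK(capability), &ad);
 }
 
 static int ipc_alloc_security(struct task_struct *task,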
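Review bot: The new lines at 4681–4683 obtain the current task's SID through the generic `security_task_getsecid()` entry point from inside SELinux's own hook, whereas the rest of hooks.c reads it with the local `current_sid()` helper; `u32 sid = current_sid();` in place of the separate declaration and call would match the file's style, assuming that helper is in scope at this point as it is for the other hooks. Note also that the check is now made against the task processing the message rather than against a SID recorded on the skb, which is correct only while kernel-side netlink receive stays synchronous with the sender; a one-line comment saying so, `/* receive runs in the sender's context: check the sending task's SID */`, would record the dependency. The function's signature is outside the hunk.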