Commit c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6
Committed by
David S. Miller
David S. Miller
1 parent
06dc94b1ed
Exists in
master
and in
20 other branches
netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms
Netlink message processing in the kernel is synchronous these days, the session information can be collected when needed. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 7 changed files with 49 additions and 41 deletions Side-by-side Diff
include/linux/netlink.h
| ... | ... | @@ -161,9 +161,6 @@ |
| 161 | 161 | __u32 pid; |
| 162 | 162 | __u32 dst_group; |
| 163 | 163 | kernel_cap_t eff_cap; |
| 164 | - __u32 loginuid; /* Login (audit) uid */ | |
| 165 | - __u32 sessionid; /* Session id (audit) */ | |
| 166 | - __u32 sid; /* SELinux security id */ | |
| 167 | 164 | }; |
| 168 | 165 | |
| 169 | 166 | #define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb)) |
kernel/audit.c
| ... | ... | @@ -673,9 +673,9 @@ |
| 673 | 673 | |
| 674 | 674 | pid = NETLINK_CREDS(skb)->pid; |
| 675 | 675 | uid = NETLINK_CREDS(skb)->uid; |
| 676 | - loginuid = NETLINK_CB(skb).loginuid; | |
| 677 | - sessionid = NETLINK_CB(skb).sessionid; | |
| 678 | - sid = NETLINK_CB(skb).sid; | |
| 676 | + loginuid = audit_get_loginuid(current); | |
| 677 | + sessionid = audit_get_sessionid(current); | |
| 678 | + security_task_getsecid(current, &sid); | |
| 679 | 679 | seq = nlh->nlmsg_seq; |
| 680 | 680 | data = NLMSG_DATA(nlh); |
| 681 | 681 |
kernel/auditfilter.c
| ... | ... | @@ -1238,6 +1238,7 @@ |
| 1238 | 1238 | for (i = 0; i < rule->field_count; i++) { |
| 1239 | 1239 | struct audit_field *f = &rule->fields[i]; |
| 1240 | 1240 | int result = 0; |
| 1241 | + u32 sid; | |
| 1241 | 1242 | |
| 1242 | 1243 | switch (f->type) { |
| 1243 | 1244 | case AUDIT_PID: |
| 1244 | 1245 | |
| 1245 | 1246 | |
| ... | ... | @@ -1250,19 +1251,22 @@ |
| 1250 | 1251 | result = audit_comparator(cb->creds.gid, f->op, f->val); |
| 1251 | 1252 | break; |
| 1252 | 1253 | case AUDIT_LOGINUID: |
| 1253 | - result = audit_comparator(cb->loginuid, f->op, f->val); | |
| 1254 | + result = audit_comparator(audit_get_loginuid(current), | |
| 1255 | + f->op, f->val); | |
| 1254 | 1256 | break; |
| 1255 | 1257 | case AUDIT_SUBJ_USER: |
| 1256 | 1258 | case AUDIT_SUBJ_ROLE: |
| 1257 | 1259 | case AUDIT_SUBJ_TYPE: |
| 1258 | 1260 | case AUDIT_SUBJ_SEN: |
| 1259 | 1261 | case AUDIT_SUBJ_CLR: |
| 1260 | - if (f->lsm_rule) | |
| 1261 | - result = security_audit_rule_match(cb->sid, | |
| 1262 | + if (f->lsm_rule) { | |
| 1263 | + security_task_getsecid(current, &sid); | |
| 1264 | + result = security_audit_rule_match(sid, | |
| 1262 | 1265 | f->type, |
| 1263 | 1266 | f->op, |
| 1264 | 1267 | f->lsm_rule, |
| 1265 | 1268 | NULL); |
| 1269 | + } | |
| 1266 | 1270 | break; |
| 1267 | 1271 | } |
| 1268 | 1272 |
net/netlabel/netlabel_user.h
| ... | ... | @@ -49,9 +49,9 @@ |
| 49 | 49 | static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, |
| 50 | 50 | struct netlbl_audit *audit_info) |
| 51 | 51 | { |
| 52 | - audit_info->secid = NETLINK_CB(skb).sid; | |
| 53 | - audit_info->loginuid = NETLINK_CB(skb).loginuid; | |
| 54 | - audit_info->sessionid = NETLINK_CB(skb).sessionid; | |
| 52 | + security_task_getsecid(current, &audit_info->secid); | |
| 53 | + audit_info->loginuid = audit_get_loginuid(current); | |
| 54 | + audit_info->sessionid = audit_get_sessionid(current); | |
| 55 | 55 | } |
| 56 | 56 | |
| 57 | 57 | /* NetLabel NETLINK I/O functions */ |
net/netlink/af_netlink.c
| ... | ... | @@ -1362,9 +1362,6 @@ |
| 1362 | 1362 | |
| 1363 | 1363 | NETLINK_CB(skb).pid = nlk->pid; |
| 1364 | 1364 | NETLINK_CB(skb).dst_group = dst_group; |
| 1365 | - NETLINK_CB(skb).loginuid = audit_get_loginuid(current); | |
| 1366 | - NETLINK_CB(skb).sessionid = audit_get_sessionid(current); | |
| 1367 | - security_task_getsecid(current, &(NETLINK_CB(skb).sid)); | |
| 1368 | 1365 | memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred)); |
| 1369 | 1366 | |
| 1370 | 1367 | /* What can I do? Netlink is asynchronous, so that |
net/xfrm/xfrm_user.c
| ... | ... | @@ -497,9 +497,9 @@ |
| 497 | 497 | struct xfrm_state *x; |
| 498 | 498 | int err; |
| 499 | 499 | struct km_event c; |
| 500 | - uid_t loginuid = NETLINK_CB(skb).loginuid; | |
| 501 | - u32 sessionid = NETLINK_CB(skb).sessionid; | |
| 502 | - u32 sid = NETLINK_CB(skb).sid; | |
| 500 | + uid_t loginuid = audit_get_loginuid(current); | |
| 501 | + u32 sessionid = audit_get_sessionid(current); | |
| 502 | + u32 sid; | |
| 503 | 503 | |
| 504 | 504 | err = verify_newsa_info(p, attrs); |
| 505 | 505 | if (err) |
| ... | ... | @@ -515,6 +515,7 @@ |
| 515 | 515 | else |
| 516 | 516 | err = xfrm_state_update(x); |
| 517 | 517 | |
| 518 | + security_task_getsecid(current, &sid); | |
| 518 | 519 | xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid); |
| 519 | 520 | |
| 520 | 521 | if (err < 0) { |
| ... | ... | @@ -575,9 +576,9 @@ |
| 575 | 576 | int err = -ESRCH; |
| 576 | 577 | struct km_event c; |
| 577 | 578 | struct xfrm_usersa_id *p = nlmsg_data(nlh); |
| 578 | - uid_t loginuid = NETLINK_CB(skb).loginuid; | |
| 579 | - u32 sessionid = NETLINK_CB(skb).sessionid; | |
| 580 | - u32 sid = NETLINK_CB(skb).sid; | |
| 579 | + uid_t loginuid = audit_get_loginuid(current); | |
| 580 | + u32 sessionid = audit_get_sessionid(current); | |
| 581 | + u32 sid; | |
| 581 | 582 | |
| 582 | 583 | x = xfrm_user_state_lookup(net, p, attrs, &err); |
| 583 | 584 | if (x == NULL) |
| ... | ... | @@ -602,6 +603,7 @@ |
| 602 | 603 | km_state_notify(x, &c); |
| 603 | 604 | |
| 604 | 605 | out: |
| 606 | + security_task_getsecid(current, &sid); | |
| 605 | 607 | xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid); |
| 606 | 608 | xfrm_state_put(x); |
| 607 | 609 | return err; |
| ... | ... | @@ -1265,9 +1267,9 @@ |
| 1265 | 1267 | struct km_event c; |
| 1266 | 1268 | int err; |
| 1267 | 1269 | int excl; |
| 1268 | - uid_t loginuid = NETLINK_CB(skb).loginuid; | |
| 1269 | - u32 sessionid = NETLINK_CB(skb).sessionid; | |
| 1270 | - u32 sid = NETLINK_CB(skb).sid; | |
| 1270 | + uid_t loginuid = audit_get_loginuid(current); | |
| 1271 | + u32 sessionid = audit_get_sessionid(current); | |
| 1272 | + u32 sid; | |
| 1271 | 1273 | |
| 1272 | 1274 | err = verify_newpolicy_info(p); |
| 1273 | 1275 | if (err) |
| ... | ... | @@ -1286,6 +1288,7 @@ |
| 1286 | 1288 | * a type XFRM_MSG_UPDPOLICY - JHS */ |
| 1287 | 1289 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; |
| 1288 | 1290 | err = xfrm_policy_insert(p->dir, xp, excl); |
| 1291 | + security_task_getsecid(current, &sid); | |
| 1289 | 1292 | xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid); |
| 1290 | 1293 | |
| 1291 | 1294 | if (err) { |
| 1292 | 1295 | |
| ... | ... | @@ -1522,10 +1525,11 @@ |
| 1522 | 1525 | NETLINK_CB(skb).pid); |
| 1523 | 1526 | } |
| 1524 | 1527 | } else { |
| 1525 | - uid_t loginuid = NETLINK_CB(skb).loginuid; | |
| 1526 | - u32 sessionid = NETLINK_CB(skb).sessionid; | |
| 1527 | - u32 sid = NETLINK_CB(skb).sid; | |
| 1528 | + uid_t loginuid = audit_get_loginuid(current); | |
| 1529 | + u32 sessionid = audit_get_sessionid(current); | |
| 1530 | + u32 sid; | |
| 1528 | 1531 | |
| 1532 | + security_task_getsecid(current, &sid); | |
| 1529 | 1533 | xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid, |
| 1530 | 1534 | sid); |
| 1531 | 1535 | |
| ... | ... | @@ -1553,9 +1557,9 @@ |
| 1553 | 1557 | struct xfrm_audit audit_info; |
| 1554 | 1558 | int err; |
| 1555 | 1559 | |
| 1556 | - audit_info.loginuid = NETLINK_CB(skb).loginuid; | |
| 1557 | - audit_info.sessionid = NETLINK_CB(skb).sessionid; | |
| 1558 | - audit_info.secid = NETLINK_CB(skb).sid; | |
| 1560 | + audit_info.loginuid = audit_get_loginuid(current); | |
| 1561 | + audit_info.sessionid = audit_get_sessionid(current); | |
| 1562 | + security_task_getsecid(current, &audit_info.secid); | |
| 1559 | 1563 | err = xfrm_state_flush(net, p->proto, &audit_info); |
| 1560 | 1564 | if (err) { |
| 1561 | 1565 | if (err == -ESRCH) /* empty table */ |
| ... | ... | @@ -1720,9 +1724,9 @@ |
| 1720 | 1724 | if (err) |
| 1721 | 1725 | return err; |
| 1722 | 1726 | |
| 1723 | - audit_info.loginuid = NETLINK_CB(skb).loginuid; | |
| 1724 | - audit_info.sessionid = NETLINK_CB(skb).sessionid; | |
| 1725 | - audit_info.secid = NETLINK_CB(skb).sid; | |
| 1727 | + audit_info.loginuid = audit_get_loginuid(current); | |
| 1728 | + audit_info.sessionid = audit_get_sessionid(current); | |
| 1729 | + security_task_getsecid(current, &audit_info.secid); | |
| 1726 | 1730 | err = xfrm_policy_flush(net, type, &audit_info); |
| 1727 | 1731 | if (err) { |
| 1728 | 1732 | if (err == -ESRCH) /* empty table */ |
| ... | ... | @@ -1789,9 +1793,11 @@ |
| 1789 | 1793 | |
| 1790 | 1794 | err = 0; |
| 1791 | 1795 | if (up->hard) { |
| 1792 | - uid_t loginuid = NETLINK_CB(skb).loginuid; | |
| 1793 | - uid_t sessionid = NETLINK_CB(skb).sessionid; | |
| 1794 | - u32 sid = NETLINK_CB(skb).sid; | |
| 1796 | + uid_t loginuid = audit_get_loginuid(current); | |
| 1797 | + u32 sessionid = audit_get_sessionid(current); | |
| 1798 | + u32 sid; | |
| 1799 | + | |
| 1800 | + security_task_getsecid(current, &sid); | |
| 1795 | 1801 | xfrm_policy_delete(xp, p->dir); |
| 1796 | 1802 | xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid); |
| 1797 | 1803 | |
| ... | ... | @@ -1830,9 +1836,11 @@ |
| 1830 | 1836 | km_state_expired(x, ue->hard, current->pid); |
| 1831 | 1837 | |
| 1832 | 1838 | if (ue->hard) { |
| 1833 | - uid_t loginuid = NETLINK_CB(skb).loginuid; | |
| 1834 | - uid_t sessionid = NETLINK_CB(skb).sessionid; | |
| 1835 | - u32 sid = NETLINK_CB(skb).sid; | |
| 1839 | + uid_t loginuid = audit_get_loginuid(current); | |
| 1840 | + u32 sessionid = audit_get_sessionid(current); | |
| 1841 | + u32 sid; | |
| 1842 | + | |
| 1843 | + security_task_getsecid(current, &sid); | |
| 1836 | 1844 | __xfrm_state_delete(x); |
| 1837 | 1845 | xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid); |
| 1838 | 1846 | } |
security/selinux/hooks.c
| ... | ... | @@ -4669,6 +4669,7 @@ |
| 4669 | 4669 | { |
| 4670 | 4670 | int err; |
| 4671 | 4671 | struct common_audit_data ad; |
| 4672 | + u32 sid; | |
| 4672 | 4673 | |
| 4673 | 4674 | err = cap_netlink_recv(skb, capability); |
| 4674 | 4675 | if (err) |
| ... | ... | @@ -4677,8 +4678,9 @@ |
| 4677 | 4678 | COMMON_AUDIT_DATA_INIT(&ad, CAP); |
| 4678 | 4679 | ad.u.cap = capability; |
| 4679 | 4680 | |
| 4680 | - return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, | |
| 4681 | - SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); | |
| 4681 | + security_task_getsecid(current, &sid); | |
| 4682 | + return avc_has_perm(sid, sid, SECCLASS_CAPABILITY, | |
| 4683 | + CAP_TO_MASK(capability), &ad); | |
| 4682 | 4684 | } |
| 4683 | 4685 | |
| 4684 | 4686 | static int ipc_alloc_security(struct task_struct *task, |