[PATCH] change lspp ipc auditing
index d3d97d28b69aacb31a78beada6fe7a6e0c5af2a0..b4f7223811fe41174168ad509fc5b59c5b9ff7bf 100644 (file)
@@ -90,7 +90,7 @@ struct audit_names {
        uid_t           uid;
        gid_t           gid;
        dev_t           rdev;
-       char            *ctx;
+       u32             osid;
 };
 
 struct audit_aux_data {
@@ -107,7 +107,7 @@ struct audit_aux_data_ipcctl {
        uid_t                   uid;
        gid_t                   gid;
        mode_t                  mode;
-       char                    *ctx;
+       u32                     osid;
 };
 
 struct audit_aux_data_socketcall {
@@ -410,9 +410,6 @@ static inline void audit_free_names(struct audit_context *context)
 #endif
 
        for (i = 0; i < context->name_count; i++) {
-               char *p = context->names[i].ctx;
-               context->names[i].ctx = NULL;
-               kfree(p);
                if (context->names[i].name)
                        __putname(context->names[i].name);
        }
@@ -435,11 +432,6 @@ static inline void audit_free_aux(struct audit_context *context)
                        dput(axi->dentry);
                        mntput(axi->mnt);
                }
-               if ( aux->type == AUDIT_IPC ) {
-                       struct audit_aux_data_ipcctl *axi = (void *)aux;
-                       if (axi->ctx)
-                               kfree(axi->ctx);
-               }
 
                context->aux = aux->next;
                kfree(aux);
@@ -587,7 +579,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
 
 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
 {
-       int i;
+       int i, call_panic = 0;
        struct audit_buffer *ab;
        struct audit_aux_data *aux;
        const char *tty;
@@ -638,8 +630,20 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                case AUDIT_IPC: {
                        struct audit_aux_data_ipcctl *axi = (void *)aux;
                        audit_log_format(ab, 
-                                        " qbytes=%lx iuid=%u igid=%u mode=%x obj=%s",
-                                        axi->qbytes, axi->uid, axi->gid, axi->mode, axi->ctx);
+                                " qbytes=%lx iuid=%u igid=%u mode=%x",
+                                axi->qbytes, axi->uid, axi->gid, axi->mode);
+                       if (axi->osid != 0) {
+                               char *ctx = NULL;
+                               u32 len;
+                               if (selinux_ctxid_to_string(
+                                               axi->osid, &ctx, &len)) {
+                                       audit_log_format(ab, " obj=%u",
+                                                       axi->osid);
+                                       call_panic = 1;
+                               } else
+                                       audit_log_format(ab, " obj=%s", ctx);
+                               kfree(ctx);
+                       }
                        break; }
 
                case AUDIT_SOCKETCALL: {
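Review bot: The block under `if (axi->osid != 0)` is repeated almost verbatim in the names-loop hunk below (`context->names[i].osid`), and in both copies `len` is filled by selinux_ctxid_to_string() but never read, while the `call_panic = 1` versus `call_panic = 2` distinction is never consumed (only `if (call_panic)` at the end of the function). Both copies also pair a braced `if` with an unbraced `else`. I would factor the conversion into one static helper taking the buffer, the sid and the flag, and record in its header that the fallback writes the raw numeric sid into the same `obj=` field, so anything consuming the record has to accept either a context string or a number there. audit_log_exit() starts and ends outside this hunk.
```c
/* Log the object context for @osid; on conversion failure log the raw sid
 * in the same obj= field and flag the caller to audit_panic() afterwards. */
static void audit_log_osid(struct audit_buffer *ab, u32 osid, int *call_panic)
{
	char *ctx = NULL;
	u32 len;	/* required by the API; the %s below relies on ctx, not len */

	if (osid == 0)
		return;
	if (selinux_ctxid_to_string(osid, &ctx, &len)) {
		audit_log_format(ab, " obj=%u", osid);
		*call_panic = 1;
	} else {
		audit_log_format(ab, " obj=%s", ctx);
	}
	kfree(ctx);
}

/* … unchanged: audit_log_exit() up to the qbytes/iuid/igid/mode format call … */
			audit_log_osid(ab, axi->osid, &call_panic);
/* … unchanged: remaining aux cases; the names loop calls
 *   audit_log_osid(ab, context->names[i].osid, &call_panic); the same way … */
```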
@@ -703,13 +707,23 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                                         context->names[i].gid, 
                                         MAJOR(context->names[i].rdev), 
                                         MINOR(context->names[i].rdev));
-               if (context->names[i].ctx) {
-                       audit_log_format(ab, " obj=%s",
-                                       context->names[i].ctx);
+               if (context->names[i].osid != 0) {
+                       char *ctx = NULL;
+                       u32 len;
+                       if (selinux_ctxid_to_string(
+                               context->names[i].osid, &ctx, &len)) {
+                               audit_log_format(ab, " obj=%u",
+                                               context->names[i].osid);
+                               call_panic = 2;
+                       } else
+                               audit_log_format(ab, " obj=%s", ctx);
+                       kfree(ctx);
                }
 
                audit_log_end(ab);
        }
+       if (call_panic)
+               audit_panic("error converting sid to string");
 }
 
 /**
@@ -943,40 +957,11 @@ void audit_putname(const char *name)
 #endif
 }
 
-void audit_inode_context(int idx, const struct inode *inode)
+static void audit_inode_context(int idx, const struct inode *inode)
 {
        struct audit_context *context = current->audit_context;
-       const char *suffix = security_inode_xattr_getsuffix();
-       char *ctx = NULL;
-       int len = 0;
-
-       if (!suffix)
-               goto ret;
-
-       len = security_inode_getsecurity(inode, suffix, NULL, 0, 0);
-       if (len == -EOPNOTSUPP)
-               goto ret;
-       if (len < 0) 
-               goto error_path;
-
-       ctx = kmalloc(len, GFP_KERNEL);
-       if (!ctx) 
-               goto error_path;
-
-       len = security_inode_getsecurity(inode, suffix, ctx, len, 0);
-       if (len < 0)
-               goto error_path;
-
-       kfree(context->names[idx].ctx);
-       context->names[idx].ctx = ctx;
-       goto ret;
 
-error_path:
-       if (ctx)
-               kfree(ctx);
-       audit_panic("error in audit_inode_context");
-ret:
-       return;
+       selinux_get_inode_sid(inode, &context->names[idx].osid);
 }
 
 
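Review bot: The result of `selinux_get_inode_sid(inode, &context->names[idx].osid)` is discarded and the old audit_panic() error path is gone, so if the call can fail (the hunk does not show whether it returns void) the osid keeps its previous value and the failure is never recorded; either check the result or, if it genuinely cannot fail, say so with a comment such as `/* cannot fail: always stores a sid for the inode */`. Making the function static also means any earlier extern prototype for audit_inode_context(), outside this hunk, must be removed or it will conflict with the static definition. The blank line now left between the `context` declaration and the call could be dropped.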
@@ -1162,38 +1147,6 @@ uid_t audit_get_loginuid(struct audit_context *ctx)
        return ctx ? ctx->loginuid : -1;
 }
 
-static char *audit_ipc_context(struct kern_ipc_perm *ipcp)
-{
-       struct audit_context *context = current->audit_context;
-       char *ctx = NULL;
-       int len = 0;
-
-       if (likely(!context))
-               return NULL;
-
-       len = security_ipc_getsecurity(ipcp, NULL, 0);
-       if (len == -EOPNOTSUPP)
-               goto ret;
-       if (len < 0)
-               goto error_path;
-
-       ctx = kmalloc(len, GFP_ATOMIC);
-       if (!ctx)
-               goto error_path;
-
-       len = security_ipc_getsecurity(ipcp, ctx, len);
-       if (len < 0)
-               goto error_path;
-
-       return ctx;
-
-error_path:
-       kfree(ctx);
-       audit_panic("error in audit_ipc_context");
-ret:
-       return NULL;
-}
-
 /**
  * audit_ipc_perms - record audit data for ipc
  * @qbytes: msgq bytes
@@ -1219,7 +1172,7 @@ int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, str
        ax->uid = uid;
        ax->gid = gid;
        ax->mode = mode;
-       ax->ctx = audit_ipc_context(ipcp);
+       selinux_get_ipc_sid(ipcp, &ax->osid);
 
        ax->d.type = AUDIT_IPC;
        ax->d.next = context->aux;
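Review bot: `selinux_get_ipc_sid(ipcp, &ax->osid)` replaces a helper that allocated with GFP_ATOMIC and returned NULL rather than panicking when no audit context was present, which suggests this path may run with an IPC lock held; worth confirming the new call is safe in that context and stating it in a comment, e.g. `/* must not sleep: callers may hold the ipc lock */`, only if that holds. As with the inode case, if the call can fail without writing osid, `ax->osid` keeps whatever the allocation of `ax` (outside this hunk) left in it. audit_ipc_perms() starts and ends outside this hunk.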