Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
19fa95e9
Commit
19fa95e9
authored
Jun 18, 2005
by
Linus Torvalds
Browse files
Options
Browse Files
Download
Plain Diff
Merge master.kernel.org:/pub/scm/linux/kernel/git/dwmw2/audit-2.6
parents
ba483d57
0107b3cf
Changes
16
Expand all
Show whitespace changes
Inline
Side-by-side
Showing
16 changed files
with
674 additions
and
433 deletions
+674
-433
arch/ppc/Kconfig
arch/ppc/Kconfig
+17
-0
arch/ppc/kernel/entry.S
arch/ppc/kernel/entry.S
+9
-7
arch/ppc/kernel/ppc_ksyms.c
arch/ppc/kernel/ppc_ksyms.c
+0
-2
arch/ppc/kernel/ptrace.c
arch/ppc/kernel/ptrace.c
+36
-4
include/asm-ppc/seccomp.h
include/asm-ppc/seccomp.h
+10
-0
include/asm-ppc/thread_info.h
include/asm-ppc/thread_info.h
+7
-0
include/linux/audit.h
include/linux/audit.h
+70
-24
init/Kconfig
init/Kconfig
+2
-1
kernel/audit.c
kernel/audit.c
+294
-293
kernel/auditsc.c
kernel/auditsc.c
+184
-75
kernel/signal.c
kernel/signal.c
+6
-1
net/socket.c
net/socket.c
+7
-2
security/selinux/avc.c
security/selinux/avc.c
+21
-19
security/selinux/hooks.c
security/selinux/hooks.c
+1
-1
security/selinux/nlmsgtab.c
security/selinux/nlmsgtab.c
+8
-2
security/selinux/ss/services.c
security/selinux/ss/services.c
+2
-2
No files found.
arch/ppc/Kconfig
View file @
19fa95e9
...
...
@@ -1083,6 +1083,23 @@ source "drivers/zorro/Kconfig"
source kernel/power/Kconfig
config SECCOMP
bool "Enable seccomp to safely compute untrusted bytecode"
depends on PROC_FS
default y
help
This kernel feature is useful for number crunching applications
that may need to compute untrusted bytecode during their
execution. By using pipes or other transports made available to
the process as file descriptors supporting the read/write
syscalls, it's possible to isolate those applications in
their own address space using seccomp. Once seccomp is
enabled via /proc/<pid>/seccomp, it cannot be disabled
and the task is only allowed to execute a few safe syscalls
defined by each seccomp mode.
If unsure, say Y. Only embedded should say N here.
endmenu
config ISA_DMA_API
...
...
arch/ppc/kernel/entry.S
View file @
19fa95e9
...
...
@@ -202,7 +202,7 @@ _GLOBAL(DoSyscall)
rlwinm
r11
,
r11
,
0
,
~
_TIFL_FORCE_NOERROR
stw
r11
,
TI_LOCAL_FLAGS
(
r10
)
lwz
r11
,
TI_FLAGS
(
r10
)
andi
.
r11
,
r11
,
_TIF_SYSCALL_T
RACE
andi
.
r11
,
r11
,
_TIF_SYSCALL_T
_OR_A
bne
-
syscall_dotrace
syscall_dotrace_cont
:
cmplwi
0
,
r0
,
NR_syscalls
...
...
@@ -237,7 +237,7 @@ ret_from_syscall:
SYNC
MTMSRD
(
r10
)
lwz
r9
,
TI_FLAGS
(
r12
)
andi
.
r0
,
r9
,(
_TIF_SYSCALL_T
RACE
|_TIF_SIGPENDING|_TIF_NEED_RESCHED
)
andi
.
r0
,
r9
,(
_TIF_SYSCALL_T
_OR_A
|_TIF_SIGPENDING|_TIF_NEED_RESCHED
)
bne
-
syscall_exit_work
syscall_exit_cont
:
#if defined(CONFIG_4xx) || defined(CONFIG_BOOKE)
...
...
@@ -277,7 +277,8 @@ syscall_dotrace:
SAVE_NVGPRS
(
r1
)
li
r0
,
0xc00
stw
r0
,
TRAP
(
r1
)
bl
do_syscall_trace
addi
r3
,
r1
,
STACK_FRAME_OVERHEAD
bl
do_syscall_trace_enter
lwz
r0
,
GPR0
(
r1
)
/*
Restore
original
registers
*/
lwz
r3
,
GPR3
(
r1
)
lwz
r4
,
GPR4
(
r1
)
...
...
@@ -291,7 +292,7 @@ syscall_dotrace:
syscall_exit_work
:
stw
r6
,
RESULT
(
r1
)
/*
Save
result
*/
stw
r3
,
GPR3
(
r1
)
/*
Update
return
value
*/
andi
.
r0
,
r9
,
_TIF_SYSCALL_T
RACE
andi
.
r0
,
r9
,
_TIF_SYSCALL_T
_OR_A
beq
5
f
ori
r10
,
r10
,
MSR_EE
SYNC
...
...
@@ -303,7 +304,8 @@ syscall_exit_work:
li
r4
,
0xc00
stw
r4
,
TRAP
(
r1
)
4
:
bl
do_syscall_trace
addi
r3
,
r1
,
STACK_FRAME_OVERHEAD
bl
do_syscall_trace_leave
REST_NVGPRS
(
r1
)
2
:
lwz
r3
,
GPR3
(
r1
)
...
...
@@ -627,8 +629,8 @@ sigreturn_exit:
subi
r1
,
r3
,
STACK_FRAME_OVERHEAD
rlwinm
r12
,
r1
,
0
,
0
,
18
/*
current_thread_info
()
*/
lwz
r9
,
TI_FLAGS
(
r12
)
andi
.
r0
,
r9
,
_TIF_SYSCALL_T
RACE
bnel
-
do_syscall_trace
andi
.
r0
,
r9
,
_TIF_SYSCALL_T
_OR_A
bnel
-
do_syscall_trace
_leave
/
*
fall
through
*/
.
globl
ret_from_except_full
...
...
arch/ppc/kernel/ppc_ksyms.c
View file @
19fa95e9
...
...
@@ -55,7 +55,6 @@
#define EXPORT_SYMTAB_STROPS
extern
void
transfer_to_handler
(
void
);
extern
void
do_syscall_trace
(
void
);
extern
void
do_IRQ
(
struct
pt_regs
*
regs
);
extern
void
MachineCheckException
(
struct
pt_regs
*
regs
);
extern
void
AlignmentException
(
struct
pt_regs
*
regs
);
...
...
@@ -74,7 +73,6 @@ extern unsigned long mm_ptov (unsigned long paddr);
EXPORT_SYMBOL
(
clear_pages
);
EXPORT_SYMBOL
(
clear_user_page
);
EXPORT_SYMBOL
(
do_signal
);
EXPORT_SYMBOL
(
do_syscall_trace
);
EXPORT_SYMBOL
(
transfer_to_handler
);
EXPORT_SYMBOL
(
do_IRQ
);
EXPORT_SYMBOL
(
MachineCheckException
);
...
...
arch/ppc/kernel/ptrace.c
View file @
19fa95e9
...
...
@@ -27,6 +27,9 @@
#include <linux/user.h>
#include <linux/security.h>
#include <linux/signal.h>
#include <linux/seccomp.h>
#include <linux/audit.h>
#include <linux/module.h>
#include <asm/uaccess.h>
#include <asm/page.h>
...
...
@@ -455,11 +458,10 @@ int sys_ptrace(long request, long pid, long addr, long data)
return
ret
;
}
void
do_syscall_trace
(
void
)
static
void
do_syscall_trace
(
void
)
{
if
(
!
test_thread_flag
(
TIF_SYSCALL_TRACE
)
||
!
(
current
->
ptrace
&
PT_PTRACED
))
return
;
/* the 0x80 provides a way for the tracing parent to distinguish
between a syscall stop and SIGTRAP delivery */
ptrace_notify
(
SIGTRAP
|
((
current
->
ptrace
&
PT_TRACESYSGOOD
)
?
0x80
:
0
));
...
...
@@ -473,3 +475,33 @@ void do_syscall_trace(void)
current
->
exit_code
=
0
;
}
}
void
do_syscall_trace_enter
(
struct
pt_regs
*
regs
)
{
if
(
test_thread_flag
(
TIF_SYSCALL_TRACE
)
&&
(
current
->
ptrace
&
PT_PTRACED
))
do_syscall_trace
();
if
(
unlikely
(
current
->
audit_context
))
audit_syscall_entry
(
current
,
AUDIT_ARCH_PPC
,
regs
->
gpr
[
0
],
regs
->
gpr
[
3
],
regs
->
gpr
[
4
],
regs
->
gpr
[
5
],
regs
->
gpr
[
6
]);
}
void
do_syscall_trace_leave
(
struct
pt_regs
*
regs
)
{
secure_computing
(
regs
->
gpr
[
0
]);
if
(
unlikely
(
current
->
audit_context
))
audit_syscall_exit
(
current
,
(
regs
->
ccr
&
0x1000
)
?
AUDITSC_FAILURE
:
AUDITSC_SUCCESS
,
regs
->
result
);
if
((
test_thread_flag
(
TIF_SYSCALL_TRACE
))
&&
(
current
->
ptrace
&
PT_PTRACED
))
do_syscall_trace
();
}
EXPORT_SYMBOL
(
do_syscall_trace_enter
);
EXPORT_SYMBOL
(
do_syscall_trace_leave
);
include/asm-ppc/seccomp.h
0 → 100644
View file @
19fa95e9
#ifndef _ASM_SECCOMP_H
#include <linux/unistd.h>
#define __NR_seccomp_read __NR_read
#define __NR_seccomp_write __NR_write
#define __NR_seccomp_exit __NR_exit
#define __NR_seccomp_sigreturn __NR_rt_sigreturn
#endif
/* _ASM_SECCOMP_H */
include/asm-ppc/thread_info.h
View file @
19fa95e9
...
...
@@ -77,12 +77,19 @@ static inline struct thread_info *current_thread_info(void)
#define TIF_POLLING_NRFLAG 4
/* true if poll_idle() is polling
TIF_NEED_RESCHED */
#define TIF_MEMDIE 5
#define TIF_SYSCALL_AUDIT 6
/* syscall auditing active */
#define TIF_SECCOMP 7
/* secure computing */
/* as above, but as bit values */
#define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
#define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME)
#define _TIF_SIGPENDING (1<<TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED)
#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
#define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
#define _TIF_SECCOMP (1<<TIF_SECCOMP)
#define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP)
/*
* Non racy (local) flags bit numbers
...
...
include/linux/audit.h
View file @
19fa95e9
...
...
@@ -27,14 +27,51 @@
#include <linux/sched.h>
#include <linux/elf.h>
/* Request and reply types */
/* The netlink messages for the audit system is divided into blocks:
* 1000 - 1099 are for commanding the audit system
* 1100 - 1199 user space trusted application messages
* 1200 - 1299 messages internal to the audit daemon
* 1300 - 1399 audit event messages
* 1400 - 1499 SE Linux use
* 1500 - 1999 future use
* 2000 is for otherwise unclassified kernel audit messages
*
* Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user
* space. Anything over that is kernel --> user space communication.
*/
#define AUDIT_GET 1000
/* Get status */
#define AUDIT_SET 1001
/* Set status (enable/disable/auditd) */
#define AUDIT_LIST 1002
/* List filtering rules */
#define AUDIT_ADD 1003
/* Add filtering rule */
#define AUDIT_DEL 1004
/* Delete filtering rule */
#define AUDIT_USER 1005
/* Send a message from user-space */
#define AUDIT_LOGIN 1006
/* Define the login id and informaiton */
#define AUDIT_LIST 1002
/* List syscall filtering rules */
#define AUDIT_ADD 1003
/* Add syscall filtering rule */
#define AUDIT_DEL 1004
/* Delete syscall filtering rule */
#define AUDIT_USER 1005
/* Message from userspace -- deprecated */
#define AUDIT_LOGIN 1006
/* Define the login id and information */
#define AUDIT_WATCH_INS 1007
/* Insert file/dir watch entry */
#define AUDIT_WATCH_REM 1008
/* Remove file/dir watch entry */
#define AUDIT_WATCH_LIST 1009
/* List all file/dir watches */
#define AUDIT_SIGNAL_INFO 1010
/* Get info about sender of signal to auditd */
#define AUDIT_FIRST_USER_MSG 1100
/* Userspace messages uninteresting to kernel */
#define AUDIT_LAST_USER_MSG 1199
#define AUDIT_DAEMON_START 1200
/* Daemon startup record */
#define AUDIT_DAEMON_END 1201
/* Daemon normal stop record */
#define AUDIT_DAEMON_ABORT 1202
/* Daemon error stop record */
#define AUDIT_DAEMON_CONFIG 1203
/* Daemon config change */
#define AUDIT_SYSCALL 1300
/* Syscall event */
#define AUDIT_FS_WATCH 1301
/* Filesystem watch event */
#define AUDIT_PATH 1302
/* Filename path information */
#define AUDIT_IPC 1303
/* IPC record */
#define AUDIT_SOCKETCALL 1304
/* sys_socketcall arguments */
#define AUDIT_CONFIG_CHANGE 1305
/* Audit system configuration change */
#define AUDIT_SOCKADDR 1306
/* sockaddr copied as syscall arg */
#define AUDIT_CWD 1307
/* Current working directory */
#define AUDIT_AVC 1400
/* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401
/* Internal SE Linux Errors */
#define AUDIT_AVC_PATH 1402
/* dentry, vfsmount pair from avc */
#define AUDIT_KERNEL 2000
/* Asynchronous audit record. NOT A REQUEST. */
/* Rule flags */
...
...
@@ -132,16 +169,9 @@
#define AUDIT_ARCH_V850 (EM_V850|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#ifndef __KERNEL__
struct
audit_message
{
struct
nlmsghdr
nlh
;
char
data
[
1200
];
};
#endif
struct
audit_status
{
__u32
mask
;
/* Bit mask for valid entries */
__u32
enabled
;
/* 1 = enabled, 0 = dis
ba
led */
__u32
enabled
;
/* 1 = enabled, 0 = dis
ab
led */
__u32
failure
;
/* Failure-to-log action */
__u32
pid
;
/* pid of auditd process */
__u32
rate_limit
;
/* messages rate limit (per second) */
...
...
@@ -161,6 +191,11 @@ struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
#ifdef __KERNEL__
struct
audit_sig_info
{
uid_t
uid
;
pid_t
pid
;
};
struct
audit_buffer
;
struct
audit_context
;
struct
inode
;
...
...
@@ -185,11 +220,16 @@ extern void audit_inode(const char *name, const struct inode *inode);
/* Private API (for audit.c only) */
extern
int
audit_receive_filter
(
int
type
,
int
pid
,
int
uid
,
int
seq
,
void
*
data
,
uid_t
loginuid
);
extern
void
audit_get_stamp
(
struct
audit_context
*
ctx
,
extern
unsigned
int
audit_serial
(
void
);
extern
void
auditsc_get_stamp
(
struct
audit_context
*
ctx
,
struct
timespec
*
t
,
unsigned
int
*
serial
);
extern
int
audit_set_loginuid
(
struct
task_struct
*
task
,
uid_t
loginuid
);
extern
uid_t
audit_get_loginuid
(
struct
audit_context
*
ctx
);
extern
int
audit_ipc_perms
(
unsigned
long
qbytes
,
uid_t
uid
,
gid_t
gid
,
mode_t
mode
);
extern
int
audit_socketcall
(
int
nargs
,
unsigned
long
*
args
);
extern
int
audit_sockaddr
(
int
len
,
void
*
addr
);
extern
int
audit_avc_path
(
struct
dentry
*
dentry
,
struct
vfsmount
*
mnt
);
extern
void
audit_signal_info
(
int
sig
,
struct
task_struct
*
t
);
#else
#define audit_alloc(t) ({ 0; })
#define audit_free(t) do { ; } while (0)
...
...
@@ -198,18 +238,24 @@ extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mo
#define audit_getname(n) do { ; } while (0)
#define audit_putname(n) do { ; } while (0)
#define audit_inode(n,i) do { ; } while (0)
#define audit_receive_filter(t,p,u,s,d,l) ({ -EOPNOTSUPP; })
#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
#define audit_get_loginuid(c) ({ -1; })
#define audit_ipc_perms(q,u,g,m) ({ 0; })
#define audit_socketcall(n,a) ({ 0; })
#define audit_sockaddr(len, addr) ({ 0; })
#define audit_avc_path(dentry, mnt) ({ 0; })
#define audit_signal_info(s,t) do { ; } while (0)
#endif
#ifdef CONFIG_AUDIT
/* These are defined in audit.c */
/* Public API */
extern
void
audit_log
(
struct
audit_context
*
ctx
,
extern
void
audit_log
(
struct
audit_context
*
ctx
,
int
type
,
const
char
*
fmt
,
...)
__attribute__
((
format
(
printf
,
2
,
3
)));
__attribute__
((
format
(
printf
,
3
,
4
)));
extern
struct
audit_buffer
*
audit_log_start
(
struct
audit_context
*
ctx
);
extern
struct
audit_buffer
*
audit_log_start
(
struct
audit_context
*
ctx
,
int
type
);
extern
void
audit_log_format
(
struct
audit_buffer
*
ab
,
const
char
*
fmt
,
...)
__attribute__
((
format
(
printf
,
2
,
3
)));
...
...
@@ -229,8 +275,8 @@ extern void audit_send_reply(int pid, int seq, int type,
void
*
payload
,
int
size
);
extern
void
audit_log_lost
(
const
char
*
message
);
#else
#define audit_log(t,f,...) do { ; } while (0)
#define audit_log_start(t) ({ NULL; })
#define audit_log(
c,
t,f,...) do { ; } while (0)
#define audit_log_start(
c,
t) ({ NULL; })
#define audit_log_vformat(b,f,a) do { ; } while (0)
#define audit_log_format(b,f,...) do { ; } while (0)
#define audit_log_end(b) do { ; } while (0)
...
...
init/Kconfig
View file @
19fa95e9
...
...
@@ -164,6 +164,7 @@ config SYSCTL
config AUDIT
bool "Auditing support"
depends on NET
default y if SECURITY_SELINUX
help
Enable auditing infrastructure that can be used with another
...
...
@@ -173,7 +174,7 @@ config AUDIT
config AUDITSYSCALL
bool "Enable system-call auditing support"
depends on AUDIT && (X86 || PPC64 || ARCH_S390 || IA64 || UML)
depends on AUDIT && (X86 || PPC
|| PPC
64 || ARCH_S390 || IA64 || UML)
default y if SECURITY_SELINUX
help
Enable low-overhead system-call auditing infrastructure that
...
...
kernel/audit.c
View file @
19fa95e9
This diff is collapsed.
Click to expand it.
kernel/auditsc.c
View file @
19fa95e9
This diff is collapsed.
Click to expand it.
kernel/signal.c
View file @
19fa95e9
...
...
@@ -24,6 +24,7 @@
#include <linux/ptrace.h>
#include <linux/posix-timers.h>
#include <linux/signal.h>
#include <linux/audit.h>
#include <asm/param.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
...
...
@@ -667,7 +668,11 @@ static int check_kill_permission(int sig, struct siginfo *info,
&&
(
current
->
uid
^
t
->
suid
)
&&
(
current
->
uid
^
t
->
uid
)
&&
!
capable
(
CAP_KILL
))
return
error
;
return
security_task_kill
(
t
,
info
,
sig
);
error
=
security_task_kill
(
t
,
info
,
sig
);
if
(
!
error
)
audit_signal_info
(
sig
,
t
);
/* Let audit system see the signal */
return
error
;
}
/* forward decl */
...
...
net/socket.c
View file @
19fa95e9
...
...
@@ -81,6 +81,7 @@
#include <linux/syscalls.h>
#include <linux/compat.h>
#include <linux/kmod.h>
#include <linux/audit.h>
#ifdef CONFIG_NET_RADIO
#include <linux/wireless.h>
/* Note : will define WIRELESS_EXT */
...
...
@@ -226,7 +227,7 @@ int move_addr_to_kernel(void __user *uaddr, int ulen, void *kaddr)
return
0
;
if
(
copy_from_user
(
kaddr
,
uaddr
,
ulen
))
return
-
EFAULT
;
return
0
;
return
audit_sockaddr
(
ulen
,
kaddr
)
;
}
/**
...
...
@@ -1907,6 +1908,10 @@ asmlinkage long sys_socketcall(int call, unsigned long __user *args)
if
(
copy_from_user
(
a
,
args
,
nargs
[
call
]))
return
-
EFAULT
;
err
=
audit_socketcall
(
nargs
[
call
]
/
sizeof
(
unsigned
long
),
a
);
if
(
err
)
return
err
;
a0
=
a
[
0
];
a1
=
a
[
1
];
...
...
security/selinux/avc.c
View file @
19fa95e9
...
...
@@ -242,7 +242,7 @@ void __init avc_init(void)
avc_node_cachep
=
kmem_cache_create
(
"avc_node"
,
sizeof
(
struct
avc_node
),
0
,
SLAB_PANIC
,
NULL
,
NULL
);
audit_log
(
current
->
audit_context
,
"AVC INITIALIZED
\n
"
);
audit_log
(
current
->
audit_context
,
AUDIT_KERNEL
,
"AVC INITIALIZED
\n
"
);
}
int
avc_get_hash_stats
(
char
*
page
)
...
...
@@ -532,6 +532,7 @@ void avc_audit(u32 ssid, u32 tsid,
u16
tclass
,
u32
requested
,
struct
av_decision
*
avd
,
int
result
,
struct
avc_audit_data
*
a
)
{
struct
task_struct
*
tsk
=
current
;
struct
inode
*
inode
=
NULL
;
u32
denied
,
audited
;
struct
audit_buffer
*
ab
;
...
...
@@ -549,12 +550,18 @@ void avc_audit(u32 ssid, u32 tsid,
return
;
}
ab
=
audit_log_start
(
current
->
audit_context
);
ab
=
audit_log_start
(
current
->
audit_context
,
AUDIT_AVC
);
if
(
!
ab
)
return
;
/* audit_panic has been called */
audit_log_format
(
ab
,
"avc: %s "
,
denied
?
"denied"
:
"granted"
);
avc_dump_av
(
ab
,
tclass
,
audited
);
audit_log_format
(
ab
,
" for "
);
if
(
a
&&
a
->
tsk
)
tsk
=
a
->
tsk
;
if
(
tsk
&&
tsk
->
pid
)
{
audit_log_format
(
ab
,
" pid=%d comm="
,
tsk
->
pid
);
audit_log_untrustedstring
(
ab
,
tsk
->
comm
);
}
if
(
a
)
{
switch
(
a
->
type
)
{
case
AVC_AUDIT_DATA_IPC
:
...
...
@@ -566,21 +573,18 @@ void avc_audit(u32 ssid, u32 tsid,
case
AVC_AUDIT_DATA_FS
:
if
(
a
->
u
.
fs
.
dentry
)
{
struct
dentry
*
dentry
=
a
->
u
.
fs
.
dentry
;
if
(
a
->
u
.
fs
.
mnt
)
{
audit_log_d_path
(
ab
,
"path="
,
dentry
,
a
->
u
.
fs
.
mnt
);
}
else
{
audit_log_format
(
ab
,
" name=%s"
,
dentry
->
d_name
.
name
);
}
if
(
a
->
u
.
fs
.
mnt
)
audit_avc_path
(
dentry
,
a
->
u
.
fs
.
mnt
);
audit_log_format
(
ab
,
" name="
);
audit_log_untrustedstring
(
ab
,
dentry
->
d_name
.
name
);
inode
=
dentry
->
d_inode
;
}
else
if
(
a
->
u
.
fs
.
inode
)
{
struct
dentry
*
dentry
;
inode
=
a
->
u
.
fs
.
inode
;
dentry
=
d_find_alias
(
inode
);
if
(
dentry
)
{
audit_log_format
(
ab
,
" name=
%s"
,
dentry
->
d_name
.
name
);
audit_log_format
(
ab
,
" name=
"
);
audit_log_untrustedstring
(
ab
,
dentry
->
d_name
.
name
);
dput
(
dentry
);
}
}
...
...
@@ -623,22 +627,20 @@ void avc_audit(u32 ssid, u32 tsid,
case
AF_UNIX
:
u
=
unix_sk
(
sk
);
if
(
u
->
dentry
)
{
audit_log_d_path
(
ab
,
"path="
,
u
->
dentry
,
u
->
mnt
);
audit_avc_path
(
u
->
dentry
,
u
->
mnt
);
audit_log_format
(
ab
,
" name="
);
audit_log_untrustedstring
(
ab
,
u
->
dentry
->
d_name
.
name
);
break
;
}
if
(
!
u
->
addr
)
break
;
len
=
u
->
addr
->
len
-
sizeof
(
short
);
p
=
&
u
->
addr
->
name
->
sun_path
[
0
];
audit_log_format
(
ab
,
" path="
);
if
(
*
p
)
audit_log_format
(
ab
,
"path=%*.*s"
,
len
,
len
,
p
);
audit_log_untrustedstring
(
ab
,
p
);
else
audit_log_format
(
ab
,
"path=@%*.*s"
,
len
-
1
,
len
-
1
,
p
+
1
);
audit_log_hex
(
ab
,
p
,
len
);
break
;
}
}
...
...
security/selinux/hooks.c
View file @
19fa95e9
...
...
@@ -3419,7 +3419,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
err
=
selinux_nlmsg_lookup
(
isec
->
sclass
,
nlh
->
nlmsg_type
,
&
perm
);
if
(
err
)
{
if
(
err
==
-
EINVAL
)
{
audit_log
(
current
->
audit_context
,
audit_log
(
current
->
audit_context
,
AUDIT_SELINUX_ERR
,
"SELinux: unrecognized netlink message"
" type=%hu for sclass=%hu
\n
"
,
nlh
->
nlmsg_type
,
isec
->
sclass
);
...
...
security/selinux/nlmsgtab.c
View file @
19fa95e9
...
...
@@ -97,6 +97,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
{
AUDIT_ADD
,
NETLINK_AUDIT_SOCKET__NLMSG_WRITE
},
{
AUDIT_DEL
,
NETLINK_AUDIT_SOCKET__NLMSG_WRITE
},
{
AUDIT_USER
,
NETLINK_AUDIT_SOCKET__NLMSG_RELAY
},
{
AUDIT_SIGNAL_INFO
,
NETLINK_AUDIT_SOCKET__NLMSG_READ
},
};
...
...
@@ -141,8 +142,13 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
break
;
case
SECCLASS_NETLINK_AUDIT_SOCKET
:
if
(
nlmsg_type
>=
AUDIT_FIRST_USER_MSG
&&
nlmsg_type
<=
AUDIT_LAST_USER_MSG
)
{
*
perm
=
NETLINK_AUDIT_SOCKET__NLMSG_RELAY
;
}
else
{
err
=
nlmsg_perm
(
nlmsg_type
,
perm
,
nlmsg_audit_perms
,
sizeof
(
nlmsg_audit_perms
));
}
break
;
/* No messaging from userspace, or class unknown/unhandled */
...
...
security/selinux/ss/services.c
View file @
19fa95e9
...
...
@@ -365,7 +365,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
goto
out
;
if
(
context_struct_to_string
(
tcontext
,
&
t
,
&
tlen
)
<
0
)
goto
out
;
audit_log
(
current
->
audit_context
,
audit_log
(
current
->
audit_context
,
AUDIT_SELINUX_ERR
,
"security_validate_transition: denied for"
" oldcontext=%s newcontext=%s taskcontext=%s tclass=%s"
,
o
,
n
,
t
,
policydb
.
p_class_val_to_name
[
tclass
-
1
]);
...
...
@@ -742,7 +742,7 @@ static int compute_sid_handle_invalid_context(
goto
out
;
if
(
context_struct_to_string
(
newcontext
,
&
n
,
&
nlen
)
<
0
)
goto
out
;
audit_log
(
current
->
audit_context
,
audit_log
(
current
->
audit_context
,
AUDIT_SELINUX_ERR
,
"security_compute_sid: invalid context %s"
" for scontext=%s"
" tcontext=%s"
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment