Commit de64688f authored by Paul Moore's avatar Paul Moore Committed by David S. Miller

NetLabel: honor the audit_enabled flag

The audit_enabled flag is used to signal when syscall auditing is to be
performed.  While NetLabel uses a Netlink interface instead of syscalls, it is
reasonable to consider the NetLabel Netlink interface as a form of syscall, so
pay attention to the audit_enabled flag when generating audit messages in
NetLabel.
Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 3de4bab5
...@@ -407,12 +407,14 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) ...@@ -407,12 +407,14 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
&audit_info); &audit_info);
audit_log_format(audit_buf, if (audit_buf != NULL) {
" cipso_doi=%u cipso_type=%s res=%u", audit_log_format(audit_buf,
doi, " cipso_doi=%u cipso_type=%s res=%u",
type_str, doi,
ret_val == 0 ? 1 : 0); type_str,
audit_log_end(audit_buf); ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
}
return ret_val; return ret_val;
} }
...@@ -680,11 +682,13 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) ...@@ -680,11 +682,13 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
&audit_info); &audit_info);
audit_log_format(audit_buf, if (audit_buf != NULL) {
" cipso_doi=%u res=%u", audit_log_format(audit_buf,
doi, " cipso_doi=%u res=%u",
ret_val == 0 ? 1 : 0); doi,
audit_log_end(audit_buf); ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
}
return ret_val; return ret_val;
} }
......
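Review bot: The `if (audit_buf != NULL)` wrapper added around audit_log_format()/audit_log_end() in netlbl_cipsov4_add (first hunk) does not change behaviour, because both helpers in kernel/audit.c already return early on a NULL buffer; the same holds for the identical wrappers in netlbl_cipsov4_remove (second hunk) and in netlbl_unlabel_acceptflg_set in netlabel_unlabeled.c. It is a defensible readability choice, since it makes the "no record when auditing is off" path explicit at the call site, but the extra indent level invites a reader to look for a semantic difference that is not there. If the guard stays, a one-line comment on the condition would say why it exists: `/* NULL when auditing is disabled or the record could not be started */`. Both function bodies begin outside the shown hunks.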
...@@ -202,7 +202,6 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, ...@@ -202,7 +202,6 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
int ret_val; int ret_val;
u32 bkt; u32 bkt;
struct audit_buffer *audit_buf; struct audit_buffer *audit_buf;
char *audit_domain;
switch (entry->type) { switch (entry->type) {
case NETLBL_NLTYPE_UNLABELED: case NETLBL_NLTYPE_UNLABELED:
...@@ -243,24 +242,24 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, ...@@ -243,24 +242,24 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry,
} else } else
ret_val = -EINVAL; ret_val = -EINVAL;
if (entry->domain != NULL)
audit_domain = entry->domain;
else
audit_domain = "(default)";
audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info); audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD, audit_info);
audit_log_format(audit_buf, " nlbl_domain=%s", audit_domain); if (audit_buf != NULL) {
switch (entry->type) {
case NETLBL_NLTYPE_UNLABELED:
audit_log_format(audit_buf, " nlbl_protocol=unlbl");
break;
case NETLBL_NLTYPE_CIPSOV4:
audit_log_format(audit_buf, audit_log_format(audit_buf,
" nlbl_protocol=cipsov4 cipso_doi=%u", " nlbl_domain=%s",
entry->type_def.cipsov4->doi); entry->domain ? entry->domain : "(default)");
break; switch (entry->type) {
case NETLBL_NLTYPE_UNLABELED:
audit_log_format(audit_buf, " nlbl_protocol=unlbl");
break;
case NETLBL_NLTYPE_CIPSOV4:
audit_log_format(audit_buf,
" nlbl_protocol=cipsov4 cipso_doi=%u",
entry->type_def.cipsov4->doi);
break;
}
audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
} }
audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
rcu_read_unlock(); rcu_read_unlock();
...@@ -310,7 +309,6 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) ...@@ -310,7 +309,6 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info)
int ret_val = -ENOENT; int ret_val = -ENOENT;
struct netlbl_dom_map *entry; struct netlbl_dom_map *entry;
struct audit_buffer *audit_buf; struct audit_buffer *audit_buf;
char *audit_domain;
rcu_read_lock(); rcu_read_lock();
if (domain != NULL) if (domain != NULL)
...@@ -348,16 +346,14 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) ...@@ -348,16 +346,14 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info)
spin_unlock(&netlbl_domhsh_def_lock); spin_unlock(&netlbl_domhsh_def_lock);
} }
if (entry->domain != NULL)
audit_domain = entry->domain;
else
audit_domain = "(default)";
audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info);
audit_log_format(audit_buf, if (audit_buf != NULL) {
" nlbl_domain=%s res=%u", audit_log_format(audit_buf,
audit_domain, " nlbl_domain=%s res=%u",
ret_val == 0 ? 1 : 0); entry->domain ? entry->domain : "(default)",
audit_log_end(audit_buf); ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
}
if (ret_val == 0) if (ret_val == 0)
call_rcu(&entry->rcu, netlbl_domhsh_free_entry); call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
......
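Review bot: The audit block in netlbl_domhsh_remove (last hunk) dereferences `entry->domain` unconditionally, while the function starts with `entry` uninitialised and `ret_val = -ENOENT`; this is only safe if the lookup-failure path, which lies outside the shown hunks, leaves the function before reaching the audit code. Assuming it does, a removal request for a domain that does not exist produces no AUDIT_MAC_MAP_DEL record at all, so anyone building detections on these records should not expect a `res=0` record for that case. A short comment above the `audit_buf =` assignment would make that contract visible where it matters: `/* only reached with a valid entry; an unknown domain returns via the not-found path without an audit record */`. The same reasoning applies to the new inline `entry->domain ? entry->domain : "(default)"` in netlbl_domhsh_add, which is fine as written since `entry` is the caller-supplied argument there.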
...@@ -35,6 +35,7 @@ ...@@ -35,6 +35,7 @@
#include <linux/socket.h> #include <linux/socket.h>
#include <linux/string.h> #include <linux/string.h>
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <linux/audit.h>
#include <net/sock.h> #include <net/sock.h>
#include <net/netlink.h> #include <net/netlink.h>
#include <net/genetlink.h> #include <net/genetlink.h>
...@@ -92,8 +93,11 @@ static void netlbl_unlabel_acceptflg_set(u8 value, ...@@ -92,8 +93,11 @@ static void netlbl_unlabel_acceptflg_set(u8 value,
audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW, audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
audit_info); audit_info);
audit_log_format(audit_buf, " unlbl_accept=%u old=%u", value, old_val); if (audit_buf != NULL) {
audit_log_end(audit_buf); audit_log_format(audit_buf,
" unlbl_accept=%u old=%u", value, old_val);
audit_log_end(audit_buf);
}
} }
/* /*
......
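Review bot: The new `#include <linux/audit.h>` in netlabel_unlabeled.c (first hunk) is not needed by anything visible in this commit — netlbl_unlabel_acceptflg_set already called audit_log_format() before the change and does not read audit_enabled — whereas the one file that does read audit_enabled, netlabel_user.c, declares it by hand with a local `extern` instead of taking it from this header. Unless a hunk not shown here uses the include, the two files take opposite approaches to the same dependency; pick one, preferably including <linux/audit.h> where audit_enabled is actually read. If the include here is intentional housekeeping to stop relying on a transitive include, a sentence in the commit message saying so would keep it from reading as an accident.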
...@@ -46,6 +46,10 @@ ...@@ -46,6 +46,10 @@
#include "netlabel_cipso_v4.h" #include "netlabel_cipso_v4.h"
#include "netlabel_user.h" #include "netlabel_user.h"
/* do not do any auditing if audit_enabled == 0, see kernel/audit.c for
* details */
extern int audit_enabled;
/* /*
* NetLabel NETLINK Setup Functions * NetLabel NETLINK Setup Functions
*/ */
...@@ -101,6 +105,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, ...@@ -101,6 +105,9 @@ struct audit_buffer *netlbl_audit_start_common(int type,
char *secctx; char *secctx;
u32 secctx_len; u32 secctx_len;
if (audit_enabled == 0)
return NULL;
audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type); audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type);
if (audit_buf == NULL) if (audit_buf == NULL)
return NULL; return NULL;
......
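Review bot: The hand-written `extern int audit_enabled;` in netlabel_user.c (first hunk) duplicates a declaration that <linux/audit.h> is expected to provide and bypasses that header's CONFIG_AUDIT handling: with CONFIG_AUDIT disabled the audit_log_*() calls compile to no-op stubs, but this symbol then has no definition, so the file would fail to link unless NetLabel's Kconfig already depends on AUDIT (not visible here); prefer the header declaration if it exists in this tree. The early `if (audit_enabled == 0) return NULL;` in netlbl_audit_start_common (second hunk) is the right place for the check, but it widens the function's contract — NULL now also means "auditing is off", not only "could not start a record" — so the kernel-doc above the function (outside the hunk) should state it, e.g. in its return description: `NULL if auditing is disabled (audit_enabled == 0) or the record could not be started; callers must tolerate NULL`. The comparison is deliberately `== 0`, so any non-zero value, including a locked-on state if this tree has one, still audits; a comment to that effect would prevent someone "fixing" it to `!= 1` later.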