[NetLabel]: add audit support for configuration changes
This patch adds audit support to NetLabel, including six new audit message
types shown below.
#define AUDIT_MAC_UNLBL_ACCEPT 1406
#define AUDIT_MAC_UNLBL_DENY 1407
#define AUDIT_MAC_CIPSOV4_ADD 1408
#define AUDIT_MAC_CIPSOV4_DEL 1409
#define AUDIT_MAC_MAP_ADD 1410
#define AUDIT_MAC_MAP_DEL 1411
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index eeb7d76..c2343af 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -32,6 +32,9 @@
#include <linux/types.h>
#include <linux/list.h>
#include <linux/socket.h>
+#include <linux/audit.h>
+#include <linux/tty.h>
+#include <linux/security.h>
#include <net/sock.h>
#include <net/netlink.h>
#include <net/genetlink.h>
@@ -74,3 +77,91 @@
return 0;
}
+
+/*
+ * NetLabel Audit Functions
+ */
+
+/**
+ * netlbl_audit_start_common - Start an audit message
+ * @type: audit message type
+ * @secid: LSM context ID
+ *
+ * Description:
+ * Start an audit message using the type specified in @type and fill the audit
+ * message with some fields common to all NetLabel audit messages. Returns
+ * a pointer to the audit buffer on success, NULL on failure.
+ *
+ */
+struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
+{
+ struct audit_context *audit_ctx = current->audit_context;
+ struct audit_buffer *audit_buf;
+ uid_t audit_loginuid;
+ const char *audit_tty;
+ char audit_comm[sizeof(current->comm)];
+ struct vm_area_struct *vma;
+ char *secctx;
+ u32 secctx_len;
+
+ audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type);
+ if (audit_buf == NULL)
+ return NULL;
+
+ audit_loginuid = audit_get_loginuid(audit_ctx);
+ if (current->signal &&
+ current->signal->tty &&
+ current->signal->tty->name)
+ audit_tty = current->signal->tty->name;
+ else
+ audit_tty = "(none)";
+ get_task_comm(audit_comm, current);
+
+ audit_log_format(audit_buf,
+ "netlabel: auid=%u uid=%u tty=%s pid=%d",
+ audit_loginuid,
+ current->uid,
+ audit_tty,
+ current->pid);
+ audit_log_format(audit_buf, " comm=");
+ audit_log_untrustedstring(audit_buf, audit_comm);
+ if (current->mm) {
+ down_read(¤t->mm->mmap_sem);
+ vma = current->mm->mmap;
+ while (vma) {
+ if ((vma->vm_flags & VM_EXECUTABLE) &&
+ vma->vm_file) {
+ audit_log_d_path(audit_buf,
+ " exe=",
+ vma->vm_file->f_dentry,
+ vma->vm_file->f_vfsmnt);
+ break;
+ }
+ vma = vma->vm_next;
+ }
+ up_read(¤t->mm->mmap_sem);
+ }
+
+ if (secid != 0 &&
+ security_secid_to_secctx(secid, &secctx, &secctx_len) == 0)
+ audit_log_format(audit_buf, " subj=%s", secctx);
+
+ return audit_buf;
+}
+
+/**
+ * netlbl_audit_nomsg - Send an audit message without additional text
+ * @type: audit message type
+ * @secid: LSM context ID
+ *
+ * Description:
+ * Send an audit message with only the common NetLabel audit fields.
+ *
+ */
+void netlbl_audit_nomsg(int type, u32 secid)
+{
+ struct audit_buffer *audit_buf;
+
+ audit_buf = netlbl_audit_start_common(type, secid);
+ audit_log_end(audit_buf);
+}