From 32f50cdee666333168b5203c7864bede159f789e Mon Sep 17 00:00:00 2001
From: Paul Moore <paul.moore@hp.com>
Date: Thu, 28 Sep 2006 14:51:47 -0700
Subject: [NetLabel]: add audit support for configuration changes

This patch adds audit support to NetLabel, including six new audit message
types shown below.

 #define AUDIT_MAC_UNLBL_ACCEPT 1406
 #define AUDIT_MAC_UNLBL_DENY   1407
 #define AUDIT_MAC_CIPSOV4_ADD  1408
 #define AUDIT_MAC_CIPSOV4_DEL  1409
 #define AUDIT_MAC_MAP_ADD      1410
 #define AUDIT_MAC_MAP_DEL      1411

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/netlabel/netlabel_user.c | 91 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)

(limited to 'net/netlabel/netlabel_user.c')

diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index eeb7d768d2b..c2343af584c 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -32,6 +32,9 @@
 #include <linux/types.h>
 #include <linux/list.h>
 #include <linux/socket.h>
+#include <linux/audit.h>
+#include <linux/tty.h>
+#include <linux/security.h>
 #include <net/sock.h>
 #include <net/netlink.h>
 #include <net/genetlink.h>
@@ -74,3 +77,91 @@ int netlbl_netlink_init(void)
 
 	return 0;
 }
+
+/*
+ * NetLabel Audit Functions
+ */
+
+/**
+ * netlbl_audit_start_common - Start an audit message
+ * @type: audit message type
+ * @secid: LSM context ID
+ *
+ * Description:
+ * Start an audit message using the type specified in @type and fill the audit
+ * message with some fields common to all NetLabel audit messages.  Returns
+ * a pointer to the audit buffer on success, NULL on failure.
+ *
+ */
+struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
+{
+	struct audit_context *audit_ctx = current->audit_context;
+	struct audit_buffer *audit_buf;
+	uid_t audit_loginuid;
+	const char *audit_tty;
+	char audit_comm[sizeof(current->comm)];
+	struct vm_area_struct *vma;
+	char *secctx;
+	u32 secctx_len;
+
+	audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type);
+	if (audit_buf == NULL)
+		return NULL;
+
+	audit_loginuid = audit_get_loginuid(audit_ctx);
+	if (current->signal &&
+	    current->signal->tty &&
+	    current->signal->tty->name)
+		audit_tty = current->signal->tty->name;
+	else
+		audit_tty = "(none)";
+	get_task_comm(audit_comm, current);
+
+	audit_log_format(audit_buf,
+			 "netlabel: auid=%u uid=%u tty=%s pid=%d",
+			 audit_loginuid,
+			 current->uid,
+			 audit_tty,
+			 current->pid);
+	audit_log_format(audit_buf, " comm=");
+	audit_log_untrustedstring(audit_buf, audit_comm);
+	if (current->mm) {
+		down_read(&current->mm->mmap_sem);
+		vma = current->mm->mmap;
+		while (vma) {
+			if ((vma->vm_flags & VM_EXECUTABLE) &&
+			    vma->vm_file) {
+				audit_log_d_path(audit_buf,
+						 " exe=",
+						 vma->vm_file->f_dentry,
+						 vma->vm_file->f_vfsmnt);
+				break;
+			}
+			vma = vma->vm_next;
+		}
+		up_read(&current->mm->mmap_sem);
+	}
+
+	if (secid != 0 &&
+	    security_secid_to_secctx(secid, &secctx, &secctx_len) == 0)
+		audit_log_format(audit_buf, " subj=%s", secctx);
+
+	return audit_buf;
+}
+
+/**
+ * netlbl_audit_nomsg - Send an audit message without additional text
+ * @type: audit message type
+ * @secid: LSM context ID
+ *
+ * Description:
+ * Send an audit message with only the common NetLabel audit fields.
+ *
+ */
+void netlbl_audit_nomsg(int type, u32 secid)
+{
+	struct audit_buffer *audit_buf;
+
+	audit_buf = netlbl_audit_start_common(type, secid);
+	audit_log_end(audit_buf);
+}
-- 
cgit v1.2.3


From 95d4e6be25a68cd9fbe8c0d356b585504d8db1c7 Mon Sep 17 00:00:00 2001
From: Paul Moore <paul.moore@hp.com>
Date: Fri, 29 Sep 2006 17:05:05 -0700
Subject: [NetLabel]: audit fixups due to delayed feedback

Fix some issues Steve Grubb had with the way NetLabel was using the audit
subsystem.  This should make NetLabel more consistent with other kernel
generated audit messages specifying configuration changes.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/netlabel/netlabel_user.c | 66 ++++++--------------------------------------
 1 file changed, 8 insertions(+), 58 deletions(-)

(limited to 'net/netlabel/netlabel_user.c')

diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index c2343af584c..98a416381e6 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -85,7 +85,7 @@ int netlbl_netlink_init(void)
 /**
  * netlbl_audit_start_common - Start an audit message
  * @type: audit message type
- * @secid: LSM context ID
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Start an audit message using the type specified in @type and fill the audit
@@ -93,14 +93,11 @@ int netlbl_netlink_init(void)
  * a pointer to the audit buffer on success, NULL on failure.
  *
  */
-struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
+struct audit_buffer *netlbl_audit_start_common(int type,
+					       struct netlbl_audit *audit_info)
 {
 	struct audit_context *audit_ctx = current->audit_context;
 	struct audit_buffer *audit_buf;
-	uid_t audit_loginuid;
-	const char *audit_tty;
-	char audit_comm[sizeof(current->comm)];
-	struct vm_area_struct *vma;
 	char *secctx;
 	u32 secctx_len;
 
@@ -108,60 +105,13 @@ struct audit_buffer *netlbl_audit_start_common(int type, u32 secid)
 	if (audit_buf == NULL)
 		return NULL;
 
-	audit_loginuid = audit_get_loginuid(audit_ctx);
-	if (current->signal &&
-	    current->signal->tty &&
-	    current->signal->tty->name)
-		audit_tty = current->signal->tty->name;
-	else
-		audit_tty = "(none)";
-	get_task_comm(audit_comm, current);
+	audit_log_format(audit_buf, "netlabel: auid=%u", audit_info->loginuid);
 
-	audit_log_format(audit_buf,
-			 "netlabel: auid=%u uid=%u tty=%s pid=%d",
-			 audit_loginuid,
-			 current->uid,
-			 audit_tty,
-			 current->pid);
-	audit_log_format(audit_buf, " comm=");
-	audit_log_untrustedstring(audit_buf, audit_comm);
-	if (current->mm) {
-		down_read(&current->mm->mmap_sem);
-		vma = current->mm->mmap;
-		while (vma) {
-			if ((vma->vm_flags & VM_EXECUTABLE) &&
-			    vma->vm_file) {
-				audit_log_d_path(audit_buf,
-						 " exe=",
-						 vma->vm_file->f_dentry,
-						 vma->vm_file->f_vfsmnt);
-				break;
-			}
-			vma = vma->vm_next;
-		}
-		up_read(&current->mm->mmap_sem);
-	}
-
-	if (secid != 0 &&
-	    security_secid_to_secctx(secid, &secctx, &secctx_len) == 0)
+	if (audit_info->secid != 0 &&
+	    security_secid_to_secctx(audit_info->secid,
+				     &secctx,
+				     &secctx_len) == 0)
 		audit_log_format(audit_buf, " subj=%s", secctx);
 
 	return audit_buf;
 }
-
-/**
- * netlbl_audit_nomsg - Send an audit message without additional text
- * @type: audit message type
- * @secid: LSM context ID
- *
- * Description:
- * Send an audit message with only the common NetLabel audit fields.
- *
- */
-void netlbl_audit_nomsg(int type, u32 secid)
-{
-	struct audit_buffer *audit_buf;
-
-	audit_buf = netlbl_audit_start_common(type, secid);
-	audit_log_end(audit_buf);
-}
-- 
cgit v1.2.3