[PATCH 23/59] Audit: Change audit_sig_sid to audit_sig_lsm
Casey Schaufler
casey at schaufler-ca.com
Tue Apr 9 21:39:10 UTC 2019
Remove lsm_export scaffolding around audit_sig_sid by
changing the u32 secid into an lsm_export structure named
audit_sig_lsm.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
include/linux/security.h | 7 +++++++
kernel/audit.c | 18 ++++++++----------
kernel/audit.h | 2 +-
kernel/auditsc.c | 3 +--
4 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 40aa7b9f3c83..e76d7a9dbe50 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -93,6 +93,13 @@ static inline void lsm_export_init(struct lsm_export *l)
memset(l, 0, sizeof(*l));
}
+static inline bool lsm_export_any(struct lsm_export *l)
+{
+ return (((l->flags & LSM_EXPORT_SELINUX) && l->selinux) ||
+ ((l->flags & LSM_EXPORT_SMACK) && l->smack) ||
+ ((l->flags & LSM_EXPORT_APPARMOR) && l->apparmor));
+}
+
/**
* lsm_export_secid - pull the useful secid out of a lsm_export
* @data: the containing data structure
diff --git a/kernel/audit.c b/kernel/audit.c
index fa4c5544eb37..5226e2af9498 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -135,9 +135,9 @@ static u32 audit_backlog_limit = 64;
static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
/* The identity of the user shutting down the audit system. */
-kuid_t audit_sig_uid = INVALID_UID;
-pid_t audit_sig_pid = -1;
-u32 audit_sig_sid = 0;
+kuid_t audit_sig_uid = INVALID_UID;
+pid_t audit_sig_pid = -1;
+struct lsm_export audit_sig_lsm;
/* Records can be lost in several ways:
0) [suppressed in audit_alloc]
@@ -1429,23 +1429,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
case AUDIT_SIGNAL_INFO:
len = 0;
- if (audit_sig_sid) {
- struct lsm_export le;
-
- lsm_export_to_all(&le, audit_sig_sid);
- err = security_secid_to_secctx(&le, &ctx, &len);
+ if (lsm_export_any(&audit_sig_lsm)) {
+ err = security_secid_to_secctx(&audit_sig_lsm, &ctx,
+ &len);
if (err)
return err;
}
sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
if (!sig_data) {
- if (audit_sig_sid)
+ if (lsm_export_any(&audit_sig_lsm))
security_release_secctx(ctx, len);
return -ENOMEM;
}
sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
sig_data->pid = audit_sig_pid;
- if (audit_sig_sid) {
+ if (lsm_export_any(&audit_sig_lsm)) {
memcpy(sig_data->ctx, ctx, len);
security_release_secctx(ctx, len);
}
diff --git a/kernel/audit.h b/kernel/audit.h
index 958d5b8fc1b3..64498850c52b 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -338,7 +338,7 @@ extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);
extern pid_t audit_sig_pid;
extern kuid_t audit_sig_uid;
-extern u32 audit_sig_sid;
+extern struct lsm_export audit_sig_lsm;
extern int audit_filter(int msgtype, unsigned int listtype);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 71daead619e5..41f540037a93 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2398,8 +2398,7 @@ int audit_signal_info(int sig, struct task_struct *t)
audit_sig_uid = auid;
else
audit_sig_uid = uid;
- security_task_getsecid(current, &le);
- lsm_export_secid(&le, &audit_sig_sid);
+ security_task_getsecid(current, &audit_sig_lsm);
}
if (!audit_signals || audit_dummy_context())
--
2.19.1
More information about the Linux-security-module-archive
mailing list