[PATCH 12/13] Netlabel: Use lsmblob for audit data
Casey Schaufler
casey at schaufler-ca.com
Sun Aug 25 19:00:47 UTC 2024
Replace the secid in the netlbl_audit structure with an lsmblob.
Remove scaffolding that was required when the value was a secid.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
include/net/netlabel.h | 2 +-
net/netlabel/netlabel_unlabeled.c | 5 +----
net/netlabel/netlabel_user.c | 7 +++----
net/netlabel/netlabel_user.h | 6 +-----
security/smack/smackfs.c | 4 +---
5 files changed, 7 insertions(+), 17 deletions(-)
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 654bc777d2a7..eb6b479c5c06 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -97,7 +97,7 @@ struct calipso_doi;
/* NetLabel audit information */
struct netlbl_audit {
- u32 secid;
+ struct lsmblob blob;
kuid_t loginuid;
unsigned int sessionid;
};
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 7f38dc9b6b57..7bac13ae07a3 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1534,14 +1534,11 @@ int __init netlbl_unlabel_defconf(void)
int ret_val;
struct netlbl_dom_map *entry;
struct netlbl_audit audit_info;
- struct lsmblob blob;
/* Only the kernel is allowed to call this function and the only time
* it is called is at bootup before the audit subsystem is reporting
* messages so don't worry to much about these values. */
- security_current_getlsmblob_subj(&blob);
- /* scaffolding */
- audit_info.secid = blob.scaffold.secid;
+ security_current_getlsmblob_subj(&audit_info.blob);
audit_info.loginuid = GLOBAL_ROOT_UID;
audit_info.sessionid = 0;
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 3ed4fea2a2de..6cd1fcb3902b 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -98,10 +98,9 @@ struct audit_buffer *netlbl_audit_start_common(int type,
from_kuid(&init_user_ns, audit_info->loginuid),
audit_info->sessionid);
- if (audit_info->secid != 0 &&
- security_secid_to_secctx(audit_info->secid,
- &secctx,
- &secctx_len) == 0) {
+ if (lsmblob_is_set(&audit_info->blob) &&
+ security_lsmblob_to_secctx(&audit_info->blob, &secctx,
+ &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
security_release_secctx(secctx, secctx_len);
}
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index 40841d7af1d8..1a9639005d09 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -32,11 +32,7 @@
*/
static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info)
{
- struct lsmblob blob;
-
- security_current_getlsmblob_subj(&blob);
- /* scaffolding */
- audit_info->secid = blob.scaffold.secid;
+ security_current_getlsmblob_subj(&audit_info->blob);
audit_info->loginuid = audit_get_loginuid(current);
audit_info->sessionid = audit_get_sessionid(current);
}
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index e22aad7604e8..878fe44b662d 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -182,11 +182,9 @@ static inline void smack_catset_bit(unsigned int cat, char *catsetp)
*/
static void smk_netlabel_audit_set(struct netlbl_audit *nap)
{
- struct smack_known *skp = smk_of_current();
-
nap->loginuid = audit_get_loginuid(current);
nap->sessionid = audit_get_sessionid(current);
- nap->secid = skp->smk_secid;
+ nap->blob.smack.skp = smk_of_current();
}
/*
--
2.41.0
More information about the Linux-security-module-archive
mailing list