[PATCH v2 09/13] Audit: use an lsmblob in audit_names
Casey Schaufler
casey at schaufler-ca.com
Fri Aug 30 00:34:07 UTC 2024
Replace the osid field in the audit_names structure with a
lsmblob structure. This accommodates the use of an lsmblob in
security_audit_rule_match() and security_inode_getsecid().
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
kernel/audit.h | 2 +-
kernel/auditsc.c | 20 +++++---------------
2 files changed, 6 insertions(+), 16 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index b1f2de4d4f1e..6c664aed8f89 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -82,7 +82,7 @@ struct audit_names {
kuid_t uid;
kgid_t gid;
dev_t rdev;
- u32 osid;
+ struct lsmblob oblob;
struct audit_cap_data fcap;
unsigned int fcap_ver;
unsigned char type; /* record type */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index eb1c64a2af31..886564532bbe 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -698,19 +698,15 @@ static int audit_filter_rules(struct task_struct *tsk,
if (f->lsm_rule) {
/* Find files that match */
if (name) {
- /* scaffolding */
- blob.scaffold.secid = name->osid;
result = security_audit_rule_match(
- &blob,
+ &name->oblob,
f->type,
f->op,
f->lsm_rule);
} else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
- /* scaffolding */
- blob.scaffold.secid = n->osid;
if (security_audit_rule_match(
- &blob,
+ &n->oblob,
f->type,
f->op,
f->lsm_rule)) {
@@ -1562,13 +1558,11 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
from_kgid(&init_user_ns, n->gid),
MAJOR(n->rdev),
MINOR(n->rdev));
- if (n->osid != 0) {
+ if (lsmblob_is_set(&n->oblob)) {
char *ctx = NULL;
u32 len;
- if (security_secid_to_secctx(
- n->osid, &ctx, &len)) {
- audit_log_format(ab, " osid=%u", n->osid);
+ if (security_lsmblob_to_secctx(&n->oblob, &ctx, &len)) {
if (call_panic)
*call_panic = 2;
} else {
@@ -2276,17 +2270,13 @@ static void audit_copy_inode(struct audit_names *name,
const struct dentry *dentry,
struct inode *inode, unsigned int flags)
{
- struct lsmblob blob;
-
name->ino = inode->i_ino;
name->dev = inode->i_sb->s_dev;
name->mode = inode->i_mode;
name->uid = inode->i_uid;
name->gid = inode->i_gid;
name->rdev = inode->i_rdev;
- security_inode_getlsmblob(inode, &blob);
- /* scaffolding */
- name->osid = blob.scaffold.secid;
+ security_inode_getlsmblob(inode, &name->oblob);
if (flags & AUDIT_INODE_NOEVAL) {
name->fcap_ver = -1;
return;
--
2.46.0
More information about the Linux-security-module-archive
mailing list