Audit: use new LSM hooks instead of SELinux exports

[mv-sheeva.git] / kernel / audit.c

diff --git a/kernel/audit.c b/kernel/audit.c
index 2eeea9a142408a156f0897a75c81343a5619c07c..784a48e9f382923b8fe0e8e37b42911fd867b602 100644 (file)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -78,9 +78,13 @@ static int   audit_default;
 /* If auditing cannot proceed, audit_failure selects what happens. */
 static int     audit_failure = AUDIT_FAIL_PRINTK;
 
-/* If audit records are to be written to the netlink socket, audit_pid
- * contains the (non-zero) pid. */
+/*
+ * If audit records are to be written to the netlink socket, audit_pid
+ * contains the pid of the auditd process and audit_nlk_pid contains
+ * the pid to use to send netlink messages to that process.
+ */
 int            audit_pid;
+static int     audit_nlk_pid;
 
 /* If audit_rate_limit is non-zero, limit the rate of sending audit records
  * to that number per second.  This prevents DoS attacks, but results in
@@ -170,7 +174,9 @@ void audit_panic(const char *message)
                        printk(KERN_ERR "audit: %s\n", message);
                break;
        case AUDIT_FAIL_PANIC:
-               panic("audit: %s\n", message);
+               /* test audit_pid since printk is always losey, why bother? */
+               if (audit_pid)
+                       panic("audit: %s\n", message);
                break;
        }
 }
@@ -259,13 +265,13 @@ static int audit_log_config_change(char *function_name, int new, int old,
                char *ctx = NULL;
                u32 len;
 
-               rc = selinux_sid_to_string(sid, &ctx, &len);
+               rc = security_secid_to_secctx(sid, &ctx, &len);
                if (rc) {
                        audit_log_format(ab, " sid=%u", sid);
                        allow_changes = 0; /* Something weird, deny request */
                } else {
                        audit_log_format(ab, " subj=%s", ctx);
-                       kfree(ctx);
+                       security_release_secctx(ctx, len);
                }
        }
        audit_log_format(ab, " res=%d", allow_changes);
@@ -348,10 +354,11 @@ static int kauditd_thread(void *dummy)
                wake_up(&audit_backlog_wait);
                if (skb) {
                        if (audit_pid) {
-                               int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
+                               int err = netlink_unicast(audit_sock, skb, audit_nlk_pid, 0);
                                if (err < 0) {
                                        BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
                                        printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
+                                       audit_log_lost("auditd dissapeared\n");
                                        audit_pid = 0;
                                }
                        } else {
@@ -543,12 +550,13 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
        audit_log_format(*ab, "user pid=%d uid=%u auid=%u",
                         pid, uid, auid);
        if (sid) {
-               rc = selinux_sid_to_string(sid, &ctx, &len);
+               rc = security_secid_to_secctx(sid, &ctx, &len);
                if (rc)
                        audit_log_format(*ab, " ssid=%u", sid);
-               else
+               else {
                        audit_log_format(*ab, " subj=%s", ctx);
-               kfree(ctx);
+                       security_release_secctx(ctx, len);
+               }
        }
 
        return rc;
@@ -623,6 +631,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                                                        sid, 1);
 
                        audit_pid = new_pid;
+                       audit_nlk_pid = NETLINK_CB(skb).pid;
                }
                if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
                        err = audit_set_rate_limit(status_get->rate_limit,
@@ -750,18 +759,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                break;
        }
        case AUDIT_SIGNAL_INFO:
-               err = selinux_sid_to_string(audit_sig_sid, &ctx, &len);
+               err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
                if (err)
                        return err;
                sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
                if (!sig_data) {
-                       kfree(ctx);
+                       security_release_secctx(ctx, len);
                        return -ENOMEM;
                }
                sig_data->uid = audit_sig_uid;
                sig_data->pid = audit_sig_pid;
                memcpy(sig_data->ctx, ctx, len);
-               kfree(ctx);
+               security_release_secctx(ctx, len);
                audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
                                0, 0, sig_data, sizeof(*sig_data) + len);
                kfree(sig_data);
@@ -1261,8 +1270,8 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
 
 /**
  * audit_string_contains_control - does a string need to be logged in hex
- * @string - string to be checked
- * @len - max length of the string to check
+ * @string: string to be checked
+ * @len: max length of the string to check
  */
 int audit_string_contains_control(const char *string, size_t len)
 {
@@ -1277,7 +1286,7 @@ int audit_string_contains_control(const char *string, size_t len)
 /**
  * audit_log_n_untrustedstring - log a string that may contain random characters
  * @ab: audit_buffer
- * @len: lenth of string (not including trailing null)
+ * @len: length of string (not including trailing null)
  * @string: string to be logged
  *
  * This code will escape a string that is passed to it if the string
@@ -1350,17 +1359,19 @@ void audit_log_end(struct audit_buffer *ab)
        if (!audit_rate_check()) {
                audit_log_lost("rate limit exceeded");
        } else {
+               struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
                if (audit_pid) {
-                       struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
                        nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
                        skb_queue_tail(&audit_skb_queue, ab->skb);
                        ab->skb = NULL;
                        wake_up_interruptible(&kauditd_wait);
-               } else if (printk_ratelimit()) {
-                       struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
-                       printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
-               } else {
-                       audit_log_lost("printk limit exceeded\n");
+               } else if (nlh->nlmsg_type != AUDIT_EOE) {
+                       if (printk_ratelimit()) {
+                               printk(KERN_NOTICE "type=%d %s\n",
+                                       nlh->nlmsg_type,
+                                       ab->skb->data + NLMSG_SPACE(0));
+                       } else
+                               audit_log_lost("printk limit exceeded\n");
                }
        }
        audit_buffer_free(ab);