#include <net/netlabel.h>
#include <net/cipso_ipv4.h>
#include <linux/audit.h>
-
#include "smack.h"
#define task_security(task) (task_cred_xxx((task), security))
static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode)
{
int rc;
+ struct smk_audit_info ad;
+ char *sp, *tsp;
rc = cap_ptrace_may_access(ctp, mode);
if (rc != 0)
return rc;
- rc = smk_access(current_security(), task_security(ctp), MAY_READWRITE);
+ sp = current_security();
+ tsp = task_security(ctp);
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, ctp);
+
+ /* we won't log here, because rc can be overriden */
+ rc = smk_access(sp, tsp, MAY_READWRITE, NULL);
if (rc != 0 && capable(CAP_MAC_OVERRIDE))
- return 0;
+ rc = 0;
+
+ smack_log(sp, tsp, MAY_READWRITE, rc, &ad);
return rc;
}
static int smack_ptrace_traceme(struct task_struct *ptp)
{
int rc;
+ struct smk_audit_info ad;
+ char *sp, *tsp;
rc = cap_ptrace_traceme(ptp);
if (rc != 0)
return rc;
- rc = smk_access(task_security(ptp), current_security(), MAY_READWRITE);
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, ptp);
+
+ sp = current_security();
+ tsp = task_security(ptp);
+ /* we won't log here, because rc can be overriden */
+ rc = smk_access(tsp, sp, MAY_READWRITE, NULL);
if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE))
- return 0;
+ rc = 0;
+
+ smack_log(tsp, sp, MAY_READWRITE, rc, &ad);
return rc;
}
static int smack_sb_statfs(struct dentry *dentry)
{
struct superblock_smack *sbp = dentry->d_sb->s_security;
+ int rc;
+ struct smk_audit_info ad;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
- return smk_curacc(sbp->smk_floor, MAY_READ);
+ rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);
+ return rc;
}
/**
char *type, unsigned long flags, void *data)
{
struct superblock_smack *sbp = path->mnt->mnt_sb->s_security;
+ struct smk_audit_info ad;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path(&ad, *path);
- return smk_curacc(sbp->smk_floor, MAY_WRITE);
+ return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
}
/**
static int smack_sb_umount(struct vfsmount *mnt, int flags)
{
struct superblock_smack *sbp;
+ struct smk_audit_info ad;
- sbp = mnt->mnt_sb->s_security;
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, mnt->mnt_mountpoint);
+ smk_ad_setfield_u_fs_path_mnt(&ad, mnt);
- return smk_curacc(sbp->smk_floor, MAY_WRITE);
+ sbp = mnt->mnt_sb->s_security;
+ return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
}
/*
static int smack_inode_link(struct dentry *old_dentry, struct inode *dir,
struct dentry *new_dentry)
{
- int rc;
char *isp;
+ struct smk_audit_info ad;
+ int rc;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
isp = smk_of_inode(old_dentry->d_inode);
- rc = smk_curacc(isp, MAY_WRITE);
+ rc = smk_curacc(isp, MAY_WRITE, &ad);
if (rc == 0 && new_dentry->d_inode != NULL) {
isp = smk_of_inode(new_dentry->d_inode);
- rc = smk_curacc(isp, MAY_WRITE);
+ smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
+ rc = smk_curacc(isp, MAY_WRITE, &ad);
}
return rc;
static int smack_inode_unlink(struct inode *dir, struct dentry *dentry)
{
struct inode *ip = dentry->d_inode;
+ struct smk_audit_info ad;
int rc;
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
+
/*
* You need write access to the thing you're unlinking
*/
- rc = smk_curacc(smk_of_inode(ip), MAY_WRITE);
- if (rc == 0)
+ rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad);
+ if (rc == 0) {
/*
* You also need write access to the containing directory
*/
- rc = smk_curacc(smk_of_inode(dir), MAY_WRITE);
-
+ smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
+ smk_ad_setfield_u_fs_inode(&ad, dir);
+ rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
+ }
return rc;
}
*/
static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry)
{
+ struct smk_audit_info ad;
int rc;
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
+
/*
* You need write access to the thing you're removing
*/
- rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
- if (rc == 0)
+ rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
+ if (rc == 0) {
/*
* You also need write access to the containing directory
*/
- rc = smk_curacc(smk_of_inode(dir), MAY_WRITE);
+ smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
+ smk_ad_setfield_u_fs_inode(&ad, dir);
+ rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
+ }
return rc;
}
{
int rc;
char *isp;
+ struct smk_audit_info ad;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
isp = smk_of_inode(old_dentry->d_inode);
- rc = smk_curacc(isp, MAY_READWRITE);
+ rc = smk_curacc(isp, MAY_READWRITE, &ad);
if (rc == 0 && new_dentry->d_inode != NULL) {
isp = smk_of_inode(new_dentry->d_inode);
- rc = smk_curacc(isp, MAY_READWRITE);
+ smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
+ rc = smk_curacc(isp, MAY_READWRITE, &ad);
}
-
return rc;
}
*/
static int smack_inode_permission(struct inode *inode, int mask)
{
+ struct smk_audit_info ad;
/*
* No permission to check. Existence test. Yup, it's there.
*/
if (mask == 0)
return 0;
-
- return smk_curacc(smk_of_inode(inode), mask);
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_inode(&ad, inode);
+ return smk_curacc(smk_of_inode(inode), mask, &ad);
}
/**
*/
static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
{
+ struct smk_audit_info ad;
/*
* Need to allow for clearing the setuid bit.
*/
if (iattr->ia_valid & ATTR_FORCE)
return 0;
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
- return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
+ return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
}
/**
*/
static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
{
- return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ);
+ struct smk_audit_info ad;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
+ smk_ad_setfield_u_fs_path_mnt(&ad, mnt);
+ return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad);
}
/**
static int smack_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
+ struct smk_audit_info ad;
int rc = 0;
if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
if (!capable(CAP_MAC_ADMIN))
rc = -EPERM;
- /* a label cannot be void and cannot begin with '-' */
- if (size == 0 || (size > 0 && ((char *)value)[0] == '-'))
+ /*
+ * check label validity here so import wont fail on
+ * post_setxattr
+ */
+ if (size == 0 || size >= SMK_LABELLEN ||
+ smk_import(value, size) == NULL)
rc = -EINVAL;
} else
rc = cap_inode_setxattr(dentry, name, value, size, flags);
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
+
if (rc == 0)
- rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
+ rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
return rc;
}
if (strcmp(name, XATTR_NAME_SMACK))
return;
- if (size >= SMK_LABELLEN)
- return;
-
isp = dentry->d_inode->i_security;
/*
*/
static int smack_inode_getxattr(struct dentry *dentry, const char *name)
{
- return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ);
+ struct smk_audit_info ad;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
+
+ return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad);
}
/*
*/
static int smack_inode_removexattr(struct dentry *dentry, const char *name)
{
+ struct smk_audit_info ad;
int rc = 0;
if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
} else
rc = cap_inode_removexattr(dentry, name);
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
if (rc == 0)
- rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
+ rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
return rc;
}
unsigned long arg)
{
int rc = 0;
+ struct smk_audit_info ad;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path(&ad, file->f_path);
if (_IOC_DIR(cmd) & _IOC_WRITE)
- rc = smk_curacc(file->f_security, MAY_WRITE);
+ rc = smk_curacc(file->f_security, MAY_WRITE, &ad);
if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ))
- rc = smk_curacc(file->f_security, MAY_READ);
+ rc = smk_curacc(file->f_security, MAY_READ, &ad);
return rc;
}
*/
static int smack_file_lock(struct file *file, unsigned int cmd)
{
- return smk_curacc(file->f_security, MAY_WRITE);
+ struct smk_audit_info ad;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path_dentry(&ad, file->f_path.dentry);
+ return smk_curacc(file->f_security, MAY_WRITE, &ad);
}
/**
static int smack_file_fcntl(struct file *file, unsigned int cmd,
unsigned long arg)
{
+ struct smk_audit_info ad;
int rc;
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
+ smk_ad_setfield_u_fs_path(&ad, file->f_path);
+
switch (cmd) {
case F_DUPFD:
case F_GETFD:
case F_GETLK:
case F_GETOWN:
case F_GETSIG:
- rc = smk_curacc(file->f_security, MAY_READ);
+ rc = smk_curacc(file->f_security, MAY_READ, &ad);
break;
case F_SETFD:
case F_SETFL:
case F_SETLKW:
case F_SETOWN:
case F_SETSIG:
- rc = smk_curacc(file->f_security, MAY_WRITE);
+ rc = smk_curacc(file->f_security, MAY_WRITE, &ad);
break;
default:
- rc = smk_curacc(file->f_security, MAY_READWRITE);
+ rc = smk_curacc(file->f_security, MAY_READWRITE, &ad);
}
return rc;
{
struct file *file;
int rc;
+ char *tsp = tsk->cred->security;
+ struct smk_audit_info ad;
/*
* struct fown_struct is never outside the context of a struct file
*/
file = container_of(fown, struct file, f_owner);
- rc = smk_access(file->f_security, tsk->cred->security, MAY_WRITE);
+ /* we don't log here as rc can be overriden */
+ rc = smk_access(file->f_security, tsp, MAY_WRITE, NULL);
if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
- return 0;
+ rc = 0;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, tsk);
+ smack_log(file->f_security, tsp, MAY_WRITE, rc, &ad);
return rc;
}
static int smack_file_receive(struct file *file)
{
int may = 0;
+ struct smk_audit_info ad;
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_fs_path(&ad, file->f_path);
/*
* This code relies on bitmasks.
*/
if (file->f_mode & FMODE_WRITE)
may |= MAY_WRITE;
- return smk_curacc(file->f_security, may);
+ return smk_curacc(file->f_security, may, &ad);
}
/*
return 0;
}
+/**
+ * smk_curacc_on_task - helper to log task related access
+ * @p: the task object
+ * @access : the access requested
+ *
+ * Return 0 if access is permitted
+ */
+static int smk_curacc_on_task(struct task_struct *p, int access)
+{
+ struct smk_audit_info ad;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, p);
+ return smk_curacc(task_security(p), access, &ad);
+}
+
/**
* smack_task_setpgid - Smack check on setting pgid
* @p: the task object
*/
static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
{
- return smk_curacc(task_security(p), MAY_WRITE);
+ return smk_curacc_on_task(p, MAY_WRITE);
}
/**
*/
static int smack_task_getpgid(struct task_struct *p)
{
- return smk_curacc(task_security(p), MAY_READ);
+ return smk_curacc_on_task(p, MAY_READ);
}
/**
*/
static int smack_task_getsid(struct task_struct *p)
{
- return smk_curacc(task_security(p), MAY_READ);
+ return smk_curacc_on_task(p, MAY_READ);
}
/**
rc = cap_task_setnice(p, nice);
if (rc == 0)
- rc = smk_curacc(task_security(p), MAY_WRITE);
+ rc = smk_curacc_on_task(p, MAY_WRITE);
return rc;
}
rc = cap_task_setioprio(p, ioprio);
if (rc == 0)
- rc = smk_curacc(task_security(p), MAY_WRITE);
+ rc = smk_curacc_on_task(p, MAY_WRITE);
return rc;
}
*/
static int smack_task_getioprio(struct task_struct *p)
{
- return smk_curacc(task_security(p), MAY_READ);
+ return smk_curacc_on_task(p, MAY_READ);
}
/**
rc = cap_task_setscheduler(p, policy, lp);
if (rc == 0)
- rc = smk_curacc(task_security(p), MAY_WRITE);
+ rc = smk_curacc_on_task(p, MAY_WRITE);
return rc;
}
*/
static int smack_task_getscheduler(struct task_struct *p)
{
- return smk_curacc(task_security(p), MAY_READ);
+ return smk_curacc_on_task(p, MAY_READ);
}
/**
*/
static int smack_task_movememory(struct task_struct *p)
{
- return smk_curacc(task_security(p), MAY_WRITE);
+ return smk_curacc_on_task(p, MAY_WRITE);
}
/**
static int smack_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid)
{
+ struct smk_audit_info ad;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, p);
/*
* Sending a signal requires that the sender
* can write the receiver.
*/
if (secid == 0)
- return smk_curacc(task_security(p), MAY_WRITE);
+ return smk_curacc(task_security(p), MAY_WRITE, &ad);
/*
* If the secid isn't 0 we're dealing with some USB IO
* specific behavior. This is not clean. For one thing
* we can't take privilege into account.
*/
- return smk_access(smack_from_secid(secid), task_security(p), MAY_WRITE);
+ return smk_access(smack_from_secid(secid), task_security(p),
+ MAY_WRITE, &ad);
}
/**
*/
static int smack_task_wait(struct task_struct *p)
{
+ struct smk_audit_info ad;
+ char *sp = current_security();
+ char *tsp = task_security(p);
int rc;
- rc = smk_access(current_security(), task_security(p), MAY_WRITE);
+ /* we don't log here, we can be overriden */
+ rc = smk_access(sp, tsp, MAY_WRITE, NULL);
if (rc == 0)
- return 0;
+ goto out_log;
/*
* Allow the operation to succeed if either task
* the smack value.
*/
if (capable(CAP_MAC_OVERRIDE) || has_capability(p, CAP_MAC_OVERRIDE))
- return 0;
-
+ rc = 0;
+ /* we log only if we didn't get overriden */
+ out_log:
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, p);
+ smack_log(sp, tsp, MAY_WRITE, rc, &ad);
return rc;
}
int sk_lbl;
char *hostsp;
struct socket_smack *ssp = sk->sk_security;
+ struct smk_audit_info ad;
rcu_read_lock();
hostsp = smack_host_label(sap);
if (hostsp != NULL) {
sk_lbl = SMACK_UNLABELED_SOCKET;
- rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE);
+#ifdef CONFIG_AUDIT
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+ ad.a.u.net.family = sap->sin_family;
+ ad.a.u.net.dport = sap->sin_port;
+ ad.a.u.net.v4info.daddr = sap->sin_addr.s_addr;
+#endif
+ rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE, &ad);
} else {
sk_lbl = SMACK_CIPSO_SOCKET;
rc = 0;
isp->security = NULL;
}
+/**
+ * smk_curacc_shm : check if current has access on shm
+ * @shp : the object
+ * @access : access requested
+ *
+ * Returns 0 if current has the requested access, error code otherwise
+ */
+static int smk_curacc_shm(struct shmid_kernel *shp, int access)
+{
+ char *ssp = smack_of_shm(shp);
+ struct smk_audit_info ad;
+
+#ifdef CONFIG_AUDIT
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
+ ad.a.u.ipc_id = shp->shm_perm.id;
+#endif
+ return smk_curacc(ssp, access, &ad);
+}
+
/**
* smack_shm_associate - Smack access check for shm
* @shp: the object
*/
static int smack_shm_associate(struct shmid_kernel *shp, int shmflg)
{
- char *ssp = smack_of_shm(shp);
int may;
may = smack_flags_to_may(shmflg);
- return smk_curacc(ssp, may);
+ return smk_curacc_shm(shp, may);
}
/**
*/
static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd)
{
- char *ssp;
int may;
switch (cmd) {
default:
return -EINVAL;
}
-
- ssp = smack_of_shm(shp);
- return smk_curacc(ssp, may);
+ return smk_curacc_shm(shp, may);
}
/**
static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
int shmflg)
{
- char *ssp = smack_of_shm(shp);
int may;
may = smack_flags_to_may(shmflg);
- return smk_curacc(ssp, may);
+ return smk_curacc_shm(shp, may);
}
/**
isp->security = NULL;
}
+/**
+ * smk_curacc_sem : check if current has access on sem
+ * @sma : the object
+ * @access : access requested
+ *
+ * Returns 0 if current has the requested access, error code otherwise
+ */
+static int smk_curacc_sem(struct sem_array *sma, int access)
+{
+ char *ssp = smack_of_sem(sma);
+ struct smk_audit_info ad;
+
+#ifdef CONFIG_AUDIT
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
+ ad.a.u.ipc_id = sma->sem_perm.id;
+#endif
+ return smk_curacc(ssp, access, &ad);
+}
+
/**
* smack_sem_associate - Smack access check for sem
* @sma: the object
*/
static int smack_sem_associate(struct sem_array *sma, int semflg)
{
- char *ssp = smack_of_sem(sma);
int may;
may = smack_flags_to_may(semflg);
- return smk_curacc(ssp, may);
+ return smk_curacc_sem(sma, may);
}
/**
*/
static int smack_sem_semctl(struct sem_array *sma, int cmd)
{
- char *ssp;
int may;
switch (cmd) {
return -EINVAL;
}
- ssp = smack_of_sem(sma);
- return smk_curacc(ssp, may);
+ return smk_curacc_sem(sma, may);
}
/**
static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops,
unsigned nsops, int alter)
{
- char *ssp = smack_of_sem(sma);
-
- return smk_curacc(ssp, MAY_READWRITE);
+ return smk_curacc_sem(sma, MAY_READWRITE);
}
/**
return (char *)msq->q_perm.security;
}
+/**
+ * smk_curacc_msq : helper to check if current has access on msq
+ * @msq : the msq
+ * @access : access requested
+ *
+ * return 0 if current has access, error otherwise
+ */
+static int smk_curacc_msq(struct msg_queue *msq, int access)
+{
+ char *msp = smack_of_msq(msq);
+ struct smk_audit_info ad;
+
+#ifdef CONFIG_AUDIT
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
+ ad.a.u.ipc_id = msq->q_perm.id;
+#endif
+ return smk_curacc(msp, access, &ad);
+}
+
/**
* smack_msg_queue_associate - Smack access check for msg_queue
* @msq: the object
*/
static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg)
{
- char *msp = smack_of_msq(msq);
int may;
may = smack_flags_to_may(msqflg);
- return smk_curacc(msp, may);
+ return smk_curacc_msq(msq, may);
}
/**
*/
static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd)
{
- char *msp;
int may;
switch (cmd) {
return -EINVAL;
}
- msp = smack_of_msq(msq);
- return smk_curacc(msp, may);
+ return smk_curacc_msq(msq, may);
}
/**
static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
int msqflg)
{
- char *msp = smack_of_msq(msq);
- int rc;
+ int may;
- rc = smack_flags_to_may(msqflg);
- return smk_curacc(msp, rc);
+ may = smack_flags_to_may(msqflg);
+ return smk_curacc_msq(msq, may);
}
/**
static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
struct task_struct *target, long type, int mode)
{
- char *msp = smack_of_msq(msq);
-
- return smk_curacc(msp, MAY_READWRITE);
+ return smk_curacc_msq(msq, MAY_READWRITE);
}
/**
static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
{
char *isp = ipp->security;
- int may;
+ int may = smack_flags_to_may(flag);
+ struct smk_audit_info ad;
- may = smack_flags_to_may(flag);
- return smk_curacc(isp, may);
+#ifdef CONFIG_AUDIT
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
+ ad.a.u.ipc_id = ipp->id;
+#endif
+ return smk_curacc(isp, may, &ad);
}
/**
{
struct inode *sp = SOCK_INODE(sock);
struct inode *op = SOCK_INODE(other);
+ struct smk_audit_info ad;
- return smk_access(smk_of_inode(sp), smk_of_inode(op), MAY_READWRITE);
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+ smk_ad_setfield_u_net_sk(&ad, other->sk);
+ return smk_access(smk_of_inode(sp), smk_of_inode(op),
+ MAY_READWRITE, &ad);
}
/**
{
struct inode *sp = SOCK_INODE(sock);
struct inode *op = SOCK_INODE(other);
+ struct smk_audit_info ad;
- return smk_access(smk_of_inode(sp), smk_of_inode(op), MAY_WRITE);
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+ smk_ad_setfield_u_net_sk(&ad, other->sk);
+ return smk_access(smk_of_inode(sp), smk_of_inode(op), MAY_WRITE, &ad);
}
/**
char smack[SMK_LABELLEN];
char *csp;
int rc;
-
+ struct smk_audit_info ad;
if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
return 0;
netlbl_secattr_destroy(&secattr);
+#ifdef CONFIG_AUDIT
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+ ad.a.u.net.family = sk->sk_family;
+ ad.a.u.net.netif = skb->iif;
+ ipv4_skb_to_auditdata(skb, &ad.a, NULL);
+#endif
/*
* Receiving a packet requires that the other end
* be able to write here. Read access is not required.
* This is the simplist possible security model
* for networking.
*/
- rc = smk_access(csp, ssp->smk_in, MAY_WRITE);
+ rc = smk_access(csp, ssp->smk_in, MAY_WRITE, &ad);
if (rc != 0)
netlbl_skbuff_err(skb, rc, 0);
return rc;
struct iphdr *hdr;
char smack[SMK_LABELLEN];
int rc;
+ struct smk_audit_info ad;
/* handle mapped IPv4 packets arriving via IPv6 sockets */
if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
strncpy(smack, smack_known_huh.smk_known, SMK_MAXLEN);
netlbl_secattr_destroy(&secattr);
+#ifdef CONFIG_AUDIT
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+ ad.a.u.net.family = family;
+ ad.a.u.net.netif = skb->iif;
+ ipv4_skb_to_auditdata(skb, &ad.a, NULL);
+#endif
/*
* Receiving a packet requires that the other end be able to write
* here. Read access is not required.
*/
- rc = smk_access(smack, ssp->smk_in, MAY_WRITE);
+ rc = smk_access(smack, ssp->smk_in, MAY_WRITE, &ad);
if (rc != 0)
return rc;
const struct cred *cred, key_perm_t perm)
{
struct key *keyp;
+ struct smk_audit_info ad;
keyp = key_ref_to_ptr(key_ref);
if (keyp == NULL)
*/
if (cred->security == NULL)
return -EACCES;
-
- return smk_access(cred->security, keyp->security, MAY_READWRITE);
+#ifdef CONFIG_AUDIT
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
+ ad.a.u.key_struct.key = keyp->serial;
+ ad.a.u.key_struct.key_desc = keyp->description;
+#endif
+ return smk_access(cred->security, keyp->security,
+ MAY_READWRITE, &ad);
}
#endif /* CONFIG_KEYS */