[NetLabel]: add audit support for configuration changes
This patch adds audit support to NetLabel, including six new audit message types shown below. #define AUDIT_MAC_UNLBL_ACCEPT 1406 #define AUDIT_MAC_UNLBL_DENY 1407 #define AUDIT_MAC_CIPSOV4_ADD 1408 #define AUDIT_MAC_CIPSOV4_DEL 1409 #define AUDIT_MAC_MAP_ADD 1410 #define AUDIT_MAC_MAP_DEL 1411 Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Paul Moore
committed by
David S. Miller
David S. Miller
parent
8ea333eb5d
commit
32f50cdee6
@@ -35,12 +35,14 @@
|
||||
#include <linux/skbuff.h>
|
||||
#include <linux/spinlock.h>
|
||||
#include <linux/string.h>
|
||||
#include <linux/audit.h>
|
||||
#include <net/netlabel.h>
|
||||
#include <net/cipso_ipv4.h>
|
||||
#include <asm/bug.h>
|
||||
|
||||
#include "netlabel_mgmt.h"
|
||||
#include "netlabel_domainhash.h"
|
||||
#include "netlabel_user.h"
|
||||
|
||||
struct netlbl_domhsh_tbl {
|
||||
struct list_head *tbl;
|
||||
@@ -186,6 +188,7 @@ int netlbl_domhsh_init(u32 size)
|
||||
/**
|
||||
* netlbl_domhsh_add - Adds a entry to the domain hash table
|
||||
* @entry: the entry to add
|
||||
* @audit_secid: the LSM secid to use in the audit message
|
||||
*
|
||||
* Description:
|
||||
* Adds a new entry to the domain hash table and handles any updates to the
|
||||
@@ -193,10 +196,12 @@ int netlbl_domhsh_init(u32 size)
|
||||
* negative on failure.
|
||||
*
|
||||
*/
|
||||
int netlbl_domhsh_add(struct netlbl_dom_map *entry)
|
||||
int netlbl_domhsh_add(struct netlbl_dom_map *entry, u32 audit_secid)
|
||||
{
|
||||
int ret_val;
|
||||
u32 bkt;
|
||||
struct audit_buffer *audit_buf;
|
||||
char *audit_domain;
|
||||
|
||||
switch (entry->type) {
|
||||
case NETLBL_NLTYPE_UNLABELED:
|
||||
@@ -236,6 +241,26 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry)
|
||||
spin_unlock(&netlbl_domhsh_def_lock);
|
||||
} else
|
||||
ret_val = -EINVAL;
|
||||
if (ret_val == 0) {
|
||||
if (entry->domain != NULL)
|
||||
audit_domain = entry->domain;
|
||||
else
|
||||
audit_domain = "(default)";
|
||||
audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_ADD,
|
||||
audit_secid);
|
||||
audit_log_format(audit_buf, " domain=%s", audit_domain);
|
||||
switch (entry->type) {
|
||||
case NETLBL_NLTYPE_UNLABELED:
|
||||
audit_log_format(audit_buf, " protocol=unlbl");
|
||||
break;
|
||||
case NETLBL_NLTYPE_CIPSOV4:
|
||||
audit_log_format(audit_buf,
|
||||
" protocol=cipsov4 doi=%u",
|
||||
entry->type_def.cipsov4->doi);
|
||||
break;
|
||||
}
|
||||
audit_log_end(audit_buf);
|
||||
}
|
||||
rcu_read_unlock();
|
||||
|
||||
if (ret_val != 0) {
|
||||
@@ -254,6 +279,7 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry)
|
||||
/**
|
||||
* netlbl_domhsh_add_default - Adds the default entry to the domain hash table
|
||||
* @entry: the entry to add
|
||||
* @audit_secid: the LSM secid to use in the audit message
|
||||
*
|
||||
* Description:
|
||||
* Adds a new default entry to the domain hash table and handles any updates
|
||||
@@ -261,14 +287,15 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry)
|
||||
* negative on failure.
|
||||
*
|
||||
*/
|
||||
int netlbl_domhsh_add_default(struct netlbl_dom_map *entry)
|
||||
int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, u32 audit_secid)
|
||||
{
|
||||
return netlbl_domhsh_add(entry);
|
||||
return netlbl_domhsh_add(entry, audit_secid);
|
||||
}
|
||||
|
||||
/**
|
||||
* netlbl_domhsh_remove - Removes an entry from the domain hash table
|
||||
* @domain: the domain to remove
|
||||
* @audit_secid: the LSM secid to use in the audit message
|
||||
*
|
||||
* Description:
|
||||
* Removes an entry from the domain hash table and handles any updates to the
|
||||
@@ -276,10 +303,12 @@ int netlbl_domhsh_add_default(struct netlbl_dom_map *entry)
|
||||
* negative on failure.
|
||||
*
|
||||
*/
|
||||
int netlbl_domhsh_remove(const char *domain)
|
||||
int netlbl_domhsh_remove(const char *domain, u32 audit_secid)
|
||||
{
|
||||
int ret_val = -ENOENT;
|
||||
struct netlbl_dom_map *entry;
|
||||
struct audit_buffer *audit_buf;
|
||||
char *audit_domain;
|
||||
|
||||
rcu_read_lock();
|
||||
if (domain != NULL)
|
||||
@@ -316,8 +345,18 @@ int netlbl_domhsh_remove(const char *domain)
|
||||
ret_val = -ENOENT;
|
||||
spin_unlock(&netlbl_domhsh_def_lock);
|
||||
}
|
||||
if (ret_val == 0)
|
||||
if (ret_val == 0) {
|
||||
if (entry->domain != NULL)
|
||||
audit_domain = entry->domain;
|
||||
else
|
||||
audit_domain = "(default)";
|
||||
audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL,
|
||||
audit_secid);
|
||||
audit_log_format(audit_buf, " domain=%s", audit_domain);
|
||||
audit_log_end(audit_buf);
|
||||
|
||||
call_rcu(&entry->rcu, netlbl_domhsh_free_entry);
|
||||
}
|
||||
|
||||
remove_return:
|
||||
rcu_read_unlock();
|
||||
@@ -326,6 +365,7 @@ remove_return:
|
||||
|
||||
/**
|
||||
* netlbl_domhsh_remove_default - Removes the default entry from the table
|
||||
* @audit_secid: the LSM secid to use in the audit message
|
||||
*
|
||||
* Description:
|
||||
* Removes/resets the default entry for the domain hash table and handles any
|
||||
@@ -333,9 +373,9 @@ remove_return:
|
||||
* success, non-zero on failure.
|
||||
*
|
||||
*/
|
||||
int netlbl_domhsh_remove_default(void)
|
||||
int netlbl_domhsh_remove_default(u32 audit_secid)
|
||||
{
|
||||
return netlbl_domhsh_remove(NULL);
|
||||
return netlbl_domhsh_remove(NULL, audit_secid);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
Reference in New Issue
Block a user