u32 av = CAP_TO_MASK(cap);
int rc;
- COMMON_AUDIT_DATA_INIT(&ad, CAP);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_CAP);
ad.selinux_audit_data = &sad;
- ad.tsk = current;
ad.u.cap = cap;
switch (CAP_TO_INDEX(cap)) {
struct common_audit_data ad;
struct selinux_audit_data sad = {0,};
- COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_DENTRY);
ad.u.dentry = dentry;
ad.selinux_audit_data = &sad;
return inode_has_perm(cred, inode, av, &ad, 0);
struct common_audit_data ad;
struct selinux_audit_data sad = {0,};
- COMMON_AUDIT_DATA_INIT(&ad, PATH);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_PATH);
ad.u.path = *path;
ad.selinux_audit_data = &sad;
return inode_has_perm(cred, inode, av, &ad, 0);
u32 sid = cred_sid(cred);
int rc;
- COMMON_AUDIT_DATA_INIT(&ad, PATH);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_PATH);
ad.u.path = file->f_path;
ad.selinux_audit_data = &sad;
sid = tsec->sid;
newsid = tsec->create_sid;
- COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_DENTRY);
ad.u.dentry = dentry;
ad.selinux_audit_data = &sad;
dsec = dir->i_security;
isec = dentry->d_inode->i_security;
- COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_DENTRY);
ad.u.dentry = dentry;
ad.selinux_audit_data = &sad;
old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
new_dsec = new_dir->i_security;
- COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_DENTRY);
ad.selinux_audit_data = &sad;
ad.u.dentry = old_dentry;
return rc;
}
- COMMON_AUDIT_DATA_INIT(&ad, PATH);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_PATH);
ad.selinux_audit_data = &sad;
ad.u.path = bprm->file->f_path;
/* Revalidate access to inherited open files. */
- COMMON_AUDIT_DATA_INIT(&ad, INODE);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_INODE);
ad.selinux_audit_data = &sad;
spin_lock(&files->file_lock);
if (flags & MS_KERNMOUNT)
return 0;
- COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_DENTRY);
ad.selinux_audit_data = &sad;
ad.u.dentry = sb->s_root;
return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
struct common_audit_data ad;
struct selinux_audit_data sad = {0,};
- COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_DENTRY);
ad.selinux_audit_data = &sad;
ad.u.dentry = dentry->d_sb->s_root;
return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
return dentry_has_perm(cred, dentry, FILE__READ);
}
-static int selinux_inode_permission(struct inode *inode, int mask)
+static noinline int audit_inode_permission(struct inode *inode,
+ u32 perms, u32 audited, u32 denied,
+ unsigned flags)
{
- const struct cred *cred = current_cred();
struct common_audit_data ad;
struct selinux_audit_data sad = {0,};
+ struct inode_security_struct *isec = inode->i_security;
+ int rc;
+
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_INODE);
+ ad.selinux_audit_data = &sad;
+ ad.u.inode = inode;
+
+ rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
+ audited, denied, &ad, flags);
+ if (rc)
+ return rc;
+ return 0;
+}
+
+static int selinux_inode_permission(struct inode *inode, int mask)
+{
+ const struct cred *cred = current_cred();
u32 perms;
bool from_access;
unsigned flags = mask & MAY_NOT_BLOCK;
if (likely(!audited))
return rc;
- COMMON_AUDIT_DATA_INIT(&ad, INODE);
- ad.selinux_audit_data = &sad;
- ad.u.inode = inode;
-
- if (from_access)
- ad.selinux_audit_data->auditdeny |= FILE__AUDIT_ACCESS;
-
- rc2 = slow_avc_audit(sid, isec->sid, isec->sclass, perms,
- audited, denied, &ad, flags);
+ rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
if (rc2)
return rc2;
return rc;
if (!inode_owner_or_capable(inode))
return -EPERM;
- COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_DENTRY);
ad.selinux_audit_data = &sad;
ad.u.dentry = dentry;
sid = task_sid(current);
- COMMON_AUDIT_DATA_INIT(&ad, KMOD);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_KMOD);
ad.selinux_audit_data = &sad;
ad.u.kmod_name = kmod_name;
if (sksec->sid == SECINITSID_KERNEL)
return 0;
- COMMON_AUDIT_DATA_INIT(&ad, NET);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_NET);
ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->sk = sk;
snum, &sid);
if (err)
goto out;
- COMMON_AUDIT_DATA_INIT(&ad, NET);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_NET);
ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->sport = htons(snum);
if (err)
goto out;
- COMMON_AUDIT_DATA_INIT(&ad, NET);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_NET);
ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->sport = htons(snum);
perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
- COMMON_AUDIT_DATA_INIT(&ad, NET);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_NET);
ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->dport = htons(snum);
struct lsm_network_audit net = {0,};
int err;
- COMMON_AUDIT_DATA_INIT(&ad, NET);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_NET);
ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->sk = other;
struct selinux_audit_data sad = {0,};
struct lsm_network_audit net = {0,};
- COMMON_AUDIT_DATA_INIT(&ad, NET);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_NET);
ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->sk = other->sk;
struct lsm_network_audit net = {0,};
char *addrp;
- COMMON_AUDIT_DATA_INIT(&ad, NET);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_NET);
ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->netif = skb->skb_iif;
if (!secmark_active && !peerlbl_active)
return 0;
- COMMON_AUDIT_DATA_INIT(&ad, NET);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_NET);
ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->netif = skb->skb_iif;
if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
return NF_DROP;
- COMMON_AUDIT_DATA_INIT(&ad, NET);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_NET);
ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->netif = ifindex;
return NF_ACCEPT;
sksec = sk->sk_security;
- COMMON_AUDIT_DATA_INIT(&ad, NET);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_NET);
ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->netif = ifindex;
secmark_perm = PACKET__SEND;
}
- COMMON_AUDIT_DATA_INIT(&ad, NET);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_NET);
ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->netif = ifindex;
isec = ipc_perms->security;
- COMMON_AUDIT_DATA_INIT(&ad, IPC);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_IPC);
ad.selinux_audit_data = &sad;
ad.u.ipc_id = ipc_perms->key;
isec = msq->q_perm.security;
- COMMON_AUDIT_DATA_INIT(&ad, IPC);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_IPC);
ad.selinux_audit_data = &sad;
ad.u.ipc_id = msq->q_perm.key;
isec = msq->q_perm.security;
- COMMON_AUDIT_DATA_INIT(&ad, IPC);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_IPC);
ad.selinux_audit_data = &sad;
ad.u.ipc_id = msq->q_perm.key;
return rc;
}
- COMMON_AUDIT_DATA_INIT(&ad, IPC);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_IPC);
ad.selinux_audit_data = &sad;
ad.u.ipc_id = msq->q_perm.key;
isec = msq->q_perm.security;
msec = msg->security;
- COMMON_AUDIT_DATA_INIT(&ad, IPC);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_IPC);
ad.selinux_audit_data = &sad;
ad.u.ipc_id = msq->q_perm.key;
isec = shp->shm_perm.security;
- COMMON_AUDIT_DATA_INIT(&ad, IPC);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_IPC);
ad.selinux_audit_data = &sad;
ad.u.ipc_id = shp->shm_perm.key;
isec = shp->shm_perm.security;
- COMMON_AUDIT_DATA_INIT(&ad, IPC);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_IPC);
ad.selinux_audit_data = &sad;
ad.u.ipc_id = shp->shm_perm.key;
isec = sma->sem_perm.security;
- COMMON_AUDIT_DATA_INIT(&ad, IPC);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_IPC);
ad.selinux_audit_data = &sad;
ad.u.ipc_id = sma->sem_perm.key;
isec = sma->sem_perm.security;
- COMMON_AUDIT_DATA_INIT(&ad, IPC);
+ COMMON_AUDIT_DATA_INIT(&ad, LSM_AUDIT_DATA_IPC);
ad.selinux_audit_data = &sad;
ad.u.ipc_id = sma->sem_perm.key;