SELinux: delay initialization of audit data in selinux_inode_permission

[~andy/linux] / security / selinux / include / avc.h

diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 1931370233d7b2123dad2947c930c0ecb9722ac5..e4e50bb218ee42f81b2e3583bae85d293f976067 100644 (file)
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -77,11 +77,83 @@ struct selinux_audit_data {
 
 void __init avc_init(void);
 
-int avc_audit(u32 ssid, u32 tsid,
-              u16 tclass, u32 requested,
-              struct av_decision *avd,
-              int result,
-             struct common_audit_data *a, unsigned flags);
+static inline u32 avc_audit_required(u32 requested,
+                             struct av_decision *avd,
+                             int result,
+                             u32 auditdeny,
+                             u32 *deniedp)
+{
+       u32 denied, audited;
+       denied = requested & ~avd->allowed;
+       if (unlikely(denied)) {
+               audited = denied & avd->auditdeny;
+               /*
+                * auditdeny is TRICKY!  Setting a bit in
+                * this field means that ANY denials should NOT be audited if
+                * the policy contains an explicit dontaudit rule for that
+                * permission.  Take notice that this is unrelated to the
+                * actual permissions that were denied.  As an example lets
+                * assume:
+                *
+                * denied == READ
+                * avd.auditdeny & ACCESS == 0 (not set means explicit rule)
+                * auditdeny & ACCESS == 1
+                *
+                * We will NOT audit the denial even though the denied
+                * permission was READ and the auditdeny checks were for
+                * ACCESS
+                */
+               if (auditdeny && !(auditdeny & avd->auditdeny))
+                       audited = 0;
+       } else if (result)
+               audited = denied = requested;
+       else
+               audited = requested & avd->auditallow;
+       *deniedp = denied;
+       return audited;
+}
+
+int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
+                  u32 requested, u32 audited, u32 denied,
+                  struct common_audit_data *a,
+                  unsigned flags);
+
+/**
+ * avc_audit - Audit the granting or denial of permissions.
+ * @ssid: source security identifier
+ * @tsid: target security identifier
+ * @tclass: target security class
+ * @requested: requested permissions
+ * @avd: access vector decisions
+ * @result: result from avc_has_perm_noaudit
+ * @a:  auxiliary audit data
+ * @flags: VFS walk flags
+ *
+ * Audit the granting or denial of permissions in accordance
+ * with the policy.  This function is typically called by
+ * avc_has_perm() after a permission check, but can also be
+ * called directly by callers who use avc_has_perm_noaudit()
+ * in order to separate the permission check from the auditing.
+ * For example, this separation is useful when the permission check must
+ * be performed under a lock, to allow the lock to be released
+ * before calling the auditing code.
+ */
+static inline int avc_audit(u32 ssid, u32 tsid,
+                           u16 tclass, u32 requested,
+                           struct av_decision *avd,
+                           int result,
+                           struct common_audit_data *a, unsigned flags)
+{
+       u32 audited, denied;
+       audited = avc_audit_required(requested, avd, result,
+                                    a ? a->selinux_audit_data->auditdeny : 0,
+                                    &denied);
+       if (likely(!audited))
+               return 0;
+       return slow_avc_audit(ssid, tsid, tclass,
+                             requested, audited, denied,
+                             a, flags);
+}
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,