On 12/9/19 9:28 PM, Paul Moore wrote:
With CONFIG_AUDIT enabled but CONFIG_SECURITY disabled we run into
a problem where the lockdown reason table is missing. This patch
attempts to fix this by hiding the table behind a lookup function.
Shouldn't lsm_audit.c be conditional on both CONFIG_AUDIT and
CONFIG_SECURITY? When/why would we want it built without
CONFIG_SECURITY enabled?
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
---
include/linux/security.h | 7 +++++++
security/lsm_audit.c | 12 +++++++++---
security/security.c | 5 +++++
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 64b19f050343..295509a809d6 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -447,6 +447,8 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
+const char *security_locked_reasonstr(enum lockdown_reason what);
+
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
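Review bot: The new prototype on line 22 does not state that security_locked_reasonstr() may return NULL, yet the !CONFIG_SECURITY stub added in the next hunk does exactly that, and lsm_audit.c now relies on testing the result. A one-line comment above the declaration would fix the contract for every future caller: `/* Returns the human-readable lockdown reason, or NULL if unknown/unavailable. */`. The declaration also lives in the CONFIG_SECURITY branch of the header, so a caller built without CONFIG_SECURITY sees only the stub and its behaviour is what this comment would document.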
@@ -1274,6 +1276,11 @@ static inline int security_locked_down(enum lockdown_reason what)
{
return 0;
}
+
+static inline const char *security_locked_reasonstr(enum lockdown_reason what)
+{
+ return NULL;
+}
#endif /* CONFIG_SECURITY */
#ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 2d2bf49016f4..519ef6046638 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -426,10 +426,16 @@ static void dump_common_audit_data(struct audit_buffer *ab,
a->u.ibendport->dev_name,
a->u.ibendport->port);
break;
- case LSM_AUDIT_DATA_LOCKDOWN:
- audit_log_format(ab, " lockdown_reason=");
- audit_log_string(ab, lockdown_reasons[a->u.reason]);
+ case LSM_AUDIT_DATA_LOCKDOWN: {
+ const char *str = security_locked_reasonstr(a->u.reason);
+
+ if (str) {
+ audit_log_format(ab, " lockdown_reason=");
+ audit_log_string(ab, str);
+ } else
+ audit_log_format(ab, " lockdown_reason=?");
break;
+ }
} /* switch (a->type) */
}
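Review bot: The new `if (str) { ... } else` on lines 51–55 braces one branch and not the other, which kernel coding style asks to avoid once any branch needs braces; the single-statement else should read `} else {` / `audit_log_format(ab, " lockdown_reason=?");` / `}`. The brace-enclosed case body is fine, but it could be avoided entirely by hoisting `const char *str;` to the top of the function, which the enclosing dump_common_audit_data() (starting outside this hunk) already does for other locals. Note that the fallback prints an unquoted `?` whereas audit_log_string() emits the real reason quoted, so consumers parsing lockdown_reason get two different token shapes; that is a behavioural detail worth a comment if it is intended.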
diff --git a/security/security.c b/security/security.c
index 2b5473d92416..2f228fdbebf5 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2438,6 +2438,11 @@ int security_locked_down(enum lockdown_reason what)
}
EXPORT_SYMBOL(security_locked_down);
+const char *security_locked_reasonstr(enum lockdown_reason what)
+{
+ return lockdown_reasons[what];
+}
+
#ifdef CONFIG_PERF_EVENTS
int security_perf_event_open(struct perf_event_attr *attr, int type)
{
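Review bot: security_locked_reasonstr() on lines 67–70 indexes lockdown_reasons[] with `what` unchecked, so an out-of-range enum value reads past the table; the audit caller was already doing this before the patch, but now that the lookup is a single helper it is the right place to bound it, e.g. `if ((unsigned int)what >= ARRAY_SIZE(lockdown_reasons))` / `return NULL;` before the return, which also gives the new `lockdown_reason=?` fallback in lsm_audit.c a real reason to exist under CONFIG_SECURITY. The function has no kernel-doc block while its neighbour security_locked_down() does; a short comment stating the parameter, the NULL-on-unknown return and that the returned string is static and must not be freed would match the file. If any modular LSM is expected to call it, it also needs an EXPORT_SYMBOL() like security_locked_down() on line 66; for built-in lsm_audit.c alone that is not required.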