Refactor audit_log_task_context(), creating a new audit_log_subject_context(). This is used in netlabel auditing to provide multiple subject security contexts as necessary. Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> --- include/linux/audit.h | 7 +++++++ kernel/audit.c | 26 ++++++++++++++++---------- net/netlabel/netlabel_user.c | 7 +------ 3 files changed, 24 insertions(+), 16 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index a7226989d77e..de661c571401 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -190,6 +190,8 @@ extern void audit_log_path_denied(int type, const char *operation); extern void audit_log_lost(const char *message); +extern int audit_log_subject_context(struct audit_buffer *ab, + struct lsmblob *blob); extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab); @@ -250,6 +252,11 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) { } static inline void audit_log_path_denied(int type, const char *operation) { } +static inline int audit_log_subject_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ + return 0; +} static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; diff --git a/kernel/audit.c b/kernel/audit.c index 2333d7f59285..4ec86d696753 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2226,20 +2226,17 @@ static void audit_buffer_aux_end(struct audit_buffer *ab) ab->skb = skb_peek(&ab->skb_list); } -int audit_log_task_context(struct audit_buffer *ab) +int audit_log_subject_context(struct audit_buffer *ab, struct lsmblob *blob) { int i; int error; - struct lsmblob blob; struct lsmcontext context; - security_current_getsecid_subj(&blob); - if (!lsmblob_is_set(&blob)) + if (!lsmblob_is_set(blob)) return 0; if (!lsm_multiple_contexts()) { - error = security_secid_to_secctx(&blob, &context, - LSMBLOB_FIRST); + error = security_secid_to_secctx(blob, &context, LSMBLOB_FIRST); if (error) { if (error != -EINVAL) goto error_path; @@ -2254,15 +2251,15 @@ int audit_log_task_context(struct audit_buffer *ab) if (error) goto error_path; for (i = 0; i < LSMBLOB_ENTRIES; i++) { - if (blob.secid[i] == 0) + if (blob->secid[i] == 0) continue; - error = security_secid_to_secctx(&blob, &context, i); + error = security_secid_to_secctx(blob, &context, i); if (error) { audit_log_format(ab, "%ssubj_%s=?", i ? " " : "", lsm_slot_to_name(i)); if (error != -EINVAL) - audit_panic("error in audit_log_task_context"); + audit_panic("error in audit_log_subject_context"); } else { audit_log_format(ab, "%ssubj_%s=%s", i ? " " : "", @@ -2277,9 +2274,18 @@ int audit_log_task_context(struct audit_buffer *ab) return 0; error_path: - audit_panic("error in audit_log_task_context"); + audit_panic("error in audit_log_subject_context"); return error; } +EXPORT_SYMBOL(audit_log_subject_context); + +int audit_log_task_context(struct audit_buffer *ab) +{ + struct lsmblob blob; + + security_current_getsecid_subj(&blob); + return audit_log_subject_context(ab, &blob); +} EXPORT_SYMBOL(audit_log_task_context); void audit_log_d_path_exe(struct audit_buffer *ab, diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 1941877fd16f..42812bdfc31a 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,7 +84,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; - struct lsmcontext context; struct lsmblob blob; if (audit_enabled == AUDIT_OFF) @@ -99,11 +98,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); lsmblob_init(&blob, audit_info->secid); - if (audit_info->secid != 0 && - security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST) == 0) { - audit_log_format(audit_buf, " subj=%s", context.context); - security_release_secctx(&context); - } + audit_log_subject_context(audit_buf, &blob); return audit_buf; } -- 2.35.1