android/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms

Browse Source 
Netlink message processing in the kernel is synchronous these days, the
session information can be collected when needed.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy 2011-03-03 10:55:40 -08:00 committed by David S. Miller
parent 06dc94b1ed
commit c53fa1ed92
7 changed files with 49 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/linux/netlink.h
View File

@ -161,9 +161,6 @@ struct netlink_skb_parms {
__u32 pid; __u32 pid;
__u32 dst_group; __u32 dst_group;
kernel_cap_t eff_cap; kernel_cap_t eff_cap;
__u32 loginuid; /* Login (audit) uid */
__u32 sessionid; /* Session id (audit) */
__u32 sid; /* SELinux security id */
}; };
#define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb)) #define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb))

6
kernel/audit.c
View File

@ -673,9 +673,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
pid = NETLINK_CREDS(skb)->pid; pid = NETLINK_CREDS(skb)->pid;
uid = NETLINK_CREDS(skb)->uid; uid = NETLINK_CREDS(skb)->uid;
loginuid = NETLINK_CB(skb).loginuid; loginuid = audit_get_loginuid(current);
sessionid = NETLINK_CB(skb).sessionid; sessionid = audit_get_sessionid(current);
sid = NETLINK_CB(skb).sid; security_task_getsecid(current, &sid);
seq = nlh->nlmsg_seq; seq = nlh->nlmsg_seq;
data = NLMSG_DATA(nlh); data = NLMSG_DATA(nlh);

10
kernel/auditfilter.c
View File

@ -1238,6 +1238,7 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
for (i = 0; i < rule->field_count; i++) { for (i = 0; i < rule->field_count; i++) {
struct audit_field *f = &rule->fields[i]; struct audit_field *f = &rule->fields[i];
int result = 0; int result = 0;
u32 sid;
switch (f->type) { switch (f->type) {
case AUDIT_PID: case AUDIT_PID:
@ -1250,19 +1251,22 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
result = audit_comparator(cb->creds.gid, f->op, f->val); result = audit_comparator(cb->creds.gid, f->op, f->val);
break; break;
case AUDIT_LOGINUID: case AUDIT_LOGINUID:
result = audit_comparator(cb->loginuid, f->op, f->val); result = audit_comparator(audit_get_loginuid(current),
f->op, f->val);
break; break;
case AUDIT_SUBJ_USER: case AUDIT_SUBJ_USER:
case AUDIT_SUBJ_ROLE: case AUDIT_SUBJ_ROLE:
case AUDIT_SUBJ_TYPE: case AUDIT_SUBJ_TYPE:
case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR: case AUDIT_SUBJ_CLR:
if (f->lsm_rule) if (f->lsm_rule) {
result = security_audit_rule_match(cb->sid, security_task_getsecid(current, &sid);
result = security_audit_rule_match(sid,
f->type, f->type,
f->op, f->op,
f->lsm_rule, f->lsm_rule,
NULL); NULL);
}
break; break;
} }

6
net/netlabel/netlabel_user.h
View File

@ -49,9 +49,9 @@
static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
struct netlbl_audit *audit_info) struct netlbl_audit *audit_info)
{ {
audit_info->secid = NETLINK_CB(skb).sid; security_task_getsecid(current, &audit_info->secid);
audit_info->loginuid = NETLINK_CB(skb).loginuid; audit_info->loginuid = audit_get_loginuid(current);
audit_info->sessionid = NETLINK_CB(skb).sessionid; audit_info->sessionid = audit_get_sessionid(current);
} }
/* NetLabel NETLINK I/O functions */ /* NetLabel NETLINK I/O functions */

3
net/netlink/af_netlink.c
View File

@ -1362,9 +1362,6 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
NETLINK_CB(skb).pid = nlk->pid; NETLINK_CB(skb).pid = nlk->pid;
NETLINK_CB(skb).dst_group = dst_group; NETLINK_CB(skb).dst_group = dst_group;
NETLINK_CB(skb).loginuid = audit_get_loginuid(current);
NETLINK_CB(skb).sessionid = audit_get_sessionid(current);
security_task_getsecid(current, &(NETLINK_CB(skb).sid));
memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred)); memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
/* What can I do? Netlink is asynchronous, so that /* What can I do? Netlink is asynchronous, so that

56
net/xfrm/xfrm_user.c
View File

@ -497,9 +497,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_state *x; struct xfrm_state *x;
int err; int err;
struct km_event c; struct km_event c;
uid_t loginuid = NETLINK_CB(skb).loginuid; uid_t loginuid = audit_get_loginuid(current);
u32 sessionid = NETLINK_CB(skb).sessionid; u32 sessionid = audit_get_sessionid(current);
u32 sid = NETLINK_CB(skb).sid; u32 sid;
err = verify_newsa_info(p, attrs); err = verify_newsa_info(p, attrs);
if (err) if (err)
@ -515,6 +515,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
else else
err = xfrm_state_update(x); err = xfrm_state_update(x);
security_task_getsecid(current, &sid);
xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid); xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
if (err < 0) { if (err < 0) {
@ -575,9 +576,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
int err = -ESRCH; int err = -ESRCH;
struct km_event c; struct km_event c;
struct xfrm_usersa_id *p = nlmsg_data(nlh); struct xfrm_usersa_id *p = nlmsg_data(nlh);
uid_t loginuid = NETLINK_CB(skb).loginuid; uid_t loginuid = audit_get_loginuid(current);
u32 sessionid = NETLINK_CB(skb).sessionid; u32 sessionid = audit_get_sessionid(current);
u32 sid = NETLINK_CB(skb).sid; u32 sid;
x = xfrm_user_state_lookup(net, p, attrs, &err); x = xfrm_user_state_lookup(net, p, attrs, &err);
if (x == NULL) if (x == NULL)
@ -602,6 +603,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
km_state_notify(x, &c); km_state_notify(x, &c);
out: out:
security_task_getsecid(current, &sid);
xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid); xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
xfrm_state_put(x); xfrm_state_put(x);
return err; return err;
@ -1265,9 +1267,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
struct km_event c; struct km_event c;
int err; int err;
int excl; int excl;
uid_t loginuid = NETLINK_CB(skb).loginuid; uid_t loginuid = audit_get_loginuid(current);
u32 sessionid = NETLINK_CB(skb).sessionid; u32 sessionid = audit_get_sessionid(current);
u32 sid = NETLINK_CB(skb).sid; u32 sid;
err = verify_newpolicy_info(p); err = verify_newpolicy_info(p);
if (err) if (err)
@ -1286,6 +1288,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
* a type XFRM_MSG_UPDPOLICY - JHS */ * a type XFRM_MSG_UPDPOLICY - JHS */
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl); err = xfrm_policy_insert(p->dir, xp, excl);
security_task_getsecid(current, &sid);
xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid); xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
if (err) { if (err) {
@ -1522,10 +1525,11 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
NETLINK_CB(skb).pid); NETLINK_CB(skb).pid);
} }
} else { } else {
uid_t loginuid = NETLINK_CB(skb).loginuid; uid_t loginuid = audit_get_loginuid(current);
u32 sessionid = NETLINK_CB(skb).sessionid; u32 sessionid = audit_get_sessionid(current);
u32 sid = NETLINK_CB(skb).sid; u32 sid;
security_task_getsecid(current, &sid);
xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid, xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
sid); sid);
@ -1553,9 +1557,9 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_audit audit_info; struct xfrm_audit audit_info;
int err; int err;
audit_info.loginuid = NETLINK_CB(skb).loginuid; audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = NETLINK_CB(skb).sessionid; audit_info.sessionid = audit_get_sessionid(current);
audit_info.secid = NETLINK_CB(skb).sid; security_task_getsecid(current, &audit_info.secid);
err = xfrm_state_flush(net, p->proto, &audit_info); err = xfrm_state_flush(net, p->proto, &audit_info);
if (err) { if (err) {
if (err == -ESRCH) /* empty table */ if (err == -ESRCH) /* empty table */
@ -1720,9 +1724,9 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
if (err) if (err)
return err; return err;
audit_info.loginuid = NETLINK_CB(skb).loginuid; audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = NETLINK_CB(skb).sessionid; audit_info.sessionid = audit_get_sessionid(current);
audit_info.secid = NETLINK_CB(skb).sid; security_task_getsecid(current, &audit_info.secid);
err = xfrm_policy_flush(net, type, &audit_info); err = xfrm_policy_flush(net, type, &audit_info);
if (err) { if (err) {
if (err == -ESRCH) /* empty table */ if (err == -ESRCH) /* empty table */
@ -1789,9 +1793,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
err = 0; err = 0;
if (up->hard) { if (up->hard) {
uid_t loginuid = NETLINK_CB(skb).loginuid; uid_t loginuid = audit_get_loginuid(current);
uid_t sessionid = NETLINK_CB(skb).sessionid; u32 sessionid = audit_get_sessionid(current);
u32 sid = NETLINK_CB(skb).sid; u32 sid;
security_task_getsecid(current, &sid);
xfrm_policy_delete(xp, p->dir); xfrm_policy_delete(xp, p->dir);
xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid); xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);
@ -1830,9 +1836,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
km_state_expired(x, ue->hard, current->pid); km_state_expired(x, ue->hard, current->pid);
if (ue->hard) { if (ue->hard) {
uid_t loginuid = NETLINK_CB(skb).loginuid; uid_t loginuid = audit_get_loginuid(current);
uid_t sessionid = NETLINK_CB(skb).sessionid; u32 sessionid = audit_get_sessionid(current);
u32 sid = NETLINK_CB(skb).sid; u32 sid;
security_task_getsecid(current, &sid);
__xfrm_state_delete(x); __xfrm_state_delete(x);
xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid); xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
} }

6
security/selinux/hooks.c
View File

@ -4669,6 +4669,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
{ {
int err; int err;
struct common_audit_data ad; struct common_audit_data ad;
u32 sid;
err = cap_netlink_recv(skb, capability); err = cap_netlink_recv(skb, capability);
if (err) if (err)
@ -4677,8 +4678,9 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
COMMON_AUDIT_DATA_INIT(&ad, CAP); COMMON_AUDIT_DATA_INIT(&ad, CAP);
ad.u.cap = capability; ad.u.cap = capability;
return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, security_task_getsecid(current, &sid);
SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
CAP_TO_MASK(capability), &ad);
} }
static int ipc_alloc_security(struct task_struct *task, static int ipc_alloc_security(struct task_struct *task,