Re: Reworked patch for labels on user space messages

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: "Timothy R. Chavez" <tinytim@us.ibm.com>
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com
Subject: Re: Reworked patch for labels on user space messages
Date: Mon, 3 Apr 2006 09:08:13 -0400	[thread overview]
Message-ID: <200604030908.13813.sgrubb@redhat.com> (raw)
In-Reply-To: <1144045500.26109.7.camel@localhost.localdomain>

On Monday 03 April 2006 02:25, Timothy R. Chavez wrote:
> On Sat, 2006-04-01 at 10:02 -0500, Steve Grubb wrote:
> > The below patch should be applied after the inode and ipc sid patches.
> > This patch is a reworking of Tim's patch that has been updated to match
> > the inode and ipc patches since its similar.
>
> Hey thanks for doing this.  I have just one comment below.
>
> +     __u32                   sid;            /* SELinux security id */
>
> I think we agreed not to call this 'sid' as that has another meaning
> (namely "session id") outside of SELinux.

Yeah...right...updated patch below.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>


diff -urp linux-2.6.16.x86_64.orig/include/linux/netlink.h linux-2.6.16.x86_64/include/linux/netlink.h
--- linux-2.6.16.x86_64.orig/include/linux/netlink.h	2006-04-01 08:19:04.000000000 -0500
+++ linux-2.6.16.x86_64/include/linux/netlink.h	2006-04-01 08:00:26.000000000 -0500
@@ -143,6 +143,7 @@ struct netlink_skb_parms
 	__u32			dst_group;
 	kernel_cap_t		eff_cap;
 	__u32			loginuid;	/* Login (audit) uid */
+	__u32			secid;		/* SELinux security id */
 };
 
 #define NETLINK_CB(skb)		(*(struct netlink_skb_parms*)&((skb)->cb))
diff -urp linux-2.6.16.x86_64.orig/include/linux/selinux.h linux-2.6.16.x86_64/include/linux/selinux.h
--- linux-2.6.16.x86_64.orig/include/linux/selinux.h	2006-04-01 08:19:05.000000000 -0500
+++ linux-2.6.16.x86_64/include/linux/selinux.h	2006-04-01 07:56:15.000000000 -0500
@@ -5,6 +5,7 @@
  *
  * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
  * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2,
@@ -108,6 +109,16 @@ void selinux_get_inode_sid(const struct 
  */
 void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid);
 
+/**
+ *     selinux_get_task_sid - return the SID of task
+ *     @tsk: the task whose SID will be returned
+ *     @sid: pointer to security context ID to be filled in.
+ *
+ *     Returns nothing
+ */
+void selinux_get_task_sid(struct task_struct *tsk, u32 *sid);
+
+
 #else
 
 static inline int selinux_audit_rule_init(u32 field, u32 op,
@@ -156,6 +167,11 @@ static inline void selinux_get_ipc_sid(c
 	*sid = 0;
 }
 
+static inline void selinux_get_task_sid(struct task_struct *tsk, u32 *sid)
+{
+	*sid = 0;
+}
+
 #endif	/* CONFIG_SECURITY_SELINUX */
 
 #endif /* _LINUX_SELINUX_H */
diff -urp linux-2.6.16.x86_64.orig/kernel/audit.c linux-2.6.16.x86_64/kernel/audit.c
--- linux-2.6.16.x86_64.orig/kernel/audit.c	2006-04-01 08:19:12.000000000 -0500
+++ linux-2.6.16.x86_64/kernel/audit.c	2006-04-01 08:08:55.000000000 -0500
@@ -389,7 +389,7 @@ static int audit_netlink_ok(kernel_cap_t
 
 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 {
-	u32			uid, pid, seq;
+	u32			uid, pid, seq, sid;
 	void			*data;
 	struct audit_status	*status_get, status_set;
 	int			err;
@@ -415,6 +415,7 @@ static int audit_receive_msg(struct sk_b
 	pid  = NETLINK_CREDS(skb)->pid;
 	uid  = NETLINK_CREDS(skb)->uid;
 	loginuid = NETLINK_CB(skb).loginuid;
+	sid  = NETLINK_CB(skb).secid;
 	seq  = nlh->nlmsg_seq;
 	data = NLMSG_DATA(nlh);
 
@@ -467,8 +468,23 @@ static int audit_receive_msg(struct sk_b
 			ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
 			if (ab) {
 				audit_log_format(ab,
-						 "user pid=%d uid=%u auid=%u msg='%.1024s'",
-						 pid, uid, loginuid, (char *)data);
+						 "user pid=%d uid=%u auid=%u",
+						 pid, uid, loginuid);
+				if (sid) {
+					char *ctx = NULL;
+					u32 len;
+					if (selinux_ctxid_to_string(
+							sid, &ctx, &len)) {
+						audit_log_format(ab, 
+							" subj=%u", sid);
+						/* Maybe call audit_panic? */
+					} else
+						audit_log_format(ab, 
+							" subj=%s", ctx);
+					kfree(ctx);
+				}
+				audit_log_format(ab, " msg='%.1024s'",
+					 (char *)data);
 				audit_set_pid(ab, pid);
 				audit_log_end(ab);
 			}
diff -urp linux-2.6.16.x86_64.orig/net/netlink/af_netlink.c linux-2.6.16.x86_64/net/netlink/af_netlink.c
--- linux-2.6.16.x86_64.orig/net/netlink/af_netlink.c	2006-04-01 08:19:13.000000000 -0500
+++ linux-2.6.16.x86_64/net/netlink/af_netlink.c	2006-04-01 08:11:09.000000000 -0500
@@ -56,6 +56,7 @@
 #include <linux/mm.h>
 #include <linux/types.h>
 #include <linux/audit.h>
+#include <linux/selinux.h>
 
 #include <net/sock.h>
 #include <net/scm.h>
@@ -1122,6 +1123,7 @@ static int netlink_sendmsg(struct kiocb 
 	NETLINK_CB(skb).dst_pid = dst_pid;
 	NETLINK_CB(skb).dst_group = dst_group;
 	NETLINK_CB(skb).loginuid = audit_get_loginuid(current->audit_context);
+	selinux_get_task_sid(current, &(NETLINK_CB(skb).secid));
 	memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
 
 	/* What can I do? Netlink is asynchronous, so that
diff -urp linux-2.6.16.x86_64.orig/security/selinux/exports.c linux-2.6.16.x86_64/security/selinux/exports.c
--- linux-2.6.16.x86_64.orig/security/selinux/exports.c	2006-04-01 08:19:14.000000000 -0500
+++ linux-2.6.16.x86_64/security/selinux/exports.c	2006-04-01 08:18:28.000000000 -0500
@@ -5,6 +5,7 @@
  *
  * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
  * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2,
@@ -61,3 +62,13 @@ void selinux_get_ipc_sid(const struct ke
 	*sid = 0;
 }
 
+void selinux_get_task_sid(struct task_struct *tsk, u32 *sid)
+{
+	if (selinux_enabled) {
+		struct task_security_struct *isec = tsk->security;
+		*sid = isec->sid;
+		return;
+	}
+	*sid = 0;
+}
+

     prev parent reply	other threads:[~2006-04-03 13:08 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-04-01 15:02 Reworked patch for labels on user space messages Steve Grubb
2006-04-03  6:25 ` Timothy R. Chavez
2006-04-03 13:08   ` Steve Grubb [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200604030908.13813.sgrubb@redhat.com \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=redhat-lspp@redhat.com \
    --cc=tinytim@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.