From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Reworked patch for labels on user space messages Date: Sat, 1 Apr 2006 10:02:54 -0500 Message-ID: <200604011002.54245.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: redhat-lspp@redhat.com, linux-audit@redhat.com List-Id: linux-audit@redhat.com Hi, The below patch should be applied after the inode and ipc sid patches. This patch is a reworking of Tim's patch that has been updated to match the inode and ipc patches since its similar. Signed-off-by: Steve Grubb diff -urp linux-2.6.16.x86_64.orig/include/linux/netlink.h linux-2.6.16.x86_64/include/linux/netlink.h --- linux-2.6.16.x86_64.orig/include/linux/netlink.h 2006-04-01 08:19:04.000000000 -0500 +++ linux-2.6.16.x86_64/include/linux/netlink.h 2006-04-01 08:00:26.000000000 -0500 @@ -143,6 +143,7 @@ struct netlink_skb_parms __u32 dst_group; kernel_cap_t eff_cap; __u32 loginuid; /* Login (audit) uid */ + __u32 sid; /* SELinux security id */ }; #define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb)) diff -urp linux-2.6.16.x86_64.orig/include/linux/selinux.h linux-2.6.16.x86_64/include/linux/selinux.h --- linux-2.6.16.x86_64.orig/include/linux/selinux.h 2006-04-01 08:19:05.000000000 -0500 +++ linux-2.6.16.x86_64/include/linux/selinux.h 2006-04-01 07:56:15.000000000 -0500 @@ -5,6 +5,7 @@ * * Copyright (C) 2005 Red Hat, Inc., James Morris * Copyright (C) 2006 Trusted Computer Solutions, Inc. + * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, @@ -108,6 +109,16 @@ void selinux_get_inode_sid(const struct */ void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid); +/** + * selinux_get_task_sid - return the SID of task + * @tsk: the task whose SID will be returned + * @sid: pointer to security context ID to be filled in. + * + * Returns nothing + */ +void selinux_get_task_sid(struct task_struct *tsk, u32 *sid); + + #else static inline int selinux_audit_rule_init(u32 field, u32 op, @@ -156,6 +167,11 @@ static inline void selinux_get_ipc_sid(c *sid = 0; } +static inline void selinux_get_task_sid(struct task_struct *tsk, u32 *sid) +{ + *sid = 0; +} + #endif /* CONFIG_SECURITY_SELINUX */ #endif /* _LINUX_SELINUX_H */ diff -urp linux-2.6.16.x86_64.orig/kernel/audit.c linux-2.6.16.x86_64/kernel/audit.c --- linux-2.6.16.x86_64.orig/kernel/audit.c 2006-04-01 08:19:12.000000000 -0500 +++ linux-2.6.16.x86_64/kernel/audit.c 2006-04-01 08:08:55.000000000 -0500 @@ -389,7 +389,7 @@ static int audit_netlink_ok(kernel_cap_t static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) { - u32 uid, pid, seq; + u32 uid, pid, seq, sid; void *data; struct audit_status *status_get, status_set; int err; @@ -415,6 +415,7 @@ static int audit_receive_msg(struct sk_b pid = NETLINK_CREDS(skb)->pid; uid = NETLINK_CREDS(skb)->uid; loginuid = NETLINK_CB(skb).loginuid; + sid = NETLINK_CB(skb).sid; seq = nlh->nlmsg_seq; data = NLMSG_DATA(nlh); @@ -467,8 +468,23 @@ static int audit_receive_msg(struct sk_b ab = audit_log_start(NULL, GFP_KERNEL, msg_type); if (ab) { audit_log_format(ab, - "user pid=%d uid=%u auid=%u msg='%.1024s'", - pid, uid, loginuid, (char *)data); + "user pid=%d uid=%u auid=%u", + pid, uid, loginuid); + if (sid) { + char *ctx = NULL; + u32 len; + if (selinux_ctxid_to_string( + sid, &ctx, &len)) { + audit_log_format(ab, + " subj=%u", sid); + /* Maybe call audit_panic? */ + } else + audit_log_format(ab, + " subj=%s", ctx); + kfree(ctx); + } + audit_log_format(ab, " msg='%.1024s'", + (char *)data); audit_set_pid(ab, pid); audit_log_end(ab); } diff -urp linux-2.6.16.x86_64.orig/net/netlink/af_netlink.c linux-2.6.16.x86_64/net/netlink/af_netlink.c --- linux-2.6.16.x86_64.orig/net/netlink/af_netlink.c 2006-04-01 08:19:13.000000000 -0500 +++ linux-2.6.16.x86_64/net/netlink/af_netlink.c 2006-04-01 08:11:09.000000000 -0500 @@ -56,6 +56,7 @@ #include #include #include +#include #include #include @@ -1122,6 +1123,7 @@ static int netlink_sendmsg(struct kiocb NETLINK_CB(skb).dst_pid = dst_pid; NETLINK_CB(skb).dst_group = dst_group; NETLINK_CB(skb).loginuid = audit_get_loginuid(current->audit_context); + selinux_get_task_sid(current, &(NETLINK_CB(skb).sid)); memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred)); /* What can I do? Netlink is asynchronous, so that diff -urp linux-2.6.16.x86_64.orig/security/selinux/exports.c linux-2.6.16.x86_64/security/selinux/exports.c --- linux-2.6.16.x86_64.orig/security/selinux/exports.c 2006-04-01 08:19:14.000000000 -0500 +++ linux-2.6.16.x86_64/security/selinux/exports.c 2006-04-01 08:18:28.000000000 -0500 @@ -5,6 +5,7 @@ * * Copyright (C) 2005 Red Hat, Inc., James Morris * Copyright (C) 2006 Trusted Computer Solutions, Inc. + * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, @@ -61,3 +62,13 @@ void selinux_get_ipc_sid(const struct ke *sid = 0; } +void selinux_get_task_sid(struct task_struct *tsk, u32 *sid) +{ + if (selinux_enabled) { + struct task_security_struct *isec = tsk->security; + *sid = isec->sid; + return; + } + *sid = 0; +} +