[PATCH 1/2] SELinux Context Label based audit filtering

Darrel Goeddel dgoeddel at trustedcs.com
Fri Feb 17 16:49:14 UTC 2006


Dustin Kirkland wrote:
> 
> Darrel: I realize now that your selinux_audit_rule structure duplicates a 
> little data that it doesn't need to, such as au_op and au_field.  I could
> very easily pass those to you when I call selinux_audit_rule_match.  I think
> that would be a little cleaner.  Just a suggestion.

Sure - I can't remember what I did earlier that made me want my own copy.
I have a few other changes to make. I'll include that change.

> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -59,9 +59,10 @@ struct audit_watch {
>  };
>  
>  struct audit_field {
> -	u32			type;
> -	u32			val;
> -	u32			op;
> +	u32				type;
> +	u32				val;
> +	u32				op;
> +	struct selinux_audit_rule	*se_rule;
>  };
>  
>  struct audit_krule {
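Review bot: The new `se_rule` member of struct audit_field is added without a comment saying what it holds or who owns it, and nothing in this hunk shows where it is allocated or released, so a reader of audit.h cannot tell whether freeing the rule also has to free `se_rule`. A one-line comment on the member, e.g. `/* SELinux match state for AUDIT_SE_* fields; owned by the rule */`, would pin that down — adjust the ownership wording to whatever the rule-free path actually does, since that path is not visible here. The surrounding struct audit_field is complete in the hunk; struct audit_krule continues outside it.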

This will require that <linux/selinux.h> be included before "audit.h".
Maybe just include selinux.h from this file to get the structure
declaration.

> @@ -58,6 +58,7 @@
>  #include <linux/security.h>
>  #include <linux/list.h>
>  #include <linux/tty.h>
> +#include <linux/selinux.h>
>  
>  #include "audit.h"
>  
> @@ -165,7 +166,8 @@ struct audit_context {
>  static int audit_filter_rules(struct task_struct *tsk,
>  			      struct audit_krule *rule,
>  			      struct audit_context *ctx,
> -			      enum audit_state *state)
> +			      enum audit_state *state,
> +			      u32 sid)
>  {
>  	int i, j;
>  

The sid can be obtained from tsk within this function to avoid modifying the
callers to get the sid and pass it in.

> @@ -258,6 +260,13 @@ static int audit_filter_rules(struct tas
>  			if (ctx)
>  				result = audit_comparator(ctx->loginuid, f->op, f->val);
>  			break;
> +		case AUDIT_SE_USER:
> +		case AUDIT_SE_ROLE:
> +		case AUDIT_SE_TYPE:
> +		case AUDIT_SE_SEN:
> +		case AUDIT_SE_CLR:
> +			result = selinux_audit_rule_match(sid, f->se_rule);
> +			break;
>  		case AUDIT_ARG0:
>  		case AUDIT_ARG1:
>  		case AUDIT_ARG2:
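Review bot: `result = selinux_audit_rule_match(sid, f->se_rule);` hands `f->se_rule` to the callee with no check that it is set; the hunk does not show how `se_rule` gets populated, so if a rule of these field types can exist with a NULL `se_rule` (for instance one built while no policy was loaded), this is a NULL dereference in the callee unless selinux_audit_rule_match is documented to tolerate it. Either guard the call, `if (f->se_rule) result = selinux_audit_rule_match(sid, f->se_rule);`, with an explicit decision on what a missing rule means for `result`, or state at the struct audit_field declaration that `se_rule` is always non-NULL for the AUDIT_SE_* field types so the invariant is checked at rule-creation time instead. audit_filter_rules starts and ends outside this hunk.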

What about the error (result < 0) cases here?  For this to error, something
pretty bad has happened (a sid couldn't be mapped or an atomic memory allocation
failed).  That being said, do we want to go all out and audit_panic?

> @@ -286,10 +295,13 @@ static enum audit_state audit_filter_tas
>  {
>  	struct audit_entry *e;
>  	enum audit_state   state;
> +	u32 sid;
> +
> +	selinux_task_ctxid(tsk, &sid);
>  
>  	rcu_read_lock();
>  	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_TASK], list) {
> -		if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
> +		if (audit_filter_rules(tsk, &e->rule, NULL, &state, sid)) {
>  			rcu_read_unlock();
>  			return state;
>  		}
> @@ -309,6 +321,9 @@ static enum audit_state audit_filter_sys
>  {
>  	struct audit_entry *e;
>  	enum audit_state state;
> +	u32 sid;
> +
> +	selinux_task_ctxid(tsk, &sid);
>  
>  	if (audit_pid && tsk->tgid == audit_pid)
>  		return AUDIT_DISABLED;
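Review bot: If the `sid` parameter is kept at all, the `selinux_task_ctxid(tsk, &sid);` call in audit_filter_syscall is placed above the `audit_pid && tsk->tgid == audit_pid` early return, so the context lookup is done and then thrown away for every call from the audit daemon itself. Moving the two added lines below that `return AUDIT_DISABLED;` keeps the fast path free of the lookup; the same ordering question does not arise in audit_filter_task, which has no early return before the list walk. The rest of audit_filter_syscall is outside this hunk.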
> @@ -320,7 +335,8 @@ static enum audit_state audit_filter_sys
>  
>  		list_for_each_entry_rcu(e, list, list) {
>  			if ((e->rule.mask[word] & bit) == bit
> -					&& audit_filter_rules(tsk, &e->rule, ctx, &state)) {
> +					&& audit_filter_rules(tsk, &e->rule, 
> +							ctx, &state, sid)) {
>  				rcu_read_unlock();
>  				return state;
>  			}
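Review bot: The wrapped call `&& audit_filter_rules(tsk, &e->rule, ` carries trailing whitespace after the comma, which checkpatch flags and which will show up as noise in later diffs of this line. Drop the trailing space when re-spinning, e.g. `&& audit_filter_rules(tsk, &e->rule,` followed by the `ctx, &state, sid)) {` continuation. The enclosing loop and function continue outside this hunk.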
> 
> 

These are the changes that can go away if audit_filter_rules gets the sid.

-- 

Darrel



