audit: change context data from secid to lsm_prop
authorCasey Schaufler <casey@schaufler-ca.com>
Wed, 9 Oct 2024 17:32:19 +0000 (10:32 -0700)
committerPaul Moore <paul@paul-moore.com>
Fri, 11 Oct 2024 18:34:16 +0000 (14:34 -0400)
Change the LSM data stored in the audit transactions from a secid
to an LSM prop. This is done in struct audit_context and struct
audit_aux_data_pids. Several cases of scaffolding can be removed.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subj line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
kernel/audit.h
kernel/auditfilter.c
kernel/auditsc.c

index 8e6f886a83a4af79aee11e7ced0f61c7d1311fb2..0211cb307d3028f805fa130bcd68331b5d64c62c 100644 (file)
@@ -144,7 +144,7 @@ struct audit_context {
        kuid_t              target_auid;
        kuid_t              target_uid;
        unsigned int        target_sessionid;
-       u32                 target_sid;
+       struct lsm_prop     target_ref;
        char                target_comm[TASK_COMM_LEN];
 
        struct audit_tree_refs *trees, *first_trees;
index a7de3dabe6e16aac434c8fee5496285a4a1a9f7d..bceb9f58a09ee709217ab082c2eddf9da15e0adc 100644 (file)
@@ -1370,7 +1370,6 @@ int audit_filter(int msgtype, unsigned int listtype)
                        case AUDIT_SUBJ_SEN:
                        case AUDIT_SUBJ_CLR:
                                if (f->lsm_rule) {
-                                       /* scaffolding */
                                        security_current_getlsmprop_subj(&prop);
                                        result = security_audit_rule_match(
                                                   &prop, f->type, f->op,
index 53fbd2e5d93441cc92ef242eea89abf0039e6118..f28fd513d047d0fe7dbfc85a492031c8ee2fbbc1 100644 (file)
@@ -100,7 +100,7 @@ struct audit_aux_data_pids {
        kuid_t                  target_auid[AUDIT_AUX_PIDS];
        kuid_t                  target_uid[AUDIT_AUX_PIDS];
        unsigned int            target_sessionid[AUDIT_AUX_PIDS];
-       u32                     target_sid[AUDIT_AUX_PIDS];
+       struct lsm_prop         target_ref[AUDIT_AUX_PIDS];
        char                    target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
        int                     pid_count;
 };
@@ -1019,7 +1019,7 @@ static void audit_reset_context(struct audit_context *ctx)
        ctx->target_pid = 0;
        ctx->target_auid = ctx->target_uid = KUIDT_INIT(0);
        ctx->target_sessionid = 0;
-       ctx->target_sid = 0;
+       lsmprop_init(&ctx->target_ref);
        ctx->target_comm[0] = '\0';
        unroll_tree_refs(ctx, NULL, 0);
        WARN_ON(!list_empty(&ctx->killed_trees));
@@ -1093,8 +1093,9 @@ static inline void audit_free_context(struct audit_context *context)
 }
 
 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
-                                kuid_t auid, kuid_t uid, unsigned int sessionid,
-                                u32 sid, char *comm)
+                                kuid_t auid, kuid_t uid,
+                                unsigned int sessionid, struct lsm_prop *prop,
+                                char *comm)
 {
        struct audit_buffer *ab;
        char *ctx = NULL;
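Review bot: The new `prop` parameter of audit_log_pid_context() is only read inside the function (lsmprop_is_set() and security_lsmprop_to_secctx() in the next hunk), so `const struct lsm_prop *prop` would document that the callee never modifies or retains the caller's context field, provided those two helpers accept a const pointer; their prototypes are not visible here. The function also still carries no header comment while its contract is now less obvious than with a bare u32; something like `/* Log the opid=/oauid=/ouid=/oses=/obj= fields for a target task. prop is borrowed from the caller's audit_context and not retained. Returns non-zero when the record could not be completed (callers escalate via call_panic). */` would help. The body of audit_log_pid_context() continues past the end of this hunk.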
@@ -1108,8 +1109,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
        audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
                         from_kuid(&init_user_ns, auid),
                         from_kuid(&init_user_ns, uid), sessionid);
-       if (sid) {
-               if (security_secid_to_secctx(sid, &ctx, &len)) {
+       if (lsmprop_is_set(prop)) {
+               if (security_lsmprop_to_secctx(prop, &ctx, &len)) {
                        audit_log_format(ab, " obj=(none)");
                        rc = 1;
                } else {
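Review bot: The guard at the top of this hunk changes what triggers the obj= field: the old `if (sid)` keyed off a single secid, whereas `lsmprop_is_set(prop)` presumably fires when any LSM slot in the prop is populated, so in a stacked configuration a task labelled only by a secondary LSM may now produce an obj= (or `obj=(none)` plus rc = 1 when conversion fails) where it previously produced nothing. I cannot see lsmprop_is_set() here, so this is inferred from its name; if it is the intended behaviour, a one-line comment such as `/* obj= is emitted whenever any LSM supplied a label for the target */` above the `if` would make the change in log shape deliberate for anyone parsing these records. The `else` branch and the secctx release belong to the part of the function outside this hunk.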
@@ -1778,7 +1779,7 @@ static void audit_log_exit(void)
                                                  axs->target_auid[i],
                                                  axs->target_uid[i],
                                                  axs->target_sessionid[i],
-                                                 axs->target_sid[i],
+                                                 &axs->target_ref[i],
                                                  axs->target_comm[i]))
                                call_panic = 1;
        }
@@ -1787,7 +1788,7 @@ static void audit_log_exit(void)
            audit_log_pid_context(context, context->target_pid,
                                  context->target_auid, context->target_uid,
                                  context->target_sessionid,
-                                 context->target_sid, context->target_comm))
+                                 &context->target_ref, context->target_comm))
                        call_panic = 1;
 
        if (context->pwd.dentry && context->pwd.mnt) {
@@ -2722,15 +2723,12 @@ int __audit_sockaddr(int len, void *a)
 void __audit_ptrace(struct task_struct *t)
 {
        struct audit_context *context = audit_context();
-       struct lsm_prop prop;
 
        context->target_pid = task_tgid_nr(t);
        context->target_auid = audit_get_loginuid(t);
        context->target_uid = task_uid(t);
        context->target_sessionid = audit_get_sessionid(t);
-       security_task_getlsmprop_obj(t, &prop);
-       /* scaffolding */
-       context->target_sid = prop.scaffold.secid;
+       security_task_getlsmprop_obj(t, &context->target_ref);
        memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
 }
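Review bot: __audit_ptrace() now lets security_task_getlsmprop_obj() write straight into context->target_ref, so complete initialisation of the field depends on that hook clearing every member before the per-LSM callbacks run; audit_reset_context() re-initialises target_ref with lsmprop_init() in an earlier hunk (L52), which appears to cover reuse across syscalls, but it is worth confirming for LSMs that do not implement the hook. The same direct-store pattern appears in audit_signal_info_syscall() at L129 and L140, so one check covers all three. A brief comment on the store, `/* target_ref is fully (re)written by the LSM hook; it is cleared by audit_reset_context() between syscalls */`, would record the assumption.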
 
@@ -2746,7 +2744,6 @@ int audit_signal_info_syscall(struct task_struct *t)
        struct audit_aux_data_pids *axp;
        struct audit_context *ctx = audit_context();
        kuid_t t_uid = task_uid(t);
-       struct lsm_prop prop;
 
        if (!audit_signals || audit_dummy_context())
                return 0;
@@ -2758,9 +2755,7 @@ int audit_signal_info_syscall(struct task_struct *t)
                ctx->target_auid = audit_get_loginuid(t);
                ctx->target_uid = t_uid;
                ctx->target_sessionid = audit_get_sessionid(t);
-               security_task_getlsmprop_obj(t, &prop);
-               /* scaffolding */
-               ctx->target_sid = prop.scaffold.secid;
+               security_task_getlsmprop_obj(t, &ctx->target_ref);
                memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
                return 0;
        }
@@ -2781,9 +2776,7 @@ int audit_signal_info_syscall(struct task_struct *t)
        axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
        axp->target_uid[axp->pid_count] = t_uid;
        axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
-       security_task_getlsmprop_obj(t, &prop);
-       /* scaffolding */
-       axp->target_sid[axp->pid_count] = prop.scaffold.secid;
+       security_task_getlsmprop_obj(t, &axp->target_ref[axp->pid_count]);
        memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
        axp->pid_count++;