Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
diff --git
a/kernel/auditfilter.c
b/kernel/auditfilter.c
index 28fef6bf85348ea0e363a9ecfc1b362df817656e..0e0bd27e65129ec94e087753ba398c42f92acc7e 100644
--- a/
kernel/auditfilter.c
+++ b/
kernel/auditfilter.c
@@
-89,14
+89,9
@@
struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
DEFINE_MUTEX(audit_filter_mutex);
DEFINE_MUTEX(audit_filter_mutex);
-/* Inotify handle */
-extern struct inotify_handle *audit_ih;
-
/* Inotify events we care about. */
#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
/* Inotify events we care about. */
#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
-extern int audit_enabled;
-
void audit_free_parent(struct inotify_watch *i_watch)
{
struct audit_parent *parent;
void audit_free_parent(struct inotify_watch *i_watch)
{
struct audit_parent *parent;
@@
-272,7
+267,7
@@
static int audit_to_watch(struct audit_krule *krule, char *path, int len,
return -EINVAL;
watch = audit_init_watch(path);
return -EINVAL;
watch = audit_init_watch(path);
- if (
unlikely(IS_ERR(watch)
))
+ if (
IS_ERR(watch
))
return PTR_ERR(watch);
audit_get_watch(watch);
return PTR_ERR(watch);
audit_get_watch(watch);
@@
-422,7
+417,7
@@
exit_err:
static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
{
struct audit_entry *entry;
static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
{
struct audit_entry *entry;
- struct audit_field *f;
+ struct audit_field *
ino_
f;
int err = 0;
int i;
int err = 0;
int i;
@@
-483,6
+478,10
@@
static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
if (f->val & ~15)
goto exit_free;
break;
if (f->val & ~15)
goto exit_free;
break;
+ case AUDIT_FILETYPE:
+ if ((f->val & ~S_IFMT) > S_IFMT)
+ goto exit_free;
+ break;
case AUDIT_INODE:
err = audit_to_inode(&entry->rule, f);
if (err)
case AUDIT_INODE:
err = audit_to_inode(&entry->rule, f);
if (err)
@@
-504,9
+503,9
@@
static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
}
}
}
}
- f = entry->rule.inode_f;
- if (f) {
- switch(f->op) {
+
ino_
f = entry->rule.inode_f;
+ if (
ino_
f) {
+ switch(
ino_
f->op) {
case AUDIT_NOT_EQUAL:
entry->rule.inode_f = NULL;
case AUDIT_EQUAL:
case AUDIT_NOT_EQUAL:
entry->rule.inode_f = NULL;
case AUDIT_EQUAL:
@@
-531,7
+530,7
@@
static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
{
int err = 0;
struct audit_entry *entry;
{
int err = 0;
struct audit_entry *entry;
- struct audit_field *f;
+ struct audit_field *
ino_
f;
void *bufp;
size_t remain = datasz - sizeof(struct audit_rule_data);
int i;
void *bufp;
size_t remain = datasz - sizeof(struct audit_rule_data);
int i;
@@
-654,14
+653,18
@@
static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if (f->val & ~15)
goto exit_free;
break;
if (f->val & ~15)
goto exit_free;
break;
+ case AUDIT_FILETYPE:
+ if ((f->val & ~S_IFMT) > S_IFMT)
+ goto exit_free;
+ break;
default:
goto exit_free;
}
}
default:
goto exit_free;
}
}
- f = entry->rule.inode_f;
- if (f) {
- switch(f->op) {
+
ino_
f = entry->rule.inode_f;
+ if (
ino_
f) {
+ switch(
ino_
f->op) {
case AUDIT_NOT_EQUAL:
entry->rule.inode_f = NULL;
case AUDIT_EQUAL:
case AUDIT_NOT_EQUAL:
entry->rule.inode_f = NULL;
case AUDIT_EQUAL:
@@
-848,7
+851,7
@@
static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
return ERR_PTR(-ENOMEM);
new = audit_init_watch(path);
return ERR_PTR(-ENOMEM);
new = audit_init_watch(path);
- if (
unlikely(IS_ERR(new)
)) {
+ if (
IS_ERR(new
)) {
kfree(path);
goto out;
}
kfree(path);
goto out;
}
@@
-989,7
+992,7
@@
static void audit_update_watch(struct audit_parent *parent,
audit_set_auditable(current->audit_context);
nwatch = audit_dupe_watch(owatch);
audit_set_auditable(current->audit_context);
nwatch = audit_dupe_watch(owatch);
- if (
unlikely(IS_ERR(nwatch)
)) {
+ if (
IS_ERR(nwatch
)) {
mutex_unlock(&audit_filter_mutex);
audit_panic("error updating watch, skipping");
return;
mutex_unlock(&audit_filter_mutex);
audit_panic("error updating watch, skipping");
return;
@@
-1004,7
+1007,7
@@
static void audit_update_watch(struct audit_parent *parent,
list_del_rcu(&oentry->list);
nentry = audit_dupe_rule(&oentry->rule, nwatch);
list_del_rcu(&oentry->list);
nentry = audit_dupe_rule(&oentry->rule, nwatch);
- if (
unlikely(IS_ERR(nentry)
))
+ if (
IS_ERR(nentry
))
audit_panic("error updating watch, removing");
else {
int h = audit_hash_ino((u32)ino);
audit_panic("error updating watch, removing");
else {
int h = audit_hash_ino((u32)ino);
@@
-1500,8
+1503,9
@@
static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
}
/* Log rule additions and removals */
}
/* Log rule additions and removals */
-static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
- struct audit_krule *rule, int res)
+static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
+ char *action, struct audit_krule *rule,
+ int res)
{
struct audit_buffer *ab;
{
struct audit_buffer *ab;
@@
-1511,7
+1515,7
@@
static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (!ab)
return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (!ab)
return;
- audit_log_format(ab, "auid=%u
", loginu
id);
+ audit_log_format(ab, "auid=%u
ses=%u", loginuid, session
id);
if (sid) {
char *ctx = NULL;
u32 len;
if (sid) {
char *ctx = NULL;
u32 len;
@@
-1543,7
+1547,7
@@
static void audit_log_rule_change(uid_t loginuid, u32 sid, char *action,
* @sid: SE Linux Security ID of sender
*/
int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
* @sid: SE Linux Security ID of sender
*/
int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
- size_t datasz, uid_t loginuid, u32 sid)
+ size_t datasz, uid_t loginuid, u32 s
essionid, u32 s
id)
{
struct task_struct *tsk;
struct audit_netlink_list *dest;
{
struct task_struct *tsk;
struct audit_netlink_list *dest;
@@
-1590,7
+1594,8
@@
int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
err = audit_add_rule(entry,
&audit_filter_list[entry->rule.listnr]);
err = audit_add_rule(entry,
&audit_filter_list[entry->rule.listnr]);
- audit_log_rule_change(loginuid, sid, "add", &entry->rule, !err);
+ audit_log_rule_change(loginuid, sessionid, sid, "add",
+ &entry->rule, !err);
if (err)
audit_free_rule(entry);
if (err)
audit_free_rule(entry);
@@
-1606,8
+1611,8
@@
int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
err = audit_del_rule(entry,
&audit_filter_list[entry->rule.listnr]);
err = audit_del_rule(entry,
&audit_filter_list[entry->rule.listnr]);
- audit_log_rule_change(loginuid, s
id, "remove", &entry->rule
,
- !err);
+ audit_log_rule_change(loginuid, s
essionid, sid, "remove"
,
+
&entry->rule,
!err);
audit_free_rule(entry);
break;
audit_free_rule(entry);
break;
@@
-1785,7
+1790,7
@@
int audit_update_lsm_rules(void)
watch = entry->rule.watch;
tree = entry->rule.tree;
nentry = audit_dupe_rule(&entry->rule, watch);
watch = entry->rule.watch;
tree = entry->rule.tree;
nentry = audit_dupe_rule(&entry->rule, watch);
- if (
unlikely(IS_ERR(nentry)
)) {
+ if (
IS_ERR(nentry
)) {
/* save the first error encountered for the
* return value */
if (!err)
/* save the first error encountered for the
* return value */
if (!err)
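Review bot: The AUDIT_FILETYPE validation added to both audit_rule_to_entry and audit_data_to_entry, `if ((f->val & ~S_IFMT) > S_IFMT)`, only rejects values with a bit set above the S_IFMT field, because the masked remainder can exceed S_IFMT only when a higher bit survives; a value such as `S_IFREG|0644`, whose permission bits survive the mask but stay below S_IFMT, is accepted as a file-type rule. If the match path compares after masking with S_IFMT those extra bits are silently dropped rather than reported to the caller, and if it compares the raw value such a rule never matches; the comparison code is outside this diff, so I am inferring which applies. The intent reads as "the value must hold nothing but a type field", which `if (f->val & ~S_IFMT) goto exit_free;` enforces directly, and I would use that form in both places. Since the same check is now duplicated in the two rule parsers, a short comment on each, `/* only the S_IFMT type field is meaningful for a filetype rule */`, would also help the next reader see they must stay in sync.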