author | Thomas Gleixner <[email protected]> | 2018-06-22 21:20:35 +0200 |
committer | Thomas Gleixner <[email protected]> | 2018-06-22 21:20:35 +0200 |
commit | 7731b8bc94e599c9a79e428f3359ff2c34b7576a (patch) | |
tree | 879f18ccbe274122f2d4f095b43cbc7f953e0ada /security/apparmor/audit.c | |
parent | 48e315618dc4dc8904182cd221e3d395d5d97005 (diff) | |
parent | 9ffc59d57228d74809700be6f7ecb1db10292f05 (diff) |
Merge branch 'linus' into x86/urgent
Required to queue a dependent fix.
Diffstat (limited to 'security/apparmor/audit.c')
-rw-r--r-- | security/apparmor/audit.c | 90 |
1 files changed, 89 insertions, 1 deletions
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 8f9ecac7f8de..eeaddfe0c0fb 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -19,7 +19,7 @@
 #include "include/audit.h"
 #include "include/policy.h"
 #include "include/policy_ns.h"
-
+#include "include/secid.h"
 const char *const audit_mode_names[] = {
 "normal",
@@ -163,3 +163,91 @@ int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
 return aad(sa)->error;
 }
+
+struct aa_audit_rule {
+ struct aa_label *label;
+};
+
+void aa_audit_rule_free(void *vrule)
+{
+ struct aa_audit_rule *rule = vrule;
+
+ if (rule) {
+ if (!IS_ERR(rule->label))
+ aa_put_label(rule->label);
+ kfree(rule);
+ }
+}
+
+int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
+{
+ struct aa_audit_rule *rule;
+
+ switch (field) {
+ case AUDIT_SUBJ_ROLE:
+ if (op != Audit_equal && op != Audit_not_equal)
+ return -EINVAL;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
+
+ if (!rule)
+ return -ENOMEM;
+
+ /* Currently rules are treated as coming from the root ns */
+ rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
+ GFP_KERNEL, true, false);
+ if (IS_ERR(rule->label)) {
+ aa_audit_rule_free(rule);
+ return PTR_ERR(rule->label);
+ }
+
+ *vrule = rule;
+ return 0;
+}
+
+int aa_audit_rule_known(struct audit_krule *rule)
+{
+ int i;
+
+ for (i = 0; i < rule->field_count; i++) {
+ struct audit_field *f = &rule->fields[i];
+
+ switch (f->type) {
+ case AUDIT_SUBJ_ROLE:
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+ struct audit_context *actx)
+{
+ struct aa_audit_rule *rule = vrule;
+ struct aa_label *label;
+ int found = 0;
+
+ label = aa_secid_to_label(sid);
+
+ if (!label)
+ return -ENOENT;
+
+ if (aa_label_is_subset(label, rule->label))
+ found = 1;
+
+ switch (field) {
+ case AUDIT_SUBJ_ROLE:
+ switch (op) {
+ case Audit_equal:
+ return found;
+ case Audit_not_equal:
+ return !found;
+ }
+ }
+ return 0;
+}
|
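Review bot: The aa_label_parse() failure path in aa_audit_rule_init reads `rule->label` after `aa_audit_rule_free(rule)` has already kfree()'d `rule`, which is a use-after-free on every malformed rule string an audit-rule loader submits. Capture the error before releasing the rule: `int err = PTR_ERR(rule->label);` / `aa_audit_rule_free(rule);` / `return err;`. Separately, aa_audit_rule_match uses the label returned by aa_secid_to_label() across the aa_label_is_subset() call without visibly taking a reference; if that helper (outside this hunk) does not pin the label, a concurrent label replacement could free it mid-match, so that lifetime is worth confirming. The `actx` parameter of aa_audit_rule_match is never read, so a one-liner such as `/* actx is unused: matching is decided by the subject label alone */` would save the next reader a search.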