

netlink: kill loginuid/sessionid/sid members from struct netlink_skb_…
…parms

Netlink message processing in the kernel is synchronous these days, so the
session information can be collected when needed.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
kaber authored and davem330 committed Mar 3, 2011
1 parent 06dc94b commit c53fa1e
Showing 7 changed files with 49 additions and 41 deletions.
3 changes: 0 additions & 3 deletions include/linux/netlink.h
Expand Up @@ -161,9 +161,6 @@ struct netlink_skb_parms {
__u32 pid;
__u32 dst_group;
kernel_cap_t eff_cap;
__u32 loginuid; /* Login (audit) uid */
__u32 sessionid; /* Session id (audit) */
__u32 sid; /* SELinux security id */
};

#define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb))
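Review bot: With loginuid, sessionid and sid removed from netlink_skb_parms, nothing in the skb records the sending task's audit/LSM identity any more, so every receiver has to read it from `current`, and that is the sender only while netlink receive runs synchronously in sendmsg's context, as the description states. That invariant is now load-bearing for the SELinux capability check in security/selinux/hooks.c and for the audit attribution in kernel/audit.c, kernel/auditfilter.c, net/netlabel/netlabel_user.h and net/xfrm/xfrm_user.c, yet it is not recorded in the header that defines the cb. A comment above the struct would make it explicit, e.g. `/* Sender audit/LSM ids are not stored here: kernel receivers read them from current, which assumes synchronous processing (see netlink_sendmsg). */`. The struct still keeps `eff_cap` in the cb, so a sentence on why capabilities and ids are now sourced differently would also help a later reader.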
6 changes: 3 additions & 3 deletions kernel/audit.c
Expand Up @@ -673,9 +673,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)

pid = NETLINK_CREDS(skb)->pid;
uid = NETLINK_CREDS(skb)->uid;
loginuid = NETLINK_CB(skb).loginuid;
sessionid = NETLINK_CB(skb).sessionid;
sid = NETLINK_CB(skb).sid;
loginuid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
security_task_getsecid(current, &sid);
seq = nlh->nlmsg_seq;
data = NLMSG_DATA(nlh);

10 changes: 7 additions & 3 deletions kernel/auditfilter.c
Expand Up @@ -1238,6 +1238,7 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
for (i = 0; i < rule->field_count; i++) {
struct audit_field *f = &rule->fields[i];
int result = 0;
u32 sid;

switch (f->type) {
case AUDIT_PID:
Expand All @@ -1250,19 +1251,22 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
result = audit_comparator(cb->creds.gid, f->op, f->val);
break;
case AUDIT_LOGINUID:
result = audit_comparator(cb->loginuid, f->op, f->val);
result = audit_comparator(audit_get_loginuid(current),
f->op, f->val);
break;
case AUDIT_SUBJ_USER:
case AUDIT_SUBJ_ROLE:
case AUDIT_SUBJ_TYPE:
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
if (f->lsm_rule)
result = security_audit_rule_match(cb->sid,
if (f->lsm_rule) {
security_task_getsecid(current, &sid);
result = security_audit_rule_match(sid,
f->type,
f->op,
f->lsm_rule,
NULL);
}
break;
}

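Review bot: `security_task_getsecid(current, &sid)` is now called inside the per-field loop of audit_filter_user_rules, once for every AUDIT_SUBJ_* field of every rule that has an lsm_rule, and `audit_get_loginuid(current)` is likewise re-evaluated per AUDIT_LOGINUID field, although both values are constant for the whole call; the removed cb fields were computed once per message. Fetching them once ahead of the `for` loop — move `u32 sid;` up beside the loop, call `security_task_getsecid(current, &sid);` once before it, and compare the cached value in the AUDIT_SUBJ_* arm — keeps the per-rule path as cheap as before. The function's head is outside the hunk, so where exactly the declaration lands is an inference.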
6 changes: 3 additions & 3 deletions net/netlabel/netlabel_user.h
Expand Up @@ -49,9 +49,9 @@
static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
struct netlbl_audit *audit_info)
{
audit_info->secid = NETLINK_CB(skb).sid;
audit_info->loginuid = NETLINK_CB(skb).loginuid;
audit_info->sessionid = NETLINK_CB(skb).sessionid;
security_task_getsecid(current, &audit_info->secid);
audit_info->loginuid = audit_get_loginuid(current);
audit_info->sessionid = audit_get_sessionid(current);
}

/* NetLabel NETLINK I/O functions */
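Review bot: netlbl_netlink_auditinfo no longer reads its `skb` parameter after this change — all three fields are populated from `current` — so the parameter is dead. If it is kept so that callers need not change, say so above the function, e.g. `/* skb is unused: audit ids come from the task handling the message, which is the sender while netlink receive is synchronous. */`; otherwise drop it and update the callers, which are outside the hunk.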
3 changes: 0 additions & 3 deletions net/netlink/af_netlink.c
Expand Up @@ -1362,9 +1362,6 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,

NETLINK_CB(skb).pid = nlk->pid;
NETLINK_CB(skb).dst_group = dst_group;
NETLINK_CB(skb).loginuid = audit_get_loginuid(current);
NETLINK_CB(skb).sessionid = audit_get_sessionid(current);
security_task_getsecid(current, &(NETLINK_CB(skb).sid));
memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));

/* What can I do? Netlink is asynchronous, so that
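Review bot: The removed lines were the only place the sender's audit/LSM identity was captured into the skb, and the context comment that immediately follows still describes netlink as asynchronous, which reads oddly next to this change's rationale even if it is about a different concern. A reader of netlink_sendmsg can no longer tell from this function that kernel receivers depend on running in the sender's context; a comment where the cb is filled in would close that gap, e.g. `/* No audit/LSM ids are stored in the cb: kernel receivers read them from current, which is the sender only while delivery stays synchronous. */`. netlink_sendmsg continues outside the hunk on both sides.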
56 changes: 32 additions & 24 deletions net/xfrm/xfrm_user.c
Expand Up @@ -497,9 +497,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_state *x;
int err;
struct km_event c;
uid_t loginuid = NETLINK_CB(skb).loginuid;
u32 sessionid = NETLINK_CB(skb).sessionid;
u32 sid = NETLINK_CB(skb).sid;
uid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
u32 sid;

err = verify_newsa_info(p, attrs);
if (err)
Expand All @@ -515,6 +515,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
else
err = xfrm_state_update(x);

security_task_getsecid(current, &sid);
xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);

if (err < 0) {
Expand Down Expand Up @@ -575,9 +576,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
int err = -ESRCH;
struct km_event c;
struct xfrm_usersa_id *p = nlmsg_data(nlh);
uid_t loginuid = NETLINK_CB(skb).loginuid;
u32 sessionid = NETLINK_CB(skb).sessionid;
u32 sid = NETLINK_CB(skb).sid;
uid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
u32 sid;

x = xfrm_user_state_lookup(net, p, attrs, &err);
if (x == NULL)
Expand All @@ -602,6 +603,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
km_state_notify(x, &c);

out:
security_task_getsecid(current, &sid);
xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
xfrm_state_put(x);
return err;
Expand Down Expand Up @@ -1265,9 +1267,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
struct km_event c;
int err;
int excl;
uid_t loginuid = NETLINK_CB(skb).loginuid;
u32 sessionid = NETLINK_CB(skb).sessionid;
u32 sid = NETLINK_CB(skb).sid;
uid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
u32 sid;

err = verify_newpolicy_info(p);
if (err)
Expand All @@ -1286,6 +1288,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
* a type XFRM_MSG_UPDPOLICY - JHS */
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
security_task_getsecid(current, &sid);
xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);

if (err) {
Expand Down Expand Up @@ -1522,10 +1525,11 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
NETLINK_CB(skb).pid);
}
} else {
uid_t loginuid = NETLINK_CB(skb).loginuid;
u32 sessionid = NETLINK_CB(skb).sessionid;
u32 sid = NETLINK_CB(skb).sid;
uid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
u32 sid;

security_task_getsecid(current, &sid);
xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
sid);

Expand Down Expand Up @@ -1553,9 +1557,9 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_audit audit_info;
int err;

audit_info.loginuid = NETLINK_CB(skb).loginuid;
audit_info.sessionid = NETLINK_CB(skb).sessionid;
audit_info.secid = NETLINK_CB(skb).sid;
audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = audit_get_sessionid(current);
security_task_getsecid(current, &audit_info.secid);
err = xfrm_state_flush(net, p->proto, &audit_info);
if (err) {
if (err == -ESRCH) /* empty table */
Expand Down Expand Up @@ -1720,9 +1724,9 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
if (err)
return err;

audit_info.loginuid = NETLINK_CB(skb).loginuid;
audit_info.sessionid = NETLINK_CB(skb).sessionid;
audit_info.secid = NETLINK_CB(skb).sid;
audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = audit_get_sessionid(current);
security_task_getsecid(current, &audit_info.secid);
err = xfrm_policy_flush(net, type, &audit_info);
if (err) {
if (err == -ESRCH) /* empty table */
Expand Down Expand Up @@ -1789,9 +1793,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,

err = 0;
if (up->hard) {
uid_t loginuid = NETLINK_CB(skb).loginuid;
uid_t sessionid = NETLINK_CB(skb).sessionid;
u32 sid = NETLINK_CB(skb).sid;
uid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
u32 sid;

security_task_getsecid(current, &sid);
xfrm_policy_delete(xp, p->dir);
xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);

Expand Down Expand Up @@ -1830,9 +1836,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
km_state_expired(x, ue->hard, current->pid);

if (ue->hard) {
uid_t loginuid = NETLINK_CB(skb).loginuid;
uid_t sessionid = NETLINK_CB(skb).sessionid;
u32 sid = NETLINK_CB(skb).sid;
uid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
u32 sid;

security_task_getsecid(current, &sid);
__xfrm_state_delete(x);
xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
}
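Review bot: The same three-statement sequence — `audit_get_loginuid(current)`, `audit_get_sessionid(current)`, `security_task_getsecid(current, &...)` — is now repeated in eight functions of this file, and xfrm_flush_sa and xfrm_flush_policy already collect the values into a `struct xfrm_audit` with loginuid, sessionid and secid members. A small static helper that fills a `struct xfrm_audit` from the current task would remove the duplication and give the synchronous-receive assumption a single place to be documented; the sites that pass three separate locals to xfrm_audit_state_add and friends could then read them from the struct. Whether every caller can be converted without widening the hunk is an inference, since each enclosing function extends outside the shown lines. The helper name below is a proposal, not an existing symbol.
```c
/* Fill audit attribution from the task handling this netlink message
 * (the sender, as long as netlink receive stays synchronous). */
static void xfrm_audit_info_from_current(struct xfrm_audit *audit_info)
{
	audit_info->loginuid = audit_get_loginuid(current);
	audit_info->sessionid = audit_get_sessionid(current);
	security_task_getsecid(current, &audit_info->secid);
}

/* … unchanged: xfrm_flush_sa up to the audit_info setup … */
	xfrm_audit_info_from_current(&audit_info);
	err = xfrm_state_flush(net, p->proto, &audit_info);
```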
6 changes: 4 additions & 2 deletions security/selinux/hooks.c
Expand Up @@ -4669,6 +4669,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
{
int err;
struct common_audit_data ad;
u32 sid;

err = cap_netlink_recv(skb, capability);
if (err)
Expand All @@ -4677,8 +4678,9 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
COMMON_AUDIT_DATA_INIT(&ad, CAP);
ad.u.cap = capability;

return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
security_task_getsecid(current, &sid);
return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
CAP_TO_MASK(capability), &ad);
}

static int ipc_alloc_security(struct task_struct *task,
