rpms/kernel/devel linux-2.6-audit-git.patch, NONE, 1.1.2.1 kernel-2.6.spec, 1.1768, 1.1768.2.1
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Dec 16 16:28:34 UTC 2005
Author: dwmw2
Update of /cvs/dist/rpms/kernel/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv25815
Modified Files:
Tag: private-rawhide-audit-1768-branch
kernel-2.6.spec
Added Files:
Tag: private-rawhide-audit-1768-branch
linux-2.6-audit-git.patch
Log Message:
lspp.4 build
linux-2.6-audit-git.patch:
arch/ia64/kernel/ptrace.c | 10
fs/namei.c | 14
fs/open.c | 8
fs/xattr.c | 11
include/linux/audit.h | 95 ++++-
include/linux/fsnotify.h | 14
include/linux/security.h | 33 +
ipc/msg.c | 5
ipc/sem.c | 5
ipc/shm.c | 4
ipc/util.c | 2
kernel/Makefile | 2
kernel/audit.c | 142 ++++++-
kernel/audit.h | 70 +++
kernel/auditfilter.c | 375 ++++++++++++++++++++
kernel/auditsc.c | 786 ++++++++++++++++++++++----------------------
security/dummy.c | 14
security/selinux/hooks.c | 98 ++---
security/selinux/nlmsgtab.c | 6
19 files changed, 1181 insertions(+), 513 deletions(-)
--- NEW FILE linux-2.6-audit-git.patch ---
diff --git a/arch/ia64/kernel/ptrace.c b/arch/ia64/kernel/ptrace.c
index 4b19d04..49fd3f6 100644
--- a/arch/ia64/kernel/ptrace.c
+++ b/arch/ia64/kernel/ptrace.c
@@ -1663,8 +1663,14 @@ syscall_trace_leave (long arg0, long arg
long arg4, long arg5, long arg6, long arg7,
struct pt_regs regs)
{
- if (unlikely(current->audit_context))
- audit_syscall_exit(current, AUDITSC_RESULT(regs.r10), regs.r8);
+ if (unlikely(current->audit_context)) {
+ int success = AUDITSC_RESULT(regs.r10);
+ long result = regs.r8;
+
+ if (success != AUDITSC_SUCCESS)
+ result = -result;
+ audit_syscall_exit(current, success, result);
+ }
if (test_thread_flag(TIF_SYSCALL_TRACE)
&& (current->ptrace & PT_PTRACED))
diff --git a/fs/namei.c b/fs/namei.c
index 6dbbd42..55798c3 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1090,8 +1090,7 @@ int fastcall path_lookup(const char *nam
current->total_link_count = 0;
retval = link_path_walk(name, nd);
out:
- if (unlikely(current->audit_context
- && nd && nd->dentry && nd->dentry->d_inode))
+ if (nd && nd->dentry && nd->dentry->d_inode)
audit_inode(name, nd->dentry->d_inode, flags);
return retval;
}
@@ -1301,6 +1300,7 @@ static inline int may_delete(struct inod
return -ENOENT;
BUG_ON(victim->d_parent->d_inode != dir);
+ audit_inode_child(victim->d_name.name, victim->d_inode, dir->i_ino);
error = permission(dir,MAY_WRITE | MAY_EXEC, NULL);
if (error)
@@ -1420,7 +1420,7 @@ int vfs_create(struct inode *dir, struct
DQUOT_INIT(dir);
error = dir->i_op->create(dir, dentry, mode, nd);
if (!error)
- fsnotify_create(dir, dentry->d_name.name);
+ fsnotify_create(dir, dentry);
return error;
}
@@ -1739,7 +1739,7 @@ int vfs_mknod(struct inode *dir, struct
DQUOT_INIT(dir);
error = dir->i_op->mknod(dir, dentry, mode, dev);
if (!error)
- fsnotify_create(dir, dentry->d_name.name);
+ fsnotify_create(dir, dentry);
return error;
}
@@ -1810,7 +1810,7 @@ int vfs_mkdir(struct inode *dir, struct
DQUOT_INIT(dir);
error = dir->i_op->mkdir(dir, dentry, mode);
if (!error)
- fsnotify_mkdir(dir, dentry->d_name.name);
+ fsnotify_mkdir(dir, dentry);
return error;
}
@@ -2047,7 +2047,7 @@ int vfs_symlink(struct inode *dir, struc
DQUOT_INIT(dir);
error = dir->i_op->symlink(dir, dentry, oldname);
if (!error)
- fsnotify_create(dir, dentry->d_name.name);
+ fsnotify_create(dir, dentry);
return error;
}
@@ -2118,7 +2118,7 @@ int vfs_link(struct dentry *old_dentry,
error = dir->i_op->link(old_dentry, dir, new_dentry);
up(&old_dentry->d_inode->i_sem);
if (!error)
- fsnotify_create(dir, new_dentry->d_name.name);
+ fsnotify_create(dir, new_dentry);
return error;
}
diff --git a/fs/open.c b/fs/open.c
index f53a5b9..3231a67 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -25,6 +25,7 @@
#include <linux/pagemap.h>
#include <linux/syscalls.h>
#include <linux/rcupdate.h>
+#include <linux/audit.h>
#include <asm/unistd.h>
@@ -613,6 +614,8 @@ asmlinkage long sys_fchmod(unsigned int
dentry = file->f_dentry;
inode = dentry->d_inode;
+ audit_inode(NULL, inode, 0);
+
err = -EROFS;
if (IS_RDONLY(inode))
goto out_putf;
@@ -736,7 +739,10 @@ asmlinkage long sys_fchown(unsigned int
file = fget(fd);
if (file) {
- error = chown_common(file->f_dentry, user, group);
+ struct dentry * dentry;
+ dentry = file->f_dentry;
+ audit_inode(NULL, dentry->d_inode, 0);
+ error = chown_common(dentry, user, group);
fput(file);
}
return error;
diff --git a/fs/xattr.c b/fs/xattr.c
index bcc2156..8f40edf 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -17,6 +17,7 @@
#include <linux/syscalls.h>
#include <linux/module.h>
#include <linux/fsnotify.h>
+#include <linux/audit.h>
#include <asm/uaccess.h>
/*
@@ -113,12 +114,15 @@ sys_fsetxattr(int fd, char __user *name,
size_t size, int flags)
{
struct file *f;
+ struct dentry *dentry;
int error = -EBADF;
f = fget(fd);
if (!f)
return error;
- error = setxattr(f->f_dentry, name, value, size, flags);
+ dentry = f->f_dentry;
+ audit_inode(NULL, dentry->d_inode, 0);
+ error = setxattr(dentry, name, value, size, flags);
fput(f);
return error;
}
@@ -365,12 +369,15 @@ asmlinkage long
sys_fremovexattr(int fd, char __user *name)
{
struct file *f;
+ struct dentry *dentry;
int error = -EBADF;
f = fget(fd);
if (!f)
return error;
- error = removexattr(f->f_dentry, name);
+ dentry = f->f_dentry;
+ audit_inode(NULL, dentry->d_inode, 0);
+ error = removexattr(dentry, name);
fput(f);
return error;
}
diff --git a/include/linux/audit.h b/include/linux/audit.h
index da3c019..8817141 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -33,11 +33,20 @@
* 1200 - 1299 messages internal to the audit daemon
* 1300 - 1399 audit event messages
* 1400 - 1499 SE Linux use
- * 1500 - 1999 future use
- * 2000 is for otherwise unclassified kernel audit messages
+ * 1500 - 1599 kernel LSPP events
+ * 1600 - 1699 kernel crypto events
+ * 1700 - 1999 future kernel use (maybe integrity labels and related events)
+ * 2000 is for otherwise unclassified kernel audit messages (legacy)
+ * 2001 - 2099 unused (kernel)
+ * 2100 - 2199 user space anomaly records
+ * 2200 - 2299 user space actions taken in response to anomalies
+ * 2300 - 2399 user space generated LSPP events
+ * 2400 - 2499 user space crypto events
+ * 2500 - 2999 future user space (maybe integrity labels and related events)
*
- * Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user
- * space. Anything over that is kernel --> user space communication.
+ * Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are
+ * exclusively user space. 1300-2099 is kernel --> user space
+ * communication.
*/
#define AUDIT_GET 1000 /* Get status */
#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */
@@ -54,6 +63,8 @@
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */
#define AUDIT_USER_AVC 1107 /* We filter this differently */
[...2353 lines suppressed...]
set_to_dummy_if_null(ops, inode_listxattr);
set_to_dummy_if_null(ops, inode_removexattr);
+ set_to_dummy_if_null(ops, inode_xattr_getsuffix);
set_to_dummy_if_null(ops, inode_getsecurity);
set_to_dummy_if_null(ops, inode_setsecurity);
set_to_dummy_if_null(ops, inode_listsecurity);
@@ -924,6 +935,7 @@ void security_fixup_ops (struct security
set_to_dummy_if_null(ops, task_reparent_to_init);
set_to_dummy_if_null(ops, task_to_inode);
set_to_dummy_if_null(ops, ipc_permission);
+ set_to_dummy_if_null(ops, ipc_getsecurity);
set_to_dummy_if_null(ops, msg_msg_alloc_security);
set_to_dummy_if_null(ops, msg_msg_free_security);
set_to_dummy_if_null(ops, msg_queue_alloc_security);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fc77443..21c8aa6 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -116,6 +116,32 @@ static struct security_operations *secon
static LIST_HEAD(superblock_security_head);
static DEFINE_SPINLOCK(sb_security_lock);
+/* Return security context for a given sid or just the context
+ length if the buffer is null or length is 0 */
+static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
+{
+ char *context;
+ unsigned len;
+ int rc;
+
+ rc = security_sid_to_context(sid, &context, &len);
+ if (rc)
+ return rc;
+
+ if (!buffer || !size)
+ goto getsecurity_exit;
+
+ if (size < len) {
+ len = -ERANGE;
+ goto getsecurity_exit;
+ }
+ memcpy(buffer, context, len);
+
+getsecurity_exit:
+ kfree(context);
+ return len;
+}
+
/* Allocate and free functions for each kind of security blob. */
static int task_alloc_security(struct task_struct *task)
@@ -2238,6 +2264,11 @@ static int selinux_inode_removexattr (st
return -EACCES;
}
+static const char *selinux_inode_xattr_getsuffix(void)
+{
+ return XATTR_SELINUX_SUFFIX;
+}
+
/*
* Copy the in-core inode security context value to the user. If the
* getxattr() prior to this succeeded, check to see if we need to
@@ -2245,47 +2276,14 @@ static int selinux_inode_removexattr (st
*
* Permission check is handled by selinux_inode_getxattr hook.
*/
-static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
+static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
{
struct inode_security_struct *isec = inode->i_security;
- char *context;
- unsigned len;
- int rc;
-
- if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
- rc = -EOPNOTSUPP;
- goto out;
- }
-
- rc = security_sid_to_context(isec->sid, &context, &len);
- if (rc)
- goto out;
-
- /* Probe for required buffer size */
- if (!buffer || !size) {
- rc = len;
- goto out_free;
- }
- if (size < len) {
- rc = -ERANGE;
- goto out_free;
- }
+ if (strcmp(name, XATTR_SELINUX_SUFFIX))
+ return -EOPNOTSUPP;
- if (err > 0) {
- if ((len == err) && !(memcmp(context, buffer, len))) {
- /* Don't need to canonicalize value */
- rc = err;
- goto out_free;
- }
- memset(buffer, 0, size);
- }
- memcpy(buffer, context, len);
- rc = len;
-out_free:
- kfree(context);
-out:
- return rc;
+ return selinux_getsecurity(isec->sid, buffer, size);
}
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
@@ -4054,6 +4052,13 @@ static int selinux_ipc_permission(struct
return ipc_has_perm(ipcp, av);
}
+static int selinux_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
+{
+ struct ipc_security_struct *isec = ipcp->security;
+
+ return selinux_getsecurity(isec->sid, buffer, size);
+}
+
/* module stacking operations */
static int selinux_register_security (const char *name, struct security_operations *ops)
{
@@ -4095,8 +4100,7 @@ static int selinux_getprocattr(struct ta
char *name, void *value, size_t size)
{
struct task_security_struct *tsec;
- u32 sid, len;
- char *context;
+ u32 sid;
int error;
if (current != p) {
@@ -4105,9 +4109,6 @@ static int selinux_getprocattr(struct ta
return error;
}
- if (!size)
- return -ERANGE;
-
tsec = p->security;
if (!strcmp(name, "current"))
@@ -4124,16 +4125,7 @@ static int selinux_getprocattr(struct ta
if (!sid)
return 0;
- error = security_sid_to_context(sid, &context, &len);
- if (error)
- return error;
- if (len > size) {
- kfree(context);
- return -ERANGE;
- }
- memcpy(value, context, len);
- kfree(context);
- return len;
+ return selinux_getsecurity(sid, value, size);
}
static int selinux_setprocattr(struct task_struct *p,
@@ -4291,6 +4283,7 @@ static struct security_operations selinu
.inode_getxattr = selinux_inode_getxattr,
.inode_listxattr = selinux_inode_listxattr,
.inode_removexattr = selinux_inode_removexattr,
+ .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix,
.inode_getsecurity = selinux_inode_getsecurity,
.inode_setsecurity = selinux_inode_setsecurity,
.inode_listsecurity = selinux_inode_listsecurity,
@@ -4328,6 +4321,7 @@ static struct security_operations selinu
.task_to_inode = selinux_task_to_inode,
.ipc_permission = selinux_ipc_permission,
+ .ipc_getsecurity = selinux_ipc_getsecurity,
.msg_msg_alloc_security = selinux_msg_msg_alloc_security,
.msg_msg_free_security = selinux_msg_msg_free_security,
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 69b9329..d7c0e91 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -145,8 +145,10 @@ int selinux_nlmsg_lookup(u16 sclass, u16
break;
case SECCLASS_NETLINK_AUDIT_SOCKET:
- if (nlmsg_type >= AUDIT_FIRST_USER_MSG &&
- nlmsg_type <= AUDIT_LAST_USER_MSG) {
+ if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
+ nlmsg_type <= AUDIT_LAST_USER_MSG) ||
+ (nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
+ nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
} else {
err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/devel/kernel-2.6.spec,v
retrieving revision 1.1768
retrieving revision 1.1768.2.1
diff -u -r1.1768 -r1.1768.2.1
--- kernel-2.6.spec 16 Dec 2005 08:13:39 -0000 1.1768
+++ kernel-2.6.spec 16 Dec 2005 16:28:31 -0000 1.1768.2.1
@@ -20,7 +20,7 @@
%define sublevel 14
%define kversion 2.6.%{sublevel}
%define rpmversion 2.6.%{sublevel}
-%define rhbsys %([ -r /etc/beehive-root -o -n "%{?__beehive_build}" ] && echo || echo .`whoami`)
+%define rhbsys lspp.4
%define release %(R="$Revision$"; RR="${R##: }"; echo ${RR%%?})_FC5%{rhbsys}
%define signmodules 0
%define make_target bzImage
@@ -379,6 +379,8 @@
Patch10003: linux-2.6-gcc41.patch
Patch10004: linux-2.6-compile-fixes.patch
+Patch20000: linux-2.6-audit-git.patch
+
# END OF PATCH DEFINITIONS
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -871,6 +873,7 @@
%patch10003 -p1
#%patch10004 -p1
+%patch20000 -p1
# END OF PATCH APPLICATIONS
More information about the fedora-cvs-commits
mailing list