[PATCH] context based audit filtering (take 3)

Stephen Smalley sds at tycho.nsa.gov
Wed Feb 22 15:24:00 UTC 2006


On Wed, 2006-02-22 at 10:07 -0500, Stephen Smalley wrote:
> On Tue, 2006-02-21 at 17:59 -0600, Darrel Goeddel wrote:
> > - Add a selinux callback for re-initializing the se_rule field when there is
> >   a policy reload.  THIS NEEDS WORK - It doesn't obey proper locking yet, but
> >   it is functional.  I need to get my head around the locking of the audit
> >   structures a little better - I'll also take suggestions ;)
> <snip>
> > @@ -726,3 +777,45 @@ unlock_and_return:
> >  	rcu_read_unlock();
> >  	return result;
> >  }
> > +
> > +static int selinux_callback(void)
> > +{
> > +	struct audit_entry *entry;
> > +	int i, j, err = 0;
> > +
> > +	/* TODO: add proper locking. */
> > +	for (i = 0; i < AUDIT_NR_FILTERS; i++) {
> > +		list_for_each_entry(entry, &audit_filter_list[i], list) {
> > +			for (j = 0; j < entry->rule.field_count; j++) {
> > +				struct audit_field *f = &entry->rule.fields[j];
> > +				switch (f->type) {
> > +				case AUDIT_SE_USER:
> > +				case AUDIT_SE_ROLE:
> > +				case AUDIT_SE_TYPE:
> > +				case AUDIT_SE_SEN:
> > +				case AUDIT_SE_CLR:
> > +					selinux_audit_rule_free(f->se_rule);
> > +					err = selinux_audit_rule_init(f->type,
> > +					         f->op, f->se_str, &f->se_rule);
> > +					if (err == -EINVAL) {
> > +						printk(KERN_WARNING "selinux audit rule for item %s is invalid\n", f->se_str);
> > +						err = 0;
> > +					}
> > +					if (err)
> > +						goto out;
> > +				}
> > +			}
> > +		}
> > +	}
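Review bot: overwriting f->se_rule on the live audit_filter_list[] entries is unsafe under RCU even once the TODO lock is added. The rcu_read_unlock() in the hunk's leading context shows the match path walks these lists under rcu_read_lock(), so selinux_audit_rule_free(f->se_rule) can free a rule a concurrent reader is still dereferencing, and a reader can also land in the window between the free and the new assignment. A writer-side lock only serialises this loop against the add/remove/list paths; for the readers the update has to be copy-based: allocate a new audit_entry, re-initialise the se_rule fields on the copy, list_replace_rcu() it in place of the original, and release the original with call_rcu(). Two smaller points on the visible lines: f->se_rule is not cleared after selinux_audit_rule_free(), so on the -EINVAL path (where the loop continues with err = 0) the field keeps its freed value unless selinux_audit_rule_init() resets it on failure; and the goto out on any other error leaves the lists half-converted, with the entries already visited on the new policy's rules and the rest still on the old.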
> 
> For RCU, you need to make a new copy of the entry, mutate the copy (not
> the original), list_replace_rcu the old original with the modified copy,
> and call_rcu to drop the original when it is safe to do so.  Look at the
> SELinux AVC code for an example (avc_update_node).

Oh, and it looks like you should be holding the audit_netlink_mutex as
well to synchronize with adding, removing and listing of rules.  That is
easy though - the harder part is grasping the RCU model.
Documentation/RCU is very helpful.

-- 
Stephen Smalley
National Security Agency
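The copy / replace / deferred-free pattern the reply above describes, as an added example that is not part of this thread, the audit code or the kernel: a user-space C model in which each audit entry carries one SELinux field, the RCU list is a singly linked list published with C11 release/acquire atomics, the grace period is an explicit deferred-free queue, and selinux_audit_rule_init() is a stub that treats an empty context string as invalid. Every name in it (the model_* functions, add_entry, update_se_rules_after_reload, count_current_rules, filter_head, policy_generation) is an assumption, and the context strings fed to it are constructed.

```c
/* Added example, not from the patch or the kernel: a user-space model of the
 * copy / mutate / list_replace_rcu / call_rcu pattern for refreshing SELinux
 * rules after a policy reload.  Entries carry one SELinux field; the list, the
 * grace period and the rule compiler are stand-ins and every name is assumed. */
#include <errno.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
struct se_rule { int policy_generation; };      /* policy the rule was compiled against */
struct audit_entry {
    struct audit_entry *_Atomic next;           /* the only link readers follow */
    const char *se_str;                         /* context string from the rule */
    struct se_rule *se_rule;                    /* compiled form, owned by the entry */
};
static struct audit_entry *_Atomic filter_head; /* one audit_filter_list[] */
static int policy_generation = 1;               /* bumped by a policy reload */
static struct audit_entry *deferred[256];       /* call_rcu() stand-in queue (fixed size) */
static int ndeferred;

/* call_rcu()/synchronize_rcu() stand-ins: a parked entry is freed only once the
 * grace period is (here, explicitly) declared over.  Returns the number freed. */
static void model_call_rcu(struct audit_entry *e) { deferred[ndeferred++] = e; }
static int model_synchronize_rcu(void)
{
    int n = ndeferred;
    while (ndeferred > 0) {
        struct audit_entry *e = deferred[--ndeferred];
        free(e->se_rule);
        free(e);
    }
    return n;
}

/* selinux_audit_rule_init() stand-in: an empty context string is invalid. */
static int model_se_rule_init(const char *str, struct se_rule **out)
{
    *out = NULL;
    if (str[0] == '\0')
        return -EINVAL;
    if (!(*out = malloc(sizeof **out)))
        return -ENOMEM;
    (*out)->policy_generation = policy_generation;
    return 0;
}

/* Writer: push an entry (lock assumed held); an invalid context still gets one. */
static int add_entry(const char *se_str)
{
    struct audit_entry *e = calloc(1, sizeof *e);
    if (!e || model_se_rule_init(se_str, &e->se_rule) == -ENOMEM) {
        free(e);
        return -ENOMEM;
    }
    e->se_str = se_str;
    e->next = atomic_load(&filter_head);
    atomic_store_explicit(&filter_head, e, memory_order_release);
    return 0;
}

/* Writer after a policy reload (lock assumed held): never mutate a live entry.
 * Copy it, compile a fresh rule on the copy, publish the copy in the original's
 * place (list_replace_rcu) and park the original (call_rcu), so a concurrent
 * reader sees the old entry or the complete new one and its se_rule stays valid. */
static int update_se_rules_after_reload(void)
{
    struct audit_entry *_Atomic *link = &filter_head;
    struct audit_entry *old;
    while ((old = atomic_load(link)) != NULL) {
        struct audit_entry *copy = malloc(sizeof *copy);
        if (!copy)
            return -ENOMEM;
        memcpy(copy, old, sizeof *copy);  /* writer-only; readers never write */
        copy->se_rule = NULL;             /* the original keeps, and later frees, its rule */
        int err = model_se_rule_init(copy->se_str, &copy->se_rule);
        if (err && err != -EINVAL) {      /* -EINVAL: keep the entry, now unmatchable */
            free(copy);
            return err;
        }
        atomic_store_explicit(link, copy, memory_order_release); /* publish */
        model_call_rcu(old);
        link = &copy->next;
    }
    return 0;
}

/* Reader (rcu_read_lock side): entries on the current policy; *unusable = no rule. */
static int count_current_rules(int *unusable)
{
    int cur = 0;
    *unusable = 0;
    for (struct audit_entry *e = atomic_load_explicit(&filter_head, memory_order_acquire);
         e; e = atomic_load_explicit(&e->next, memory_order_acquire)) {
        if (!e->se_rule)
            (*unusable)++;
        else if (e->se_rule->policy_generation == policy_generation)
            cur++;
    }
    return cur;
}
```

The reader never takes a lock and never sees a freed rule: the writer builds the complete copy before the single release store that publishes it, and the original, together with its old se_rule, is only freed by model_synchronize_rcu(), which stands in for the grace period call_rcu() waits out in the kernel. Freeing the old rule first and then compiling the new one into the live entry, as the quoted patch does, is exactly the window this ordering removes. Add three entries, bump policy_generation, call update_se_rules_after_reload() and then count_current_rules(): the valid entries report the new generation, the invalid one stays unmatchable, and nothing is freed until the grace period ends. Build with a C11 compiler.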