SELinux: unify the selinux_audit_data and selinux_late_audit_data
We no longer need the distinction. We only need data after we decide to do an
audit. So turn the "late" audit data into just "data" and remove what we
currently have as "data".
Signed-off-by: Eric Paris <eparis@redhat.com>
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index cd91e25..c03a964 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -436,9 +436,9 @@
{
struct common_audit_data *ad = a;
audit_log_format(ab, "avc: %s ",
- ad->selinux_audit_data->slad->denied ? "denied" : "granted");
- avc_dump_av(ab, ad->selinux_audit_data->slad->tclass,
- ad->selinux_audit_data->slad->audited);
+ ad->selinux_audit_data->denied ? "denied" : "granted");
+ avc_dump_av(ab, ad->selinux_audit_data->tclass,
+ ad->selinux_audit_data->audited);
audit_log_format(ab, " for ");
}
@@ -452,9 +452,9 @@
{
struct common_audit_data *ad = a;
audit_log_format(ab, " ");
- avc_dump_query(ab, ad->selinux_audit_data->slad->ssid,
- ad->selinux_audit_data->slad->tsid,
- ad->selinux_audit_data->slad->tclass);
+ avc_dump_query(ab, ad->selinux_audit_data->ssid,
+ ad->selinux_audit_data->tsid,
+ ad->selinux_audit_data->tclass);
}
/* This is the slow part of avc audit with big stack footprint */
@@ -464,13 +464,11 @@
unsigned flags)
{
struct common_audit_data stack_data;
- struct selinux_audit_data sad = {0,};
- struct selinux_late_audit_data slad;
+ struct selinux_audit_data sad;
if (!a) {
a = &stack_data;
a->type = LSM_AUDIT_DATA_NONE;
- a->selinux_audit_data = &sad;
}
/*
@@ -484,14 +482,15 @@
(flags & MAY_NOT_BLOCK))
return -ECHILD;
- slad.tclass = tclass;
- slad.requested = requested;
- slad.ssid = ssid;
- slad.tsid = tsid;
- slad.audited = audited;
- slad.denied = denied;
+ sad.tclass = tclass;
+ sad.requested = requested;
+ sad.ssid = ssid;
+ sad.tsid = tsid;
+ sad.audited = audited;
+ sad.denied = denied;
- a->selinux_audit_data->slad = &slad;
+ a->selinux_audit_data = &sad;
+
common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
return 0;
}
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d9fa248..2578de5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1420,7 +1420,6 @@
int cap, int audit)
{
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct av_decision avd;
u16 sclass;
u32 sid = cred_sid(cred);
@@ -1428,7 +1427,6 @@
int rc;
ad.type = LSM_AUDIT_DATA_CAP;
- ad.selinux_audit_data = &sad;
ad.u.cap = cap;
switch (CAP_TO_INDEX(cap)) {
@@ -1496,11 +1494,9 @@
{
struct inode *inode = dentry->d_inode;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
ad.type = LSM_AUDIT_DATA_DENTRY;
ad.u.dentry = dentry;
- ad.selinux_audit_data = &sad;
return inode_has_perm(cred, inode, av, &ad, 0);
}
@@ -1513,11 +1509,9 @@
{
struct inode *inode = path->dentry->d_inode;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
ad.type = LSM_AUDIT_DATA_PATH;
ad.u.path = *path;
- ad.selinux_audit_data = &sad;
return inode_has_perm(cred, inode, av, &ad, 0);
}
@@ -1536,13 +1530,11 @@
struct file_security_struct *fsec = file->f_security;
struct inode *inode = file->f_path.dentry->d_inode;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = cred_sid(cred);
int rc;
ad.type = LSM_AUDIT_DATA_PATH;
ad.u.path = file->f_path;
- ad.selinux_audit_data = &sad;
if (sid != fsec->sid) {
rc = avc_has_perm(sid, fsec->sid,
@@ -1572,7 +1564,6 @@
struct superblock_security_struct *sbsec;
u32 sid, newsid;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
int rc;
dsec = dir->i_security;
@@ -1583,7 +1574,6 @@
ad.type = LSM_AUDIT_DATA_DENTRY;
ad.u.dentry = dentry;
- ad.selinux_audit_data = &sad;
rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
DIR__ADD_NAME | DIR__SEARCH,
@@ -1628,7 +1618,6 @@
{
struct inode_security_struct *dsec, *isec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = current_sid();
u32 av;
int rc;
@@ -1638,7 +1627,6 @@
ad.type = LSM_AUDIT_DATA_DENTRY;
ad.u.dentry = dentry;
- ad.selinux_audit_data = &sad;
av = DIR__SEARCH;
av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
@@ -1673,7 +1661,6 @@
{
struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = current_sid();
u32 av;
int old_is_dir, new_is_dir;
@@ -1685,7 +1672,6 @@
new_dsec = new_dir->i_security;
ad.type = LSM_AUDIT_DATA_DENTRY;
- ad.selinux_audit_data = &sad;
ad.u.dentry = old_dentry;
rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
@@ -1971,7 +1957,6 @@
struct task_security_struct *new_tsec;
struct inode_security_struct *isec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct inode *inode = bprm->file->f_path.dentry->d_inode;
int rc;
@@ -2011,7 +1996,6 @@
}
ad.type = LSM_AUDIT_DATA_PATH;
- ad.selinux_audit_data = &sad;
ad.u.path = bprm->file->f_path;
if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
@@ -2101,7 +2085,6 @@
struct files_struct *files)
{
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct file *file, *devnull = NULL;
struct tty_struct *tty;
struct fdtable *fdt;
@@ -2135,7 +2118,6 @@
/* Revalidate access to inherited open files. */
ad.type = LSM_AUDIT_DATA_INODE;
- ad.selinux_audit_data = &sad;
spin_lock(&files->file_lock);
for (;;) {
@@ -2473,7 +2455,6 @@
{
const struct cred *cred = current_cred();
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
int rc;
rc = superblock_doinit(sb, data);
@@ -2485,7 +2466,6 @@
return 0;
ad.type = LSM_AUDIT_DATA_DENTRY;
- ad.selinux_audit_data = &sad;
ad.u.dentry = sb->s_root;
return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
}
@@ -2494,10 +2474,8 @@
{
const struct cred *cred = current_cred();
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
ad.type = LSM_AUDIT_DATA_DENTRY;
- ad.selinux_audit_data = &sad;
ad.u.dentry = dentry->d_sb->s_root;
return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
}
@@ -2662,12 +2640,10 @@
unsigned flags)
{
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct inode_security_struct *isec = inode->i_security;
int rc;
ad.type = LSM_AUDIT_DATA_INODE;
- ad.selinux_audit_data = &sad;
ad.u.inode = inode;
rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
@@ -2782,7 +2758,6 @@
struct inode_security_struct *isec = inode->i_security;
struct superblock_security_struct *sbsec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 newsid, sid = current_sid();
int rc = 0;
@@ -2797,7 +2772,6 @@
return -EPERM;
ad.type = LSM_AUDIT_DATA_DENTRY;
- ad.selinux_audit_data = &sad;
ad.u.dentry = dentry;
rc = avc_has_perm(sid, isec->sid, isec->sclass,
@@ -3407,12 +3381,10 @@
{
u32 sid;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
sid = task_sid(current);
ad.type = LSM_AUDIT_DATA_KMOD;
- ad.selinux_audit_data = &sad;
ad.u.kmod_name = kmod_name;
return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
@@ -3785,7 +3757,6 @@
{
struct sk_security_struct *sksec = sk->sk_security;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct lsm_network_audit net = {0,};
u32 tsid = task_sid(task);
@@ -3793,7 +3764,6 @@
return 0;
ad.type = LSM_AUDIT_DATA_NET;
- ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->sk = sk;
@@ -3873,7 +3843,6 @@
char *addrp;
struct sk_security_struct *sksec = sk->sk_security;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct lsm_network_audit net = {0,};
struct sockaddr_in *addr4 = NULL;
struct sockaddr_in6 *addr6 = NULL;
@@ -3901,7 +3870,6 @@
if (err)
goto out;
ad.type = LSM_AUDIT_DATA_NET;
- ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->sport = htons(snum);
ad.u.net->family = family;
@@ -3936,7 +3904,6 @@
goto out;
ad.type = LSM_AUDIT_DATA_NET;
- ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->sport = htons(snum);
ad.u.net->family = family;
@@ -3971,7 +3938,6 @@
if (sksec->sclass == SECCLASS_TCP_SOCKET ||
sksec->sclass == SECCLASS_DCCP_SOCKET) {
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct lsm_network_audit net = {0,};
struct sockaddr_in *addr4 = NULL;
struct sockaddr_in6 *addr6 = NULL;
@@ -3998,7 +3964,6 @@
TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
ad.type = LSM_AUDIT_DATA_NET;
- ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->dport = htons(snum);
ad.u.net->family = sk->sk_family;
@@ -4090,12 +4055,10 @@
struct sk_security_struct *sksec_other = other->sk_security;
struct sk_security_struct *sksec_new = newsk->sk_security;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct lsm_network_audit net = {0,};
int err;
ad.type = LSM_AUDIT_DATA_NET;
- ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->sk = other;
@@ -4124,11 +4087,9 @@
struct sk_security_struct *ssec = sock->sk->sk_security;
struct sk_security_struct *osec = other->sk->sk_security;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct lsm_network_audit net = {0,};
ad.type = LSM_AUDIT_DATA_NET;
- ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->sk = other->sk;
@@ -4166,12 +4127,10 @@
struct sk_security_struct *sksec = sk->sk_security;
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct lsm_network_audit net = {0,};
char *addrp;
ad.type = LSM_AUDIT_DATA_NET;
- ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->netif = skb->skb_iif;
ad.u.net->family = family;
@@ -4201,7 +4160,6 @@
u16 family = sk->sk_family;
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct lsm_network_audit net = {0,};
char *addrp;
u8 secmark_active;
@@ -4227,7 +4185,6 @@
return 0;
ad.type = LSM_AUDIT_DATA_NET;
- ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->netif = skb->skb_iif;
ad.u.net->family = family;
@@ -4565,7 +4522,6 @@
char *addrp;
u32 peer_sid;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct lsm_network_audit net = {0,};
u8 secmark_active;
u8 netlbl_active;
@@ -4584,7 +4540,6 @@
return NF_DROP;
ad.type = LSM_AUDIT_DATA_NET;
- ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->netif = ifindex;
ad.u.net->family = family;
@@ -4674,7 +4629,6 @@
struct sock *sk = skb->sk;
struct sk_security_struct *sksec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct lsm_network_audit net = {0,};
char *addrp;
u8 proto;
@@ -4684,7 +4638,6 @@
sksec = sk->sk_security;
ad.type = LSM_AUDIT_DATA_NET;
- ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->netif = ifindex;
ad.u.net->family = family;
@@ -4709,7 +4662,6 @@
u32 peer_sid;
struct sock *sk;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
struct lsm_network_audit net = {0,};
char *addrp;
u8 secmark_active;
@@ -4757,7 +4709,6 @@
}
ad.type = LSM_AUDIT_DATA_NET;
- ad.selinux_audit_data = &sad;
ad.u.net = &net;
ad.u.net->netif = ifindex;
ad.u.net->family = family;
@@ -4875,13 +4826,11 @@
{
struct ipc_security_struct *isec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = current_sid();
isec = ipc_perms->security;
ad.type = LSM_AUDIT_DATA_IPC;
- ad.selinux_audit_data = &sad;
ad.u.ipc_id = ipc_perms->key;
return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
@@ -4902,7 +4851,6 @@
{
struct ipc_security_struct *isec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = current_sid();
int rc;
@@ -4913,7 +4861,6 @@
isec = msq->q_perm.security;
ad.type = LSM_AUDIT_DATA_IPC;
- ad.selinux_audit_data = &sad;
ad.u.ipc_id = msq->q_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
@@ -4934,13 +4881,11 @@
{
struct ipc_security_struct *isec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = current_sid();
isec = msq->q_perm.security;
ad.type = LSM_AUDIT_DATA_IPC;
- ad.selinux_audit_data = &sad;
ad.u.ipc_id = msq->q_perm.key;
return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
@@ -4980,7 +4925,6 @@
struct ipc_security_struct *isec;
struct msg_security_struct *msec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = current_sid();
int rc;
@@ -5002,7 +4946,6 @@
}
ad.type = LSM_AUDIT_DATA_IPC;
- ad.selinux_audit_data = &sad;
ad.u.ipc_id = msq->q_perm.key;
/* Can this process write to the queue? */
@@ -5027,7 +4970,6 @@
struct ipc_security_struct *isec;
struct msg_security_struct *msec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = task_sid(target);
int rc;
@@ -5035,7 +4977,6 @@
msec = msg->security;
ad.type = LSM_AUDIT_DATA_IPC;
- ad.selinux_audit_data = &sad;
ad.u.ipc_id = msq->q_perm.key;
rc = avc_has_perm(sid, isec->sid,
@@ -5051,7 +4992,6 @@
{
struct ipc_security_struct *isec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = current_sid();
int rc;
@@ -5062,7 +5002,6 @@
isec = shp->shm_perm.security;
ad.type = LSM_AUDIT_DATA_IPC;
- ad.selinux_audit_data = &sad;
ad.u.ipc_id = shp->shm_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
@@ -5083,13 +5022,11 @@
{
struct ipc_security_struct *isec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = current_sid();
isec = shp->shm_perm.security;
ad.type = LSM_AUDIT_DATA_IPC;
- ad.selinux_audit_data = &sad;
ad.u.ipc_id = shp->shm_perm.key;
return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
@@ -5147,7 +5084,6 @@
{
struct ipc_security_struct *isec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = current_sid();
int rc;
@@ -5158,7 +5094,6 @@
isec = sma->sem_perm.security;
ad.type = LSM_AUDIT_DATA_IPC;
- ad.selinux_audit_data = &sad;
ad.u.ipc_id = sma->sem_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
@@ -5179,13 +5114,11 @@
{
struct ipc_security_struct *isec;
struct common_audit_data ad;
- struct selinux_audit_data sad = {0,};
u32 sid = current_sid();
isec = sma->sem_perm.security;
ad.type = LSM_AUDIT_DATA_IPC;
- ad.selinux_audit_data = &sad;
ad.u.ipc_id = sma->sem_perm.key;
return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index faa2777..d97fadc 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -49,7 +49,7 @@
/*
* We only need this data after we have decided to send an audit message.
*/
-struct selinux_late_audit_data {
+struct selinux_audit_data {
u32 ssid;
u32 tsid;
u16 tclass;
@@ -60,13 +60,6 @@
};
/*
- * We collect this at the beginning or during an selinux security operation
- */
-struct selinux_audit_data {
- struct selinux_late_audit_data *slad;
-};
-
-/*
* AVC operations
*/