[PATCH] audit: support for object context filters

[linux-2.6-block.git] / security / selinux / ss / services.c

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 7177e98df7f33a4e06b521fbb2bb987150838246..d2e80e62ff0c9595414f38d00e3d5e49487cb77d 100644 (file)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -594,6 +594,10 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
 
                        *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
                        scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
+                       if (!scontextp) {
+                               rc = -ENOMEM;
+                               goto out;
+                       }
                        strcpy(scontextp, initial_sid_to_string[sid]);
                        *scontext = scontextp;
                        goto out;
@@ -1841,15 +1845,20 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
                return -ENOTSUPP;
 
        switch (field) {
-       case AUDIT_SE_USER:
-       case AUDIT_SE_ROLE:
-       case AUDIT_SE_TYPE:
+       case AUDIT_SUBJ_USER:
+       case AUDIT_SUBJ_ROLE:
+       case AUDIT_SUBJ_TYPE:
+       case AUDIT_OBJ_USER:
+       case AUDIT_OBJ_ROLE:
+       case AUDIT_OBJ_TYPE:
                /* only 'equals' and 'not equals' fit user, role, and type */
                if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
                        return -EINVAL;
                break;
-       case AUDIT_SE_SEN:
-       case AUDIT_SE_CLR:
+       case AUDIT_SUBJ_SEN:
+       case AUDIT_SUBJ_CLR:
+       case AUDIT_OBJ_LEV_LOW:
+       case AUDIT_OBJ_LEV_HIGH:
                /* we do not allow a range, indicated by the presense of '-' */
                if (strchr(rulestr, '-'))
                        return -EINVAL;
@@ -1870,29 +1879,34 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
        tmprule->au_seqno = latest_granting;
 
        switch (field) {
-       case AUDIT_SE_USER:
+       case AUDIT_SUBJ_USER:
+       case AUDIT_OBJ_USER:
                userdatum = hashtab_search(policydb.p_users.table, rulestr);
                if (!userdatum)
                        rc = -EINVAL;
                else
                        tmprule->au_ctxt.user = userdatum->value;
                break;
-       case AUDIT_SE_ROLE:
+       case AUDIT_SUBJ_ROLE:
+       case AUDIT_OBJ_ROLE:
                roledatum = hashtab_search(policydb.p_roles.table, rulestr);
                if (!roledatum)
                        rc = -EINVAL;
                else
                        tmprule->au_ctxt.role = roledatum->value;
                break;
-       case AUDIT_SE_TYPE:
+       case AUDIT_SUBJ_TYPE:
+       case AUDIT_OBJ_TYPE:
                typedatum = hashtab_search(policydb.p_types.table, rulestr);
                if (!typedatum)
                        rc = -EINVAL;
                else
                        tmprule->au_ctxt.type = typedatum->value;
                break;
-       case AUDIT_SE_SEN:
-       case AUDIT_SE_CLR:
+       case AUDIT_SUBJ_SEN:
+       case AUDIT_SUBJ_CLR:
+       case AUDIT_OBJ_LEV_LOW:
+       case AUDIT_OBJ_LEV_HIGH:
                rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
                break;
        }
@@ -1944,7 +1958,8 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
        /* a field/op pair that is not caught here will simply fall through
           without a match */
        switch (field) {
-       case AUDIT_SE_USER:
+       case AUDIT_SUBJ_USER:
+       case AUDIT_OBJ_USER:
                switch (op) {
                case AUDIT_EQUAL:
                        match = (ctxt->user == rule->au_ctxt.user);
@@ -1954,7 +1969,8 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
                        break;
                }
                break;
-       case AUDIT_SE_ROLE:
+       case AUDIT_SUBJ_ROLE:
+       case AUDIT_OBJ_ROLE:
                switch (op) {
                case AUDIT_EQUAL:
                        match = (ctxt->role == rule->au_ctxt.role);
@@ -1964,7 +1980,8 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
                        break;
                }
                break;
-       case AUDIT_SE_TYPE:
+       case AUDIT_SUBJ_TYPE:
+       case AUDIT_OBJ_TYPE:
                switch (op) {
                case AUDIT_EQUAL:
                        match = (ctxt->type == rule->au_ctxt.type);
@@ -1974,9 +1991,12 @@ int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
                        break;
                }
                break;
-       case AUDIT_SE_SEN:
-       case AUDIT_SE_CLR:
-               level = (op == AUDIT_SE_SEN ?
+       case AUDIT_SUBJ_SEN:
+       case AUDIT_SUBJ_CLR:
+       case AUDIT_OBJ_LEV_LOW:
+       case AUDIT_OBJ_LEV_HIGH:
+               level = ((field == AUDIT_SUBJ_SEN ||
+                         field == AUDIT_OBJ_LEV_LOW) ?
                         &ctxt->range.level[0] : &ctxt->range.level[1]);
                switch (op) {
                case AUDIT_EQUAL: