@@ -1946,7 +1946,7 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
int security_audit_rule_init(u32 field, u32 op, char *rulestr,
struct audit_lsm_rules *lsmrules);
int security_audit_rule_known(struct audit_krule *krule);
-int security_audit_rule_match(u32 secid, u32 field, u32 op,
+int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
struct audit_lsm_rules *lsmrules);
void security_audit_rule_free(struct audit_lsm_rules *lsmrules);
@@ -1963,7 +1963,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
return 0;
}
-static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
+static inline int security_audit_rule_match(struct lsmblob *blob,
+ u32 field, u32 op,
struct audit_lsm_rules *lsmrules)
{
return 0;
@@ -1337,6 +1337,7 @@ int audit_filter(int msgtype, unsigned int listtype)
for (i = 0; i < e->rule.field_count; i++) {
struct audit_field *f = &e->rule.fields[i];
+ struct lsmblob blob;
pid_t pid;
u32 sid;
@@ -1369,8 +1370,9 @@ int audit_filter(int msgtype, unsigned int listtype)
case AUDIT_SUBJ_CLR:
if (f->lsm_str) {
security_current_getsecid_subj(&sid);
- result = security_audit_rule_match(sid,
- f->type, f->op,
+ lsmblob_init(&blob, sid);
+ result = security_audit_rule_match(
+ &blob, f->type, f->op,
&f->lsm_rules);
}
break;
@@ -468,6 +468,7 @@ static int audit_filter_rules(struct task_struct *tsk,
const struct cred *cred;
int i, need_sid = 1;
u32 sid;
+ struct lsmblob blob;
unsigned int sessionid;
if (ctx && rule->prio <= ctx->prio)
@@ -678,8 +679,10 @@ static int audit_filter_rules(struct task_struct *tsk,
security_current_getsecid_subj(&sid);
need_sid = 0;
}
- result = security_audit_rule_match(sid, f->type,
- f->op, &f->lsm_rules);
+ lsmblob_init(&blob, sid);
+ result = security_audit_rule_match(&blob,
+ f->type, f->op,
+ &f->lsm_rules);
}
break;
case AUDIT_OBJ_USER:
@@ -692,15 +695,17 @@ static int audit_filter_rules(struct task_struct *tsk,
if (f->lsm_str) {
/* Find files that match */
if (name) {
+ lsmblob_init(&blob, name->osid);
result = security_audit_rule_match(
- name->osid,
+ &blob,
f->type,
f->op,
&f->lsm_rules);
} else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
+ lsmblob_init(&blob, n->osid);
if (security_audit_rule_match(
- n->osid, f->type, f->op,
+ &blob, f->type, f->op,
&f->lsm_rules)) {
++result;
break;
@@ -710,7 +715,8 @@ static int audit_filter_rules(struct task_struct *tsk,
/* Find ipc objects that match */
if (!ctx || ctx->type != AUDIT_IPC)
break;
- if (security_audit_rule_match(ctx->ipc.osid,
+ lsmblob_init(&blob, ctx->ipc.osid);
+ if (security_audit_rule_match(&blob,
f->type, f->op,
&f->lsm_rules))
++result;
@@ -2683,7 +2683,7 @@ void security_audit_rule_free(struct audit_lsm_rules *lsmrules)
}
}
-int security_audit_rule_match(u32 secid, u32 field, u32 op,
+int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
struct audit_lsm_rules *lsmrules)
{
struct security_hook_list *hp;
@@ -2694,7 +2694,8 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op,
continue;
if (lsmrules->rule[hp->lsmid->slot] == NULL)
continue;
- rc = hp->hook.audit_rule_match(secid, field, op,
+ rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot],
+ field, op,
&lsmrules->rule[hp->lsmid->slot]);
if (rc)
return rc;