[PATCH][SELINUX] Audit unrecognized netlink messages
From: Stephen Smalley
Date: Mon Mar 21 2005 - 15:12:34 EST
This patch changes SELinux to audit any unrecognized netlink messages
in controlled classes rather than silently rejecting them, and to
allow them if in permissive mode. Please apply.
Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Signed-off-by: James Morris <jmorris@xxxxxxxxxx>
security/selinux/hooks.c | 10 ++++++++++
1 files changed, 10 insertions(+)
Index: linux-2.6/security/selinux/hooks.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/hooks.c,v
retrieving revision 1.158
diff -u -p -r1.158 hooks.c
--- linux-2.6/security/selinux/hooks.c 21 Mar 2005 15:56:37 -0000 1.158
+++ linux-2.6/security/selinux/hooks.c 21 Mar 2005 16:24:06 -0000
@@ -67,6 +67,7 @@
#include <linux/hugetlb.h>
#include <linux/personality.h>
#include <linux/sysctl.h>
+#include <linux/audit.h>
#include "avc.h"
#include "objsec.h"
@@ -3377,6 +3378,15 @@ static int selinux_nlmsg_perm(struct soc
err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
if (err) {
+ if (err == -EINVAL) {
+ audit_log(current->audit_context,
+ "SELinux: unrecognized netlink message"
+ " type=%hu for sclass=%hu\n",
+ nlh->nlmsg_type, isec->sclass);
+ if (!selinux_enforcing)
+ err = 0;
+ }
+
/* Ignore */
if (err == -ENOENT)
err = 0;
--
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/