Re: [PATCH] context based audit filtering (take 3)
On Tue, 2006-02-21 at 17:59 -0600, Darrel Goeddel wrote:
- Add a selinux callback for re-initializing the se_rule field when
there is
a policy reload. THIS NEEDS WORK - It doesn't obey proper locking yet, but
it is functional. I need to get my head around the locking of the audit
structures a little better - I'll also take suggestions ;)
<snip>
@@ -726,3 +777,45 @@ unlock_and_return:
rcu_read_unlock();
return result;
}
+
+static int selinux_callback(void)
+{
+ struct audit_entry *entry;
+ int i, j, err = 0;
+
+ /* TODO: add proper locking. */
+ for (i = 0; i < AUDIT_NR_FILTERS; i++) {
+ list_for_each_entry(entry, &audit_filter_list[i], list) {
+ for (j = 0; j < entry->rule.field_count; j++) {
+ struct audit_field *f = &entry->rule.fields[j];
+ switch (f->type) {
+ case AUDIT_SE_USER:
+ case AUDIT_SE_ROLE:
+ case AUDIT_SE_TYPE:
+ case AUDIT_SE_SEN:
+ case AUDIT_SE_CLR:
+ selinux_audit_rule_free(f->se_rule);
+ err = selinux_audit_rule_init(f->type,
+ f->op, f->se_str, &f->se_rule);
+ if (err == -EINVAL) {
+ printk(KERN_WARNING "selinux audit rule for item %s is invalid\n",
f->se_str);
+ err = 0;
+ }
+ if (err)
+ goto out;
+ }
+ }
+ }
+ }
For RCU, you need to make a new copy of the entry, mutate the copy (not
the original), list_replace_rcu the old original with the modified copy,
and call_rcu to drop the original when it is safe to do so. Look at the
SELinux AVC code for an example (avc_update_node).
--
Stephen Smalley
National Security Agency