Commit 2ef6fc99 authored Dec 05, 2024 by Thiébaud Weksteen Committed by Paul Moore Dec 15, 2024

selinux: add netlink nlmsg_type audit message



Add a new audit message type to capture nlmsg-related information. This
is similar to LSM_AUDIT_DATA_IOCTL_OP which was added for the other
SELinux extended permission (ioctl).

Adding a new type is preferred to adding to the existing
lsm_network_audit structure which contains irrelevant information for
the netlink sockets (i.e., dport, sport).

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
[PM: change "nlnk-msgtype" to "nl-msgtype" as discussed]
Signed-off-by: Paul Moore <paul@paul-moore.com>

parent 4aa17619

include/linux/lsm_audit.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -77,6 +77,7 @@ struct common_audit_data {
		#define LSM_AUDIT_DATA_LOCKDOWN 15
		#define LSM_AUDIT_DATA_NOTIFICATION 16
		#define LSM_AUDIT_DATA_ANONINODE 17
		#define LSM_AUDIT_DATA_NLMSGTYPE 18
		union {
		struct path path;
		struct dentry *dentry;
		@@ -98,6 +99,7 @@ struct common_audit_data {
		struct lsm_ibendport_audit *ibendport;
		int reason;
		const char *anonclass;
		u16 nlmsg_type;
		} u;
		/* this union contains LSM specific data */
		union {

security/lsm_audit.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -425,6 +425,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
		case LSM_AUDIT_DATA_ANONINODE:
		audit_log_format(ab, " anonclass=%s", a->u.anonclass);
		break;
		case LSM_AUDIT_DATA_NLMSGTYPE:
		audit_log_format(ab, " nl-msgtype=%hu", a->u.nlmsg_type);
		break;
		} /* switch (a->type) */
		}

security/selinux/hooks.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -5939,14 +5939,14 @@ static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_t
		{
		struct sk_security_struct *sksec = sk->sk_security;
		struct common_audit_data ad;
		struct lsm_network_audit net;
		u8 driver;
		u8 xperm;

		if (sock_skip_has_perm(sksec->sid))
		return 0;

		ad_net_init_from_sk(&ad, &net, sk);
		ad.type = LSM_AUDIT_DATA_NLMSGTYPE;
		ad.u.nlmsg_type = nlmsg_type;

		driver = nlmsg_type >> 8;
		xperm = nlmsg_type & 0xff;