--- v27
+++ v25
@@ -27,48 +27,86 @@
Cc: netdev@vger.kernel.org
---
drivers/android/binder.c | 2 +-
- include/linux/audit.h | 16 +++++
+ include/linux/audit.h | 24 ++++++++
include/linux/security.h | 16 ++++-
- include/net/netlabel.h | 2 +-
+ include/net/netlabel.h | 3 +-
include/net/scm.h | 2 +-
include/net/xfrm.h | 13 +++-
include/uapi/linux/audit.h | 1 +
- kernel/audit.c | 90 +++++++++++++++++++------
- kernel/auditfilter.c | 5 +-
- kernel/auditsc.c | 27 ++++++--
+ kernel/audit.c | 80 ++++++++++++++++++-------
+ kernel/audit.h | 3 +
+ kernel/auditfilter.c | 6 +-
+ kernel/auditsc.c | 75 ++++++++++++++++++++---
net/ipv4/ip_sockglue.c | 2 +-
net/netfilter/nf_conntrack_netlink.c | 4 +-
net/netfilter/nf_conntrack_standalone.c | 2 +-
net/netfilter/nfnetlink_queue.c | 2 +-
- net/netlabel/netlabel_unlabeled.c | 21 +++---
- net/netlabel/netlabel_user.c | 14 ++--
+ net/netlabel/netlabel_domainhash.c | 4 +-
+ net/netlabel/netlabel_unlabeled.c | 24 ++++----
+ net/netlabel/netlabel_user.c | 20 ++++---
net/netlabel/netlabel_user.h | 6 +-
- net/xfrm/xfrm_policy.c | 8 ++-
- net/xfrm/xfrm_state.c | 18 +++--
- security/integrity/ima/ima_api.c | 6 +-
- security/integrity/integrity_audit.c | 5 +-
- security/security.c | 46 ++++++++-----
+ net/xfrm/xfrm_policy.c | 10 ++--
+ net/xfrm/xfrm_state.c | 20 ++++---
+ security/integrity/ima/ima_api.c | 7 ++-
+ security/integrity/integrity_audit.c | 6 +-
+ security/security.c | 46 +++++++++-----
security/smack/smackfs.c | 3 +-
- 23 files changed, 221 insertions(+), 90 deletions(-)
+ 25 files changed, 274 insertions(+), 107 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
-index f2a27bbbbe4d..7818c0fe0f38 100644
+index 4c810ea52ab7..28f573d46391 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
-@@ -2722,7 +2722,7 @@ static void binder_transaction(struct binder_proc *proc,
- * case well anyway.
- */
- security_task_getsecid_obj(proc->tsk, &blob);
+@@ -2700,7 +2700,7 @@ static void binder_transaction(struct binder_proc *proc,
+ size_t added_size;
+
+ security_task_getsecid(proc->tsk, &blob);
- ret = security_secid_to_secctx(&blob, &lsmctx);
+ ret = security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_DISPLAY);
if (ret) {
return_error = BR_FAILED_REPLY;
return_error_param = ret;
diff --git a/include/linux/audit.h b/include/linux/audit.h
-index 97cd7471e572..85eb87f6f92d 100644
+index 97cd7471e572..229cd71fbf09 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
-@@ -291,6 +291,7 @@ extern int audit_alloc(struct task_struct *task);
+@@ -164,6 +164,8 @@ extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp
+ extern __printf(2, 3)
+ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
+ extern void audit_log_end(struct audit_buffer *ab);
++extern void audit_log_end_local(struct audit_buffer *ab,
++ struct audit_context *context);
+ extern bool audit_string_contains_control(const char *string,
+ size_t len);
+ extern void audit_log_n_hex(struct audit_buffer *ab,
+@@ -188,6 +190,7 @@ extern void audit_log_lost(const char *message);
+
+ extern int audit_log_task_context(struct audit_buffer *ab);
+ extern void audit_log_task_info(struct audit_buffer *ab);
++extern void audit_log_lsm(struct audit_context *context);
+
+ extern int audit_update_lsm_rules(void);
+
+@@ -226,6 +229,9 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
+ { }
+ static inline void audit_log_end(struct audit_buffer *ab)
+ { }
++static inline void audit_log_end_local(struct audit_buffer *ab,
++ struct audit_context *context)
++{ }
+ static inline void audit_log_n_hex(struct audit_buffer *ab,
+ const unsigned char *buf, size_t len)
+ { }
+@@ -252,6 +258,8 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
+ }
+ static inline void audit_log_task_info(struct audit_buffer *ab)
+ { }
++static void audit_log_lsm(struct audit_context *context)
++{ }
+
+ static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
+ {
+@@ -291,6 +299,7 @@ extern int audit_alloc(struct task_struct *task);
extern void __audit_free(struct task_struct *task);
extern struct audit_context *audit_alloc_local(gfp_t gfpflags);
extern void audit_free_context(struct audit_context *context);
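Review bot: The !CONFIG_AUDIT stub `static void audit_log_lsm(struct audit_context *context) { }` added to include/linux/audit.h lacks `inline`, unlike the neighbouring `static inline void audit_log_end_local(...)` stub; a non-inline static function defined in a header becomes a separate, unused definition in every translation unit that includes it and will draw -Wunused-function warnings. Change it to `static inline void audit_log_lsm(struct audit_context *context)`. The prototype side of the hunk is otherwise consistent with the new definitions in kernel/audit.c and kernel/auditsc.c later in this diff.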
@@ -76,7 +114,7 @@
extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
unsigned long a2, unsigned long a3);
extern void __audit_syscall_exit(int ret_success, long ret_value);
-@@ -386,6 +387,19 @@ static inline void audit_ptrace(struct task_struct *t)
+@@ -386,6 +395,19 @@ static inline void audit_ptrace(struct task_struct *t)
__audit_ptrace(t);
}
@@ -96,7 +134,7 @@
/* Private API (for audit.c only) */
extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
-@@ -560,6 +574,8 @@ extern int audit_signals;
+@@ -560,6 +582,8 @@ extern int audit_signals;
}
static inline void audit_free_context(struct audit_context *context)
{ }
@@ -106,7 +144,7 @@
{
return 0;
diff --git a/include/linux/security.h b/include/linux/security.h
-index 0129400ff6e9..ddab456e93d3 100644
+index 9dcc910036f4..d2fcbc20d764 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -182,6 +182,8 @@ struct lsmblob {
@@ -134,7 +172,7 @@
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts);
-@@ -578,7 +589,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
+@@ -575,7 +586,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
@@ -144,7 +182,7 @@
int security_secctx_to_secid(const char *secdata, u32 seclen,
struct lsmblob *blob);
void security_release_secctx(struct lsmcontext *cp);
-@@ -1433,7 +1445,7 @@ static inline int security_ismaclabel(const char *name)
+@@ -1414,7 +1426,7 @@ static inline int security_ismaclabel(const char *name)
}
static inline int security_secid_to_secctx(struct lsmblob *blob,
@@ -154,14 +192,15 @@
return -EOPNOTSUPP;
}
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
-index 73fc25b4042b..216cb1ffc8f0 100644
+index 73fc25b4042b..9bc1f969a25d 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
-@@ -97,7 +97,7 @@ struct calipso_doi;
+@@ -97,7 +97,8 @@ struct calipso_doi;
/* NetLabel audit information */
struct netlbl_audit {
- u32 secid;
++ struct audit_context *localcontext;
+ struct lsmblob lsmdata;
kuid_t loginuid;
unsigned int sessionid;
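Review bot: The new `localcontext` member of struct netlbl_audit carries no comment, and the only writer visible in this diff is netlbl_audit_start_common, which stores the context it allocates; netlbl_netlink_auditinfo (later in this diff) fills lsmdata, loginuid and sessionid but leaves localcontext untouched. A reader of the header cannot tell that the field is only meaningful between a successful netlbl_audit_start_common() and the matching audit_log_end_local() call, nor that audit_log_end_local frees it. Suggest `struct audit_context *localcontext; /* set by netlbl_audit_start_common(); consumed and freed by audit_log_end_local() */`.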
@@ -180,7 +219,7 @@
if (!err) {
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, context.len,
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
-index c58a6d4eb610..f8ad20d34498 100644
+index b2a06f10b62c..bfe3ba2a5233 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -669,13 +669,22 @@ struct xfrm_spi_skb_cb {
@@ -221,7 +260,7 @@
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
diff --git a/kernel/audit.c b/kernel/audit.c
-index 841123390d41..36249dab3280 100644
+index a8dc5f55cfa3..5b29a350df78 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -386,10 +386,12 @@ void audit_log_lost(const char *message)
@@ -238,15 +277,16 @@
if (unlikely(!ab))
return rc;
audit_log_format(ab, "op=set %s=%u old=%u ", function_name, new, old);
-@@ -399,6 +401,7 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old,
+@@ -398,7 +400,7 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old,
+ if (rc)
allow_changes = 0; /* Something weird, deny request */
audit_log_format(ab, " res=%d", allow_changes);
- audit_log_end(ab);
-+ audit_free_local(context);
+- audit_log_end(ab);
++ audit_log_end_local(ab, context);
return rc;
}
-@@ -1072,12 +1075,6 @@ static void audit_log_common_recv_msg(struct audit_context *context,
+@@ -1072,12 +1074,6 @@ static void audit_log_common_recv_msg(struct audit_context *context,
audit_log_task_context(*ab);
}
@@ -259,6 +299,14 @@
int is_audit_feature_set(int i)
{
return af.features & AUDIT_FEATURE_TO_MASK(i);
+@@ -1110,6 +1106,7 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
+ audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d",
+ audit_feature_names[which], !!old_feature, !!new_feature,
+ !!old_lock, !!new_lock, res);
++ audit_log_lsm(ab->ctx);
+ audit_log_end(ab);
+ }
+
@@ -1190,6 +1187,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
struct audit_buffer *ab;
u16 msg_type = nlh->nlmsg_type;
@@ -277,15 +325,16 @@
if (msg_type != AUDIT_USER_TTY) {
/* ensure NULL termination */
str[data_len - 1] = '\0';
-@@ -1371,6 +1370,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+@@ -1370,7 +1369,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ data_len--;
audit_log_n_untrustedstring(ab, str, data_len);
}
- audit_log_end(ab);
-+ audit_free_local(lcontext);
+- audit_log_end(ab);
++ audit_log_end_local(ab, lcontext);
}
break;
case AUDIT_ADD_RULE:
-@@ -1378,13 +1378,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+@@ -1378,13 +1377,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (data_len < sizeof(struct audit_rule_data))
return -EINVAL;
if (audit_enabled == AUDIT_LOCKED) {
@@ -297,12 +346,12 @@
msg_type == AUDIT_ADD_RULE ?
"add_rule" : "remove_rule",
audit_enabled);
- audit_log_end(ab);
-+ audit_free_local(lcontext);
+- audit_log_end(ab);
++ audit_log_end_local(ab, lcontext);
return -EPERM;
}
err = audit_rule_change(msg_type, seq, data, data_len);
-@@ -1394,10 +1396,11 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+@@ -1394,10 +1394,10 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
break;
case AUDIT_TRIM:
audit_trim_trees();
@@ -311,30 +360,29 @@
+ lcontext = audit_alloc_for_lsm(GFP_KERNEL);
+ audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE);
audit_log_format(ab, " op=trim res=1");
- audit_log_end(ab);
-+ audit_free_local(lcontext);
+- audit_log_end(ab);
++ audit_log_end_local(ab, lcontext);
break;
case AUDIT_MAKE_EQUIV: {
void *bufp = data;
-@@ -1425,14 +1428,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+@@ -1425,6 +1425,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
/* OK, here comes... */
err = audit_tag_tree(old, new);
-- audit_log_common_recv_msg(audit_context(), &ab,
-- AUDIT_CONFIG_CHANGE);
+ lcontext = audit_alloc_for_lsm(GFP_KERNEL);
-+ audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE);
+ audit_log_common_recv_msg(audit_context(), &ab,
+ AUDIT_CONFIG_CHANGE);
audit_log_format(ab, " op=make_equiv old=");
- audit_log_untrustedstring(ab, old);
+@@ -1432,7 +1433,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
audit_log_format(ab, " new=");
audit_log_untrustedstring(ab, new);
audit_log_format(ab, " res=%d", !err);
- audit_log_end(ab);
-+ audit_free_local(lcontext);
+- audit_log_end(ab);
++ audit_log_end_local(ab, lcontext);
kfree(old);
kfree(new);
break;
-@@ -1443,7 +1447,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+@@ -1443,7 +1444,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (lsmblob_is_set(&audit_sig_lsm)) {
err = security_secid_to_secctx(&audit_sig_lsm,
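Review bot: In the AUDIT_MAKE_EQUIV case the record is started with `audit_log_common_recv_msg(audit_context(), &ab, AUDIT_CONFIG_CHANGE)` but ended with `audit_log_end_local(ab, lcontext)`, so `ab->ctx` and `lcontext` are different objects (as far as the collapsed markers in this interdiff can be read): audit_log_task_context saves the subject blob into `ab->ctx->lsm`, or drops it when that context is NULL, while audit_log_lsm_common reads `lcontext->lsm`, which nothing on this page sets unless audit_alloc_for_lsm pre-populates it. The likely effect is that no AUDIT_MAC_TASK_CONTEXTS record follows this config-change event. The AUDIT_TRIM case just above passes `lcontext` to both calls, and the same mismatch recurs in the AUDIT_TTY_SET hunk further down (`audit_log_common_recv_msg(audit_context(), &ab, AUDIT_CONFIG_CHANGE)` followed by `audit_log_end_local(ab, lcontext)`). Change the start call to `audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE);` in both places so the buffer and the context that is reported and freed are the same.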
@@ -343,24 +391,23 @@
if (err)
return err;
}
-@@ -1498,13 +1502,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+@@ -1498,13 +1499,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
old.enabled = t & AUDIT_TTY_ENABLE;
old.log_passwd = !!(t & AUDIT_TTY_LOG_PASSWD);
-- audit_log_common_recv_msg(audit_context(), &ab,
-- AUDIT_CONFIG_CHANGE);
+ lcontext = audit_alloc_for_lsm(GFP_KERNEL);
-+ audit_log_common_recv_msg(lcontext, &ab, AUDIT_CONFIG_CHANGE);
+ audit_log_common_recv_msg(audit_context(), &ab,
+ AUDIT_CONFIG_CHANGE);
audit_log_format(ab, " op=tty_set old-enabled=%d new-enabled=%d"
" old-log_passwd=%d new-log_passwd=%d res=%d",
old.enabled, s.enabled, old.log_passwd,
s.log_passwd, !err);
- audit_log_end(ab);
-+ audit_free_local(lcontext);
+- audit_log_end(ab);
++ audit_log_end_local(ab, lcontext);
break;
}
default:
-@@ -1550,6 +1555,7 @@ static void audit_receive(struct sk_buff *skb)
+@@ -1550,6 +1552,7 @@ static void audit_receive(struct sk_buff *skb)
/* Log information about who is connecting to the audit multicast socket */
static void audit_log_multicast(int group, const char *op, int err)
{
@@ -368,7 +415,7 @@
const struct cred *cred;
struct tty_struct *tty;
char comm[sizeof(current->comm)];
-@@ -1558,7 +1564,8 @@ static void audit_log_multicast(int group, const char *op, int err)
+@@ -1558,7 +1561,8 @@ static void audit_log_multicast(int group, const char *op, int err)
if (!audit_enabled)
return;
@@ -378,52 +425,16 @@
if (!ab)
return;
-@@ -1577,6 +1584,7 @@ static void audit_log_multicast(int group, const char *op, int err)
+@@ -1576,7 +1580,7 @@ static void audit_log_multicast(int group, const char *op, int err)
+ audit_log_untrustedstring(ab, get_task_comm(comm, current));
audit_log_d_path_exe(ab, current->mm); /* exe= */
audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err);
- audit_log_end(ab);
-+ audit_free_local(context);
+- audit_log_end(ab);
++ audit_log_end_local(ab, context);
}
/* Run custom bind function on netlink socket group connect or bind requests. */
-@@ -2128,6 +2136,36 @@ void audit_log_key(struct audit_buffer *ab, char *key)
- audit_log_format(ab, "(null)");
- }
-
-+static void audit_log_lsm(struct audit_context *context, struct lsmblob *blob)
-+{
-+ struct audit_buffer *ab;
-+ struct lsmcontext lsmdata;
-+ bool sep = false;
-+ int error;
-+ int i;
-+
-+ ab = audit_log_start(context, GFP_ATOMIC, AUDIT_MAC_TASK_CONTEXTS);
-+ if (!ab)
-+ return; /* audit_panic or being filtered */
-+
-+ for (i = 0; i < LSMBLOB_ENTRIES; i++) {
-+ if (blob->secid[i] == 0)
-+ continue;
-+ error = security_secid_to_secctx(blob, &lsmdata, i);
-+ if (error && error != -EINVAL) {
-+ audit_panic("error in audit_log_lsm");
-+ return;
-+ }
-+
-+ audit_log_format(ab, "%ssubj_%s=%s", sep ? " " : "",
-+ lsm_slot_to_name(i), lsmdata.context);
-+ sep = true;
-+
-+ security_release_secctx(&lsmdata);
-+ }
-+ audit_log_end(ab);
-+}
-+
- int audit_log_task_context(struct audit_buffer *ab)
- {
- int error;
-@@ -2138,7 +2176,18 @@ int audit_log_task_context(struct audit_buffer *ab)
+@@ -2138,7 +2142,19 @@ int audit_log_task_context(struct audit_buffer *ab)
if (!lsmblob_is_set(&blob))
return 0;
@@ -434,8 +445,9 @@
+ * into a separate record to maintain compatibility.
+ */
+ if (lsm_multiple_contexts()) {
++ if (ab->ctx)
++ ab->ctx->lsm = blob;
+ audit_log_format(ab, " subj=?");
-+ audit_log_lsm(ab->ctx, &blob);
+ return 0;
+ }
+
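Review bot: In the lsm_multiple_contexts() branch of audit_log_task_context, when `ab->ctx` is NULL the blob is stored nowhere, yet the record still receives `subj=?` and the function returns 0, so the subject's security contexts silently vanish from the event with no follow-up AUDIT_MAC_TASK_CONTEXTS record to recover them. Whether a NULL `ab->ctx` can reach this path depends on callers not shown here, but the outcome would be an audit record that asserts a subject exists while giving no way to identify it. Consider handling the NULL case explicitly (for example by returning an error so the caller notices) or at least documenting the assumption with `/* the buffer must have a context; without one the blob cannot be deferred to a MAC_TASK_CONTEXTS record */`. audit_log_task_context begins and ends outside this hunk.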
@@ -443,7 +455,15 @@
if (error) {
if (error != -EINVAL)
goto error_path;
-@@ -2274,6 +2323,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
+@@ -2224,6 +2240,7 @@ void audit_log_task_info(struct audit_buffer *ab)
+ audit_log_untrustedstring(ab, get_task_comm(comm, current));
+ audit_log_d_path_exe(ab, current->mm);
+ audit_log_task_context(ab);
++ audit_log_lsm(ab->ctx);
+ }
+ EXPORT_SYMBOL(audit_log_task_info);
+
+@@ -2274,6 +2291,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
unsigned int oldsessionid,
unsigned int sessionid, int rc)
{
@@ -451,7 +471,7 @@
struct audit_buffer *ab;
uid_t uid, oldloginuid, loginuid;
struct tty_struct *tty;
-@@ -2281,7 +2331,8 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
+@@ -2281,7 +2299,8 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
if (!audit_enabled)
return;
@@ -461,16 +481,67 @@
if (!ab)
return;
-@@ -2297,6 +2348,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
+@@ -2296,7 +2315,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
+ oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
oldsessionid, sessionid, !rc);
audit_put_tty(tty);
- audit_log_end(ab);
+- audit_log_end(ab);
++ audit_log_end_local(ab, context);
+ }
+
+ /**
+@@ -2396,6 +2415,21 @@ void audit_log_end(struct audit_buffer *ab)
+ audit_buffer_free(ab);
+ }
+
++/**
++ * audit_log_end_local - end one audit record with local context
++ * @ab: the audit_buffer
++ * @context: the local context
++ *
++ * Emit an LSM context record if appropriate, then end the audit event
++ * in the usual way.
++ */
++void audit_log_end_local(struct audit_buffer *ab, struct audit_context *context)
++{
++ audit_log_end(ab);
++ audit_log_lsm_common(context);
+ audit_free_local(context);
- }
-
++}
++
/**
+ * audit_log - Log an audit record
+ * @ctx: audit context
+diff --git a/kernel/audit.h b/kernel/audit.h
+index 3f2285e1c6e0..4f245c3dac0c 100644
+--- a/kernel/audit.h
++++ b/kernel/audit.h
+@@ -100,6 +100,7 @@ struct audit_context {
+ int dummy; /* must be the first element */
+ int in_syscall; /* 1 if task is in a syscall */
+ bool local; /* local context needed */
++ bool lsmdone; /* multiple security reported */
+ enum audit_state state, current_state;
+ unsigned int serial; /* serial number for record */
+ int major; /* syscall number */
+@@ -131,6 +132,7 @@ struct audit_context {
+ kgid_t gid, egid, sgid, fsgid;
+ unsigned long personality;
+ int arch;
++ struct lsmblob lsm;
+
+ pid_t target_pid;
+ kuid_t target_auid;
+@@ -201,6 +203,7 @@ struct audit_context {
+ extern bool audit_ever_enabled;
+
+ extern void audit_log_session_info(struct audit_buffer *ab);
++extern void audit_log_lsm_common(struct audit_context *context);
+
+ extern int auditd_test_task(struct task_struct *task);
+
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
-index 1ba14a7a38f7..fd71c6bac200 100644
+index 9e73a7961665..2b0a6fda767d 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1098,12 +1098,14 @@ static void audit_list_rules(int seq, struct sk_buff_head *q)
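Review bot: audit_log_end_local calls audit_log_lsm_common(context) unconditionally rather than audit_log_lsm(context), so it ignores the `lsmdone` flag that audit_log_lsm_common itself sets; if any caller of audit_log_end_local has already emitted the record through audit_log_task_info (which now calls audit_log_lsm(ab->ctx) earlier in this diff), the AUDIT_MAC_TASK_CONTEXTS record is written twice for the same event. Since audit_log_lsm does not tolerate a NULL context and audit_alloc_local can return NULL (see the out-of-memory path in kernel/auditsc.c later in this diff), the guard belongs here: `if (context && !context->lsmdone) audit_log_lsm_common(context);`. The kerneldoc should also state the contract the function relies on, e.g. `@context: the local context @ab was started with; it is freed here`, because the blob it reports is the one audit_log_task_context saved into `ab->ctx->lsm`, and the trailing audit_free_local() transfers ownership. The `lsmdone` and `lsm` fields added to struct audit_context in kernel/audit.h would benefit from a one-line comment each saying who sets and who clears them.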
@@ -489,19 +560,28 @@
if (!ab)
return;
audit_log_session_info(ab);
-@@ -1112,6 +1114,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
+@@ -1111,7 +1113,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
+ audit_log_format(ab, " op=%s", action);
audit_log_key(ab, rule->filterkey);
audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
- audit_log_end(ab);
-+ audit_free_local(context);
+- audit_log_end(ab);
++ audit_log_end_local(ab, context);
}
/**
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index d4e061f95da8..c3e3749328aa 100644
+index 8994d4f4672e..4d0f3fa0bcb0 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
-@@ -987,12 +987,11 @@ struct audit_context *audit_alloc_local(gfp_t gfpflags)
+@@ -942,6 +942,7 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state,
+ INIT_LIST_HEAD(&context->names_list);
+ context->fds[0] = -1;
+ context->return_valid = AUDITSC_INVALID;
++ context->lsmdone = false;
+ return context;
+ }
+
+@@ -989,12 +990,11 @@ struct audit_context *audit_alloc_local(gfp_t gfpflags)
context = audit_alloc_context(AUDIT_RECORD_CONTEXT, gfpflags);
if (!context) {
audit_log_lost("out of memory in audit_alloc_local");
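Review bot: `context->lsmdone = false` is set in audit_alloc_context, but nothing in this diff clears it when a per-task context is reused for the next syscall, and audit_log_exit now calls audit_log_lsm(context), which sets it to true; unless the syscall-exit reset path (not shown here) clears it, only the first audited syscall of a task would get an AUDIT_MAC_TASK_CONTEXTS record. The companion `struct lsmblob lsm` field receives no initialisation here at all, so if audit_alloc_context does not zero the structure, lsmblob_is_set(&context->lsm) in audit_log_lsm_common could act on stale data from a previous event. Suggest `lsmblob_init(&context->lsm, 0);` next to the lsmdone assignment, and resetting both fields wherever the context is recycled between syscalls. audit_alloc_context begins outside this hunk.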
@@ -515,7 +595,7 @@
return context;
}
EXPORT_SYMBOL(audit_alloc_local);
-@@ -1013,6 +1012,13 @@ void audit_free_context(struct audit_context *context)
+@@ -1015,6 +1015,13 @@ void audit_free_context(struct audit_context *context)
}
EXPORT_SYMBOL(audit_free_context);
@@ -529,7 +609,7 @@
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
kuid_t auid, kuid_t uid,
unsigned int sessionid,
-@@ -1030,7 +1036,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
+@@ -1032,7 +1039,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
if (lsmblob_is_set(blob)) {
@@ -538,7 +618,7 @@
audit_log_format(ab, " obj=(none)");
rc = 1;
} else {
-@@ -1275,7 +1281,8 @@ static void show_special(struct audit_context *context, int *call_panic)
+@@ -1277,7 +1284,8 @@ static void show_special(struct audit_context *context, int *call_panic)
struct lsmblob blob;
lsmblob_init(&blob, osid);
@@ -548,7 +628,7 @@
audit_log_format(ab, " osid=%u", osid);
*call_panic = 1;
} else {
-@@ -1430,7 +1437,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
+@@ -1432,7 +1440,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
struct lsmcontext lsmctx;
lsmblob_init(&blob, n->osid);
@@ -557,7 +637,73 @@
audit_log_format(ab, " osid=%u", n->osid);
if (call_panic)
*call_panic = 2;
-@@ -2619,10 +2626,12 @@ void __audit_ntp_log(const struct audit_ntp_data *ad)
+@@ -1506,6 +1514,47 @@ static void audit_log_proctitle(void)
+ audit_log_end(ab);
+ }
+
++void audit_log_lsm_common(struct audit_context *context)
++{
++ struct audit_buffer *ab;
++ struct lsmcontext lsmdata;
++ bool sep = false;
++ int error;
++ int i;
++
++ if (!lsm_multiple_contexts() || context == NULL ||
++ !lsmblob_is_set(&context->lsm))
++ return;
++
++ ab = audit_log_start(context, GFP_ATOMIC, AUDIT_MAC_TASK_CONTEXTS);
++ if (!ab)
++ return; /* audit_panic or being filtered */
++
++ for (i = 0; i < LSMBLOB_ENTRIES; i++) {
++ if (context->lsm.secid[i] == 0)
++ continue;
++ error = security_secid_to_secctx(&context->lsm, &lsmdata, i);
++ if (error && error != -EINVAL) {
++ audit_panic("error in audit_log_lsm");
++ return;
++ }
++
++ audit_log_format(ab, "%ssubj_%s=%s", sep ? " " : "",
++ lsm_slot_to_name(i), lsmdata.context);
++ sep = true;
++
++ security_release_secctx(&lsmdata);
++ }
++ audit_log_end(ab);
++ context->lsmdone = true;
++}
++
++void audit_log_lsm(struct audit_context *context)
++{
++ if (!context->lsmdone)
++ audit_log_lsm_common(context);
++}
++
+ static void audit_log_exit(void)
+ {
+ int i, call_panic = 0;
+@@ -1540,6 +1589,8 @@ static void audit_log_exit(void)
+ audit_log_key(ab, context->filterkey);
+ audit_log_end(ab);
+
++ audit_log_lsm(context);
++
+ for (aux = context->aux; aux; aux = aux->next) {
+
+ ab = audit_log_start(context, GFP_KERNEL, aux->type);
+@@ -1630,6 +1681,8 @@ static void audit_log_exit(void)
+
+ audit_log_proctitle();
+
++ audit_log_lsm(context);
++
+ /* Send end of event record to help user space know we are finished */
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
+ if (ab)
+@@ -2622,10 +2675,12 @@ void __audit_ntp_log(const struct audit_ntp_data *ad)
void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
enum audit_nfcfgop op, gfp_t gfp)
{
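Review bot: audit_log_lsm dereferences `context->lsmdone` without a NULL check, while its callers pass `ab->ctx` (audit_log_feature_change and audit_log_task_info earlier in this diff) and audit_log_task_context guards that same pointer with `if (ab->ctx)`; audit_log_lsm_common tolerates a NULL context but the wrapper in front of it does not. Change it to `if (context && !context->lsmdone)`. Separately, the error path in audit_log_lsm_common returns after audit_panic() without ending the buffer obtained from audit_log_start, so when audit_panic does not actually panic that record is never completed or freed; add `audit_log_end(ab);` before the `return`. Also, when security_secid_to_secctx returns -EINVAL the loop still formats `lsmdata.context` and calls security_release_secctx(&lsmdata); if -EINVAL leaves lsmdata unset that reads an uninitialised struct, so a `continue` on -EINVAL (after confirming what the LSM fills in on that path) would be safer.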
@@ -571,15 +717,16 @@
if (!ab)
return;
audit_log_format(ab, "table=%s family=%u entries=%u op=%s",
-@@ -2633,6 +2642,7 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
+@@ -2635,7 +2690,7 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
+ audit_log_task_context(ab); /* subj= */
audit_log_format(ab, " comm=");
audit_log_untrustedstring(ab, get_task_comm(comm, current));
- audit_log_end(ab);
-+ audit_free_local(context);
+- audit_log_end(ab);
++ audit_log_end_local(ab, context);
}
EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
-@@ -2667,6 +2677,7 @@ static void audit_log_task(struct audit_buffer *ab)
+@@ -2670,6 +2725,7 @@ static void audit_log_task(struct audit_buffer *ab)
*/
void audit_core_dumps(long signr)
{
@@ -587,7 +734,7 @@
struct audit_buffer *ab;
if (!audit_enabled)
-@@ -2675,12 +2686,14 @@ void audit_core_dumps(long signr)
+@@ -2678,12 +2734,13 @@ void audit_core_dumps(long signr)
if (signr == SIGQUIT) /* don't care for those */
return;
@@ -598,8 +745,8 @@
return;
audit_log_task(ab);
audit_log_format(ab, " sig=%ld res=1", signr);
- audit_log_end(ab);
-+ audit_free_local(context);
+- audit_log_end(ab);
++ audit_log_end_local(ab, context);
}
/**
@@ -617,7 +764,7 @@
return;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
-index 215d3f9e9715..60539221e023 100644
+index f14c0049d7cc..21d250ef81b4 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -344,7 +344,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
@@ -629,7 +776,7 @@
if (ret)
return 0;
-@@ -655,7 +655,7 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
+@@ -660,7 +660,7 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
struct lsmblob blob;
struct lsmcontext context;
@@ -639,7 +786,7 @@
return 0;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
-index df6043d1bc22..861106a5f605 100644
+index 241089cb7e20..b53ef27b57fe 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -177,7 +177,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
@@ -652,7 +799,7 @@
return;
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
-index bf8db099090b..90ecf03b35ba 100644
+index 56784592c820..cb4d02199fdb 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -316,7 +316,7 @@ static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context)
@@ -664,11 +811,33 @@
}
read_unlock_bh(&skb->sk->sk_callback_lock);
+diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
+index dc8c39f51f7d..2690a528d262 100644
+--- a/net/netlabel/netlabel_domainhash.c
++++ b/net/netlabel/netlabel_domainhash.c
+@@ -259,7 +259,7 @@ static void netlbl_domhsh_audit_add(struct netlbl_dom_map *entry,
+ break;
+ }
+ audit_log_format(audit_buf, " res=%u", result == 0 ? 1 : 0);
+- audit_log_end(audit_buf);
++ audit_log_end_local(audit_buf, audit_info->localcontext);
+ }
+ }
+
+@@ -614,7 +614,7 @@ int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry,
+ audit_log_format(audit_buf,
+ " nlbl_domain=%s res=1",
+ entry->domain ? entry->domain : "(default)");
+- audit_log_end(audit_buf);
++ audit_log_end_local(audit_buf, audit_info->localcontext);
+ }
+
+ switch (entry->def.type) {
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
-index 0ce9bee43dd3..061b0c04740b 100644
+index 3befe0738d31..ff5901113a27 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
-@@ -437,7 +437,8 @@ int netlbl_unlhsh_add(struct net *net,
+@@ -437,13 +437,14 @@ int netlbl_unlhsh_add(struct net *net,
unlhsh_add_return:
rcu_read_unlock();
if (audit_buf != NULL) {
@@ -678,7 +847,14 @@
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
-@@ -492,7 +493,8 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
+ }
+ audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
+- audit_log_end(audit_buf);
++ audit_log_end_local(audit_buf, audit_info->localcontext);
+ }
+ return ret_val;
+ }
+@@ -492,13 +493,14 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
if (dev != NULL)
dev_put(dev);
if (entry != NULL &&
@@ -688,7 +864,14 @@
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
-@@ -552,7 +554,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
+ }
+ audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
+- audit_log_end(audit_buf);
++ audit_log_end_local(audit_buf, audit_info->localcontext);
+ }
+
+ if (entry == NULL)
+@@ -552,13 +554,14 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
if (dev != NULL)
dev_put(dev);
if (entry != NULL &&
@@ -698,21 +881,23 @@
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
-@@ -738,11 +741,10 @@ static void netlbl_unlabel_acceptflg_set(u8 value,
- netlabel_unlabel_acceptflg = value;
- audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_ALLOW,
- audit_info);
-- if (audit_buf != NULL) {
-+ if (audit_buf != NULL)
+ }
+ audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
+- audit_log_end(audit_buf);
++ audit_log_end_local(audit_buf, audit_info->localcontext);
+ }
+
+ if (entry == NULL)
+@@ -741,7 +744,7 @@ static void netlbl_unlabel_acceptflg_set(u8 value,
+ if (audit_buf != NULL) {
audit_log_format(audit_buf,
" unlbl_accept=%u old=%u", value, old_val);
- audit_log_end(audit_buf);
-- }
-+ audit_log_end(audit_buf);
- }
-
- /**
-@@ -1122,7 +1124,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
++ audit_log_end_local(audit_buf, audit_info->localcontext);
+ }
+ }
+
+@@ -1122,7 +1125,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
lsmb = (struct lsmblob *)&addr6->lsmblob;
}
@@ -721,7 +906,7 @@
if (ret_val != 0)
goto list_cb_failure;
ret_val = nla_put(cb_arg->skb,
-@@ -1528,14 +1530,11 @@ int __init netlbl_unlabel_defconf(void)
+@@ -1528,14 +1531,11 @@ int __init netlbl_unlabel_defconf(void)
int ret_val;
struct netlbl_dom_map *entry;
struct netlbl_audit audit_info;
@@ -730,26 +915,38 @@
/* Only the kernel is allowed to call this function and the only time
* it is called is at bootup before the audit subsystem is reporting
* messages so don't worry to much about these values. */
-- security_task_getsecid_subj(current, &blob);
+- security_task_getsecid(current, &blob);
- /* scaffolding until audit_info.secid is converted */
- audit_info.secid = blob.secid[0];
-+ security_task_getsecid_subj(current, &audit_info.lsmdata);
++ security_task_getsecid(current, &audit_info.lsmdata);
audit_info.loginuid = GLOBAL_ROOT_UID;
audit_info.sessionid = 0;
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
-index 951ba0639d20..9c43c3cb2088 100644
+index 951ba0639d20..90a18b245380 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
-@@ -85,7 +85,6 @@ struct audit_buffer *netlbl_audit_start_common(int type,
- {
+@@ -83,14 +83,17 @@ int __init netlbl_netlink_init(void)
+ struct audit_buffer *netlbl_audit_start_common(int type,
+ struct netlbl_audit *audit_info)
+ {
++ struct audit_context *audit_ctx;
struct audit_buffer *audit_buf;
struct lsmcontext context;
- struct lsmblob blob;
if (audit_enabled == AUDIT_OFF)
return NULL;
-@@ -98,11 +97,14 @@ struct audit_buffer *netlbl_audit_start_common(int type,
+
+- audit_buf = audit_log_start(audit_context(), GFP_ATOMIC, type);
++ audit_ctx = audit_alloc_for_lsm(GFP_ATOMIC);
++ audit_info->localcontext = audit_ctx;
++
++ audit_buf = audit_log_start(audit_ctx, GFP_ATOMIC, type);
+ if (audit_buf == NULL)
+ return NULL;
+
+@@ -98,11 +101,14 @@ struct audit_buffer *netlbl_audit_start_common(int type,
from_kuid(&init_user_ns, audit_info->loginuid),
audit_info->sessionid);
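Review bot: netlbl_audit_start_common allocates `audit_ctx` with audit_alloc_for_lsm, stores it in `audit_info->localcontext`, and then returns NULL when audit_log_start fails without releasing it; every caller on this page only calls audit_log_end_local (which frees the context) when the returned buffer is non-NULL, so the context leaks on that path. Add `audit_free_local(audit_ctx); audit_info->localcontext = NULL;` inside the existing `if (audit_buf == NULL)` branch. Note also that the `audit_enabled == AUDIT_OFF` early return leaves `localcontext` holding whatever the caller's, often stack-allocated, struct netlbl_audit contained, which is harmless only because no caller reads it on the NULL-buffer path. The function continues past the end of the hunk.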
@@ -770,7 +967,7 @@
return audit_buf;
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
-index 11f6da93f31b..bc1f0cd824d5 100644
+index 438b5db6c714..bd4335443b87 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -34,11 +34,7 @@
@@ -779,18 +976,18 @@
{
- struct lsmblob blob;
-
-- security_task_getsecid_subj(current, &blob);
+- security_task_getsecid(current, &blob);
- /* scaffolding until secid is converted */
- audit_info->secid = blob.secid[0];
-+ security_task_getsecid_subj(current, &audit_info->lsmdata);
++ security_task_getsecid(current, &audit_info->lsmdata);
audit_info->loginuid = audit_get_loginuid(current);
audit_info->sessionid = audit_get_sessionid(current);
}
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index ce500f847b99..18a0a7be7230 100644
+index b74f28cabe24..d0c89b570ac5 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
-@@ -4173,30 +4173,34 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
+@@ -4215,30 +4215,32 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid)
{
@@ -804,8 +1001,8 @@
xfrm_audit_helper_usrinfo(task_valid, audit_buf);
audit_log_format(audit_buf, " res=%u", result);
xfrm_audit_common_policyinfo(xp, audit_buf);
- audit_log_end(audit_buf);
-+ audit_free_local(context);
+- audit_log_end(audit_buf);
++ audit_log_end_local(audit_buf, context);
}
EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
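Review bot: On the new side, `audit_log_end_local(audit_buf, context);` is reached only on the success path of xfrm_audit_policy_add, while the function's opening — where `context` is obtained and where the `audit_buf == NULL` case returns early — lies outside this hunk, so it is not visible whether a locally allocated context is released on that early return. If the context is allocated before audit_log_start() (the netlabel_user.c lines above do `audit_ctx = audit_alloc_for_lsm(GFP_ATOMIC);` first and hand the pointer to the caller via `audit_info->localcontext`, which xfrm has no equivalent of), the failure path would need its own release or the allocation would leak on every audit record dropped under memory pressure — worth confirming in the unchanged lines. The same pattern recurs in the xfrm_audit_policy_delete, xfrm_audit_state_add and xfrm_audit_state_delete hunks below and in the ima_audit_measurement and integrity_audit_message hunks, where `goto out` on `!ab` raises the same question. A short comment at the call would help readers who see only one of these sites, e.g. `/* closes the record and releases the context allocated for this call */`.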
@@ -822,16 +1019,16 @@
xfrm_audit_helper_usrinfo(task_valid, audit_buf);
audit_log_format(audit_buf, " res=%u", result);
xfrm_audit_common_policyinfo(xp, audit_buf);
- audit_log_end(audit_buf);
-+ audit_free_local(context);
+- audit_log_end(audit_buf);
++ audit_log_end_local(audit_buf, context);
}
EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
#endif
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
-index 4496f7efa220..a2ba060af6f1 100644
+index d01ca1a18418..a3d49a854ed2 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
-@@ -2747,29 +2747,33 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
+@@ -2746,29 +2746,31 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid)
{
@@ -845,8 +1042,8 @@
xfrm_audit_helper_usrinfo(task_valid, audit_buf);
xfrm_audit_helper_sainfo(x, audit_buf);
audit_log_format(audit_buf, " res=%u", result);
- audit_log_end(audit_buf);
-+ audit_free_local(context);
+- audit_log_end(audit_buf);
++ audit_log_end_local(audit_buf, context);
}
EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
@@ -862,12 +1059,12 @@
xfrm_audit_helper_usrinfo(task_valid, audit_buf);
xfrm_audit_helper_sainfo(x, audit_buf);
audit_log_format(audit_buf, " res=%u", result);
- audit_log_end(audit_buf);
-+ audit_free_local(context);
+- audit_log_end(audit_buf);
++ audit_log_end_local(audit_buf, context);
}
EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
-@@ -2779,7 +2783,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
+@@ -2778,7 +2780,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
struct audit_buffer *audit_buf;
u32 spi;
@@ -876,7 +1073,7 @@
if (audit_buf == NULL)
return;
xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
-@@ -2797,7 +2801,7 @@ void xfrm_audit_state_replay(struct xfrm_state *x,
+@@ -2796,7 +2798,7 @@ void xfrm_audit_state_replay(struct xfrm_state *x,
struct audit_buffer *audit_buf;
u32 spi;
@@ -885,7 +1082,7 @@
if (audit_buf == NULL)
return;
xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
-@@ -2812,7 +2816,7 @@ void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
+@@ -2811,7 +2813,7 @@ void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
{
struct audit_buffer *audit_buf;
@@ -894,7 +1091,7 @@
if (audit_buf == NULL)
return;
xfrm_audit_helper_pktinfo(skb, family, audit_buf);
-@@ -2826,7 +2830,7 @@ void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
+@@ -2825,7 +2827,7 @@ void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
struct audit_buffer *audit_buf;
u32 spi;
@@ -903,7 +1100,7 @@
if (audit_buf == NULL)
return;
xfrm_audit_helper_pktinfo(skb, family, audit_buf);
-@@ -2844,7 +2848,7 @@ void xfrm_audit_state_icvfail(struct xfrm_state *x,
+@@ -2843,7 +2845,7 @@ void xfrm_audit_state_icvfail(struct xfrm_state *x,
__be32 net_spi;
__be32 net_seq;
@@ -913,7 +1110,7 @@
return;
xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
-index 691f68d478f1..3481990a25a6 100644
+index 691f68d478f1..8e7c660b9b01 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -342,6 +342,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
@@ -935,16 +1132,17 @@
if (!ab)
goto out;
-@@ -369,6 +370,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
+@@ -368,7 +369,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
+ audit_log_format(ab, " hash=\"%s:%s\"", algo_name, hash);
audit_log_task_info(ab);
- audit_log_end(ab);
-+ audit_free_local(context);
+- audit_log_end(ab);
++ audit_log_end_local(ab, context);
iint->flags |= IMA_AUDITED;
out:
diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
-index 29220056207f..c3b313886e15 100644
+index 29220056207f..b38163c43659 100644
--- a/security/integrity/integrity_audit.c
+++ b/security/integrity/integrity_audit.c
@@ -38,13 +38,15 @@ void integrity_audit_message(int audit_msgno, struct inode *inode,
@@ -964,17 +1162,18 @@
audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u",
task_pid_nr(current),
from_kuid(&init_user_ns, current_uid()),
-@@ -64,4 +66,5 @@ void integrity_audit_message(int audit_msgno, struct inode *inode,
+@@ -63,5 +65,5 @@ void integrity_audit_message(int audit_msgno, struct inode *inode,
+ audit_log_format(ab, " ino=%lu", inode->i_ino);
}
audit_log_format(ab, " res=%d errno=%d", !result, errno);
- audit_log_end(ab);
-+ audit_free_local(context);
+- audit_log_end(ab);
++ audit_log_end_local(ab, context);
}
diff --git a/security/security.c b/security/security.c
-index ae23b5a8fe87..81baa94092f4 100644
+index 5d3dad5f800f..7d90f2f531b1 100644
--- a/security/security.c
+++ b/security/security.c
-@@ -2309,7 +2309,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
+@@ -2249,7 +2249,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
hlist_for_each_entry(hp, &security_hook_heads.setprocattr,
list) {
rc = hp->hook.setprocattr(name, value, size);
@@ -983,7 +1182,7 @@
return rc;
}
-@@ -2354,13 +2354,31 @@ int security_ismaclabel(const char *name)
+@@ -2294,13 +2294,31 @@ int security_ismaclabel(const char *name)
}
EXPORT_SYMBOL(security_ismaclabel);
@@ -1017,7 +1216,7 @@
hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
continue;
-@@ -2390,7 +2408,7 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
+@@ -2330,7 +2348,7 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
return hp->hook.secctx_to_secid(secdata, seclen,
&blob->secid[hp->lsmid->slot]);
}
@@ -1026,7 +1225,7 @@
}
EXPORT_SYMBOL(security_secctx_to_secid);
-@@ -2884,23 +2902,17 @@ int security_key_getsecurity(struct key *key, char **_buffer)
+@@ -2824,23 +2842,17 @@ int security_key_getsecurity(struct key *key, char **_buffer)
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
struct security_hook_list *hp;
@@ -1056,7 +1255,7 @@
}
int security_audit_rule_known(struct audit_krule *krule)
-@@ -2932,6 +2944,8 @@ int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
+@@ -2872,6 +2884,8 @@ int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
continue;
if (lsmrule[hp->lsmid->slot] == NULL)
continue;