tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

audit: remove unused actx param from audit_rule_match

The audit_rule_match() struct audit_context *actx parameter is not used
by any in-tree consumers (selinux, apparmour, integrity, smack).

The audit context is an internal audit structure that should only be
accessed by audit accessor functions.

It was part of commit 03d37d25e0f9 ("LSM/Audit: Introduce generic
Audit LSM hooks") but appears to have never been used.

Remove it.

Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/107

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: fixed the referenced commit title]
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Richard Guy Briggs and committed by
Paul Moore 90462a5b 57d46577

+26 -38
+1 -3
include/linux/lsm_hooks.h
··· 1344 1344 * @field contains the field which relates to current LSM. 1345 1345 * @op contains the operator that will be used for matching. 1346 1346 * @rule points to the audit rule that will be checked against. 1347 - * @actx points to the audit context associated with the check. 1348 1347 * Return 1 if secid matches the rule, 0 if it does not, -ERRNO on failure. 1349 1348 * 1350 1349 * @audit_rule_free: ··· 1763 1764 int (*audit_rule_init)(u32 field, u32 op, char *rulestr, 1764 1765 void **lsmrule); 1765 1766 int (*audit_rule_known)(struct audit_krule *krule); 1766 - int (*audit_rule_match)(u32 secid, u32 field, u32 op, void *lsmrule, 1767 - struct audit_context *actx); 1767 + int (*audit_rule_match)(u32 secid, u32 field, u32 op, void *lsmrule); 1768 1768 void (*audit_rule_free)(void *lsmrule); 1769 1769 #endif /* CONFIG_AUDIT */ 1770 1770
+2 -3
include/linux/security.h
··· 1674 1674 #ifdef CONFIG_SECURITY 1675 1675 int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); 1676 1676 int security_audit_rule_known(struct audit_krule *krule); 1677 - int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, 1678 - struct audit_context *actx); 1677 + int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); 1679 1678 void security_audit_rule_free(void *lsmrule); 1680 1679 1681 1680 #else ··· 1691 1692 } 1692 1693 1693 1694 static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, 1694 - void *lsmrule, struct audit_context *actx) 1695 + void *lsmrule) 1695 1696 { 1696 1697 return 0; 1697 1698 }
+1 -1
kernel/auditfilter.c
··· 1355 1355 if (f->lsm_rule) { 1356 1356 security_task_getsecid(current, &sid); 1357 1357 result = security_audit_rule_match(sid, 1358 - f->type, f->op, f->lsm_rule, NULL); 1358 + f->type, f->op, f->lsm_rule); 1359 1359 } 1360 1360 break; 1361 1361 case AUDIT_EXE:
+12 -9
kernel/auditsc.c
··· 631 631 need_sid = 0; 632 632 } 633 633 result = security_audit_rule_match(sid, f->type, 634 - f->op, 635 - f->lsm_rule, 636 - ctx); 634 + f->op, 635 + f->lsm_rule); 637 636 } 638 637 break; 639 638 case AUDIT_OBJ_USER: ··· 646 647 /* Find files that match */ 647 648 if (name) { 648 649 result = security_audit_rule_match( 649 - name->osid, f->type, f->op, 650 - f->lsm_rule, ctx); 650 + name->osid, 651 + f->type, 652 + f->op, 653 + f->lsm_rule); 651 654 } else if (ctx) { 652 655 list_for_each_entry(n, &ctx->names_list, list) { 653 - if (security_audit_rule_match(n->osid, f->type, 654 - f->op, f->lsm_rule, 655 - ctx)) { 656 + if (security_audit_rule_match( 657 + n->osid, 658 + f->type, 659 + f->op, 660 + f->lsm_rule)) { 656 661 ++result; 657 662 break; 658 663 } ··· 667 664 break; 668 665 if (security_audit_rule_match(ctx->ipc.osid, 669 666 f->type, f->op, 670 - f->lsm_rule, ctx)) 667 + f->lsm_rule)) 671 668 ++result; 672 669 } 673 670 break;
+1 -2
security/apparmor/audit.c
··· 225 225 return 0; 226 226 } 227 227 228 - int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, 229 - struct audit_context *actx) 228 + int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) 230 229 { 231 230 struct aa_audit_rule *rule = vrule; 232 231 struct aa_label *label;
+1 -2
security/apparmor/include/audit.h
··· 192 192 void aa_audit_rule_free(void *vrule); 193 193 int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); 194 194 int aa_audit_rule_known(struct audit_krule *rule); 195 - int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, 196 - struct audit_context *actx); 195 + int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); 197 196 198 197 #endif /* __AA_AUDIT_H */
+1 -2
security/integrity/ima/ima.h
··· 307 307 } 308 308 309 309 static inline int security_filter_rule_match(u32 secid, u32 field, u32 op, 310 - void *lsmrule, 311 - struct audit_context *actx) 310 + void *lsmrule) 312 311 { 313 312 return -EINVAL; 314 313 }
+2 -4
security/integrity/ima/ima_policy.c
··· 340 340 rc = security_filter_rule_match(osid, 341 341 rule->lsm[i].type, 342 342 Audit_equal, 343 - rule->lsm[i].rule, 344 - NULL); 343 + rule->lsm[i].rule); 345 344 break; 346 345 case LSM_SUBJ_USER: 347 346 case LSM_SUBJ_ROLE: ··· 348 349 rc = security_filter_rule_match(secid, 349 350 rule->lsm[i].type, 350 351 Audit_equal, 351 - rule->lsm[i].rule, 352 - NULL); 352 + rule->lsm[i].rule); 353 353 default: 354 354 break; 355 355 }
+2 -4
security/security.c
··· 1783 1783 call_void_hook(audit_rule_free, lsmrule); 1784 1784 } 1785 1785 1786 - int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, 1787 - struct audit_context *actx) 1786 + int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) 1788 1787 { 1789 - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, 1790 - actx); 1788 + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); 1791 1789 } 1792 1790 #endif /* CONFIG_AUDIT */ 1793 1791
+1 -3
security/selinux/include/audit.h
··· 46 46 * @field: the field this rule refers to 47 47 * @op: the operater the rule uses 48 48 * @rule: pointer to the audit rule to check against 49 - * @actx: the audit context (can be NULL) associated with the check 50 49 * 51 50 * Returns 1 if the context id matches the rule, 0 if it does not, and 52 51 * -errno on failure. 53 52 */ 54 - int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, 55 - struct audit_context *actx); 53 + int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule); 56 54 57 55 /** 58 56 * selinux_audit_rule_known - check to see if rule contains selinux fields.
+1 -2
security/selinux/ss/services.c
··· 3376 3376 return 0; 3377 3377 } 3378 3378 3379 - int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, 3380 - struct audit_context *actx) 3379 + int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) 3381 3380 { 3382 3381 struct selinux_state *state = &selinux_state; 3383 3382 struct context *ctxt;
+1 -3
security/smack/smack_lsm.c
··· 4393 4393 * @field: audit rule flags given from user-space 4394 4394 * @op: required testing operator 4395 4395 * @vrule: smack internal rule presentation 4396 - * @actx: audit context associated with the check 4397 4396 * 4398 4397 * The core Audit hook. It's used to take the decision of 4399 4398 * whether to audit or not to audit a given object. 4400 4399 */ 4401 - static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 4402 - struct audit_context *actx) 4400 + static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) 4403 4401 { 4404 4402 struct smack_known *skp; 4405 4403 char *rule = vrule;