
SELinux: Only store the network interface's ifindex

Instead of storing the packet's network interface name, store the ifindex. This
lets us defer looking up the net_device structure until the audit record is
generated, meaning that in the majority of cases we never need to do the lookup
at all.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>

authored by

Paul Moore and committed by
James Morris
da5645a2 e8bfdb9d

+15 -6
+12 -3
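--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -661,9 +661,18 @@
 				"daddr", "dest");
 			break;
 		}
-		if (a->u.net.netif)
-			audit_log_format(ab, " netif=%s",
-				a->u.net.netif);
+		if (a->u.net.netif > 0) {
+			struct net_device *dev;
+
+			/* NOTE: we always use init's namespace */
+			dev = dev_get_by_index(&init_net,
+					       a->u.net.netif);
+			if (dev) {
+				audit_log_format(ab, " netif=%s",
+						 dev->name);
+				dev_put(dev);
+			}
+		}
 		break;
 	}
 }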
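Review bot: When `dev_get_by_index()` returns NULL in the avc.c hunk — the device was unregistered between the packet being seen and the audit record being written, which the deferred lookup now makes possible — the `netif=` field is dropped from the record with no trace, whereas the old code always printed something; the first hooks.c hunk has the same effect, since an `skb->iif` of 0 replaces the previous `"[unknown]"` fallback and is skipped by the `> 0` test. Audit consumers that key on `netif=` lose the interface identifier in exactly the cases most worth recording. Consider logging the raw index when the name cannot be resolved, e.g. `} else { audit_log_format(ab, " netif=%d", a->u.net.netif); }` after the `if (dev)` block, so the record always carries the value the decision was made with. The NOTE that the lookup always uses `init_net` deserves one more sentence: if the index was taken from a device in another network namespace, the name printed may belong to a different interface, and the record should say the resolution is best-effort. The enclosing function begins before this hunk.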
+2 -2
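--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3928,7 +3928,7 @@
 		family = PF_INET;
 
 	AVC_AUDIT_DATA_INIT(&ad, NET);
-	ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
+	ad.u.net.netif = skb->iif;
 	ad.u.net.family = family;
 
 	err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
@@ -4259,7 +4259,7 @@
 	sksec = sk->sk_security;
 
 	AVC_AUDIT_DATA_INIT(&ad, NET);
-	ad.u.net.netif = dev->name;
+	ad.u.net.netif = dev->ifindex;
 	ad.u.net.family = family;
 
 	err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);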
+1 -1
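--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -51,7 +51,7 @@
 		struct inode *inode;
 	} fs;
 	struct {
-		char *netif;
+		int netif;
 		struct sock *sk;
 		u16 family;
 		__be16 dport;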
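Review bot: The new `int netif` member carries no comment, so a reader of avc.h cannot tell that the former device name has become an ifindex that is only resolved to a name when the audit record is written, nor that a non-positive value means no interface is recorded (avc.c tests `> 0`). A one-line comment would save the next reader a trip to avc.c: `int netif; /* ifindex of the packet's net_device, resolved to a name at audit time; <= 0 means none */`. The enclosing struct starts and ends outside this hunk.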