From b805b198dc74b73aabb6969a3db734c71c05c88c Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Fri, 24 May 2013 12:09:50 -0400
Subject: selinux: apply selinux checks on new audit message types

We use the read check to get the feature set (like AUDIT_GET) and the write check to set the features (like AUDIT_SET).
Signed-off-by: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris
---
 security/selinux/nlmsgtab.c | 2 ++
 1 file changed, 2 insertions(+) (limited to 'security')
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 855e464e92e..332ac8a80cf 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -116,6 +116,8 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
 { AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
 { AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
 { AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
+ { AUDIT_GET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_READ },
+ { AUDIT_SET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
 };
-- cgit v1.2.3-70-g09d2
From a20b62bdf7a1ed1a334eff3c4cafa97f5826006b Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs
Date: Tue, 1 Oct 2013 21:14:54 -0400
Subject: audit: suppress stock memalloc failure warnings since already managed

Supress the stock memory allocation failure warnings for audit buffers since audit alreay takes care of memory allocation failure warnings, including rate-limiting, in audit_log_start().
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris
---
 security/lsm_audit.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'security')
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 8d8d97dbb38..b0f249d1a1e 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
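Review bot: In security/selinux/nlmsgtab.c, the new `AUDIT_SET_FEATURE` row reuses the generic `NETLINK_AUDIT_SOCKET__NLMSG_WRITE` permission, whereas the `AUDIT_TTY_SET` row just above it has its own `NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT` permission. As written, a domain whose policy already allows nlmsg_write on the audit netlink socket is presumably also allowed to change audit features, and policy cannot grant one without the other. If that coarse grouping is intended, as the commit message suggests, a comment above the two rows would record it, e.g. `/* feature get/set deliberately share the AUDIT_GET/AUDIT_SET permissions */`. The table starts before this hunk, so the other rows are not visible here.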
@@ -396,7 +396,8 @@ void common_lsm_audit(struct common_audit_data *a,
 if (a == NULL)
 return;
 /* we use GFP_ATOMIC so we won't sleep */
- ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC);
+ ab = audit_log_start(current->audit_context, GFP_ATOMIC | __GFP_NOWARN,
+ AUDIT_AVC);
 if (ab == NULL)
 return;
-- cgit v1.2.3-70-g09d2
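Review bot: The comment kept above the call, `/* we use GFP_ATOMIC so we won't sleep */`, no longer explains the whole flag set now that `__GFP_NOWARN` is OR-ed in. With the allocator warning suppressed, a failed allocation here ends in the bare `if (ab == NULL) return;`, so the AVC record is dropped and the only trace is whatever audit_log_start() itself reports. That function is not visible in this hunk, so its rate-limited warning is taken on the commit message's word. I would extend the comment to state the dependency, e.g. `/* GFP_ATOMIC: must not sleep; __GFP_NOWARN: audit_log_start() reports its own allocation failures */`. common_lsm_audit() begins before and continues after the hunk.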