Instead of storing the packet's network interface name store the ifindex. This
allows us to defer the need to lookup the net_device structure until the audit
record is generated meaning that in the majority of cases we never need to
bother with this at all.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
"daddr", "dest");
break;
}
"daddr", "dest");
break;
}
- if (a->u.net.netif)
- audit_log_format(ab, " netif=%s",
- a->u.net.netif);
+ if (a->u.net.netif > 0) {
+ struct net_device *dev;
+
+ /* NOTE: we always use init's namespace */
+ dev = dev_get_by_index(&init_net,
+ a->u.net.netif);
+ if (dev) {
+ audit_log_format(ab, " netif=%s",
+ dev->name);
+ dev_put(dev);
+ }
+ }
family = PF_INET;
AVC_AUDIT_DATA_INIT(&ad, NET);
family = PF_INET;
AVC_AUDIT_DATA_INIT(&ad, NET);
- ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
+ ad.u.net.netif = skb->iif;
ad.u.net.family = family;
err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
ad.u.net.family = family;
err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
sksec = sk->sk_security;
AVC_AUDIT_DATA_INIT(&ad, NET);
sksec = sk->sk_security;
AVC_AUDIT_DATA_INIT(&ad, NET);
- ad.u.net.netif = dev->name;
+ ad.u.net.netif = dev->ifindex;
ad.u.net.family = family;
err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
ad.u.net.family = family;
err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
struct inode *inode;
} fs;
struct {
struct inode *inode;
} fs;
struct {
struct sock *sk;
u16 family;
__be16 dport;
struct sock *sk;
u16 family;
__be16 dport;