LSM: shrink the common_audit_data data union

After shrinking the common_audit_data stack usage for private LSM data I'm not going to shrink the data union. To do this I'm going to move anything larger than 2 void * ptrs to it's own structure and require it to be declared separately on the calling stack. Thus hot paths which don't need more than a couple pointer don't have to declare space to hold large unneeded structures. I could get this down to one void * by dealing with the key struct and the struct path. We'll see if that is helpful after taking care of networking. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

LSM: shrink the common_audit_data data union
After shrinking the common_audit_data stack usage for private LSM data I'm not going to shrink the data union. To do this I'm going to move anything larger than 2 void * ptrs to it's own structure and require it to be declared separately on the calling stack. Thus hot paths which don't need more than a couple pointer don't have to declare space to hold large unneeded structures. I could get this down to one void * by dealing with the key struct and the struct path. We'll see if that is helpful after taking care of networking. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
48c62af6 · Eric Paris · Linus Torvalds · 3b3b0e4f · 48c62af6 · 48c62af6
Commit 48c62af6 authored Apr 02, 2012 by Eric Paris Committed by Linus Torvalds Apr 03, 2012
5 changed files
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -22,6 +22,23 @@
 #include <linux/key.h>
 #include <linux/skbuff.h>
+struct lsm_network_audit {
+	int netif;
+	struct sock *sk;
+	u16 family;
+	__be16 dport;
+	__be16 sport;
+	union {
+		struct {
+			__be32 daddr;
+			__be32 saddr;
+		} v4;
+		struct {
+			struct in6_addr daddr;
+			struct in6_addr saddr;
+		} v6;
+	} fam;
+};
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
@@ -41,23 +58,7 @@ struct common_audit_data {
 		struct path path;
 		struct dentry *dentry;
 		struct inode *inode;
-		struct {
+		struct lsm_network_audit *net;
-			int netif;
-			struct sock *sk;
-			u16 family;
-			__be16 dport;
-			__be16 sport;
-			union {
-				struct {
-					__be32 daddr;
-					__be32 saddr;
-				} v4;
-				struct {
-					struct in6_addr daddr;
-					struct in6_addr saddr;
-				} v6;
-			} fam;
-		} net;
 		int cap;
 		int ipc_id;
 		struct task_struct *tsk;

--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -49,8 +49,8 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
 	if (ih == NULL)
 		return -EINVAL;
-	ad->u.net.v4info.saddr = ih->saddr;
+	ad->u.net->v4info.saddr = ih->saddr;
-	ad->u.net.v4info.daddr = ih->daddr;
+	ad->u.net->v4info.daddr = ih->daddr;
 	if (proto)
 		*proto = ih->protocol;
@@ -64,8 +64,8 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
 		if (th == NULL)
 			break;
-		ad->u.net.sport = th->source;
+		ad->u.net->sport = th->source;
-		ad->u.net.dport = th->dest;
+		ad->u.net->dport = th->dest;
 		break;
 	}
 	case IPPROTO_UDP: {
@@ -73,8 +73,8 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
 		if (uh == NULL)
 			break;
-		ad->u.net.sport = uh->source;
+		ad->u.net->sport = uh->source;
-		ad->u.net.dport = uh->dest;
+		ad->u.net->dport = uh->dest;
 		break;
 	}
 	case IPPROTO_DCCP: {
@@ -82,16 +82,16 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
 		if (dh == NULL)
 			break;
-		ad->u.net.sport = dh->dccph_sport;
+		ad->u.net->sport = dh->dccph_sport;
-		ad->u.net.dport = dh->dccph_dport;
+		ad->u.net->dport = dh->dccph_dport;
 		break;
 	}
 	case IPPROTO_SCTP: {
 		struct sctphdr *sh = sctp_hdr(skb);
 		if (sh == NULL)
 			break;
-		ad->u.net.sport = sh->source;
+		ad->u.net->sport = sh->source;
-		ad->u.net.dport = sh->dest;
+		ad->u.net->dport = sh->dest;
 		break;
 	}
 	default:
@@ -119,8 +119,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
 	ip6 = ipv6_hdr(skb);
 	if (ip6 == NULL)
 		return -EINVAL;
-	ad->u.net.v6info.saddr = ip6->saddr;
+	ad->u.net->v6info.saddr = ip6->saddr;
-	ad->u.net.v6info.daddr = ip6->daddr;
+	ad->u.net->v6info.daddr = ip6->daddr;
 	ret = 0;
 	/* IPv6 can have several extension header before the Transport header
 	 * skip them */
@@ -140,8 +140,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
 		if (th == NULL)
 			break;
-		ad->u.net.sport = th->source;
+		ad->u.net->sport = th->source;
-		ad->u.net.dport = th->dest;
+		ad->u.net->dport = th->dest;
 		break;
 	}
 	case IPPROTO_UDP: {
@@ -151,8 +151,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
 		if (uh == NULL)
 			break;
-		ad->u.net.sport = uh->source;
+		ad->u.net->sport = uh->source;
-		ad->u.net.dport = uh->dest;
+		ad->u.net->dport = uh->dest;
 		break;
 	}
 	case IPPROTO_DCCP: {
@@ -162,8 +162,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
 		if (dh == NULL)
 			break;
-		ad->u.net.sport = dh->dccph_sport;
+		ad->u.net->sport = dh->dccph_sport;
-		ad->u.net.dport = dh->dccph_dport;
+		ad->u.net->dport = dh->dccph_dport;
 		break;
 	}
 	case IPPROTO_SCTP: {
@@ -172,8 +172,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
 		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
 		if (sh == NULL)
 			break;
-		ad->u.net.sport = sh->source;
+		ad->u.net->sport = sh->source;
-		ad->u.net.dport = sh->dest;
+		ad->u.net->dport = sh->dest;
 		break;
 	}
 	default:
@@ -281,8 +281,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 		}
 		break;
 	case LSM_AUDIT_DATA_NET:
-		if (a->u.net.sk) {
+		if (a->u.net->sk) {
-			struct sock *sk = a->u.net.sk;
+			struct sock *sk = a->u.net->sk;
 			struct unix_sock *u;
 			int len = 0;
 			char *p = NULL;
@@ -330,29 +330,29 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 			}
 		}
-		switch (a->u.net.family) {
+		switch (a->u.net->family) {
 		case AF_INET:
-			print_ipv4_addr(ab, a->u.net.v4info.saddr,
+			print_ipv4_addr(ab, a->u.net->v4info.saddr,
-					a->u.net.sport,
+					a->u.net->sport,
 					"saddr", "src");
-			print_ipv4_addr(ab, a->u.net.v4info.daddr,
+			print_ipv4_addr(ab, a->u.net->v4info.daddr,
-					a->u.net.dport,
+					a->u.net->dport,
 					"daddr", "dest");
 			break;
 		case AF_INET6:
-			print_ipv6_addr(ab, &a->u.net.v6info.saddr,
+			print_ipv6_addr(ab, &a->u.net->v6info.saddr,
-					a->u.net.sport,
+					a->u.net->sport,
 					"saddr", "src");
-			print_ipv6_addr(ab, &a->u.net.v6info.daddr,
+			print_ipv6_addr(ab, &a->u.net->v6info.daddr,
-					a->u.net.dport,
+					a->u.net->dport,
 					"daddr", "dest");
 			break;
 		}
-		if (a->u.net.netif > 0) {
+		if (a->u.net->netif > 0) {
 			struct net_device *dev;
 			/* NOTE: we always use init's namespace */
-			dev = dev_get_by_index(&init_net, a->u.net.netif);
+			dev = dev_get_by_index(&init_net, a->u.net->netif);
 			if (dev) {
 				audit_log_format(ab, " netif=%s", dev->name);
 				dev_put(dev);

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3517,8 +3517,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
 	if (ihlen < sizeof(_iph))
 		goto out;
-	ad->u.net.v4info.saddr = ih->saddr;
+	ad->u.net->v4info.saddr = ih->saddr;
-	ad->u.net.v4info.daddr = ih->daddr;
+	ad->u.net->v4info.daddr = ih->daddr;
 	ret = 0;
 	if (proto)
@@ -3536,8 +3536,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
 		if (th == NULL)
 			break;
-		ad->u.net.sport = th->source;
+		ad->u.net->sport = th->source;
-		ad->u.net.dport = th->dest;
+		ad->u.net->dport = th->dest;
 		break;
 	}
@@ -3552,8 +3552,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
 		if (uh == NULL)
 			break;
-		ad->u.net.sport = uh->source;
+		ad->u.net->sport = uh->source;
-		ad->u.net.dport = uh->dest;
+		ad->u.net->dport = uh->dest;
 		break;
 	}
@@ -3568,8 +3568,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
 		if (dh == NULL)
 			break;
-		ad->u.net.sport = dh->dccph_sport;
+		ad->u.net->sport = dh->dccph_sport;
-		ad->u.net.dport = dh->dccph_dport;
+		ad->u.net->dport = dh->dccph_dport;
 		break;
 	}
@@ -3596,8 +3596,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
 	if (ip6 == NULL)
 		goto out;
-	ad->u.net.v6info.saddr = ip6->saddr;
+	ad->u.net->v6info.saddr = ip6->saddr;
-	ad->u.net.v6info.daddr = ip6->daddr;
+	ad->u.net->v6info.daddr = ip6->daddr;
 	ret = 0;
 	nexthdr = ip6->nexthdr;
@@ -3617,8 +3617,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
 		if (th == NULL)
 			break;
-		ad->u.net.sport = th->source;
+		ad->u.net->sport = th->source;
-		ad->u.net.dport = th->dest;
+		ad->u.net->dport = th->dest;
 		break;
 	}
@@ -3629,8 +3629,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
 		if (uh == NULL)
 			break;
-		ad->u.net.sport = uh->source;
+		ad->u.net->sport = uh->source;
-		ad->u.net.dport = uh->dest;
+		ad->u.net->dport = uh->dest;
 		break;
 	}
@@ -3641,8 +3641,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
 		if (dh == NULL)
 			break;
-		ad->u.net.sport = dh->dccph_sport;
+		ad->u.net->sport = dh->dccph_sport;
-		ad->u.net.dport = dh->dccph_dport;
+		ad->u.net->dport = dh->dccph_dport;
 		break;
 	}
@@ -3662,13 +3662,13 @@ static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
 	char *addrp;
 	int ret;
-	switch (ad->u.net.family) {
+	switch (ad->u.net->family) {
 	case PF_INET:
 		ret = selinux_parse_skb_ipv4(skb, ad, proto);
 		if (ret)
 			goto parse_error;
-		addrp = (char *)(src ? &ad->u.net.v4info.saddr :
+		addrp = (char *)(src ? &ad->u.net->v4info.saddr :
-				       &ad->u.net.v4info.daddr);
+				       &ad->u.net->v4info.daddr);
 		goto okay;
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
@@ -3676,8 +3676,8 @@ static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
 		if (ret)
 			goto parse_error;
-		addrp = (char *)(src ? &ad->u.net.v6info.saddr :
+		addrp = (char *)(src ? &ad->u.net->v6info.saddr :
-				       &ad->u.net.v6info.daddr);
+				       &ad->u.net->v6info.daddr);
 		goto okay;
 #endif	/* IPV6 */
 	default:
@@ -3752,6 +3752,7 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
 	struct sk_security_struct *sksec = sk->sk_security;
 	struct common_audit_data ad;
 	struct selinux_audit_data sad = {0,};
+	struct lsm_network_audit net = {0,};
 	u32 tsid = task_sid(task);
 	if (sksec->sid == SECINITSID_KERNEL)
@@ -3759,7 +3760,8 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
 	COMMON_AUDIT_DATA_INIT(&ad, NET);
 	ad.selinux_audit_data = &sad;
-	ad.u.net.sk = sk;
+	ad.u.net = &net;
+	ad.u.net->sk = sk;
 	return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
 }
@@ -3838,6 +3840,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 		struct sk_security_struct *sksec = sk->sk_security;
 		struct common_audit_data ad;
 		struct selinux_audit_data sad = {0,};
+		struct lsm_network_audit net = {0,};
 		struct sockaddr_in *addr4 = NULL;
 		struct sockaddr_in6 *addr6 = NULL;
 		unsigned short snum;
@@ -3865,8 +3868,9 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 					goto out;
 				COMMON_AUDIT_DATA_INIT(&ad, NET);
 				ad.selinux_audit_data = &sad;
-				ad.u.net.sport = htons(snum);
+				ad.u.net = &net;
-				ad.u.net.family = family;
+				ad.u.net->sport = htons(snum);
+				ad.u.net->family = family;
 				err = avc_has_perm(sksec->sid, sid,
 						   sksec->sclass,
 						   SOCKET__NAME_BIND, &ad);
@@ -3899,13 +3903,14 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 		COMMON_AUDIT_DATA_INIT(&ad, NET);
 		ad.selinux_audit_data = &sad;
-		ad.u.net.sport = htons(snum);
+		ad.u.net = &net;
-		ad.u.net.family = family;
+		ad.u.net->sport = htons(snum);
+		ad.u.net->family = family;
 		if (family == PF_INET)
-			ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
+			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
 		else
-			ad.u.net.v6info.saddr = addr6->sin6_addr;
+			ad.u.net->v6info.saddr = addr6->sin6_addr;
 		err = avc_has_perm(sksec->sid, sid,
 				   sksec->sclass, node_perm, &ad);
@@ -3933,6 +3938,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
 	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
 		struct common_audit_data ad;
 		struct selinux_audit_data sad = {0,};
+		struct lsm_network_audit net = {0,};
 		struct sockaddr_in *addr4 = NULL;
 		struct sockaddr_in6 *addr6 = NULL;
 		unsigned short snum;
@@ -3959,8 +3965,9 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
 		COMMON_AUDIT_DATA_INIT(&ad, NET);
 		ad.selinux_audit_data = &sad;
-		ad.u.net.dport = htons(snum);
+		ad.u.net = &net;
-		ad.u.net.family = sk->sk_family;
+		ad.u.net->dport = htons(snum);
+		ad.u.net->family = sk->sk_family;
 		err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
 		if (err)
 			goto out;
@@ -4050,11 +4057,13 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
 	struct sk_security_struct *sksec_new = newsk->sk_security;
 	struct common_audit_data ad;
 	struct selinux_audit_data sad = {0,};
+	struct lsm_network_audit net = {0,};
 	int err;
 	COMMON_AUDIT_DATA_INIT(&ad, NET);
 	ad.selinux_audit_data = &sad;
-	ad.u.net.sk = other;
+	ad.u.net = &net;
+	ad.u.net->sk = other;
 	err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
 			   sksec_other->sclass,
@@ -4082,10 +4091,12 @@ static int selinux_socket_unix_may_send(struct socket *sock,
 	struct sk_security_struct *osec = other->sk->sk_security;
 	struct common_audit_data ad;
 	struct selinux_audit_data sad = {0,};
+	struct lsm_network_audit net = {0,};
 	COMMON_AUDIT_DATA_INIT(&ad, NET);
 	ad.selinux_audit_data = &sad;
-	ad.u.net.sk = other->sk;
+	ad.u.net = &net;
+	ad.u.net->sk = other->sk;
 	return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
 			    &ad);
@@ -4122,12 +4133,14 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 	u32 sk_sid = sksec->sid;
 	struct common_audit_data ad;
 	struct selinux_audit_data sad = {0,};
+	struct lsm_network_audit net = {0,};
 	char *addrp;
 	COMMON_AUDIT_DATA_INIT(&ad, NET);
 	ad.selinux_audit_data = &sad;
-	ad.u.net.netif = skb->skb_iif;
+	ad.u.net = &net;
-	ad.u.net.family = family;
+	ad.u.net->netif = skb->skb_iif;
+	ad.u.net->family = family;
 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
 	if (err)
 		return err;
@@ -4155,6 +4168,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 	u32 sk_sid = sksec->sid;
 	struct common_audit_data ad;
 	struct selinux_audit_data sad = {0,};
+	struct lsm_network_audit net = {0,};
 	char *addrp;
 	u8 secmark_active;
 	u8 peerlbl_active;
@@ -4180,8 +4194,9 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 	COMMON_AUDIT_DATA_INIT(&ad, NET);
 	ad.selinux_audit_data = &sad;
-	ad.u.net.netif = skb->skb_iif;
+	ad.u.net = &net;
-	ad.u.net.family = family;
+	ad.u.net->netif = skb->skb_iif;
+	ad.u.net->family = family;
 	err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
 	if (err)
 		return err;
@@ -4517,6 +4532,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
 	u32 peer_sid;
 	struct common_audit_data ad;
 	struct selinux_audit_data sad = {0,};
+	struct lsm_network_audit net = {0,};
 	u8 secmark_active;
 	u8 netlbl_active;
 	u8 peerlbl_active;
@@ -4535,8 +4551,9 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
 	COMMON_AUDIT_DATA_INIT(&ad, NET);
 	ad.selinux_audit_data = &sad;
-	ad.u.net.netif = ifindex;
+	ad.u.net = &net;
-	ad.u.net.family = family;
+	ad.u.net->netif = ifindex;
+	ad.u.net->family = family;
 	if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
 		return NF_DROP;
@@ -4624,6 +4641,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
 	struct sk_security_struct *sksec;
 	struct common_audit_data ad;
 	struct selinux_audit_data sad = {0,};
+	struct lsm_network_audit net = {0,};
 	char *addrp;
 	u8 proto;
@@ -4633,8 +4651,9 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
 	COMMON_AUDIT_DATA_INIT(&ad, NET);
 	ad.selinux_audit_data = &sad;
-	ad.u.net.netif = ifindex;
+	ad.u.net = &net;
-	ad.u.net.family = family;
+	ad.u.net->netif = ifindex;
+	ad.u.net->family = family;
 	if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
 		return NF_DROP;
@@ -4657,6 +4676,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 	struct sock *sk;
 	struct common_audit_data ad;
 	struct selinux_audit_data sad = {0,};
+	struct lsm_network_audit net = {0,};
 	char *addrp;
 	u8 secmark_active;
 	u8 peerlbl_active;
@@ -4704,8 +4724,9 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 	COMMON_AUDIT_DATA_INIT(&ad, NET);
 	ad.selinux_audit_data = &sad;
-	ad.u.net.netif = ifindex;
+	ad.u.net = &net;
-	ad.u.net.family = family;
+	ad.u.net->netif = ifindex;
+	ad.u.net->family = family;
 	if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
 		return NF_DROP;

--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -325,6 +325,14 @@ static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
 	a->a.smack_audit_data->function = func;
 }
+static inline void smk_ad_init_net(struct smk_audit_info *a, const char *func,
+				   char type, struct lsm_network_audit *net)
+{
+	smk_ad_init(a, func, type);
+	memset(net, 0, sizeof(*net));
+	a->a.u.net = net;
+}
 static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
 					 struct task_struct *t)
 {
@@ -348,7 +356,7 @@ static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
 static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
 					    struct sock *sk)
 {
-	a->a.u.net.sk = sk;
+	a->a.u.net->sk = sk;
 }
 #else /* no AUDIT */

--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1939,16 +1939,17 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
 	char *hostsp;
 	struct socket_smack *ssp = sk->sk_security;
 	struct smk_audit_info ad;
+	struct lsm_network_audit net;
 	rcu_read_lock();
 	hostsp = smack_host_label(sap);
 	if (hostsp != NULL) {
 		sk_lbl = SMACK_UNLABELED_SOCKET;
 #ifdef CONFIG_AUDIT
-		smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+		smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
-		ad.a.u.net.family = sap->sin_family;
+		ad.a.u.net->family = sap->sin_family;
-		ad.a.u.net.dport = sap->sin_port;
+		ad.a.u.net->dport = sap->sin_port;
-		ad.a.u.net.v4info.daddr = sap->sin_addr.s_addr;
+		ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr;
 #endif
 		rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE, &ad);
 	} else {
@@ -2808,9 +2809,10 @@ static int smack_unix_stream_connect(struct sock *sock,
 	struct socket_smack *osp = other->sk_security;
 	struct socket_smack *nsp = newsk->sk_security;
 	struct smk_audit_info ad;
+	struct lsm_network_audit net;
 	int rc = 0;
-	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
 	smk_ad_setfield_u_net_sk(&ad, other);
 	if (!capable(CAP_MAC_OVERRIDE))
@@ -2840,9 +2842,10 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
 	struct socket_smack *ssp = sock->sk->sk_security;
 	struct socket_smack *osp = other->sk->sk_security;
 	struct smk_audit_info ad;
+	struct lsm_network_audit net;
 	int rc = 0;
-	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
 	smk_ad_setfield_u_net_sk(&ad, other->sk);
 	if (!capable(CAP_MAC_OVERRIDE))
@@ -2990,6 +2993,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 	char *csp;
 	int rc;
 	struct smk_audit_info ad;
+	struct lsm_network_audit net;
 	if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
 		return 0;
@@ -3007,9 +3011,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 	netlbl_secattr_destroy(&secattr);
 #ifdef CONFIG_AUDIT
-	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
-	ad.a.u.net.family = sk->sk_family;
+	ad.a.u.net->family = sk->sk_family;
-	ad.a.u.net.netif = skb->skb_iif;
+	ad.a.u.net->netif = skb->skb_iif;
 	ipv4_skb_to_auditdata(skb, &ad.a, NULL);
 #endif
 	/*
@@ -3152,6 +3156,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
 	char *sp;
 	int rc;
 	struct smk_audit_info ad;
+	struct lsm_network_audit net;
 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
 	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
@@ -3166,9 +3171,9 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
 	netlbl_secattr_destroy(&secattr);
 #ifdef CONFIG_AUDIT
-	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
-	ad.a.u.net.family = family;
+	ad.a.u.net->family = family;
-	ad.a.u.net.netif = skb->skb_iif;
+	ad.a.u.net->netif = skb->skb_iif;
 	ipv4_skb_to_auditdata(skb, &ad.a, NULL);
 #endif
 	/*