LSM: shrink the common_audit_data data union

After shrinking the common_audit_data stack usage for private LSM data I'm
not going to shrink the data union.  To do this I'm going to move anything
larger than 2 void * ptrs to it's own structure and require it to be declared
separately on the calling stack.  Thus hot paths which don't need more than
a couple pointer don't have to declare space to hold large unneeded
structures.  I could get this down to one void * by dealing with the key
struct and the struct path.  We'll see if that is helpful after taking care of
networking.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 6f4fb37aac8866a713849c12d642871eeae7193d..d1b073ffec240ca0a818fe4f9d387faaad2049e8 100644 (file)
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -22,6 +22,23 @@
 #include <linux/key.h>
 #include <linux/skbuff.h>
 
+struct lsm_network_audit {
+       int netif;
+       struct sock *sk;
+       u16 family;
+       __be16 dport;
+       __be16 sport;
+       union {
+               struct {
+                       __be32 daddr;
+                       __be32 saddr;
+               } v4;
+               struct {
+                       struct in6_addr daddr;
+                       struct in6_addr saddr;
+               } v6;
+       } fam;
+};
 
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
@@ -41,23 +58,7 @@ struct common_audit_data {
                struct path path;
                struct dentry *dentry;
                struct inode *inode;
-               struct {
-                       int netif;
-                       struct sock *sk;
-                       u16 family;
-                       __be16 dport;
-                       __be16 sport;
-                       union {
-                               struct {
-                                       __be32 daddr;
-                                       __be32 saddr;
-                               } v4;
-                               struct {
-                                       struct in6_addr daddr;
-                                       struct in6_addr saddr;
-                               } v6;
-                       } fam;
-               } net;
+               struct lsm_network_audit *net;
                int cap;
                int ipc_id;
                struct task_struct *tsk;

diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 8b8f0902f6e57f744a8f50d774b84a617df12f67..e96c6aa17bb01ad147388a6270e4b1a6f3250841 100644 (file)
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -49,8 +49,8 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
        if (ih == NULL)
                return -EINVAL;
 
-       ad->u.net.v4info.saddr = ih->saddr;
-       ad->u.net.v4info.daddr = ih->daddr;
+       ad->u.net->v4info.saddr = ih->saddr;
+       ad->u.net->v4info.daddr = ih->daddr;
 
        if (proto)
                *proto = ih->protocol;
@@ -64,8 +64,8 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
                if (th == NULL)
                        break;
 
-               ad->u.net.sport = th->source;
-               ad->u.net.dport = th->dest;
+               ad->u.net->sport = th->source;
+               ad->u.net->dport = th->dest;
                break;
        }
        case IPPROTO_UDP: {
@@ -73,8 +73,8 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
                if (uh == NULL)
                        break;
 
-               ad->u.net.sport = uh->source;
-               ad->u.net.dport = uh->dest;
+               ad->u.net->sport = uh->source;
+               ad->u.net->dport = uh->dest;
                break;
        }
        case IPPROTO_DCCP: {
@@ -82,16 +82,16 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
                if (dh == NULL)
                        break;
 
-               ad->u.net.sport = dh->dccph_sport;
-               ad->u.net.dport = dh->dccph_dport;
+               ad->u.net->sport = dh->dccph_sport;
+               ad->u.net->dport = dh->dccph_dport;
                break;
        }
        case IPPROTO_SCTP: {
                struct sctphdr *sh = sctp_hdr(skb);
                if (sh == NULL)
                        break;
-               ad->u.net.sport = sh->source;
-               ad->u.net.dport = sh->dest;
+               ad->u.net->sport = sh->source;
+               ad->u.net->dport = sh->dest;
                break;
        }
        default:
@@ -119,8 +119,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
        ip6 = ipv6_hdr(skb);
        if (ip6 == NULL)
                return -EINVAL;
-       ad->u.net.v6info.saddr = ip6->saddr;
-       ad->u.net.v6info.daddr = ip6->daddr;
+       ad->u.net->v6info.saddr = ip6->saddr;
+       ad->u.net->v6info.daddr = ip6->daddr;
        ret = 0;
        /* IPv6 can have several extension header before the Transport header
         * skip them */
@@ -140,8 +140,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
                if (th == NULL)
                        break;
 
-               ad->u.net.sport = th->source;
-               ad->u.net.dport = th->dest;
+               ad->u.net->sport = th->source;
+               ad->u.net->dport = th->dest;
                break;
        }
        case IPPROTO_UDP: {
@@ -151,8 +151,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
                if (uh == NULL)
                        break;
 
-               ad->u.net.sport = uh->source;
-               ad->u.net.dport = uh->dest;
+               ad->u.net->sport = uh->source;
+               ad->u.net->dport = uh->dest;
                break;
        }
        case IPPROTO_DCCP: {
@@ -162,8 +162,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
                if (dh == NULL)
                        break;
 
-               ad->u.net.sport = dh->dccph_sport;
-               ad->u.net.dport = dh->dccph_dport;
+               ad->u.net->sport = dh->dccph_sport;
+               ad->u.net->dport = dh->dccph_dport;
                break;
        }
        case IPPROTO_SCTP: {
@@ -172,8 +172,8 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
                sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
                if (sh == NULL)
                        break;
-               ad->u.net.sport = sh->source;
-               ad->u.net.dport = sh->dest;
+               ad->u.net->sport = sh->source;
+               ad->u.net->dport = sh->dest;
                break;
        }
        default:
@@ -281,8 +281,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
                }
                break;
        case LSM_AUDIT_DATA_NET:
-               if (a->u.net.sk) {
-                       struct sock *sk = a->u.net.sk;
+               if (a->u.net->sk) {
+                       struct sock *sk = a->u.net->sk;
                        struct unix_sock *u;
                        int len = 0;
                        char *p = NULL;
@@ -330,29 +330,29 @@ static void dump_common_audit_data(struct audit_buffer *ab,
                        }
                }
 
-               switch (a->u.net.family) {
+               switch (a->u.net->family) {
                case AF_INET:
-                       print_ipv4_addr(ab, a->u.net.v4info.saddr,
-                                       a->u.net.sport,
+                       print_ipv4_addr(ab, a->u.net->v4info.saddr,
+                                       a->u.net->sport,
                                        "saddr", "src");
-                       print_ipv4_addr(ab, a->u.net.v4info.daddr,
-                                       a->u.net.dport,
+                       print_ipv4_addr(ab, a->u.net->v4info.daddr,
+                                       a->u.net->dport,
                                        "daddr", "dest");
                        break;
                case AF_INET6:
-                       print_ipv6_addr(ab, &a->u.net.v6info.saddr,
-                                       a->u.net.sport,
+                       print_ipv6_addr(ab, &a->u.net->v6info.saddr,
+                                       a->u.net->sport,
                                        "saddr", "src");
-                       print_ipv6_addr(ab, &a->u.net.v6info.daddr,
-                                       a->u.net.dport,
+                       print_ipv6_addr(ab, &a->u.net->v6info.daddr,
+                                       a->u.net->dport,
                                        "daddr", "dest");
                        break;
                }
-               if (a->u.net.netif > 0) {
+               if (a->u.net->netif > 0) {
                        struct net_device *dev;
 
                        /* NOTE: we always use init's namespace */
-                       dev = dev_get_by_index(&init_net, a->u.net.netif);
+                       dev = dev_get_by_index(&init_net, a->u.net->netif);
                        if (dev) {
                                audit_log_format(ab, " netif=%s", dev->name);
                                dev_put(dev);

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3861ce4b10077d2d39ad1855af10c055c8238506..d85b793c9321c5866a2f6bd2ce60cb5aaff42e17 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3517,8 +3517,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
        if (ihlen < sizeof(_iph))
                goto out;
 
-       ad->u.net.v4info.saddr = ih->saddr;
-       ad->u.net.v4info.daddr = ih->daddr;
+       ad->u.net->v4info.saddr = ih->saddr;
+       ad->u.net->v4info.daddr = ih->daddr;
        ret = 0;
 
        if (proto)
@@ -3536,8 +3536,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
                if (th == NULL)
                        break;
 
-               ad->u.net.sport = th->source;
-               ad->u.net.dport = th->dest;
+               ad->u.net->sport = th->source;
+               ad->u.net->dport = th->dest;
                break;
        }
 
@@ -3552,8 +3552,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
                if (uh == NULL)
                        break;
 
-               ad->u.net.sport = uh->source;
-               ad->u.net.dport = uh->dest;
+               ad->u.net->sport = uh->source;
+               ad->u.net->dport = uh->dest;
                break;
        }
 
@@ -3568,8 +3568,8 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
                if (dh == NULL)
                        break;
 
-               ad->u.net.sport = dh->dccph_sport;
-               ad->u.net.dport = dh->dccph_dport;
+               ad->u.net->sport = dh->dccph_sport;
+               ad->u.net->dport = dh->dccph_dport;
                break;
        }
 
@@ -3596,8 +3596,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
        if (ip6 == NULL)
                goto out;
 
-       ad->u.net.v6info.saddr = ip6->saddr;
-       ad->u.net.v6info.daddr = ip6->daddr;
+       ad->u.net->v6info.saddr = ip6->saddr;
+       ad->u.net->v6info.daddr = ip6->daddr;
        ret = 0;
 
        nexthdr = ip6->nexthdr;
@@ -3617,8 +3617,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
                if (th == NULL)
                        break;
 
-               ad->u.net.sport = th->source;
-               ad->u.net.dport = th->dest;
+               ad->u.net->sport = th->source;
+               ad->u.net->dport = th->dest;
                break;
        }
 
@@ -3629,8 +3629,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
                if (uh == NULL)
                        break;
 
-               ad->u.net.sport = uh->source;
-               ad->u.net.dport = uh->dest;
+               ad->u.net->sport = uh->source;
+               ad->u.net->dport = uh->dest;
                break;
        }
 
@@ -3641,8 +3641,8 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
                if (dh == NULL)
                        break;
 
-               ad->u.net.sport = dh->dccph_sport;
-               ad->u.net.dport = dh->dccph_dport;
+               ad->u.net->sport = dh->dccph_sport;
+               ad->u.net->dport = dh->dccph_dport;
                break;
        }
 
@@ -3662,13 +3662,13 @@ static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
        char *addrp;
        int ret;
 
-       switch (ad->u.net.family) {
+       switch (ad->u.net->family) {
        case PF_INET:
                ret = selinux_parse_skb_ipv4(skb, ad, proto);
                if (ret)
                        goto parse_error;
-               addrp = (char *)(src ? &ad->u.net.v4info.saddr :
-                                      &ad->u.net.v4info.daddr);
+               addrp = (char *)(src ? &ad->u.net->v4info.saddr :
+                                      &ad->u.net->v4info.daddr);
                goto okay;
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
@@ -3676,8 +3676,8 @@ static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
                ret = selinux_parse_skb_ipv6(skb, ad, proto);
                if (ret)
                        goto parse_error;
-               addrp = (char *)(src ? &ad->u.net.v6info.saddr :
-                                      &ad->u.net.v6info.daddr);
+               addrp = (char *)(src ? &ad->u.net->v6info.saddr :
+                                      &ad->u.net->v6info.daddr);
                goto okay;
 #endif /* IPV6 */
        default:
@@ -3752,6 +3752,7 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
        struct sk_security_struct *sksec = sk->sk_security;
        struct common_audit_data ad;
        struct selinux_audit_data sad = {0,};
+       struct lsm_network_audit net = {0,};
        u32 tsid = task_sid(task);
 
        if (sksec->sid == SECINITSID_KERNEL)
@@ -3759,7 +3760,8 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
 
        COMMON_AUDIT_DATA_INIT(&ad, NET);
        ad.selinux_audit_data = &sad;
-       ad.u.net.sk = sk;
+       ad.u.net = &net;
+       ad.u.net->sk = sk;
 
        return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
 }
@@ -3838,6 +3840,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                struct sk_security_struct *sksec = sk->sk_security;
                struct common_audit_data ad;
                struct selinux_audit_data sad = {0,};
+               struct lsm_network_audit net = {0,};
                struct sockaddr_in *addr4 = NULL;
                struct sockaddr_in6 *addr6 = NULL;
                unsigned short snum;
@@ -3865,8 +3868,9 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                                        goto out;
                                COMMON_AUDIT_DATA_INIT(&ad, NET);
                                ad.selinux_audit_data = &sad;
-                               ad.u.net.sport = htons(snum);
-                               ad.u.net.family = family;
+                               ad.u.net = &net;
+                               ad.u.net->sport = htons(snum);
+                               ad.u.net->family = family;
                                err = avc_has_perm(sksec->sid, sid,
                                                   sksec->sclass,
                                                   SOCKET__NAME_BIND, &ad);
@@ -3899,13 +3903,14 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 
                COMMON_AUDIT_DATA_INIT(&ad, NET);
                ad.selinux_audit_data = &sad;
-               ad.u.net.sport = htons(snum);
-               ad.u.net.family = family;
+               ad.u.net = &net;
+               ad.u.net->sport = htons(snum);
+               ad.u.net->family = family;
 
                if (family == PF_INET)
-                       ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
+                       ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
                else
-                       ad.u.net.v6info.saddr = addr6->sin6_addr;
+                       ad.u.net->v6info.saddr = addr6->sin6_addr;
 
                err = avc_has_perm(sksec->sid, sid,
                                   sksec->sclass, node_perm, &ad);
@@ -3933,6 +3938,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
            sksec->sclass == SECCLASS_DCCP_SOCKET) {
                struct common_audit_data ad;
                struct selinux_audit_data sad = {0,};
+               struct lsm_network_audit net = {0,};
                struct sockaddr_in *addr4 = NULL;
                struct sockaddr_in6 *addr6 = NULL;
                unsigned short snum;
@@ -3959,8 +3965,9 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
 
                COMMON_AUDIT_DATA_INIT(&ad, NET);
                ad.selinux_audit_data = &sad;
-               ad.u.net.dport = htons(snum);
-               ad.u.net.family = sk->sk_family;
+               ad.u.net = &net;
+               ad.u.net->dport = htons(snum);
+               ad.u.net->family = sk->sk_family;
                err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
                if (err)
                        goto out;
@@ -4050,11 +4057,13 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
        struct sk_security_struct *sksec_new = newsk->sk_security;
        struct common_audit_data ad;
        struct selinux_audit_data sad = {0,};
+       struct lsm_network_audit net = {0,};
        int err;
 
        COMMON_AUDIT_DATA_INIT(&ad, NET);
        ad.selinux_audit_data = &sad;
-       ad.u.net.sk = other;
+       ad.u.net = &net;
+       ad.u.net->sk = other;
 
        err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
                           sksec_other->sclass,
@@ -4082,10 +4091,12 @@ static int selinux_socket_unix_may_send(struct socket *sock,
        struct sk_security_struct *osec = other->sk->sk_security;
        struct common_audit_data ad;
        struct selinux_audit_data sad = {0,};
+       struct lsm_network_audit net = {0,};
 
        COMMON_AUDIT_DATA_INIT(&ad, NET);
        ad.selinux_audit_data = &sad;
-       ad.u.net.sk = other->sk;
+       ad.u.net = &net;
+       ad.u.net->sk = other->sk;
 
        return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
                            &ad);
@@ -4122,12 +4133,14 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
        u32 sk_sid = sksec->sid;
        struct common_audit_data ad;
        struct selinux_audit_data sad = {0,};
+       struct lsm_network_audit net = {0,};
        char *addrp;
 
        COMMON_AUDIT_DATA_INIT(&ad, NET);
        ad.selinux_audit_data = &sad;
-       ad.u.net.netif = skb->skb_iif;
-       ad.u.net.family = family;
+       ad.u.net = &net;
+       ad.u.net->netif = skb->skb_iif;
+       ad.u.net->family = family;
        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
        if (err)
                return err;
@@ -4155,6 +4168,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
        u32 sk_sid = sksec->sid;
        struct common_audit_data ad;
        struct selinux_audit_data sad = {0,};
+       struct lsm_network_audit net = {0,};
        char *addrp;
        u8 secmark_active;
        u8 peerlbl_active;
@@ -4180,8 +4194,9 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 
        COMMON_AUDIT_DATA_INIT(&ad, NET);
        ad.selinux_audit_data = &sad;
-       ad.u.net.netif = skb->skb_iif;
-       ad.u.net.family = family;
+       ad.u.net = &net;
+       ad.u.net->netif = skb->skb_iif;
+       ad.u.net->family = family;
        err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
        if (err)
                return err;
@@ -4517,6 +4532,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
        u32 peer_sid;
        struct common_audit_data ad;
        struct selinux_audit_data sad = {0,};
+       struct lsm_network_audit net = {0,};
        u8 secmark_active;
        u8 netlbl_active;
        u8 peerlbl_active;
@@ -4535,8 +4551,9 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
 
        COMMON_AUDIT_DATA_INIT(&ad, NET);
        ad.selinux_audit_data = &sad;
-       ad.u.net.netif = ifindex;
-       ad.u.net.family = family;
+       ad.u.net = &net;
+       ad.u.net->netif = ifindex;
+       ad.u.net->family = family;
        if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
                return NF_DROP;
 
@@ -4624,6 +4641,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
        struct sk_security_struct *sksec;
        struct common_audit_data ad;
        struct selinux_audit_data sad = {0,};
+       struct lsm_network_audit net = {0,};
        char *addrp;
        u8 proto;
 
@@ -4633,8 +4651,9 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
 
        COMMON_AUDIT_DATA_INIT(&ad, NET);
        ad.selinux_audit_data = &sad;
-       ad.u.net.netif = ifindex;
-       ad.u.net.family = family;
+       ad.u.net = &net;
+       ad.u.net->netif = ifindex;
+       ad.u.net->family = family;
        if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
                return NF_DROP;
 
@@ -4657,6 +4676,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
        struct sock *sk;
        struct common_audit_data ad;
        struct selinux_audit_data sad = {0,};
+       struct lsm_network_audit net = {0,};
        char *addrp;
        u8 secmark_active;
        u8 peerlbl_active;
@@ -4704,8 +4724,9 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
 
        COMMON_AUDIT_DATA_INIT(&ad, NET);
        ad.selinux_audit_data = &sad;
-       ad.u.net.netif = ifindex;
-       ad.u.net.family = family;
+       ad.u.net = &net;
+       ad.u.net->netif = ifindex;
+       ad.u.net->family = family;
        if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
                return NF_DROP;
 

diff --git a/security/smack/smack.h b/security/smack/smack.h
index ccba3823d9efcd7b1f8af732ec203b0cb54c89aa..4ede719922edbf3b0f89deb1041168a52bf0e5ce 100644 (file)
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -325,6 +325,14 @@ static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
        a->a.smack_audit_data->function = func;
 }
 
+static inline void smk_ad_init_net(struct smk_audit_info *a, const char *func,
+                                  char type, struct lsm_network_audit *net)
+{
+       smk_ad_init(a, func, type);
+       memset(net, 0, sizeof(*net));
+       a->a.u.net = net;
+}
+
 static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
                                         struct task_struct *t)
 {
@@ -348,7 +356,7 @@ static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
 static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
                                            struct sock *sk)
 {
-       a->a.u.net.sk = sk;
+       a->a.u.net->sk = sk;
 }
 
 #else /* no AUDIT */

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index cd667b4089a52ace663ce24f86f939c80c21dbbf..81c03a597112f15e49ad6e77f162be3c0e0f1f6c 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1939,16 +1939,17 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
        char *hostsp;
        struct socket_smack *ssp = sk->sk_security;
        struct smk_audit_info ad;
+       struct lsm_network_audit net;
 
        rcu_read_lock();
        hostsp = smack_host_label(sap);
        if (hostsp != NULL) {
                sk_lbl = SMACK_UNLABELED_SOCKET;
 #ifdef CONFIG_AUDIT
-               smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
-               ad.a.u.net.family = sap->sin_family;
-               ad.a.u.net.dport = sap->sin_port;
-               ad.a.u.net.v4info.daddr = sap->sin_addr.s_addr;
+               smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
+               ad.a.u.net->family = sap->sin_family;
+               ad.a.u.net->dport = sap->sin_port;
+               ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr;
 #endif
                rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE, &ad);
        } else {
@@ -2808,9 +2809,10 @@ static int smack_unix_stream_connect(struct sock *sock,
        struct socket_smack *osp = other->sk_security;
        struct socket_smack *nsp = newsk->sk_security;
        struct smk_audit_info ad;
+       struct lsm_network_audit net;
        int rc = 0;
 
-       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+       smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
        smk_ad_setfield_u_net_sk(&ad, other);
 
        if (!capable(CAP_MAC_OVERRIDE))
@@ -2840,9 +2842,10 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
        struct socket_smack *ssp = sock->sk->sk_security;
        struct socket_smack *osp = other->sk->sk_security;
        struct smk_audit_info ad;
+       struct lsm_network_audit net;
        int rc = 0;
 
-       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
+       smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
        smk_ad_setfield_u_net_sk(&ad, other->sk);
 
        if (!capable(CAP_MAC_OVERRIDE))
@@ -2990,6 +2993,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
        char *csp;
        int rc;
        struct smk_audit_info ad;
+       struct lsm_network_audit net;
        if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
                return 0;
 
@@ -3007,9 +3011,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
        netlbl_secattr_destroy(&secattr);
 
 #ifdef CONFIG_AUDIT
-       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
-       ad.a.u.net.family = sk->sk_family;
-       ad.a.u.net.netif = skb->skb_iif;
+       smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
+       ad.a.u.net->family = sk->sk_family;
+       ad.a.u.net->netif = skb->skb_iif;
        ipv4_skb_to_auditdata(skb, &ad.a, NULL);
 #endif
        /*
@@ -3152,6 +3156,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
        char *sp;
        int rc;
        struct smk_audit_info ad;
+       struct lsm_network_audit net;
 
        /* handle mapped IPv4 packets arriving via IPv6 sockets */
        if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
@@ -3166,9 +3171,9 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
        netlbl_secattr_destroy(&secattr);
 
 #ifdef CONFIG_AUDIT
-       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
-       ad.a.u.net.family = family;
-       ad.a.u.net.netif = skb->skb_iif;
+       smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
+       ad.a.u.net->family = family;
+       ad.a.u.net->netif = skb->skb_iif;
        ipv4_skb_to_auditdata(skb, &ad.a, NULL);
 #endif
        /*