aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm/xfrm_user.c
diff options
context:
space:
mode:
authorJoy Latten <latten@austin.ibm.com>2006-11-27 14:11:54 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-06 23:14:22 -0500
commit161a09e737f0761ca064ee6a907313402f7a54b6 (patch)
tree80fdf6dc5de73d810ef0ec811299a5ec3c5ce23e /net/xfrm/xfrm_user.c
parent95b99a670df31ca5271f503f378e5cac3aee8f5e (diff)
audit: Add auditing to ipsec
An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_user.c')
-rw-r--r--net/xfrm/xfrm_user.c33
1 files changed, 30 insertions, 3 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 311205ffa77..e5372b11fc8 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -31,6 +31,7 @@
31#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 31#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
32#include <linux/in6.h> 32#include <linux/in6.h>
33#endif 33#endif
34#include <linux/audit.h>
34 35
35static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) 36static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type)
36{ 37{
@@ -454,6 +455,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
454 else 455 else
455 err = xfrm_state_update(x); 456 err = xfrm_state_update(x);
456 457
458 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
459 AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
460
457 if (err < 0) { 461 if (err < 0) {
458 x->km.state = XFRM_STATE_DEAD; 462 x->km.state = XFRM_STATE_DEAD;
459 __xfrm_state_put(x); 463 __xfrm_state_put(x);
@@ -523,6 +527,10 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
523 } 527 }
524 528
525 err = xfrm_state_delete(x); 529 err = xfrm_state_delete(x);
530
531 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
532 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
533
526 if (err < 0) 534 if (err < 0)
527 goto out; 535 goto out;
528 536
@@ -1030,6 +1038,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
1030 * a type XFRM_MSG_UPDPOLICY - JHS */ 1038 * a type XFRM_MSG_UPDPOLICY - JHS */
1031 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1039 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
1032 err = xfrm_policy_insert(p->dir, xp, excl); 1040 err = xfrm_policy_insert(p->dir, xp, excl);
1041 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
1042 AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
1043
1033 if (err) { 1044 if (err) {
1034 security_xfrm_policy_free(xp); 1045 security_xfrm_policy_free(xp);
1035 kfree(xp); 1046 kfree(xp);
@@ -1257,6 +1268,10 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
1257 xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete); 1268 xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
1258 security_xfrm_policy_free(&tmp); 1269 security_xfrm_policy_free(&tmp);
1259 } 1270 }
1271 if (delete)
1272 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
1273 AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
1274
1260 if (xp == NULL) 1275 if (xp == NULL)
1261 return -ENOENT; 1276 return -ENOENT;
1262 1277
@@ -1291,8 +1306,11 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma
1291{ 1306{
1292 struct km_event c; 1307 struct km_event c;
1293 struct xfrm_usersa_flush *p = NLMSG_DATA(nlh); 1308 struct xfrm_usersa_flush *p = NLMSG_DATA(nlh);
1309 struct xfrm_audit audit_info;
1294 1310
1295 xfrm_state_flush(p->proto); 1311 audit_info.loginuid = NETLINK_CB(skb).loginuid;
1312 audit_info.secid = NETLINK_CB(skb).sid;
1313 xfrm_state_flush(p->proto, &audit_info);
1296 c.data.proto = p->proto; 1314 c.data.proto = p->proto;
1297 c.event = nlh->nlmsg_type; 1315 c.event = nlh->nlmsg_type;
1298 c.seq = nlh->nlmsg_seq; 1316 c.seq = nlh->nlmsg_seq;
@@ -1442,12 +1460,15 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **x
1442 struct km_event c; 1460 struct km_event c;
1443 u8 type = XFRM_POLICY_TYPE_MAIN; 1461 u8 type = XFRM_POLICY_TYPE_MAIN;
1444 int err; 1462 int err;
1463 struct xfrm_audit audit_info;
1445 1464
1446 err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma); 1465 err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);
1447 if (err) 1466 if (err)
1448 return err; 1467 return err;
1449 1468
1450 xfrm_policy_flush(type); 1469 audit_info.loginuid = NETLINK_CB(skb).loginuid;
1470 audit_info.secid = NETLINK_CB(skb).sid;
1471 xfrm_policy_flush(type, &audit_info);
1451 c.data.type = type; 1472 c.data.type = type;
1452 c.event = nlh->nlmsg_type; 1473 c.event = nlh->nlmsg_type;
1453 c.seq = nlh->nlmsg_seq; 1474 c.seq = nlh->nlmsg_seq;
@@ -1502,6 +1523,9 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void *
1502 err = 0; 1523 err = 0;
1503 if (up->hard) { 1524 if (up->hard) {
1504 xfrm_policy_delete(xp, p->dir); 1525 xfrm_policy_delete(xp, p->dir);
1526 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
1527 AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
1528
1505 } else { 1529 } else {
1506 // reset the timers here? 1530 // reset the timers here?
1507 printk("Dont know what to do with soft policy expire\n"); 1531 printk("Dont know what to do with soft policy expire\n");
@@ -1533,8 +1557,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void **
1533 goto out; 1557 goto out;
1534 km_state_expired(x, ue->hard, current->pid); 1558 km_state_expired(x, ue->hard, current->pid);
1535 1559
1536 if (ue->hard) 1560 if (ue->hard) {
1537 __xfrm_state_delete(x); 1561 __xfrm_state_delete(x);
1562 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
1563 AUDIT_MAC_IPSEC_DELSA, 1, NULL, x);
1564 }
1538out: 1565out:
1539 spin_unlock_bh(&x->lock); 1566 spin_unlock_bh(&x->lock);
1540 xfrm_state_put(x); 1567 xfrm_state_put(x);