diff options
author | Paul Moore <paul.moore@hp.com> | 2007-12-01 07:27:18 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:55:19 -0500 |
commit | 875179fa60ffe2eba1daaefb0af1be97ff5eda6a (patch) | |
tree | cc691e83f8dc2e022299362da49673fb31c2de55 /net/xfrm | |
parent | 9108d5f4b2cd82f55ad178caa0be66a866a06dcc (diff) |
[IPSEC]: SPD auditing fix to include the netmask/prefix-length
Currently the netmask/prefix-length of an IPsec SPD entry is not included in
any of the SPD related audit messages. This can cause a problem when the
audit log is examined as the netmask/prefix-length is vital in determining
what network traffic is affected by a particular SPD entry. This patch fixes
this problem by adding two additional fields, "src_prefixlen" and
"dst_prefixlen", to the SPD audit messages to indicate the source and
destination netmasks. These new fields are only included in the audit message
when the netmask/prefix-length is less than the address length, i.e. the SPD
entry applies to a network address and not a host address.
Example audit message:
type=UNKNOWN[1415] msg=audit(1196105849.752:25): auid=0 \
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 op=SPD-add res=1 \
src=192.168.0.0 src_prefixlen=24 dst=192.168.1.0 dst_prefixlen=24
In addition, this patch also fixes a few other things in the
xfrm_audit_common_policyinfo() function. The IPv4 string formatting was
converted to use the standard NIPQUAD_FMT constant, the memcpy() was removed
from the IPv6 code path and replaced with a typecast (the memcpy() was acting
as a slow, implicit typecast anyway), and two local variables were created to
make referencing the XFRM security context and selector information cleaner.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm')
-rw-r--r-- | net/xfrm/xfrm_policy.c | 44 |
1 files changed, 26 insertions, 18 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index b153f748205..a76280a14e7 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
@@ -2266,29 +2266,37 @@ void __init xfrm_init(void) | |||
2266 | static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, | 2266 | static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, |
2267 | struct audit_buffer *audit_buf) | 2267 | struct audit_buffer *audit_buf) |
2268 | { | 2268 | { |
2269 | if (xp->security) | 2269 | struct xfrm_sec_ctx *ctx = xp->security; |
2270 | struct xfrm_selector *sel = &xp->selector; | ||
2271 | |||
2272 | if (ctx) | ||
2270 | audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", | 2273 | audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", |
2271 | xp->security->ctx_alg, xp->security->ctx_doi, | 2274 | ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str); |
2272 | xp->security->ctx_str); | ||
2273 | 2275 | ||
2274 | switch(xp->selector.family) { | 2276 | switch(sel->family) { |
2275 | case AF_INET: | 2277 | case AF_INET: |
2276 | audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u", | 2278 | audit_log_format(audit_buf, " src=" NIPQUAD_FMT, |
2277 | NIPQUAD(xp->selector.saddr.a4), | 2279 | NIPQUAD(sel->saddr.a4)); |
2278 | NIPQUAD(xp->selector.daddr.a4)); | 2280 | if (sel->prefixlen_s != 32) |
2281 | audit_log_format(audit_buf, " src_prefixlen=%d", | ||
2282 | sel->prefixlen_s); | ||
2283 | audit_log_format(audit_buf, " dst=" NIPQUAD_FMT, | ||
2284 | NIPQUAD(sel->daddr.a4)); | ||
2285 | if (sel->prefixlen_d != 32) | ||
2286 | audit_log_format(audit_buf, " dst_prefixlen=%d", | ||
2287 | sel->prefixlen_d); | ||
2279 | break; | 2288 | break; |
2280 | case AF_INET6: | 2289 | case AF_INET6: |
2281 | { | 2290 | audit_log_format(audit_buf, " src=" NIP6_FMT, |
2282 | struct in6_addr saddr6, daddr6; | 2291 | NIP6(*(struct in6_addr *)sel->saddr.a6)); |
2283 | 2292 | if (sel->prefixlen_s != 128) | |
2284 | memcpy(&saddr6, xp->selector.saddr.a6, | 2293 | audit_log_format(audit_buf, " src_prefixlen=%d", |
2285 | sizeof(struct in6_addr)); | 2294 | sel->prefixlen_s); |
2286 | memcpy(&daddr6, xp->selector.daddr.a6, | 2295 | audit_log_format(audit_buf, " dst=" NIP6_FMT, |
2287 | sizeof(struct in6_addr)); | 2296 | NIP6(*(struct in6_addr *)sel->daddr.a6)); |
2288 | audit_log_format(audit_buf, | 2297 | if (sel->prefixlen_d != 128) |
2289 | " src=" NIP6_FMT " dst=" NIP6_FMT, | 2298 | audit_log_format(audit_buf, " dst_prefixlen=%d", |
2290 | NIP6(saddr6), NIP6(daddr6)); | 2299 | sel->prefixlen_d); |
2291 | } | ||
2292 | break; | 2300 | break; |
2293 | } | 2301 | } |
2294 | } | 2302 | } |