authorPaul Moore <paul.moore@hp.com>2007-12-20 23:49:33 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 17:59:40 -0500
commit68277accb3a5f004344f4346498640601b8b7016 (patch)
treee6b541283a516406fbd936051028845a20f5a7c4
parent8ea843495df36036cb7f22f61994b34f8362b443 (diff)
[XFRM]: Assorted IPsec fixups
This patch fixes a number of small but potentially troublesome things in the XFRM/IPsec code: * Use the 'audit_enabled' variable already in include/linux/audit.h Removed the need for extern declarations local to each XFRM audit function * Convert 'sid' to 'secid' everywhere we can The 'sid' name is specific to SELinux, 'secid' is the common naming convention used by the kernel when referring to tokenized LSM labels, unfortunately we have to leave 'ctx_sid' in 'struct xfrm_sec_ctx' otherwise we risk breaking userspace * Convert address display to use standard NIP* macros Similar to what was recently done with the SPD audit code, this also includes the removal of some unnecessary memcpy() calls * Move common code to xfrm_audit_common_stateinfo() Code consolidation from the "less is more" book on software development * Proper spacing around commas in function arguments Minor style tweak since I was already touching the code Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/xfrm.h14
-rw-r--r--net/xfrm/xfrm_policy.c15
-rw-r--r--net/xfrm/xfrm_state.c53
3 files changed, 36 insertions, 46 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index a79702bcdcd0..f333c95c4189 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -565,7 +565,7 @@ struct xfrm_audit
565}; 565};
566 566
567#ifdef CONFIG_AUDITSYSCALL 567#ifdef CONFIG_AUDITSYSCALL
568static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid) 568static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 secid)
569{ 569{
570 struct audit_buffer *audit_buf = NULL; 570 struct audit_buffer *audit_buf = NULL;
571 char *secctx; 571 char *secctx;
@@ -578,8 +578,8 @@ static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
578 578
579 audit_log_format(audit_buf, "auid=%u", auid); 579 audit_log_format(audit_buf, "auid=%u", auid);
580 580
581 if (sid != 0 && 581 if (secid != 0 &&
582 security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) { 582 security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
583 audit_log_format(audit_buf, " subj=%s", secctx); 583 audit_log_format(audit_buf, " subj=%s", secctx);
584 security_release_secctx(secctx, secctx_len); 584 security_release_secctx(secctx, secctx_len);
585 } else 585 } else
@@ -588,13 +588,13 @@ static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
588} 588}
589 589
590extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 590extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
591 u32 auid, u32 sid); 591 u32 auid, u32 secid);
592extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 592extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
593 u32 auid, u32 sid); 593 u32 auid, u32 secid);
594extern void xfrm_audit_state_add(struct xfrm_state *x, int result, 594extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
595 u32 auid, u32 sid); 595 u32 auid, u32 secid);
596extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, 596extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
597 u32 auid, u32 sid); 597 u32 auid, u32 secid);
598#else 598#else
599#define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) 599#define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0)
600#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) 600#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 74807a7d3d69..abc3e39b115b 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -24,6 +24,7 @@
24#include <linux/netfilter.h> 24#include <linux/netfilter.h>
25#include <linux/module.h> 25#include <linux/module.h>
26#include <linux/cache.h> 26#include <linux/cache.h>
27#include <linux/audit.h>
27#include <net/dst.h> 28#include <net/dst.h>
28#include <net/xfrm.h> 29#include <net/xfrm.h>
29#include <net/ip.h> 30#include <net/ip.h>
@@ -2401,15 +2402,14 @@ static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2401 } 2402 }
2402} 2403}
2403 2404
2404void 2405void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2405xfrm_audit_policy_add(struct xfrm_policy *xp, int result, u32 auid, u32 sid) 2406 u32 auid, u32 secid)
2406{ 2407{
2407 struct audit_buffer *audit_buf; 2408 struct audit_buffer *audit_buf;
2408 extern int audit_enabled;
2409 2409
2410 if (audit_enabled == 0) 2410 if (audit_enabled == 0)
2411 return; 2411 return;
2412 audit_buf = xfrm_audit_start(auid, sid); 2412 audit_buf = xfrm_audit_start(auid, secid);
2413 if (audit_buf == NULL) 2413 if (audit_buf == NULL)
2414 return; 2414 return;
2415 audit_log_format(audit_buf, " op=SPD-add res=%u", result); 2415 audit_log_format(audit_buf, " op=SPD-add res=%u", result);
@@ -2418,15 +2418,14 @@ xfrm_audit_policy_add(struct xfrm_policy *xp, int result, u32 auid, u32 sid)
2418} 2418}
2419EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); 2419EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
2420 2420
2421void 2421void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
2422xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, u32 auid, u32 sid) 2422 u32 auid, u32 secid)
2423{ 2423{
2424 struct audit_buffer *audit_buf; 2424 struct audit_buffer *audit_buf;
2425 extern int audit_enabled;
2426 2425
2427 if (audit_enabled == 0) 2426 if (audit_enabled == 0)
2428 return; 2427 return;
2429 audit_buf = xfrm_audit_start(auid, sid); 2428 audit_buf = xfrm_audit_start(auid, secid);
2430 if (audit_buf == NULL) 2429 if (audit_buf == NULL)
2431 return; 2430 return;
2432 audit_log_format(audit_buf, " op=SPD-delete res=%u", result); 2431 audit_log_format(audit_buf, " op=SPD-delete res=%u", result);
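Review bot: `result` is declared `int` in the reformatted signatures of xfrm_audit_policy_add and xfrm_audit_policy_delete but is logged with `%u` in `" op=SPD-delete res=%u"` (and the matching SPD-add line in the previous hunk), a mismatch the commit leaves in place. If, as the audit `res=` convention suggests, callers only pass 1 or 0 this is harmless, but a negative error code handed in as result would land in the audit record as a large unsigned value, which misleads anyone parsing the log for failed SPD changes. Either use `%d` or pin the contract in a kernel-doc comment above the exported function, e.g. `/* @result: 1 on success, 0 on failure; emitted verbatim as the res= audit field */`, so the `%u` is visibly intentional.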
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index f7c0951c9fd9..9e57378c51df 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -19,6 +19,7 @@
19#include <linux/ipsec.h> 19#include <linux/ipsec.h>
20#include <linux/module.h> 20#include <linux/module.h>
21#include <linux/cache.h> 21#include <linux/cache.h>
22#include <linux/audit.h>
22#include <asm/uaccess.h> 23#include <asm/uaccess.h>
23 24
24#include "xfrm_hash.h" 25#include "xfrm_hash.h"
@@ -1998,69 +1999,59 @@ void __init xfrm_state_init(void)
1998static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x, 1999static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x,
1999 struct audit_buffer *audit_buf) 2000 struct audit_buffer *audit_buf)
2000{ 2001{
2001 if (x->security) 2002 struct xfrm_sec_ctx *ctx = x->security;
2003 u32 spi = ntohl(x->id.spi);
2004
2005 if (ctx)
2002 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", 2006 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2003 x->security->ctx_alg, x->security->ctx_doi, 2007 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2004 x->security->ctx_str);
2005 2008
2006 switch(x->props.family) { 2009 switch(x->props.family) {
2007 case AF_INET: 2010 case AF_INET:
2008 audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u", 2011 audit_log_format(audit_buf,
2012 " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT,
2009 NIPQUAD(x->props.saddr.a4), 2013 NIPQUAD(x->props.saddr.a4),
2010 NIPQUAD(x->id.daddr.a4)); 2014 NIPQUAD(x->id.daddr.a4));
2011 break; 2015 break;
2012 case AF_INET6: 2016 case AF_INET6:
2013 { 2017 audit_log_format(audit_buf,
2014 struct in6_addr saddr6, daddr6; 2018 " src=" NIP6_FMT " dst=" NIP6_FMT,
2015 2019 NIP6(*(struct in6_addr *)x->props.saddr.a6),
2016 memcpy(&saddr6, x->props.saddr.a6, 2020 NIP6(*(struct in6_addr *)x->id.daddr.a6));
2017 sizeof(struct in6_addr));
2018 memcpy(&daddr6, x->id.daddr.a6,
2019 sizeof(struct in6_addr));
2020 audit_log_format(audit_buf,
2021 " src=" NIP6_FMT " dst=" NIP6_FMT,
2022 NIP6(saddr6), NIP6(daddr6));
2023 }
2024 break; 2021 break;
2025 } 2022 }
2023
2024 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2026} 2025}
2027 2026
2028void 2027void xfrm_audit_state_add(struct xfrm_state *x, int result,
2029xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid) 2028 u32 auid, u32 secid)
2030{ 2029{
2031 struct audit_buffer *audit_buf; 2030 struct audit_buffer *audit_buf;
2032 u32 spi;
2033 extern int audit_enabled;
2034 2031
2035 if (audit_enabled == 0) 2032 if (audit_enabled == 0)
2036 return; 2033 return;
2037 audit_buf = xfrm_audit_start(auid, sid); 2034 audit_buf = xfrm_audit_start(auid, secid);
2038 if (audit_buf == NULL) 2035 if (audit_buf == NULL)
2039 return; 2036 return;
2040 audit_log_format(audit_buf, " op=SAD-add res=%u",result); 2037 audit_log_format(audit_buf, " op=SAD-add res=%u", result);
2041 xfrm_audit_common_stateinfo(x, audit_buf); 2038 xfrm_audit_common_stateinfo(x, audit_buf);
2042 spi = ntohl(x->id.spi);
2043 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2044 audit_log_end(audit_buf); 2039 audit_log_end(audit_buf);
2045} 2040}
2046EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2041EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2047 2042
2048void 2043void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2049xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid) 2044 u32 auid, u32 secid)
2050{ 2045{
2051 struct audit_buffer *audit_buf; 2046 struct audit_buffer *audit_buf;
2052 u32 spi;
2053 extern int audit_enabled;
2054 2047
2055 if (audit_enabled == 0) 2048 if (audit_enabled == 0)
2056 return; 2049 return;
2057 audit_buf = xfrm_audit_start(auid, sid); 2050 audit_buf = xfrm_audit_start(auid, secid);
2058 if (audit_buf == NULL) 2051 if (audit_buf == NULL)
2059 return; 2052 return;
2060 audit_log_format(audit_buf, " op=SAD-delete res=%u",result); 2053 audit_log_format(audit_buf, " op=SAD-delete res=%u", result);
2061 xfrm_audit_common_stateinfo(x, audit_buf); 2054 xfrm_audit_common_stateinfo(x, audit_buf);
2062 spi = ntohl(x->id.spi);
2063 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2064 audit_log_end(audit_buf); 2055 audit_log_end(audit_buf);
2065} 2056}
2066EXPORT_SYMBOL_GPL(xfrm_audit_state_delete); 2057EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
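Review bot: The new AF_INET6 branch in xfrm_audit_common_stateinfo reads `x->props.saddr.a6` and `x->id.daddr.a6` in place through `*(struct in6_addr *)`, which is only sound if `a6` has the size and alignment of `struct in6_addr` (presumably the 16-byte array member of xfrm_address_t, whose definition is not in this diff) and on the kernel being built without strict-aliasing optimisations; the memcpy() it replaces made no such assumption. A one-line comment would stop the next reader from reintroducing the copy or "fixing" the cast: `/* a6 has the size and layout of struct in6_addr; read it in place */`. The `switch (x->props.family)` still has no `default:`, so a state with any other family is audited without src=/dst= fields and nothing in the record shows the addresses were omitted; a `default: audit_log_format(audit_buf, " family=%u", x->props.family); break;` would keep the record self-describing for whoever reviews SAD changes after the fact.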