diff options
author | Paul Moore <paul.moore@hp.com> | 2007-12-20 23:49:33 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:59:40 -0500 |
commit | 68277accb3a5f004344f4346498640601b8b7016 (patch) | |
tree | e6b541283a516406fbd936051028845a20f5a7c4 | |
parent | 8ea843495df36036cb7f22f61994b34f8362b443 (diff) |
[XFRM]: Assorted IPsec fixups
This patch fixes a number of small but potentially troublesome things in the
XFRM/IPsec code:
* Use the 'audit_enabled' variable already in include/linux/audit.h
Removed the need for extern declarations local to each XFRM audit fuction
* Convert 'sid' to 'secid' everywhere we can
The 'sid' name is specific to SELinux, 'secid' is the common naming
convention used by the kernel when refering to tokenized LSM labels,
unfortunately we have to leave 'ctx_sid' in 'struct xfrm_sec_ctx' otherwise
we risk breaking userspace
* Convert address display to use standard NIP* macros
Similar to what was recently done with the SPD audit code, this also also
includes the removal of some unnecessary memcpy() calls
* Move common code to xfrm_audit_common_stateinfo()
Code consolidation from the "less is more" book on software development
* Proper spacing around commas in function arguments
Minor style tweak since I was already touching the code
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/net/xfrm.h | 14 | ||||
-rw-r--r-- | net/xfrm/xfrm_policy.c | 15 | ||||
-rw-r--r-- | net/xfrm/xfrm_state.c | 53 |
3 files changed, 36 insertions, 46 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index a79702bcdcd0..f333c95c4189 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
@@ -565,7 +565,7 @@ struct xfrm_audit | |||
565 | }; | 565 | }; |
566 | 566 | ||
567 | #ifdef CONFIG_AUDITSYSCALL | 567 | #ifdef CONFIG_AUDITSYSCALL |
568 | static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid) | 568 | static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 secid) |
569 | { | 569 | { |
570 | struct audit_buffer *audit_buf = NULL; | 570 | struct audit_buffer *audit_buf = NULL; |
571 | char *secctx; | 571 | char *secctx; |
@@ -578,8 +578,8 @@ static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid) | |||
578 | 578 | ||
579 | audit_log_format(audit_buf, "auid=%u", auid); | 579 | audit_log_format(audit_buf, "auid=%u", auid); |
580 | 580 | ||
581 | if (sid != 0 && | 581 | if (secid != 0 && |
582 | security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) { | 582 | security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) { |
583 | audit_log_format(audit_buf, " subj=%s", secctx); | 583 | audit_log_format(audit_buf, " subj=%s", secctx); |
584 | security_release_secctx(secctx, secctx_len); | 584 | security_release_secctx(secctx, secctx_len); |
585 | } else | 585 | } else |
@@ -588,13 +588,13 @@ static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid) | |||
588 | } | 588 | } |
589 | 589 | ||
590 | extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, | 590 | extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, |
591 | u32 auid, u32 sid); | 591 | u32 auid, u32 secid); |
592 | extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, | 592 | extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, |
593 | u32 auid, u32 sid); | 593 | u32 auid, u32 secid); |
594 | extern void xfrm_audit_state_add(struct xfrm_state *x, int result, | 594 | extern void xfrm_audit_state_add(struct xfrm_state *x, int result, |
595 | u32 auid, u32 sid); | 595 | u32 auid, u32 secid); |
596 | extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, | 596 | extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, |
597 | u32 auid, u32 sid); | 597 | u32 auid, u32 secid); |
598 | #else | 598 | #else |
599 | #define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) | 599 | #define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) |
600 | #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) | 600 | #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) |
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 74807a7d3d69..abc3e39b115b 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
@@ -24,6 +24,7 @@ | |||
24 | #include <linux/netfilter.h> | 24 | #include <linux/netfilter.h> |
25 | #include <linux/module.h> | 25 | #include <linux/module.h> |
26 | #include <linux/cache.h> | 26 | #include <linux/cache.h> |
27 | #include <linux/audit.h> | ||
27 | #include <net/dst.h> | 28 | #include <net/dst.h> |
28 | #include <net/xfrm.h> | 29 | #include <net/xfrm.h> |
29 | #include <net/ip.h> | 30 | #include <net/ip.h> |
@@ -2401,15 +2402,14 @@ static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, | |||
2401 | } | 2402 | } |
2402 | } | 2403 | } |
2403 | 2404 | ||
2404 | void | 2405 | void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, |
2405 | xfrm_audit_policy_add(struct xfrm_policy *xp, int result, u32 auid, u32 sid) | 2406 | u32 auid, u32 secid) |
2406 | { | 2407 | { |
2407 | struct audit_buffer *audit_buf; | 2408 | struct audit_buffer *audit_buf; |
2408 | extern int audit_enabled; | ||
2409 | 2409 | ||
2410 | if (audit_enabled == 0) | 2410 | if (audit_enabled == 0) |
2411 | return; | 2411 | return; |
2412 | audit_buf = xfrm_audit_start(auid, sid); | 2412 | audit_buf = xfrm_audit_start(auid, secid); |
2413 | if (audit_buf == NULL) | 2413 | if (audit_buf == NULL) |
2414 | return; | 2414 | return; |
2415 | audit_log_format(audit_buf, " op=SPD-add res=%u", result); | 2415 | audit_log_format(audit_buf, " op=SPD-add res=%u", result); |
@@ -2418,15 +2418,14 @@ xfrm_audit_policy_add(struct xfrm_policy *xp, int result, u32 auid, u32 sid) | |||
2418 | } | 2418 | } |
2419 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); | 2419 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); |
2420 | 2420 | ||
2421 | void | 2421 | void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, |
2422 | xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, u32 auid, u32 sid) | 2422 | u32 auid, u32 secid) |
2423 | { | 2423 | { |
2424 | struct audit_buffer *audit_buf; | 2424 | struct audit_buffer *audit_buf; |
2425 | extern int audit_enabled; | ||
2426 | 2425 | ||
2427 | if (audit_enabled == 0) | 2426 | if (audit_enabled == 0) |
2428 | return; | 2427 | return; |
2429 | audit_buf = xfrm_audit_start(auid, sid); | 2428 | audit_buf = xfrm_audit_start(auid, secid); |
2430 | if (audit_buf == NULL) | 2429 | if (audit_buf == NULL) |
2431 | return; | 2430 | return; |
2432 | audit_log_format(audit_buf, " op=SPD-delete res=%u", result); | 2431 | audit_log_format(audit_buf, " op=SPD-delete res=%u", result); |
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index f7c0951c9fd9..9e57378c51df 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c | |||
@@ -19,6 +19,7 @@ | |||
19 | #include <linux/ipsec.h> | 19 | #include <linux/ipsec.h> |
20 | #include <linux/module.h> | 20 | #include <linux/module.h> |
21 | #include <linux/cache.h> | 21 | #include <linux/cache.h> |
22 | #include <linux/audit.h> | ||
22 | #include <asm/uaccess.h> | 23 | #include <asm/uaccess.h> |
23 | 24 | ||
24 | #include "xfrm_hash.h" | 25 | #include "xfrm_hash.h" |
@@ -1998,69 +1999,59 @@ void __init xfrm_state_init(void) | |||
1998 | static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x, | 1999 | static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x, |
1999 | struct audit_buffer *audit_buf) | 2000 | struct audit_buffer *audit_buf) |
2000 | { | 2001 | { |
2001 | if (x->security) | 2002 | struct xfrm_sec_ctx *ctx = x->security; |
2003 | u32 spi = ntohl(x->id.spi); | ||
2004 | |||
2005 | if (ctx) | ||
2002 | audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", | 2006 | audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", |
2003 | x->security->ctx_alg, x->security->ctx_doi, | 2007 | ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str); |
2004 | x->security->ctx_str); | ||
2005 | 2008 | ||
2006 | switch(x->props.family) { | 2009 | switch(x->props.family) { |
2007 | case AF_INET: | 2010 | case AF_INET: |
2008 | audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u", | 2011 | audit_log_format(audit_buf, |
2012 | " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT, | ||
2009 | NIPQUAD(x->props.saddr.a4), | 2013 | NIPQUAD(x->props.saddr.a4), |
2010 | NIPQUAD(x->id.daddr.a4)); | 2014 | NIPQUAD(x->id.daddr.a4)); |
2011 | break; | 2015 | break; |
2012 | case AF_INET6: | 2016 | case AF_INET6: |
2013 | { | 2017 | audit_log_format(audit_buf, |
2014 | struct in6_addr saddr6, daddr6; | 2018 | " src=" NIP6_FMT " dst=" NIP6_FMT, |
2015 | 2019 | NIP6(*(struct in6_addr *)x->props.saddr.a6), | |
2016 | memcpy(&saddr6, x->props.saddr.a6, | 2020 | NIP6(*(struct in6_addr *)x->id.daddr.a6)); |
2017 | sizeof(struct in6_addr)); | ||
2018 | memcpy(&daddr6, x->id.daddr.a6, | ||
2019 | sizeof(struct in6_addr)); | ||
2020 | audit_log_format(audit_buf, | ||
2021 | " src=" NIP6_FMT " dst=" NIP6_FMT, | ||
2022 | NIP6(saddr6), NIP6(daddr6)); | ||
2023 | } | ||
2024 | break; | 2021 | break; |
2025 | } | 2022 | } |
2023 | |||
2024 | audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi); | ||
2026 | } | 2025 | } |
2027 | 2026 | ||
2028 | void | 2027 | void xfrm_audit_state_add(struct xfrm_state *x, int result, |
2029 | xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid) | 2028 | u32 auid, u32 secid) |
2030 | { | 2029 | { |
2031 | struct audit_buffer *audit_buf; | 2030 | struct audit_buffer *audit_buf; |
2032 | u32 spi; | ||
2033 | extern int audit_enabled; | ||
2034 | 2031 | ||
2035 | if (audit_enabled == 0) | 2032 | if (audit_enabled == 0) |
2036 | return; | 2033 | return; |
2037 | audit_buf = xfrm_audit_start(auid, sid); | 2034 | audit_buf = xfrm_audit_start(auid, secid); |
2038 | if (audit_buf == NULL) | 2035 | if (audit_buf == NULL) |
2039 | return; | 2036 | return; |
2040 | audit_log_format(audit_buf, " op=SAD-add res=%u",result); | 2037 | audit_log_format(audit_buf, " op=SAD-add res=%u", result); |
2041 | xfrm_audit_common_stateinfo(x, audit_buf); | 2038 | xfrm_audit_common_stateinfo(x, audit_buf); |
2042 | spi = ntohl(x->id.spi); | ||
2043 | audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi); | ||
2044 | audit_log_end(audit_buf); | 2039 | audit_log_end(audit_buf); |
2045 | } | 2040 | } |
2046 | EXPORT_SYMBOL_GPL(xfrm_audit_state_add); | 2041 | EXPORT_SYMBOL_GPL(xfrm_audit_state_add); |
2047 | 2042 | ||
2048 | void | 2043 | void xfrm_audit_state_delete(struct xfrm_state *x, int result, |
2049 | xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid) | 2044 | u32 auid, u32 secid) |
2050 | { | 2045 | { |
2051 | struct audit_buffer *audit_buf; | 2046 | struct audit_buffer *audit_buf; |
2052 | u32 spi; | ||
2053 | extern int audit_enabled; | ||
2054 | 2047 | ||
2055 | if (audit_enabled == 0) | 2048 | if (audit_enabled == 0) |
2056 | return; | 2049 | return; |
2057 | audit_buf = xfrm_audit_start(auid, sid); | 2050 | audit_buf = xfrm_audit_start(auid, secid); |
2058 | if (audit_buf == NULL) | 2051 | if (audit_buf == NULL) |
2059 | return; | 2052 | return; |
2060 | audit_log_format(audit_buf, " op=SAD-delete res=%u",result); | 2053 | audit_log_format(audit_buf, " op=SAD-delete res=%u", result); |
2061 | xfrm_audit_common_stateinfo(x, audit_buf); | 2054 | xfrm_audit_common_stateinfo(x, audit_buf); |
2062 | spi = ntohl(x->id.spi); | ||
2063 | audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi); | ||
2064 | audit_log_end(audit_buf); | 2055 | audit_log_end(audit_buf); |
2065 | } | 2056 | } |
2066 | EXPORT_SYMBOL_GPL(xfrm_audit_state_delete); | 2057 | EXPORT_SYMBOL_GPL(xfrm_audit_state_delete); |