diff options
author | Joy Latten <latten@austin.ibm.com> | 2007-09-17 14:51:22 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-10 19:49:02 -0400 |
commit | ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce (patch) | |
tree | bf3915a618b29f507d882e9c665ed9d07e7c0765 | |
parent | d2e9117c7aa9544d910634e17e3519fd67155229 (diff) |
[XFRM]: xfrm audit calls
This patch modifies the current ipsec audit layer
by breaking it up into purpose driven audit calls.
So far, the only audit calls made are when add/delete
an SA/policy. It had been discussed to give each
key manager it's own calls to do this, but I found
there to be much redundnacy since they did the exact
same things, except for how they got auid and sid, so I
combined them. The below audit calls can be made by any
key manager. Hopefully, this is ok.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/linux/audit.h | 9 | ||||
-rw-r--r-- | include/net/xfrm.h | 40 | ||||
-rw-r--r-- | net/key/af_key.c | 21 | ||||
-rw-r--r-- | net/xfrm/xfrm_policy.c | 210 | ||||
-rw-r--r-- | net/xfrm/xfrm_state.c | 89 | ||||
-rw-r--r-- | net/xfrm/xfrm_user.c | 26 |
6 files changed, 218 insertions, 177 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index d6579df8dadf..9ae740936a65 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -108,10 +108,11 @@ | |||
108 | #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ | 108 | #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ |
109 | #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ | 109 | #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ |
110 | #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ | 110 | #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ |
111 | #define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */ | 111 | #define AUDIT_MAC_IPSEC_ADDSA 1411 /* Not used */ |
112 | #define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */ | 112 | #define AUDIT_MAC_IPSEC_DELSA 1412 /* Not used */ |
113 | #define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */ | 113 | #define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Not used */ |
114 | #define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */ | 114 | #define AUDIT_MAC_IPSEC_DELSPD 1414 /* Not used */ |
115 | #define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */ | ||
115 | 116 | ||
116 | #define AUDIT_FIRST_KERN_ANOM_MSG 1700 | 117 | #define AUDIT_FIRST_KERN_ANOM_MSG 1700 |
117 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 | 118 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 |
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index a5f80bfbaaa4..760d2432be6b 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
@@ -12,6 +12,7 @@ | |||
12 | #include <linux/ipsec.h> | 12 | #include <linux/ipsec.h> |
13 | #include <linux/in6.h> | 13 | #include <linux/in6.h> |
14 | #include <linux/mutex.h> | 14 | #include <linux/mutex.h> |
15 | #include <linux/audit.h> | ||
15 | 16 | ||
16 | #include <net/sock.h> | 17 | #include <net/sock.h> |
17 | #include <net/dst.h> | 18 | #include <net/dst.h> |
@@ -421,15 +422,46 @@ extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2]; | |||
421 | /* Audit Information */ | 422 | /* Audit Information */ |
422 | struct xfrm_audit | 423 | struct xfrm_audit |
423 | { | 424 | { |
424 | uid_t loginuid; | 425 | u32 loginuid; |
425 | u32 secid; | 426 | u32 secid; |
426 | }; | 427 | }; |
427 | 428 | ||
428 | #ifdef CONFIG_AUDITSYSCALL | 429 | #ifdef CONFIG_AUDITSYSCALL |
429 | extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, | 430 | static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid) |
430 | struct xfrm_policy *xp, struct xfrm_state *x); | 431 | { |
432 | struct audit_buffer *audit_buf = NULL; | ||
433 | char *secctx; | ||
434 | u32 secctx_len; | ||
435 | |||
436 | audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, | ||
437 | AUDIT_MAC_IPSEC_EVENT); | ||
438 | if (audit_buf == NULL) | ||
439 | return NULL; | ||
440 | |||
441 | audit_log_format(audit_buf, "auid=%u", auid); | ||
442 | |||
443 | if (sid != 0 && | ||
444 | security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) { | ||
445 | audit_log_format(audit_buf, " subj=%s", secctx); | ||
446 | security_release_secctx(secctx, secctx_len); | ||
447 | } else | ||
448 | audit_log_task_context(audit_buf); | ||
449 | return audit_buf; | ||
450 | } | ||
451 | |||
452 | extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, | ||
453 | u32 auid, u32 sid); | ||
454 | extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, | ||
455 | u32 auid, u32 sid); | ||
456 | extern void xfrm_audit_state_add(struct xfrm_state *x, int result, | ||
457 | u32 auid, u32 sid); | ||
458 | extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, | ||
459 | u32 auid, u32 sid); | ||
431 | #else | 460 | #else |
432 | #define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0) | 461 | #define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) |
462 | #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) | ||
463 | #define xfrm_audit_state_add(x, r, a, s) do { ; } while (0) | ||
464 | #define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0) | ||
433 | #endif /* CONFIG_AUDITSYSCALL */ | 465 | #endif /* CONFIG_AUDITSYSCALL */ |
434 | 466 | ||
435 | static inline void xfrm_pol_hold(struct xfrm_policy *policy) | 467 | static inline void xfrm_pol_hold(struct xfrm_policy *policy) |
diff --git a/net/key/af_key.c b/net/key/af_key.c index 17b2a6927f01..0241fff95137 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c | |||
@@ -27,7 +27,6 @@ | |||
27 | #include <linux/proc_fs.h> | 27 | #include <linux/proc_fs.h> |
28 | #include <linux/init.h> | 28 | #include <linux/init.h> |
29 | #include <net/xfrm.h> | 29 | #include <net/xfrm.h> |
30 | #include <linux/audit.h> | ||
31 | 30 | ||
32 | #include <net/sock.h> | 31 | #include <net/sock.h> |
33 | 32 | ||
@@ -1454,8 +1453,8 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, | |||
1454 | else | 1453 | else |
1455 | err = xfrm_state_update(x); | 1454 | err = xfrm_state_update(x); |
1456 | 1455 | ||
1457 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | 1456 | xfrm_audit_state_add(x, err ? 0 : 1, |
1458 | AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); | 1457 | audit_get_loginuid(current->audit_context), 0); |
1459 | 1458 | ||
1460 | if (err < 0) { | 1459 | if (err < 0) { |
1461 | x->km.state = XFRM_STATE_DEAD; | 1460 | x->km.state = XFRM_STATE_DEAD; |
@@ -1508,8 +1507,8 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
1508 | c.event = XFRM_MSG_DELSA; | 1507 | c.event = XFRM_MSG_DELSA; |
1509 | km_state_notify(x, &c); | 1508 | km_state_notify(x, &c); |
1510 | out: | 1509 | out: |
1511 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | 1510 | xfrm_audit_state_delete(x, err ? 0 : 1, |
1512 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | 1511 | audit_get_loginuid(current->audit_context), 0); |
1513 | xfrm_state_put(x); | 1512 | xfrm_state_put(x); |
1514 | 1513 | ||
1515 | return err; | 1514 | return err; |
@@ -2261,8 +2260,8 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
2261 | err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, | 2260 | err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, |
2262 | hdr->sadb_msg_type != SADB_X_SPDUPDATE); | 2261 | hdr->sadb_msg_type != SADB_X_SPDUPDATE); |
2263 | 2262 | ||
2264 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | 2263 | xfrm_audit_policy_add(xp, err ? 0 : 1, |
2265 | AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL); | 2264 | audit_get_loginuid(current->audit_context), 0); |
2266 | 2265 | ||
2267 | if (err) | 2266 | if (err) |
2268 | goto out; | 2267 | goto out; |
@@ -2345,8 +2344,8 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg | |||
2345 | if (xp == NULL) | 2344 | if (xp == NULL) |
2346 | return -ENOENT; | 2345 | return -ENOENT; |
2347 | 2346 | ||
2348 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | 2347 | xfrm_audit_policy_delete(xp, err ? 0 : 1, |
2349 | AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); | 2348 | audit_get_loginuid(current->audit_context), 0); |
2350 | 2349 | ||
2351 | if (err) | 2350 | if (err) |
2352 | goto out; | 2351 | goto out; |
@@ -2606,8 +2605,8 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
2606 | return -ENOENT; | 2605 | return -ENOENT; |
2607 | 2606 | ||
2608 | if (delete) { | 2607 | if (delete) { |
2609 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | 2608 | xfrm_audit_policy_delete(xp, err ? 0 : 1, |
2610 | AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); | 2609 | audit_get_loginuid(current->audit_context), 0); |
2611 | 2610 | ||
2612 | if (err) | 2611 | if (err) |
2613 | goto out; | 2612 | goto out; |
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 6ab81b1d215e..36dd31c40f4a 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
@@ -23,7 +23,6 @@ | |||
23 | #include <linux/netfilter.h> | 23 | #include <linux/netfilter.h> |
24 | #include <linux/module.h> | 24 | #include <linux/module.h> |
25 | #include <linux/cache.h> | 25 | #include <linux/cache.h> |
26 | #include <linux/audit.h> | ||
27 | #include <net/xfrm.h> | 26 | #include <net/xfrm.h> |
28 | #include <net/ip.h> | 27 | #include <net/ip.h> |
29 | 28 | ||
@@ -850,10 +849,9 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) | |||
850 | continue; | 849 | continue; |
851 | err = security_xfrm_policy_delete(pol); | 850 | err = security_xfrm_policy_delete(pol); |
852 | if (err) { | 851 | if (err) { |
853 | xfrm_audit_log(audit_info->loginuid, | 852 | xfrm_audit_policy_delete(pol, 0, |
854 | audit_info->secid, | 853 | audit_info->loginuid, |
855 | AUDIT_MAC_IPSEC_DELSPD, 0, | 854 | audit_info->secid); |
856 | pol, NULL); | ||
857 | return err; | 855 | return err; |
858 | } | 856 | } |
859 | } | 857 | } |
@@ -865,10 +863,9 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) | |||
865 | continue; | 863 | continue; |
866 | err = security_xfrm_policy_delete(pol); | 864 | err = security_xfrm_policy_delete(pol); |
867 | if (err) { | 865 | if (err) { |
868 | xfrm_audit_log(audit_info->loginuid, | 866 | xfrm_audit_policy_delete(pol, 0, |
869 | audit_info->secid, | 867 | audit_info->loginuid, |
870 | AUDIT_MAC_IPSEC_DELSPD, | 868 | audit_info->secid); |
871 | 0, pol, NULL); | ||
872 | return err; | 869 | return err; |
873 | } | 870 | } |
874 | } | 871 | } |
@@ -909,8 +906,8 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) | |||
909 | hlist_del(&pol->byidx); | 906 | hlist_del(&pol->byidx); |
910 | write_unlock_bh(&xfrm_policy_lock); | 907 | write_unlock_bh(&xfrm_policy_lock); |
911 | 908 | ||
912 | xfrm_audit_log(audit_info->loginuid, audit_info->secid, | 909 | xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, |
913 | AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL); | 910 | audit_info->secid); |
914 | 911 | ||
915 | xfrm_policy_kill(pol); | 912 | xfrm_policy_kill(pol); |
916 | killed++; | 913 | killed++; |
@@ -930,11 +927,9 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) | |||
930 | hlist_del(&pol->byidx); | 927 | hlist_del(&pol->byidx); |
931 | write_unlock_bh(&xfrm_policy_lock); | 928 | write_unlock_bh(&xfrm_policy_lock); |
932 | 929 | ||
933 | xfrm_audit_log(audit_info->loginuid, | 930 | xfrm_audit_policy_delete(pol, 1, |
934 | audit_info->secid, | 931 | audit_info->loginuid, |
935 | AUDIT_MAC_IPSEC_DELSPD, 1, | 932 | audit_info->secid); |
936 | pol, NULL); | ||
937 | |||
938 | xfrm_policy_kill(pol); | 933 | xfrm_policy_kill(pol); |
939 | killed++; | 934 | killed++; |
940 | 935 | ||
@@ -2150,123 +2145,6 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first, | |||
2150 | 2145 | ||
2151 | EXPORT_SYMBOL(xfrm_bundle_ok); | 2146 | EXPORT_SYMBOL(xfrm_bundle_ok); |
2152 | 2147 | ||
2153 | #ifdef CONFIG_AUDITSYSCALL | ||
2154 | /* Audit addition and deletion of SAs and ipsec policy */ | ||
2155 | |||
2156 | void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, | ||
2157 | struct xfrm_policy *xp, struct xfrm_state *x) | ||
2158 | { | ||
2159 | |||
2160 | char *secctx; | ||
2161 | u32 secctx_len; | ||
2162 | struct xfrm_sec_ctx *sctx = NULL; | ||
2163 | struct audit_buffer *audit_buf; | ||
2164 | int family; | ||
2165 | extern int audit_enabled; | ||
2166 | |||
2167 | if (audit_enabled == 0) | ||
2168 | return; | ||
2169 | |||
2170 | BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA || | ||
2171 | type == AUDIT_MAC_IPSEC_DELSA) && !x); | ||
2172 | BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD || | ||
2173 | type == AUDIT_MAC_IPSEC_DELSPD) && !xp); | ||
2174 | |||
2175 | audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); | ||
2176 | if (audit_buf == NULL) | ||
2177 | return; | ||
2178 | |||
2179 | switch(type) { | ||
2180 | case AUDIT_MAC_IPSEC_ADDSA: | ||
2181 | audit_log_format(audit_buf, "SAD add: auid=%u", auid); | ||
2182 | break; | ||
2183 | case AUDIT_MAC_IPSEC_DELSA: | ||
2184 | audit_log_format(audit_buf, "SAD delete: auid=%u", auid); | ||
2185 | break; | ||
2186 | case AUDIT_MAC_IPSEC_ADDSPD: | ||
2187 | audit_log_format(audit_buf, "SPD add: auid=%u", auid); | ||
2188 | break; | ||
2189 | case AUDIT_MAC_IPSEC_DELSPD: | ||
2190 | audit_log_format(audit_buf, "SPD delete: auid=%u", auid); | ||
2191 | break; | ||
2192 | default: | ||
2193 | return; | ||
2194 | } | ||
2195 | |||
2196 | if (sid != 0 && | ||
2197 | security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) { | ||
2198 | audit_log_format(audit_buf, " subj=%s", secctx); | ||
2199 | security_release_secctx(secctx, secctx_len); | ||
2200 | } else | ||
2201 | audit_log_task_context(audit_buf); | ||
2202 | |||
2203 | if (xp) { | ||
2204 | family = xp->selector.family; | ||
2205 | if (xp->security) | ||
2206 | sctx = xp->security; | ||
2207 | } else { | ||
2208 | family = x->props.family; | ||
2209 | if (x->security) | ||
2210 | sctx = x->security; | ||
2211 | } | ||
2212 | |||
2213 | if (sctx) | ||
2214 | audit_log_format(audit_buf, | ||
2215 | " sec_alg=%u sec_doi=%u sec_obj=%s", | ||
2216 | sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str); | ||
2217 | |||
2218 | switch(family) { | ||
2219 | case AF_INET: | ||
2220 | { | ||
2221 | struct in_addr saddr, daddr; | ||
2222 | if (xp) { | ||
2223 | saddr.s_addr = xp->selector.saddr.a4; | ||
2224 | daddr.s_addr = xp->selector.daddr.a4; | ||
2225 | } else { | ||
2226 | saddr.s_addr = x->props.saddr.a4; | ||
2227 | daddr.s_addr = x->id.daddr.a4; | ||
2228 | } | ||
2229 | audit_log_format(audit_buf, | ||
2230 | " src=%u.%u.%u.%u dst=%u.%u.%u.%u", | ||
2231 | NIPQUAD(saddr), NIPQUAD(daddr)); | ||
2232 | } | ||
2233 | break; | ||
2234 | case AF_INET6: | ||
2235 | { | ||
2236 | struct in6_addr saddr6, daddr6; | ||
2237 | if (xp) { | ||
2238 | memcpy(&saddr6, xp->selector.saddr.a6, | ||
2239 | sizeof(struct in6_addr)); | ||
2240 | memcpy(&daddr6, xp->selector.daddr.a6, | ||
2241 | sizeof(struct in6_addr)); | ||
2242 | } else { | ||
2243 | memcpy(&saddr6, x->props.saddr.a6, | ||
2244 | sizeof(struct in6_addr)); | ||
2245 | memcpy(&daddr6, x->id.daddr.a6, | ||
2246 | sizeof(struct in6_addr)); | ||
2247 | } | ||
2248 | audit_log_format(audit_buf, | ||
2249 | " src=" NIP6_FMT " dst=" NIP6_FMT, | ||
2250 | NIP6(saddr6), NIP6(daddr6)); | ||
2251 | } | ||
2252 | break; | ||
2253 | } | ||
2254 | |||
2255 | if (x) | ||
2256 | audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s", | ||
2257 | (unsigned long)ntohl(x->id.spi), | ||
2258 | (unsigned long)ntohl(x->id.spi), | ||
2259 | x->id.proto == IPPROTO_AH ? "AH" : | ||
2260 | (x->id.proto == IPPROTO_ESP ? | ||
2261 | "ESP" : "IPCOMP")); | ||
2262 | |||
2263 | audit_log_format(audit_buf, " res=%u", result); | ||
2264 | audit_log_end(audit_buf); | ||
2265 | } | ||
2266 | |||
2267 | EXPORT_SYMBOL(xfrm_audit_log); | ||
2268 | #endif /* CONFIG_AUDITSYSCALL */ | ||
2269 | |||
2270 | int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) | 2148 | int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) |
2271 | { | 2149 | { |
2272 | int err = 0; | 2150 | int err = 0; |
@@ -2412,6 +2290,72 @@ void __init xfrm_init(void) | |||
2412 | xfrm_input_init(); | 2290 | xfrm_input_init(); |
2413 | } | 2291 | } |
2414 | 2292 | ||
2293 | #ifdef CONFIG_AUDITSYSCALL | ||
2294 | static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, | ||
2295 | struct audit_buffer *audit_buf) | ||
2296 | { | ||
2297 | if (xp->security) | ||
2298 | audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", | ||
2299 | xp->security->ctx_alg, xp->security->ctx_doi, | ||
2300 | xp->security->ctx_str); | ||
2301 | |||
2302 | switch(xp->selector.family) { | ||
2303 | case AF_INET: | ||
2304 | audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u", | ||
2305 | NIPQUAD(xp->selector.saddr.a4), | ||
2306 | NIPQUAD(xp->selector.daddr.a4)); | ||
2307 | break; | ||
2308 | case AF_INET6: | ||
2309 | { | ||
2310 | struct in6_addr saddr6, daddr6; | ||
2311 | |||
2312 | memcpy(&saddr6, xp->selector.saddr.a6, | ||
2313 | sizeof(struct in6_addr)); | ||
2314 | memcpy(&daddr6, xp->selector.daddr.a6, | ||
2315 | sizeof(struct in6_addr)); | ||
2316 | audit_log_format(audit_buf, | ||
2317 | " src=" NIP6_FMT " dst=" NIP6_FMT, | ||
2318 | NIP6(saddr6), NIP6(daddr6)); | ||
2319 | } | ||
2320 | break; | ||
2321 | } | ||
2322 | } | ||
2323 | |||
2324 | void | ||
2325 | xfrm_audit_policy_add(struct xfrm_policy *xp, int result, u32 auid, u32 sid) | ||
2326 | { | ||
2327 | struct audit_buffer *audit_buf; | ||
2328 | extern int audit_enabled; | ||
2329 | |||
2330 | if (audit_enabled == 0) | ||
2331 | return; | ||
2332 | audit_buf = xfrm_audit_start(sid, auid); | ||
2333 | if (audit_buf == NULL) | ||
2334 | return; | ||
2335 | audit_log_format(audit_buf, " op=SPD-add res=%u", result); | ||
2336 | xfrm_audit_common_policyinfo(xp, audit_buf); | ||
2337 | audit_log_end(audit_buf); | ||
2338 | } | ||
2339 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); | ||
2340 | |||
2341 | void | ||
2342 | xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, u32 auid, u32 sid) | ||
2343 | { | ||
2344 | struct audit_buffer *audit_buf; | ||
2345 | extern int audit_enabled; | ||
2346 | |||
2347 | if (audit_enabled == 0) | ||
2348 | return; | ||
2349 | audit_buf = xfrm_audit_start(sid, auid); | ||
2350 | if (audit_buf == NULL) | ||
2351 | return; | ||
2352 | audit_log_format(audit_buf, " op=SPD-delete res=%u", result); | ||
2353 | xfrm_audit_common_policyinfo(xp, audit_buf); | ||
2354 | audit_log_end(audit_buf); | ||
2355 | } | ||
2356 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete); | ||
2357 | #endif | ||
2358 | |||
2415 | #ifdef CONFIG_XFRM_MIGRATE | 2359 | #ifdef CONFIG_XFRM_MIGRATE |
2416 | static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp, | 2360 | static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp, |
2417 | struct xfrm_selector *sel_tgt) | 2361 | struct xfrm_selector *sel_tgt) |
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index d4356e6f7f9b..15734adc9367 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c | |||
@@ -19,7 +19,6 @@ | |||
19 | #include <linux/ipsec.h> | 19 | #include <linux/ipsec.h> |
20 | #include <linux/module.h> | 20 | #include <linux/module.h> |
21 | #include <linux/cache.h> | 21 | #include <linux/cache.h> |
22 | #include <linux/audit.h> | ||
23 | #include <asm/uaccess.h> | 22 | #include <asm/uaccess.h> |
24 | 23 | ||
25 | #include "xfrm_hash.h" | 24 | #include "xfrm_hash.h" |
@@ -301,8 +300,8 @@ expired: | |||
301 | if (!err && x->id.spi) | 300 | if (!err && x->id.spi) |
302 | km_state_expired(x, 1, 0); | 301 | km_state_expired(x, 1, 0); |
303 | 302 | ||
304 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | 303 | xfrm_audit_state_delete(x, err ? 0 : 1, |
305 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | 304 | audit_get_loginuid(current->audit_context), 0); |
306 | 305 | ||
307 | out: | 306 | out: |
308 | spin_unlock(&x->lock); | 307 | spin_unlock(&x->lock); |
@@ -403,11 +402,9 @@ xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info) | |||
403 | hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { | 402 | hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { |
404 | if (xfrm_id_proto_match(x->id.proto, proto) && | 403 | if (xfrm_id_proto_match(x->id.proto, proto) && |
405 | (err = security_xfrm_state_delete(x)) != 0) { | 404 | (err = security_xfrm_state_delete(x)) != 0) { |
406 | xfrm_audit_log(audit_info->loginuid, | 405 | xfrm_audit_state_delete(x, 0, |
407 | audit_info->secid, | 406 | audit_info->loginuid, |
408 | AUDIT_MAC_IPSEC_DELSA, | 407 | audit_info->secid); |
409 | 0, NULL, x); | ||
410 | |||
411 | return err; | 408 | return err; |
412 | } | 409 | } |
413 | } | 410 | } |
@@ -443,10 +440,9 @@ restart: | |||
443 | spin_unlock_bh(&xfrm_state_lock); | 440 | spin_unlock_bh(&xfrm_state_lock); |
444 | 441 | ||
445 | err = xfrm_state_delete(x); | 442 | err = xfrm_state_delete(x); |
446 | xfrm_audit_log(audit_info->loginuid, | 443 | xfrm_audit_state_delete(x, err ? 0 : 1, |
447 | audit_info->secid, | 444 | audit_info->loginuid, |
448 | AUDIT_MAC_IPSEC_DELSA, | 445 | audit_info->secid); |
449 | err ? 0 : 1, NULL, x); | ||
450 | xfrm_state_put(x); | 446 | xfrm_state_put(x); |
451 | 447 | ||
452 | spin_lock_bh(&xfrm_state_lock); | 448 | spin_lock_bh(&xfrm_state_lock); |
@@ -1821,3 +1817,72 @@ void __init xfrm_state_init(void) | |||
1821 | INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task); | 1817 | INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task); |
1822 | } | 1818 | } |
1823 | 1819 | ||
1820 | #ifdef CONFIG_AUDITSYSCALL | ||
1821 | static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x, | ||
1822 | struct audit_buffer *audit_buf) | ||
1823 | { | ||
1824 | if (x->security) | ||
1825 | audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", | ||
1826 | x->security->ctx_alg, x->security->ctx_doi, | ||
1827 | x->security->ctx_str); | ||
1828 | |||
1829 | switch(x->props.family) { | ||
1830 | case AF_INET: | ||
1831 | audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u", | ||
1832 | NIPQUAD(x->props.saddr.a4), | ||
1833 | NIPQUAD(x->id.daddr.a4)); | ||
1834 | break; | ||
1835 | case AF_INET6: | ||
1836 | { | ||
1837 | struct in6_addr saddr6, daddr6; | ||
1838 | |||
1839 | memcpy(&saddr6, x->props.saddr.a6, | ||
1840 | sizeof(struct in6_addr)); | ||
1841 | memcpy(&daddr6, x->id.daddr.a6, | ||
1842 | sizeof(struct in6_addr)); | ||
1843 | audit_log_format(audit_buf, | ||
1844 | " src=" NIP6_FMT " dst=" NIP6_FMT, | ||
1845 | NIP6(saddr6), NIP6(daddr6)); | ||
1846 | } | ||
1847 | break; | ||
1848 | } | ||
1849 | } | ||
1850 | |||
1851 | void | ||
1852 | xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid) | ||
1853 | { | ||
1854 | struct audit_buffer *audit_buf; | ||
1855 | extern int audit_enabled; | ||
1856 | |||
1857 | if (audit_enabled == 0) | ||
1858 | return; | ||
1859 | audit_buf = xfrm_audit_start(sid, auid); | ||
1860 | if (audit_buf == NULL) | ||
1861 | return; | ||
1862 | audit_log_format(audit_buf, " op=SAD-add res=%u",result); | ||
1863 | xfrm_audit_common_stateinfo(x, audit_buf); | ||
1864 | audit_log_format(audit_buf, " spi=%lu(0x%lx)", | ||
1865 | (unsigned long)x->id.spi, (unsigned long)x->id.spi); | ||
1866 | audit_log_end(audit_buf); | ||
1867 | } | ||
1868 | EXPORT_SYMBOL_GPL(xfrm_audit_state_add); | ||
1869 | |||
1870 | void | ||
1871 | xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid) | ||
1872 | { | ||
1873 | struct audit_buffer *audit_buf; | ||
1874 | extern int audit_enabled; | ||
1875 | |||
1876 | if (audit_enabled == 0) | ||
1877 | return; | ||
1878 | audit_buf = xfrm_audit_start(sid, auid); | ||
1879 | if (audit_buf == NULL) | ||
1880 | return; | ||
1881 | audit_log_format(audit_buf, " op=SAD-delete res=%u",result); | ||
1882 | xfrm_audit_common_stateinfo(x, audit_buf); | ||
1883 | audit_log_format(audit_buf, " spi=%lu(0x%lx)", | ||
1884 | (unsigned long)x->id.spi, (unsigned long)x->id.spi); | ||
1885 | audit_log_end(audit_buf); | ||
1886 | } | ||
1887 | EXPORT_SYMBOL_GPL(xfrm_audit_state_delete); | ||
1888 | #endif /* CONFIG_AUDITSYSCALL */ | ||
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 9e516f5cbb5e..0d81c0f23919 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
@@ -30,7 +30,6 @@ | |||
30 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 30 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
31 | #include <linux/in6.h> | 31 | #include <linux/in6.h> |
32 | #endif | 32 | #endif |
33 | #include <linux/audit.h> | ||
34 | 33 | ||
35 | static inline int alg_len(struct xfrm_algo *alg) | 34 | static inline int alg_len(struct xfrm_algo *alg) |
36 | { | 35 | { |
@@ -371,8 +370,8 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
371 | else | 370 | else |
372 | err = xfrm_state_update(x); | 371 | err = xfrm_state_update(x); |
373 | 372 | ||
374 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 373 | xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, |
375 | AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); | 374 | NETLINK_CB(skb).sid); |
376 | 375 | ||
377 | if (err < 0) { | 376 | if (err < 0) { |
378 | x->km.state = XFRM_STATE_DEAD; | 377 | x->km.state = XFRM_STATE_DEAD; |
@@ -451,8 +450,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
451 | km_state_notify(x, &c); | 450 | km_state_notify(x, &c); |
452 | 451 | ||
453 | out: | 452 | out: |
454 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 453 | xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, |
455 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | 454 | NETLINK_CB(skb).sid); |
456 | xfrm_state_put(x); | 455 | xfrm_state_put(x); |
457 | return err; | 456 | return err; |
458 | } | 457 | } |
@@ -1067,8 +1066,8 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1067 | * a type XFRM_MSG_UPDPOLICY - JHS */ | 1066 | * a type XFRM_MSG_UPDPOLICY - JHS */ |
1068 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; | 1067 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; |
1069 | err = xfrm_policy_insert(p->dir, xp, excl); | 1068 | err = xfrm_policy_insert(p->dir, xp, excl); |
1070 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1069 | xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid, |
1071 | AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); | 1070 | NETLINK_CB(skb).sid); |
1072 | 1071 | ||
1073 | if (err) { | 1072 | if (err) { |
1074 | security_xfrm_policy_free(xp); | 1073 | security_xfrm_policy_free(xp); |
@@ -1290,8 +1289,9 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1290 | NETLINK_CB(skb).pid); | 1289 | NETLINK_CB(skb).pid); |
1291 | } | 1290 | } |
1292 | } else { | 1291 | } else { |
1293 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1292 | xfrm_audit_policy_delete(xp, err ? 0 : 1, |
1294 | AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); | 1293 | NETLINK_CB(skb).loginuid, |
1294 | NETLINK_CB(skb).sid); | ||
1295 | 1295 | ||
1296 | if (err != 0) | 1296 | if (err != 0) |
1297 | goto out; | 1297 | goto out; |
@@ -1523,8 +1523,8 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1523 | err = 0; | 1523 | err = 0; |
1524 | if (up->hard) { | 1524 | if (up->hard) { |
1525 | xfrm_policy_delete(xp, p->dir); | 1525 | xfrm_policy_delete(xp, p->dir); |
1526 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1526 | xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid, |
1527 | AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); | 1527 | NETLINK_CB(skb).sid); |
1528 | 1528 | ||
1529 | } else { | 1529 | } else { |
1530 | // reset the timers here? | 1530 | // reset the timers here? |
@@ -1559,8 +1559,8 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1559 | 1559 | ||
1560 | if (ue->hard) { | 1560 | if (ue->hard) { |
1561 | __xfrm_state_delete(x); | 1561 | __xfrm_state_delete(x); |
1562 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1562 | xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid, |
1563 | AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); | 1563 | NETLINK_CB(skb).sid); |
1564 | } | 1564 | } |
1565 | err = 0; | 1565 | err = 0; |
1566 | out: | 1566 | out: |