aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoy Latten <latten@austin.ibm.com>2007-09-17 14:51:22 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-10-10 19:49:02 -0400
commitab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce (patch)
treebf3915a618b29f507d882e9c665ed9d07e7c0765
parentd2e9117c7aa9544d910634e17e3519fd67155229 (diff)
[XFRM]: xfrm audit calls
This patch modifies the current ipsec audit layer by breaking it up into purpose driven audit calls. So far, the only audit calls made are when add/delete an SA/policy. It had been discussed to give each key manager it's own calls to do this, but I found there to be much redundnacy since they did the exact same things, except for how they got auid and sid, so I combined them. The below audit calls can be made by any key manager. Hopefully, this is ok. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/linux/audit.h9
-rw-r--r--include/net/xfrm.h40
-rw-r--r--net/key/af_key.c21
-rw-r--r--net/xfrm/xfrm_policy.c210
-rw-r--r--net/xfrm/xfrm_state.c89
-rw-r--r--net/xfrm/xfrm_user.c26
6 files changed, 218 insertions, 177 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index d6579df8dadf..9ae740936a65 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -108,10 +108,11 @@
108#define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ 108#define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */
109#define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ 109#define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */
110#define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ 110#define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */
111#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */ 111#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Not used */
112#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */ 112#define AUDIT_MAC_IPSEC_DELSA 1412 /* Not used */
113#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */ 113#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Not used */
114#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */ 114#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Not used */
115#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */
115 116
116#define AUDIT_FIRST_KERN_ANOM_MSG 1700 117#define AUDIT_FIRST_KERN_ANOM_MSG 1700
117#define AUDIT_LAST_KERN_ANOM_MSG 1799 118#define AUDIT_LAST_KERN_ANOM_MSG 1799
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index a5f80bfbaaa4..760d2432be6b 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -12,6 +12,7 @@
12#include <linux/ipsec.h> 12#include <linux/ipsec.h>
13#include <linux/in6.h> 13#include <linux/in6.h>
14#include <linux/mutex.h> 14#include <linux/mutex.h>
15#include <linux/audit.h>
15 16
16#include <net/sock.h> 17#include <net/sock.h>
17#include <net/dst.h> 18#include <net/dst.h>
@@ -421,15 +422,46 @@ extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
421/* Audit Information */ 422/* Audit Information */
422struct xfrm_audit 423struct xfrm_audit
423{ 424{
424 uid_t loginuid; 425 u32 loginuid;
425 u32 secid; 426 u32 secid;
426}; 427};
427 428
428#ifdef CONFIG_AUDITSYSCALL 429#ifdef CONFIG_AUDITSYSCALL
429extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, 430static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
430 struct xfrm_policy *xp, struct xfrm_state *x); 431{
432 struct audit_buffer *audit_buf = NULL;
433 char *secctx;
434 u32 secctx_len;
435
436 audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
437 AUDIT_MAC_IPSEC_EVENT);
438 if (audit_buf == NULL)
439 return NULL;
440
441 audit_log_format(audit_buf, "auid=%u", auid);
442
443 if (sid != 0 &&
444 security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
445 audit_log_format(audit_buf, " subj=%s", secctx);
446 security_release_secctx(secctx, secctx_len);
447 } else
448 audit_log_task_context(audit_buf);
449 return audit_buf;
450}
451
452extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
453 u32 auid, u32 sid);
454extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
455 u32 auid, u32 sid);
456extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
457 u32 auid, u32 sid);
458extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
459 u32 auid, u32 sid);
431#else 460#else
432#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0) 461#define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0)
462#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
463#define xfrm_audit_state_add(x, r, a, s) do { ; } while (0)
464#define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0)
433#endif /* CONFIG_AUDITSYSCALL */ 465#endif /* CONFIG_AUDITSYSCALL */
434 466
435static inline void xfrm_pol_hold(struct xfrm_policy *policy) 467static inline void xfrm_pol_hold(struct xfrm_policy *policy)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 17b2a6927f01..0241fff95137 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -27,7 +27,6 @@
27#include <linux/proc_fs.h> 27#include <linux/proc_fs.h>
28#include <linux/init.h> 28#include <linux/init.h>
29#include <net/xfrm.h> 29#include <net/xfrm.h>
30#include <linux/audit.h>
31 30
32#include <net/sock.h> 31#include <net/sock.h>
33 32
@@ -1454,8 +1453,8 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr,
1454 else 1453 else
1455 err = xfrm_state_update(x); 1454 err = xfrm_state_update(x);
1456 1455
1457 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, 1456 xfrm_audit_state_add(x, err ? 0 : 1,
1458 AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); 1457 audit_get_loginuid(current->audit_context), 0);
1459 1458
1460 if (err < 0) { 1459 if (err < 0) {
1461 x->km.state = XFRM_STATE_DEAD; 1460 x->km.state = XFRM_STATE_DEAD;
@@ -1508,8 +1507,8 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
1508 c.event = XFRM_MSG_DELSA; 1507 c.event = XFRM_MSG_DELSA;
1509 km_state_notify(x, &c); 1508 km_state_notify(x, &c);
1510out: 1509out:
1511 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, 1510 xfrm_audit_state_delete(x, err ? 0 : 1,
1512 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); 1511 audit_get_loginuid(current->audit_context), 0);
1513 xfrm_state_put(x); 1512 xfrm_state_put(x);
1514 1513
1515 return err; 1514 return err;
@@ -2261,8 +2260,8 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
2261 err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, 2260 err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp,
2262 hdr->sadb_msg_type != SADB_X_SPDUPDATE); 2261 hdr->sadb_msg_type != SADB_X_SPDUPDATE);
2263 2262
2264 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, 2263 xfrm_audit_policy_add(xp, err ? 0 : 1,
2265 AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL); 2264 audit_get_loginuid(current->audit_context), 0);
2266 2265
2267 if (err) 2266 if (err)
2268 goto out; 2267 goto out;
@@ -2345,8 +2344,8 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
2345 if (xp == NULL) 2344 if (xp == NULL)
2346 return -ENOENT; 2345 return -ENOENT;
2347 2346
2348 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, 2347 xfrm_audit_policy_delete(xp, err ? 0 : 1,
2349 AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); 2348 audit_get_loginuid(current->audit_context), 0);
2350 2349
2351 if (err) 2350 if (err)
2352 goto out; 2351 goto out;
@@ -2606,8 +2605,8 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
2606 return -ENOENT; 2605 return -ENOENT;
2607 2606
2608 if (delete) { 2607 if (delete) {
2609 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, 2608 xfrm_audit_policy_delete(xp, err ? 0 : 1,
2610 AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); 2609 audit_get_loginuid(current->audit_context), 0);
2611 2610
2612 if (err) 2611 if (err)
2613 goto out; 2612 goto out;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6ab81b1d215e..36dd31c40f4a 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -23,7 +23,6 @@
23#include <linux/netfilter.h> 23#include <linux/netfilter.h>
24#include <linux/module.h> 24#include <linux/module.h>
25#include <linux/cache.h> 25#include <linux/cache.h>
26#include <linux/audit.h>
27#include <net/xfrm.h> 26#include <net/xfrm.h>
28#include <net/ip.h> 27#include <net/ip.h>
29 28
@@ -850,10 +849,9 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
850 continue; 849 continue;
851 err = security_xfrm_policy_delete(pol); 850 err = security_xfrm_policy_delete(pol);
852 if (err) { 851 if (err) {
853 xfrm_audit_log(audit_info->loginuid, 852 xfrm_audit_policy_delete(pol, 0,
854 audit_info->secid, 853 audit_info->loginuid,
855 AUDIT_MAC_IPSEC_DELSPD, 0, 854 audit_info->secid);
856 pol, NULL);
857 return err; 855 return err;
858 } 856 }
859 } 857 }
@@ -865,10 +863,9 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
865 continue; 863 continue;
866 err = security_xfrm_policy_delete(pol); 864 err = security_xfrm_policy_delete(pol);
867 if (err) { 865 if (err) {
868 xfrm_audit_log(audit_info->loginuid, 866 xfrm_audit_policy_delete(pol, 0,
869 audit_info->secid, 867 audit_info->loginuid,
870 AUDIT_MAC_IPSEC_DELSPD, 868 audit_info->secid);
871 0, pol, NULL);
872 return err; 869 return err;
873 } 870 }
874 } 871 }
@@ -909,8 +906,8 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
909 hlist_del(&pol->byidx); 906 hlist_del(&pol->byidx);
910 write_unlock_bh(&xfrm_policy_lock); 907 write_unlock_bh(&xfrm_policy_lock);
911 908
912 xfrm_audit_log(audit_info->loginuid, audit_info->secid, 909 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
913 AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL); 910 audit_info->secid);
914 911
915 xfrm_policy_kill(pol); 912 xfrm_policy_kill(pol);
916 killed++; 913 killed++;
@@ -930,11 +927,9 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
930 hlist_del(&pol->byidx); 927 hlist_del(&pol->byidx);
931 write_unlock_bh(&xfrm_policy_lock); 928 write_unlock_bh(&xfrm_policy_lock);
932 929
933 xfrm_audit_log(audit_info->loginuid, 930 xfrm_audit_policy_delete(pol, 1,
934 audit_info->secid, 931 audit_info->loginuid,
935 AUDIT_MAC_IPSEC_DELSPD, 1, 932 audit_info->secid);
936 pol, NULL);
937
938 xfrm_policy_kill(pol); 933 xfrm_policy_kill(pol);
939 killed++; 934 killed++;
940 935
@@ -2150,123 +2145,6 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2150 2145
2151EXPORT_SYMBOL(xfrm_bundle_ok); 2146EXPORT_SYMBOL(xfrm_bundle_ok);
2152 2147
2153#ifdef CONFIG_AUDITSYSCALL
2154/* Audit addition and deletion of SAs and ipsec policy */
2155
2156void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
2157 struct xfrm_policy *xp, struct xfrm_state *x)
2158{
2159
2160 char *secctx;
2161 u32 secctx_len;
2162 struct xfrm_sec_ctx *sctx = NULL;
2163 struct audit_buffer *audit_buf;
2164 int family;
2165 extern int audit_enabled;
2166
2167 if (audit_enabled == 0)
2168 return;
2169
2170 BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
2171 type == AUDIT_MAC_IPSEC_DELSA) && !x);
2172 BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
2173 type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
2174
2175 audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
2176 if (audit_buf == NULL)
2177 return;
2178
2179 switch(type) {
2180 case AUDIT_MAC_IPSEC_ADDSA:
2181 audit_log_format(audit_buf, "SAD add: auid=%u", auid);
2182 break;
2183 case AUDIT_MAC_IPSEC_DELSA:
2184 audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
2185 break;
2186 case AUDIT_MAC_IPSEC_ADDSPD:
2187 audit_log_format(audit_buf, "SPD add: auid=%u", auid);
2188 break;
2189 case AUDIT_MAC_IPSEC_DELSPD:
2190 audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
2191 break;
2192 default:
2193 return;
2194 }
2195
2196 if (sid != 0 &&
2197 security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
2198 audit_log_format(audit_buf, " subj=%s", secctx);
2199 security_release_secctx(secctx, secctx_len);
2200 } else
2201 audit_log_task_context(audit_buf);
2202
2203 if (xp) {
2204 family = xp->selector.family;
2205 if (xp->security)
2206 sctx = xp->security;
2207 } else {
2208 family = x->props.family;
2209 if (x->security)
2210 sctx = x->security;
2211 }
2212
2213 if (sctx)
2214 audit_log_format(audit_buf,
2215 " sec_alg=%u sec_doi=%u sec_obj=%s",
2216 sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str);
2217
2218 switch(family) {
2219 case AF_INET:
2220 {
2221 struct in_addr saddr, daddr;
2222 if (xp) {
2223 saddr.s_addr = xp->selector.saddr.a4;
2224 daddr.s_addr = xp->selector.daddr.a4;
2225 } else {
2226 saddr.s_addr = x->props.saddr.a4;
2227 daddr.s_addr = x->id.daddr.a4;
2228 }
2229 audit_log_format(audit_buf,
2230 " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
2231 NIPQUAD(saddr), NIPQUAD(daddr));
2232 }
2233 break;
2234 case AF_INET6:
2235 {
2236 struct in6_addr saddr6, daddr6;
2237 if (xp) {
2238 memcpy(&saddr6, xp->selector.saddr.a6,
2239 sizeof(struct in6_addr));
2240 memcpy(&daddr6, xp->selector.daddr.a6,
2241 sizeof(struct in6_addr));
2242 } else {
2243 memcpy(&saddr6, x->props.saddr.a6,
2244 sizeof(struct in6_addr));
2245 memcpy(&daddr6, x->id.daddr.a6,
2246 sizeof(struct in6_addr));
2247 }
2248 audit_log_format(audit_buf,
2249 " src=" NIP6_FMT " dst=" NIP6_FMT,
2250 NIP6(saddr6), NIP6(daddr6));
2251 }
2252 break;
2253 }
2254
2255 if (x)
2256 audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
2257 (unsigned long)ntohl(x->id.spi),
2258 (unsigned long)ntohl(x->id.spi),
2259 x->id.proto == IPPROTO_AH ? "AH" :
2260 (x->id.proto == IPPROTO_ESP ?
2261 "ESP" : "IPCOMP"));
2262
2263 audit_log_format(audit_buf, " res=%u", result);
2264 audit_log_end(audit_buf);
2265}
2266
2267EXPORT_SYMBOL(xfrm_audit_log);
2268#endif /* CONFIG_AUDITSYSCALL */
2269
2270int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) 2148int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
2271{ 2149{
2272 int err = 0; 2150 int err = 0;
@@ -2412,6 +2290,72 @@ void __init xfrm_init(void)
2412 xfrm_input_init(); 2290 xfrm_input_init();
2413} 2291}
2414 2292
2293#ifdef CONFIG_AUDITSYSCALL
2294static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2295 struct audit_buffer *audit_buf)
2296{
2297 if (xp->security)
2298 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2299 xp->security->ctx_alg, xp->security->ctx_doi,
2300 xp->security->ctx_str);
2301
2302 switch(xp->selector.family) {
2303 case AF_INET:
2304 audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
2305 NIPQUAD(xp->selector.saddr.a4),
2306 NIPQUAD(xp->selector.daddr.a4));
2307 break;
2308 case AF_INET6:
2309 {
2310 struct in6_addr saddr6, daddr6;
2311
2312 memcpy(&saddr6, xp->selector.saddr.a6,
2313 sizeof(struct in6_addr));
2314 memcpy(&daddr6, xp->selector.daddr.a6,
2315 sizeof(struct in6_addr));
2316 audit_log_format(audit_buf,
2317 " src=" NIP6_FMT " dst=" NIP6_FMT,
2318 NIP6(saddr6), NIP6(daddr6));
2319 }
2320 break;
2321 }
2322}
2323
2324void
2325xfrm_audit_policy_add(struct xfrm_policy *xp, int result, u32 auid, u32 sid)
2326{
2327 struct audit_buffer *audit_buf;
2328 extern int audit_enabled;
2329
2330 if (audit_enabled == 0)
2331 return;
2332 audit_buf = xfrm_audit_start(sid, auid);
2333 if (audit_buf == NULL)
2334 return;
2335 audit_log_format(audit_buf, " op=SPD-add res=%u", result);
2336 xfrm_audit_common_policyinfo(xp, audit_buf);
2337 audit_log_end(audit_buf);
2338}
2339EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
2340
2341void
2342xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, u32 auid, u32 sid)
2343{
2344 struct audit_buffer *audit_buf;
2345 extern int audit_enabled;
2346
2347 if (audit_enabled == 0)
2348 return;
2349 audit_buf = xfrm_audit_start(sid, auid);
2350 if (audit_buf == NULL)
2351 return;
2352 audit_log_format(audit_buf, " op=SPD-delete res=%u", result);
2353 xfrm_audit_common_policyinfo(xp, audit_buf);
2354 audit_log_end(audit_buf);
2355}
2356EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
2357#endif
2358
2415#ifdef CONFIG_XFRM_MIGRATE 2359#ifdef CONFIG_XFRM_MIGRATE
2416static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp, 2360static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
2417 struct xfrm_selector *sel_tgt) 2361 struct xfrm_selector *sel_tgt)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index d4356e6f7f9b..15734adc9367 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -19,7 +19,6 @@
19#include <linux/ipsec.h> 19#include <linux/ipsec.h>
20#include <linux/module.h> 20#include <linux/module.h>
21#include <linux/cache.h> 21#include <linux/cache.h>
22#include <linux/audit.h>
23#include <asm/uaccess.h> 22#include <asm/uaccess.h>
24 23
25#include "xfrm_hash.h" 24#include "xfrm_hash.h"
@@ -301,8 +300,8 @@ expired:
301 if (!err && x->id.spi) 300 if (!err && x->id.spi)
302 km_state_expired(x, 1, 0); 301 km_state_expired(x, 1, 0);
303 302
304 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, 303 xfrm_audit_state_delete(x, err ? 0 : 1,
305 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); 304 audit_get_loginuid(current->audit_context), 0);
306 305
307out: 306out:
308 spin_unlock(&x->lock); 307 spin_unlock(&x->lock);
@@ -403,11 +402,9 @@ xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
403 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { 402 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
404 if (xfrm_id_proto_match(x->id.proto, proto) && 403 if (xfrm_id_proto_match(x->id.proto, proto) &&
405 (err = security_xfrm_state_delete(x)) != 0) { 404 (err = security_xfrm_state_delete(x)) != 0) {
406 xfrm_audit_log(audit_info->loginuid, 405 xfrm_audit_state_delete(x, 0,
407 audit_info->secid, 406 audit_info->loginuid,
408 AUDIT_MAC_IPSEC_DELSA, 407 audit_info->secid);
409 0, NULL, x);
410
411 return err; 408 return err;
412 } 409 }
413 } 410 }
@@ -443,10 +440,9 @@ restart:
443 spin_unlock_bh(&xfrm_state_lock); 440 spin_unlock_bh(&xfrm_state_lock);
444 441
445 err = xfrm_state_delete(x); 442 err = xfrm_state_delete(x);
446 xfrm_audit_log(audit_info->loginuid, 443 xfrm_audit_state_delete(x, err ? 0 : 1,
447 audit_info->secid, 444 audit_info->loginuid,
448 AUDIT_MAC_IPSEC_DELSA, 445 audit_info->secid);
449 err ? 0 : 1, NULL, x);
450 xfrm_state_put(x); 446 xfrm_state_put(x);
451 447
452 spin_lock_bh(&xfrm_state_lock); 448 spin_lock_bh(&xfrm_state_lock);
@@ -1821,3 +1817,72 @@ void __init xfrm_state_init(void)
1821 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task); 1817 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
1822} 1818}
1823 1819
1820#ifdef CONFIG_AUDITSYSCALL
1821static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x,
1822 struct audit_buffer *audit_buf)
1823{
1824 if (x->security)
1825 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
1826 x->security->ctx_alg, x->security->ctx_doi,
1827 x->security->ctx_str);
1828
1829 switch(x->props.family) {
1830 case AF_INET:
1831 audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
1832 NIPQUAD(x->props.saddr.a4),
1833 NIPQUAD(x->id.daddr.a4));
1834 break;
1835 case AF_INET6:
1836 {
1837 struct in6_addr saddr6, daddr6;
1838
1839 memcpy(&saddr6, x->props.saddr.a6,
1840 sizeof(struct in6_addr));
1841 memcpy(&daddr6, x->id.daddr.a6,
1842 sizeof(struct in6_addr));
1843 audit_log_format(audit_buf,
1844 " src=" NIP6_FMT " dst=" NIP6_FMT,
1845 NIP6(saddr6), NIP6(daddr6));
1846 }
1847 break;
1848 }
1849}
1850
1851void
1852xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid)
1853{
1854 struct audit_buffer *audit_buf;
1855 extern int audit_enabled;
1856
1857 if (audit_enabled == 0)
1858 return;
1859 audit_buf = xfrm_audit_start(sid, auid);
1860 if (audit_buf == NULL)
1861 return;
1862 audit_log_format(audit_buf, " op=SAD-add res=%u",result);
1863 xfrm_audit_common_stateinfo(x, audit_buf);
1864 audit_log_format(audit_buf, " spi=%lu(0x%lx)",
1865 (unsigned long)x->id.spi, (unsigned long)x->id.spi);
1866 audit_log_end(audit_buf);
1867}
1868EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
1869
1870void
1871xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid)
1872{
1873 struct audit_buffer *audit_buf;
1874 extern int audit_enabled;
1875
1876 if (audit_enabled == 0)
1877 return;
1878 audit_buf = xfrm_audit_start(sid, auid);
1879 if (audit_buf == NULL)
1880 return;
1881 audit_log_format(audit_buf, " op=SAD-delete res=%u",result);
1882 xfrm_audit_common_stateinfo(x, audit_buf);
1883 audit_log_format(audit_buf, " spi=%lu(0x%lx)",
1884 (unsigned long)x->id.spi, (unsigned long)x->id.spi);
1885 audit_log_end(audit_buf);
1886}
1887EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
1888#endif /* CONFIG_AUDITSYSCALL */
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 9e516f5cbb5e..0d81c0f23919 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -30,7 +30,6 @@
30#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 30#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
31#include <linux/in6.h> 31#include <linux/in6.h>
32#endif 32#endif
33#include <linux/audit.h>
34 33
35static inline int alg_len(struct xfrm_algo *alg) 34static inline int alg_len(struct xfrm_algo *alg)
36{ 35{
@@ -371,8 +370,8 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
371 else 370 else
372 err = xfrm_state_update(x); 371 err = xfrm_state_update(x);
373 372
374 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 373 xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid,
375 AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); 374 NETLINK_CB(skb).sid);
376 375
377 if (err < 0) { 376 if (err < 0) {
378 x->km.state = XFRM_STATE_DEAD; 377 x->km.state = XFRM_STATE_DEAD;
@@ -451,8 +450,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
451 km_state_notify(x, &c); 450 km_state_notify(x, &c);
452 451
453out: 452out:
454 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 453 xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid,
455 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); 454 NETLINK_CB(skb).sid);
456 xfrm_state_put(x); 455 xfrm_state_put(x);
457 return err; 456 return err;
458} 457}
@@ -1067,8 +1066,8 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1067 * a type XFRM_MSG_UPDPOLICY - JHS */ 1066 * a type XFRM_MSG_UPDPOLICY - JHS */
1068 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1067 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
1069 err = xfrm_policy_insert(p->dir, xp, excl); 1068 err = xfrm_policy_insert(p->dir, xp, excl);
1070 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1069 xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid,
1071 AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); 1070 NETLINK_CB(skb).sid);
1072 1071
1073 if (err) { 1072 if (err) {
1074 security_xfrm_policy_free(xp); 1073 security_xfrm_policy_free(xp);
@@ -1290,8 +1289,9 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1290 NETLINK_CB(skb).pid); 1289 NETLINK_CB(skb).pid);
1291 } 1290 }
1292 } else { 1291 } else {
1293 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1292 xfrm_audit_policy_delete(xp, err ? 0 : 1,
1294 AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); 1293 NETLINK_CB(skb).loginuid,
1294 NETLINK_CB(skb).sid);
1295 1295
1296 if (err != 0) 1296 if (err != 0)
1297 goto out; 1297 goto out;
@@ -1523,8 +1523,8 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1523 err = 0; 1523 err = 0;
1524 if (up->hard) { 1524 if (up->hard) {
1525 xfrm_policy_delete(xp, p->dir); 1525 xfrm_policy_delete(xp, p->dir);
1526 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1526 xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid,
1527 AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); 1527 NETLINK_CB(skb).sid);
1528 1528
1529 } else { 1529 } else {
1530 // reset the timers here? 1530 // reset the timers here?
@@ -1559,8 +1559,8 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1559 1559
1560 if (ue->hard) { 1560 if (ue->hard) {
1561 __xfrm_state_delete(x); 1561 __xfrm_state_delete(x);
1562 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1562 xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid,
1563 AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); 1563 NETLINK_CB(skb).sid);
1564 } 1564 }
1565 err = 0; 1565 err = 0;
1566out: 1566out: