aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2014-04-18 03:23:46 -0400
committerSteffen Klassert <steffen.klassert@secunet.com>2014-04-22 04:47:53 -0400
commitf1370cc4a01e61007ab3020c761cef6b88ae3729 (patch)
treebee103f4c6398b978b47b1b6bba8e097c1e332aa
parent5a9d19ab76f98b7cdc97ba9724be01deba791bc0 (diff)
xfrm: Remove useless secid field from xfrm_audit.
It seems to me that commit ab5f5e8b "[XFRM]: xfrm audit calls" is doing something strange at xfrm_audit_helper_usrinfo(). If secid != 0 && security_secid_to_secctx(secid) != 0, the caller calls audit_log_task_context() which basically does secid != 0 && security_secid_to_secctx(secid) == 0 case except that secid is obtained from current thread's context. Oh, what happens if secid passed to xfrm_audit_helper_usrinfo() was obtained from other thread's context? It might audit current thread's context rather than other thread's context if security_secid_to_secctx() in xfrm_audit_helper_usrinfo() failed for some reason. Then, are all the caller of xfrm_audit_helper_usrinfo() passing either secid obtained from current thread's context or secid == 0? It seems to me that they are. If I didn't miss something, we don't need to pass secid to xfrm_audit_helper_usrinfo() because audit_log_task_context() will obtain secid from current thread's context. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat
-rw-r--r--include/net/xfrm.h29
-rw-r--r--net/key/af_key.c12
-rw-r--r--net/xfrm/xfrm_policy.c22
-rw-r--r--net/xfrm/xfrm_state.c17
-rw-r--r--net/xfrm/xfrm_user.c27
5 files changed, 36 insertions, 71 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 116e9c7e19cb..882889eb156b 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -693,7 +693,6 @@ struct xfrm_spi_skb_cb {
693 693
694/* Audit Information */ 694/* Audit Information */
695struct xfrm_audit { 695struct xfrm_audit {
696 u32 secid;
697 kuid_t loginuid; 696 kuid_t loginuid;
698 unsigned int sessionid; 697 unsigned int sessionid;
699}; 698};
@@ -713,30 +712,22 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op)
713 return audit_buf; 712 return audit_buf;
714} 713}
715 714
716static inline void xfrm_audit_helper_usrinfo(kuid_t auid, unsigned int ses, u32 secid, 715static inline void xfrm_audit_helper_usrinfo(kuid_t auid, unsigned int ses,
717 struct audit_buffer *audit_buf) 716 struct audit_buffer *audit_buf)
718{ 717{
719 char *secctx;
720 u32 secctx_len;
721
722 audit_log_format(audit_buf, " auid=%u ses=%u", 718 audit_log_format(audit_buf, " auid=%u ses=%u",
723 from_kuid(&init_user_ns, auid), ses); 719 from_kuid(&init_user_ns, auid), ses);
724 if (secid != 0 && 720 audit_log_task_context(audit_buf);
725 security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
726 audit_log_format(audit_buf, " subj=%s", secctx);
727 security_release_secctx(secctx, secctx_len);
728 } else
729 audit_log_task_context(audit_buf);
730} 721}
731 722
732void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, kuid_t auid, 723void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, kuid_t auid,
733 unsigned int ses, u32 secid); 724 unsigned int ses);
734void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, kuid_t auid, 725void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, kuid_t auid,
735 unsigned int ses, u32 secid); 726 unsigned int ses);
736void xfrm_audit_state_add(struct xfrm_state *x, int result, kuid_t auid, 727void xfrm_audit_state_add(struct xfrm_state *x, int result, kuid_t auid,
737 unsigned int ses, u32 secid); 728 unsigned int ses);
738void xfrm_audit_state_delete(struct xfrm_state *x, int result, kuid_t auid, 729void xfrm_audit_state_delete(struct xfrm_state *x, int result, kuid_t auid,
739 unsigned int ses, u32 secid); 730 unsigned int ses);
740void xfrm_audit_state_replay_overflow(struct xfrm_state *x, 731void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
741 struct sk_buff *skb); 732 struct sk_buff *skb);
742void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb, 733void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
@@ -749,22 +740,22 @@ void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
749#else 740#else
750 741
751static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 742static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
752 kuid_t auid, unsigned int ses, u32 secid) 743 kuid_t auid, unsigned int ses)
753{ 744{
754} 745}
755 746
756static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 747static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
757 kuid_t auid, unsigned int ses, u32 secid) 748 kuid_t auid, unsigned int ses)
758{ 749{
759} 750}
760 751
761static inline void xfrm_audit_state_add(struct xfrm_state *x, int result, 752static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
762 kuid_t auid, unsigned int ses, u32 secid) 753 kuid_t auid, unsigned int ses)
763{ 754{
764} 755}
765 756
766static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result, 757static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
767 kuid_t auid, unsigned int ses, u32 secid) 758 kuid_t auid, unsigned int ses)
768{ 759{
769} 760}
770 761
diff --git a/net/key/af_key.c b/net/key/af_key.c
index f3c83073afc4..d66ff72adefb 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1478,7 +1478,7 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, const struct sadb_msg
1478 1478
1479 xfrm_audit_state_add(x, err ? 0 : 1, 1479 xfrm_audit_state_add(x, err ? 0 : 1,
1480 audit_get_loginuid(current), 1480 audit_get_loginuid(current),
1481 audit_get_sessionid(current), 0); 1481 audit_get_sessionid(current));
1482 1482
1483 if (err < 0) { 1483 if (err < 0) {
1484 x->km.state = XFRM_STATE_DEAD; 1484 x->km.state = XFRM_STATE_DEAD;
@@ -1534,7 +1534,7 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, const struct sadb_
1534out: 1534out:
1535 xfrm_audit_state_delete(x, err ? 0 : 1, 1535 xfrm_audit_state_delete(x, err ? 0 : 1,
1536 audit_get_loginuid(current), 1536 audit_get_loginuid(current),
1537 audit_get_sessionid(current), 0); 1537 audit_get_sessionid(current));
1538 xfrm_state_put(x); 1538 xfrm_state_put(x);
1539 1539
1540 return err; 1540 return err;
@@ -1735,7 +1735,6 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m
1735 1735
1736 audit_info.loginuid = audit_get_loginuid(current); 1736 audit_info.loginuid = audit_get_loginuid(current);
1737 audit_info.sessionid = audit_get_sessionid(current); 1737 audit_info.sessionid = audit_get_sessionid(current);
1738 audit_info.secid = 0;
1739 err = xfrm_state_flush(net, proto, &audit_info); 1738 err = xfrm_state_flush(net, proto, &audit_info);
1740 err2 = unicast_flush_resp(sk, hdr); 1739 err2 = unicast_flush_resp(sk, hdr);
1741 if (err || err2) { 1740 if (err || err2) {
@@ -2290,7 +2289,7 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, const struct sadb_
2290 2289
2291 xfrm_audit_policy_add(xp, err ? 0 : 1, 2290 xfrm_audit_policy_add(xp, err ? 0 : 1,
2292 audit_get_loginuid(current), 2291 audit_get_loginuid(current),
2293 audit_get_sessionid(current), 0); 2292 audit_get_sessionid(current));
2294 2293
2295 if (err) 2294 if (err)
2296 goto out; 2295 goto out;
@@ -2374,7 +2373,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sa
2374 2373
2375 xfrm_audit_policy_delete(xp, err ? 0 : 1, 2374 xfrm_audit_policy_delete(xp, err ? 0 : 1,
2376 audit_get_loginuid(current), 2375 audit_get_loginuid(current),
2377 audit_get_sessionid(current), 0); 2376 audit_get_sessionid(current));
2378 2377
2379 if (err) 2378 if (err)
2380 goto out; 2379 goto out;
@@ -2624,7 +2623,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, const struct sadb_
2624 if (delete) { 2623 if (delete) {
2625 xfrm_audit_policy_delete(xp, err ? 0 : 1, 2624 xfrm_audit_policy_delete(xp, err ? 0 : 1,
2626 audit_get_loginuid(current), 2625 audit_get_loginuid(current),
2627 audit_get_sessionid(current), 0); 2626 audit_get_sessionid(current));
2628 2627
2629 if (err) 2628 if (err)
2630 goto out; 2629 goto out;
@@ -2738,7 +2737,6 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, const struct sad
2738 2737
2739 audit_info.loginuid = audit_get_loginuid(current); 2738 audit_info.loginuid = audit_get_loginuid(current);
2740 audit_info.sessionid = audit_get_sessionid(current); 2739 audit_info.sessionid = audit_get_sessionid(current);
2741 audit_info.secid = 0;
2742 err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info); 2740 err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
2743 err2 = unicast_flush_resp(sk, hdr); 2741 err2 = unicast_flush_resp(sk, hdr);
2744 if (err || err2) { 2742 if (err || err2) {
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index c08fbd11ceff..bd001b7062c0 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -785,8 +785,7 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
785 if (err) { 785 if (err) {
786 xfrm_audit_policy_delete(pol, 0, 786 xfrm_audit_policy_delete(pol, 0,
787 audit_info->loginuid, 787 audit_info->loginuid,
788 audit_info->sessionid, 788 audit_info->sessionid);
789 audit_info->secid);
790 return err; 789 return err;
791 } 790 }
792 } 791 }
@@ -801,8 +800,7 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
801 if (err) { 800 if (err) {
802 xfrm_audit_policy_delete(pol, 0, 801 xfrm_audit_policy_delete(pol, 0,
803 audit_info->loginuid, 802 audit_info->loginuid,
804 audit_info->sessionid, 803 audit_info->sessionid);
805 audit_info->secid);
806 return err; 804 return err;
807 } 805 }
808 } 806 }
@@ -842,8 +840,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
842 cnt++; 840 cnt++;
843 841
844 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, 842 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
845 audit_info->sessionid, 843 audit_info->sessionid);
846 audit_info->secid);
847 844
848 xfrm_policy_kill(pol); 845 xfrm_policy_kill(pol);
849 846
@@ -864,8 +861,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
864 861
865 xfrm_audit_policy_delete(pol, 1, 862 xfrm_audit_policy_delete(pol, 1,
866 audit_info->loginuid, 863 audit_info->loginuid,
867 audit_info->sessionid, 864 audit_info->sessionid);
868 audit_info->secid);
869 xfrm_policy_kill(pol); 865 xfrm_policy_kill(pol);
870 866
871 write_lock_bh(&net->xfrm.xfrm_policy_lock); 867 write_lock_bh(&net->xfrm.xfrm_policy_lock);
@@ -2870,12 +2866,10 @@ static void xfrm_policy_fini(struct net *net)
2870#ifdef CONFIG_XFRM_SUB_POLICY 2866#ifdef CONFIG_XFRM_SUB_POLICY
2871 audit_info.loginuid = INVALID_UID; 2867 audit_info.loginuid = INVALID_UID;
2872 audit_info.sessionid = (unsigned int)-1; 2868 audit_info.sessionid = (unsigned int)-1;
2873 audit_info.secid = 0;
2874 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info); 2869 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
2875#endif 2870#endif
2876 audit_info.loginuid = INVALID_UID; 2871 audit_info.loginuid = INVALID_UID;
2877 audit_info.sessionid = (unsigned int)-1; 2872 audit_info.sessionid = (unsigned int)-1;
2878 audit_info.secid = 0;
2879 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info); 2873 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
2880 2874
2881 WARN_ON(!list_empty(&net->xfrm.policy_all)); 2875 WARN_ON(!list_empty(&net->xfrm.policy_all));
@@ -2992,14 +2986,14 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2992} 2986}
2993 2987
2994void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 2988void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2995 kuid_t auid, unsigned int sessionid, u32 secid) 2989 kuid_t auid, unsigned int sessionid)
2996{ 2990{
2997 struct audit_buffer *audit_buf; 2991 struct audit_buffer *audit_buf;
2998 2992
2999 audit_buf = xfrm_audit_start("SPD-add"); 2993 audit_buf = xfrm_audit_start("SPD-add");
3000 if (audit_buf == NULL) 2994 if (audit_buf == NULL)
3001 return; 2995 return;
3002 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); 2996 xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf);
3003 audit_log_format(audit_buf, " res=%u", result); 2997 audit_log_format(audit_buf, " res=%u", result);
3004 xfrm_audit_common_policyinfo(xp, audit_buf); 2998 xfrm_audit_common_policyinfo(xp, audit_buf);
3005 audit_log_end(audit_buf); 2999 audit_log_end(audit_buf);
@@ -3007,14 +3001,14 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
3007EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); 3001EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
3008 3002
3009void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 3003void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
3010 kuid_t auid, unsigned int sessionid, u32 secid) 3004 kuid_t auid, unsigned int sessionid)
3011{ 3005{
3012 struct audit_buffer *audit_buf; 3006 struct audit_buffer *audit_buf;
3013 3007
3014 audit_buf = xfrm_audit_start("SPD-delete"); 3008 audit_buf = xfrm_audit_start("SPD-delete");
3015 if (audit_buf == NULL) 3009 if (audit_buf == NULL)
3016 return; 3010 return;
3017 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); 3011 xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf);
3018 audit_log_format(audit_buf, " res=%u", result); 3012 audit_log_format(audit_buf, " res=%u", result);
3019 xfrm_audit_common_policyinfo(xp, audit_buf); 3013 xfrm_audit_common_policyinfo(xp, audit_buf);
3020 audit_log_end(audit_buf); 3014 audit_log_end(audit_buf);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 8e9c781a6bba..d91312b5ceb0 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -465,7 +465,7 @@ expired:
465 465
466 xfrm_audit_state_delete(x, err ? 0 : 1, 466 xfrm_audit_state_delete(x, err ? 0 : 1,
467 audit_get_loginuid(current), 467 audit_get_loginuid(current),
468 audit_get_sessionid(current), 0); 468 audit_get_sessionid(current));
469 469
470out: 470out:
471 spin_unlock(&x->lock); 471 spin_unlock(&x->lock);
@@ -574,8 +574,7 @@ xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audi
574 (err = security_xfrm_state_delete(x)) != 0) { 574 (err = security_xfrm_state_delete(x)) != 0) {
575 xfrm_audit_state_delete(x, 0, 575 xfrm_audit_state_delete(x, 0,
576 audit_info->loginuid, 576 audit_info->loginuid,
577 audit_info->sessionid, 577 audit_info->sessionid);
578 audit_info->secid);
579 return err; 578 return err;
580 } 579 }
581 } 580 }
@@ -613,8 +612,7 @@ restart:
613 err = xfrm_state_delete(x); 612 err = xfrm_state_delete(x);
614 xfrm_audit_state_delete(x, err ? 0 : 1, 613 xfrm_audit_state_delete(x, err ? 0 : 1,
615 audit_info->loginuid, 614 audit_info->loginuid,
616 audit_info->sessionid, 615 audit_info->sessionid);
617 audit_info->secid);
618 xfrm_state_put(x); 616 xfrm_state_put(x);
619 if (!err) 617 if (!err)
620 cnt++; 618 cnt++;
@@ -2134,7 +2132,6 @@ void xfrm_state_fini(struct net *net)
2134 flush_work(&net->xfrm.state_hash_work); 2132 flush_work(&net->xfrm.state_hash_work);
2135 audit_info.loginuid = INVALID_UID; 2133 audit_info.loginuid = INVALID_UID;
2136 audit_info.sessionid = (unsigned int)-1; 2134 audit_info.sessionid = (unsigned int)-1;
2137 audit_info.secid = 0;
2138 xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info); 2135 xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info);
2139 flush_work(&net->xfrm.state_gc_work); 2136 flush_work(&net->xfrm.state_gc_work);
2140 2137
@@ -2199,14 +2196,14 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2199} 2196}
2200 2197
2201void xfrm_audit_state_add(struct xfrm_state *x, int result, 2198void xfrm_audit_state_add(struct xfrm_state *x, int result,
2202 kuid_t auid, unsigned int sessionid, u32 secid) 2199 kuid_t auid, unsigned int sessionid)
2203{ 2200{
2204 struct audit_buffer *audit_buf; 2201 struct audit_buffer *audit_buf;
2205 2202
2206 audit_buf = xfrm_audit_start("SAD-add"); 2203 audit_buf = xfrm_audit_start("SAD-add");
2207 if (audit_buf == NULL) 2204 if (audit_buf == NULL)
2208 return; 2205 return;
2209 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); 2206 xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf);
2210 xfrm_audit_helper_sainfo(x, audit_buf); 2207 xfrm_audit_helper_sainfo(x, audit_buf);
2211 audit_log_format(audit_buf, " res=%u", result); 2208 audit_log_format(audit_buf, " res=%u", result);
2212 audit_log_end(audit_buf); 2209 audit_log_end(audit_buf);
@@ -2214,14 +2211,14 @@ void xfrm_audit_state_add(struct xfrm_state *x, int result,
2214EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2211EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2215 2212
2216void xfrm_audit_state_delete(struct xfrm_state *x, int result, 2213void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2217 kuid_t auid, unsigned int sessionid, u32 secid) 2214 kuid_t auid, unsigned int sessionid)
2218{ 2215{
2219 struct audit_buffer *audit_buf; 2216 struct audit_buffer *audit_buf;
2220 2217
2221 audit_buf = xfrm_audit_start("SAD-delete"); 2218 audit_buf = xfrm_audit_start("SAD-delete");
2222 if (audit_buf == NULL) 2219 if (audit_buf == NULL)
2223 return; 2220 return;
2224 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); 2221 xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf);
2225 xfrm_audit_helper_sainfo(x, audit_buf); 2222 xfrm_audit_helper_sainfo(x, audit_buf);
2226 audit_log_format(audit_buf, " res=%u", result); 2223 audit_log_format(audit_buf, " res=%u", result);
2227 audit_log_end(audit_buf); 2224 audit_log_end(audit_buf);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 8f131c10a6f3..d6409d927b82 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -599,7 +599,6 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
599 struct km_event c; 599 struct km_event c;
600 kuid_t loginuid = audit_get_loginuid(current); 600 kuid_t loginuid = audit_get_loginuid(current);
601 unsigned int sessionid = audit_get_sessionid(current); 601 unsigned int sessionid = audit_get_sessionid(current);
602 u32 sid;
603 602
604 err = verify_newsa_info(p, attrs); 603 err = verify_newsa_info(p, attrs);
605 if (err) 604 if (err)
@@ -615,8 +614,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
615 else 614 else
616 err = xfrm_state_update(x); 615 err = xfrm_state_update(x);
617 616
618 security_task_getsecid(current, &sid); 617 xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid);
619 xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
620 618
621 if (err < 0) { 619 if (err < 0) {
622 x->km.state = XFRM_STATE_DEAD; 620 x->km.state = XFRM_STATE_DEAD;
@@ -678,7 +676,6 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
678 struct xfrm_usersa_id *p = nlmsg_data(nlh); 676 struct xfrm_usersa_id *p = nlmsg_data(nlh);
679 kuid_t loginuid = audit_get_loginuid(current); 677 kuid_t loginuid = audit_get_loginuid(current);
680 unsigned int sessionid = audit_get_sessionid(current); 678 unsigned int sessionid = audit_get_sessionid(current);
681 u32 sid;
682 679
683 x = xfrm_user_state_lookup(net, p, attrs, &err); 680 x = xfrm_user_state_lookup(net, p, attrs, &err);
684 if (x == NULL) 681 if (x == NULL)
@@ -703,8 +700,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
703 km_state_notify(x, &c); 700 km_state_notify(x, &c);
704 701
705out: 702out:
706 security_task_getsecid(current, &sid); 703 xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid);
707 xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
708 xfrm_state_put(x); 704 xfrm_state_put(x);
709 return err; 705 return err;
710} 706}
@@ -1416,7 +1412,6 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1416 int excl; 1412 int excl;
1417 kuid_t loginuid = audit_get_loginuid(current); 1413 kuid_t loginuid = audit_get_loginuid(current);
1418 unsigned int sessionid = audit_get_sessionid(current); 1414 unsigned int sessionid = audit_get_sessionid(current);
1419 u32 sid;
1420 1415
1421 err = verify_newpolicy_info(p); 1416 err = verify_newpolicy_info(p);
1422 if (err) 1417 if (err)
@@ -1435,8 +1430,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1435 * a type XFRM_MSG_UPDPOLICY - JHS */ 1430 * a type XFRM_MSG_UPDPOLICY - JHS */
1436 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1431 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
1437 err = xfrm_policy_insert(p->dir, xp, excl); 1432 err = xfrm_policy_insert(p->dir, xp, excl);
1438 security_task_getsecid(current, &sid); 1433 xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid);
1439 xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
1440 1434
1441 if (err) { 1435 if (err) {
1442 security_xfrm_policy_free(xp->security); 1436 security_xfrm_policy_free(xp->security);
@@ -1675,11 +1669,8 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1675 } else { 1669 } else {
1676 kuid_t loginuid = audit_get_loginuid(current); 1670 kuid_t loginuid = audit_get_loginuid(current);
1677 unsigned int sessionid = audit_get_sessionid(current); 1671 unsigned int sessionid = audit_get_sessionid(current);
1678 u32 sid;
1679 1672
1680 security_task_getsecid(current, &sid); 1673 xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid);
1681 xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
1682 sid);
1683 1674
1684 if (err != 0) 1675 if (err != 0)
1685 goto out; 1676 goto out;
@@ -1709,7 +1700,6 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
1709 1700
1710 audit_info.loginuid = audit_get_loginuid(current); 1701 audit_info.loginuid = audit_get_loginuid(current);
1711 audit_info.sessionid = audit_get_sessionid(current); 1702 audit_info.sessionid = audit_get_sessionid(current);
1712 security_task_getsecid(current, &audit_info.secid);
1713 err = xfrm_state_flush(net, p->proto, &audit_info); 1703 err = xfrm_state_flush(net, p->proto, &audit_info);
1714 if (err) { 1704 if (err) {
1715 if (err == -ESRCH) /* empty table */ 1705 if (err == -ESRCH) /* empty table */
@@ -1902,7 +1892,6 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1902 1892
1903 audit_info.loginuid = audit_get_loginuid(current); 1893 audit_info.loginuid = audit_get_loginuid(current);
1904 audit_info.sessionid = audit_get_sessionid(current); 1894 audit_info.sessionid = audit_get_sessionid(current);
1905 security_task_getsecid(current, &audit_info.secid);
1906 err = xfrm_policy_flush(net, type, &audit_info); 1895 err = xfrm_policy_flush(net, type, &audit_info);
1907 if (err) { 1896 if (err) {
1908 if (err == -ESRCH) /* empty table */ 1897 if (err == -ESRCH) /* empty table */
@@ -1971,11 +1960,9 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1971 if (up->hard) { 1960 if (up->hard) {
1972 kuid_t loginuid = audit_get_loginuid(current); 1961 kuid_t loginuid = audit_get_loginuid(current);
1973 unsigned int sessionid = audit_get_sessionid(current); 1962 unsigned int sessionid = audit_get_sessionid(current);
1974 u32 sid;
1975 1963
1976 security_task_getsecid(current, &sid);
1977 xfrm_policy_delete(xp, p->dir); 1964 xfrm_policy_delete(xp, p->dir);
1978 xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid); 1965 xfrm_audit_policy_delete(xp, 1, loginuid, sessionid);
1979 1966
1980 } else { 1967 } else {
1981 // reset the timers here? 1968 // reset the timers here?
@@ -2014,11 +2001,9 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
2014 if (ue->hard) { 2001 if (ue->hard) {
2015 kuid_t loginuid = audit_get_loginuid(current); 2002 kuid_t loginuid = audit_get_loginuid(current);
2016 unsigned int sessionid = audit_get_sessionid(current); 2003 unsigned int sessionid = audit_get_sessionid(current);
2017 u32 sid;
2018 2004
2019 security_task_getsecid(current, &sid);
2020 __xfrm_state_delete(x); 2005 __xfrm_state_delete(x);
2021 xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid); 2006 xfrm_audit_state_delete(x, 1, loginuid, sessionid);
2022 } 2007 }
2023 err = 0; 2008 err = 0;
2024out: 2009out:
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-07 05:37:19 -0500