aboutsummaryrefslogtreecommitdiffstats
path: root/include/net
diff options
context:
space:
mode:
authorJoy Latten <latten@austin.ibm.com>2007-09-17 14:51:22 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-10-10 19:49:02 -0400
commitab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce (patch)
treebf3915a618b29f507d882e9c665ed9d07e7c0765 /include/net
parentd2e9117c7aa9544d910634e17e3519fd67155229 (diff)
[XFRM]: xfrm audit calls
This patch modifies the current ipsec audit layer by breaking it up into purpose driven audit calls. So far, the only audit calls made are when add/delete an SA/policy. It had been discussed to give each key manager it's own calls to do this, but I found there to be much redundnacy since they did the exact same things, except for how they got auid and sid, so I combined them. The below audit calls can be made by any key manager. Hopefully, this is ok. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/xfrm.h40
1 files changed, 36 insertions, 4 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index a5f80bfbaaa4..760d2432be6b 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -12,6 +12,7 @@
12#include <linux/ipsec.h> 12#include <linux/ipsec.h>
13#include <linux/in6.h> 13#include <linux/in6.h>
14#include <linux/mutex.h> 14#include <linux/mutex.h>
15#include <linux/audit.h>
15 16
16#include <net/sock.h> 17#include <net/sock.h>
17#include <net/dst.h> 18#include <net/dst.h>
@@ -421,15 +422,46 @@ extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
421/* Audit Information */ 422/* Audit Information */
422struct xfrm_audit 423struct xfrm_audit
423{ 424{
424 uid_t loginuid; 425 u32 loginuid;
425 u32 secid; 426 u32 secid;
426}; 427};
427 428
428#ifdef CONFIG_AUDITSYSCALL 429#ifdef CONFIG_AUDITSYSCALL
429extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, 430static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
430 struct xfrm_policy *xp, struct xfrm_state *x); 431{
432 struct audit_buffer *audit_buf = NULL;
433 char *secctx;
434 u32 secctx_len;
435
436 audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
437 AUDIT_MAC_IPSEC_EVENT);
438 if (audit_buf == NULL)
439 return NULL;
440
441 audit_log_format(audit_buf, "auid=%u", auid);
442
443 if (sid != 0 &&
444 security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
445 audit_log_format(audit_buf, " subj=%s", secctx);
446 security_release_secctx(secctx, secctx_len);
447 } else
448 audit_log_task_context(audit_buf);
449 return audit_buf;
450}
451
452extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
453 u32 auid, u32 sid);
454extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
455 u32 auid, u32 sid);
456extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
457 u32 auid, u32 sid);
458extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
459 u32 auid, u32 sid);
431#else 460#else
432#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0) 461#define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0)
462#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
463#define xfrm_audit_state_add(x, r, a, s) do { ; } while (0)
464#define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0)
433#endif /* CONFIG_AUDITSYSCALL */ 465#endif /* CONFIG_AUDITSYSCALL */
434 466
435static inline void xfrm_pol_hold(struct xfrm_policy *policy) 467static inline void xfrm_pol_hold(struct xfrm_policy *policy)