authorPaul Moore <paul.moore@hp.com>2007-12-21 17:58:11 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 18:00:01 -0500
commitafeb14b49098ba7a51c96e083a4105a0301f94c4 (patch)
tree2675451596adbea8aa261704c356d074136abbbd /include
parentdfd4f0ae2e111e2b93c295938c0e64ebbb69ae6e (diff)
[XFRM]: RFC4303 compliant auditing
This patch adds a number of new IPsec audit events to meet the auditing requirements of RFC4303. This includes audit hooks for the following events: * Could not find a valid SA [sections 2.1, 3.4.2] . xfrm_audit_state_notfound() . xfrm_audit_state_notfound_simple() * Sequence number overflow [section 3.3.3] . xfrm_audit_state_replay_overflow() * Replayed packet [section 3.4.3] . xfrm_audit_state_replay() * Integrity check failure [sections 3.4.4.1, 3.4.4.2] . xfrm_audit_state_icvfail() While RFC4303 deals only with ESP most of the changes in this patch apply to IPsec in general, i.e. both AH and ESP. The one case, integrity check failure, where ESP specific code had to be modified the same was done to the AH code for the sake of consistency. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/net/xfrm.h33
1 files changed, 26 insertions, 7 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index f333c95c4189..5d5580ac0101 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -565,26 +565,33 @@ struct xfrm_audit
565}; 565};
566 566
567#ifdef CONFIG_AUDITSYSCALL 567#ifdef CONFIG_AUDITSYSCALL
568static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 secid) 568static inline struct audit_buffer *xfrm_audit_start(const char *op)
569{ 569{
570 struct audit_buffer *audit_buf = NULL; 570 struct audit_buffer *audit_buf = NULL;
571 char *secctx;
572 u32 secctx_len;
573 571
572 if (audit_enabled == 0)
573 return NULL;
574 audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, 574 audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
575 AUDIT_MAC_IPSEC_EVENT); 575 AUDIT_MAC_IPSEC_EVENT);
576 if (audit_buf == NULL) 576 if (audit_buf == NULL)
577 return NULL; 577 return NULL;
578 audit_log_format(audit_buf, "op=%s", op);
579 return audit_buf;
580}
578 581
579 audit_log_format(audit_buf, "auid=%u", auid); 582static inline void xfrm_audit_helper_usrinfo(u32 auid, u32 secid,
583 struct audit_buffer *audit_buf)
584{
585 char *secctx;
586 u32 secctx_len;
580 587
588 audit_log_format(audit_buf, " auid=%u", auid);
581 if (secid != 0 && 589 if (secid != 0 &&
582 security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) { 590 security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
583 audit_log_format(audit_buf, " subj=%s", secctx); 591 audit_log_format(audit_buf, " subj=%s", secctx);
584 security_release_secctx(secctx, secctx_len); 592 security_release_secctx(secctx, secctx_len);
585 } else 593 } else
586 audit_log_task_context(audit_buf); 594 audit_log_task_context(audit_buf);
587 return audit_buf;
588} 595}
589 596
590extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 597extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
@@ -595,11 +602,22 @@ extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
595 u32 auid, u32 secid); 602 u32 auid, u32 secid);
596extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, 603extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
597 u32 auid, u32 secid); 604 u32 auid, u32 secid);
605extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
606 struct sk_buff *skb);
607extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family);
608extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
609 __be32 net_spi, __be32 net_seq);
610extern void xfrm_audit_state_icvfail(struct xfrm_state *x,
611 struct sk_buff *skb, u8 proto);
598#else 612#else
599#define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) 613#define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0)
600#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) 614#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
601#define xfrm_audit_state_add(x, r, a, s) do { ; } while (0) 615#define xfrm_audit_state_add(x, r, a, s) do { ; } while (0)
602#define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0) 616#define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0)
617#define xfrm_audit_state_replay_overflow(x, s) do { ; } while (0)
618#define xfrm_audit_state_notfound_simple(s, f) do { ; } while (0)
619#define xfrm_audit_state_notfound(s, f, sp, sq) do { ; } while (0)
620#define xfrm_audit_state_icvfail(x, s, p) do { ; } while (0)
603#endif /* CONFIG_AUDITSYSCALL */ 621#endif /* CONFIG_AUDITSYSCALL */
604 622
605static inline void xfrm_pol_hold(struct xfrm_policy *policy) 623static inline void xfrm_pol_hold(struct xfrm_policy *policy)
@@ -1214,7 +1232,8 @@ extern int xfrm_state_delete(struct xfrm_state *x);
1214extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info); 1232extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info);
1215extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si); 1233extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si);
1216extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si); 1234extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si);
1217extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq); 1235extern int xfrm_replay_check(struct xfrm_state *x,
1236 struct sk_buff *skb, __be32 seq);
1218extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq); 1237extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq);
1219extern void xfrm_replay_notify(struct xfrm_state *x, int event); 1238extern void xfrm_replay_notify(struct xfrm_state *x, int event);
1220extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); 1239extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
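Review bot: The four per-packet hooks declared at new lines 605-611 (xfrm_audit_state_replay_overflow, _notfound_simple, _notfound, _icvfail) are reachable from unauthenticated inbound traffic — a bogus SPI or a corrupted ICV is enough — so an attacker can drive audit-record volume at line rate, and the only bound in xfrm_audit_start() is the `audit_enabled` check at new 572-573. A failed GFP_ATOMIC audit_log_start() at 574 is handled at 576-577, but if I remember the audit core correctly a backlog-limit failure is still counted as a lost record, which under an audit failure mode of panic turns this into a remote DoS; the prototypes should at least carry `/* Per-packet events: triggerable by unauthenticated traffic, callers in the receive path must rate-limit. */`, or the receive-path callers should use a ratelimit (the `net_ratelimit()` pattern). Separately, these hooks presumably run in softirq context where `current` is an unrelated task, so `audit_log_start(current->audit_context, ...)` at 574 may attach the record to that task's syscall serial; passing `NULL` as the context for the packet-path events would avoid the misattribution. The call sites live in net/xfrm and are not in this hunk, so both points are inferred from the skb parameters and need confirming there.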