author | Paul Moore <paul.moore@hp.com> | 2007-12-21 17:58:11 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 18:00:01 -0500 |
commit | afeb14b49098ba7a51c96e083a4105a0301f94c4 (patch) | |
tree | 2675451596adbea8aa261704c356d074136abbbd /include | |
parent | dfd4f0ae2e111e2b93c295938c0e64ebbb69ae6e (diff) |
[XFRM]: RFC4303 compliant auditing
This patch adds a number of new IPsec audit events to meet the auditing
requirements of RFC4303. This includes audit hooks for the following events:
* Could not find a valid SA [sections 2.1, 3.4.2]
. xfrm_audit_state_notfound()
. xfrm_audit_state_notfound_simple()
* Sequence number overflow [section 3.3.3]
. xfrm_audit_state_replay_overflow()
* Replayed packet [section 3.4.3]
. xfrm_audit_state_replay()
* Integrity check failure [sections 3.4.4.1, 3.4.4.2]
. xfrm_audit_state_icvfail()
While RFC4304 deals only with ESP, most of the changes in this patch apply to
IPsec in general, i.e. both AH and ESP. In the one case where ESP-specific
code had to be modified, integrity check failure, the same change was made to
the AH code for the sake of consistency.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/net/xfrm.h | 33 |
1 files changed, 26 insertions, 7 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index f333c95c4189..5d5580ac0101 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
@@ -565,26 +565,33 @@ struct xfrm_audit | |||
565 | }; | 565 | }; |
566 | 566 | ||
567 | #ifdef CONFIG_AUDITSYSCALL | 567 | #ifdef CONFIG_AUDITSYSCALL |
568 | static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 secid) | 568 | static inline struct audit_buffer *xfrm_audit_start(const char *op) |
569 | { | 569 | { |
570 | struct audit_buffer *audit_buf = NULL; | 570 | struct audit_buffer *audit_buf = NULL; |
571 | char *secctx; | ||
572 | u32 secctx_len; | ||
573 | 571 | ||
572 | if (audit_enabled == 0) | ||
573 | return NULL; | ||
574 | audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, | 574 | audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, |
575 | AUDIT_MAC_IPSEC_EVENT); | 575 | AUDIT_MAC_IPSEC_EVENT); |
576 | if (audit_buf == NULL) | 576 | if (audit_buf == NULL) |
577 | return NULL; | 577 | return NULL; |
578 | audit_log_format(audit_buf, "op=%s", op); | ||
579 | return audit_buf; | ||
580 | } | ||
578 | 581 | ||
579 | audit_log_format(audit_buf, "auid=%u", auid); | 582 | static inline void xfrm_audit_helper_usrinfo(u32 auid, u32 secid, |
583 | struct audit_buffer *audit_buf) | ||
584 | { | ||
585 | char *secctx; | ||
586 | u32 secctx_len; | ||
580 | 587 | ||
588 | audit_log_format(audit_buf, " auid=%u", auid); | ||
581 | if (secid != 0 && | 589 | if (secid != 0 && |
582 | security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) { | 590 | security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) { |
583 | audit_log_format(audit_buf, " subj=%s", secctx); | 591 | audit_log_format(audit_buf, " subj=%s", secctx); |
584 | security_release_secctx(secctx, secctx_len); | 592 | security_release_secctx(secctx, secctx_len); |
585 | } else | 593 | } else |
586 | audit_log_task_context(audit_buf); | 594 | audit_log_task_context(audit_buf); |
587 | return audit_buf; | ||
588 | } | 595 | } |
589 | 596 | ||
590 | extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, | 597 | extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, |
@@ -595,11 +602,22 @@ extern void xfrm_audit_state_add(struct xfrm_state *x, int result, | |||
595 | u32 auid, u32 secid); | 602 | u32 auid, u32 secid); |
596 | extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, | 603 | extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, |
597 | u32 auid, u32 secid); | 604 | u32 auid, u32 secid); |
605 | extern void xfrm_audit_state_replay_overflow(struct xfrm_state *x, | ||
606 | struct sk_buff *skb); | ||
607 | extern void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family); | ||
608 | extern void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family, | ||
609 | __be32 net_spi, __be32 net_seq); | ||
610 | extern void xfrm_audit_state_icvfail(struct xfrm_state *x, | ||
611 | struct sk_buff *skb, u8 proto); | ||
598 | #else | 612 | #else |
599 | #define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) | 613 | #define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) |
600 | #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) | 614 | #define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) |
601 | #define xfrm_audit_state_add(x, r, a, s) do { ; } while (0) | 615 | #define xfrm_audit_state_add(x, r, a, s) do { ; } while (0) |
602 | #define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0) | 616 | #define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0) |
617 | #define xfrm_audit_state_replay_overflow(x, s) do { ; } while (0) | ||
618 | #define xfrm_audit_state_notfound_simple(s, f) do { ; } while (0) | ||
619 | #define xfrm_audit_state_notfound(s, f, sp, sq) do { ; } while (0) | ||
620 | #define xfrm_audit_state_icvfail(x, s, p) do { ; } while (0) | ||
603 | #endif /* CONFIG_AUDITSYSCALL */ | 621 | #endif /* CONFIG_AUDITSYSCALL */ |
604 | 622 | ||
605 | static inline void xfrm_pol_hold(struct xfrm_policy *policy) | 623 | static inline void xfrm_pol_hold(struct xfrm_policy *policy) |
@@ -1214,7 +1232,8 @@ extern int xfrm_state_delete(struct xfrm_state *x); | |||
1214 | extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info); | 1232 | extern int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info); |
1215 | extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si); | 1233 | extern void xfrm_sad_getinfo(struct xfrmk_sadinfo *si); |
1216 | extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si); | 1234 | extern void xfrm_spd_getinfo(struct xfrmk_spdinfo *si); |
1217 | extern int xfrm_replay_check(struct xfrm_state *x, __be32 seq); | 1235 | extern int xfrm_replay_check(struct xfrm_state *x, |
1236 | struct sk_buff *skb, __be32 seq); | ||
1218 | extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq); | 1237 | extern void xfrm_replay_advance(struct xfrm_state *x, __be32 seq); |
1219 | extern void xfrm_replay_notify(struct xfrm_state *x, int event); | 1238 | extern void xfrm_replay_notify(struct xfrm_state *x, int event); |
1220 | extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); | 1239 | extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); |
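Review bot: `xfrm_audit_start()` still hands `current->audit_context` to `audit_log_start()`, yet the hooks this section declares (`xfrm_audit_state_replay_overflow`, `xfrm_audit_state_notfound`, `xfrm_audit_state_icvfail`) take an `sk_buff` and so are presumably reached from packet processing rather than from a configuration syscall. If they run in softirq context, `current` is whichever task was interrupted, so the IPsec record could be attached to an unrelated task's audit context; the callers are outside this header, so that needs confirming there. At minimum I would add a comment above `xfrm_audit_start()` along the lines of `/* Uses current->audit_context; packet-path callers may not be running on behalf of current. May return NULL (audit disabled or allocation failure), callers must check. */`. Because these events are triggered by received traffic, it is also worth confirming that the audit rate limit and backlog settings bound how many records a remote peer can generate.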