authorDmitry Torokhov <dtor@insightbb.com>2006-12-08 01:07:56 -0500
committerDmitry Torokhov <dtor@insightbb.com>2006-12-08 01:07:56 -0500
commitbef986502fa398b1785a3979b1aa17cd902d3527 (patch)
treeb59c1afe7b1dfcc001b86e54863f550d7ddc8c34 /net/key
parent4bdbd2807deeccc0793d57fb5120d7a53f2c0b3c (diff)
parentc99767974ebd2a719d849fdeaaa1674456f5283f (diff)
Merge rsync://rsync.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6
Conflicts: drivers/usb/input/hid.h
Diffstat (limited to 'net/key')
-rw-r--r--net/key/af_key.c69
1 files changed, 50 insertions, 19 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 20ff7cca1d07..5dd5094659a1 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -27,6 +27,7 @@
27#include <linux/proc_fs.h> 27#include <linux/proc_fs.h>
28#include <linux/init.h> 28#include <linux/init.h>
29#include <net/xfrm.h> 29#include <net/xfrm.h>
30#include <linux/audit.h>
30 31
31#include <net/sock.h> 32#include <net/sock.h>
32 33
@@ -1420,6 +1421,9 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr,
1420 else 1421 else
1421 err = xfrm_state_update(x); 1422 err = xfrm_state_update(x);
1422 1423
1424 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
1425 AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
1426
1423 if (err < 0) { 1427 if (err < 0) {
1424 x->km.state = XFRM_STATE_DEAD; 1428 x->km.state = XFRM_STATE_DEAD;
1425 __xfrm_state_put(x); 1429 __xfrm_state_put(x);
@@ -1460,8 +1464,12 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
1460 err = -EPERM; 1464 err = -EPERM;
1461 goto out; 1465 goto out;
1462 } 1466 }
1463 1467
1464 err = xfrm_state_delete(x); 1468 err = xfrm_state_delete(x);
1469
1470 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
1471 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
1472
1465 if (err < 0) 1473 if (err < 0)
1466 goto out; 1474 goto out;
1467 1475
@@ -1637,12 +1645,15 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd
1637{ 1645{
1638 unsigned proto; 1646 unsigned proto;
1639 struct km_event c; 1647 struct km_event c;
1648 struct xfrm_audit audit_info;
1640 1649
1641 proto = pfkey_satype2proto(hdr->sadb_msg_satype); 1650 proto = pfkey_satype2proto(hdr->sadb_msg_satype);
1642 if (proto == 0) 1651 if (proto == 0)
1643 return -EINVAL; 1652 return -EINVAL;
1644 1653
1645 xfrm_state_flush(proto); 1654 audit_info.loginuid = audit_get_loginuid(current->audit_context);
1655 audit_info.secid = 0;
1656 xfrm_state_flush(proto, &audit_info);
1646 c.data.proto = proto; 1657 c.data.proto = proto;
1647 c.seq = hdr->sadb_msg_seq; 1658 c.seq = hdr->sadb_msg_seq;
1648 c.pid = hdr->sadb_msg_pid; 1659 c.pid = hdr->sadb_msg_pid;
@@ -1767,11 +1778,11 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
1767 1778
1768 /* addresses present only in tunnel mode */ 1779 /* addresses present only in tunnel mode */
1769 if (t->mode == XFRM_MODE_TUNNEL) { 1780 if (t->mode == XFRM_MODE_TUNNEL) {
1770 switch (xp->family) { 1781 struct sockaddr *sa;
1782 sa = (struct sockaddr *)(rq+1);
1783 switch(sa->sa_family) {
1771 case AF_INET: 1784 case AF_INET:
1772 sin = (void*)(rq+1); 1785 sin = (struct sockaddr_in*)sa;
1773 if (sin->sin_family != AF_INET)
1774 return -EINVAL;
1775 t->saddr.a4 = sin->sin_addr.s_addr; 1786 t->saddr.a4 = sin->sin_addr.s_addr;
1776 sin++; 1787 sin++;
1777 if (sin->sin_family != AF_INET) 1788 if (sin->sin_family != AF_INET)
@@ -1780,9 +1791,7 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
1780 break; 1791 break;
1781#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 1792#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
1782 case AF_INET6: 1793 case AF_INET6:
1783 sin6 = (void *)(rq+1); 1794 sin6 = (struct sockaddr_in6*)sa;
1784 if (sin6->sin6_family != AF_INET6)
1785 return -EINVAL;
1786 memcpy(t->saddr.a6, &sin6->sin6_addr, sizeof(struct in6_addr)); 1795 memcpy(t->saddr.a6, &sin6->sin6_addr, sizeof(struct in6_addr));
1787 sin6++; 1796 sin6++;
1788 if (sin6->sin6_family != AF_INET6) 1797 if (sin6->sin6_family != AF_INET6)
@@ -1793,7 +1802,10 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
1793 default: 1802 default:
1794 return -EINVAL; 1803 return -EINVAL;
1795 } 1804 }
1796 } 1805 t->encap_family = sa->sa_family;
1806 } else
1807 t->encap_family = xp->family;
1808
1797 /* No way to set this via kame pfkey */ 1809 /* No way to set this via kame pfkey */
1798 t->aalgos = t->ealgos = t->calgos = ~0; 1810 t->aalgos = t->ealgos = t->calgos = ~0;
1799 xp->xfrm_nr++; 1811 xp->xfrm_nr++;
@@ -1830,18 +1842,25 @@ static inline int pfkey_xfrm_policy2sec_ctx_size(struct xfrm_policy *xp)
1830 1842
1831static int pfkey_xfrm_policy2msg_size(struct xfrm_policy *xp) 1843static int pfkey_xfrm_policy2msg_size(struct xfrm_policy *xp)
1832{ 1844{
1845 struct xfrm_tmpl *t;
1833 int sockaddr_size = pfkey_sockaddr_size(xp->family); 1846 int sockaddr_size = pfkey_sockaddr_size(xp->family);
1834 int socklen = (xp->family == AF_INET ? 1847 int socklen = 0;
1835 sizeof(struct sockaddr_in) : 1848 int i;
1836 sizeof(struct sockaddr_in6)); 1849
1850 for (i=0; i<xp->xfrm_nr; i++) {
1851 t = xp->xfrm_vec + i;
1852 socklen += (t->encap_family == AF_INET ?
1853 sizeof(struct sockaddr_in) :
1854 sizeof(struct sockaddr_in6));
1855 }
1837 1856
1838 return sizeof(struct sadb_msg) + 1857 return sizeof(struct sadb_msg) +
1839 (sizeof(struct sadb_lifetime) * 3) + 1858 (sizeof(struct sadb_lifetime) * 3) +
1840 (sizeof(struct sadb_address) * 2) + 1859 (sizeof(struct sadb_address) * 2) +
1841 (sockaddr_size * 2) + 1860 (sockaddr_size * 2) +
1842 sizeof(struct sadb_x_policy) + 1861 sizeof(struct sadb_x_policy) +
1843 (xp->xfrm_nr * (sizeof(struct sadb_x_ipsecrequest) + 1862 (xp->xfrm_nr * sizeof(struct sadb_x_ipsecrequest)) +
1844 (socklen * 2))) + 1863 (socklen * 2) +
1845 pfkey_xfrm_policy2sec_ctx_size(xp); 1864 pfkey_xfrm_policy2sec_ctx_size(xp);
1846} 1865}
1847 1866
@@ -1999,7 +2018,9 @@ static void pfkey_xfrm_policy2msg(struct sk_buff *skb, struct xfrm_policy *xp, i
1999 2018
2000 req_size = sizeof(struct sadb_x_ipsecrequest); 2019 req_size = sizeof(struct sadb_x_ipsecrequest);
2001 if (t->mode == XFRM_MODE_TUNNEL) 2020 if (t->mode == XFRM_MODE_TUNNEL)
2002 req_size += 2*socklen; 2021 req_size += ((t->encap_family == AF_INET ?
2022 sizeof(struct sockaddr_in) :
2023 sizeof(struct sockaddr_in6)) * 2);
2003 else 2024 else
2004 size -= 2*socklen; 2025 size -= 2*socklen;
2005 rq = (void*)skb_put(skb, req_size); 2026 rq = (void*)skb_put(skb, req_size);
@@ -2015,7 +2036,7 @@ static void pfkey_xfrm_policy2msg(struct sk_buff *skb, struct xfrm_policy *xp, i
2015 rq->sadb_x_ipsecrequest_level = IPSEC_LEVEL_USE; 2036 rq->sadb_x_ipsecrequest_level = IPSEC_LEVEL_USE;
2016 rq->sadb_x_ipsecrequest_reqid = t->reqid; 2037 rq->sadb_x_ipsecrequest_reqid = t->reqid;
2017 if (t->mode == XFRM_MODE_TUNNEL) { 2038 if (t->mode == XFRM_MODE_TUNNEL) {
2018 switch (xp->family) { 2039 switch (t->encap_family) {
2019 case AF_INET: 2040 case AF_INET:
2020 sin = (void*)(rq+1); 2041 sin = (void*)(rq+1);
2021 sin->sin_family = AF_INET; 2042 sin->sin_family = AF_INET;
@@ -2195,6 +2216,9 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
2195 err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, 2216 err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp,
2196 hdr->sadb_msg_type != SADB_X_SPDUPDATE); 2217 hdr->sadb_msg_type != SADB_X_SPDUPDATE);
2197 2218
2219 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
2220 AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
2221
2198 if (err) 2222 if (err)
2199 goto out; 2223 goto out;
2200 2224
@@ -2272,6 +2296,10 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
2272 xp = xfrm_policy_bysel_ctx(XFRM_POLICY_TYPE_MAIN, pol->sadb_x_policy_dir-1, 2296 xp = xfrm_policy_bysel_ctx(XFRM_POLICY_TYPE_MAIN, pol->sadb_x_policy_dir-1,
2273 &sel, tmp.security, 1); 2297 &sel, tmp.security, 1);
2274 security_xfrm_policy_free(&tmp); 2298 security_xfrm_policy_free(&tmp);
2299
2300 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
2301 AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
2302
2275 if (xp == NULL) 2303 if (xp == NULL)
2276 return -ENOENT; 2304 return -ENOENT;
2277 2305
@@ -2406,8 +2434,11 @@ static int key_notify_policy_flush(struct km_event *c)
2406static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs) 2434static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
2407{ 2435{
2408 struct km_event c; 2436 struct km_event c;
2437 struct xfrm_audit audit_info;
2409 2438
2410 xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN); 2439 audit_info.loginuid = audit_get_loginuid(current->audit_context);
2440 audit_info.secid = 0;
2441 xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info);
2411 c.data.type = XFRM_POLICY_TYPE_MAIN; 2442 c.data.type = XFRM_POLICY_TYPE_MAIN;
2412 c.event = XFRM_MSG_FLUSHPOLICY; 2443 c.event = XFRM_MSG_FLUSHPOLICY;
2413 c.pid = hdr->sadb_msg_pid; 2444 c.pid = hdr->sadb_msg_pid;
@@ -2938,7 +2969,7 @@ out:
2938 return NULL; 2969 return NULL;
2939} 2970}
2940 2971
2941static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport) 2972static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
2942{ 2973{
2943 struct sk_buff *skb; 2974 struct sk_buff *skb;
2944 struct sadb_msg *hdr; 2975 struct sadb_msg *hdr;