diff options
author | Joy Latten <latten@austin.ibm.com> | 2006-11-27 14:11:54 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-06 23:14:22 -0500 |
commit | 161a09e737f0761ca064ee6a907313402f7a54b6 (patch) | |
tree | 80fdf6dc5de73d810ef0ec811299a5ec3c5ce23e /net/key | |
parent | 95b99a670df31ca5271f503f378e5cac3aee8f5e (diff) |
audit: Add auditing to ipsec
An audit message occurs when an ipsec SA
or ipsec policy is created/deleted.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/key')
-rw-r--r-- | net/key/af_key.c | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index 0e1dbfbb9b10..5dd5094659a1 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c | |||
@@ -27,6 +27,7 @@ | |||
27 | #include <linux/proc_fs.h> | 27 | #include <linux/proc_fs.h> |
28 | #include <linux/init.h> | 28 | #include <linux/init.h> |
29 | #include <net/xfrm.h> | 29 | #include <net/xfrm.h> |
30 | #include <linux/audit.h> | ||
30 | 31 | ||
31 | #include <net/sock.h> | 32 | #include <net/sock.h> |
32 | 33 | ||
@@ -1420,6 +1421,9 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, | |||
1420 | else | 1421 | else |
1421 | err = xfrm_state_update(x); | 1422 | err = xfrm_state_update(x); |
1422 | 1423 | ||
1424 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | ||
1425 | AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); | ||
1426 | |||
1423 | if (err < 0) { | 1427 | if (err < 0) { |
1424 | x->km.state = XFRM_STATE_DEAD; | 1428 | x->km.state = XFRM_STATE_DEAD; |
1425 | __xfrm_state_put(x); | 1429 | __xfrm_state_put(x); |
@@ -1460,8 +1464,12 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
1460 | err = -EPERM; | 1464 | err = -EPERM; |
1461 | goto out; | 1465 | goto out; |
1462 | } | 1466 | } |
1463 | 1467 | ||
1464 | err = xfrm_state_delete(x); | 1468 | err = xfrm_state_delete(x); |
1469 | |||
1470 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | ||
1471 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | ||
1472 | |||
1465 | if (err < 0) | 1473 | if (err < 0) |
1466 | goto out; | 1474 | goto out; |
1467 | 1475 | ||
@@ -1637,12 +1645,15 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd | |||
1637 | { | 1645 | { |
1638 | unsigned proto; | 1646 | unsigned proto; |
1639 | struct km_event c; | 1647 | struct km_event c; |
1648 | struct xfrm_audit audit_info; | ||
1640 | 1649 | ||
1641 | proto = pfkey_satype2proto(hdr->sadb_msg_satype); | 1650 | proto = pfkey_satype2proto(hdr->sadb_msg_satype); |
1642 | if (proto == 0) | 1651 | if (proto == 0) |
1643 | return -EINVAL; | 1652 | return -EINVAL; |
1644 | 1653 | ||
1645 | xfrm_state_flush(proto); | 1654 | audit_info.loginuid = audit_get_loginuid(current->audit_context); |
1655 | audit_info.secid = 0; | ||
1656 | xfrm_state_flush(proto, &audit_info); | ||
1646 | c.data.proto = proto; | 1657 | c.data.proto = proto; |
1647 | c.seq = hdr->sadb_msg_seq; | 1658 | c.seq = hdr->sadb_msg_seq; |
1648 | c.pid = hdr->sadb_msg_pid; | 1659 | c.pid = hdr->sadb_msg_pid; |
@@ -2205,6 +2216,9 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
2205 | err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, | 2216 | err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, |
2206 | hdr->sadb_msg_type != SADB_X_SPDUPDATE); | 2217 | hdr->sadb_msg_type != SADB_X_SPDUPDATE); |
2207 | 2218 | ||
2219 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | ||
2220 | AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL); | ||
2221 | |||
2208 | if (err) | 2222 | if (err) |
2209 | goto out; | 2223 | goto out; |
2210 | 2224 | ||
@@ -2282,6 +2296,10 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg | |||
2282 | xp = xfrm_policy_bysel_ctx(XFRM_POLICY_TYPE_MAIN, pol->sadb_x_policy_dir-1, | 2296 | xp = xfrm_policy_bysel_ctx(XFRM_POLICY_TYPE_MAIN, pol->sadb_x_policy_dir-1, |
2283 | &sel, tmp.security, 1); | 2297 | &sel, tmp.security, 1); |
2284 | security_xfrm_policy_free(&tmp); | 2298 | security_xfrm_policy_free(&tmp); |
2299 | |||
2300 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | ||
2301 | AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL); | ||
2302 | |||
2285 | if (xp == NULL) | 2303 | if (xp == NULL) |
2286 | return -ENOENT; | 2304 | return -ENOENT; |
2287 | 2305 | ||
@@ -2416,8 +2434,11 @@ static int key_notify_policy_flush(struct km_event *c) | |||
2416 | static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs) | 2434 | static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs) |
2417 | { | 2435 | { |
2418 | struct km_event c; | 2436 | struct km_event c; |
2437 | struct xfrm_audit audit_info; | ||
2419 | 2438 | ||
2420 | xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN); | 2439 | audit_info.loginuid = audit_get_loginuid(current->audit_context); |
2440 | audit_info.secid = 0; | ||
2441 | xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info); | ||
2421 | c.data.type = XFRM_POLICY_TYPE_MAIN; | 2442 | c.data.type = XFRM_POLICY_TYPE_MAIN; |
2422 | c.event = XFRM_MSG_FLUSHPOLICY; | 2443 | c.event = XFRM_MSG_FLUSHPOLICY; |
2423 | c.pid = hdr->sadb_msg_pid; | 2444 | c.pid = hdr->sadb_msg_pid; |