diff options
| author | Paul Moore <paul.moore@hp.com> | 2006-09-28 17:51:47 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-28 21:03:09 -0400 |
| commit | 32f50cdee666333168b5203c7864bede159f789e (patch) | |
| tree | c4989cc2521551714f656d60f6b895232ffdeda6 /net/netlabel/netlabel_cipso_v4.c | |
| parent | 8ea333eb5da3e3219f570220c56bca09f6f4d25a (diff) | |
[NetLabel]: add audit support for configuration changes
This patch adds audit support to NetLabel, including six new audit message
types shown below.
#define AUDIT_MAC_UNLBL_ACCEPT 1406
#define AUDIT_MAC_UNLBL_DENY 1407
#define AUDIT_MAC_CIPSOV4_ADD 1408
#define AUDIT_MAC_CIPSOV4_DEL 1409
#define AUDIT_MAC_MAP_ADD 1410
#define AUDIT_MAC_MAP_DEL 1411
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netlabel/netlabel_cipso_v4.c')
| -rw-r--r-- | net/netlabel/netlabel_cipso_v4.c | 43 |
1 files changed, 33 insertions, 10 deletions
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index 4125a55f469f..09986ca962a6 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c | |||
| @@ -32,6 +32,7 @@ | |||
| 32 | #include <linux/socket.h> | 32 | #include <linux/socket.h> |
| 33 | #include <linux/string.h> | 33 | #include <linux/string.h> |
| 34 | #include <linux/skbuff.h> | 34 | #include <linux/skbuff.h> |
| 35 | #include <linux/audit.h> | ||
| 35 | #include <net/sock.h> | 36 | #include <net/sock.h> |
| 36 | #include <net/netlink.h> | 37 | #include <net/netlink.h> |
| 37 | #include <net/genetlink.h> | 38 | #include <net/genetlink.h> |
| @@ -162,8 +163,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info) | |||
| 162 | int nla_a_rem; | 163 | int nla_a_rem; |
| 163 | int nla_b_rem; | 164 | int nla_b_rem; |
| 164 | 165 | ||
| 165 | if (!info->attrs[NLBL_CIPSOV4_A_DOI] || | 166 | if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] || |
| 166 | !info->attrs[NLBL_CIPSOV4_A_TAGLST] || | ||
| 167 | !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST]) | 167 | !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST]) |
| 168 | return -EINVAL; | 168 | return -EINVAL; |
| 169 | 169 | ||
| @@ -344,8 +344,7 @@ static int netlbl_cipsov4_add_pass(struct genl_info *info) | |||
| 344 | int ret_val; | 344 | int ret_val; |
| 345 | struct cipso_v4_doi *doi_def = NULL; | 345 | struct cipso_v4_doi *doi_def = NULL; |
| 346 | 346 | ||
| 347 | if (!info->attrs[NLBL_CIPSOV4_A_DOI] || | 347 | if (!info->attrs[NLBL_CIPSOV4_A_TAGLST]) |
| 348 | !info->attrs[NLBL_CIPSOV4_A_TAGLST]) | ||
| 349 | return -EINVAL; | 348 | return -EINVAL; |
| 350 | 349 | ||
| 351 | doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL); | 350 | doi_def = kmalloc(sizeof(*doi_def), GFP_KERNEL); |
| @@ -381,21 +380,35 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info) | |||
| 381 | 380 | ||
| 382 | { | 381 | { |
| 383 | int ret_val = -EINVAL; | 382 | int ret_val = -EINVAL; |
| 384 | u32 map_type; | 383 | u32 type; |
| 384 | u32 doi; | ||
| 385 | const char *type_str = "(unknown)"; | ||
| 386 | struct audit_buffer *audit_buf; | ||
| 385 | 387 | ||
| 386 | if (!info->attrs[NLBL_CIPSOV4_A_MTYPE]) | 388 | if (!info->attrs[NLBL_CIPSOV4_A_DOI] || |
| 389 | !info->attrs[NLBL_CIPSOV4_A_MTYPE]) | ||
| 387 | return -EINVAL; | 390 | return -EINVAL; |
| 388 | 391 | ||
| 389 | map_type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]); | 392 | type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]); |
| 390 | switch (map_type) { | 393 | switch (type) { |
| 391 | case CIPSO_V4_MAP_STD: | 394 | case CIPSO_V4_MAP_STD: |
| 395 | type_str = "std"; | ||
| 392 | ret_val = netlbl_cipsov4_add_std(info); | 396 | ret_val = netlbl_cipsov4_add_std(info); |
| 393 | break; | 397 | break; |
| 394 | case CIPSO_V4_MAP_PASS: | 398 | case CIPSO_V4_MAP_PASS: |
| 399 | type_str = "pass"; | ||
| 395 | ret_val = netlbl_cipsov4_add_pass(info); | 400 | ret_val = netlbl_cipsov4_add_pass(info); |
| 396 | break; | 401 | break; |
| 397 | } | 402 | } |
| 398 | 403 | ||
| 404 | if (ret_val == 0) { | ||
| 405 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); | ||
| 406 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, | ||
| 407 | NETLINK_CB(skb).sid); | ||
| 408 | audit_log_format(audit_buf, " doi=%u type=%s", doi, type_str); | ||
| 409 | audit_log_end(audit_buf); | ||
| 410 | } | ||
| 411 | |||
| 399 | return ret_val; | 412 | return ret_val; |
| 400 | } | 413 | } |
| 401 | 414 | ||
| @@ -653,11 +666,21 @@ static int netlbl_cipsov4_listall(struct sk_buff *skb, | |||
| 653 | static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) | 666 | static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) |
| 654 | { | 667 | { |
| 655 | int ret_val = -EINVAL; | 668 | int ret_val = -EINVAL; |
| 656 | u32 doi; | 669 | u32 doi = 0; |
| 670 | struct audit_buffer *audit_buf; | ||
| 657 | 671 | ||
| 658 | if (info->attrs[NLBL_CIPSOV4_A_DOI]) { | 672 | if (info->attrs[NLBL_CIPSOV4_A_DOI]) { |
| 659 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); | 673 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); |
| 660 | ret_val = cipso_v4_doi_remove(doi, netlbl_cipsov4_doi_free); | 674 | ret_val = cipso_v4_doi_remove(doi, |
| 675 | NETLINK_CB(skb).sid, | ||
| 676 | netlbl_cipsov4_doi_free); | ||
| 677 | } | ||
| 678 | |||
| 679 | if (ret_val == 0) { | ||
| 680 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, | ||
| 681 | NETLINK_CB(skb).sid); | ||
| 682 | audit_log_format(audit_buf, " doi=%u", doi); | ||
| 683 | audit_log_end(audit_buf); | ||
| 661 | } | 684 | } |
| 662 | 685 | ||
| 663 | return ret_val; | 686 | return ret_val; |