diff options
| author | Joy Latten <latten@austin.ibm.com> | 2007-09-17 14:51:22 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-10 19:49:02 -0400 |
| commit | ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce (patch) | |
| tree | bf3915a618b29f507d882e9c665ed9d07e7c0765 /net/xfrm/xfrm_policy.c | |
| parent | d2e9117c7aa9544d910634e17e3519fd67155229 (diff) | |
[XFRM]: xfrm audit calls
This patch modifies the current ipsec audit layer
by breaking it up into purpose driven audit calls.
So far, the only audit calls made are when add/delete
an SA/policy. It had been discussed to give each
key manager it's own calls to do this, but I found
there to be much redundnacy since they did the exact
same things, except for how they got auid and sid, so I
combined them. The below audit calls can be made by any
key manager. Hopefully, this is ok.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_policy.c')
| -rw-r--r-- | net/xfrm/xfrm_policy.c | 210 |
1 files changed, 77 insertions, 133 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 6ab81b1d215e..36dd31c40f4a 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
| @@ -23,7 +23,6 @@ | |||
| 23 | #include <linux/netfilter.h> | 23 | #include <linux/netfilter.h> |
| 24 | #include <linux/module.h> | 24 | #include <linux/module.h> |
| 25 | #include <linux/cache.h> | 25 | #include <linux/cache.h> |
| 26 | #include <linux/audit.h> | ||
| 27 | #include <net/xfrm.h> | 26 | #include <net/xfrm.h> |
| 28 | #include <net/ip.h> | 27 | #include <net/ip.h> |
| 29 | 28 | ||
| @@ -850,10 +849,9 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) | |||
| 850 | continue; | 849 | continue; |
| 851 | err = security_xfrm_policy_delete(pol); | 850 | err = security_xfrm_policy_delete(pol); |
| 852 | if (err) { | 851 | if (err) { |
| 853 | xfrm_audit_log(audit_info->loginuid, | 852 | xfrm_audit_policy_delete(pol, 0, |
| 854 | audit_info->secid, | 853 | audit_info->loginuid, |
| 855 | AUDIT_MAC_IPSEC_DELSPD, 0, | 854 | audit_info->secid); |
| 856 | pol, NULL); | ||
| 857 | return err; | 855 | return err; |
| 858 | } | 856 | } |
| 859 | } | 857 | } |
| @@ -865,10 +863,9 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) | |||
| 865 | continue; | 863 | continue; |
| 866 | err = security_xfrm_policy_delete(pol); | 864 | err = security_xfrm_policy_delete(pol); |
| 867 | if (err) { | 865 | if (err) { |
| 868 | xfrm_audit_log(audit_info->loginuid, | 866 | xfrm_audit_policy_delete(pol, 0, |
| 869 | audit_info->secid, | 867 | audit_info->loginuid, |
| 870 | AUDIT_MAC_IPSEC_DELSPD, | 868 | audit_info->secid); |
| 871 | 0, pol, NULL); | ||
| 872 | return err; | 869 | return err; |
| 873 | } | 870 | } |
| 874 | } | 871 | } |
| @@ -909,8 +906,8 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) | |||
| 909 | hlist_del(&pol->byidx); | 906 | hlist_del(&pol->byidx); |
| 910 | write_unlock_bh(&xfrm_policy_lock); | 907 | write_unlock_bh(&xfrm_policy_lock); |
| 911 | 908 | ||
| 912 | xfrm_audit_log(audit_info->loginuid, audit_info->secid, | 909 | xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, |
| 913 | AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL); | 910 | audit_info->secid); |
| 914 | 911 | ||
| 915 | xfrm_policy_kill(pol); | 912 | xfrm_policy_kill(pol); |
| 916 | killed++; | 913 | killed++; |
| @@ -930,11 +927,9 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) | |||
| 930 | hlist_del(&pol->byidx); | 927 | hlist_del(&pol->byidx); |
| 931 | write_unlock_bh(&xfrm_policy_lock); | 928 | write_unlock_bh(&xfrm_policy_lock); |
| 932 | 929 | ||
| 933 | xfrm_audit_log(audit_info->loginuid, | 930 | xfrm_audit_policy_delete(pol, 1, |
| 934 | audit_info->secid, | 931 | audit_info->loginuid, |
| 935 | AUDIT_MAC_IPSEC_DELSPD, 1, | 932 | audit_info->secid); |
| 936 | pol, NULL); | ||
| 937 | |||
| 938 | xfrm_policy_kill(pol); | 933 | xfrm_policy_kill(pol); |
| 939 | killed++; | 934 | killed++; |
| 940 | 935 | ||
| @@ -2150,123 +2145,6 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first, | |||
| 2150 | 2145 | ||
| 2151 | EXPORT_SYMBOL(xfrm_bundle_ok); | 2146 | EXPORT_SYMBOL(xfrm_bundle_ok); |
| 2152 | 2147 | ||
| 2153 | #ifdef CONFIG_AUDITSYSCALL | ||
| 2154 | /* Audit addition and deletion of SAs and ipsec policy */ | ||
| 2155 | |||
| 2156 | void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, | ||
| 2157 | struct xfrm_policy *xp, struct xfrm_state *x) | ||
| 2158 | { | ||
| 2159 | |||
| 2160 | char *secctx; | ||
| 2161 | u32 secctx_len; | ||
| 2162 | struct xfrm_sec_ctx *sctx = NULL; | ||
| 2163 | struct audit_buffer *audit_buf; | ||
| 2164 | int family; | ||
| 2165 | extern int audit_enabled; | ||
| 2166 | |||
| 2167 | if (audit_enabled == 0) | ||
| 2168 | return; | ||
| 2169 | |||
| 2170 | BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA || | ||
| 2171 | type == AUDIT_MAC_IPSEC_DELSA) && !x); | ||
| 2172 | BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD || | ||
| 2173 | type == AUDIT_MAC_IPSEC_DELSPD) && !xp); | ||
| 2174 | |||
| 2175 | audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); | ||
| 2176 | if (audit_buf == NULL) | ||
| 2177 | return; | ||
| 2178 | |||
| 2179 | switch(type) { | ||
| 2180 | case AUDIT_MAC_IPSEC_ADDSA: | ||
| 2181 | audit_log_format(audit_buf, "SAD add: auid=%u", auid); | ||
| 2182 | break; | ||
| 2183 | case AUDIT_MAC_IPSEC_DELSA: | ||
| 2184 | audit_log_format(audit_buf, "SAD delete: auid=%u", auid); | ||
| 2185 | break; | ||
| 2186 | case AUDIT_MAC_IPSEC_ADDSPD: | ||
| 2187 | audit_log_format(audit_buf, "SPD add: auid=%u", auid); | ||
| 2188 | break; | ||
| 2189 | case AUDIT_MAC_IPSEC_DELSPD: | ||
| 2190 | audit_log_format(audit_buf, "SPD delete: auid=%u", auid); | ||
| 2191 | break; | ||
| 2192 | default: | ||
| 2193 | return; | ||
| 2194 | } | ||
| 2195 | |||
| 2196 | if (sid != 0 && | ||
| 2197 | security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) { | ||
| 2198 | audit_log_format(audit_buf, " subj=%s", secctx); | ||
| 2199 | security_release_secctx(secctx, secctx_len); | ||
| 2200 | } else | ||
| 2201 | audit_log_task_context(audit_buf); | ||
| 2202 | |||
| 2203 | if (xp) { | ||
| 2204 | family = xp->selector.family; | ||
| 2205 | if (xp->security) | ||
| 2206 | sctx = xp->security; | ||
| 2207 | } else { | ||
| 2208 | family = x->props.family; | ||
| 2209 | if (x->security) | ||
| 2210 | sctx = x->security; | ||
| 2211 | } | ||
| 2212 | |||
| 2213 | if (sctx) | ||
| 2214 | audit_log_format(audit_buf, | ||
| 2215 | " sec_alg=%u sec_doi=%u sec_obj=%s", | ||
| 2216 | sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str); | ||
| 2217 | |||
| 2218 | switch(family) { | ||
| 2219 | case AF_INET: | ||
| 2220 | { | ||
| 2221 | struct in_addr saddr, daddr; | ||
| 2222 | if (xp) { | ||
| 2223 | saddr.s_addr = xp->selector.saddr.a4; | ||
| 2224 | daddr.s_addr = xp->selector.daddr.a4; | ||
| 2225 | } else { | ||
| 2226 | saddr.s_addr = x->props.saddr.a4; | ||
| 2227 | daddr.s_addr = x->id.daddr.a4; | ||
| 2228 | } | ||
| 2229 | audit_log_format(audit_buf, | ||
| 2230 | " src=%u.%u.%u.%u dst=%u.%u.%u.%u", | ||
| 2231 | NIPQUAD(saddr), NIPQUAD(daddr)); | ||
| 2232 | } | ||
| 2233 | break; | ||
| 2234 | case AF_INET6: | ||
| 2235 | { | ||
| 2236 | struct in6_addr saddr6, daddr6; | ||
| 2237 | if (xp) { | ||
| 2238 | memcpy(&saddr6, xp->selector.saddr.a6, | ||
| 2239 | sizeof(struct in6_addr)); | ||
| 2240 | memcpy(&daddr6, xp->selector.daddr.a6, | ||
| 2241 | sizeof(struct in6_addr)); | ||
| 2242 | } else { | ||
| 2243 | memcpy(&saddr6, x->props.saddr.a6, | ||
| 2244 | sizeof(struct in6_addr)); | ||
| 2245 | memcpy(&daddr6, x->id.daddr.a6, | ||
| 2246 | sizeof(struct in6_addr)); | ||
| 2247 | } | ||
| 2248 | audit_log_format(audit_buf, | ||
| 2249 | " src=" NIP6_FMT " dst=" NIP6_FMT, | ||
| 2250 | NIP6(saddr6), NIP6(daddr6)); | ||
| 2251 | } | ||
| 2252 | break; | ||
| 2253 | } | ||
| 2254 | |||
| 2255 | if (x) | ||
| 2256 | audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s", | ||
| 2257 | (unsigned long)ntohl(x->id.spi), | ||
| 2258 | (unsigned long)ntohl(x->id.spi), | ||
| 2259 | x->id.proto == IPPROTO_AH ? "AH" : | ||
| 2260 | (x->id.proto == IPPROTO_ESP ? | ||
| 2261 | "ESP" : "IPCOMP")); | ||
| 2262 | |||
| 2263 | audit_log_format(audit_buf, " res=%u", result); | ||
| 2264 | audit_log_end(audit_buf); | ||
| 2265 | } | ||
| 2266 | |||
| 2267 | EXPORT_SYMBOL(xfrm_audit_log); | ||
| 2268 | #endif /* CONFIG_AUDITSYSCALL */ | ||
| 2269 | |||
| 2270 | int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) | 2148 | int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) |
| 2271 | { | 2149 | { |
| 2272 | int err = 0; | 2150 | int err = 0; |
| @@ -2412,6 +2290,72 @@ void __init xfrm_init(void) | |||
| 2412 | xfrm_input_init(); | 2290 | xfrm_input_init(); |
| 2413 | } | 2291 | } |
| 2414 | 2292 | ||
| 2293 | #ifdef CONFIG_AUDITSYSCALL | ||
| 2294 | static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, | ||
| 2295 | struct audit_buffer *audit_buf) | ||
| 2296 | { | ||
| 2297 | if (xp->security) | ||
| 2298 | audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", | ||
| 2299 | xp->security->ctx_alg, xp->security->ctx_doi, | ||
| 2300 | xp->security->ctx_str); | ||
| 2301 | |||
| 2302 | switch(xp->selector.family) { | ||
| 2303 | case AF_INET: | ||
| 2304 | audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u", | ||
| 2305 | NIPQUAD(xp->selector.saddr.a4), | ||
| 2306 | NIPQUAD(xp->selector.daddr.a4)); | ||
| 2307 | break; | ||
| 2308 | case AF_INET6: | ||
| 2309 | { | ||
| 2310 | struct in6_addr saddr6, daddr6; | ||
| 2311 | |||
| 2312 | memcpy(&saddr6, xp->selector.saddr.a6, | ||
| 2313 | sizeof(struct in6_addr)); | ||
| 2314 | memcpy(&daddr6, xp->selector.daddr.a6, | ||
| 2315 | sizeof(struct in6_addr)); | ||
| 2316 | audit_log_format(audit_buf, | ||
| 2317 | " src=" NIP6_FMT " dst=" NIP6_FMT, | ||
| 2318 | NIP6(saddr6), NIP6(daddr6)); | ||
| 2319 | } | ||
| 2320 | break; | ||
| 2321 | } | ||
| 2322 | } | ||
| 2323 | |||
| 2324 | void | ||
| 2325 | xfrm_audit_policy_add(struct xfrm_policy *xp, int result, u32 auid, u32 sid) | ||
| 2326 | { | ||
| 2327 | struct audit_buffer *audit_buf; | ||
| 2328 | extern int audit_enabled; | ||
| 2329 | |||
| 2330 | if (audit_enabled == 0) | ||
| 2331 | return; | ||
| 2332 | audit_buf = xfrm_audit_start(sid, auid); | ||
| 2333 | if (audit_buf == NULL) | ||
| 2334 | return; | ||
| 2335 | audit_log_format(audit_buf, " op=SPD-add res=%u", result); | ||
| 2336 | xfrm_audit_common_policyinfo(xp, audit_buf); | ||
| 2337 | audit_log_end(audit_buf); | ||
| 2338 | } | ||
| 2339 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); | ||
| 2340 | |||
| 2341 | void | ||
| 2342 | xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, u32 auid, u32 sid) | ||
| 2343 | { | ||
| 2344 | struct audit_buffer *audit_buf; | ||
| 2345 | extern int audit_enabled; | ||
| 2346 | |||
| 2347 | if (audit_enabled == 0) | ||
| 2348 | return; | ||
| 2349 | audit_buf = xfrm_audit_start(sid, auid); | ||
| 2350 | if (audit_buf == NULL) | ||
| 2351 | return; | ||
| 2352 | audit_log_format(audit_buf, " op=SPD-delete res=%u", result); | ||
| 2353 | xfrm_audit_common_policyinfo(xp, audit_buf); | ||
| 2354 | audit_log_end(audit_buf); | ||
| 2355 | } | ||
| 2356 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete); | ||
| 2357 | #endif | ||
| 2358 | |||
| 2415 | #ifdef CONFIG_XFRM_MIGRATE | 2359 | #ifdef CONFIG_XFRM_MIGRATE |
| 2416 | static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp, | 2360 | static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp, |
| 2417 | struct xfrm_selector *sel_tgt) | 2361 | struct xfrm_selector *sel_tgt) |