aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm/xfrm_policy.c
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2014-05-22 16:00:00 -0400
committerDavid S. Miller <davem@davemloft.net>2014-05-22 16:00:00 -0400
commit65db611a5cc17182b62c0edc4bf31cf272d58304 (patch)
tree51987fafb7ab0946369e0e4b4d713f2887b2d870 /net/xfrm/xfrm_policy.c
parentb3f7a7b48f429e52f3d3dc36d253627c2a73803b (diff)
parentfc68086ce888a10220c7c79a2a3b44cb85d4074c (diff)
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
Steffen Klassert says: ==================== pull request (net-next): ipsec-next 2014-05-22 This is the last ipsec pull request before I leave for a three weeks vacation tomorrow. David, can you please take urgent ipsec patches directly into net/net-next during this time? I'll continue to run the ipsec/ipsec-next trees as soon as I'm back. 1) Simplify the xfrm audit handling, from Tetsuo Handa. 2) Codingstyle cleanup for xfrm_output, from abian Frederick. Please pull or let me know if there are problems. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_policy.c')
-rw-r--r--net/xfrm/xfrm_policy.c46
1 files changed, 14 insertions, 32 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index e63f242ae03e..a8ef5108e0d8 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -769,7 +769,7 @@ EXPORT_SYMBOL(xfrm_policy_byid);
769 769
770#ifdef CONFIG_SECURITY_NETWORK_XFRM 770#ifdef CONFIG_SECURITY_NETWORK_XFRM
771static inline int 771static inline int
772xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info) 772xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
773{ 773{
774 int dir, err = 0; 774 int dir, err = 0;
775 775
@@ -783,10 +783,7 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
783 continue; 783 continue;
784 err = security_xfrm_policy_delete(pol->security); 784 err = security_xfrm_policy_delete(pol->security);
785 if (err) { 785 if (err) {
786 xfrm_audit_policy_delete(pol, 0, 786 xfrm_audit_policy_delete(pol, 0, task_valid);
787 audit_info->loginuid,
788 audit_info->sessionid,
789 audit_info->secid);
790 return err; 787 return err;
791 } 788 }
792 } 789 }
@@ -800,9 +797,7 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
800 pol->security); 797 pol->security);
801 if (err) { 798 if (err) {
802 xfrm_audit_policy_delete(pol, 0, 799 xfrm_audit_policy_delete(pol, 0,
803 audit_info->loginuid, 800 task_valid);
804 audit_info->sessionid,
805 audit_info->secid);
806 return err; 801 return err;
807 } 802 }
808 } 803 }
@@ -812,19 +807,19 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
812} 807}
813#else 808#else
814static inline int 809static inline int
815xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info) 810xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
816{ 811{
817 return 0; 812 return 0;
818} 813}
819#endif 814#endif
820 815
821int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info) 816int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
822{ 817{
823 int dir, err = 0, cnt = 0; 818 int dir, err = 0, cnt = 0;
824 819
825 write_lock_bh(&net->xfrm.xfrm_policy_lock); 820 write_lock_bh(&net->xfrm.xfrm_policy_lock);
826 821
827 err = xfrm_policy_flush_secctx_check(net, type, audit_info); 822 err = xfrm_policy_flush_secctx_check(net, type, task_valid);
828 if (err) 823 if (err)
829 goto out; 824 goto out;
830 825
@@ -841,9 +836,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
841 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 836 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
842 cnt++; 837 cnt++;
843 838
844 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, 839 xfrm_audit_policy_delete(pol, 1, task_valid);
845 audit_info->sessionid,
846 audit_info->secid);
847 840
848 xfrm_policy_kill(pol); 841 xfrm_policy_kill(pol);
849 842
@@ -862,10 +855,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
862 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 855 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
863 cnt++; 856 cnt++;
864 857
865 xfrm_audit_policy_delete(pol, 1, 858 xfrm_audit_policy_delete(pol, 1, task_valid);
866 audit_info->loginuid,
867 audit_info->sessionid,
868 audit_info->secid);
869 xfrm_policy_kill(pol); 859 xfrm_policy_kill(pol);
870 860
871 write_lock_bh(&net->xfrm.xfrm_policy_lock); 861 write_lock_bh(&net->xfrm.xfrm_policy_lock);
@@ -2860,21 +2850,14 @@ out_byidx:
2860 2850
2861static void xfrm_policy_fini(struct net *net) 2851static void xfrm_policy_fini(struct net *net)
2862{ 2852{
2863 struct xfrm_audit audit_info;
2864 unsigned int sz; 2853 unsigned int sz;
2865 int dir; 2854 int dir;
2866 2855
2867 flush_work(&net->xfrm.policy_hash_work); 2856 flush_work(&net->xfrm.policy_hash_work);
2868#ifdef CONFIG_XFRM_SUB_POLICY 2857#ifdef CONFIG_XFRM_SUB_POLICY
2869 audit_info.loginuid = INVALID_UID; 2858 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false);
2870 audit_info.sessionid = (unsigned int)-1;
2871 audit_info.secid = 0;
2872 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
2873#endif 2859#endif
2874 audit_info.loginuid = INVALID_UID; 2860 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
2875 audit_info.sessionid = (unsigned int)-1;
2876 audit_info.secid = 0;
2877 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
2878 2861
2879 WARN_ON(!list_empty(&net->xfrm.policy_all)); 2862 WARN_ON(!list_empty(&net->xfrm.policy_all));
2880 2863
@@ -2989,15 +2972,14 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2989 } 2972 }
2990} 2973}
2991 2974
2992void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 2975void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid)
2993 kuid_t auid, unsigned int sessionid, u32 secid)
2994{ 2976{
2995 struct audit_buffer *audit_buf; 2977 struct audit_buffer *audit_buf;
2996 2978
2997 audit_buf = xfrm_audit_start("SPD-add"); 2979 audit_buf = xfrm_audit_start("SPD-add");
2998 if (audit_buf == NULL) 2980 if (audit_buf == NULL)
2999 return; 2981 return;
3000 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); 2982 xfrm_audit_helper_usrinfo(task_valid, audit_buf);
3001 audit_log_format(audit_buf, " res=%u", result); 2983 audit_log_format(audit_buf, " res=%u", result);
3002 xfrm_audit_common_policyinfo(xp, audit_buf); 2984 xfrm_audit_common_policyinfo(xp, audit_buf);
3003 audit_log_end(audit_buf); 2985 audit_log_end(audit_buf);
@@ -3005,14 +2987,14 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
3005EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); 2987EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
3006 2988
3007void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 2989void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
3008 kuid_t auid, unsigned int sessionid, u32 secid) 2990 bool task_valid)
3009{ 2991{
3010 struct audit_buffer *audit_buf; 2992 struct audit_buffer *audit_buf;
3011 2993
3012 audit_buf = xfrm_audit_start("SPD-delete"); 2994 audit_buf = xfrm_audit_start("SPD-delete");
3013 if (audit_buf == NULL) 2995 if (audit_buf == NULL)
3014 return; 2996 return;
3015 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); 2997 xfrm_audit_helper_usrinfo(task_valid, audit_buf);
3016 audit_log_format(audit_buf, " res=%u", result); 2998 audit_log_format(audit_buf, " res=%u", result);
3017 xfrm_audit_common_policyinfo(xp, audit_buf); 2999 xfrm_audit_common_policyinfo(xp, audit_buf);
3018 audit_log_end(audit_buf); 3000 audit_log_end(audit_buf);
generated by cgit v1.2.2 (git 2.25.0) at 2024-10-15 02:20:54 -0400