aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm/xfrm_state.c
diff options
context:
space:
mode:
authorJoy Latten <latten@austin.ibm.com>2007-09-17 14:51:22 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-10-10 19:49:02 -0400
commitab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce (patch)
treebf3915a618b29f507d882e9c665ed9d07e7c0765 /net/xfrm/xfrm_state.c
parentd2e9117c7aa9544d910634e17e3519fd67155229 (diff)
[XFRM]: xfrm audit calls
This patch modifies the current ipsec audit layer by breaking it up into purpose driven audit calls. So far, the only audit calls made are when add/delete an SA/policy. It had been discussed to give each key manager it's own calls to do this, but I found there to be much redundnacy since they did the exact same things, except for how they got auid and sid, so I combined them. The below audit calls can be made by any key manager. Hopefully, this is ok. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_state.c')
-rw-r--r--net/xfrm/xfrm_state.c89
1 files changed, 77 insertions, 12 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index d4356e6f7f9b..15734adc9367 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -19,7 +19,6 @@
19#include <linux/ipsec.h> 19#include <linux/ipsec.h>
20#include <linux/module.h> 20#include <linux/module.h>
21#include <linux/cache.h> 21#include <linux/cache.h>
22#include <linux/audit.h>
23#include <asm/uaccess.h> 22#include <asm/uaccess.h>
24 23
25#include "xfrm_hash.h" 24#include "xfrm_hash.h"
@@ -301,8 +300,8 @@ expired:
301 if (!err && x->id.spi) 300 if (!err && x->id.spi)
302 km_state_expired(x, 1, 0); 301 km_state_expired(x, 1, 0);
303 302
304 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, 303 xfrm_audit_state_delete(x, err ? 0 : 1,
305 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); 304 audit_get_loginuid(current->audit_context), 0);
306 305
307out: 306out:
308 spin_unlock(&x->lock); 307 spin_unlock(&x->lock);
@@ -403,11 +402,9 @@ xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
403 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { 402 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
404 if (xfrm_id_proto_match(x->id.proto, proto) && 403 if (xfrm_id_proto_match(x->id.proto, proto) &&
405 (err = security_xfrm_state_delete(x)) != 0) { 404 (err = security_xfrm_state_delete(x)) != 0) {
406 xfrm_audit_log(audit_info->loginuid, 405 xfrm_audit_state_delete(x, 0,
407 audit_info->secid, 406 audit_info->loginuid,
408 AUDIT_MAC_IPSEC_DELSA, 407 audit_info->secid);
409 0, NULL, x);
410
411 return err; 408 return err;
412 } 409 }
413 } 410 }
@@ -443,10 +440,9 @@ restart:
443 spin_unlock_bh(&xfrm_state_lock); 440 spin_unlock_bh(&xfrm_state_lock);
444 441
445 err = xfrm_state_delete(x); 442 err = xfrm_state_delete(x);
446 xfrm_audit_log(audit_info->loginuid, 443 xfrm_audit_state_delete(x, err ? 0 : 1,
447 audit_info->secid, 444 audit_info->loginuid,
448 AUDIT_MAC_IPSEC_DELSA, 445 audit_info->secid);
449 err ? 0 : 1, NULL, x);
450 xfrm_state_put(x); 446 xfrm_state_put(x);
451 447
452 spin_lock_bh(&xfrm_state_lock); 448 spin_lock_bh(&xfrm_state_lock);
@@ -1821,3 +1817,72 @@ void __init xfrm_state_init(void)
1821 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task); 1817 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
1822} 1818}
1823 1819
1820#ifdef CONFIG_AUDITSYSCALL
1821static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x,
1822 struct audit_buffer *audit_buf)
1823{
1824 if (x->security)
1825 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
1826 x->security->ctx_alg, x->security->ctx_doi,
1827 x->security->ctx_str);
1828
1829 switch(x->props.family) {
1830 case AF_INET:
1831 audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
1832 NIPQUAD(x->props.saddr.a4),
1833 NIPQUAD(x->id.daddr.a4));
1834 break;
1835 case AF_INET6:
1836 {
1837 struct in6_addr saddr6, daddr6;
1838
1839 memcpy(&saddr6, x->props.saddr.a6,
1840 sizeof(struct in6_addr));
1841 memcpy(&daddr6, x->id.daddr.a6,
1842 sizeof(struct in6_addr));
1843 audit_log_format(audit_buf,
1844 " src=" NIP6_FMT " dst=" NIP6_FMT,
1845 NIP6(saddr6), NIP6(daddr6));
1846 }
1847 break;
1848 }
1849}
1850
1851void
1852xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid)
1853{
1854 struct audit_buffer *audit_buf;
1855 extern int audit_enabled;
1856
1857 if (audit_enabled == 0)
1858 return;
1859 audit_buf = xfrm_audit_start(sid, auid);
1860 if (audit_buf == NULL)
1861 return;
1862 audit_log_format(audit_buf, " op=SAD-add res=%u",result);
1863 xfrm_audit_common_stateinfo(x, audit_buf);
1864 audit_log_format(audit_buf, " spi=%lu(0x%lx)",
1865 (unsigned long)x->id.spi, (unsigned long)x->id.spi);
1866 audit_log_end(audit_buf);
1867}
1868EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
1869
1870void
1871xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid)
1872{
1873 struct audit_buffer *audit_buf;
1874 extern int audit_enabled;
1875
1876 if (audit_enabled == 0)
1877 return;
1878 audit_buf = xfrm_audit_start(sid, auid);
1879 if (audit_buf == NULL)
1880 return;
1881 audit_log_format(audit_buf, " op=SAD-delete res=%u",result);
1882 xfrm_audit_common_stateinfo(x, audit_buf);
1883 audit_log_format(audit_buf, " spi=%lu(0x%lx)",
1884 (unsigned long)x->id.spi, (unsigned long)x->id.spi);
1885 audit_log_end(audit_buf);
1886}
1887EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
1888#endif /* CONFIG_AUDITSYSCALL */