author | Joy Latten <latten@austin.ibm.com> | 2007-09-17 14:51:22 -0400 |
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-10 19:49:02 -0400 |
commit | ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce (patch) | |
tree | bf3915a618b29f507d882e9c665ed9d07e7c0765 /net/xfrm/xfrm_state.c | |
parent | d2e9117c7aa9544d910634e17e3519fd67155229 (diff) |
[XFRM]: xfrm audit calls
This patch modifies the current ipsec audit layer
by breaking it up into purpose driven audit calls.
So far, the only audit calls made are when add/delete
an SA/policy. It had been discussed to give each
key manager its own calls to do this, but I found
there to be much redundancy since they did the exact
same things, except for how they got auid and sid, so I
combined them. The below audit calls can be made by any
key manager. Hopefully, this is ok.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_state.c')
-rw-r--r-- | net/xfrm/xfrm_state.c | 89 |
1 files changed, 77 insertions, 12 deletions
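diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index d4356e6f7f9b..15734adc9367 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -19,7 +19,6 @@
 #include <linux/ipsec.h>
 #include <linux/module.h>
 #include <linux/cache.h>
-#include <linux/audit.h>
 #include <asm/uaccess.h>
 
 #include "xfrm_hash.h"
@@ -301,8 +300,8 @@ expired:
 if (!err && x->id.spi)
 km_state_expired(x, 1, 0);
 
-xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+xfrm_audit_state_delete(x, err ? 0 : 1,
+audit_get_loginuid(current->audit_context), 0);
 
 out:
 spin_unlock(&x->lock);
@@ -403,11 +402,9 @@ xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
 if (xfrm_id_proto_match(x->id.proto, proto) &&
 (err = security_xfrm_state_delete(x)) != 0) {
-xfrm_audit_log(audit_info->loginuid,
-audit_info->secid,
-AUDIT_MAC_IPSEC_DELSA,
-0, NULL, x);
-
+xfrm_audit_state_delete(x, 0,
+audit_info->loginuid,
+audit_info->secid);
 return err;
 }
 }
@@ -443,10 +440,9 @@ restart:
 spin_unlock_bh(&xfrm_state_lock);
 
 err = xfrm_state_delete(x);
-xfrm_audit_log(audit_info->loginuid,
-audit_info->secid,
-AUDIT_MAC_IPSEC_DELSA,
-err ? 0 : 1, NULL, x);
+xfrm_audit_state_delete(x, err ? 0 : 1,
+audit_info->loginuid,
+audit_info->secid);
 xfrm_state_put(x);
 
 spin_lock_bh(&xfrm_state_lock);
@@ -1821,3 +1817,72 @@ void __init xfrm_state_init(void)
 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
 }
 
+#ifdef CONFIG_AUDITSYSCALL
+static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x,
+struct audit_buffer *audit_buf)
+{
+if (x->security)
+audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
+x->security->ctx_alg, x->security->ctx_doi,
+x->security->ctx_str);
+
+switch(x->props.family) {
+case AF_INET:
+audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
+NIPQUAD(x->props.saddr.a4),
+NIPQUAD(x->id.daddr.a4));
+break;
+case AF_INET6:
+{
+struct in6_addr saddr6, daddr6;
+
+memcpy(&saddr6, x->props.saddr.a6,
+sizeof(struct in6_addr));
+memcpy(&daddr6, x->id.daddr.a6,
+sizeof(struct in6_addr));
+audit_log_format(audit_buf,
+" src=" NIP6_FMT " dst=" NIP6_FMT,
+NIP6(saddr6), NIP6(daddr6));
+}
+break;
+}
+}
+
+void
+xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid)
+{
+struct audit_buffer *audit_buf;
+extern int audit_enabled;
+
+if (audit_enabled == 0)
+return;
+audit_buf = xfrm_audit_start(sid, auid);
+if (audit_buf == NULL)
+return;
+audit_log_format(audit_buf, " op=SAD-add res=%u",result);
+xfrm_audit_common_stateinfo(x, audit_buf);
+audit_log_format(audit_buf, " spi=%lu(0x%lx)",
+(unsigned long)x->id.spi, (unsigned long)x->id.spi);
+audit_log_end(audit_buf);
+}
+EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
+
+void
+xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid)
+{
+struct audit_buffer *audit_buf;
+extern int audit_enabled;
+
+if (audit_enabled == 0)
+return;
+audit_buf = xfrm_audit_start(sid, auid);
+if (audit_buf == NULL)
+return;
+audit_log_format(audit_buf, " op=SAD-delete res=%u",result);
+xfrm_audit_common_stateinfo(x, audit_buf);
+audit_log_format(audit_buf, " spi=%lu(0x%lx)",
+(unsigned long)x->id.spi, (unsigned long)x->id.spi);
+audit_log_end(audit_buf);
+}
+EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
+#endif /* CONFIG_AUDITSYSCALL */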
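Review bot: The `spi=%lu(0x%lx)` lines in xfrm_audit_state_add and xfrm_audit_state_delete format `x->id.spi` through a bare cast, but the SPI is stored in network byte order in struct xfrm_id (presumably `__be32`; confirm against the header), so on little-endian hosts the audit record carries a byte-swapped value that will not match the SPI an operator sees from the key manager or in a packet capture; converting first, `u32 spi = ntohl(x->id.spi);` followed by `audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);`, keeps the record usable for correlation. The two functions are otherwise identical apart from the op string, so one static helper taking the op name would remove the duplicated body, and the function-local `extern int audit_enabled;` declarations belong in a header rather than being repeated per function. In xfrm_audit_common_stateinfo, `sec_obj=%s` writes `x->security->ctx_str`, a string supplied by the key manager, into a space-delimited audit record; unless the LSM guarantees it contains no whitespace or quotes, `audit_log_untrustedstring()` is the safer way to emit it. The first hunk also drops `#include <linux/audit.h>` while this hunk adds new callers of audit_log_format and audit_log_end, so the file now relies on receiving that header transitively; keeping the include explicit avoids a later build break.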