audit: Add auditing to ipsec

An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Joy Latten <latten@austin.ibm.com> 2006-11-27 14:11:54 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-12-06 23:14:22 -0500
commit: 161a09e737f0761ca064ee6a907313402f7a54b6 (patch)
tree: 80fdf6dc5de73d810ef0ec811299a5ec3c5ce23e /net/xfrm/xfrm_state.c
parent: 95b99a670df31ca5271f503f378e5cac3aee8f5e (diff)
1 files changed, 15 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index a14c88bf17f0..d5d3a6f1f609 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -20,6 +20,7 @@
 #include <linux/module.h>
 #include <linux/cache.h>
 #include <asm/uaccess.h>
+#include <linux/audit.h>
 #include "xfrm_hash.h"
@@ -238,6 +239,7 @@ static void xfrm_timer_handler(unsigned long data)
        unsigned long now = (unsigned long)xtime.tv_sec;
        long next = LONG_MAX;
        int warn = 0;
+        int err = 0;
        spin_lock(&x->lock);
        if (x->km.state == XFRM_STATE_DEAD)
@@ -295,9 +297,14 @@ expired:
                next = 2;
                goto resched;
        }
-        if (!__xfrm_state_delete(x) && x->id.spi)
+        err = __xfrm_state_delete(x);
+        if (!err && x->id.spi)
                km_state_expired(x, 1, 0);
+        xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+                       AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
 out:
        spin_unlock(&x->lock);
 }
@@ -384,9 +391,10 @@ int xfrm_state_delete(struct xfrm_state *x)
 }
 EXPORT_SYMBOL(xfrm_state_delete);
-void xfrm_state_flush(u8 proto)
+void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
 {
        int i;
+        int err = 0;
        spin_lock_bh(&xfrm_state_lock);
        for (i = 0; i <= xfrm_state_hmask; i++) {
@@ -400,6 +408,11 @@ restart:
                                spin_unlock_bh(&xfrm_state_lock);
                                xfrm_state_delete(x);
+                                err = xfrm_state_delete(x);
+                                xfrm_audit_log(audit_info->loginuid,
+                                               audit_info->secid,
+                                               AUDIT_MAC_IPSEC_DELSA,
+                                               err ? 0 : 1, NULL, x);
                                xfrm_state_put(x);
                                spin_lock_bh(&xfrm_state_lock);
author	Joy Latten <latten@austin.ibm.com>	2006-11-27 14:11:54 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-12-06 23:14:22 -0500
commit	161a09e737f0761ca064ee6a907313402f7a54b6 (patch)
tree	80fdf6dc5de73d810ef0ec811299a5ec3c5ce23e /net/xfrm/xfrm_state.c
parent	95b99a670df31ca5271f503f378e5cac3aee8f5e (diff)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index a14c88bf17f0..d5d3a6f1f609 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c
@@ -20,6 +20,7 @@
20	#include <linux/module.h>	20	#include <linux/module.h>
21	#include <linux/cache.h>	21	#include <linux/cache.h>
22	#include <asm/uaccess.h>	22	#include <asm/uaccess.h>
		23	#include <linux/audit.h>
23		24
24	#include "xfrm_hash.h"	25	#include "xfrm_hash.h"
25		26
@@ -238,6 +239,7 @@ static void xfrm_timer_handler(unsigned long data)
238	unsigned long now = (unsigned long)xtime.tv_sec;	239	unsigned long now = (unsigned long)xtime.tv_sec;
239	long next = LONG_MAX;	240	long next = LONG_MAX;
240	int warn = 0;	241	int warn = 0;
		242	int err = 0;
241		243
242	spin_lock(&x->lock);	244	spin_lock(&x->lock);
243	if (x->km.state == XFRM_STATE_DEAD)	245	if (x->km.state == XFRM_STATE_DEAD)
@@ -295,9 +297,14 @@ expired:
295	next = 2;	297	next = 2;
296	goto resched;	298	goto resched;
297	}	299	}
298	if (!__xfrm_state_delete(x) && x->id.spi)	300
		301	err = __xfrm_state_delete(x);
		302	if (!err && x->id.spi)
299	km_state_expired(x, 1, 0);	303	km_state_expired(x, 1, 0);
300		304
		305	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
		306	AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
		307
301	out:	308	out:
302	spin_unlock(&x->lock);	309	spin_unlock(&x->lock);
303	}	310	}
@@ -384,9 +391,10 @@ int xfrm_state_delete(struct xfrm_state *x)
384	}	391	}
385	EXPORT_SYMBOL(xfrm_state_delete);	392	EXPORT_SYMBOL(xfrm_state_delete);
386		393
387	void xfrm_state_flush(u8 proto)	394	void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
388	{	395	{
389	int i;	396	int i;
		397	int err = 0;
390		398
391	spin_lock_bh(&xfrm_state_lock);	399	spin_lock_bh(&xfrm_state_lock);
392	for (i = 0; i <= xfrm_state_hmask; i++) {	400	for (i = 0; i <= xfrm_state_hmask; i++) {
@@ -400,6 +408,11 @@ restart:
400	spin_unlock_bh(&xfrm_state_lock);	408	spin_unlock_bh(&xfrm_state_lock);
401		409
402	xfrm_state_delete(x);	410	xfrm_state_delete(x);
		411	err = xfrm_state_delete(x);
		412	xfrm_audit_log(audit_info->loginuid,
		413	audit_info->secid,
		414	AUDIT_MAC_IPSEC_DELSA,
		415	err ? 0 : 1, NULL, x);
403	xfrm_state_put(x);	416	xfrm_state_put(x);
404		417
405	spin_lock_bh(&xfrm_state_lock);	418	spin_lock_bh(&xfrm_state_lock);