diff options
| author | Joy Latten <latten@austin.ibm.com> | 2006-11-27 14:11:54 -0500 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-06 23:14:22 -0500 |
| commit | 161a09e737f0761ca064ee6a907313402f7a54b6 (patch) | |
| tree | 80fdf6dc5de73d810ef0ec811299a5ec3c5ce23e /net/xfrm/xfrm_user.c | |
| parent | 95b99a670df31ca5271f503f378e5cac3aee8f5e (diff) | |
audit: Add auditing to ipsec
An audit message occurs when an ipsec SA
or ipsec policy is created/deleted.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_user.c')
| -rw-r--r-- | net/xfrm/xfrm_user.c | 33 |
1 files changed, 30 insertions, 3 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 311205ffa775..e5372b11fc8f 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
| @@ -31,6 +31,7 @@ | |||
| 31 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 31 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| 32 | #include <linux/in6.h> | 32 | #include <linux/in6.h> |
| 33 | #endif | 33 | #endif |
| 34 | #include <linux/audit.h> | ||
| 34 | 35 | ||
| 35 | static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) | 36 | static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) |
| 36 | { | 37 | { |
| @@ -454,6 +455,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) | |||
| 454 | else | 455 | else |
| 455 | err = xfrm_state_update(x); | 456 | err = xfrm_state_update(x); |
| 456 | 457 | ||
| 458 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 459 | AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); | ||
| 460 | |||
| 457 | if (err < 0) { | 461 | if (err < 0) { |
| 458 | x->km.state = XFRM_STATE_DEAD; | 462 | x->km.state = XFRM_STATE_DEAD; |
| 459 | __xfrm_state_put(x); | 463 | __xfrm_state_put(x); |
| @@ -523,6 +527,10 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) | |||
| 523 | } | 527 | } |
| 524 | 528 | ||
| 525 | err = xfrm_state_delete(x); | 529 | err = xfrm_state_delete(x); |
| 530 | |||
| 531 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 532 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | ||
| 533 | |||
| 526 | if (err < 0) | 534 | if (err < 0) |
| 527 | goto out; | 535 | goto out; |
| 528 | 536 | ||
| @@ -1030,6 +1038,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr | |||
| 1030 | * a type XFRM_MSG_UPDPOLICY - JHS */ | 1038 | * a type XFRM_MSG_UPDPOLICY - JHS */ |
| 1031 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; | 1039 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; |
| 1032 | err = xfrm_policy_insert(p->dir, xp, excl); | 1040 | err = xfrm_policy_insert(p->dir, xp, excl); |
| 1041 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 1042 | AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); | ||
| 1043 | |||
| 1033 | if (err) { | 1044 | if (err) { |
| 1034 | security_xfrm_policy_free(xp); | 1045 | security_xfrm_policy_free(xp); |
| 1035 | kfree(xp); | 1046 | kfree(xp); |
| @@ -1257,6 +1268,10 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr | |||
| 1257 | xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete); | 1268 | xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete); |
| 1258 | security_xfrm_policy_free(&tmp); | 1269 | security_xfrm_policy_free(&tmp); |
| 1259 | } | 1270 | } |
| 1271 | if (delete) | ||
| 1272 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 1273 | AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL); | ||
| 1274 | |||
| 1260 | if (xp == NULL) | 1275 | if (xp == NULL) |
| 1261 | return -ENOENT; | 1276 | return -ENOENT; |
| 1262 | 1277 | ||
| @@ -1291,8 +1306,11 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma | |||
| 1291 | { | 1306 | { |
| 1292 | struct km_event c; | 1307 | struct km_event c; |
| 1293 | struct xfrm_usersa_flush *p = NLMSG_DATA(nlh); | 1308 | struct xfrm_usersa_flush *p = NLMSG_DATA(nlh); |
| 1309 | struct xfrm_audit audit_info; | ||
| 1294 | 1310 | ||
| 1295 | xfrm_state_flush(p->proto); | 1311 | audit_info.loginuid = NETLINK_CB(skb).loginuid; |
| 1312 | audit_info.secid = NETLINK_CB(skb).sid; | ||
| 1313 | xfrm_state_flush(p->proto, &audit_info); | ||
| 1296 | c.data.proto = p->proto; | 1314 | c.data.proto = p->proto; |
| 1297 | c.event = nlh->nlmsg_type; | 1315 | c.event = nlh->nlmsg_type; |
| 1298 | c.seq = nlh->nlmsg_seq; | 1316 | c.seq = nlh->nlmsg_seq; |
| @@ -1442,12 +1460,15 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **x | |||
| 1442 | struct km_event c; | 1460 | struct km_event c; |
| 1443 | u8 type = XFRM_POLICY_TYPE_MAIN; | 1461 | u8 type = XFRM_POLICY_TYPE_MAIN; |
| 1444 | int err; | 1462 | int err; |
| 1463 | struct xfrm_audit audit_info; | ||
| 1445 | 1464 | ||
| 1446 | err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma); | 1465 | err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma); |
| 1447 | if (err) | 1466 | if (err) |
| 1448 | return err; | 1467 | return err; |
| 1449 | 1468 | ||
| 1450 | xfrm_policy_flush(type); | 1469 | audit_info.loginuid = NETLINK_CB(skb).loginuid; |
| 1470 | audit_info.secid = NETLINK_CB(skb).sid; | ||
| 1471 | xfrm_policy_flush(type, &audit_info); | ||
| 1451 | c.data.type = type; | 1472 | c.data.type = type; |
| 1452 | c.event = nlh->nlmsg_type; | 1473 | c.event = nlh->nlmsg_type; |
| 1453 | c.seq = nlh->nlmsg_seq; | 1474 | c.seq = nlh->nlmsg_seq; |
| @@ -1502,6 +1523,9 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void * | |||
| 1502 | err = 0; | 1523 | err = 0; |
| 1503 | if (up->hard) { | 1524 | if (up->hard) { |
| 1504 | xfrm_policy_delete(xp, p->dir); | 1525 | xfrm_policy_delete(xp, p->dir); |
| 1526 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 1527 | AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); | ||
| 1528 | |||
| 1505 | } else { | 1529 | } else { |
| 1506 | // reset the timers here? | 1530 | // reset the timers here? |
| 1507 | printk("Dont know what to do with soft policy expire\n"); | 1531 | printk("Dont know what to do with soft policy expire\n"); |
| @@ -1533,8 +1557,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void ** | |||
| 1533 | goto out; | 1557 | goto out; |
| 1534 | km_state_expired(x, ue->hard, current->pid); | 1558 | km_state_expired(x, ue->hard, current->pid); |
| 1535 | 1559 | ||
| 1536 | if (ue->hard) | 1560 | if (ue->hard) { |
| 1537 | __xfrm_state_delete(x); | 1561 | __xfrm_state_delete(x); |
| 1562 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 1563 | AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); | ||
| 1564 | } | ||
| 1538 | out: | 1565 | out: |
| 1539 | spin_unlock_bh(&x->lock); | 1566 | spin_unlock_bh(&x->lock); |
| 1540 | xfrm_state_put(x); | 1567 | xfrm_state_put(x); |