diff options
| author | Eric Paris <eparis@redhat.com> | 2008-04-18 10:09:25 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2008-04-28 06:18:03 -0400 |
| commit | 2532386f480eefbdd67b48be55fb4fb3e5a6081c (patch) | |
| tree | dd6a5a3c4116a67380a1336319c16632f04f80f9 /net/xfrm/xfrm_user.c | |
| parent | 436c405c7d19455a71f42c9bec5fd5e028f1eb4e (diff) | |
Audit: collect sessionid in netlink messages
Previously I added sessionid output to all audit messages where it was
available but we still didn't know the sessionid of the sender of
netlink messages. This patch adds that information to netlink messages
so we can audit who sent netlink messages.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'net/xfrm/xfrm_user.c')
| -rw-r--r-- | net/xfrm/xfrm_user.c | 41 |
1 files changed, 28 insertions, 13 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 22a30ae582a2..a1b0fbe3ea35 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
| @@ -407,6 +407,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 407 | struct xfrm_state *x; | 407 | struct xfrm_state *x; |
| 408 | int err; | 408 | int err; |
| 409 | struct km_event c; | 409 | struct km_event c; |
| 410 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
| 411 | u32 sessionid = NETLINK_CB(skb).sessionid; | ||
| 412 | u32 sid = NETLINK_CB(skb).sid; | ||
| 410 | 413 | ||
| 411 | err = verify_newsa_info(p, attrs); | 414 | err = verify_newsa_info(p, attrs); |
| 412 | if (err) | 415 | if (err) |
| @@ -422,8 +425,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 422 | else | 425 | else |
| 423 | err = xfrm_state_update(x); | 426 | err = xfrm_state_update(x); |
| 424 | 427 | ||
| 425 | xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, | 428 | xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid); |
| 426 | NETLINK_CB(skb).sid); | ||
| 427 | 429 | ||
| 428 | if (err < 0) { | 430 | if (err < 0) { |
| 429 | x->km.state = XFRM_STATE_DEAD; | 431 | x->km.state = XFRM_STATE_DEAD; |
| @@ -478,6 +480,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 478 | int err = -ESRCH; | 480 | int err = -ESRCH; |
| 479 | struct km_event c; | 481 | struct km_event c; |
| 480 | struct xfrm_usersa_id *p = nlmsg_data(nlh); | 482 | struct xfrm_usersa_id *p = nlmsg_data(nlh); |
| 483 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
| 484 | u32 sessionid = NETLINK_CB(skb).sessionid; | ||
| 485 | u32 sid = NETLINK_CB(skb).sid; | ||
| 481 | 486 | ||
| 482 | x = xfrm_user_state_lookup(p, attrs, &err); | 487 | x = xfrm_user_state_lookup(p, attrs, &err); |
| 483 | if (x == NULL) | 488 | if (x == NULL) |
| @@ -502,8 +507,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 502 | km_state_notify(x, &c); | 507 | km_state_notify(x, &c); |
| 503 | 508 | ||
| 504 | out: | 509 | out: |
| 505 | xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, | 510 | xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid); |
| 506 | NETLINK_CB(skb).sid); | ||
| 507 | xfrm_state_put(x); | 511 | xfrm_state_put(x); |
| 508 | return err; | 512 | return err; |
| 509 | } | 513 | } |
| @@ -1123,6 +1127,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1123 | struct km_event c; | 1127 | struct km_event c; |
| 1124 | int err; | 1128 | int err; |
| 1125 | int excl; | 1129 | int excl; |
| 1130 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
| 1131 | u32 sessionid = NETLINK_CB(skb).sessionid; | ||
| 1132 | u32 sid = NETLINK_CB(skb).sid; | ||
| 1126 | 1133 | ||
| 1127 | err = verify_newpolicy_info(p); | 1134 | err = verify_newpolicy_info(p); |
| 1128 | if (err) | 1135 | if (err) |
| @@ -1141,8 +1148,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1141 | * a type XFRM_MSG_UPDPOLICY - JHS */ | 1148 | * a type XFRM_MSG_UPDPOLICY - JHS */ |
| 1142 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; | 1149 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; |
| 1143 | err = xfrm_policy_insert(p->dir, xp, excl); | 1150 | err = xfrm_policy_insert(p->dir, xp, excl); |
| 1144 | xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid, | 1151 | xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid); |
| 1145 | NETLINK_CB(skb).sid); | ||
| 1146 | 1152 | ||
| 1147 | if (err) { | 1153 | if (err) { |
| 1148 | security_xfrm_policy_free(xp->security); | 1154 | security_xfrm_policy_free(xp->security); |
| @@ -1371,9 +1377,12 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1371 | NETLINK_CB(skb).pid); | 1377 | NETLINK_CB(skb).pid); |
| 1372 | } | 1378 | } |
| 1373 | } else { | 1379 | } else { |
| 1374 | xfrm_audit_policy_delete(xp, err ? 0 : 1, | 1380 | uid_t loginuid = NETLINK_CB(skb).loginuid; |
| 1375 | NETLINK_CB(skb).loginuid, | 1381 | u32 sessionid = NETLINK_CB(skb).sessionid; |
| 1376 | NETLINK_CB(skb).sid); | 1382 | u32 sid = NETLINK_CB(skb).sid; |
| 1383 | |||
| 1384 | xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid, | ||
| 1385 | sid); | ||
| 1377 | 1386 | ||
| 1378 | if (err != 0) | 1387 | if (err != 0) |
| 1379 | goto out; | 1388 | goto out; |
| @@ -1399,6 +1408,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1399 | int err; | 1408 | int err; |
| 1400 | 1409 | ||
| 1401 | audit_info.loginuid = NETLINK_CB(skb).loginuid; | 1410 | audit_info.loginuid = NETLINK_CB(skb).loginuid; |
| 1411 | audit_info.sessionid = NETLINK_CB(skb).sessionid; | ||
| 1402 | audit_info.secid = NETLINK_CB(skb).sid; | 1412 | audit_info.secid = NETLINK_CB(skb).sid; |
| 1403 | err = xfrm_state_flush(p->proto, &audit_info); | 1413 | err = xfrm_state_flush(p->proto, &audit_info); |
| 1404 | if (err) | 1414 | if (err) |
| @@ -1546,6 +1556,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1546 | return err; | 1556 | return err; |
| 1547 | 1557 | ||
| 1548 | audit_info.loginuid = NETLINK_CB(skb).loginuid; | 1558 | audit_info.loginuid = NETLINK_CB(skb).loginuid; |
| 1559 | audit_info.sessionid = NETLINK_CB(skb).sessionid; | ||
| 1549 | audit_info.secid = NETLINK_CB(skb).sid; | 1560 | audit_info.secid = NETLINK_CB(skb).sid; |
| 1550 | err = xfrm_policy_flush(type, &audit_info); | 1561 | err = xfrm_policy_flush(type, &audit_info); |
| 1551 | if (err) | 1562 | if (err) |
| @@ -1604,9 +1615,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1604 | read_unlock(&xp->lock); | 1615 | read_unlock(&xp->lock); |
| 1605 | err = 0; | 1616 | err = 0; |
| 1606 | if (up->hard) { | 1617 | if (up->hard) { |
| 1618 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
| 1619 | uid_t sessionid = NETLINK_CB(skb).sessionid; | ||
| 1620 | u32 sid = NETLINK_CB(skb).sid; | ||
| 1607 | xfrm_policy_delete(xp, p->dir); | 1621 | xfrm_policy_delete(xp, p->dir); |
| 1608 | xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid, | 1622 | xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid); |
| 1609 | NETLINK_CB(skb).sid); | ||
| 1610 | 1623 | ||
| 1611 | } else { | 1624 | } else { |
| 1612 | // reset the timers here? | 1625 | // reset the timers here? |
| @@ -1640,9 +1653,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1640 | km_state_expired(x, ue->hard, current->pid); | 1653 | km_state_expired(x, ue->hard, current->pid); |
| 1641 | 1654 | ||
| 1642 | if (ue->hard) { | 1655 | if (ue->hard) { |
| 1656 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
| 1657 | uid_t sessionid = NETLINK_CB(skb).sessionid; | ||
| 1658 | u32 sid = NETLINK_CB(skb).sid; | ||
| 1643 | __xfrm_state_delete(x); | 1659 | __xfrm_state_delete(x); |
| 1644 | xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid, | 1660 | xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid); |
| 1645 | NETLINK_CB(skb).sid); | ||
| 1646 | } | 1661 | } |
| 1647 | err = 0; | 1662 | err = 0; |
| 1648 | out: | 1663 | out: |