aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm/xfrm_user.c
diff options
context:
space:
mode:
authorJoy Latten <latten@austin.ibm.com>2007-09-17 14:51:22 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-10-10 19:49:02 -0400
commitab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce (patch)
treebf3915a618b29f507d882e9c665ed9d07e7c0765 /net/xfrm/xfrm_user.c
parentd2e9117c7aa9544d910634e17e3519fd67155229 (diff)
[XFRM]: xfrm audit calls
This patch modifies the current ipsec audit layer by breaking it up into purpose driven audit calls. So far, the only audit calls made are when add/delete an SA/policy. It had been discussed to give each key manager it's own calls to do this, but I found there to be much redundnacy since they did the exact same things, except for how they got auid and sid, so I combined them. The below audit calls can be made by any key manager. Hopefully, this is ok. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_user.c')
-rw-r--r--net/xfrm/xfrm_user.c26
1 files changed, 13 insertions, 13 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 9e516f5cbb5e..0d81c0f23919 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -30,7 +30,6 @@
30#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) 30#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
31#include <linux/in6.h> 31#include <linux/in6.h>
32#endif 32#endif
33#include <linux/audit.h>
34 33
35static inline int alg_len(struct xfrm_algo *alg) 34static inline int alg_len(struct xfrm_algo *alg)
36{ 35{
@@ -371,8 +370,8 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
371 else 370 else
372 err = xfrm_state_update(x); 371 err = xfrm_state_update(x);
373 372
374 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 373 xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid,
375 AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); 374 NETLINK_CB(skb).sid);
376 375
377 if (err < 0) { 376 if (err < 0) {
378 x->km.state = XFRM_STATE_DEAD; 377 x->km.state = XFRM_STATE_DEAD;
@@ -451,8 +450,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
451 km_state_notify(x, &c); 450 km_state_notify(x, &c);
452 451
453out: 452out:
454 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 453 xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid,
455 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); 454 NETLINK_CB(skb).sid);
456 xfrm_state_put(x); 455 xfrm_state_put(x);
457 return err; 456 return err;
458} 457}
@@ -1067,8 +1066,8 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1067 * a type XFRM_MSG_UPDPOLICY - JHS */ 1066 * a type XFRM_MSG_UPDPOLICY - JHS */
1068 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1067 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
1069 err = xfrm_policy_insert(p->dir, xp, excl); 1068 err = xfrm_policy_insert(p->dir, xp, excl);
1070 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1069 xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid,
1071 AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); 1070 NETLINK_CB(skb).sid);
1072 1071
1073 if (err) { 1072 if (err) {
1074 security_xfrm_policy_free(xp); 1073 security_xfrm_policy_free(xp);
@@ -1290,8 +1289,9 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1290 NETLINK_CB(skb).pid); 1289 NETLINK_CB(skb).pid);
1291 } 1290 }
1292 } else { 1291 } else {
1293 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1292 xfrm_audit_policy_delete(xp, err ? 0 : 1,
1294 AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); 1293 NETLINK_CB(skb).loginuid,
1294 NETLINK_CB(skb).sid);
1295 1295
1296 if (err != 0) 1296 if (err != 0)
1297 goto out; 1297 goto out;
@@ -1523,8 +1523,8 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1523 err = 0; 1523 err = 0;
1524 if (up->hard) { 1524 if (up->hard) {
1525 xfrm_policy_delete(xp, p->dir); 1525 xfrm_policy_delete(xp, p->dir);
1526 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1526 xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid,
1527 AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); 1527 NETLINK_CB(skb).sid);
1528 1528
1529 } else { 1529 } else {
1530 // reset the timers here? 1530 // reset the timers here?
@@ -1559,8 +1559,8 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1559 1559
1560 if (ue->hard) { 1560 if (ue->hard) {
1561 __xfrm_state_delete(x); 1561 __xfrm_state_delete(x);
1562 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, 1562 xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid,
1563 AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); 1563 NETLINK_CB(skb).sid);
1564 } 1564 }
1565 err = 0; 1565 err = 0;
1566out: 1566out: