diff options
author | Joy Latten <latten@austin.ibm.com> | 2007-09-17 14:51:22 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-10 19:49:02 -0400 |
commit | ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce (patch) | |
tree | bf3915a618b29f507d882e9c665ed9d07e7c0765 /net/xfrm/xfrm_user.c | |
parent | d2e9117c7aa9544d910634e17e3519fd67155229 (diff) |
[XFRM]: xfrm audit calls
This patch modifies the current ipsec audit layer
by breaking it up into purpose driven audit calls.
So far, the only audit calls made are when add/delete
an SA/policy. It had been discussed to give each
key manager it's own calls to do this, but I found
there to be much redundnacy since they did the exact
same things, except for how they got auid and sid, so I
combined them. The below audit calls can be made by any
key manager. Hopefully, this is ok.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_user.c')
-rw-r--r-- | net/xfrm/xfrm_user.c | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 9e516f5cbb5e..0d81c0f23919 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
@@ -30,7 +30,6 @@ | |||
30 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 30 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
31 | #include <linux/in6.h> | 31 | #include <linux/in6.h> |
32 | #endif | 32 | #endif |
33 | #include <linux/audit.h> | ||
34 | 33 | ||
35 | static inline int alg_len(struct xfrm_algo *alg) | 34 | static inline int alg_len(struct xfrm_algo *alg) |
36 | { | 35 | { |
@@ -371,8 +370,8 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
371 | else | 370 | else |
372 | err = xfrm_state_update(x); | 371 | err = xfrm_state_update(x); |
373 | 372 | ||
374 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 373 | xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, |
375 | AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); | 374 | NETLINK_CB(skb).sid); |
376 | 375 | ||
377 | if (err < 0) { | 376 | if (err < 0) { |
378 | x->km.state = XFRM_STATE_DEAD; | 377 | x->km.state = XFRM_STATE_DEAD; |
@@ -451,8 +450,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
451 | km_state_notify(x, &c); | 450 | km_state_notify(x, &c); |
452 | 451 | ||
453 | out: | 452 | out: |
454 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 453 | xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, |
455 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | 454 | NETLINK_CB(skb).sid); |
456 | xfrm_state_put(x); | 455 | xfrm_state_put(x); |
457 | return err; | 456 | return err; |
458 | } | 457 | } |
@@ -1067,8 +1066,8 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1067 | * a type XFRM_MSG_UPDPOLICY - JHS */ | 1066 | * a type XFRM_MSG_UPDPOLICY - JHS */ |
1068 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; | 1067 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; |
1069 | err = xfrm_policy_insert(p->dir, xp, excl); | 1068 | err = xfrm_policy_insert(p->dir, xp, excl); |
1070 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1069 | xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid, |
1071 | AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); | 1070 | NETLINK_CB(skb).sid); |
1072 | 1071 | ||
1073 | if (err) { | 1072 | if (err) { |
1074 | security_xfrm_policy_free(xp); | 1073 | security_xfrm_policy_free(xp); |
@@ -1290,8 +1289,9 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1290 | NETLINK_CB(skb).pid); | 1289 | NETLINK_CB(skb).pid); |
1291 | } | 1290 | } |
1292 | } else { | 1291 | } else { |
1293 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1292 | xfrm_audit_policy_delete(xp, err ? 0 : 1, |
1294 | AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); | 1293 | NETLINK_CB(skb).loginuid, |
1294 | NETLINK_CB(skb).sid); | ||
1295 | 1295 | ||
1296 | if (err != 0) | 1296 | if (err != 0) |
1297 | goto out; | 1297 | goto out; |
@@ -1523,8 +1523,8 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1523 | err = 0; | 1523 | err = 0; |
1524 | if (up->hard) { | 1524 | if (up->hard) { |
1525 | xfrm_policy_delete(xp, p->dir); | 1525 | xfrm_policy_delete(xp, p->dir); |
1526 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1526 | xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid, |
1527 | AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); | 1527 | NETLINK_CB(skb).sid); |
1528 | 1528 | ||
1529 | } else { | 1529 | } else { |
1530 | // reset the timers here? | 1530 | // reset the timers here? |
@@ -1559,8 +1559,8 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1559 | 1559 | ||
1560 | if (ue->hard) { | 1560 | if (ue->hard) { |
1561 | __xfrm_state_delete(x); | 1561 | __xfrm_state_delete(x); |
1562 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1562 | xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid, |
1563 | AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); | 1563 | NETLINK_CB(skb).sid); |
1564 | } | 1564 | } |
1565 | err = 0; | 1565 | err = 0; |
1566 | out: | 1566 | out: |