diff options
| author | Joy Latten <latten@austin.ibm.com> | 2007-09-17 14:51:22 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-10 19:49:02 -0400 |
| commit | ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce (patch) | |
| tree | bf3915a618b29f507d882e9c665ed9d07e7c0765 /net/xfrm/xfrm_user.c | |
| parent | d2e9117c7aa9544d910634e17e3519fd67155229 (diff) | |
[XFRM]: xfrm audit calls
This patch modifies the current ipsec audit layer
by breaking it up into purpose driven audit calls.
So far, the only audit calls made are when add/delete
an SA/policy. It had been discussed to give each
key manager it's own calls to do this, but I found
there to be much redundnacy since they did the exact
same things, except for how they got auid and sid, so I
combined them. The below audit calls can be made by any
key manager. Hopefully, this is ok.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_user.c')
| -rw-r--r-- | net/xfrm/xfrm_user.c | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 9e516f5cbb5e..0d81c0f23919 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
| @@ -30,7 +30,6 @@ | |||
| 30 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 30 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| 31 | #include <linux/in6.h> | 31 | #include <linux/in6.h> |
| 32 | #endif | 32 | #endif |
| 33 | #include <linux/audit.h> | ||
| 34 | 33 | ||
| 35 | static inline int alg_len(struct xfrm_algo *alg) | 34 | static inline int alg_len(struct xfrm_algo *alg) |
| 36 | { | 35 | { |
| @@ -371,8 +370,8 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 371 | else | 370 | else |
| 372 | err = xfrm_state_update(x); | 371 | err = xfrm_state_update(x); |
| 373 | 372 | ||
| 374 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 373 | xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, |
| 375 | AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); | 374 | NETLINK_CB(skb).sid); |
| 376 | 375 | ||
| 377 | if (err < 0) { | 376 | if (err < 0) { |
| 378 | x->km.state = XFRM_STATE_DEAD; | 377 | x->km.state = XFRM_STATE_DEAD; |
| @@ -451,8 +450,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 451 | km_state_notify(x, &c); | 450 | km_state_notify(x, &c); |
| 452 | 451 | ||
| 453 | out: | 452 | out: |
| 454 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 453 | xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, |
| 455 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | 454 | NETLINK_CB(skb).sid); |
| 456 | xfrm_state_put(x); | 455 | xfrm_state_put(x); |
| 457 | return err; | 456 | return err; |
| 458 | } | 457 | } |
| @@ -1067,8 +1066,8 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1067 | * a type XFRM_MSG_UPDPOLICY - JHS */ | 1066 | * a type XFRM_MSG_UPDPOLICY - JHS */ |
| 1068 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; | 1067 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; |
| 1069 | err = xfrm_policy_insert(p->dir, xp, excl); | 1068 | err = xfrm_policy_insert(p->dir, xp, excl); |
| 1070 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1069 | xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid, |
| 1071 | AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); | 1070 | NETLINK_CB(skb).sid); |
| 1072 | 1071 | ||
| 1073 | if (err) { | 1072 | if (err) { |
| 1074 | security_xfrm_policy_free(xp); | 1073 | security_xfrm_policy_free(xp); |
| @@ -1290,8 +1289,9 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1290 | NETLINK_CB(skb).pid); | 1289 | NETLINK_CB(skb).pid); |
| 1291 | } | 1290 | } |
| 1292 | } else { | 1291 | } else { |
| 1293 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1292 | xfrm_audit_policy_delete(xp, err ? 0 : 1, |
| 1294 | AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); | 1293 | NETLINK_CB(skb).loginuid, |
| 1294 | NETLINK_CB(skb).sid); | ||
| 1295 | 1295 | ||
| 1296 | if (err != 0) | 1296 | if (err != 0) |
| 1297 | goto out; | 1297 | goto out; |
| @@ -1523,8 +1523,8 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1523 | err = 0; | 1523 | err = 0; |
| 1524 | if (up->hard) { | 1524 | if (up->hard) { |
| 1525 | xfrm_policy_delete(xp, p->dir); | 1525 | xfrm_policy_delete(xp, p->dir); |
| 1526 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1526 | xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid, |
| 1527 | AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); | 1527 | NETLINK_CB(skb).sid); |
| 1528 | 1528 | ||
| 1529 | } else { | 1529 | } else { |
| 1530 | // reset the timers here? | 1530 | // reset the timers here? |
| @@ -1559,8 +1559,8 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1559 | 1559 | ||
| 1560 | if (ue->hard) { | 1560 | if (ue->hard) { |
| 1561 | __xfrm_state_delete(x); | 1561 | __xfrm_state_delete(x); |
| 1562 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | 1562 | xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid, |
| 1563 | AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); | 1563 | NETLINK_CB(skb).sid); |
| 1564 | } | 1564 | } |
| 1565 | err = 0; | 1565 | err = 0; |
| 1566 | out: | 1566 | out: |