aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2008-04-18 10:09:25 -0400
committerAl Viro <viro@zeniv.linux.org.uk>2008-04-28 06:18:03 -0400
commit2532386f480eefbdd67b48be55fb4fb3e5a6081c (patch)
treedd6a5a3c4116a67380a1336319c16632f04f80f9 /net/xfrm
parent436c405c7d19455a71f42c9bec5fd5e028f1eb4e (diff)
Audit: collect sessionid in netlink messages
Previously I added sessionid output to all audit messages where it was available but we still didn't know the sessionid of the sender of netlink messages. This patch adds that information to netlink messages so we can audit who sent netlink messages. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'net/xfrm')
-rw-r--r--net/xfrm/xfrm_policy.c12
-rw-r--r--net/xfrm/xfrm_state.c13
-rw-r--r--net/xfrm/xfrm_user.c41
3 files changed, 44 insertions, 22 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index e0c0390613c0..cae9fd815543 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -762,6 +762,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
762 if (err) { 762 if (err) {
763 xfrm_audit_policy_delete(pol, 0, 763 xfrm_audit_policy_delete(pol, 0,
764 audit_info->loginuid, 764 audit_info->loginuid,
765 audit_info->sessionid,
765 audit_info->secid); 766 audit_info->secid);
766 return err; 767 return err;
767 } 768 }
@@ -777,6 +778,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
777 if (err) { 778 if (err) {
778 xfrm_audit_policy_delete(pol, 0, 779 xfrm_audit_policy_delete(pol, 0,
779 audit_info->loginuid, 780 audit_info->loginuid,
781 audit_info->sessionid,
780 audit_info->secid); 782 audit_info->secid);
781 return err; 783 return err;
782 } 784 }
@@ -819,6 +821,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
819 write_unlock_bh(&xfrm_policy_lock); 821 write_unlock_bh(&xfrm_policy_lock);
820 822
821 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, 823 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
824 audit_info->sessionid,
822 audit_info->secid); 825 audit_info->secid);
823 826
824 xfrm_policy_kill(pol); 827 xfrm_policy_kill(pol);
@@ -841,6 +844,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
841 844
842 xfrm_audit_policy_delete(pol, 1, 845 xfrm_audit_policy_delete(pol, 1,
843 audit_info->loginuid, 846 audit_info->loginuid,
847 audit_info->sessionid,
844 audit_info->secid); 848 audit_info->secid);
845 xfrm_policy_kill(pol); 849 xfrm_policy_kill(pol);
846 killed++; 850 killed++;
@@ -2472,14 +2476,14 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2472} 2476}
2473 2477
2474void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 2478void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2475 u32 auid, u32 secid) 2479 uid_t auid, u32 sessionid, u32 secid)
2476{ 2480{
2477 struct audit_buffer *audit_buf; 2481 struct audit_buffer *audit_buf;
2478 2482
2479 audit_buf = xfrm_audit_start("SPD-add"); 2483 audit_buf = xfrm_audit_start("SPD-add");
2480 if (audit_buf == NULL) 2484 if (audit_buf == NULL)
2481 return; 2485 return;
2482 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2486 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2483 audit_log_format(audit_buf, " res=%u", result); 2487 audit_log_format(audit_buf, " res=%u", result);
2484 xfrm_audit_common_policyinfo(xp, audit_buf); 2488 xfrm_audit_common_policyinfo(xp, audit_buf);
2485 audit_log_end(audit_buf); 2489 audit_log_end(audit_buf);
@@ -2487,14 +2491,14 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2487EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); 2491EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
2488 2492
2489void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 2493void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
2490 u32 auid, u32 secid) 2494 uid_t auid, u32 sessionid, u32 secid)
2491{ 2495{
2492 struct audit_buffer *audit_buf; 2496 struct audit_buffer *audit_buf;
2493 2497
2494 audit_buf = xfrm_audit_start("SPD-delete"); 2498 audit_buf = xfrm_audit_start("SPD-delete");
2495 if (audit_buf == NULL) 2499 if (audit_buf == NULL)
2496 return; 2500 return;
2497 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2501 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2498 audit_log_format(audit_buf, " res=%u", result); 2502 audit_log_format(audit_buf, " res=%u", result);
2499 xfrm_audit_common_policyinfo(xp, audit_buf); 2503 xfrm_audit_common_policyinfo(xp, audit_buf);
2500 audit_log_end(audit_buf); 2504 audit_log_end(audit_buf);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 5dcc10b93c86..c3f5f70934ec 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -496,7 +496,8 @@ expired:
496 km_state_expired(x, 1, 0); 496 km_state_expired(x, 1, 0);
497 497
498 xfrm_audit_state_delete(x, err ? 0 : 1, 498 xfrm_audit_state_delete(x, err ? 0 : 1,
499 audit_get_loginuid(current), 0); 499 audit_get_loginuid(current),
500 audit_get_sessionid(current), 0);
500 501
501out: 502out:
502 spin_unlock(&x->lock); 503 spin_unlock(&x->lock);
@@ -603,6 +604,7 @@ xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
603 (err = security_xfrm_state_delete(x)) != 0) { 604 (err = security_xfrm_state_delete(x)) != 0) {
604 xfrm_audit_state_delete(x, 0, 605 xfrm_audit_state_delete(x, 0,
605 audit_info->loginuid, 606 audit_info->loginuid,
607 audit_info->sessionid,
606 audit_info->secid); 608 audit_info->secid);
607 return err; 609 return err;
608 } 610 }
@@ -641,6 +643,7 @@ restart:
641 err = xfrm_state_delete(x); 643 err = xfrm_state_delete(x);
642 xfrm_audit_state_delete(x, err ? 0 : 1, 644 xfrm_audit_state_delete(x, err ? 0 : 1,
643 audit_info->loginuid, 645 audit_info->loginuid,
646 audit_info->sessionid,
644 audit_info->secid); 647 audit_info->secid);
645 xfrm_state_put(x); 648 xfrm_state_put(x);
646 649
@@ -2123,14 +2126,14 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2123} 2126}
2124 2127
2125void xfrm_audit_state_add(struct xfrm_state *x, int result, 2128void xfrm_audit_state_add(struct xfrm_state *x, int result,
2126 u32 auid, u32 secid) 2129 uid_t auid, u32 sessionid, u32 secid)
2127{ 2130{
2128 struct audit_buffer *audit_buf; 2131 struct audit_buffer *audit_buf;
2129 2132
2130 audit_buf = xfrm_audit_start("SAD-add"); 2133 audit_buf = xfrm_audit_start("SAD-add");
2131 if (audit_buf == NULL) 2134 if (audit_buf == NULL)
2132 return; 2135 return;
2133 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2136 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2134 xfrm_audit_helper_sainfo(x, audit_buf); 2137 xfrm_audit_helper_sainfo(x, audit_buf);
2135 audit_log_format(audit_buf, " res=%u", result); 2138 audit_log_format(audit_buf, " res=%u", result);
2136 audit_log_end(audit_buf); 2139 audit_log_end(audit_buf);
@@ -2138,14 +2141,14 @@ void xfrm_audit_state_add(struct xfrm_state *x, int result,
2138EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2141EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2139 2142
2140void xfrm_audit_state_delete(struct xfrm_state *x, int result, 2143void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2141 u32 auid, u32 secid) 2144 uid_t auid, u32 sessionid, u32 secid)
2142{ 2145{
2143 struct audit_buffer *audit_buf; 2146 struct audit_buffer *audit_buf;
2144 2147
2145 audit_buf = xfrm_audit_start("SAD-delete"); 2148 audit_buf = xfrm_audit_start("SAD-delete");
2146 if (audit_buf == NULL) 2149 if (audit_buf == NULL)
2147 return; 2150 return;
2148 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2151 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2149 xfrm_audit_helper_sainfo(x, audit_buf); 2152 xfrm_audit_helper_sainfo(x, audit_buf);
2150 audit_log_format(audit_buf, " res=%u", result); 2153 audit_log_format(audit_buf, " res=%u", result);
2151 audit_log_end(audit_buf); 2154 audit_log_end(audit_buf);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 22a30ae582a2..a1b0fbe3ea35 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -407,6 +407,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
407 struct xfrm_state *x; 407 struct xfrm_state *x;
408 int err; 408 int err;
409 struct km_event c; 409 struct km_event c;
410 uid_t loginuid = NETLINK_CB(skb).loginuid;
411 u32 sessionid = NETLINK_CB(skb).sessionid;
412 u32 sid = NETLINK_CB(skb).sid;
410 413
411 err = verify_newsa_info(p, attrs); 414 err = verify_newsa_info(p, attrs);
412 if (err) 415 if (err)
@@ -422,8 +425,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
422 else 425 else
423 err = xfrm_state_update(x); 426 err = xfrm_state_update(x);
424 427
425 xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, 428 xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
426 NETLINK_CB(skb).sid);
427 429
428 if (err < 0) { 430 if (err < 0) {
429 x->km.state = XFRM_STATE_DEAD; 431 x->km.state = XFRM_STATE_DEAD;
@@ -478,6 +480,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
478 int err = -ESRCH; 480 int err = -ESRCH;
479 struct km_event c; 481 struct km_event c;
480 struct xfrm_usersa_id *p = nlmsg_data(nlh); 482 struct xfrm_usersa_id *p = nlmsg_data(nlh);
483 uid_t loginuid = NETLINK_CB(skb).loginuid;
484 u32 sessionid = NETLINK_CB(skb).sessionid;
485 u32 sid = NETLINK_CB(skb).sid;
481 486
482 x = xfrm_user_state_lookup(p, attrs, &err); 487 x = xfrm_user_state_lookup(p, attrs, &err);
483 if (x == NULL) 488 if (x == NULL)
@@ -502,8 +507,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
502 km_state_notify(x, &c); 507 km_state_notify(x, &c);
503 508
504out: 509out:
505 xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, 510 xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
506 NETLINK_CB(skb).sid);
507 xfrm_state_put(x); 511 xfrm_state_put(x);
508 return err; 512 return err;
509} 513}
@@ -1123,6 +1127,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1123 struct km_event c; 1127 struct km_event c;
1124 int err; 1128 int err;
1125 int excl; 1129 int excl;
1130 uid_t loginuid = NETLINK_CB(skb).loginuid;
1131 u32 sessionid = NETLINK_CB(skb).sessionid;
1132 u32 sid = NETLINK_CB(skb).sid;
1126 1133
1127 err = verify_newpolicy_info(p); 1134 err = verify_newpolicy_info(p);
1128 if (err) 1135 if (err)
@@ -1141,8 +1148,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1141 * a type XFRM_MSG_UPDPOLICY - JHS */ 1148 * a type XFRM_MSG_UPDPOLICY - JHS */
1142 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1149 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
1143 err = xfrm_policy_insert(p->dir, xp, excl); 1150 err = xfrm_policy_insert(p->dir, xp, excl);
1144 xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid, 1151 xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
1145 NETLINK_CB(skb).sid);
1146 1152
1147 if (err) { 1153 if (err) {
1148 security_xfrm_policy_free(xp->security); 1154 security_xfrm_policy_free(xp->security);
@@ -1371,9 +1377,12 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1371 NETLINK_CB(skb).pid); 1377 NETLINK_CB(skb).pid);
1372 } 1378 }
1373 } else { 1379 } else {
1374 xfrm_audit_policy_delete(xp, err ? 0 : 1, 1380 uid_t loginuid = NETLINK_CB(skb).loginuid;
1375 NETLINK_CB(skb).loginuid, 1381 u32 sessionid = NETLINK_CB(skb).sessionid;
1376 NETLINK_CB(skb).sid); 1382 u32 sid = NETLINK_CB(skb).sid;
1383
1384 xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
1385 sid);
1377 1386
1378 if (err != 0) 1387 if (err != 0)
1379 goto out; 1388 goto out;
@@ -1399,6 +1408,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
1399 int err; 1408 int err;
1400 1409
1401 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1410 audit_info.loginuid = NETLINK_CB(skb).loginuid;
1411 audit_info.sessionid = NETLINK_CB(skb).sessionid;
1402 audit_info.secid = NETLINK_CB(skb).sid; 1412 audit_info.secid = NETLINK_CB(skb).sid;
1403 err = xfrm_state_flush(p->proto, &audit_info); 1413 err = xfrm_state_flush(p->proto, &audit_info);
1404 if (err) 1414 if (err)
@@ -1546,6 +1556,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1546 return err; 1556 return err;
1547 1557
1548 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1558 audit_info.loginuid = NETLINK_CB(skb).loginuid;
1559 audit_info.sessionid = NETLINK_CB(skb).sessionid;
1549 audit_info.secid = NETLINK_CB(skb).sid; 1560 audit_info.secid = NETLINK_CB(skb).sid;
1550 err = xfrm_policy_flush(type, &audit_info); 1561 err = xfrm_policy_flush(type, &audit_info);
1551 if (err) 1562 if (err)
@@ -1604,9 +1615,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1604 read_unlock(&xp->lock); 1615 read_unlock(&xp->lock);
1605 err = 0; 1616 err = 0;
1606 if (up->hard) { 1617 if (up->hard) {
1618 uid_t loginuid = NETLINK_CB(skb).loginuid;
1619 uid_t sessionid = NETLINK_CB(skb).sessionid;
1620 u32 sid = NETLINK_CB(skb).sid;
1607 xfrm_policy_delete(xp, p->dir); 1621 xfrm_policy_delete(xp, p->dir);
1608 xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid, 1622 xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);
1609 NETLINK_CB(skb).sid);
1610 1623
1611 } else { 1624 } else {
1612 // reset the timers here? 1625 // reset the timers here?
@@ -1640,9 +1653,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1640 km_state_expired(x, ue->hard, current->pid); 1653 km_state_expired(x, ue->hard, current->pid);
1641 1654
1642 if (ue->hard) { 1655 if (ue->hard) {
1656 uid_t loginuid = NETLINK_CB(skb).loginuid;
1657 uid_t sessionid = NETLINK_CB(skb).sessionid;
1658 u32 sid = NETLINK_CB(skb).sid;
1643 __xfrm_state_delete(x); 1659 __xfrm_state_delete(x);
1644 xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid, 1660 xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
1645 NETLINK_CB(skb).sid);
1646 } 1661 }
1647 err = 0; 1662 err = 0;
1648out: 1663out:
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-28 20:26:07 -0500