aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2008-04-29 14:41:22 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2008-04-29 14:41:22 -0400
commit9781db7b345b5dfe93787aaaf310c861db7c1ede (patch)
treed9796e29fd914ca04835636be95bbd5082a034fd /net/xfrm
parent97094dcf5cefc8ccfdf93839f54dac2c4d316165 (diff)
parent8b67dca9420474623709e00d72a066068a502b20 (diff)
Merge branch 'audit.b50' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b50' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: [PATCH] new predicate - AUDIT_FILETYPE [patch 2/2] Use find_task_by_vpid in audit code [patch 1/2] audit: let userspace fully control TTY input auditing [PATCH 2/2] audit: fix sparse shadowed variable warnings [PATCH 1/2] audit: move extern declarations to audit.h Audit: MAINTAINERS update Audit: increase the maximum length of the key field Audit: standardize string audit interfaces Audit: stop deadlock from signals under load Audit: save audit_backlog_limit audit messages in case auditd comes back Audit: collect sessionid in netlink messages Audit: end printk with newline
Diffstat (limited to 'net/xfrm')
-rw-r--r--net/xfrm/xfrm_policy.c12
-rw-r--r--net/xfrm/xfrm_state.c13
-rw-r--r--net/xfrm/xfrm_user.c41
3 files changed, 44 insertions, 22 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index e0c0390613c0..cae9fd815543 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -762,6 +762,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
762 if (err) { 762 if (err) {
763 xfrm_audit_policy_delete(pol, 0, 763 xfrm_audit_policy_delete(pol, 0,
764 audit_info->loginuid, 764 audit_info->loginuid,
765 audit_info->sessionid,
765 audit_info->secid); 766 audit_info->secid);
766 return err; 767 return err;
767 } 768 }
@@ -777,6 +778,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
777 if (err) { 778 if (err) {
778 xfrm_audit_policy_delete(pol, 0, 779 xfrm_audit_policy_delete(pol, 0,
779 audit_info->loginuid, 780 audit_info->loginuid,
781 audit_info->sessionid,
780 audit_info->secid); 782 audit_info->secid);
781 return err; 783 return err;
782 } 784 }
@@ -819,6 +821,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
819 write_unlock_bh(&xfrm_policy_lock); 821 write_unlock_bh(&xfrm_policy_lock);
820 822
821 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, 823 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
824 audit_info->sessionid,
822 audit_info->secid); 825 audit_info->secid);
823 826
824 xfrm_policy_kill(pol); 827 xfrm_policy_kill(pol);
@@ -841,6 +844,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
841 844
842 xfrm_audit_policy_delete(pol, 1, 845 xfrm_audit_policy_delete(pol, 1,
843 audit_info->loginuid, 846 audit_info->loginuid,
847 audit_info->sessionid,
844 audit_info->secid); 848 audit_info->secid);
845 xfrm_policy_kill(pol); 849 xfrm_policy_kill(pol);
846 killed++; 850 killed++;
@@ -2472,14 +2476,14 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2472} 2476}
2473 2477
2474void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 2478void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2475 u32 auid, u32 secid) 2479 uid_t auid, u32 sessionid, u32 secid)
2476{ 2480{
2477 struct audit_buffer *audit_buf; 2481 struct audit_buffer *audit_buf;
2478 2482
2479 audit_buf = xfrm_audit_start("SPD-add"); 2483 audit_buf = xfrm_audit_start("SPD-add");
2480 if (audit_buf == NULL) 2484 if (audit_buf == NULL)
2481 return; 2485 return;
2482 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2486 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2483 audit_log_format(audit_buf, " res=%u", result); 2487 audit_log_format(audit_buf, " res=%u", result);
2484 xfrm_audit_common_policyinfo(xp, audit_buf); 2488 xfrm_audit_common_policyinfo(xp, audit_buf);
2485 audit_log_end(audit_buf); 2489 audit_log_end(audit_buf);
@@ -2487,14 +2491,14 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
2487EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); 2491EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
2488 2492
2489void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 2493void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
2490 u32 auid, u32 secid) 2494 uid_t auid, u32 sessionid, u32 secid)
2491{ 2495{
2492 struct audit_buffer *audit_buf; 2496 struct audit_buffer *audit_buf;
2493 2497
2494 audit_buf = xfrm_audit_start("SPD-delete"); 2498 audit_buf = xfrm_audit_start("SPD-delete");
2495 if (audit_buf == NULL) 2499 if (audit_buf == NULL)
2496 return; 2500 return;
2497 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2501 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2498 audit_log_format(audit_buf, " res=%u", result); 2502 audit_log_format(audit_buf, " res=%u", result);
2499 xfrm_audit_common_policyinfo(xp, audit_buf); 2503 xfrm_audit_common_policyinfo(xp, audit_buf);
2500 audit_log_end(audit_buf); 2504 audit_log_end(audit_buf);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index fac27ce770d5..72fddafd891a 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -496,7 +496,8 @@ expired:
496 km_state_expired(x, 1, 0); 496 km_state_expired(x, 1, 0);
497 497
498 xfrm_audit_state_delete(x, err ? 0 : 1, 498 xfrm_audit_state_delete(x, err ? 0 : 1,
499 audit_get_loginuid(current), 0); 499 audit_get_loginuid(current),
500 audit_get_sessionid(current), 0);
500 501
501out: 502out:
502 spin_unlock(&x->lock); 503 spin_unlock(&x->lock);
@@ -603,6 +604,7 @@ xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
603 (err = security_xfrm_state_delete(x)) != 0) { 604 (err = security_xfrm_state_delete(x)) != 0) {
604 xfrm_audit_state_delete(x, 0, 605 xfrm_audit_state_delete(x, 0,
605 audit_info->loginuid, 606 audit_info->loginuid,
607 audit_info->sessionid,
606 audit_info->secid); 608 audit_info->secid);
607 return err; 609 return err;
608 } 610 }
@@ -641,6 +643,7 @@ restart:
641 err = xfrm_state_delete(x); 643 err = xfrm_state_delete(x);
642 xfrm_audit_state_delete(x, err ? 0 : 1, 644 xfrm_audit_state_delete(x, err ? 0 : 1,
643 audit_info->loginuid, 645 audit_info->loginuid,
646 audit_info->sessionid,
644 audit_info->secid); 647 audit_info->secid);
645 xfrm_state_put(x); 648 xfrm_state_put(x);
646 649
@@ -2123,14 +2126,14 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2123} 2126}
2124 2127
2125void xfrm_audit_state_add(struct xfrm_state *x, int result, 2128void xfrm_audit_state_add(struct xfrm_state *x, int result,
2126 u32 auid, u32 secid) 2129 uid_t auid, u32 sessionid, u32 secid)
2127{ 2130{
2128 struct audit_buffer *audit_buf; 2131 struct audit_buffer *audit_buf;
2129 2132
2130 audit_buf = xfrm_audit_start("SAD-add"); 2133 audit_buf = xfrm_audit_start("SAD-add");
2131 if (audit_buf == NULL) 2134 if (audit_buf == NULL)
2132 return; 2135 return;
2133 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2136 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2134 xfrm_audit_helper_sainfo(x, audit_buf); 2137 xfrm_audit_helper_sainfo(x, audit_buf);
2135 audit_log_format(audit_buf, " res=%u", result); 2138 audit_log_format(audit_buf, " res=%u", result);
2136 audit_log_end(audit_buf); 2139 audit_log_end(audit_buf);
@@ -2138,14 +2141,14 @@ void xfrm_audit_state_add(struct xfrm_state *x, int result,
2138EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2141EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2139 2142
2140void xfrm_audit_state_delete(struct xfrm_state *x, int result, 2143void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2141 u32 auid, u32 secid) 2144 uid_t auid, u32 sessionid, u32 secid)
2142{ 2145{
2143 struct audit_buffer *audit_buf; 2146 struct audit_buffer *audit_buf;
2144 2147
2145 audit_buf = xfrm_audit_start("SAD-delete"); 2148 audit_buf = xfrm_audit_start("SAD-delete");
2146 if (audit_buf == NULL) 2149 if (audit_buf == NULL)
2147 return; 2150 return;
2148 xfrm_audit_helper_usrinfo(auid, secid, audit_buf); 2151 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
2149 xfrm_audit_helper_sainfo(x, audit_buf); 2152 xfrm_audit_helper_sainfo(x, audit_buf);
2150 audit_log_format(audit_buf, " res=%u", result); 2153 audit_log_format(audit_buf, " res=%u", result);
2151 audit_log_end(audit_buf); 2154 audit_log_end(audit_buf);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 22a30ae582a2..a1b0fbe3ea35 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -407,6 +407,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
407 struct xfrm_state *x; 407 struct xfrm_state *x;
408 int err; 408 int err;
409 struct km_event c; 409 struct km_event c;
410 uid_t loginuid = NETLINK_CB(skb).loginuid;
411 u32 sessionid = NETLINK_CB(skb).sessionid;
412 u32 sid = NETLINK_CB(skb).sid;
410 413
411 err = verify_newsa_info(p, attrs); 414 err = verify_newsa_info(p, attrs);
412 if (err) 415 if (err)
@@ -422,8 +425,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
422 else 425 else
423 err = xfrm_state_update(x); 426 err = xfrm_state_update(x);
424 427
425 xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, 428 xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
426 NETLINK_CB(skb).sid);
427 429
428 if (err < 0) { 430 if (err < 0) {
429 x->km.state = XFRM_STATE_DEAD; 431 x->km.state = XFRM_STATE_DEAD;
@@ -478,6 +480,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
478 int err = -ESRCH; 480 int err = -ESRCH;
479 struct km_event c; 481 struct km_event c;
480 struct xfrm_usersa_id *p = nlmsg_data(nlh); 482 struct xfrm_usersa_id *p = nlmsg_data(nlh);
483 uid_t loginuid = NETLINK_CB(skb).loginuid;
484 u32 sessionid = NETLINK_CB(skb).sessionid;
485 u32 sid = NETLINK_CB(skb).sid;
481 486
482 x = xfrm_user_state_lookup(p, attrs, &err); 487 x = xfrm_user_state_lookup(p, attrs, &err);
483 if (x == NULL) 488 if (x == NULL)
@@ -502,8 +507,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
502 km_state_notify(x, &c); 507 km_state_notify(x, &c);
503 508
504out: 509out:
505 xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, 510 xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
506 NETLINK_CB(skb).sid);
507 xfrm_state_put(x); 511 xfrm_state_put(x);
508 return err; 512 return err;
509} 513}
@@ -1123,6 +1127,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1123 struct km_event c; 1127 struct km_event c;
1124 int err; 1128 int err;
1125 int excl; 1129 int excl;
1130 uid_t loginuid = NETLINK_CB(skb).loginuid;
1131 u32 sessionid = NETLINK_CB(skb).sessionid;
1132 u32 sid = NETLINK_CB(skb).sid;
1126 1133
1127 err = verify_newpolicy_info(p); 1134 err = verify_newpolicy_info(p);
1128 if (err) 1135 if (err)
@@ -1141,8 +1148,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1141 * a type XFRM_MSG_UPDPOLICY - JHS */ 1148 * a type XFRM_MSG_UPDPOLICY - JHS */
1142 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1149 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
1143 err = xfrm_policy_insert(p->dir, xp, excl); 1150 err = xfrm_policy_insert(p->dir, xp, excl);
1144 xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid, 1151 xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
1145 NETLINK_CB(skb).sid);
1146 1152
1147 if (err) { 1153 if (err) {
1148 security_xfrm_policy_free(xp->security); 1154 security_xfrm_policy_free(xp->security);
@@ -1371,9 +1377,12 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1371 NETLINK_CB(skb).pid); 1377 NETLINK_CB(skb).pid);
1372 } 1378 }
1373 } else { 1379 } else {
1374 xfrm_audit_policy_delete(xp, err ? 0 : 1, 1380 uid_t loginuid = NETLINK_CB(skb).loginuid;
1375 NETLINK_CB(skb).loginuid, 1381 u32 sessionid = NETLINK_CB(skb).sessionid;
1376 NETLINK_CB(skb).sid); 1382 u32 sid = NETLINK_CB(skb).sid;
1383
1384 xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
1385 sid);
1377 1386
1378 if (err != 0) 1387 if (err != 0)
1379 goto out; 1388 goto out;
@@ -1399,6 +1408,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
1399 int err; 1408 int err;
1400 1409
1401 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1410 audit_info.loginuid = NETLINK_CB(skb).loginuid;
1411 audit_info.sessionid = NETLINK_CB(skb).sessionid;
1402 audit_info.secid = NETLINK_CB(skb).sid; 1412 audit_info.secid = NETLINK_CB(skb).sid;
1403 err = xfrm_state_flush(p->proto, &audit_info); 1413 err = xfrm_state_flush(p->proto, &audit_info);
1404 if (err) 1414 if (err)
@@ -1546,6 +1556,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1546 return err; 1556 return err;
1547 1557
1548 audit_info.loginuid = NETLINK_CB(skb).loginuid; 1558 audit_info.loginuid = NETLINK_CB(skb).loginuid;
1559 audit_info.sessionid = NETLINK_CB(skb).sessionid;
1549 audit_info.secid = NETLINK_CB(skb).sid; 1560 audit_info.secid = NETLINK_CB(skb).sid;
1550 err = xfrm_policy_flush(type, &audit_info); 1561 err = xfrm_policy_flush(type, &audit_info);
1551 if (err) 1562 if (err)
@@ -1604,9 +1615,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1604 read_unlock(&xp->lock); 1615 read_unlock(&xp->lock);
1605 err = 0; 1616 err = 0;
1606 if (up->hard) { 1617 if (up->hard) {
1618 uid_t loginuid = NETLINK_CB(skb).loginuid;
1619 uid_t sessionid = NETLINK_CB(skb).sessionid;
1620 u32 sid = NETLINK_CB(skb).sid;
1607 xfrm_policy_delete(xp, p->dir); 1621 xfrm_policy_delete(xp, p->dir);
1608 xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid, 1622 xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);
1609 NETLINK_CB(skb).sid);
1610 1623
1611 } else { 1624 } else {
1612 // reset the timers here? 1625 // reset the timers here?
@@ -1640,9 +1653,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1640 km_state_expired(x, ue->hard, current->pid); 1653 km_state_expired(x, ue->hard, current->pid);
1641 1654
1642 if (ue->hard) { 1655 if (ue->hard) {
1656 uid_t loginuid = NETLINK_CB(skb).loginuid;
1657 uid_t sessionid = NETLINK_CB(skb).sessionid;
1658 u32 sid = NETLINK_CB(skb).sid;
1643 __xfrm_state_delete(x); 1659 __xfrm_state_delete(x);
1644 xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid, 1660 xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
1645 NETLINK_CB(skb).sid);
1646 } 1661 }
1647 err = 0; 1662 err = 0;
1648out: 1663out:
generated by cgit v1.2.2 (git 2.25.0) at 2026-01-10 05:49:58 -0500