diff options
| author | Linus Torvalds <torvalds@woody.osdl.org> | 2006-12-07 12:05:15 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.osdl.org> | 2006-12-07 12:05:15 -0500 |
| commit | 2685b267bce34c9b66626cb11664509c32a761a5 (patch) | |
| tree | ce8b4ad47b4a1aa1b0e7634298d63c4cb0ca46c5 /net/xfrm | |
| parent | 4522d58275f124105819723e24e912c8e5bf3cdd (diff) | |
| parent | 272491ef423b6976a230a998b10f46976aa91342 (diff) | |
Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: (48 commits)
[NETFILTER]: Fix non-ANSI func. decl.
[TG3]: Identify Serdes devices more clearly.
[TG3]: Use msleep.
[TG3]: Use netif_msg_*.
[TG3]: Allow partial speed advertisement.
[TG3]: Add TG3_FLG2_IS_NIC flag.
[TG3]: Add 5787F device ID.
[TG3]: Fix Phy loopback.
[WANROUTER]: Kill kmalloc debugging code.
[TCP] inet_twdr_hangman: Delete unnecessary memory barrier().
[NET]: Memory barrier cleanups
[IPSEC]: Fix inetpeer leak in ipv4 xfrm dst entries.
audit: disable ipsec auditing when CONFIG_AUDITSYSCALL=n
audit: Add auditing to ipsec
[IRDA] irlan: Fix compile warning when CONFIG_PROC_FS=n
[IrDA]: Incorrect TTP header reservation
[IrDA]: PXA FIR code device model conversion
[GENETLINK]: Fix misplaced command flags.
[NETLIK]: Add a pointer to the Generic Netlink wiki page.
[IPV6] RAW: Don't release unlocked sock.
...
Diffstat (limited to 'net/xfrm')
| -rw-r--r-- | net/xfrm/xfrm_algo.c | 17 | ||||
| -rw-r--r-- | net/xfrm/xfrm_policy.c | 177 | ||||
| -rw-r--r-- | net/xfrm/xfrm_state.c | 42 | ||||
| -rw-r--r-- | net/xfrm/xfrm_user.c | 33 |
4 files changed, 219 insertions, 50 deletions
diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c index 5a0dbeb6bbe8..6b381fc0383d 100644 --- a/net/xfrm/xfrm_algo.c +++ b/net/xfrm/xfrm_algo.c | |||
| @@ -119,6 +119,23 @@ static struct xfrm_algo_desc aalg_list[] = { | |||
| 119 | .sadb_alg_maxbits = 160 | 119 | .sadb_alg_maxbits = 160 |
| 120 | } | 120 | } |
| 121 | }, | 121 | }, |
| 122 | { | ||
| 123 | .name = "xcbc(aes)", | ||
| 124 | |||
| 125 | .uinfo = { | ||
| 126 | .auth = { | ||
| 127 | .icv_truncbits = 96, | ||
| 128 | .icv_fullbits = 128, | ||
| 129 | } | ||
| 130 | }, | ||
| 131 | |||
| 132 | .desc = { | ||
| 133 | .sadb_alg_id = SADB_X_AALG_AES_XCBC_MAC, | ||
| 134 | .sadb_alg_ivlen = 0, | ||
| 135 | .sadb_alg_minbits = 128, | ||
| 136 | .sadb_alg_maxbits = 128 | ||
| 137 | } | ||
| 138 | }, | ||
| 122 | }; | 139 | }; |
| 123 | 140 | ||
| 124 | static struct xfrm_algo_desc ealg_list[] = { | 141 | static struct xfrm_algo_desc ealg_list[] = { |
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 3f3f563eb4ab..bebd40e5a62e 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
| @@ -25,6 +25,7 @@ | |||
| 25 | #include <linux/cache.h> | 25 | #include <linux/cache.h> |
| 26 | #include <net/xfrm.h> | 26 | #include <net/xfrm.h> |
| 27 | #include <net/ip.h> | 27 | #include <net/ip.h> |
| 28 | #include <linux/audit.h> | ||
| 28 | 29 | ||
| 29 | #include "xfrm_hash.h" | 30 | #include "xfrm_hash.h" |
| 30 | 31 | ||
| @@ -804,7 +805,7 @@ struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete) | |||
| 804 | } | 805 | } |
| 805 | EXPORT_SYMBOL(xfrm_policy_byid); | 806 | EXPORT_SYMBOL(xfrm_policy_byid); |
| 806 | 807 | ||
| 807 | void xfrm_policy_flush(u8 type) | 808 | void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) |
| 808 | { | 809 | { |
| 809 | int dir; | 810 | int dir; |
| 810 | 811 | ||
| @@ -824,6 +825,9 @@ void xfrm_policy_flush(u8 type) | |||
| 824 | hlist_del(&pol->byidx); | 825 | hlist_del(&pol->byidx); |
| 825 | write_unlock_bh(&xfrm_policy_lock); | 826 | write_unlock_bh(&xfrm_policy_lock); |
| 826 | 827 | ||
| 828 | xfrm_audit_log(audit_info->loginuid, audit_info->secid, | ||
| 829 | AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL); | ||
| 830 | |||
| 827 | xfrm_policy_kill(pol); | 831 | xfrm_policy_kill(pol); |
| 828 | killed++; | 832 | killed++; |
| 829 | 833 | ||
| @@ -842,6 +846,11 @@ void xfrm_policy_flush(u8 type) | |||
| 842 | hlist_del(&pol->byidx); | 846 | hlist_del(&pol->byidx); |
| 843 | write_unlock_bh(&xfrm_policy_lock); | 847 | write_unlock_bh(&xfrm_policy_lock); |
| 844 | 848 | ||
| 849 | xfrm_audit_log(audit_info->loginuid, | ||
| 850 | audit_info->secid, | ||
| 851 | AUDIT_MAC_IPSEC_DELSPD, 1, | ||
| 852 | pol, NULL); | ||
| 853 | |||
| 845 | xfrm_policy_kill(pol); | 854 | xfrm_policy_kill(pol); |
| 846 | killed++; | 855 | killed++; |
| 847 | 856 | ||
| @@ -860,33 +869,12 @@ EXPORT_SYMBOL(xfrm_policy_flush); | |||
| 860 | int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*), | 869 | int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*), |
| 861 | void *data) | 870 | void *data) |
| 862 | { | 871 | { |
| 863 | struct xfrm_policy *pol; | 872 | struct xfrm_policy *pol, *last = NULL; |
| 864 | struct hlist_node *entry; | 873 | struct hlist_node *entry; |
| 865 | int dir, count, error; | 874 | int dir, last_dir = 0, count, error; |
| 866 | 875 | ||
| 867 | read_lock_bh(&xfrm_policy_lock); | 876 | read_lock_bh(&xfrm_policy_lock); |
| 868 | count = 0; | 877 | count = 0; |
| 869 | for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) { | ||
| 870 | struct hlist_head *table = xfrm_policy_bydst[dir].table; | ||
| 871 | int i; | ||
| 872 | |||
| 873 | hlist_for_each_entry(pol, entry, | ||
| 874 | &xfrm_policy_inexact[dir], bydst) { | ||
| 875 | if (pol->type == type) | ||
| 876 | count++; | ||
| 877 | } | ||
| 878 | for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) { | ||
| 879 | hlist_for_each_entry(pol, entry, table + i, bydst) { | ||
| 880 | if (pol->type == type) | ||
| 881 | count++; | ||
| 882 | } | ||
| 883 | } | ||
| 884 | } | ||
| 885 | |||
| 886 | if (count == 0) { | ||
| 887 | error = -ENOENT; | ||
| 888 | goto out; | ||
| 889 | } | ||
| 890 | 878 | ||
| 891 | for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) { | 879 | for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) { |
| 892 | struct hlist_head *table = xfrm_policy_bydst[dir].table; | 880 | struct hlist_head *table = xfrm_policy_bydst[dir].table; |
| @@ -896,21 +884,37 @@ int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*) | |||
| 896 | &xfrm_policy_inexact[dir], bydst) { | 884 | &xfrm_policy_inexact[dir], bydst) { |
| 897 | if (pol->type != type) | 885 | if (pol->type != type) |
| 898 | continue; | 886 | continue; |
| 899 | error = func(pol, dir % XFRM_POLICY_MAX, --count, data); | 887 | if (last) { |
| 900 | if (error) | 888 | error = func(last, last_dir % XFRM_POLICY_MAX, |
| 901 | goto out; | 889 | count, data); |
| 890 | if (error) | ||
| 891 | goto out; | ||
| 892 | } | ||
| 893 | last = pol; | ||
| 894 | last_dir = dir; | ||
| 895 | count++; | ||
| 902 | } | 896 | } |
| 903 | for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) { | 897 | for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) { |
| 904 | hlist_for_each_entry(pol, entry, table + i, bydst) { | 898 | hlist_for_each_entry(pol, entry, table + i, bydst) { |
| 905 | if (pol->type != type) | 899 | if (pol->type != type) |
| 906 | continue; | 900 | continue; |
| 907 | error = func(pol, dir % XFRM_POLICY_MAX, --count, data); | 901 | if (last) { |
| 908 | if (error) | 902 | error = func(last, last_dir % XFRM_POLICY_MAX, |
| 909 | goto out; | 903 | count, data); |
| 904 | if (error) | ||
| 905 | goto out; | ||
| 906 | } | ||
| 907 | last = pol; | ||
| 908 | last_dir = dir; | ||
| 909 | count++; | ||
| 910 | } | 910 | } |
| 911 | } | 911 | } |
| 912 | } | 912 | } |
| 913 | error = 0; | 913 | if (count == 0) { |
| 914 | error = -ENOENT; | ||
| 915 | goto out; | ||
| 916 | } | ||
| 917 | error = func(last, last_dir % XFRM_POLICY_MAX, 0, data); | ||
| 914 | out: | 918 | out: |
| 915 | read_unlock_bh(&xfrm_policy_lock); | 919 | read_unlock_bh(&xfrm_policy_lock); |
| 916 | return error; | 920 | return error; |
| @@ -1982,6 +1986,117 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first, | |||
| 1982 | 1986 | ||
| 1983 | EXPORT_SYMBOL(xfrm_bundle_ok); | 1987 | EXPORT_SYMBOL(xfrm_bundle_ok); |
| 1984 | 1988 | ||
| 1989 | #ifdef CONFIG_AUDITSYSCALL | ||
| 1990 | /* Audit addition and deletion of SAs and ipsec policy */ | ||
| 1991 | |||
| 1992 | void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, | ||
| 1993 | struct xfrm_policy *xp, struct xfrm_state *x) | ||
| 1994 | { | ||
| 1995 | |||
| 1996 | char *secctx; | ||
| 1997 | u32 secctx_len; | ||
| 1998 | struct xfrm_sec_ctx *sctx = NULL; | ||
| 1999 | struct audit_buffer *audit_buf; | ||
| 2000 | int family; | ||
| 2001 | extern int audit_enabled; | ||
| 2002 | |||
| 2003 | if (audit_enabled == 0) | ||
| 2004 | return; | ||
| 2005 | |||
| 2006 | audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); | ||
| 2007 | if (audit_buf == NULL) | ||
| 2008 | return; | ||
| 2009 | |||
| 2010 | switch(type) { | ||
| 2011 | case AUDIT_MAC_IPSEC_ADDSA: | ||
| 2012 | audit_log_format(audit_buf, "SAD add: auid=%u", auid); | ||
| 2013 | break; | ||
| 2014 | case AUDIT_MAC_IPSEC_DELSA: | ||
| 2015 | audit_log_format(audit_buf, "SAD delete: auid=%u", auid); | ||
| 2016 | break; | ||
| 2017 | case AUDIT_MAC_IPSEC_ADDSPD: | ||
| 2018 | audit_log_format(audit_buf, "SPD add: auid=%u", auid); | ||
| 2019 | break; | ||
| 2020 | case AUDIT_MAC_IPSEC_DELSPD: | ||
| 2021 | audit_log_format(audit_buf, "SPD delete: auid=%u", auid); | ||
| 2022 | break; | ||
| 2023 | default: | ||
| 2024 | return; | ||
| 2025 | } | ||
| 2026 | |||
| 2027 | if (sid != 0 && | ||
| 2028 | security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) | ||
| 2029 | audit_log_format(audit_buf, " subj=%s", secctx); | ||
| 2030 | else | ||
| 2031 | audit_log_task_context(audit_buf); | ||
| 2032 | |||
| 2033 | if (xp) { | ||
| 2034 | family = xp->selector.family; | ||
| 2035 | if (xp->security) | ||
| 2036 | sctx = xp->security; | ||
| 2037 | } else { | ||
| 2038 | family = x->props.family; | ||
| 2039 | if (x->security) | ||
| 2040 | sctx = x->security; | ||
| 2041 | } | ||
| 2042 | |||
| 2043 | if (sctx) | ||
| 2044 | audit_log_format(audit_buf, | ||
| 2045 | " sec_alg=%u sec_doi=%u sec_obj=%s", | ||
| 2046 | sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str); | ||
| 2047 | |||
| 2048 | switch(family) { | ||
| 2049 | case AF_INET: | ||
| 2050 | { | ||
| 2051 | struct in_addr saddr, daddr; | ||
| 2052 | if (xp) { | ||
| 2053 | saddr.s_addr = xp->selector.saddr.a4; | ||
| 2054 | daddr.s_addr = xp->selector.daddr.a4; | ||
| 2055 | } else { | ||
| 2056 | saddr.s_addr = x->props.saddr.a4; | ||
| 2057 | daddr.s_addr = x->id.daddr.a4; | ||
| 2058 | } | ||
| 2059 | audit_log_format(audit_buf, | ||
| 2060 | " src=%u.%u.%u.%u dst=%u.%u.%u.%u", | ||
| 2061 | NIPQUAD(saddr), NIPQUAD(daddr)); | ||
| 2062 | } | ||
| 2063 | break; | ||
| 2064 | case AF_INET6: | ||
| 2065 | { | ||
| 2066 | struct in6_addr saddr6, daddr6; | ||
| 2067 | if (xp) { | ||
| 2068 | memcpy(&saddr6, xp->selector.saddr.a6, | ||
| 2069 | sizeof(struct in6_addr)); | ||
| 2070 | memcpy(&daddr6, xp->selector.daddr.a6, | ||
| 2071 | sizeof(struct in6_addr)); | ||
| 2072 | } else { | ||
| 2073 | memcpy(&saddr6, x->props.saddr.a6, | ||
| 2074 | sizeof(struct in6_addr)); | ||
| 2075 | memcpy(&daddr6, x->id.daddr.a6, | ||
| 2076 | sizeof(struct in6_addr)); | ||
| 2077 | } | ||
| 2078 | audit_log_format(audit_buf, | ||
| 2079 | " src=" NIP6_FMT "dst=" NIP6_FMT, | ||
| 2080 | NIP6(saddr6), NIP6(daddr6)); | ||
| 2081 | } | ||
| 2082 | break; | ||
| 2083 | } | ||
| 2084 | |||
| 2085 | if (x) | ||
| 2086 | audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s", | ||
| 2087 | (unsigned long)ntohl(x->id.spi), | ||
| 2088 | (unsigned long)ntohl(x->id.spi), | ||
| 2089 | x->id.proto == IPPROTO_AH ? "AH" : | ||
| 2090 | (x->id.proto == IPPROTO_ESP ? | ||
| 2091 | "ESP" : "IPCOMP")); | ||
| 2092 | |||
| 2093 | audit_log_format(audit_buf, " res=%u", result); | ||
| 2094 | audit_log_end(audit_buf); | ||
| 2095 | } | ||
| 2096 | |||
| 2097 | EXPORT_SYMBOL(xfrm_audit_log); | ||
| 2098 | #endif /* CONFIG_AUDITSYSCALL */ | ||
| 2099 | |||
| 1985 | int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) | 2100 | int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) |
| 1986 | { | 2101 | { |
| 1987 | int err = 0; | 2102 | int err = 0; |
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index da54a64ccfa3..fdb08d9f34aa 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c | |||
| @@ -20,6 +20,7 @@ | |||
| 20 | #include <linux/module.h> | 20 | #include <linux/module.h> |
| 21 | #include <linux/cache.h> | 21 | #include <linux/cache.h> |
| 22 | #include <asm/uaccess.h> | 22 | #include <asm/uaccess.h> |
| 23 | #include <linux/audit.h> | ||
| 23 | 24 | ||
| 24 | #include "xfrm_hash.h" | 25 | #include "xfrm_hash.h" |
| 25 | 26 | ||
| @@ -238,6 +239,7 @@ static void xfrm_timer_handler(unsigned long data) | |||
| 238 | unsigned long now = (unsigned long)xtime.tv_sec; | 239 | unsigned long now = (unsigned long)xtime.tv_sec; |
| 239 | long next = LONG_MAX; | 240 | long next = LONG_MAX; |
| 240 | int warn = 0; | 241 | int warn = 0; |
| 242 | int err = 0; | ||
| 241 | 243 | ||
| 242 | spin_lock(&x->lock); | 244 | spin_lock(&x->lock); |
| 243 | if (x->km.state == XFRM_STATE_DEAD) | 245 | if (x->km.state == XFRM_STATE_DEAD) |
| @@ -295,9 +297,14 @@ expired: | |||
| 295 | next = 2; | 297 | next = 2; |
| 296 | goto resched; | 298 | goto resched; |
| 297 | } | 299 | } |
| 298 | if (!__xfrm_state_delete(x) && x->id.spi) | 300 | |
| 301 | err = __xfrm_state_delete(x); | ||
| 302 | if (!err && x->id.spi) | ||
| 299 | km_state_expired(x, 1, 0); | 303 | km_state_expired(x, 1, 0); |
| 300 | 304 | ||
| 305 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | ||
| 306 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | ||
| 307 | |||
| 301 | out: | 308 | out: |
| 302 | spin_unlock(&x->lock); | 309 | spin_unlock(&x->lock); |
| 303 | } | 310 | } |
| @@ -384,9 +391,10 @@ int xfrm_state_delete(struct xfrm_state *x) | |||
| 384 | } | 391 | } |
| 385 | EXPORT_SYMBOL(xfrm_state_delete); | 392 | EXPORT_SYMBOL(xfrm_state_delete); |
| 386 | 393 | ||
| 387 | void xfrm_state_flush(u8 proto) | 394 | void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info) |
| 388 | { | 395 | { |
| 389 | int i; | 396 | int i; |
| 397 | int err = 0; | ||
| 390 | 398 | ||
| 391 | spin_lock_bh(&xfrm_state_lock); | 399 | spin_lock_bh(&xfrm_state_lock); |
| 392 | for (i = 0; i <= xfrm_state_hmask; i++) { | 400 | for (i = 0; i <= xfrm_state_hmask; i++) { |
| @@ -399,7 +407,11 @@ restart: | |||
| 399 | xfrm_state_hold(x); | 407 | xfrm_state_hold(x); |
| 400 | spin_unlock_bh(&xfrm_state_lock); | 408 | spin_unlock_bh(&xfrm_state_lock); |
| 401 | 409 | ||
| 402 | xfrm_state_delete(x); | 410 | err = xfrm_state_delete(x); |
| 411 | xfrm_audit_log(audit_info->loginuid, | ||
| 412 | audit_info->secid, | ||
| 413 | AUDIT_MAC_IPSEC_DELSA, | ||
| 414 | err ? 0 : 1, NULL, x); | ||
| 403 | xfrm_state_put(x); | 415 | xfrm_state_put(x); |
| 404 | 416 | ||
| 405 | spin_lock_bh(&xfrm_state_lock); | 417 | spin_lock_bh(&xfrm_state_lock); |
| @@ -1099,7 +1111,7 @@ int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), | |||
| 1099 | void *data) | 1111 | void *data) |
| 1100 | { | 1112 | { |
| 1101 | int i; | 1113 | int i; |
| 1102 | struct xfrm_state *x; | 1114 | struct xfrm_state *x, *last = NULL; |
| 1103 | struct hlist_node *entry; | 1115 | struct hlist_node *entry; |
| 1104 | int count = 0; | 1116 | int count = 0; |
| 1105 | int err = 0; | 1117 | int err = 0; |
| @@ -1107,24 +1119,22 @@ int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), | |||
| 1107 | spin_lock_bh(&xfrm_state_lock); | 1119 | spin_lock_bh(&xfrm_state_lock); |
| 1108 | for (i = 0; i <= xfrm_state_hmask; i++) { | 1120 | for (i = 0; i <= xfrm_state_hmask; i++) { |
| 1109 | hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { | 1121 | hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { |
| 1110 | if (xfrm_id_proto_match(x->id.proto, proto)) | 1122 | if (!xfrm_id_proto_match(x->id.proto, proto)) |
| 1111 | count++; | 1123 | continue; |
| 1124 | if (last) { | ||
| 1125 | err = func(last, count, data); | ||
| 1126 | if (err) | ||
| 1127 | goto out; | ||
| 1128 | } | ||
| 1129 | last = x; | ||
| 1130 | count++; | ||
| 1112 | } | 1131 | } |
| 1113 | } | 1132 | } |
| 1114 | if (count == 0) { | 1133 | if (count == 0) { |
| 1115 | err = -ENOENT; | 1134 | err = -ENOENT; |
| 1116 | goto out; | 1135 | goto out; |
| 1117 | } | 1136 | } |
| 1118 | 1137 | err = func(last, 0, data); | |
| 1119 | for (i = 0; i <= xfrm_state_hmask; i++) { | ||
| 1120 | hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { | ||
| 1121 | if (!xfrm_id_proto_match(x->id.proto, proto)) | ||
| 1122 | continue; | ||
| 1123 | err = func(x, --count, data); | ||
| 1124 | if (err) | ||
| 1125 | goto out; | ||
| 1126 | } | ||
| 1127 | } | ||
| 1128 | out: | 1138 | out: |
| 1129 | spin_unlock_bh(&xfrm_state_lock); | 1139 | spin_unlock_bh(&xfrm_state_lock); |
| 1130 | return err; | 1140 | return err; |
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 311205ffa775..e5372b11fc8f 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
| @@ -31,6 +31,7 @@ | |||
| 31 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 31 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| 32 | #include <linux/in6.h> | 32 | #include <linux/in6.h> |
| 33 | #endif | 33 | #endif |
| 34 | #include <linux/audit.h> | ||
| 34 | 35 | ||
| 35 | static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) | 36 | static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) |
| 36 | { | 37 | { |
| @@ -454,6 +455,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) | |||
| 454 | else | 455 | else |
| 455 | err = xfrm_state_update(x); | 456 | err = xfrm_state_update(x); |
| 456 | 457 | ||
| 458 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 459 | AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); | ||
| 460 | |||
| 457 | if (err < 0) { | 461 | if (err < 0) { |
| 458 | x->km.state = XFRM_STATE_DEAD; | 462 | x->km.state = XFRM_STATE_DEAD; |
| 459 | __xfrm_state_put(x); | 463 | __xfrm_state_put(x); |
| @@ -523,6 +527,10 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) | |||
| 523 | } | 527 | } |
| 524 | 528 | ||
| 525 | err = xfrm_state_delete(x); | 529 | err = xfrm_state_delete(x); |
| 530 | |||
| 531 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 532 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | ||
| 533 | |||
| 526 | if (err < 0) | 534 | if (err < 0) |
| 527 | goto out; | 535 | goto out; |
| 528 | 536 | ||
| @@ -1030,6 +1038,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr | |||
| 1030 | * a type XFRM_MSG_UPDPOLICY - JHS */ | 1038 | * a type XFRM_MSG_UPDPOLICY - JHS */ |
| 1031 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; | 1039 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; |
| 1032 | err = xfrm_policy_insert(p->dir, xp, excl); | 1040 | err = xfrm_policy_insert(p->dir, xp, excl); |
| 1041 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 1042 | AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); | ||
| 1043 | |||
| 1033 | if (err) { | 1044 | if (err) { |
| 1034 | security_xfrm_policy_free(xp); | 1045 | security_xfrm_policy_free(xp); |
| 1035 | kfree(xp); | 1046 | kfree(xp); |
| @@ -1257,6 +1268,10 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr | |||
| 1257 | xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete); | 1268 | xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete); |
| 1258 | security_xfrm_policy_free(&tmp); | 1269 | security_xfrm_policy_free(&tmp); |
| 1259 | } | 1270 | } |
| 1271 | if (delete) | ||
| 1272 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 1273 | AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL); | ||
| 1274 | |||
| 1260 | if (xp == NULL) | 1275 | if (xp == NULL) |
| 1261 | return -ENOENT; | 1276 | return -ENOENT; |
| 1262 | 1277 | ||
| @@ -1291,8 +1306,11 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma | |||
| 1291 | { | 1306 | { |
| 1292 | struct km_event c; | 1307 | struct km_event c; |
| 1293 | struct xfrm_usersa_flush *p = NLMSG_DATA(nlh); | 1308 | struct xfrm_usersa_flush *p = NLMSG_DATA(nlh); |
| 1309 | struct xfrm_audit audit_info; | ||
| 1294 | 1310 | ||
| 1295 | xfrm_state_flush(p->proto); | 1311 | audit_info.loginuid = NETLINK_CB(skb).loginuid; |
| 1312 | audit_info.secid = NETLINK_CB(skb).sid; | ||
| 1313 | xfrm_state_flush(p->proto, &audit_info); | ||
| 1296 | c.data.proto = p->proto; | 1314 | c.data.proto = p->proto; |
| 1297 | c.event = nlh->nlmsg_type; | 1315 | c.event = nlh->nlmsg_type; |
| 1298 | c.seq = nlh->nlmsg_seq; | 1316 | c.seq = nlh->nlmsg_seq; |
| @@ -1442,12 +1460,15 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **x | |||
| 1442 | struct km_event c; | 1460 | struct km_event c; |
| 1443 | u8 type = XFRM_POLICY_TYPE_MAIN; | 1461 | u8 type = XFRM_POLICY_TYPE_MAIN; |
| 1444 | int err; | 1462 | int err; |
| 1463 | struct xfrm_audit audit_info; | ||
| 1445 | 1464 | ||
| 1446 | err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma); | 1465 | err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma); |
| 1447 | if (err) | 1466 | if (err) |
| 1448 | return err; | 1467 | return err; |
| 1449 | 1468 | ||
| 1450 | xfrm_policy_flush(type); | 1469 | audit_info.loginuid = NETLINK_CB(skb).loginuid; |
| 1470 | audit_info.secid = NETLINK_CB(skb).sid; | ||
| 1471 | xfrm_policy_flush(type, &audit_info); | ||
| 1451 | c.data.type = type; | 1472 | c.data.type = type; |
| 1452 | c.event = nlh->nlmsg_type; | 1473 | c.event = nlh->nlmsg_type; |
| 1453 | c.seq = nlh->nlmsg_seq; | 1474 | c.seq = nlh->nlmsg_seq; |
| @@ -1502,6 +1523,9 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void * | |||
| 1502 | err = 0; | 1523 | err = 0; |
| 1503 | if (up->hard) { | 1524 | if (up->hard) { |
| 1504 | xfrm_policy_delete(xp, p->dir); | 1525 | xfrm_policy_delete(xp, p->dir); |
| 1526 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 1527 | AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); | ||
| 1528 | |||
| 1505 | } else { | 1529 | } else { |
| 1506 | // reset the timers here? | 1530 | // reset the timers here? |
| 1507 | printk("Dont know what to do with soft policy expire\n"); | 1531 | printk("Dont know what to do with soft policy expire\n"); |
| @@ -1533,8 +1557,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void ** | |||
| 1533 | goto out; | 1557 | goto out; |
| 1534 | km_state_expired(x, ue->hard, current->pid); | 1558 | km_state_expired(x, ue->hard, current->pid); |
| 1535 | 1559 | ||
| 1536 | if (ue->hard) | 1560 | if (ue->hard) { |
| 1537 | __xfrm_state_delete(x); | 1561 | __xfrm_state_delete(x); |
| 1562 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
| 1563 | AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); | ||
| 1564 | } | ||
| 1538 | out: | 1565 | out: |
| 1539 | spin_unlock_bh(&x->lock); | 1566 | spin_unlock_bh(&x->lock); |
| 1540 | xfrm_state_put(x); | 1567 | xfrm_state_put(x); |