diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2008-04-29 14:41:22 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-04-29 14:41:22 -0400 |
| commit | 9781db7b345b5dfe93787aaaf310c861db7c1ede (patch) | |
| tree | d9796e29fd914ca04835636be95bbd5082a034fd /net | |
| parent | 97094dcf5cefc8ccfdf93839f54dac2c4d316165 (diff) | |
| parent | 8b67dca9420474623709e00d72a066068a502b20 (diff) | |
Merge branch 'audit.b50' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b50' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
[PATCH] new predicate - AUDIT_FILETYPE
[patch 2/2] Use find_task_by_vpid in audit code
[patch 1/2] audit: let userspace fully control TTY input auditing
[PATCH 2/2] audit: fix sparse shadowed variable warnings
[PATCH 1/2] audit: move extern declarations to audit.h
Audit: MAINTAINERS update
Audit: increase the maximum length of the key field
Audit: standardize string audit interfaces
Audit: stop deadlock from signals under load
Audit: save audit_backlog_limit audit messages in case auditd comes back
Audit: collect sessionid in netlink messages
Audit: end printk with newline
Diffstat (limited to 'net')
| -rw-r--r-- | net/key/af_key.c | 17 | ||||
| -rw-r--r-- | net/netlabel/netlabel_unlabeled.c | 1 | ||||
| -rw-r--r-- | net/netlabel/netlabel_user.c | 4 | ||||
| -rw-r--r-- | net/netlabel/netlabel_user.h | 1 | ||||
| -rw-r--r-- | net/netlink/af_netlink.c | 1 | ||||
| -rw-r--r-- | net/xfrm/xfrm_policy.c | 12 | ||||
| -rw-r--r-- | net/xfrm/xfrm_state.c | 13 | ||||
| -rw-r--r-- | net/xfrm/xfrm_user.c | 41 |
8 files changed, 62 insertions, 28 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index 2403a31fe0f6..9e7236ff6bcc 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c | |||
| @@ -1498,7 +1498,8 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, | |||
| 1498 | err = xfrm_state_update(x); | 1498 | err = xfrm_state_update(x); |
| 1499 | 1499 | ||
| 1500 | xfrm_audit_state_add(x, err ? 0 : 1, | 1500 | xfrm_audit_state_add(x, err ? 0 : 1, |
| 1501 | audit_get_loginuid(current), 0); | 1501 | audit_get_loginuid(current), |
| 1502 | audit_get_sessionid(current), 0); | ||
| 1502 | 1503 | ||
| 1503 | if (err < 0) { | 1504 | if (err < 0) { |
| 1504 | x->km.state = XFRM_STATE_DEAD; | 1505 | x->km.state = XFRM_STATE_DEAD; |
| @@ -1552,7 +1553,8 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
| 1552 | km_state_notify(x, &c); | 1553 | km_state_notify(x, &c); |
| 1553 | out: | 1554 | out: |
| 1554 | xfrm_audit_state_delete(x, err ? 0 : 1, | 1555 | xfrm_audit_state_delete(x, err ? 0 : 1, |
| 1555 | audit_get_loginuid(current), 0); | 1556 | audit_get_loginuid(current), |
| 1557 | audit_get_sessionid(current), 0); | ||
| 1556 | xfrm_state_put(x); | 1558 | xfrm_state_put(x); |
| 1557 | 1559 | ||
| 1558 | return err; | 1560 | return err; |
| @@ -1728,6 +1730,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd | |||
| 1728 | return -EINVAL; | 1730 | return -EINVAL; |
| 1729 | 1731 | ||
| 1730 | audit_info.loginuid = audit_get_loginuid(current); | 1732 | audit_info.loginuid = audit_get_loginuid(current); |
| 1733 | audit_info.sessionid = audit_get_sessionid(current); | ||
| 1731 | audit_info.secid = 0; | 1734 | audit_info.secid = 0; |
| 1732 | err = xfrm_state_flush(proto, &audit_info); | 1735 | err = xfrm_state_flush(proto, &audit_info); |
| 1733 | if (err) | 1736 | if (err) |
| @@ -2324,7 +2327,8 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
| 2324 | hdr->sadb_msg_type != SADB_X_SPDUPDATE); | 2327 | hdr->sadb_msg_type != SADB_X_SPDUPDATE); |
| 2325 | 2328 | ||
| 2326 | xfrm_audit_policy_add(xp, err ? 0 : 1, | 2329 | xfrm_audit_policy_add(xp, err ? 0 : 1, |
| 2327 | audit_get_loginuid(current), 0); | 2330 | audit_get_loginuid(current), |
| 2331 | audit_get_sessionid(current), 0); | ||
| 2328 | 2332 | ||
| 2329 | if (err) | 2333 | if (err) |
| 2330 | goto out; | 2334 | goto out; |
| @@ -2406,7 +2410,8 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg | |||
| 2406 | return -ENOENT; | 2410 | return -ENOENT; |
| 2407 | 2411 | ||
| 2408 | xfrm_audit_policy_delete(xp, err ? 0 : 1, | 2412 | xfrm_audit_policy_delete(xp, err ? 0 : 1, |
| 2409 | audit_get_loginuid(current), 0); | 2413 | audit_get_loginuid(current), |
| 2414 | audit_get_sessionid(current), 0); | ||
| 2410 | 2415 | ||
| 2411 | if (err) | 2416 | if (err) |
| 2412 | goto out; | 2417 | goto out; |
| @@ -2667,7 +2672,8 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
| 2667 | 2672 | ||
| 2668 | if (delete) { | 2673 | if (delete) { |
| 2669 | xfrm_audit_policy_delete(xp, err ? 0 : 1, | 2674 | xfrm_audit_policy_delete(xp, err ? 0 : 1, |
| 2670 | audit_get_loginuid(current), 0); | 2675 | audit_get_loginuid(current), |
| 2676 | audit_get_sessionid(current), 0); | ||
| 2671 | 2677 | ||
| 2672 | if (err) | 2678 | if (err) |
| 2673 | goto out; | 2679 | goto out; |
| @@ -2767,6 +2773,7 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg | |||
| 2767 | int err; | 2773 | int err; |
| 2768 | 2774 | ||
| 2769 | audit_info.loginuid = audit_get_loginuid(current); | 2775 | audit_info.loginuid = audit_get_loginuid(current); |
| 2776 | audit_info.sessionid = audit_get_sessionid(current); | ||
| 2770 | audit_info.secid = 0; | 2777 | audit_info.secid = 0; |
| 2771 | err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info); | 2778 | err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info); |
| 2772 | if (err) | 2779 | if (err) |
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index d282ad1570a7..0099da5b2591 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c | |||
| @@ -1780,6 +1780,7 @@ int __init netlbl_unlabel_defconf(void) | |||
| 1780 | * messages so don't worry to much about these values. */ | 1780 | * messages so don't worry to much about these values. */ |
| 1781 | security_task_getsecid(current, &audit_info.secid); | 1781 | security_task_getsecid(current, &audit_info.secid); |
| 1782 | audit_info.loginuid = 0; | 1782 | audit_info.loginuid = 0; |
| 1783 | audit_info.sessionid = 0; | ||
| 1783 | 1784 | ||
| 1784 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); | 1785 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
| 1785 | if (entry == NULL) | 1786 | if (entry == NULL) |
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index b17d4203806e..68706b4e3bf8 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c | |||
| @@ -107,7 +107,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, | |||
| 107 | if (audit_buf == NULL) | 107 | if (audit_buf == NULL) |
| 108 | return NULL; | 108 | return NULL; |
| 109 | 109 | ||
| 110 | audit_log_format(audit_buf, "netlabel: auid=%u", audit_info->loginuid); | 110 | audit_log_format(audit_buf, "netlabel: auid=%u ses=%u", |
| 111 | audit_info->loginuid, | ||
| 112 | audit_info->sessionid); | ||
| 111 | 113 | ||
| 112 | if (audit_info->secid != 0 && | 114 | if (audit_info->secid != 0 && |
| 113 | security_secid_to_secctx(audit_info->secid, | 115 | security_secid_to_secctx(audit_info->secid, |
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index 6d7f4ab46c2b..6caef8b20611 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h | |||
| @@ -51,6 +51,7 @@ static inline void netlbl_netlink_auditinfo(struct sk_buff *skb, | |||
| 51 | { | 51 | { |
| 52 | audit_info->secid = NETLINK_CB(skb).sid; | 52 | audit_info->secid = NETLINK_CB(skb).sid; |
| 53 | audit_info->loginuid = NETLINK_CB(skb).loginuid; | 53 | audit_info->loginuid = NETLINK_CB(skb).loginuid; |
| 54 | audit_info->sessionid = NETLINK_CB(skb).sessionid; | ||
| 54 | } | 55 | } |
| 55 | 56 | ||
| 56 | /* NetLabel NETLINK I/O functions */ | 57 | /* NetLabel NETLINK I/O functions */ |
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 46f3e44bb83a..9b97f8006c9c 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c | |||
| @@ -1248,6 +1248,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock, | |||
| 1248 | NETLINK_CB(skb).pid = nlk->pid; | 1248 | NETLINK_CB(skb).pid = nlk->pid; |
| 1249 | NETLINK_CB(skb).dst_group = dst_group; | 1249 | NETLINK_CB(skb).dst_group = dst_group; |
| 1250 | NETLINK_CB(skb).loginuid = audit_get_loginuid(current); | 1250 | NETLINK_CB(skb).loginuid = audit_get_loginuid(current); |
| 1251 | NETLINK_CB(skb).sessionid = audit_get_sessionid(current); | ||
| 1251 | security_task_getsecid(current, &(NETLINK_CB(skb).sid)); | 1252 | security_task_getsecid(current, &(NETLINK_CB(skb).sid)); |
| 1252 | memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred)); | 1253 | memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred)); |
| 1253 | 1254 | ||
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index e0c0390613c0..cae9fd815543 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
| @@ -762,6 +762,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) | |||
| 762 | if (err) { | 762 | if (err) { |
| 763 | xfrm_audit_policy_delete(pol, 0, | 763 | xfrm_audit_policy_delete(pol, 0, |
| 764 | audit_info->loginuid, | 764 | audit_info->loginuid, |
| 765 | audit_info->sessionid, | ||
| 765 | audit_info->secid); | 766 | audit_info->secid); |
| 766 | return err; | 767 | return err; |
| 767 | } | 768 | } |
| @@ -777,6 +778,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) | |||
| 777 | if (err) { | 778 | if (err) { |
| 778 | xfrm_audit_policy_delete(pol, 0, | 779 | xfrm_audit_policy_delete(pol, 0, |
| 779 | audit_info->loginuid, | 780 | audit_info->loginuid, |
| 781 | audit_info->sessionid, | ||
| 780 | audit_info->secid); | 782 | audit_info->secid); |
| 781 | return err; | 783 | return err; |
| 782 | } | 784 | } |
| @@ -819,6 +821,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) | |||
| 819 | write_unlock_bh(&xfrm_policy_lock); | 821 | write_unlock_bh(&xfrm_policy_lock); |
| 820 | 822 | ||
| 821 | xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, | 823 | xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, |
| 824 | audit_info->sessionid, | ||
| 822 | audit_info->secid); | 825 | audit_info->secid); |
| 823 | 826 | ||
| 824 | xfrm_policy_kill(pol); | 827 | xfrm_policy_kill(pol); |
| @@ -841,6 +844,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) | |||
| 841 | 844 | ||
| 842 | xfrm_audit_policy_delete(pol, 1, | 845 | xfrm_audit_policy_delete(pol, 1, |
| 843 | audit_info->loginuid, | 846 | audit_info->loginuid, |
| 847 | audit_info->sessionid, | ||
| 844 | audit_info->secid); | 848 | audit_info->secid); |
| 845 | xfrm_policy_kill(pol); | 849 | xfrm_policy_kill(pol); |
| 846 | killed++; | 850 | killed++; |
| @@ -2472,14 +2476,14 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, | |||
| 2472 | } | 2476 | } |
| 2473 | 2477 | ||
| 2474 | void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, | 2478 | void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, |
| 2475 | u32 auid, u32 secid) | 2479 | uid_t auid, u32 sessionid, u32 secid) |
| 2476 | { | 2480 | { |
| 2477 | struct audit_buffer *audit_buf; | 2481 | struct audit_buffer *audit_buf; |
| 2478 | 2482 | ||
| 2479 | audit_buf = xfrm_audit_start("SPD-add"); | 2483 | audit_buf = xfrm_audit_start("SPD-add"); |
| 2480 | if (audit_buf == NULL) | 2484 | if (audit_buf == NULL) |
| 2481 | return; | 2485 | return; |
| 2482 | xfrm_audit_helper_usrinfo(auid, secid, audit_buf); | 2486 | xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); |
| 2483 | audit_log_format(audit_buf, " res=%u", result); | 2487 | audit_log_format(audit_buf, " res=%u", result); |
| 2484 | xfrm_audit_common_policyinfo(xp, audit_buf); | 2488 | xfrm_audit_common_policyinfo(xp, audit_buf); |
| 2485 | audit_log_end(audit_buf); | 2489 | audit_log_end(audit_buf); |
| @@ -2487,14 +2491,14 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, | |||
| 2487 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); | 2491 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); |
| 2488 | 2492 | ||
| 2489 | void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, | 2493 | void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, |
| 2490 | u32 auid, u32 secid) | 2494 | uid_t auid, u32 sessionid, u32 secid) |
| 2491 | { | 2495 | { |
| 2492 | struct audit_buffer *audit_buf; | 2496 | struct audit_buffer *audit_buf; |
| 2493 | 2497 | ||
| 2494 | audit_buf = xfrm_audit_start("SPD-delete"); | 2498 | audit_buf = xfrm_audit_start("SPD-delete"); |
| 2495 | if (audit_buf == NULL) | 2499 | if (audit_buf == NULL) |
| 2496 | return; | 2500 | return; |
| 2497 | xfrm_audit_helper_usrinfo(auid, secid, audit_buf); | 2501 | xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); |
| 2498 | audit_log_format(audit_buf, " res=%u", result); | 2502 | audit_log_format(audit_buf, " res=%u", result); |
| 2499 | xfrm_audit_common_policyinfo(xp, audit_buf); | 2503 | xfrm_audit_common_policyinfo(xp, audit_buf); |
| 2500 | audit_log_end(audit_buf); | 2504 | audit_log_end(audit_buf); |
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index fac27ce770d5..72fddafd891a 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c | |||
| @@ -496,7 +496,8 @@ expired: | |||
| 496 | km_state_expired(x, 1, 0); | 496 | km_state_expired(x, 1, 0); |
| 497 | 497 | ||
| 498 | xfrm_audit_state_delete(x, err ? 0 : 1, | 498 | xfrm_audit_state_delete(x, err ? 0 : 1, |
| 499 | audit_get_loginuid(current), 0); | 499 | audit_get_loginuid(current), |
| 500 | audit_get_sessionid(current), 0); | ||
| 500 | 501 | ||
| 501 | out: | 502 | out: |
| 502 | spin_unlock(&x->lock); | 503 | spin_unlock(&x->lock); |
| @@ -603,6 +604,7 @@ xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info) | |||
| 603 | (err = security_xfrm_state_delete(x)) != 0) { | 604 | (err = security_xfrm_state_delete(x)) != 0) { |
| 604 | xfrm_audit_state_delete(x, 0, | 605 | xfrm_audit_state_delete(x, 0, |
| 605 | audit_info->loginuid, | 606 | audit_info->loginuid, |
| 607 | audit_info->sessionid, | ||
| 606 | audit_info->secid); | 608 | audit_info->secid); |
| 607 | return err; | 609 | return err; |
| 608 | } | 610 | } |
| @@ -641,6 +643,7 @@ restart: | |||
| 641 | err = xfrm_state_delete(x); | 643 | err = xfrm_state_delete(x); |
| 642 | xfrm_audit_state_delete(x, err ? 0 : 1, | 644 | xfrm_audit_state_delete(x, err ? 0 : 1, |
| 643 | audit_info->loginuid, | 645 | audit_info->loginuid, |
| 646 | audit_info->sessionid, | ||
| 644 | audit_info->secid); | 647 | audit_info->secid); |
| 645 | xfrm_state_put(x); | 648 | xfrm_state_put(x); |
| 646 | 649 | ||
| @@ -2123,14 +2126,14 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family, | |||
| 2123 | } | 2126 | } |
| 2124 | 2127 | ||
| 2125 | void xfrm_audit_state_add(struct xfrm_state *x, int result, | 2128 | void xfrm_audit_state_add(struct xfrm_state *x, int result, |
| 2126 | u32 auid, u32 secid) | 2129 | uid_t auid, u32 sessionid, u32 secid) |
| 2127 | { | 2130 | { |
| 2128 | struct audit_buffer *audit_buf; | 2131 | struct audit_buffer *audit_buf; |
| 2129 | 2132 | ||
| 2130 | audit_buf = xfrm_audit_start("SAD-add"); | 2133 | audit_buf = xfrm_audit_start("SAD-add"); |
| 2131 | if (audit_buf == NULL) | 2134 | if (audit_buf == NULL) |
| 2132 | return; | 2135 | return; |
| 2133 | xfrm_audit_helper_usrinfo(auid, secid, audit_buf); | 2136 | xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); |
| 2134 | xfrm_audit_helper_sainfo(x, audit_buf); | 2137 | xfrm_audit_helper_sainfo(x, audit_buf); |
| 2135 | audit_log_format(audit_buf, " res=%u", result); | 2138 | audit_log_format(audit_buf, " res=%u", result); |
| 2136 | audit_log_end(audit_buf); | 2139 | audit_log_end(audit_buf); |
| @@ -2138,14 +2141,14 @@ void xfrm_audit_state_add(struct xfrm_state *x, int result, | |||
| 2138 | EXPORT_SYMBOL_GPL(xfrm_audit_state_add); | 2141 | EXPORT_SYMBOL_GPL(xfrm_audit_state_add); |
| 2139 | 2142 | ||
| 2140 | void xfrm_audit_state_delete(struct xfrm_state *x, int result, | 2143 | void xfrm_audit_state_delete(struct xfrm_state *x, int result, |
| 2141 | u32 auid, u32 secid) | 2144 | uid_t auid, u32 sessionid, u32 secid) |
| 2142 | { | 2145 | { |
| 2143 | struct audit_buffer *audit_buf; | 2146 | struct audit_buffer *audit_buf; |
| 2144 | 2147 | ||
| 2145 | audit_buf = xfrm_audit_start("SAD-delete"); | 2148 | audit_buf = xfrm_audit_start("SAD-delete"); |
| 2146 | if (audit_buf == NULL) | 2149 | if (audit_buf == NULL) |
| 2147 | return; | 2150 | return; |
| 2148 | xfrm_audit_helper_usrinfo(auid, secid, audit_buf); | 2151 | xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf); |
| 2149 | xfrm_audit_helper_sainfo(x, audit_buf); | 2152 | xfrm_audit_helper_sainfo(x, audit_buf); |
| 2150 | audit_log_format(audit_buf, " res=%u", result); | 2153 | audit_log_format(audit_buf, " res=%u", result); |
| 2151 | audit_log_end(audit_buf); | 2154 | audit_log_end(audit_buf); |
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 22a30ae582a2..a1b0fbe3ea35 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
| @@ -407,6 +407,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 407 | struct xfrm_state *x; | 407 | struct xfrm_state *x; |
| 408 | int err; | 408 | int err; |
| 409 | struct km_event c; | 409 | struct km_event c; |
| 410 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
| 411 | u32 sessionid = NETLINK_CB(skb).sessionid; | ||
| 412 | u32 sid = NETLINK_CB(skb).sid; | ||
| 410 | 413 | ||
| 411 | err = verify_newsa_info(p, attrs); | 414 | err = verify_newsa_info(p, attrs); |
| 412 | if (err) | 415 | if (err) |
| @@ -422,8 +425,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 422 | else | 425 | else |
| 423 | err = xfrm_state_update(x); | 426 | err = xfrm_state_update(x); |
| 424 | 427 | ||
| 425 | xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, | 428 | xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid); |
| 426 | NETLINK_CB(skb).sid); | ||
| 427 | 429 | ||
| 428 | if (err < 0) { | 430 | if (err < 0) { |
| 429 | x->km.state = XFRM_STATE_DEAD; | 431 | x->km.state = XFRM_STATE_DEAD; |
| @@ -478,6 +480,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 478 | int err = -ESRCH; | 480 | int err = -ESRCH; |
| 479 | struct km_event c; | 481 | struct km_event c; |
| 480 | struct xfrm_usersa_id *p = nlmsg_data(nlh); | 482 | struct xfrm_usersa_id *p = nlmsg_data(nlh); |
| 483 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
| 484 | u32 sessionid = NETLINK_CB(skb).sessionid; | ||
| 485 | u32 sid = NETLINK_CB(skb).sid; | ||
| 481 | 486 | ||
| 482 | x = xfrm_user_state_lookup(p, attrs, &err); | 487 | x = xfrm_user_state_lookup(p, attrs, &err); |
| 483 | if (x == NULL) | 488 | if (x == NULL) |
| @@ -502,8 +507,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 502 | km_state_notify(x, &c); | 507 | km_state_notify(x, &c); |
| 503 | 508 | ||
| 504 | out: | 509 | out: |
| 505 | xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, | 510 | xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid); |
| 506 | NETLINK_CB(skb).sid); | ||
| 507 | xfrm_state_put(x); | 511 | xfrm_state_put(x); |
| 508 | return err; | 512 | return err; |
| 509 | } | 513 | } |
| @@ -1123,6 +1127,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1123 | struct km_event c; | 1127 | struct km_event c; |
| 1124 | int err; | 1128 | int err; |
| 1125 | int excl; | 1129 | int excl; |
| 1130 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
| 1131 | u32 sessionid = NETLINK_CB(skb).sessionid; | ||
| 1132 | u32 sid = NETLINK_CB(skb).sid; | ||
| 1126 | 1133 | ||
| 1127 | err = verify_newpolicy_info(p); | 1134 | err = verify_newpolicy_info(p); |
| 1128 | if (err) | 1135 | if (err) |
| @@ -1141,8 +1148,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1141 | * a type XFRM_MSG_UPDPOLICY - JHS */ | 1148 | * a type XFRM_MSG_UPDPOLICY - JHS */ |
| 1142 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; | 1149 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; |
| 1143 | err = xfrm_policy_insert(p->dir, xp, excl); | 1150 | err = xfrm_policy_insert(p->dir, xp, excl); |
| 1144 | xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid, | 1151 | xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid); |
| 1145 | NETLINK_CB(skb).sid); | ||
| 1146 | 1152 | ||
| 1147 | if (err) { | 1153 | if (err) { |
| 1148 | security_xfrm_policy_free(xp->security); | 1154 | security_xfrm_policy_free(xp->security); |
| @@ -1371,9 +1377,12 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1371 | NETLINK_CB(skb).pid); | 1377 | NETLINK_CB(skb).pid); |
| 1372 | } | 1378 | } |
| 1373 | } else { | 1379 | } else { |
| 1374 | xfrm_audit_policy_delete(xp, err ? 0 : 1, | 1380 | uid_t loginuid = NETLINK_CB(skb).loginuid; |
| 1375 | NETLINK_CB(skb).loginuid, | 1381 | u32 sessionid = NETLINK_CB(skb).sessionid; |
| 1376 | NETLINK_CB(skb).sid); | 1382 | u32 sid = NETLINK_CB(skb).sid; |
| 1383 | |||
| 1384 | xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid, | ||
| 1385 | sid); | ||
| 1377 | 1386 | ||
| 1378 | if (err != 0) | 1387 | if (err != 0) |
| 1379 | goto out; | 1388 | goto out; |
| @@ -1399,6 +1408,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1399 | int err; | 1408 | int err; |
| 1400 | 1409 | ||
| 1401 | audit_info.loginuid = NETLINK_CB(skb).loginuid; | 1410 | audit_info.loginuid = NETLINK_CB(skb).loginuid; |
| 1411 | audit_info.sessionid = NETLINK_CB(skb).sessionid; | ||
| 1402 | audit_info.secid = NETLINK_CB(skb).sid; | 1412 | audit_info.secid = NETLINK_CB(skb).sid; |
| 1403 | err = xfrm_state_flush(p->proto, &audit_info); | 1413 | err = xfrm_state_flush(p->proto, &audit_info); |
| 1404 | if (err) | 1414 | if (err) |
| @@ -1546,6 +1556,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1546 | return err; | 1556 | return err; |
| 1547 | 1557 | ||
| 1548 | audit_info.loginuid = NETLINK_CB(skb).loginuid; | 1558 | audit_info.loginuid = NETLINK_CB(skb).loginuid; |
| 1559 | audit_info.sessionid = NETLINK_CB(skb).sessionid; | ||
| 1549 | audit_info.secid = NETLINK_CB(skb).sid; | 1560 | audit_info.secid = NETLINK_CB(skb).sid; |
| 1550 | err = xfrm_policy_flush(type, &audit_info); | 1561 | err = xfrm_policy_flush(type, &audit_info); |
| 1551 | if (err) | 1562 | if (err) |
| @@ -1604,9 +1615,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1604 | read_unlock(&xp->lock); | 1615 | read_unlock(&xp->lock); |
| 1605 | err = 0; | 1616 | err = 0; |
| 1606 | if (up->hard) { | 1617 | if (up->hard) { |
| 1618 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
| 1619 | uid_t sessionid = NETLINK_CB(skb).sessionid; | ||
| 1620 | u32 sid = NETLINK_CB(skb).sid; | ||
| 1607 | xfrm_policy_delete(xp, p->dir); | 1621 | xfrm_policy_delete(xp, p->dir); |
| 1608 | xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid, | 1622 | xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid); |
| 1609 | NETLINK_CB(skb).sid); | ||
| 1610 | 1623 | ||
| 1611 | } else { | 1624 | } else { |
| 1612 | // reset the timers here? | 1625 | // reset the timers here? |
| @@ -1640,9 +1653,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
| 1640 | km_state_expired(x, ue->hard, current->pid); | 1653 | km_state_expired(x, ue->hard, current->pid); |
| 1641 | 1654 | ||
| 1642 | if (ue->hard) { | 1655 | if (ue->hard) { |
| 1656 | uid_t loginuid = NETLINK_CB(skb).loginuid; | ||
| 1657 | uid_t sessionid = NETLINK_CB(skb).sessionid; | ||
| 1658 | u32 sid = NETLINK_CB(skb).sid; | ||
| 1643 | __xfrm_state_delete(x); | 1659 | __xfrm_state_delete(x); |
| 1644 | xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid, | 1660 | xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid); |
| 1645 | NETLINK_CB(skb).sid); | ||
| 1646 | } | 1661 | } |
| 1647 | err = 0; | 1662 | err = 0; |
| 1648 | out: | 1663 | out: |