authorEric Paris <eparis@redhat.com>2007-03-07 19:01:45 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2007-03-07 19:08:10 -0500
commit215a2dd3b43e0dc425e81d21de9d961416b1dad4 (patch)
tree1b59b4ae1b4682d5da10a684a262e67b22a19246 /net
parentef41aaa0b755f479012341ac11db9ca5b8928d98 (diff)
[IPSEC]: Add xfrm policy change auditing to pfkey_spdget
pfkey_spdget had neither an LSM security hook nor auditing for the removal of xfrm_policy structs. The security hook was added by my earlier patch, which moved it into xfrm_policy_byid instead of that function's callers; this patch adds the auditing hooks as well. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Venkat Yekkirala <vyekkirala@trustedcs.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/key/af_key.c17
1 files changed, 11 insertions, 6 deletions
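--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2537,7 +2537,7 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb,
 static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
 {
 	unsigned int dir;
-	int err;
+	int err = 0, delete;
 	struct sadb_x_policy *pol;
 	struct xfrm_policy *xp;
 	struct km_event c;
@@ -2549,16 +2549,20 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
 	if (dir >= XFRM_POLICY_MAX)
 		return -EINVAL;
 
+	delete = (hdr->sadb_msg_type == SADB_X_SPDDELETE2);
 	xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir, pol->sadb_x_policy_id,
-			      hdr->sadb_msg_type == SADB_X_SPDDELETE2, &err);
+			      delete, &err);
 	if (xp == NULL)
 		return -ENOENT;
 
-	err = 0;
+	if (delete) {
+		xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+			       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
 
-	c.seq = hdr->sadb_msg_seq;
-	c.pid = hdr->sadb_msg_pid;
-	if (hdr->sadb_msg_type == SADB_X_SPDDELETE2) {
+		if (err)
+			goto out;
+		c.seq = hdr->sadb_msg_seq;
+		c.pid = hdr->sadb_msg_pid;
 		c.data.byid = 1;
 		c.event = XFRM_MSG_DELPOLICY;
 		km_policy_notify(xp, dir, &c);
@@ -2566,6 +2570,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
 		err = key_pol_get_resp(sk, xp, hdr, dir);
 	}
 
+out:
 	xfrm_pol_put(xp);
 	return err;
 }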
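Review bot: A vetoed delete is only audited when xfrm_policy_byid hands back a non-NULL policy with *err set; if it can instead return NULL after its security hook fails (not visible from this hunk), the `return -ENOENT;` at new line 2556 drops both the audit record and the real error code, so a denied SADB_X_SPDDELETE2 would go unlogged and be reported as "not found". If that path is possible, `return err ? err : -ENOENT;` would at least preserve the error; if it is not, a short comment saying so would stop the next reader from asking. The `err ? 0 : 1` result flag also silently depends on `err` staying at its new `= 0` initialiser unless xfrm_policy_byid writes it, which deserves a line above the xfrm_audit_log call such as `/* err is set only when xfrm_policy_byid or its LSM hook failed; audit the attempt either way */`. The `else` branch of pfkey_spdget that handles the plain SPDGET case lies between the second and third hunks, outside this view.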