diff options
author | Eric Paris <eparis@redhat.com> | 2007-03-07 19:01:45 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-03-07 19:08:10 -0500 |
commit | 215a2dd3b43e0dc425e81d21de9d961416b1dad4 (patch) | |
tree | 1b59b4ae1b4682d5da10a684a262e67b22a19246 /net | |
parent | ef41aaa0b755f479012341ac11db9ca5b8928d98 (diff) |
[IPSEC]: Add xfrm policy change auditing to pfkey_spdget
pfkey_spdget neither had an LSM security hook nor auditing for the
removal of xfrm_policy structs. The security hook was added when it was
moved into xfrm_policy_byid instead of the callers to that function by
my earlier patch and this patch adds the auditing hooks as well.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Venkat Yekkirala <vyekkirala@trustedcs.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/key/af_key.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index 3542435e9d40..1a2bd5f88b7d 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c | |||
@@ -2537,7 +2537,7 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb, | |||
2537 | static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs) | 2537 | static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs) |
2538 | { | 2538 | { |
2539 | unsigned int dir; | 2539 | unsigned int dir; |
2540 | int err; | 2540 | int err = 0, delete; |
2541 | struct sadb_x_policy *pol; | 2541 | struct sadb_x_policy *pol; |
2542 | struct xfrm_policy *xp; | 2542 | struct xfrm_policy *xp; |
2543 | struct km_event c; | 2543 | struct km_event c; |
@@ -2549,16 +2549,20 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
2549 | if (dir >= XFRM_POLICY_MAX) | 2549 | if (dir >= XFRM_POLICY_MAX) |
2550 | return -EINVAL; | 2550 | return -EINVAL; |
2551 | 2551 | ||
2552 | delete = (hdr->sadb_msg_type == SADB_X_SPDDELETE2); | ||
2552 | xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir, pol->sadb_x_policy_id, | 2553 | xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir, pol->sadb_x_policy_id, |
2553 | hdr->sadb_msg_type == SADB_X_SPDDELETE2, &err); | 2554 | delete, &err); |
2554 | if (xp == NULL) | 2555 | if (xp == NULL) |
2555 | return -ENOENT; | 2556 | return -ENOENT; |
2556 | 2557 | ||
2557 | err = 0; | 2558 | if (delete) { |
2559 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | ||
2560 | AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); | ||
2558 | 2561 | ||
2559 | c.seq = hdr->sadb_msg_seq; | 2562 | if (err) |
2560 | c.pid = hdr->sadb_msg_pid; | 2563 | goto out; |
2561 | if (hdr->sadb_msg_type == SADB_X_SPDDELETE2) { | 2564 | c.seq = hdr->sadb_msg_seq; |
2565 | c.pid = hdr->sadb_msg_pid; | ||
2562 | c.data.byid = 1; | 2566 | c.data.byid = 1; |
2563 | c.event = XFRM_MSG_DELPOLICY; | 2567 | c.event = XFRM_MSG_DELPOLICY; |
2564 | km_policy_notify(xp, dir, &c); | 2568 | km_policy_notify(xp, dir, &c); |
@@ -2566,6 +2570,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
2566 | err = key_pol_get_resp(sk, xp, hdr, dir); | 2570 | err = key_pol_get_resp(sk, xp, hdr, dir); |
2567 | } | 2571 | } |
2568 | 2572 | ||
2573 | out: | ||
2569 | xfrm_pol_put(xp); | 2574 | xfrm_pol_put(xp); |
2570 | return err; | 2575 | return err; |
2571 | } | 2576 | } |