2 files changed, 41 insertions, 8 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index d6579df8dadf..9ae740936a65 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -108,10 +108,11 @@
 #define AUDIT_MAC_CIPSOV4_DEL   1408    /* NetLabel: del CIPSOv4 DOI entry */
 #define AUDIT_MAC_MAP_ADD       1409    /* NetLabel: add LSM domain mapping */
 #define AUDIT_MAC_MAP_DEL       1410    /* NetLabel: del LSM domain mapping */
-#define AUDIT_MAC_IPSEC_ADDSA   1411    /* Add a XFRM state */
+#define AUDIT_MAC_IPSEC_ADDSA   1411    /* Not used */
-#define AUDIT_MAC_IPSEC_DELSA   1412    /* Delete a XFRM state */
+#define AUDIT_MAC_IPSEC_DELSA   1412    /* Not used  */
-#define AUDIT_MAC_IPSEC_ADDSPD  1413    /* Add a XFRM policy */
+#define AUDIT_MAC_IPSEC_ADDSPD  1413    /* Not used */
-#define AUDIT_MAC_IPSEC_DELSPD  1414    /* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_DELSPD  1414    /* Not used */
+#define AUDIT_MAC_IPSEC_EVENT   1415    /* Audit an IPSec event */
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG    1799
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index a5f80bfbaaa4..760d2432be6b 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -12,6 +12,7 @@
 #include <linux/ipsec.h>
 #include <linux/in6.h>
 #include <linux/mutex.h>
+#include <linux/audit.h>
 #include <net/sock.h>
 #include <net/dst.h>
@@ -421,15 +422,46 @@ extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
 /* Audit Information */
 struct xfrm_audit
 {
-        uid_t   loginuid;
+        u32     loginuid;
        u32     secid;
 };
 #ifdef CONFIG_AUDITSYSCALL
-extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
+static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
-                    struct xfrm_policy *xp, struct xfrm_state *x);
+{
+        struct audit_buffer *audit_buf = NULL;
+        char *secctx;
+        u32 secctx_len;
+        audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
+                              AUDIT_MAC_IPSEC_EVENT);
+        if (audit_buf == NULL)
+                return NULL;
+        audit_log_format(audit_buf, "auid=%u", auid);
+        if (sid != 0 &&
+            security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
+                audit_log_format(audit_buf, " subj=%s", secctx);
+                security_release_secctx(secctx, secctx_len);
+        } else
+                audit_log_task_context(audit_buf);
+        return audit_buf;
+}
+extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
+                                  u32 auid, u32 sid);
+extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
+                                  u32 auid, u32 sid);
+extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
+                                 u32 auid, u32 sid);
+extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
+                                    u32 auid, u32 sid);
 #else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_policy_add(x, r, a, s)       do { ; } while (0)
+#define xfrm_audit_policy_delete(x, r, a, s)    do { ; } while (0)
+#define xfrm_audit_state_add(x, r, a, s)        do { ; } while (0)
+#define xfrm_audit_state_delete(x, r, a, s)     do { ; } while (0)
 #endif /* CONFIG_AUDITSYSCALL */
 static inline void xfrm_pol_hold(struct xfrm_policy *policy)

diff --git a/include/linux/audit.h b/include/linux/audit.h index d6579df8dadf..9ae740936a65 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -108,10 +108,11 @@
108	#define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */	108	#define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */
109	#define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */	109	#define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */
110	#define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */	110	#define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */
111	#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */	111	#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Not used */
112	#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */	112	#define AUDIT_MAC_IPSEC_DELSA 1412 /* Not used */
113	#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */	113	#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Not used */
114	#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */	114	#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Not used */
		115	#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */
115		116
116	#define AUDIT_FIRST_KERN_ANOM_MSG 1700	117	#define AUDIT_FIRST_KERN_ANOM_MSG 1700
117	#define AUDIT_LAST_KERN_ANOM_MSG 1799	118	#define AUDIT_LAST_KERN_ANOM_MSG 1799


diff --git a/include/net/xfrm.h b/include/net/xfrm.h index a5f80bfbaaa4..760d2432be6b 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h
@@ -12,6 +12,7 @@
12	#include <linux/ipsec.h>	12	#include <linux/ipsec.h>
13	#include <linux/in6.h>	13	#include <linux/in6.h>
14	#include <linux/mutex.h>	14	#include <linux/mutex.h>
		15	#include <linux/audit.h>
15		16
16	#include <net/sock.h>	17	#include <net/sock.h>
17	#include <net/dst.h>	18	#include <net/dst.h>
@@ -421,15 +422,46 @@ extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2];
421	/* Audit Information */	422	/* Audit Information */
422	struct xfrm_audit	423	struct xfrm_audit
423	{	424	{
424	uid_t loginuid;	425	u32 loginuid;
425	u32 secid;	426	u32 secid;
426	};	427	};
427		428
428	#ifdef CONFIG_AUDITSYSCALL	429	#ifdef CONFIG_AUDITSYSCALL
429	extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,	430	static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
430	struct xfrm_policy xp, struct xfrm_state x);	431	{
		432	struct audit_buffer *audit_buf = NULL;
		433	char *secctx;
		434	u32 secctx_len;
		435
		436	audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
		437	AUDIT_MAC_IPSEC_EVENT);
		438	if (audit_buf == NULL)
		439	return NULL;
		440
		441	audit_log_format(audit_buf, "auid=%u", auid);
		442
		443	if (sid != 0 &&
		444	security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
		445	audit_log_format(audit_buf, " subj=%s", secctx);
		446	security_release_secctx(secctx, secctx_len);
		447	} else
		448	audit_log_task_context(audit_buf);
		449	return audit_buf;
		450	}
		451
		452	extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
		453	u32 auid, u32 sid);
		454	extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
		455	u32 auid, u32 sid);
		456	extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
		457	u32 auid, u32 sid);
		458	extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
		459	u32 auid, u32 sid);
431	#else	460	#else
432	#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)	461	#define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0)
		462	#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
		463	#define xfrm_audit_state_add(x, r, a, s) do { ; } while (0)
		464	#define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0)
433	#endif /* CONFIG_AUDITSYSCALL */	465	#endif /* CONFIG_AUDITSYSCALL */
434		466
435	static inline void xfrm_pol_hold(struct xfrm_policy *policy)	467	static inline void xfrm_pol_hold(struct xfrm_policy *policy)