aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm/xfrm_policy.c
diff options
context:
space:
mode:
Diffstat (limited to 'net/xfrm/xfrm_policy.c')
-rw-r--r--net/xfrm/xfrm_policy.c120
1 files changed, 119 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 4f04222698d9..47c13649bac1 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -25,6 +25,7 @@
25#include <linux/cache.h> 25#include <linux/cache.h>
26#include <net/xfrm.h> 26#include <net/xfrm.h>
27#include <net/ip.h> 27#include <net/ip.h>
28#include <linux/audit.h>
28 29
29#include "xfrm_hash.h" 30#include "xfrm_hash.h"
30 31
@@ -804,7 +805,7 @@ struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete)
804} 805}
805EXPORT_SYMBOL(xfrm_policy_byid); 806EXPORT_SYMBOL(xfrm_policy_byid);
806 807
807void xfrm_policy_flush(u8 type) 808void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
808{ 809{
809 int dir; 810 int dir;
810 811
@@ -824,6 +825,9 @@ void xfrm_policy_flush(u8 type)
824 hlist_del(&pol->byidx); 825 hlist_del(&pol->byidx);
825 write_unlock_bh(&xfrm_policy_lock); 826 write_unlock_bh(&xfrm_policy_lock);
826 827
828 xfrm_audit_log(audit_info->loginuid, audit_info->secid,
829 AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL);
830
827 xfrm_policy_kill(pol); 831 xfrm_policy_kill(pol);
828 killed++; 832 killed++;
829 833
@@ -842,6 +846,11 @@ void xfrm_policy_flush(u8 type)
842 hlist_del(&pol->byidx); 846 hlist_del(&pol->byidx);
843 write_unlock_bh(&xfrm_policy_lock); 847 write_unlock_bh(&xfrm_policy_lock);
844 848
849 xfrm_audit_log(audit_info->loginuid,
850 audit_info->secid,
851 AUDIT_MAC_IPSEC_DELSPD, 1,
852 pol, NULL);
853
845 xfrm_policy_kill(pol); 854 xfrm_policy_kill(pol);
846 killed++; 855 killed++;
847 856
@@ -1977,6 +1986,115 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
1977 1986
1978EXPORT_SYMBOL(xfrm_bundle_ok); 1987EXPORT_SYMBOL(xfrm_bundle_ok);
1979 1988
1989/* Audit addition and deletion of SAs and ipsec policy */
1990
1991void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
1992 struct xfrm_policy *xp, struct xfrm_state *x)
1993{
1994
1995 char *secctx;
1996 u32 secctx_len;
1997 struct xfrm_sec_ctx *sctx = NULL;
1998 struct audit_buffer *audit_buf;
1999 int family;
2000 extern int audit_enabled;
2001
2002 if (audit_enabled == 0)
2003 return;
2004
2005 audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
2006 if (audit_buf == NULL)
2007 return;
2008
2009 switch(type) {
2010 case AUDIT_MAC_IPSEC_ADDSA:
2011 audit_log_format(audit_buf, "SAD add: auid=%u", auid);
2012 break;
2013 case AUDIT_MAC_IPSEC_DELSA:
2014 audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
2015 break;
2016 case AUDIT_MAC_IPSEC_ADDSPD:
2017 audit_log_format(audit_buf, "SPD add: auid=%u", auid);
2018 break;
2019 case AUDIT_MAC_IPSEC_DELSPD:
2020 audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
2021 break;
2022 default:
2023 return;
2024 }
2025
2026 if (sid != 0 &&
2027 security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
2028 audit_log_format(audit_buf, " subj=%s", secctx);
2029 else
2030 audit_log_task_context(audit_buf);
2031
2032 if (xp) {
2033 family = xp->selector.family;
2034 if (xp->security)
2035 sctx = xp->security;
2036 } else {
2037 family = x->props.family;
2038 if (x->security)
2039 sctx = x->security;
2040 }
2041
2042 if (sctx)
2043 audit_log_format(audit_buf,
2044 " sec_alg=%u sec_doi=%u sec_obj=%s",
2045 sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str);
2046
2047 switch(family) {
2048 case AF_INET:
2049 {
2050 struct in_addr saddr, daddr;
2051 if (xp) {
2052 saddr.s_addr = xp->selector.saddr.a4;
2053 daddr.s_addr = xp->selector.daddr.a4;
2054 } else {
2055 saddr.s_addr = x->props.saddr.a4;
2056 daddr.s_addr = x->id.daddr.a4;
2057 }
2058 audit_log_format(audit_buf,
2059 " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
2060 NIPQUAD(saddr), NIPQUAD(daddr));
2061 }
2062 break;
2063 case AF_INET6:
2064 {
2065 struct in6_addr saddr6, daddr6;
2066 if (xp) {
2067 memcpy(&saddr6, xp->selector.saddr.a6,
2068 sizeof(struct in6_addr));
2069 memcpy(&daddr6, xp->selector.daddr.a6,
2070 sizeof(struct in6_addr));
2071 } else {
2072 memcpy(&saddr6, x->props.saddr.a6,
2073 sizeof(struct in6_addr));
2074 memcpy(&daddr6, x->id.daddr.a6,
2075 sizeof(struct in6_addr));
2076 }
2077 audit_log_format(audit_buf,
2078 " src=" NIP6_FMT "dst=" NIP6_FMT,
2079 NIP6(saddr6), NIP6(daddr6));
2080 }
2081 break;
2082 }
2083
2084 if (x)
2085 audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
2086 (unsigned long)ntohl(x->id.spi),
2087 (unsigned long)ntohl(x->id.spi),
2088 x->id.proto == IPPROTO_AH ? "AH" :
2089 (x->id.proto == IPPROTO_ESP ?
2090 "ESP" : "IPCOMP"));
2091
2092 audit_log_format(audit_buf, " res=%u", result);
2093 audit_log_end(audit_buf);
2094}
2095
2096EXPORT_SYMBOL(xfrm_audit_log);
2097
1980int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) 2098int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
1981{ 2099{
1982 int err = 0; 2100 int err = 0;