diff options
Diffstat (limited to 'net/xfrm/xfrm_policy.c')
-rw-r--r-- | net/xfrm/xfrm_policy.c | 120 |
1 files changed, 119 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 4f04222698d9..47c13649bac1 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
@@ -25,6 +25,7 @@ | |||
25 | #include <linux/cache.h> | 25 | #include <linux/cache.h> |
26 | #include <net/xfrm.h> | 26 | #include <net/xfrm.h> |
27 | #include <net/ip.h> | 27 | #include <net/ip.h> |
28 | #include <linux/audit.h> | ||
28 | 29 | ||
29 | #include "xfrm_hash.h" | 30 | #include "xfrm_hash.h" |
30 | 31 | ||
@@ -804,7 +805,7 @@ struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete) | |||
804 | } | 805 | } |
805 | EXPORT_SYMBOL(xfrm_policy_byid); | 806 | EXPORT_SYMBOL(xfrm_policy_byid); |
806 | 807 | ||
807 | void xfrm_policy_flush(u8 type) | 808 | void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) |
808 | { | 809 | { |
809 | int dir; | 810 | int dir; |
810 | 811 | ||
@@ -824,6 +825,9 @@ void xfrm_policy_flush(u8 type) | |||
824 | hlist_del(&pol->byidx); | 825 | hlist_del(&pol->byidx); |
825 | write_unlock_bh(&xfrm_policy_lock); | 826 | write_unlock_bh(&xfrm_policy_lock); |
826 | 827 | ||
828 | xfrm_audit_log(audit_info->loginuid, audit_info->secid, | ||
829 | AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL); | ||
830 | |||
827 | xfrm_policy_kill(pol); | 831 | xfrm_policy_kill(pol); |
828 | killed++; | 832 | killed++; |
829 | 833 | ||
@@ -842,6 +846,11 @@ void xfrm_policy_flush(u8 type) | |||
842 | hlist_del(&pol->byidx); | 846 | hlist_del(&pol->byidx); |
843 | write_unlock_bh(&xfrm_policy_lock); | 847 | write_unlock_bh(&xfrm_policy_lock); |
844 | 848 | ||
849 | xfrm_audit_log(audit_info->loginuid, | ||
850 | audit_info->secid, | ||
851 | AUDIT_MAC_IPSEC_DELSPD, 1, | ||
852 | pol, NULL); | ||
853 | |||
845 | xfrm_policy_kill(pol); | 854 | xfrm_policy_kill(pol); |
846 | killed++; | 855 | killed++; |
847 | 856 | ||
@@ -1977,6 +1986,115 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first, | |||
1977 | 1986 | ||
1978 | EXPORT_SYMBOL(xfrm_bundle_ok); | 1987 | EXPORT_SYMBOL(xfrm_bundle_ok); |
1979 | 1988 | ||
1989 | /* Audit addition and deletion of SAs and ipsec policy */ | ||
1990 | |||
1991 | void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, | ||
1992 | struct xfrm_policy *xp, struct xfrm_state *x) | ||
1993 | { | ||
1994 | |||
1995 | char *secctx; | ||
1996 | u32 secctx_len; | ||
1997 | struct xfrm_sec_ctx *sctx = NULL; | ||
1998 | struct audit_buffer *audit_buf; | ||
1999 | int family; | ||
2000 | extern int audit_enabled; | ||
2001 | |||
2002 | if (audit_enabled == 0) | ||
2003 | return; | ||
2004 | |||
2005 | audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); | ||
2006 | if (audit_buf == NULL) | ||
2007 | return; | ||
2008 | |||
2009 | switch(type) { | ||
2010 | case AUDIT_MAC_IPSEC_ADDSA: | ||
2011 | audit_log_format(audit_buf, "SAD add: auid=%u", auid); | ||
2012 | break; | ||
2013 | case AUDIT_MAC_IPSEC_DELSA: | ||
2014 | audit_log_format(audit_buf, "SAD delete: auid=%u", auid); | ||
2015 | break; | ||
2016 | case AUDIT_MAC_IPSEC_ADDSPD: | ||
2017 | audit_log_format(audit_buf, "SPD add: auid=%u", auid); | ||
2018 | break; | ||
2019 | case AUDIT_MAC_IPSEC_DELSPD: | ||
2020 | audit_log_format(audit_buf, "SPD delete: auid=%u", auid); | ||
2021 | break; | ||
2022 | default: | ||
2023 | return; | ||
2024 | } | ||
2025 | |||
2026 | if (sid != 0 && | ||
2027 | security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) | ||
2028 | audit_log_format(audit_buf, " subj=%s", secctx); | ||
2029 | else | ||
2030 | audit_log_task_context(audit_buf); | ||
2031 | |||
2032 | if (xp) { | ||
2033 | family = xp->selector.family; | ||
2034 | if (xp->security) | ||
2035 | sctx = xp->security; | ||
2036 | } else { | ||
2037 | family = x->props.family; | ||
2038 | if (x->security) | ||
2039 | sctx = x->security; | ||
2040 | } | ||
2041 | |||
2042 | if (sctx) | ||
2043 | audit_log_format(audit_buf, | ||
2044 | " sec_alg=%u sec_doi=%u sec_obj=%s", | ||
2045 | sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str); | ||
2046 | |||
2047 | switch(family) { | ||
2048 | case AF_INET: | ||
2049 | { | ||
2050 | struct in_addr saddr, daddr; | ||
2051 | if (xp) { | ||
2052 | saddr.s_addr = xp->selector.saddr.a4; | ||
2053 | daddr.s_addr = xp->selector.daddr.a4; | ||
2054 | } else { | ||
2055 | saddr.s_addr = x->props.saddr.a4; | ||
2056 | daddr.s_addr = x->id.daddr.a4; | ||
2057 | } | ||
2058 | audit_log_format(audit_buf, | ||
2059 | " src=%u.%u.%u.%u dst=%u.%u.%u.%u", | ||
2060 | NIPQUAD(saddr), NIPQUAD(daddr)); | ||
2061 | } | ||
2062 | break; | ||
2063 | case AF_INET6: | ||
2064 | { | ||
2065 | struct in6_addr saddr6, daddr6; | ||
2066 | if (xp) { | ||
2067 | memcpy(&saddr6, xp->selector.saddr.a6, | ||
2068 | sizeof(struct in6_addr)); | ||
2069 | memcpy(&daddr6, xp->selector.daddr.a6, | ||
2070 | sizeof(struct in6_addr)); | ||
2071 | } else { | ||
2072 | memcpy(&saddr6, x->props.saddr.a6, | ||
2073 | sizeof(struct in6_addr)); | ||
2074 | memcpy(&daddr6, x->id.daddr.a6, | ||
2075 | sizeof(struct in6_addr)); | ||
2076 | } | ||
2077 | audit_log_format(audit_buf, | ||
2078 | " src=" NIP6_FMT "dst=" NIP6_FMT, | ||
2079 | NIP6(saddr6), NIP6(daddr6)); | ||
2080 | } | ||
2081 | break; | ||
2082 | } | ||
2083 | |||
2084 | if (x) | ||
2085 | audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s", | ||
2086 | (unsigned long)ntohl(x->id.spi), | ||
2087 | (unsigned long)ntohl(x->id.spi), | ||
2088 | x->id.proto == IPPROTO_AH ? "AH" : | ||
2089 | (x->id.proto == IPPROTO_ESP ? | ||
2090 | "ESP" : "IPCOMP")); | ||
2091 | |||
2092 | audit_log_format(audit_buf, " res=%u", result); | ||
2093 | audit_log_end(audit_buf); | ||
2094 | } | ||
2095 | |||
2096 | EXPORT_SYMBOL(xfrm_audit_log); | ||
2097 | |||
1980 | int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) | 2098 | int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) |
1981 | { | 2099 | { |
1982 | int err = 0; | 2100 | int err = 0; |