Diffstat (limited to 'net')
-rw-r--r--net/key/af_key.c30
-rw-r--r--net/xfrm/xfrm_policy.c40
-rw-r--r--net/xfrm/xfrm_state.c34
-rw-r--r--net/xfrm/xfrm_user.c38
4 files changed, 41 insertions, 101 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index d66ff72adefb..b47f8e542aae 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1476,9 +1476,7 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, const struct sadb_msg
1476 else 1476 else
1477 err = xfrm_state_update(x); 1477 err = xfrm_state_update(x);
1478 1478
1479 xfrm_audit_state_add(x, err ? 0 : 1, 1479 xfrm_audit_state_add(x, err ? 0 : 1, true);
1480 audit_get_loginuid(current),
1481 audit_get_sessionid(current));
1482 1480
1483 if (err < 0) { 1481 if (err < 0) {
1484 x->km.state = XFRM_STATE_DEAD; 1482 x->km.state = XFRM_STATE_DEAD;
@@ -1532,9 +1530,7 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, const struct sadb_
1532 c.event = XFRM_MSG_DELSA; 1530 c.event = XFRM_MSG_DELSA;
1533 km_state_notify(x, &c); 1531 km_state_notify(x, &c);
1534out: 1532out:
1535 xfrm_audit_state_delete(x, err ? 0 : 1, 1533 xfrm_audit_state_delete(x, err ? 0 : 1, true);
1536 audit_get_loginuid(current),
1537 audit_get_sessionid(current));
1538 xfrm_state_put(x); 1534 xfrm_state_put(x);
1539 1535
1540 return err; 1536 return err;
@@ -1726,16 +1722,13 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m
1726 struct net *net = sock_net(sk); 1722 struct net *net = sock_net(sk);
1727 unsigned int proto; 1723 unsigned int proto;
1728 struct km_event c; 1724 struct km_event c;
1729 struct xfrm_audit audit_info;
1730 int err, err2; 1725 int err, err2;
1731 1726
1732 proto = pfkey_satype2proto(hdr->sadb_msg_satype); 1727 proto = pfkey_satype2proto(hdr->sadb_msg_satype);
1733 if (proto == 0) 1728 if (proto == 0)
1734 return -EINVAL; 1729 return -EINVAL;
1735 1730
1736 audit_info.loginuid = audit_get_loginuid(current); 1731 err = xfrm_state_flush(net, proto, true);
1737 audit_info.sessionid = audit_get_sessionid(current);
1738 err = xfrm_state_flush(net, proto, &audit_info);
1739 err2 = unicast_flush_resp(sk, hdr); 1732 err2 = unicast_flush_resp(sk, hdr);
1740 if (err || err2) { 1733 if (err || err2) {
1741 if (err == -ESRCH) /* empty table - go quietly */ 1734 if (err == -ESRCH) /* empty table - go quietly */
@@ -2287,9 +2280,7 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, const struct sadb_
2287 err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, 2280 err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp,
2288 hdr->sadb_msg_type != SADB_X_SPDUPDATE); 2281 hdr->sadb_msg_type != SADB_X_SPDUPDATE);
2289 2282
2290 xfrm_audit_policy_add(xp, err ? 0 : 1, 2283 xfrm_audit_policy_add(xp, err ? 0 : 1, true);
2291 audit_get_loginuid(current),
2292 audit_get_sessionid(current));
2293 2284
2294 if (err) 2285 if (err)
2295 goto out; 2286 goto out;
@@ -2371,9 +2362,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sa
2371 if (xp == NULL) 2362 if (xp == NULL)
2372 return -ENOENT; 2363 return -ENOENT;
2373 2364
2374 xfrm_audit_policy_delete(xp, err ? 0 : 1, 2365 xfrm_audit_policy_delete(xp, err ? 0 : 1, true);
2375 audit_get_loginuid(current),
2376 audit_get_sessionid(current));
2377 2366
2378 if (err) 2367 if (err)
2379 goto out; 2368 goto out;
@@ -2621,9 +2610,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, const struct sadb_
2621 return -ENOENT; 2610 return -ENOENT;
2622 2611
2623 if (delete) { 2612 if (delete) {
2624 xfrm_audit_policy_delete(xp, err ? 0 : 1, 2613 xfrm_audit_policy_delete(xp, err ? 0 : 1, true);
2625 audit_get_loginuid(current),
2626 audit_get_sessionid(current));
2627 2614
2628 if (err) 2615 if (err)
2629 goto out; 2616 goto out;
@@ -2732,12 +2719,9 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, const struct sad
2732{ 2719{
2733 struct net *net = sock_net(sk); 2720 struct net *net = sock_net(sk);
2734 struct km_event c; 2721 struct km_event c;
2735 struct xfrm_audit audit_info;
2736 int err, err2; 2722 int err, err2;
2737 2723
2738 audit_info.loginuid = audit_get_loginuid(current); 2724 err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, true);
2739 audit_info.sessionid = audit_get_sessionid(current);
2740 err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
2741 err2 = unicast_flush_resp(sk, hdr); 2725 err2 = unicast_flush_resp(sk, hdr);
2742 if (err || err2) { 2726 if (err || err2) {
2743 if (err == -ESRCH) /* empty table - old silent behavior */ 2727 if (err == -ESRCH) /* empty table - old silent behavior */
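Review bot: Every audit call site in this file now passes a bare `true` (pfkey_add, pfkey_delete, pfkey_flush, pfkey_spdadd, pfkey_spddelete, pfkey_spdget and pfkey_spdflush) with nothing at the site saying what the flag selects, so it reads as a magic boolean where the explicit `audit_get_loginuid(current)` / `audit_get_sessionid(current)` it replaces at least named the source of the attribution. The intended meaning appears to be "attribute the record to the calling task", which presumably holds here because these handlers run in the context of the process that sent the PF_KEY message. A one-line comment at the first site, `/* true: PF_KEY handlers run in the sender's context, so audit current's loginuid/sessionid */`, would keep that intent visible; the same remark applies to the netlink handlers in the net/xfrm/xfrm_user.c section. The helper that consumes the flag, xfrm_audit_helper_usrinfo, is not in this diff, so the exact record emitted for each value cannot be checked from here.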
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index bd001b7062c0..375267d15c8f 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -769,7 +769,7 @@ EXPORT_SYMBOL(xfrm_policy_byid);
769 769
770#ifdef CONFIG_SECURITY_NETWORK_XFRM 770#ifdef CONFIG_SECURITY_NETWORK_XFRM
771static inline int 771static inline int
772xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info) 772xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
773{ 773{
774 int dir, err = 0; 774 int dir, err = 0;
775 775
@@ -783,9 +783,7 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
783 continue; 783 continue;
784 err = security_xfrm_policy_delete(pol->security); 784 err = security_xfrm_policy_delete(pol->security);
785 if (err) { 785 if (err) {
786 xfrm_audit_policy_delete(pol, 0, 786 xfrm_audit_policy_delete(pol, 0, task_valid);
787 audit_info->loginuid,
788 audit_info->sessionid);
789 return err; 787 return err;
790 } 788 }
791 } 789 }
@@ -799,8 +797,7 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
799 pol->security); 797 pol->security);
800 if (err) { 798 if (err) {
801 xfrm_audit_policy_delete(pol, 0, 799 xfrm_audit_policy_delete(pol, 0,
802 audit_info->loginuid, 800 task_valid);
803 audit_info->sessionid);
804 return err; 801 return err;
805 } 802 }
806 } 803 }
@@ -810,19 +807,19 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
810} 807}
811#else 808#else
812static inline int 809static inline int
813xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info) 810xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
814{ 811{
815 return 0; 812 return 0;
816} 813}
817#endif 814#endif
818 815
819int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info) 816int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
820{ 817{
821 int dir, err = 0, cnt = 0; 818 int dir, err = 0, cnt = 0;
822 819
823 write_lock_bh(&net->xfrm.xfrm_policy_lock); 820 write_lock_bh(&net->xfrm.xfrm_policy_lock);
824 821
825 err = xfrm_policy_flush_secctx_check(net, type, audit_info); 822 err = xfrm_policy_flush_secctx_check(net, type, task_valid);
826 if (err) 823 if (err)
827 goto out; 824 goto out;
828 825
@@ -839,8 +836,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
839 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 836 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
840 cnt++; 837 cnt++;
841 838
842 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, 839 xfrm_audit_policy_delete(pol, 1, task_valid);
843 audit_info->sessionid);
844 840
845 xfrm_policy_kill(pol); 841 xfrm_policy_kill(pol);
846 842
@@ -859,9 +855,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
859 write_unlock_bh(&net->xfrm.xfrm_policy_lock); 855 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
860 cnt++; 856 cnt++;
861 857
862 xfrm_audit_policy_delete(pol, 1, 858 xfrm_audit_policy_delete(pol, 1, task_valid);
863 audit_info->loginuid,
864 audit_info->sessionid);
865 xfrm_policy_kill(pol); 859 xfrm_policy_kill(pol);
866 860
867 write_lock_bh(&net->xfrm.xfrm_policy_lock); 861 write_lock_bh(&net->xfrm.xfrm_policy_lock);
@@ -2858,19 +2852,14 @@ out_byidx:
2858 2852
2859static void xfrm_policy_fini(struct net *net) 2853static void xfrm_policy_fini(struct net *net)
2860{ 2854{
2861 struct xfrm_audit audit_info;
2862 unsigned int sz; 2855 unsigned int sz;
2863 int dir; 2856 int dir;
2864 2857
2865 flush_work(&net->xfrm.policy_hash_work); 2858 flush_work(&net->xfrm.policy_hash_work);
2866#ifdef CONFIG_XFRM_SUB_POLICY 2859#ifdef CONFIG_XFRM_SUB_POLICY
2867 audit_info.loginuid = INVALID_UID; 2860 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false);
2868 audit_info.sessionid = (unsigned int)-1;
2869 xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
2870#endif 2861#endif
2871 audit_info.loginuid = INVALID_UID; 2862 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
2872 audit_info.sessionid = (unsigned int)-1;
2873 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
2874 2863
2875 WARN_ON(!list_empty(&net->xfrm.policy_all)); 2864 WARN_ON(!list_empty(&net->xfrm.policy_all));
2876 2865
@@ -2985,15 +2974,14 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
2985 } 2974 }
2986} 2975}
2987 2976
2988void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, 2977void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid)
2989 kuid_t auid, unsigned int sessionid)
2990{ 2978{
2991 struct audit_buffer *audit_buf; 2979 struct audit_buffer *audit_buf;
2992 2980
2993 audit_buf = xfrm_audit_start("SPD-add"); 2981 audit_buf = xfrm_audit_start("SPD-add");
2994 if (audit_buf == NULL) 2982 if (audit_buf == NULL)
2995 return; 2983 return;
2996 xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf); 2984 xfrm_audit_helper_usrinfo(task_valid, audit_buf);
2997 audit_log_format(audit_buf, " res=%u", result); 2985 audit_log_format(audit_buf, " res=%u", result);
2998 xfrm_audit_common_policyinfo(xp, audit_buf); 2986 xfrm_audit_common_policyinfo(xp, audit_buf);
2999 audit_log_end(audit_buf); 2987 audit_log_end(audit_buf);
@@ -3001,14 +2989,14 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
3001EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); 2989EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
3002 2990
3003void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, 2991void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
3004 kuid_t auid, unsigned int sessionid) 2992 bool task_valid)
3005{ 2993{
3006 struct audit_buffer *audit_buf; 2994 struct audit_buffer *audit_buf;
3007 2995
3008 audit_buf = xfrm_audit_start("SPD-delete"); 2996 audit_buf = xfrm_audit_start("SPD-delete");
3009 if (audit_buf == NULL) 2997 if (audit_buf == NULL)
3010 return; 2998 return;
3011 xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf); 2999 xfrm_audit_helper_usrinfo(task_valid, audit_buf);
3012 audit_log_format(audit_buf, " res=%u", result); 3000 audit_log_format(audit_buf, " res=%u", result);
3013 xfrm_audit_common_policyinfo(xp, audit_buf); 3001 xfrm_audit_common_policyinfo(xp, audit_buf);
3014 audit_log_end(audit_buf); 3002 audit_log_end(audit_buf);
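Review bot: The `false` passed from xfrm_policy_fini at new lines 2860 and 2862 replaces the `INVALID_UID` / `(unsigned int)-1` pair the old code built by hand, but the helper that turns the flag into record fields, xfrm_audit_helper_usrinfo, is not part of this diff, so it cannot be verified here that netns-teardown records still carry the same unattributed auid and ses values as before; this is worth confirming against the header change. On a style point, the call in xfrm_policy_flush_secctx_check at new lines 799-800 is still wrapped as `xfrm_audit_policy_delete(pol, 0,` / `task_valid);` although it now fits on one line, unlike the sibling calls the commit joined at new lines 786, 839 and 858. The same leftover wrap appears in xfrm_state_flush at new lines 609-610 of net/xfrm/xfrm_state.c.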
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index d91312b5ceb0..0ab54134bb40 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -463,9 +463,7 @@ expired:
463 if (!err) 463 if (!err)
464 km_state_expired(x, 1, 0); 464 km_state_expired(x, 1, 0);
465 465
466 xfrm_audit_state_delete(x, err ? 0 : 1, 466 xfrm_audit_state_delete(x, err ? 0 : 1, true);
467 audit_get_loginuid(current),
468 audit_get_sessionid(current));
469 467
470out: 468out:
471 spin_unlock(&x->lock); 469 spin_unlock(&x->lock);
@@ -562,7 +560,7 @@ EXPORT_SYMBOL(xfrm_state_delete);
562 560
563#ifdef CONFIG_SECURITY_NETWORK_XFRM 561#ifdef CONFIG_SECURITY_NETWORK_XFRM
564static inline int 562static inline int
565xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audit_info) 563xfrm_state_flush_secctx_check(struct net *net, u8 proto, bool task_valid)
566{ 564{
567 int i, err = 0; 565 int i, err = 0;
568 566
@@ -572,9 +570,7 @@ xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audi
572 hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { 570 hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) {
573 if (xfrm_id_proto_match(x->id.proto, proto) && 571 if (xfrm_id_proto_match(x->id.proto, proto) &&
574 (err = security_xfrm_state_delete(x)) != 0) { 572 (err = security_xfrm_state_delete(x)) != 0) {
575 xfrm_audit_state_delete(x, 0, 573 xfrm_audit_state_delete(x, 0, task_valid);
576 audit_info->loginuid,
577 audit_info->sessionid);
578 return err; 574 return err;
579 } 575 }
580 } 576 }
@@ -584,18 +580,18 @@ xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audi
584} 580}
585#else 581#else
586static inline int 582static inline int
587xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audit_info) 583xfrm_state_flush_secctx_check(struct net *net, u8 proto, bool task_valid)
588{ 584{
589 return 0; 585 return 0;
590} 586}
591#endif 587#endif
592 588
593int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info) 589int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)
594{ 590{
595 int i, err = 0, cnt = 0; 591 int i, err = 0, cnt = 0;
596 592
597 spin_lock_bh(&net->xfrm.xfrm_state_lock); 593 spin_lock_bh(&net->xfrm.xfrm_state_lock);
598 err = xfrm_state_flush_secctx_check(net, proto, audit_info); 594 err = xfrm_state_flush_secctx_check(net, proto, task_valid);
599 if (err) 595 if (err)
600 goto out; 596 goto out;
601 597
@@ -611,8 +607,7 @@ restart:
611 607
612 err = xfrm_state_delete(x); 608 err = xfrm_state_delete(x);
613 xfrm_audit_state_delete(x, err ? 0 : 1, 609 xfrm_audit_state_delete(x, err ? 0 : 1,
614 audit_info->loginuid, 610 task_valid);
615 audit_info->sessionid);
616 xfrm_state_put(x); 611 xfrm_state_put(x);
617 if (!err) 612 if (!err)
618 cnt++; 613 cnt++;
@@ -2126,13 +2121,10 @@ out_bydst:
2126 2121
2127void xfrm_state_fini(struct net *net) 2122void xfrm_state_fini(struct net *net)
2128{ 2123{
2129 struct xfrm_audit audit_info;
2130 unsigned int sz; 2124 unsigned int sz;
2131 2125
2132 flush_work(&net->xfrm.state_hash_work); 2126 flush_work(&net->xfrm.state_hash_work);
2133 audit_info.loginuid = INVALID_UID; 2127 xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
2134 audit_info.sessionid = (unsigned int)-1;
2135 xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info);
2136 flush_work(&net->xfrm.state_gc_work); 2128 flush_work(&net->xfrm.state_gc_work);
2137 2129
2138 WARN_ON(!list_empty(&net->xfrm.state_all)); 2130 WARN_ON(!list_empty(&net->xfrm.state_all));
@@ -2195,30 +2187,28 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2195 } 2187 }
2196} 2188}
2197 2189
2198void xfrm_audit_state_add(struct xfrm_state *x, int result, 2190void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid)
2199 kuid_t auid, unsigned int sessionid)
2200{ 2191{
2201 struct audit_buffer *audit_buf; 2192 struct audit_buffer *audit_buf;
2202 2193
2203 audit_buf = xfrm_audit_start("SAD-add"); 2194 audit_buf = xfrm_audit_start("SAD-add");
2204 if (audit_buf == NULL) 2195 if (audit_buf == NULL)
2205 return; 2196 return;
2206 xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf); 2197 xfrm_audit_helper_usrinfo(task_valid, audit_buf);
2207 xfrm_audit_helper_sainfo(x, audit_buf); 2198 xfrm_audit_helper_sainfo(x, audit_buf);
2208 audit_log_format(audit_buf, " res=%u", result); 2199 audit_log_format(audit_buf, " res=%u", result);
2209 audit_log_end(audit_buf); 2200 audit_log_end(audit_buf);
2210} 2201}
2211EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2202EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2212 2203
2213void xfrm_audit_state_delete(struct xfrm_state *x, int result, 2204void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid)
2214 kuid_t auid, unsigned int sessionid)
2215{ 2205{
2216 struct audit_buffer *audit_buf; 2206 struct audit_buffer *audit_buf;
2217 2207
2218 audit_buf = xfrm_audit_start("SAD-delete"); 2208 audit_buf = xfrm_audit_start("SAD-delete");
2219 if (audit_buf == NULL) 2209 if (audit_buf == NULL)
2220 return; 2210 return;
2221 xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf); 2211 xfrm_audit_helper_usrinfo(task_valid, audit_buf);
2222 xfrm_audit_helper_sainfo(x, audit_buf); 2212 xfrm_audit_helper_sainfo(x, audit_buf);
2223 audit_log_format(audit_buf, " res=%u", result); 2213 audit_log_format(audit_buf, " res=%u", result);
2224 audit_log_end(audit_buf); 2214 audit_log_end(audit_buf);
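Review bot: The `true` passed at new line 466, under the `expired:` label, looks like it sits in the state timer handler rather than in a syscall path; the enclosing function starts outside the hunk, so this is inferred from the label and the `km_state_expired(x, 1, 0)` call. If so, `current` there is whatever task the timer happened to interrupt, and the SAD-delete record attributes the expiry to an unrelated process's loginuid and session id; the old code had the same issue with `audit_get_loginuid(current)`, so the commit does not introduce it, but the new flag makes the choice explicit and this site deserves a deliberate one. Either pass `false` so the record is visibly unattributed, or keep `true` with a comment such as `/* timer context: task_valid=true attributes this record to the interrupted task, not to the SA's owner */` so the next reader does not take the attribution at face value.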
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index d6409d927b82..3d4b4c464091 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -597,8 +597,6 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
597 struct xfrm_state *x; 597 struct xfrm_state *x;
598 int err; 598 int err;
599 struct km_event c; 599 struct km_event c;
600 kuid_t loginuid = audit_get_loginuid(current);
601 unsigned int sessionid = audit_get_sessionid(current);
602 600
603 err = verify_newsa_info(p, attrs); 601 err = verify_newsa_info(p, attrs);
604 if (err) 602 if (err)
@@ -614,7 +612,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
614 else 612 else
615 err = xfrm_state_update(x); 613 err = xfrm_state_update(x);
616 614
617 xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid); 615 xfrm_audit_state_add(x, err ? 0 : 1, true);
618 616
619 if (err < 0) { 617 if (err < 0) {
620 x->km.state = XFRM_STATE_DEAD; 618 x->km.state = XFRM_STATE_DEAD;
@@ -674,8 +672,6 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
674 int err = -ESRCH; 672 int err = -ESRCH;
675 struct km_event c; 673 struct km_event c;
676 struct xfrm_usersa_id *p = nlmsg_data(nlh); 674 struct xfrm_usersa_id *p = nlmsg_data(nlh);
677 kuid_t loginuid = audit_get_loginuid(current);
678 unsigned int sessionid = audit_get_sessionid(current);
679 675
680 x = xfrm_user_state_lookup(net, p, attrs, &err); 676 x = xfrm_user_state_lookup(net, p, attrs, &err);
681 if (x == NULL) 677 if (x == NULL)
@@ -700,7 +696,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
700 km_state_notify(x, &c); 696 km_state_notify(x, &c);
701 697
702out: 698out:
703 xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid); 699 xfrm_audit_state_delete(x, err ? 0 : 1, true);
704 xfrm_state_put(x); 700 xfrm_state_put(x);
705 return err; 701 return err;
706} 702}
@@ -1410,8 +1406,6 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1410 struct km_event c; 1406 struct km_event c;
1411 int err; 1407 int err;
1412 int excl; 1408 int excl;
1413 kuid_t loginuid = audit_get_loginuid(current);
1414 unsigned int sessionid = audit_get_sessionid(current);
1415 1409
1416 err = verify_newpolicy_info(p); 1410 err = verify_newpolicy_info(p);
1417 if (err) 1411 if (err)
@@ -1430,7 +1424,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1430 * a type XFRM_MSG_UPDPOLICY - JHS */ 1424 * a type XFRM_MSG_UPDPOLICY - JHS */
1431 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; 1425 excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
1432 err = xfrm_policy_insert(p->dir, xp, excl); 1426 err = xfrm_policy_insert(p->dir, xp, excl);
1433 xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid); 1427 xfrm_audit_policy_add(xp, err ? 0 : 1, true);
1434 1428
1435 if (err) { 1429 if (err) {
1436 security_xfrm_policy_free(xp->security); 1430 security_xfrm_policy_free(xp->security);
@@ -1667,10 +1661,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1667 NETLINK_CB(skb).portid); 1661 NETLINK_CB(skb).portid);
1668 } 1662 }
1669 } else { 1663 } else {
1670 kuid_t loginuid = audit_get_loginuid(current); 1664 xfrm_audit_policy_delete(xp, err ? 0 : 1, true);
1671 unsigned int sessionid = audit_get_sessionid(current);
1672
1673 xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid);
1674 1665
1675 if (err != 0) 1666 if (err != 0)
1676 goto out; 1667 goto out;
@@ -1695,12 +1686,9 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
1695 struct net *net = sock_net(skb->sk); 1686 struct net *net = sock_net(skb->sk);
1696 struct km_event c; 1687 struct km_event c;
1697 struct xfrm_usersa_flush *p = nlmsg_data(nlh); 1688 struct xfrm_usersa_flush *p = nlmsg_data(nlh);
1698 struct xfrm_audit audit_info;
1699 int err; 1689 int err;
1700 1690
1701 audit_info.loginuid = audit_get_loginuid(current); 1691 err = xfrm_state_flush(net, p->proto, true);
1702 audit_info.sessionid = audit_get_sessionid(current);
1703 err = xfrm_state_flush(net, p->proto, &audit_info);
1704 if (err) { 1692 if (err) {
1705 if (err == -ESRCH) /* empty table */ 1693 if (err == -ESRCH) /* empty table */
1706 return 0; 1694 return 0;
@@ -1884,15 +1872,12 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
1884 struct km_event c; 1872 struct km_event c;
1885 u8 type = XFRM_POLICY_TYPE_MAIN; 1873 u8 type = XFRM_POLICY_TYPE_MAIN;
1886 int err; 1874 int err;
1887 struct xfrm_audit audit_info;
1888 1875
1889 err = copy_from_user_policy_type(&type, attrs); 1876 err = copy_from_user_policy_type(&type, attrs);
1890 if (err) 1877 if (err)
1891 return err; 1878 return err;
1892 1879
1893 audit_info.loginuid = audit_get_loginuid(current); 1880 err = xfrm_policy_flush(net, type, true);
1894 audit_info.sessionid = audit_get_sessionid(current);
1895 err = xfrm_policy_flush(net, type, &audit_info);
1896 if (err) { 1881 if (err) {
1897 if (err == -ESRCH) /* empty table */ 1882 if (err == -ESRCH) /* empty table */
1898 return 0; 1883 return 0;
@@ -1958,12 +1943,8 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1958 1943
1959 err = 0; 1944 err = 0;
1960 if (up->hard) { 1945 if (up->hard) {
1961 kuid_t loginuid = audit_get_loginuid(current);
1962 unsigned int sessionid = audit_get_sessionid(current);
1963
1964 xfrm_policy_delete(xp, p->dir); 1946 xfrm_policy_delete(xp, p->dir);
1965 xfrm_audit_policy_delete(xp, 1, loginuid, sessionid); 1947 xfrm_audit_policy_delete(xp, 1, true);
1966
1967 } else { 1948 } else {
1968 // reset the timers here? 1949 // reset the timers here?
1969 WARN(1, "Dont know what to do with soft policy expire\n"); 1950 WARN(1, "Dont know what to do with soft policy expire\n");
@@ -1999,11 +1980,8 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
1999 km_state_expired(x, ue->hard, nlh->nlmsg_pid); 1980 km_state_expired(x, ue->hard, nlh->nlmsg_pid);
2000 1981
2001 if (ue->hard) { 1982 if (ue->hard) {
2002 kuid_t loginuid = audit_get_loginuid(current);
2003 unsigned int sessionid = audit_get_sessionid(current);
2004
2005 __xfrm_state_delete(x); 1983 __xfrm_state_delete(x);
2006 xfrm_audit_state_delete(x, 1, loginuid, sessionid); 1984 xfrm_audit_state_delete(x, 1, true);
2007 } 1985 }
2008 err = 0; 1986 err = 0;
2009out: 1987out: