Diffstat (limited to 'net')
-rw-r--r-- | net/key/af_key.c | 30 | ||||
-rw-r--r-- | net/xfrm/xfrm_policy.c | 40 | ||||
-rw-r--r-- | net/xfrm/xfrm_state.c | 34 | ||||
-rw-r--r-- | net/xfrm/xfrm_user.c | 38 |
4 files changed, 41 insertions, 101 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index d66ff72adefb..b47f8e542aae 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c | |||
@@ -1476,9 +1476,7 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, const struct sadb_msg | |||
1476 | else | 1476 | else |
1477 | err = xfrm_state_update(x); | 1477 | err = xfrm_state_update(x); |
1478 | 1478 | ||
1479 | xfrm_audit_state_add(x, err ? 0 : 1, | 1479 | xfrm_audit_state_add(x, err ? 0 : 1, true); |
1480 | audit_get_loginuid(current), | ||
1481 | audit_get_sessionid(current)); | ||
1482 | 1480 | ||
1483 | if (err < 0) { | 1481 | if (err < 0) { |
1484 | x->km.state = XFRM_STATE_DEAD; | 1482 | x->km.state = XFRM_STATE_DEAD; |
@@ -1532,9 +1530,7 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, const struct sadb_ | |||
1532 | c.event = XFRM_MSG_DELSA; | 1530 | c.event = XFRM_MSG_DELSA; |
1533 | km_state_notify(x, &c); | 1531 | km_state_notify(x, &c); |
1534 | out: | 1532 | out: |
1535 | xfrm_audit_state_delete(x, err ? 0 : 1, | 1533 | xfrm_audit_state_delete(x, err ? 0 : 1, true); |
1536 | audit_get_loginuid(current), | ||
1537 | audit_get_sessionid(current)); | ||
1538 | xfrm_state_put(x); | 1534 | xfrm_state_put(x); |
1539 | 1535 | ||
1540 | return err; | 1536 | return err; |
@@ -1726,16 +1722,13 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m | |||
1726 | struct net *net = sock_net(sk); | 1722 | struct net *net = sock_net(sk); |
1727 | unsigned int proto; | 1723 | unsigned int proto; |
1728 | struct km_event c; | 1724 | struct km_event c; |
1729 | struct xfrm_audit audit_info; | ||
1730 | int err, err2; | 1725 | int err, err2; |
1731 | 1726 | ||
1732 | proto = pfkey_satype2proto(hdr->sadb_msg_satype); | 1727 | proto = pfkey_satype2proto(hdr->sadb_msg_satype); |
1733 | if (proto == 0) | 1728 | if (proto == 0) |
1734 | return -EINVAL; | 1729 | return -EINVAL; |
1735 | 1730 | ||
1736 | audit_info.loginuid = audit_get_loginuid(current); | 1731 | err = xfrm_state_flush(net, proto, true); |
1737 | audit_info.sessionid = audit_get_sessionid(current); | ||
1738 | err = xfrm_state_flush(net, proto, &audit_info); | ||
1739 | err2 = unicast_flush_resp(sk, hdr); | 1732 | err2 = unicast_flush_resp(sk, hdr); |
1740 | if (err || err2) { | 1733 | if (err || err2) { |
1741 | if (err == -ESRCH) /* empty table - go quietly */ | 1734 | if (err == -ESRCH) /* empty table - go quietly */ |
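Review bot: The bare boolean in `err = xfrm_state_flush(net, proto, true);` gives a reader of pfkey_flush no hint what is being asserted — the removed `audit_info` struct at least named its fields. Every handler in this file passes `true` because a pfkey request is processed in the sending task's context, so `current` is the right task to attribute the audit record to; a one-line comment at this first call site would carry that rationale: `/* task_valid: runs in the sender's context, so audit the current task */`. The same literal recurs in pfkey_spdflush and the add/delete handlers below; one comment here is enough. pfkey_flush continues past the end of this hunk.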
@@ -2287,9 +2280,7 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, const struct sadb_ | |||
2287 | err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, | 2280 | err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, |
2288 | hdr->sadb_msg_type != SADB_X_SPDUPDATE); | 2281 | hdr->sadb_msg_type != SADB_X_SPDUPDATE); |
2289 | 2282 | ||
2290 | xfrm_audit_policy_add(xp, err ? 0 : 1, | 2283 | xfrm_audit_policy_add(xp, err ? 0 : 1, true); |
2291 | audit_get_loginuid(current), | ||
2292 | audit_get_sessionid(current)); | ||
2293 | 2284 | ||
2294 | if (err) | 2285 | if (err) |
2295 | goto out; | 2286 | goto out; |
@@ -2371,9 +2362,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sa | |||
2371 | if (xp == NULL) | 2362 | if (xp == NULL) |
2372 | return -ENOENT; | 2363 | return -ENOENT; |
2373 | 2364 | ||
2374 | xfrm_audit_policy_delete(xp, err ? 0 : 1, | 2365 | xfrm_audit_policy_delete(xp, err ? 0 : 1, true); |
2375 | audit_get_loginuid(current), | ||
2376 | audit_get_sessionid(current)); | ||
2377 | 2366 | ||
2378 | if (err) | 2367 | if (err) |
2379 | goto out; | 2368 | goto out; |
@@ -2621,9 +2610,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, const struct sadb_ | |||
2621 | return -ENOENT; | 2610 | return -ENOENT; |
2622 | 2611 | ||
2623 | if (delete) { | 2612 | if (delete) { |
2624 | xfrm_audit_policy_delete(xp, err ? 0 : 1, | 2613 | xfrm_audit_policy_delete(xp, err ? 0 : 1, true); |
2625 | audit_get_loginuid(current), | ||
2626 | audit_get_sessionid(current)); | ||
2627 | 2614 | ||
2628 | if (err) | 2615 | if (err) |
2629 | goto out; | 2616 | goto out; |
@@ -2732,12 +2719,9 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, const struct sad | |||
2732 | { | 2719 | { |
2733 | struct net *net = sock_net(sk); | 2720 | struct net *net = sock_net(sk); |
2734 | struct km_event c; | 2721 | struct km_event c; |
2735 | struct xfrm_audit audit_info; | ||
2736 | int err, err2; | 2722 | int err, err2; |
2737 | 2723 | ||
2738 | audit_info.loginuid = audit_get_loginuid(current); | 2724 | err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, true); |
2739 | audit_info.sessionid = audit_get_sessionid(current); | ||
2740 | err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info); | ||
2741 | err2 = unicast_flush_resp(sk, hdr); | 2725 | err2 = unicast_flush_resp(sk, hdr); |
2742 | if (err || err2) { | 2726 | if (err || err2) { |
2743 | if (err == -ESRCH) /* empty table - old silent behavior */ | 2727 | if (err == -ESRCH) /* empty table - old silent behavior */ |
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index bd001b7062c0..375267d15c8f 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
@@ -769,7 +769,7 @@ EXPORT_SYMBOL(xfrm_policy_byid); | |||
769 | 769 | ||
770 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | 770 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
771 | static inline int | 771 | static inline int |
772 | xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info) | 772 | xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid) |
773 | { | 773 | { |
774 | int dir, err = 0; | 774 | int dir, err = 0; |
775 | 775 | ||
@@ -783,9 +783,7 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi | |||
783 | continue; | 783 | continue; |
784 | err = security_xfrm_policy_delete(pol->security); | 784 | err = security_xfrm_policy_delete(pol->security); |
785 | if (err) { | 785 | if (err) { |
786 | xfrm_audit_policy_delete(pol, 0, | 786 | xfrm_audit_policy_delete(pol, 0, task_valid); |
787 | audit_info->loginuid, | ||
788 | audit_info->sessionid); | ||
789 | return err; | 787 | return err; |
790 | } | 788 | } |
791 | } | 789 | } |
@@ -799,8 +797,7 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi | |||
799 | pol->security); | 797 | pol->security); |
800 | if (err) { | 798 | if (err) { |
801 | xfrm_audit_policy_delete(pol, 0, | 799 | xfrm_audit_policy_delete(pol, 0, |
802 | audit_info->loginuid, | 800 | task_valid); |
803 | audit_info->sessionid); | ||
804 | return err; | 801 | return err; |
805 | } | 802 | } |
806 | } | 803 | } |
@@ -810,19 +807,19 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi | |||
810 | } | 807 | } |
811 | #else | 808 | #else |
812 | static inline int | 809 | static inline int |
813 | xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info) | 810 | xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid) |
814 | { | 811 | { |
815 | return 0; | 812 | return 0; |
816 | } | 813 | } |
817 | #endif | 814 | #endif |
818 | 815 | ||
819 | int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info) | 816 | int xfrm_policy_flush(struct net *net, u8 type, bool task_valid) |
820 | { | 817 | { |
821 | int dir, err = 0, cnt = 0; | 818 | int dir, err = 0, cnt = 0; |
822 | 819 | ||
823 | write_lock_bh(&net->xfrm.xfrm_policy_lock); | 820 | write_lock_bh(&net->xfrm.xfrm_policy_lock); |
824 | 821 | ||
825 | err = xfrm_policy_flush_secctx_check(net, type, audit_info); | 822 | err = xfrm_policy_flush_secctx_check(net, type, task_valid); |
826 | if (err) | 823 | if (err) |
827 | goto out; | 824 | goto out; |
828 | 825 | ||
@@ -839,8 +836,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info) | |||
839 | write_unlock_bh(&net->xfrm.xfrm_policy_lock); | 836 | write_unlock_bh(&net->xfrm.xfrm_policy_lock); |
840 | cnt++; | 837 | cnt++; |
841 | 838 | ||
842 | xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, | 839 | xfrm_audit_policy_delete(pol, 1, task_valid); |
843 | audit_info->sessionid); | ||
844 | 840 | ||
845 | xfrm_policy_kill(pol); | 841 | xfrm_policy_kill(pol); |
846 | 842 | ||
@@ -859,9 +855,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info) | |||
859 | write_unlock_bh(&net->xfrm.xfrm_policy_lock); | 855 | write_unlock_bh(&net->xfrm.xfrm_policy_lock); |
860 | cnt++; | 856 | cnt++; |
861 | 857 | ||
862 | xfrm_audit_policy_delete(pol, 1, | 858 | xfrm_audit_policy_delete(pol, 1, task_valid); |
863 | audit_info->loginuid, | ||
864 | audit_info->sessionid); | ||
865 | xfrm_policy_kill(pol); | 859 | xfrm_policy_kill(pol); |
866 | 860 | ||
867 | write_lock_bh(&net->xfrm.xfrm_policy_lock); | 861 | write_lock_bh(&net->xfrm.xfrm_policy_lock); |
@@ -2858,19 +2852,14 @@ out_byidx: | |||
2858 | 2852 | ||
2859 | static void xfrm_policy_fini(struct net *net) | 2853 | static void xfrm_policy_fini(struct net *net) |
2860 | { | 2854 | { |
2861 | struct xfrm_audit audit_info; | ||
2862 | unsigned int sz; | 2855 | unsigned int sz; |
2863 | int dir; | 2856 | int dir; |
2864 | 2857 | ||
2865 | flush_work(&net->xfrm.policy_hash_work); | 2858 | flush_work(&net->xfrm.policy_hash_work); |
2866 | #ifdef CONFIG_XFRM_SUB_POLICY | 2859 | #ifdef CONFIG_XFRM_SUB_POLICY |
2867 | audit_info.loginuid = INVALID_UID; | 2860 | xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false); |
2868 | audit_info.sessionid = (unsigned int)-1; | ||
2869 | xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info); | ||
2870 | #endif | 2861 | #endif |
2871 | audit_info.loginuid = INVALID_UID; | 2862 | xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false); |
2872 | audit_info.sessionid = (unsigned int)-1; | ||
2873 | xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info); | ||
2874 | 2863 | ||
2875 | WARN_ON(!list_empty(&net->xfrm.policy_all)); | 2864 | WARN_ON(!list_empty(&net->xfrm.policy_all)); |
2876 | 2865 | ||
@@ -2985,15 +2974,14 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, | |||
2985 | } | 2974 | } |
2986 | } | 2975 | } |
2987 | 2976 | ||
2988 | void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, | 2977 | void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid) |
2989 | kuid_t auid, unsigned int sessionid) | ||
2990 | { | 2978 | { |
2991 | struct audit_buffer *audit_buf; | 2979 | struct audit_buffer *audit_buf; |
2992 | 2980 | ||
2993 | audit_buf = xfrm_audit_start("SPD-add"); | 2981 | audit_buf = xfrm_audit_start("SPD-add"); |
2994 | if (audit_buf == NULL) | 2982 | if (audit_buf == NULL) |
2995 | return; | 2983 | return; |
2996 | xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf); | 2984 | xfrm_audit_helper_usrinfo(task_valid, audit_buf); |
2997 | audit_log_format(audit_buf, " res=%u", result); | 2985 | audit_log_format(audit_buf, " res=%u", result); |
2998 | xfrm_audit_common_policyinfo(xp, audit_buf); | 2986 | xfrm_audit_common_policyinfo(xp, audit_buf); |
2999 | audit_log_end(audit_buf); | 2987 | audit_log_end(audit_buf); |
@@ -3001,14 +2989,14 @@ void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, | |||
3001 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); | 2989 | EXPORT_SYMBOL_GPL(xfrm_audit_policy_add); |
3002 | 2990 | ||
3003 | void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, | 2991 | void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, |
3004 | kuid_t auid, unsigned int sessionid) | 2992 | bool task_valid) |
3005 | { | 2993 | { |
3006 | struct audit_buffer *audit_buf; | 2994 | struct audit_buffer *audit_buf; |
3007 | 2995 | ||
3008 | audit_buf = xfrm_audit_start("SPD-delete"); | 2996 | audit_buf = xfrm_audit_start("SPD-delete"); |
3009 | if (audit_buf == NULL) | 2997 | if (audit_buf == NULL) |
3010 | return; | 2998 | return; |
3011 | xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf); | 2999 | xfrm_audit_helper_usrinfo(task_valid, audit_buf); |
3012 | audit_log_format(audit_buf, " res=%u", result); | 3000 | audit_log_format(audit_buf, " res=%u", result); |
3013 | xfrm_audit_common_policyinfo(xp, audit_buf); | 3001 | xfrm_audit_common_policyinfo(xp, audit_buf); |
3014 | audit_log_end(audit_buf); | 3002 | audit_log_end(audit_buf); |
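Review bot: `xfrm_audit_policy_add` and `xfrm_audit_policy_delete` are EXPORT_SYMBOL_GPL entry points whose new `task_valid` parameter is undocumented, and its meaning — whether `current` is the task responsible for the SPD change and may be logged via `xfrm_audit_helper_usrinfo` — is not obvious from the name. A kernel-doc block above each would settle it: describe `xp` as the policy being logged, `result` as 1 on success / 0 on failure as emitted in `res=`, and `task_valid` as true only when called from the originating task's context (netlink/pfkey handlers) and false where `current` is unrelated to the change, as xfrm_policy_fini does at netns teardown. As a style nit, the `xfrm_audit_policy_delete(pol, 0,` / `task_valid);` call left split across two lines in the secctx_check hunk earlier in this file could be joined to match its sibling. Both function bodies run past the hunk's last line.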
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index d91312b5ceb0..0ab54134bb40 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c | |||
@@ -463,9 +463,7 @@ expired: | |||
463 | if (!err) | 463 | if (!err) |
464 | km_state_expired(x, 1, 0); | 464 | km_state_expired(x, 1, 0); |
465 | 465 | ||
466 | xfrm_audit_state_delete(x, err ? 0 : 1, | 466 | xfrm_audit_state_delete(x, err ? 0 : 1, true); |
467 | audit_get_loginuid(current), | ||
468 | audit_get_sessionid(current)); | ||
469 | 467 | ||
470 | out: | 468 | out: |
471 | spin_unlock(&x->lock); | 469 | spin_unlock(&x->lock); |
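Review bot: `xfrm_audit_state_delete(x, err ? 0 : 1, true);` at old line 466 sits in the `expired:` path right after `km_state_expired(x, 1, 0)`, which looks like the SA lifetime timer handler rather than a userspace request; if so, `current` is whatever task the timer interrupted and its login uid/session id have nothing to do with the expiry, so passing `true` preserves the old misleading attribution rather than removing it. The `xfrm_state_fini` hunk below uses `false` for exactly this kind of kernel-initiated deletion, and this call should match it: `xfrm_audit_state_delete(x, err ? 0 : 1, false);`. The enclosing function starts before this hunk, so the timer context cannot be confirmed from the diff alone — please verify against the function header.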
@@ -562,7 +560,7 @@ EXPORT_SYMBOL(xfrm_state_delete); | |||
562 | 560 | ||
563 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | 561 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
564 | static inline int | 562 | static inline int |
565 | xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audit_info) | 563 | xfrm_state_flush_secctx_check(struct net *net, u8 proto, bool task_valid) |
566 | { | 564 | { |
567 | int i, err = 0; | 565 | int i, err = 0; |
568 | 566 | ||
@@ -572,9 +570,7 @@ xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audi | |||
572 | hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { | 570 | hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) { |
573 | if (xfrm_id_proto_match(x->id.proto, proto) && | 571 | if (xfrm_id_proto_match(x->id.proto, proto) && |
574 | (err = security_xfrm_state_delete(x)) != 0) { | 572 | (err = security_xfrm_state_delete(x)) != 0) { |
575 | xfrm_audit_state_delete(x, 0, | 573 | xfrm_audit_state_delete(x, 0, task_valid); |
576 | audit_info->loginuid, | ||
577 | audit_info->sessionid); | ||
578 | return err; | 574 | return err; |
579 | } | 575 | } |
580 | } | 576 | } |
@@ -584,18 +580,18 @@ xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audi | |||
584 | } | 580 | } |
585 | #else | 581 | #else |
586 | static inline int | 582 | static inline int |
587 | xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audit_info) | 583 | xfrm_state_flush_secctx_check(struct net *net, u8 proto, bool task_valid) |
588 | { | 584 | { |
589 | return 0; | 585 | return 0; |
590 | } | 586 | } |
591 | #endif | 587 | #endif |
592 | 588 | ||
593 | int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info) | 589 | int xfrm_state_flush(struct net *net, u8 proto, bool task_valid) |
594 | { | 590 | { |
595 | int i, err = 0, cnt = 0; | 591 | int i, err = 0, cnt = 0; |
596 | 592 | ||
597 | spin_lock_bh(&net->xfrm.xfrm_state_lock); | 593 | spin_lock_bh(&net->xfrm.xfrm_state_lock); |
598 | err = xfrm_state_flush_secctx_check(net, proto, audit_info); | 594 | err = xfrm_state_flush_secctx_check(net, proto, task_valid); |
599 | if (err) | 595 | if (err) |
600 | goto out; | 596 | goto out; |
601 | 597 | ||
@@ -611,8 +607,7 @@ restart: | |||
611 | 607 | ||
612 | err = xfrm_state_delete(x); | 608 | err = xfrm_state_delete(x); |
613 | xfrm_audit_state_delete(x, err ? 0 : 1, | 609 | xfrm_audit_state_delete(x, err ? 0 : 1, |
614 | audit_info->loginuid, | 610 | task_valid); |
615 | audit_info->sessionid); | ||
616 | xfrm_state_put(x); | 611 | xfrm_state_put(x); |
617 | if (!err) | 612 | if (!err) |
618 | cnt++; | 613 | cnt++; |
@@ -2126,13 +2121,10 @@ out_bydst: | |||
2126 | 2121 | ||
2127 | void xfrm_state_fini(struct net *net) | 2122 | void xfrm_state_fini(struct net *net) |
2128 | { | 2123 | { |
2129 | struct xfrm_audit audit_info; | ||
2130 | unsigned int sz; | 2124 | unsigned int sz; |
2131 | 2125 | ||
2132 | flush_work(&net->xfrm.state_hash_work); | 2126 | flush_work(&net->xfrm.state_hash_work); |
2133 | audit_info.loginuid = INVALID_UID; | 2127 | xfrm_state_flush(net, IPSEC_PROTO_ANY, false); |
2134 | audit_info.sessionid = (unsigned int)-1; | ||
2135 | xfrm_state_flush(net, IPSEC_PROTO_ANY, &audit_info); | ||
2136 | flush_work(&net->xfrm.state_gc_work); | 2128 | flush_work(&net->xfrm.state_gc_work); |
2137 | 2129 | ||
2138 | WARN_ON(!list_empty(&net->xfrm.state_all)); | 2130 | WARN_ON(!list_empty(&net->xfrm.state_all)); |
@@ -2195,30 +2187,28 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family, | |||
2195 | } | 2187 | } |
2196 | } | 2188 | } |
2197 | 2189 | ||
2198 | void xfrm_audit_state_add(struct xfrm_state *x, int result, | 2190 | void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid) |
2199 | kuid_t auid, unsigned int sessionid) | ||
2200 | { | 2191 | { |
2201 | struct audit_buffer *audit_buf; | 2192 | struct audit_buffer *audit_buf; |
2202 | 2193 | ||
2203 | audit_buf = xfrm_audit_start("SAD-add"); | 2194 | audit_buf = xfrm_audit_start("SAD-add"); |
2204 | if (audit_buf == NULL) | 2195 | if (audit_buf == NULL) |
2205 | return; | 2196 | return; |
2206 | xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf); | 2197 | xfrm_audit_helper_usrinfo(task_valid, audit_buf); |
2207 | xfrm_audit_helper_sainfo(x, audit_buf); | 2198 | xfrm_audit_helper_sainfo(x, audit_buf); |
2208 | audit_log_format(audit_buf, " res=%u", result); | 2199 | audit_log_format(audit_buf, " res=%u", result); |
2209 | audit_log_end(audit_buf); | 2200 | audit_log_end(audit_buf); |
2210 | } | 2201 | } |
2211 | EXPORT_SYMBOL_GPL(xfrm_audit_state_add); | 2202 | EXPORT_SYMBOL_GPL(xfrm_audit_state_add); |
2212 | 2203 | ||
2213 | void xfrm_audit_state_delete(struct xfrm_state *x, int result, | 2204 | void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid) |
2214 | kuid_t auid, unsigned int sessionid) | ||
2215 | { | 2205 | { |
2216 | struct audit_buffer *audit_buf; | 2206 | struct audit_buffer *audit_buf; |
2217 | 2207 | ||
2218 | audit_buf = xfrm_audit_start("SAD-delete"); | 2208 | audit_buf = xfrm_audit_start("SAD-delete"); |
2219 | if (audit_buf == NULL) | 2209 | if (audit_buf == NULL) |
2220 | return; | 2210 | return; |
2221 | xfrm_audit_helper_usrinfo(auid, sessionid, audit_buf); | 2211 | xfrm_audit_helper_usrinfo(task_valid, audit_buf); |
2222 | xfrm_audit_helper_sainfo(x, audit_buf); | 2212 | xfrm_audit_helper_sainfo(x, audit_buf); |
2223 | audit_log_format(audit_buf, " res=%u", result); | 2213 | audit_log_format(audit_buf, " res=%u", result); |
2224 | audit_log_end(audit_buf); | 2214 | audit_log_end(audit_buf); |
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index d6409d927b82..3d4b4c464091 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
@@ -597,8 +597,6 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
597 | struct xfrm_state *x; | 597 | struct xfrm_state *x; |
598 | int err; | 598 | int err; |
599 | struct km_event c; | 599 | struct km_event c; |
600 | kuid_t loginuid = audit_get_loginuid(current); | ||
601 | unsigned int sessionid = audit_get_sessionid(current); | ||
602 | 600 | ||
603 | err = verify_newsa_info(p, attrs); | 601 | err = verify_newsa_info(p, attrs); |
604 | if (err) | 602 | if (err) |
@@ -614,7 +612,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
614 | else | 612 | else |
615 | err = xfrm_state_update(x); | 613 | err = xfrm_state_update(x); |
616 | 614 | ||
617 | xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid); | 615 | xfrm_audit_state_add(x, err ? 0 : 1, true); |
618 | 616 | ||
619 | if (err < 0) { | 617 | if (err < 0) { |
620 | x->km.state = XFRM_STATE_DEAD; | 618 | x->km.state = XFRM_STATE_DEAD; |
@@ -674,8 +672,6 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
674 | int err = -ESRCH; | 672 | int err = -ESRCH; |
675 | struct km_event c; | 673 | struct km_event c; |
676 | struct xfrm_usersa_id *p = nlmsg_data(nlh); | 674 | struct xfrm_usersa_id *p = nlmsg_data(nlh); |
677 | kuid_t loginuid = audit_get_loginuid(current); | ||
678 | unsigned int sessionid = audit_get_sessionid(current); | ||
679 | 675 | ||
680 | x = xfrm_user_state_lookup(net, p, attrs, &err); | 676 | x = xfrm_user_state_lookup(net, p, attrs, &err); |
681 | if (x == NULL) | 677 | if (x == NULL) |
@@ -700,7 +696,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
700 | km_state_notify(x, &c); | 696 | km_state_notify(x, &c); |
701 | 697 | ||
702 | out: | 698 | out: |
703 | xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid); | 699 | xfrm_audit_state_delete(x, err ? 0 : 1, true); |
704 | xfrm_state_put(x); | 700 | xfrm_state_put(x); |
705 | return err; | 701 | return err; |
706 | } | 702 | } |
@@ -1410,8 +1406,6 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1410 | struct km_event c; | 1406 | struct km_event c; |
1411 | int err; | 1407 | int err; |
1412 | int excl; | 1408 | int excl; |
1413 | kuid_t loginuid = audit_get_loginuid(current); | ||
1414 | unsigned int sessionid = audit_get_sessionid(current); | ||
1415 | 1409 | ||
1416 | err = verify_newpolicy_info(p); | 1410 | err = verify_newpolicy_info(p); |
1417 | if (err) | 1411 | if (err) |
@@ -1430,7 +1424,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1430 | * a type XFRM_MSG_UPDPOLICY - JHS */ | 1424 | * a type XFRM_MSG_UPDPOLICY - JHS */ |
1431 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; | 1425 | excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; |
1432 | err = xfrm_policy_insert(p->dir, xp, excl); | 1426 | err = xfrm_policy_insert(p->dir, xp, excl); |
1433 | xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid); | 1427 | xfrm_audit_policy_add(xp, err ? 0 : 1, true); |
1434 | 1428 | ||
1435 | if (err) { | 1429 | if (err) { |
1436 | security_xfrm_policy_free(xp->security); | 1430 | security_xfrm_policy_free(xp->security); |
@@ -1667,10 +1661,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1667 | NETLINK_CB(skb).portid); | 1661 | NETLINK_CB(skb).portid); |
1668 | } | 1662 | } |
1669 | } else { | 1663 | } else { |
1670 | kuid_t loginuid = audit_get_loginuid(current); | 1664 | xfrm_audit_policy_delete(xp, err ? 0 : 1, true); |
1671 | unsigned int sessionid = audit_get_sessionid(current); | ||
1672 | |||
1673 | xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid); | ||
1674 | 1665 | ||
1675 | if (err != 0) | 1666 | if (err != 0) |
1676 | goto out; | 1667 | goto out; |
@@ -1695,12 +1686,9 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1695 | struct net *net = sock_net(skb->sk); | 1686 | struct net *net = sock_net(skb->sk); |
1696 | struct km_event c; | 1687 | struct km_event c; |
1697 | struct xfrm_usersa_flush *p = nlmsg_data(nlh); | 1688 | struct xfrm_usersa_flush *p = nlmsg_data(nlh); |
1698 | struct xfrm_audit audit_info; | ||
1699 | int err; | 1689 | int err; |
1700 | 1690 | ||
1701 | audit_info.loginuid = audit_get_loginuid(current); | 1691 | err = xfrm_state_flush(net, p->proto, true); |
1702 | audit_info.sessionid = audit_get_sessionid(current); | ||
1703 | err = xfrm_state_flush(net, p->proto, &audit_info); | ||
1704 | if (err) { | 1692 | if (err) { |
1705 | if (err == -ESRCH) /* empty table */ | 1693 | if (err == -ESRCH) /* empty table */ |
1706 | return 0; | 1694 | return 0; |
@@ -1884,15 +1872,12 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1884 | struct km_event c; | 1872 | struct km_event c; |
1885 | u8 type = XFRM_POLICY_TYPE_MAIN; | 1873 | u8 type = XFRM_POLICY_TYPE_MAIN; |
1886 | int err; | 1874 | int err; |
1887 | struct xfrm_audit audit_info; | ||
1888 | 1875 | ||
1889 | err = copy_from_user_policy_type(&type, attrs); | 1876 | err = copy_from_user_policy_type(&type, attrs); |
1890 | if (err) | 1877 | if (err) |
1891 | return err; | 1878 | return err; |
1892 | 1879 | ||
1893 | audit_info.loginuid = audit_get_loginuid(current); | 1880 | err = xfrm_policy_flush(net, type, true); |
1894 | audit_info.sessionid = audit_get_sessionid(current); | ||
1895 | err = xfrm_policy_flush(net, type, &audit_info); | ||
1896 | if (err) { | 1881 | if (err) { |
1897 | if (err == -ESRCH) /* empty table */ | 1882 | if (err == -ESRCH) /* empty table */ |
1898 | return 0; | 1883 | return 0; |
@@ -1958,12 +1943,8 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1958 | 1943 | ||
1959 | err = 0; | 1944 | err = 0; |
1960 | if (up->hard) { | 1945 | if (up->hard) { |
1961 | kuid_t loginuid = audit_get_loginuid(current); | ||
1962 | unsigned int sessionid = audit_get_sessionid(current); | ||
1963 | |||
1964 | xfrm_policy_delete(xp, p->dir); | 1946 | xfrm_policy_delete(xp, p->dir); |
1965 | xfrm_audit_policy_delete(xp, 1, loginuid, sessionid); | 1947 | xfrm_audit_policy_delete(xp, 1, true); |
1966 | |||
1967 | } else { | 1948 | } else { |
1968 | // reset the timers here? | 1949 | // reset the timers here? |
1969 | WARN(1, "Dont know what to do with soft policy expire\n"); | 1950 | WARN(1, "Dont know what to do with soft policy expire\n"); |
@@ -1999,11 +1980,8 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
1999 | km_state_expired(x, ue->hard, nlh->nlmsg_pid); | 1980 | km_state_expired(x, ue->hard, nlh->nlmsg_pid); |
2000 | 1981 | ||
2001 | if (ue->hard) { | 1982 | if (ue->hard) { |
2002 | kuid_t loginuid = audit_get_loginuid(current); | ||
2003 | unsigned int sessionid = audit_get_sessionid(current); | ||
2004 | |||
2005 | __xfrm_state_delete(x); | 1983 | __xfrm_state_delete(x); |
2006 | xfrm_audit_state_delete(x, 1, loginuid, sessionid); | 1984 | xfrm_audit_state_delete(x, 1, true); |
2007 | } | 1985 | } |
2008 | err = 0; | 1986 | err = 0; |
2009 | out: | 1987 | out: |
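Review bot: In xfrm_add_sa_expire the audit result is hard-coded — `__xfrm_state_delete(x); xfrm_audit_state_delete(x, 1, true);` logs `res=1` even if the delete did not take effect — whereas xfrm_state_flush in this same series threads the return value (`err = xfrm_state_delete(x); xfrm_audit_state_delete(x, err ? 0 : 1, task_valid);`). This predates the commit, but the line is rewritten here and `err` is reassigned to 0 immediately afterwards, so it is cheap to fix without changing the function's return: `err = __xfrm_state_delete(x); xfrm_audit_state_delete(x, err ? 0 : 1, true);` — assuming `__xfrm_state_delete` reports failure as a negative errno like its locked wrapper; confirm against xfrm_state.c. The same hard-coded `1` appears in xfrm_add_pol_expire in the hunk above, if xfrm_policy_delete likewise returns a result. xfrm_add_sa_expire's body runs past the end of this hunk.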