summaryrefslogtreecommitdiffstats
path: root/net/xfrm
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@woody.osdl.org>2006-12-07 09:05:15 -0800
committerLinus Torvalds <torvalds@woody.osdl.org>2006-12-07 09:05:15 -0800
commit2685b267bce34c9b66626cb11664509c32a761a5 (patch)
treece8b4ad47b4a1aa1b0e7634298d63c4cb0ca46c5 /net/xfrm
parent4522d58275f124105819723e24e912c8e5bf3cdd (diff)
parent272491ef423b6976a230a998b10f46976aa91342 (diff)
downloadlinux-stable-2685b267bce34c9b66626cb11664509c32a761a5.tar.gz
linux-stable-2685b267bce34c9b66626cb11664509c32a761a5.tar.bz2
linux-stable-2685b267bce34c9b66626cb11664509c32a761a5.zip
Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: (48 commits) [NETFILTER]: Fix non-ANSI func. decl. [TG3]: Identify Serdes devices more clearly. [TG3]: Use msleep. [TG3]: Use netif_msg_*. [TG3]: Allow partial speed advertisement. [TG3]: Add TG3_FLG2_IS_NIC flag. [TG3]: Add 5787F device ID. [TG3]: Fix Phy loopback. [WANROUTER]: Kill kmalloc debugging code. [TCP] inet_twdr_hangman: Delete unnecessary memory barrier(). [NET]: Memory barrier cleanups [IPSEC]: Fix inetpeer leak in ipv4 xfrm dst entries. audit: disable ipsec auditing when CONFIG_AUDITSYSCALL=n audit: Add auditing to ipsec [IRDA] irlan: Fix compile warning when CONFIG_PROC_FS=n [IrDA]: Incorrect TTP header reservation [IrDA]: PXA FIR code device model conversion [GENETLINK]: Fix misplaced command flags. [NETLIK]: Add a pointer to the Generic Netlink wiki page. [IPV6] RAW: Don't release unlocked sock. ...
Diffstat (limited to 'net/xfrm')
-rw-r--r--net/xfrm/xfrm_algo.c17
-rw-r--r--net/xfrm/xfrm_policy.c177
-rw-r--r--net/xfrm/xfrm_state.c42
-rw-r--r--net/xfrm/xfrm_user.c33
4 files changed, 219 insertions, 50 deletions
diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index 5a0dbeb6bbe8..6b381fc0383d 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -119,6 +119,23 @@ static struct xfrm_algo_desc aalg_list[] = {
.sadb_alg_maxbits = 160
}
},
+{
+ .name = "xcbc(aes)",
+
+ .uinfo = {
+ .auth = {
+ .icv_truncbits = 96,
+ .icv_fullbits = 128,
+ }
+ },
+
+ .desc = {
+ .sadb_alg_id = SADB_X_AALG_AES_XCBC_MAC,
+ .sadb_alg_ivlen = 0,
+ .sadb_alg_minbits = 128,
+ .sadb_alg_maxbits = 128
+ }
+},
};
static struct xfrm_algo_desc ealg_list[] = {
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 3f3f563eb4ab..bebd40e5a62e 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -25,6 +25,7 @@
#include <linux/cache.h>
#include <net/xfrm.h>
#include <net/ip.h>
+#include <linux/audit.h>
#include "xfrm_hash.h"
@@ -804,7 +805,7 @@ struct xfrm_policy *xfrm_policy_byid(u8 type, int dir, u32 id, int delete)
}
EXPORT_SYMBOL(xfrm_policy_byid);
-void xfrm_policy_flush(u8 type)
+void xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
{
int dir;
@@ -824,6 +825,9 @@ void xfrm_policy_flush(u8 type)
hlist_del(&pol->byidx);
write_unlock_bh(&xfrm_policy_lock);
+ xfrm_audit_log(audit_info->loginuid, audit_info->secid,
+ AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL);
+
xfrm_policy_kill(pol);
killed++;
@@ -842,6 +846,11 @@ void xfrm_policy_flush(u8 type)
hlist_del(&pol->byidx);
write_unlock_bh(&xfrm_policy_lock);
+ xfrm_audit_log(audit_info->loginuid,
+ audit_info->secid,
+ AUDIT_MAC_IPSEC_DELSPD, 1,
+ pol, NULL);
+
xfrm_policy_kill(pol);
killed++;
@@ -860,33 +869,12 @@ EXPORT_SYMBOL(xfrm_policy_flush);
int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*),
void *data)
{
- struct xfrm_policy *pol;
+ struct xfrm_policy *pol, *last = NULL;
struct hlist_node *entry;
- int dir, count, error;
+ int dir, last_dir = 0, count, error;
read_lock_bh(&xfrm_policy_lock);
count = 0;
- for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
- struct hlist_head *table = xfrm_policy_bydst[dir].table;
- int i;
-
- hlist_for_each_entry(pol, entry,
- &xfrm_policy_inexact[dir], bydst) {
- if (pol->type == type)
- count++;
- }
- for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
- hlist_for_each_entry(pol, entry, table + i, bydst) {
- if (pol->type == type)
- count++;
- }
- }
- }
-
- if (count == 0) {
- error = -ENOENT;
- goto out;
- }
for (dir = 0; dir < 2*XFRM_POLICY_MAX; dir++) {
struct hlist_head *table = xfrm_policy_bydst[dir].table;
@@ -896,21 +884,37 @@ int xfrm_policy_walk(u8 type, int (*func)(struct xfrm_policy *, int, int, void*)
&xfrm_policy_inexact[dir], bydst) {
if (pol->type != type)
continue;
- error = func(pol, dir % XFRM_POLICY_MAX, --count, data);
- if (error)
- goto out;
+ if (last) {
+ error = func(last, last_dir % XFRM_POLICY_MAX,
+ count, data);
+ if (error)
+ goto out;
+ }
+ last = pol;
+ last_dir = dir;
+ count++;
}
for (i = xfrm_policy_bydst[dir].hmask; i >= 0; i--) {
hlist_for_each_entry(pol, entry, table + i, bydst) {
if (pol->type != type)
continue;
- error = func(pol, dir % XFRM_POLICY_MAX, --count, data);
- if (error)
- goto out;
+ if (last) {
+ error = func(last, last_dir % XFRM_POLICY_MAX,
+ count, data);
+ if (error)
+ goto out;
+ }
+ last = pol;
+ last_dir = dir;
+ count++;
}
}
}
- error = 0;
+ if (count == 0) {
+ error = -ENOENT;
+ goto out;
+ }
+ error = func(last, last_dir % XFRM_POLICY_MAX, 0, data);
out:
read_unlock_bh(&xfrm_policy_lock);
return error;
@@ -1982,6 +1986,117 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
EXPORT_SYMBOL(xfrm_bundle_ok);
+#ifdef CONFIG_AUDITSYSCALL
+/* Audit addition and deletion of SAs and ipsec policy */
+
+void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
+ struct xfrm_policy *xp, struct xfrm_state *x)
+{
+
+ char *secctx;
+ u32 secctx_len;
+ struct xfrm_sec_ctx *sctx = NULL;
+ struct audit_buffer *audit_buf;
+ int family;
+ extern int audit_enabled;
+
+ if (audit_enabled == 0)
+ return;
+
+ audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
+ if (audit_buf == NULL)
+ return;
+
+ switch(type) {
+ case AUDIT_MAC_IPSEC_ADDSA:
+ audit_log_format(audit_buf, "SAD add: auid=%u", auid);
+ break;
+ case AUDIT_MAC_IPSEC_DELSA:
+ audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
+ break;
+ case AUDIT_MAC_IPSEC_ADDSPD:
+ audit_log_format(audit_buf, "SPD add: auid=%u", auid);
+ break;
+ case AUDIT_MAC_IPSEC_DELSPD:
+ audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
+ break;
+ default:
+ return;
+ }
+
+ if (sid != 0 &&
+ security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
+ audit_log_format(audit_buf, " subj=%s", secctx);
+ else
+ audit_log_task_context(audit_buf);
+
+ if (xp) {
+ family = xp->selector.family;
+ if (xp->security)
+ sctx = xp->security;
+ } else {
+ family = x->props.family;
+ if (x->security)
+ sctx = x->security;
+ }
+
+ if (sctx)
+ audit_log_format(audit_buf,
+ " sec_alg=%u sec_doi=%u sec_obj=%s",
+ sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str);
+
+ switch(family) {
+ case AF_INET:
+ {
+ struct in_addr saddr, daddr;
+ if (xp) {
+ saddr.s_addr = xp->selector.saddr.a4;
+ daddr.s_addr = xp->selector.daddr.a4;
+ } else {
+ saddr.s_addr = x->props.saddr.a4;
+ daddr.s_addr = x->id.daddr.a4;
+ }
+ audit_log_format(audit_buf,
+ " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
+ NIPQUAD(saddr), NIPQUAD(daddr));
+ }
+ break;
+ case AF_INET6:
+ {
+ struct in6_addr saddr6, daddr6;
+ if (xp) {
+ memcpy(&saddr6, xp->selector.saddr.a6,
+ sizeof(struct in6_addr));
+ memcpy(&daddr6, xp->selector.daddr.a6,
+ sizeof(struct in6_addr));
+ } else {
+ memcpy(&saddr6, x->props.saddr.a6,
+ sizeof(struct in6_addr));
+ memcpy(&daddr6, x->id.daddr.a6,
+ sizeof(struct in6_addr));
+ }
+ audit_log_format(audit_buf,
+ " src=" NIP6_FMT "dst=" NIP6_FMT,
+ NIP6(saddr6), NIP6(daddr6));
+ }
+ break;
+ }
+
+ if (x)
+ audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
+ (unsigned long)ntohl(x->id.spi),
+ (unsigned long)ntohl(x->id.spi),
+ x->id.proto == IPPROTO_AH ? "AH" :
+ (x->id.proto == IPPROTO_ESP ?
+ "ESP" : "IPCOMP"));
+
+ audit_log_format(audit_buf, " res=%u", result);
+ audit_log_end(audit_buf);
+}
+
+EXPORT_SYMBOL(xfrm_audit_log);
+#endif /* CONFIG_AUDITSYSCALL */
+
int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
{
int err = 0;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index da54a64ccfa3..fdb08d9f34aa 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -20,6 +20,7 @@
#include <linux/module.h>
#include <linux/cache.h>
#include <asm/uaccess.h>
+#include <linux/audit.h>
#include "xfrm_hash.h"
@@ -238,6 +239,7 @@ static void xfrm_timer_handler(unsigned long data)
unsigned long now = (unsigned long)xtime.tv_sec;
long next = LONG_MAX;
int warn = 0;
+ int err = 0;
spin_lock(&x->lock);
if (x->km.state == XFRM_STATE_DEAD)
@@ -295,9 +297,14 @@ expired:
next = 2;
goto resched;
}
- if (!__xfrm_state_delete(x) && x->id.spi)
+
+ err = __xfrm_state_delete(x);
+ if (!err && x->id.spi)
km_state_expired(x, 1, 0);
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+
out:
spin_unlock(&x->lock);
}
@@ -384,9 +391,10 @@ int xfrm_state_delete(struct xfrm_state *x)
}
EXPORT_SYMBOL(xfrm_state_delete);
-void xfrm_state_flush(u8 proto)
+void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
{
int i;
+ int err = 0;
spin_lock_bh(&xfrm_state_lock);
for (i = 0; i <= xfrm_state_hmask; i++) {
@@ -399,7 +407,11 @@ restart:
xfrm_state_hold(x);
spin_unlock_bh(&xfrm_state_lock);
- xfrm_state_delete(x);
+ err = xfrm_state_delete(x);
+ xfrm_audit_log(audit_info->loginuid,
+ audit_info->secid,
+ AUDIT_MAC_IPSEC_DELSA,
+ err ? 0 : 1, NULL, x);
xfrm_state_put(x);
spin_lock_bh(&xfrm_state_lock);
@@ -1099,7 +1111,7 @@ int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*),
void *data)
{
int i;
- struct xfrm_state *x;
+ struct xfrm_state *x, *last = NULL;
struct hlist_node *entry;
int count = 0;
int err = 0;
@@ -1107,24 +1119,22 @@ int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*),
spin_lock_bh(&xfrm_state_lock);
for (i = 0; i <= xfrm_state_hmask; i++) {
hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
- if (xfrm_id_proto_match(x->id.proto, proto))
- count++;
+ if (!xfrm_id_proto_match(x->id.proto, proto))
+ continue;
+ if (last) {
+ err = func(last, count, data);
+ if (err)
+ goto out;
+ }
+ last = x;
+ count++;
}
}
if (count == 0) {
err = -ENOENT;
goto out;
}
-
- for (i = 0; i <= xfrm_state_hmask; i++) {
- hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
- if (!xfrm_id_proto_match(x->id.proto, proto))
- continue;
- err = func(x, --count, data);
- if (err)
- goto out;
- }
- }
+ err = func(last, 0, data);
out:
spin_unlock_bh(&xfrm_state_lock);
return err;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 311205ffa775..e5372b11fc8f 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -31,6 +31,7 @@
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
#include <linux/in6.h>
#endif
+#include <linux/audit.h>
static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type)
{
@@ -454,6 +455,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
else
err = xfrm_state_update(x);
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
__xfrm_state_put(x);
@@ -523,6 +527,10 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
}
err = xfrm_state_delete(x);
+
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+
if (err < 0)
goto out;
@@ -1030,6 +1038,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
* a type XFRM_MSG_UPDPOLICY - JHS */
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
if (err) {
security_xfrm_policy_free(xp);
kfree(xp);
@@ -1257,6 +1268,10 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
security_xfrm_policy_free(&tmp);
}
+ if (delete)
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
+
if (xp == NULL)
return -ENOENT;
@@ -1291,8 +1306,11 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma
{
struct km_event c;
struct xfrm_usersa_flush *p = NLMSG_DATA(nlh);
+ struct xfrm_audit audit_info;
- xfrm_state_flush(p->proto);
+ audit_info.loginuid = NETLINK_CB(skb).loginuid;
+ audit_info.secid = NETLINK_CB(skb).sid;
+ xfrm_state_flush(p->proto, &audit_info);
c.data.proto = p->proto;
c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
@@ -1442,12 +1460,15 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **x
struct km_event c;
u8 type = XFRM_POLICY_TYPE_MAIN;
int err;
+ struct xfrm_audit audit_info;
err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);
if (err)
return err;
- xfrm_policy_flush(type);
+ audit_info.loginuid = NETLINK_CB(skb).loginuid;
+ audit_info.secid = NETLINK_CB(skb).sid;
+ xfrm_policy_flush(type, &audit_info);
c.data.type = type;
c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
@@ -1502,6 +1523,9 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void *
err = 0;
if (up->hard) {
xfrm_policy_delete(xp, p->dir);
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
+
} else {
// reset the timers here?
printk("Dont know what to do with soft policy expire\n");
@@ -1533,8 +1557,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void **
goto out;
km_state_expired(x, ue->hard, current->pid);
- if (ue->hard)
+ if (ue->hard) {
__xfrm_state_delete(x);
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSA, 1, NULL, x);
+ }
out:
spin_unlock_bh(&x->lock);
xfrm_state_put(x);