diff options
author | Joy Latten <latten@austin.ibm.com> | 2007-09-17 11:51:22 -0700 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-10 16:49:02 -0700 |
commit | ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce (patch) | |
tree | bf3915a618b29f507d882e9c665ed9d07e7c0765 /include | |
parent | d2e9117c7aa9544d910634e17e3519fd67155229 (diff) | |
download | linux-ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce.tar.gz linux-ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce.tar.bz2 linux-ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce.zip |
[XFRM]: xfrm audit calls
This patch modifies the current ipsec audit layer
by breaking it up into purpose driven audit calls.
So far, the only audit calls made are when add/delete
an SA/policy. It had been discussed to give each
key manager it's own calls to do this, but I found
there to be much redundnacy since they did the exact
same things, except for how they got auid and sid, so I
combined them. The below audit calls can be made by any
key manager. Hopefully, this is ok.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/audit.h | 9 | ||||
-rw-r--r-- | include/net/xfrm.h | 40 |
2 files changed, 41 insertions, 8 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index d6579df8dadf..9ae740936a65 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -108,10 +108,11 @@ #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ -#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */ -#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */ -#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */ -#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */ +#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Not used */ +#define AUDIT_MAC_IPSEC_DELSA 1412 /* Not used */ +#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Not used */ +#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Not used */ +#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/include/net/xfrm.h b/include/net/xfrm.h index a5f80bfbaaa4..760d2432be6b 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -12,6 +12,7 @@ #include <linux/ipsec.h> #include <linux/in6.h> #include <linux/mutex.h> +#include <linux/audit.h> #include <net/sock.h> #include <net/dst.h> @@ -421,15 +422,46 @@ extern unsigned int xfrm_policy_count[XFRM_POLICY_MAX*2]; /* Audit Information */ struct xfrm_audit { - uid_t loginuid; + u32 loginuid; u32 secid; }; #ifdef CONFIG_AUDITSYSCALL -extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, - struct xfrm_policy *xp, struct xfrm_state *x); +static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid) +{ + struct audit_buffer *audit_buf = NULL; + char *secctx; + u32 secctx_len; + + audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, + AUDIT_MAC_IPSEC_EVENT); + if (audit_buf == NULL) + return NULL; + + audit_log_format(audit_buf, "auid=%u", auid); + + if (sid != 0 && + security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) { + audit_log_format(audit_buf, " subj=%s", secctx); + security_release_secctx(secctx, secctx_len); + } else + audit_log_task_context(audit_buf); + return audit_buf; +} + +extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, + u32 auid, u32 sid); +extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, + u32 auid, u32 sid); +extern void xfrm_audit_state_add(struct xfrm_state *x, int result, + u32 auid, u32 sid); +extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, + u32 auid, u32 sid); #else -#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0) +#define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) +#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) +#define xfrm_audit_state_add(x, r, a, s) do { ; } while (0) +#define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0) #endif /* CONFIG_AUDITSYSCALL */ static inline void xfrm_pol_hold(struct xfrm_policy *policy) |