This patch modifies xfrm_audit_log() such that it 
can accomodate auditing other ipsec events
besides add/delete of an SA or SPD entry. 

This is a small change to accomodate updating 
ipsec protocol to RFCs 4301, 4302 and 4303 which
require auditing some ipsec events if auditing
is available. Please let me know if ok.

I tested with selinux/labeled-ipsec/plain-ipsec and plain ipsec
without selinux. Also compiled and tested with auditing disabled.

Regards,
Joy

Signed-off-by: Joy Latten <[EMAIL PROTECTED]>
 

diff -urpN linux-2.6.22/include/linux/audit.h 
linux-2.6.22.patch/include/linux/audit.h
--- linux-2.6.22/include/linux/audit.h  2007-07-19 13:17:22.000000000 -0500
+++ linux-2.6.22.patch/include/linux/audit.h    2007-07-19 13:21:29.000000000 
-0500
@@ -108,10 +108,7 @@
 #define AUDIT_MAC_CIPSOV4_DEL  1408    /* NetLabel: del CIPSOv4 DOI entry */
 #define AUDIT_MAC_MAP_ADD      1409    /* NetLabel: add LSM domain mapping */
 #define AUDIT_MAC_MAP_DEL      1410    /* NetLabel: del LSM domain mapping */
-#define AUDIT_MAC_IPSEC_ADDSA  1411    /* Add a XFRM state */
-#define AUDIT_MAC_IPSEC_DELSA  1412    /* Delete a XFRM state */
-#define AUDIT_MAC_IPSEC_ADDSPD 1413    /* Add a XFRM policy */
-#define AUDIT_MAC_IPSEC_DELSPD 1414    /* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_EVENT  1411    /* Audit IPSec events */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG    1799
diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22.patch/include/net/xfrm.h
--- linux-2.6.22/include/net/xfrm.h     2007-07-19 13:17:22.000000000 -0500
+++ linux-2.6.22.patch/include/net/xfrm.h       2007-07-19 13:21:29.000000000 
-0500
@@ -427,9 +427,11 @@ struct xfrm_audit
 
 #ifdef CONFIG_AUDITSYSCALL
 extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
-                   struct xfrm_policy *xp, struct xfrm_state *x);
+                          u16 family, xfrm_address_t saddr, 
+                          xfrm_address_t daddr, __be32 spi, __be32 flowid, 
+                          struct xfrm_sec_ctx *sctx, char *buf);
 #else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_log(a,i,t,r,f,s,d,p,l,c,b) do { ; } while (0)
 #endif /* CONFIG_AUDITSYSCALL */
 
 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.patch/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c       2007-07-08 18:32:17.000000000 -0500
+++ linux-2.6.22.patch/net/key/af_key.c 2007-07-19 13:21:30.000000000 -0500
@@ -1459,7 +1459,9 @@ static int pfkey_add(struct sock *sk, st
                err = xfrm_state_update(x);
 
        xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-                      AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+                      AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+                      x->props.family, x->props.saddr, x->id.daddr, 
+                      x->id.spi, 0, x->security, "SAD add");
 
        if (err < 0) {
                x->km.state = XFRM_STATE_DEAD;
@@ -1513,7 +1515,10 @@ static int pfkey_delete(struct sock *sk,
        km_state_notify(x, &c);
 out:
        xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-                      AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+                      AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, x->props.family,
+                      x->props.saddr, x->id.daddr, x->id.spi, 0,
+                      x->security, "SAD delete");
+
        xfrm_state_put(x);
 
        return err;
@@ -2266,7 +2271,9 @@ static int pfkey_spdadd(struct sock *sk,
                                 hdr->sadb_msg_type != SADB_X_SPDUPDATE);
 
        xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-                      AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
+                      AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+                      xp->selector.family, xp->selector.saddr,
+                      xp->selector.daddr, 0, 0, xp->security, "SPD add");
 
        if (err)
                goto out;
@@ -2350,7 +2357,9 @@ static int pfkey_spddelete(struct sock *
                return -ENOENT;
 
        xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-                      AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+                      AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+                      xp->selector.family, xp->selector.saddr,
+                      xp->selector.daddr, 0, 0, xp->security, "SPD delete");
 
        if (err)
                goto out;
@@ -2611,7 +2620,10 @@ static int pfkey_spdget(struct sock *sk,
 
        if (delete) {
                xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-                              AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+                              AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+                              xp->selector.family, xp->selector.saddr,
+                              xp->selector.daddr, 0, 0, xp->security,
+                              "SPD delete");
 
                if (err)
                        goto out;
diff -urpN linux-2.6.22/net/xfrm/xfrm_policy.c 
linux-2.6.22.patch/net/xfrm/xfrm_policy.c
--- linux-2.6.22/net/xfrm/xfrm_policy.c 2007-07-19 13:17:23.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_policy.c   2007-07-19 13:21:30.000000000 
-0500
@@ -853,8 +853,11 @@ xfrm_policy_flush_secctx_check(u8 type, 
                        if (err) {
                                xfrm_audit_log(audit_info->loginuid,
                                               audit_info->secid,
-                                              AUDIT_MAC_IPSEC_DELSPD, 0,
-                                              pol, NULL);
+                                              AUDIT_MAC_IPSEC_EVENT, 0,
+                                              pol->selector.family, 
+                                              pol->selector.saddr, 
+                                              pol->selector.daddr, 0, 0,
+                                              pol->security, "SPD delete");
                                return err;
                        }
                 }
@@ -868,8 +871,12 @@ xfrm_policy_flush_secctx_check(u8 type, 
                                if (err) {
                                        xfrm_audit_log(audit_info->loginuid,
                                                       audit_info->secid,
-                                                      AUDIT_MAC_IPSEC_DELSPD,
-                                                      0, pol, NULL);
+                                                      AUDIT_MAC_IPSEC_EVENT,
+                                                      0, pol->selector.family, 
+                                                      pol->selector.saddr, 
+                                                      pol->selector.daddr, 
+                                                      0, 0, pol->security, 
+                                                      "SPD delete");
                                        return err;
                                }
                        }
@@ -911,7 +918,11 @@ int xfrm_policy_flush(u8 type, struct xf
                        write_unlock_bh(&xfrm_policy_lock);
 
                        xfrm_audit_log(audit_info->loginuid, audit_info->secid,
-                                      AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL);
+                                      AUDIT_MAC_IPSEC_EVENT, 1, 
+                                      pol->selector.family,
+                                      pol->selector.saddr,
+                                      pol->selector.daddr, 0, 0,
+                                      pol->security, "SPD delete");
 
                        xfrm_policy_kill(pol);
                        killed++;
@@ -933,8 +944,11 @@ int xfrm_policy_flush(u8 type, struct xf
 
                                xfrm_audit_log(audit_info->loginuid,
                                               audit_info->secid,
-                                              AUDIT_MAC_IPSEC_DELSPD, 1,
-                                              pol, NULL);
+                                              AUDIT_MAC_IPSEC_EVENT, 1,
+                                              pol->selector.family,
+                                              pol->selector.saddr,
+                                              pol->selector.daddr, 0, 0,
+                                              pol->security, "SPD delete");
 
                                xfrm_policy_kill(pol);
                                killed++;
@@ -2154,44 +2168,23 @@ EXPORT_SYMBOL(xfrm_bundle_ok);
 /* Audit addition and deletion of SAs and ipsec policy */
 
 void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
-                   struct xfrm_policy *xp, struct xfrm_state *x)
+                    u16 family, xfrm_address_t saddr, xfrm_address_t daddr,
+                    __be32 spi, __be32 flowlabel, struct xfrm_sec_ctx *sctx,
+                    char *buf)
 {
-
        char *secctx;
        u32 secctx_len;
-       struct xfrm_sec_ctx *sctx = NULL;
        struct audit_buffer *audit_buf;
-       int family;
        extern int audit_enabled;
 
        if (audit_enabled == 0)
                return;
 
-       BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
-               type == AUDIT_MAC_IPSEC_DELSA) && !x);
-       BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
-               type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
-
        audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
        if (audit_buf == NULL)
                return;
 
-       switch(type) {
-       case AUDIT_MAC_IPSEC_ADDSA:
-               audit_log_format(audit_buf, "SAD add: auid=%u", auid);
-               break;
-       case AUDIT_MAC_IPSEC_DELSA:
-               audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
-               break;
-       case AUDIT_MAC_IPSEC_ADDSPD:
-               audit_log_format(audit_buf, "SPD add: auid=%u", auid);
-               break;
-       case AUDIT_MAC_IPSEC_DELSPD:
-               audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
-               break;
-       default:
-               return;
-       }
+       audit_log_format(audit_buf, "%s: auid=%u", buf, auid);
 
        if (sid != 0 &&
                security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
@@ -2199,16 +2192,6 @@ void xfrm_audit_log(uid_t auid, u32 sid,
        else
                audit_log_task_context(audit_buf);
 
-       if (xp) {
-               family = xp->selector.family;
-               if (xp->security)
-                       sctx = xp->security;
-       } else {
-               family = x->props.family;
-               if (x->security)
-                       sctx = x->security;
-       }
-
        if (sctx)
                audit_log_format(audit_buf,
                                " sec_alg=%u sec_doi=%u sec_obj=%s",
@@ -2216,48 +2199,24 @@ void xfrm_audit_log(uid_t auid, u32 sid,
 
        switch(family) {
        case AF_INET:
-               {
-                       struct in_addr saddr, daddr;
-                       if (xp) {
-                               saddr.s_addr = xp->selector.saddr.a4;
-                               daddr.s_addr = xp->selector.daddr.a4;
-                       } else {
-                               saddr.s_addr = x->props.saddr.a4;
-                               daddr.s_addr = x->id.daddr.a4;
-                       }
-                       audit_log_format(audit_buf,
-                                        " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
-                                        NIPQUAD(saddr), NIPQUAD(daddr));
-               }
-                       break;
+               audit_log_format(audit_buf,
+                                " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT,
+                                NIPQUAD(saddr.a4), NIPQUAD(daddr.a4));
+               break;
        case AF_INET6:
-               {
-                       struct in6_addr saddr6, daddr6;
-                       if (xp) {
-                               memcpy(&saddr6, xp->selector.saddr.a6,
-                                       sizeof(struct in6_addr));
-                               memcpy(&daddr6, xp->selector.daddr.a6,
-                                       sizeof(struct in6_addr));
-                       } else {
-                               memcpy(&saddr6, x->props.saddr.a6,
-                                       sizeof(struct in6_addr));
-                               memcpy(&daddr6, x->id.daddr.a6,
-                                       sizeof(struct in6_addr));
-                       }
-                       audit_log_format(audit_buf,
-                                        " src=" NIP6_FMT " dst=" NIP6_FMT,
-                                        NIP6(saddr6), NIP6(daddr6));
-               }
+               audit_log_format(audit_buf, " src=" NIP6_FMT " dst=" NIP6_FMT,
+                                NIP6(*((struct in6_addr *)&saddr.a6)),
+                                NIP6(*((struct in6_addr *)&daddr.a6)));
                break;
        }
 
-       if (x)
-               audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
-                               (unsigned long)ntohl(x->id.spi),
-                               (unsigned long)ntohl(x->id.spi),
-                               x->id.proto == IPPROTO_AH ? "AH" :
-                               (x->id.proto == IPPROTO_ESP ?
-                               "ESP" : "IPCOMP"));
+       if (flowlabel)
+               audit_log_format(audit_buf, " flowlabel=%u", flowlabel);
+
+       if (spi)
+               audit_log_format(audit_buf, " spi=%lu(0x%lx)",
+                               (unsigned long)ntohl(spi),
+                               (unsigned long)ntohl(spi));
 
        audit_log_format(audit_buf, " res=%u", result);
        audit_log_end(audit_buf);
diff -urpN linux-2.6.22/net/xfrm/xfrm_state.c 
linux-2.6.22.patch/net/xfrm/xfrm_state.c
--- linux-2.6.22/net/xfrm/xfrm_state.c  2007-07-19 13:17:23.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_state.c    2007-07-19 13:21:30.000000000 
-0500
@@ -303,7 +303,9 @@ expired:
                km_state_expired(x, 1, 0);
 
        xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-                      AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+                      AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+                      x->props.family, x->props.saddr, x->id.daddr, x->id.spi,
+                      0, x->security, "SAD delete");
 
 out:
        spin_unlock(&x->lock);
@@ -406,8 +408,10 @@ xfrm_state_flush_secctx_check(u8 proto, 
                           (err = security_xfrm_state_delete(x)) != 0) {
                                xfrm_audit_log(audit_info->loginuid,
                                               audit_info->secid,
-                                              AUDIT_MAC_IPSEC_DELSA,
-                                               0, NULL, x);
+                                              AUDIT_MAC_IPSEC_EVENT, 0, 
+                                              x->props.family, x->props.saddr,
+                                              x->id.daddr, x->id.spi, 0,
+                                              x->security, "SAD delete");
 
                                return err;
                        }
@@ -446,8 +450,11 @@ restart:
                                err = xfrm_state_delete(x);
                                xfrm_audit_log(audit_info->loginuid,
                                               audit_info->secid,
-                                              AUDIT_MAC_IPSEC_DELSA,
-                                              err ? 0 : 1, NULL, x);
+                                              AUDIT_MAC_IPSEC_EVENT, 
+                                              err ? 0 : 1, x->props.family,
+                                              x->props.saddr, x->id.daddr,
+                                              x->id.spi, 0, x->security,
+                                              "SAD delete");
                                xfrm_state_put(x);
 
                                spin_lock_bh(&xfrm_state_lock);
diff -urpN linux-2.6.22/net/xfrm/xfrm_user.c 
linux-2.6.22.patch/net/xfrm/xfrm_user.c
--- linux-2.6.22/net/xfrm/xfrm_user.c   2007-07-08 18:32:17.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_user.c     2007-07-19 13:21:30.000000000 
-0500
@@ -456,7 +456,9 @@ static int xfrm_add_sa(struct sk_buff *s
                err = xfrm_state_update(x);
 
        xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-                      AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+                      AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+                      x->props.family, x->props.saddr, x->id.daddr, 
+                      x->id.spi, 0, x->security, "SAD add");
 
        if (err < 0) {
                x->km.state = XFRM_STATE_DEAD;
@@ -539,7 +541,9 @@ static int xfrm_del_sa(struct sk_buff *s
 
 out:
        xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-                      AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+                      AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+                      x->props.family, x->props.saddr, x->id.daddr, 
+                      x->id.spi, 0, x->security, "SAD delete");
        xfrm_state_put(x);
        return err;
 }
@@ -1149,7 +1153,9 @@ static int xfrm_add_policy(struct sk_buf
        excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
        err = xfrm_policy_insert(p->dir, xp, excl);
        xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-                      AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+                      AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+                      xp->selector.family, xp->selector.saddr, 
+                      xp->selector.daddr, 0, 0, xp->security, "SPD delete");
 
        if (err) {
                security_xfrm_policy_free(xp);
@@ -1395,7 +1401,10 @@ static int xfrm_get_policy(struct sk_buf
                }
        } else {
                xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-                              AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+                              AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+                              xp->selector.family, xp->selector.saddr,
+                              xp->selector.daddr, 0, 0, xp->security,
+                              "SPD delete");
 
                if (err != 0)
                        goto out;
@@ -1644,8 +1653,9 @@ static int xfrm_add_pol_expire(struct sk
        if (up->hard) {
                xfrm_policy_delete(xp, p->dir);
                xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-                               AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
-
+                              AUDIT_MAC_IPSEC_EVENT, 1, xp->selector.family,
+                              xp->selector.saddr, xp->selector.daddr, 0, 0,
+                              xp->security, "SPD delete");
        } else {
                // reset the timers here?
                printk("Dont know what to do with soft policy expire\n");
@@ -1680,7 +1690,9 @@ static int xfrm_add_sa_expire(struct sk_
        if (ue->hard) {
                __xfrm_state_delete(x);
                xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-                              AUDIT_MAC_IPSEC_DELSA, 1, NULL, x);
+                              AUDIT_MAC_IPSEC_EVENT, 1, x->props.family,
+                              x->props.saddr, x->id.daddr, x->id.spi, 0,
+                              x->security, "SAD delete");
        }
        err = 0;
 out:
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to