This patch modifies xfrm_audit_log() such that it
can accommodate auditing other ipsec events
besides add/delete of an SA or SPD entry.
This is a small change to accommodate updating
ipsec protocol to RFCs 4301, 4302 and 4303 which
require auditing some ipsec events if auditing
is available. Please let me know if ok.
I tested with selinux/labeled-ipsec/plain-ipsec and plain ipsec
without selinux. Also compiled and tested with auditing disabled.
Regards,
Joy
Signed-off-by: Joy Latten <[EMAIL PROTECTED]>
diff -urpN linux-2.6.22/include/linux/audit.h
linux-2.6.22.patch/include/linux/audit.h
--- linux-2.6.22/include/linux/audit.h 2007-07-19 13:17:22.0 -0500
+++ linux-2.6.22.patch/include/linux/audit.h2007-07-19 13:21:29.0
-0500
@@ -108,10 +108,7 @@
#define AUDIT_MAC_CIPSOV4_DEL 1408/* NetLabel: del CIPSOv4 DOI entry */
#define AUDIT_MAC_MAP_ADD 1409/* NetLabel: add LSM domain mapping */
#define AUDIT_MAC_MAP_DEL 1410/* NetLabel: del LSM domain mapping */
-#define AUDIT_MAC_IPSEC_ADDSA 1411/* Add a XFRM state */
-#define AUDIT_MAC_IPSEC_DELSA 1412/* Delete a XFRM state */
-#define AUDIT_MAC_IPSEC_ADDSPD 1413/* Add a XFRM policy */
-#define AUDIT_MAC_IPSEC_DELSPD 1414/* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_EVENT 1411/* Audit IPSec events */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG1799
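Review bot: Reusing 1411 for AUDIT_MAC_IPSEC_EVENT while dropping AUDIT_MAC_IPSEC_ADDSA/DELSA/ADDSPD/DELSPD changes what an existing record type number means to audit consumers, since the record types in include/linux/audit.h are read by userspace tools; a log reader that already treats 1411 as "add SA" will now receive delete and SPD events under the same number, and 1412-1414 become free to be reassigned to something unrelated later. Keeping the four old defines in place (even if the kernel no longer emits them) and giving the new event a fresh number would preserve the existing mapping. At minimum, a comment reserving the gap, e.g. `/* 1412-1414: formerly AUDIT_MAC_IPSEC_{DELSA,ADDSPD,DELSPD}, do not reuse */`, documents why those values are skipped.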
diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22.patch/include/net/xfrm.h
--- linux-2.6.22/include/net/xfrm.h 2007-07-19 13:17:22.0 -0500
+++ linux-2.6.22.patch/include/net/xfrm.h 2007-07-19 13:21:29.0
-0500
@@ -427,9 +427,11 @@ struct xfrm_audit
#ifdef CONFIG_AUDITSYSCALL
extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
- struct xfrm_policy *xp, struct xfrm_state *x);
+ u16 family, xfrm_address_t saddr,
+ xfrm_address_t daddr, __be32 spi, __be32 flowid,
+ struct xfrm_sec_ctx *sctx, char *buf);
#else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_log(a,i,t,r,f,s,d,p,l,c,b) do { ; } while (0)
#endif /* CONFIG_AUDITSYSCALL */
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
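Review bot: The new `buf` parameter should be declared `const char *buf` rather than `char *buf`: every visible caller in this patch passes a string literal ("SAD add", "SPD delete", ...), and a const-qualified prototype documents that xfrm_audit_log only reads the description and lets the compiler enforce that it is never written through. `struct xfrm_sec_ctx *sctx` can be const-qualified for the same reason. Passing the two xfrm_address_t arguments by value copies the whole union at each call site; pointers would be more conventional in this header, though that is a style choice rather than a defect. The `#else` macro variant discards all eleven arguments unevaluated, as the old six-argument form did, so a future caller must not rely on side effects in an argument when CONFIG_AUDITSYSCALL is off. The xfrm_pol_hold definition on the last context line continues outside the hunk.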
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.patch/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c 2007-07-08 18:32:17.0 -0500
+++ linux-2.6.22.patch/net/key/af_key.c 2007-07-19 13:21:30.0 -0500
@@ -1459,7 +1459,9 @@ static int pfkey_add(struct sock *sk, st
err = xfrm_state_update(x);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security, "SAD add");
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
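Review bot: The event kind is now carried only by the free-form string literal passed as the last argument ("SAD add" here, and "SAD delete", "SPD add", "SPD delete" in the pfkey_delete, pfkey_spdadd and pfkey_spddelete hunks below), so anything that filtered audit records by the former ADDSA/DELSA/ADDSPD/DELSPD type must now match on text, and a spelling drift between call sites would silently split one event kind into two. Defining the four descriptions once as shared constants next to the xfrm_audit_log prototype, and passing those instead of repeating the literals, keeps the spellings stable across call sites. The `flowid` argument is a literal 0 for the SA events; if it genuinely does not apply to SA records, a short comment such as `/* flowid: not applicable to SA events */` would make that intentional rather than looking like a placeholder. The pfkey_delete hunk also adds a stray blank line after the call. pfkey_add begins before the hunk.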
@@ -1513,7 +1515,10 @@ static int pfkey_delete(struct sock *sk,
km_state_notify(x, &c);
out:
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, x->props.family,
+ x->props.saddr, x->id.daddr, x->id.spi, 0,
+ x->security, "SAD delete");
+
xfrm_state_put(x);
return err;
@@ -2266,7 +2271,9 @@ static int pfkey_spdadd(struct sock *sk,
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD add");
if (err)
goto out;
@@ -2350,7 +2357,9 @@ static int pfkey_spddelete(struct sock *
return -ENOENT;
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD delete");
if (err)
goto out;
@@ -2611,7 +2620,10 @@ static int pfkey_spdget(struct sock *sk,
if (delete) {
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->sec