Re: [PATCH] make xfrm_audit_log more generic

2007-07-23 Thread Steve Grubb
On Monday 23 July 2007 13:49:17 Joy Latten wrote:
> > Will this cause existing applications to break?
>
> Perhaps someone in audit list could help answer this.

Probably. It's better to take a new number and let the old ones sit idle.

-Steve



Re: [PATCH] make xfrm_audit_log more generic

2007-07-23 Thread Joy Latten
On Thu, 2007-07-19 at 21:45 -0400, James Morris wrote:
> On Thu, 19 Jul 2007, Joy Latten wrote:
> 
> > --- linux-2.6.22/include/linux/audit.h  2007-07-19 13:17:22.0 
> > -0500
> > +++ linux-2.6.22.patch/include/linux/audit.h2007-07-19 
> > 13:21:29.0 -0500
> > @@ -108,10 +108,7 @@
> >  #define AUDIT_MAC_CIPSOV4_DEL  1408/* NetLabel: del CIPSOv4 DOI 
> > entry */
> >  #define AUDIT_MAC_MAP_ADD  1409/* NetLabel: add LSM domain mapping */
> >  #define AUDIT_MAC_MAP_DEL  1410/* NetLabel: del LSM domain mapping */
> > -#define AUDIT_MAC_IPSEC_ADDSA  1411/* Add a XFRM state */
> > -#define AUDIT_MAC_IPSEC_DELSA  1412/* Delete a XFRM state */
> > -#define AUDIT_MAC_IPSEC_ADDSPD 1413/* Add a XFRM policy */
> > -#define AUDIT_MAC_IPSEC_DELSPD 1414/* Delete a XFRM policy */
> > +#define AUDIT_MAC_IPSEC_EVENT  1411/* Audit IPSec events */
> 
> Will this cause existing applications to break?
> 

Perhaps someone in audit list could help answer this. 

During testing, because I changed the above defines, all
IPSec events are listed as "MAC_IPSEC_ADDSA" for now without
a userspace change. Is this ok? Or is there a better way to
migrate this change in? Perhaps leave the previous IPsec defines
and just add a new one and use it? If that is the better
approach, let me know and I will change the code to accommodate it.

Regards,
Joy
 



Re: [PATCH] make xfrm_audit_log more generic

2007-07-19 Thread James Morris
On Thu, 19 Jul 2007, Joy Latten wrote:

> --- linux-2.6.22/include/linux/audit.h2007-07-19 13:17:22.0 
> -0500
> +++ linux-2.6.22.patch/include/linux/audit.h  2007-07-19 13:21:29.0 
> -0500
> @@ -108,10 +108,7 @@
>  #define AUDIT_MAC_CIPSOV4_DEL1408/* NetLabel: del CIPSOv4 DOI 
> entry */
>  #define AUDIT_MAC_MAP_ADD1409/* NetLabel: add LSM domain mapping */
>  #define AUDIT_MAC_MAP_DEL1410/* NetLabel: del LSM domain mapping */
> -#define AUDIT_MAC_IPSEC_ADDSA1411/* Add a XFRM state */
> -#define AUDIT_MAC_IPSEC_DELSA1412/* Delete a XFRM state */
> -#define AUDIT_MAC_IPSEC_ADDSPD   1413/* Add a XFRM policy */
> -#define AUDIT_MAC_IPSEC_DELSPD   1414/* Delete a XFRM policy */
> +#define AUDIT_MAC_IPSEC_EVENT1411/* Audit IPSec events */

Will this cause existing applications to break?




- James
-- 
James Morris
<[EMAIL PROTECTED]>



[PATCH] make xfrm_audit_log more generic

2007-07-19 Thread Joy Latten
This patch modifies xfrm_audit_log() such that it
can accommodate auditing other ipsec events
besides add/delete of an SA or SPD entry.

This is a small change to accommodate updating the
ipsec protocol to RFCs 4301, 4302 and 4303, which
require auditing some ipsec events if auditing
is available. Please let me know if ok.

I tested with selinux/labeled-ipsec/plain-ipsec and plain ipsec
without selinux. Also compiled and tested with auditing disabled.

Regards,
Joy

Signed-off-by: Joy Latten <[EMAIL PROTECTED]>
 

diff -urpN linux-2.6.22/include/linux/audit.h 
linux-2.6.22.patch/include/linux/audit.h
--- linux-2.6.22/include/linux/audit.h  2007-07-19 13:17:22.0 -0500
+++ linux-2.6.22.patch/include/linux/audit.h2007-07-19 13:21:29.0 
-0500
@@ -108,10 +108,7 @@
 #define AUDIT_MAC_CIPSOV4_DEL  1408/* NetLabel: del CIPSOv4 DOI entry */
 #define AUDIT_MAC_MAP_ADD  1409/* NetLabel: add LSM domain mapping */
 #define AUDIT_MAC_MAP_DEL  1410/* NetLabel: del LSM domain mapping */
-#define AUDIT_MAC_IPSEC_ADDSA  1411/* Add a XFRM state */
-#define AUDIT_MAC_IPSEC_DELSA  1412/* Delete a XFRM state */
-#define AUDIT_MAC_IPSEC_ADDSPD 1413/* Add a XFRM policy */
-#define AUDIT_MAC_IPSEC_DELSPD 1414/* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_EVENT  1411/* Audit IPSec events */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG1799
diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22.patch/include/net/xfrm.h
--- linux-2.6.22/include/net/xfrm.h 2007-07-19 13:17:22.0 -0500
+++ linux-2.6.22.patch/include/net/xfrm.h   2007-07-19 13:21:29.0 
-0500
@@ -427,9 +427,11 @@ struct xfrm_audit
 
 #ifdef CONFIG_AUDITSYSCALL
 extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
-   struct xfrm_policy *xp, struct xfrm_state *x);
+  u16 family, xfrm_address_t saddr, 
+  xfrm_address_t daddr, __be32 spi, __be32 flowid, 
+  struct xfrm_sec_ctx *sctx, char *buf);
 #else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_log(a,i,t,r,f,s,d,p,l,c,b) do { ; } while (0)
 #endif /* CONFIG_AUDITSYSCALL */
 
 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
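Review bot: The new prototype on the `+` lines takes `xfrm_address_t saddr` and `xfrm_address_t daddr` by value and the event description as a non-const `char *buf`, although every caller in this patch passes a string literal such as `"SAD add"`. `xfrm_address_t` is a 16-byte union sized for an IPv6 address, so each call copies two of them onto the stack on top of the other nine arguments; pointers would be cheaper and let the stub macro stay arity-compatible. Suggest `const xfrm_address_t *saddr, const xfrm_address_t *daddr` on the second `+` line and `struct xfrm_sec_ctx *sctx, const char *buf` on the third, with the `#else` macro keeping its 11 parameters so the callers compile unchanged when CONFIG_AUDITSYSCALL is off. The corresponding body of xfrm_audit_log() is outside this excerpt, so its handling of the new arguments cannot be checked here.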
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.patch/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c   2007-07-08 18:32:17.0 -0500
+++ linux-2.6.22.patch/net/key/af_key.c 2007-07-19 13:21:30.0 -0500
@@ -1459,7 +1459,9 @@ static int pfkey_add(struct sock *sk, st
err = xfrm_state_update(x);
 
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-  AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+  AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+  x->props.family, x->props.saddr, x->id.daddr, 
+  x->id.spi, 0, x->security, "SAD add");
 
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
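Review bot: Each call site now spells out the same six fields of `x` or `xp` in an 11-argument call, here and in the pfkey_delete, pfkey_spdadd, pfkey_spddelete and pfkey_spdget hunks, which makes it easy for one site to drift (the SAD sites pass `x->id.spi`, the SPD sites pass `0` for both spi and flowid, and only the string differs). A pair of thin helpers along the lines of `xfrm_audit_state_log(x, err ? 0 : 1, "SAD add")` and `xfrm_audit_policy_log(xp, err ? 0 : 1, "SPD add")` that derive family, addresses, spi and security context from the struct would keep the audited fields consistent across callers. The old signature received the whole `struct xfrm_state`/`struct xfrm_policy`, whereas `x->security` and `xp->security` are now passed bare and can be NULL for an SA or policy without a security context; if xfrm_audit_log() (not in this excerpt) does not tolerate a NULL `sctx`, every site here needs a guard. The enclosing pfkey_add() starts and ends outside the hunk.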
@@ -1513,7 +1515,10 @@ static int pfkey_delete(struct sock *sk,
km_state_notify(x, &c);
 out:
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-  AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+  AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, x->props.family,
+  x->props.saddr, x->id.daddr, x->id.spi, 0,
+  x->security, "SAD delete");
+
xfrm_state_put(x);
 
return err;
@@ -2266,7 +2271,9 @@ static int pfkey_spdadd(struct sock *sk,
 hdr->sadb_msg_type != SADB_X_SPDUPDATE);
 
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-  AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
+  AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+  xp->selector.family, xp->selector.saddr,
+  xp->selector.daddr, 0, 0, xp->security, "SPD add");
 
if (err)
goto out;
@@ -2350,7 +2357,9 @@ static int pfkey_spddelete(struct sock *
return -ENOENT;
 
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-  AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+  AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+  xp->selector.family, xp->selector.saddr,
+  xp->selector.daddr, 0, 0, xp->security, "SPD delete");
 
if (err)
goto out;
@@ -2611,7 +2620,10 @@ static int pfkey_spdget(struct sock *sk,
 
if (delete) {
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-  AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+  AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+  xp->selector.family, xp->selector.saddr,
+  xp->selector.daddr, 0, 0, xp->sec