Re: [PATCH] Add xfrm policy change auditing to pfkey_spdget
On Thu, 8 Mar 2007, Eric Paris wrote:

> which didn't have my fix up because I didn't commit it to my local
> branch. Is there a better way to get a diff between my miller tree and
> 'everything in the branch I have checked out even if it is not
> committed'?

I'd suggest you commit all your changes in local branches, then export
them as emails via git-format-patch for posting.

Something like:

  davem-upstream [1]
    +- for-davem [2]
        +- for-davem-prep [3]

Do all of your work in [3], so you can manage the queue of patches there
before merging/applying them into [2] as a final patch series.

So, if one of the commits in [3] needs fixing, you can, for example,
export commits up to that with git-format-patch, git-reset --hard to the
broken commit, fix, compile, test then reapply the exported commits.

Then, once it's all ready, merge into [2] (or export & apply to avoid
merge commits).

This is just one possible workflow. There are probably several better.

- James
-- 
James Morris <[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] Add xfrm policy change auditing to pfkey_spdget
On Wed, 2007-03-07 at 16:07 -0800, David Miller wrote:
> From: David Miller <[EMAIL PROTECTED]>
> Date: Wed, 07 Mar 2007 15:43:16 -0800 (PST)
>
> > From: Eric Paris <[EMAIL PROTECTED]>
> > Date: Fri, 02 Mar 2007 13:51:24 -0500
> >
> > > pfkey_spdget neither had an LSM security hook nor auditing for the
> > > removal of xfrm_policy structs. The security hook was added when it was
> > > moved into xfrm_policy_byid instead of the callers to that function by
> > > my earlier patch and this patch adds the auditing hooks as well.
> > >
> > > Signed-off-by: Eric Paris <[EMAIL PROTECTED]>
> >
> > Applied.
>
> This patch was missing an opening brace on the "if (delete)" line.
> Eric you don't post patches without at least compile testing
> them now do you? :-)
>
> I fixed this up, but I will just kick it back to you next time,
> and I will likely growl very loudly in your general direction
> too. ;)

I lose at using git. Sorry. I'll be more careful to check that all of my
changes on the current branch are committed before I run my git diff. Or
maybe someone will convince me to use git in an all new better way.

I created a branch that has your tree and then created a new branch off
of that for my changes. I checked out my branch, made my patch and
committed. I then tried to compile, failed and fixed it up. I then
compiled, booted, and tested. When I thought it was working I did a

  git diff miller..my-branch-with-pfkey_spdget

which didn't have my fix up because I didn't commit it to my local
branch. Is there a better way to get a diff between my miller tree and
'everything in the branch I have checked out even if it is not
committed'?

Sorry, even if there are no ideas I'll be more careful.

-Eric
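As an added example (not code from the thread, and not from any of its authors), the following POSIX shell script reproduces the mistake Eric describes and shows what each form of `git diff` actually sees. It then applies the commit-everything-and-export-with-git-format-patch advice James gives in his reply above, simplified to a single commit folded in with `git commit --amend` rather than the reset-and-reapply sequence he describes. The branch names `miller` and `my-branch`, the file `af_key.c` and its contents, the identity used for commits, and the commit messages are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway repo with a
# branch "miller" standing in for the upstream tree and "my-branch" holding
# one committed change plus one fix-up left uncommitted in the working tree,
# then compares what each git diff form sees. All names below are made up.
set -e

# Create the repo and print its path on stdout.
setup_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    # Repo-local identity so the demo does not depend on global git config.
    git -C "$repo" config user.email "dev@example.invalid"
    git -C "$repo" config user.name "Example Dev"
    git -C "$repo" config commit.gpgsign false
    git -C "$repo" checkout -q -b miller
    printf 'int f(int delete)\n{\n\treturn 0;\n}\n' > "$repo/af_key.c"
    git -C "$repo" add af_key.c
    git -C "$repo" commit -q -m "baseline"

    git -C "$repo" checkout -q -b my-branch
    # Committed version: the opening brace is missing, as in the thread.
    printf 'int f(int delete)\n{\n\tif (delete)\n\t\treturn 1;\n\treturn 0;\n}\n' > "$repo/af_key.c"
    git -C "$repo" commit -q -am "handle delete (brace missing)"
    # The fix-up, written to the working tree but never committed.
    printf 'int f(int delete)\n{\n\tif (delete) {\n\t\treturn 1;\n\t}\n\treturn 0;\n}\n' > "$repo/af_key.c"
    printf '%s\n' "$repo"
}

# Exit 0 if the diff selected by revision spec $2 contains the fix-up line.
# "miller..my-branch" compares two commits; a bare "miller" compares that
# commit against the working tree.
diff_has_fix() {
    git -C "$1" diff "$2" | grep -q 'if (delete) {'
}

# Non-empty output means the working tree differs from HEAD: the check to
# run before generating any patch for posting.
uncommitted() {
    git -C "$1" status --porcelain
}

# James's workflow, reduced to one commit: fold the fix into the commit it
# belongs to, then export the series against "miller" with git-format-patch.
# Prints the path of the generated patch file (written outside the repo so
# it does not show up as an untracked file).
export_series() {
    git -C "$1" commit -q -a --amend --no-edit
    git -C "$1" format-patch -o "$1-patches" miller
}

main() {
    if ! command -v git >/dev/null 2>&1; then
        echo "git not found; nothing to demonstrate" >&2
        return 0
    fi
    repo=$(setup_repo)
    echo "git diff miller..my-branch (commit vs commit):"
    diff_has_fix "$repo" "miller..my-branch" && echo "  fix present" || echo "  fix MISSING"
    echo "git diff miller (commit vs working tree):"
    diff_has_fix "$repo" "miller" && echo "  fix present" || echo "  fix MISSING"
    echo "git status --porcelain:"
    uncommitted "$repo"
    patch=$(export_series "$repo")
    echo "exported: $patch"
    rm -rf "$repo" "$repo-patches"
}

main "$@"
```

The distinction the script makes visible: `git diff A..B` (or `git diff A B`) compares two commits and cannot see the working tree, while `git diff A` with a single revision compares that commit against the working tree, which is the diff Eric wanted. A `git status --porcelain` that prints anything before `git diff` or `git format-patch` is the cheap check that the patch about to be posted is the code that was actually compiled and booted.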
Re: [PATCH] Add xfrm policy change auditing to pfkey_spdget
From: David Miller <[EMAIL PROTECTED]>
Date: Wed, 07 Mar 2007 15:43:16 -0800 (PST)

> From: Eric Paris <[EMAIL PROTECTED]>
> Date: Fri, 02 Mar 2007 13:51:24 -0500
>
> > pfkey_spdget neither had an LSM security hook nor auditing for the
> > removal of xfrm_policy structs. The security hook was added when it was
> > moved into xfrm_policy_byid instead of the callers to that function by
> > my earlier patch and this patch adds the auditing hooks as well.
> >
> > Signed-off-by: Eric Paris <[EMAIL PROTECTED]>
>
> Applied.

This patch was missing an opening brace on the "if (delete)" line.
Eric you don't post patches without at least compile testing
them now do you? :-)

I fixed this up, but I will just kick it back to you next time,
and I will likely growl very loudly in your general direction
too. ;)
Re: [PATCH] Add xfrm policy change auditing to pfkey_spdget
From: Eric Paris <[EMAIL PROTECTED]>
Date: Fri, 02 Mar 2007 13:51:24 -0500

> pfkey_spdget neither had an LSM security hook nor auditing for the
> removal of xfrm_policy structs. The security hook was added when it was
> moved into xfrm_policy_byid instead of the callers to that function by
> my earlier patch and this patch adds the auditing hooks as well.
>
> Signed-off-by: Eric Paris <[EMAIL PROTECTED]>

Applied.
Re: [PATCH] Add xfrm policy change auditing to pfkey_spdget
On Fri, 2 Mar 2007, Eric Paris wrote:

> pfkey_spdget neither had an LSM security hook nor auditing for the
> removal of xfrm_policy structs. The security hook was added when it was
> moved into xfrm_policy_byid instead of the callers to that function by
> my earlier patch and this patch adds the auditing hooks as well.
>
> Signed-off-by: Eric Paris <[EMAIL PROTECTED]>

Acked-by: James Morris <[EMAIL PROTECTED]>

-- 
James Morris <[EMAIL PROTECTED]>
RE: [PATCH] Add xfrm policy change auditing to pfkey_spdget
> pfkey_spdget neither had an LSM security hook nor auditing for the
> removal of xfrm_policy structs. The security hook was added when it was
> moved into xfrm_policy_byid instead of the callers to that function by
> my earlier patch and this patch adds the auditing hooks as well.
>
> Signed-off-by: Eric Paris <[EMAIL PROTECTED]>

Acked-by: Venkat Yekkirala <[EMAIL PROTECTED]>
[PATCH] Add xfrm policy change auditing to pfkey_spdget
pfkey_spdget neither had an LSM security hook nor auditing for the removal of xfrm_policy structs. The security hook was added when it was moved into xfrm_policy_byid instead of the callers to that function by my earlier patch and this patch adds the auditing hooks as well. Signed-off-by: Eric Paris <[EMAIL PROTECTED]> net/key/af_key.c | 17 +++-- 1 files changed, 11 insertions(+), 6 deletions(-) diff --git a/net/key/af_key.c b/net/key/af_key.c index 3542435..7cbf0a2 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -2537,7 +2537,7 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb, static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs) { unsigned int dir; - int err; + int err = 0, delete; struct sadb_x_policy *pol; struct xfrm_policy *xp; struct km_event c; @@ -2549,16 +2549,20 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h if (dir >= XFRM_POLICY_MAX) return -EINVAL; + delete = (hdr->sadb_msg_type == SADB_X_SPDDELETE2); xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir, pol->sadb_x_policy_id, - hdr->sadb_msg_type == SADB_X_SPDDELETE2, ); + delete, ); if (xp == NULL) return -ENOENT; - err = 0; + if (delete) + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); - c.seq = hdr->sadb_msg_seq; - c.pid = hdr->sadb_msg_pid; - if (hdr->sadb_msg_type == SADB_X_SPDDELETE2) { + if (err) + goto out; + c.seq = hdr->sadb_msg_seq; + c.pid = hdr->sadb_msg_pid; c.data.byid = 1; c.event = XFRM_MSG_DELPOLICY; km_policy_notify(xp, dir, ); 
@@ -2566,6 +2570,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h err = key_pol_get_resp(sk, xp, hdr, dir); } +out: xfrm_pol_put(xp); return err; }
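Review bot: in the @@ -2549 hunk the removed line `if (hdr->sadb_msg_type == SADB_X_SPDDELETE2) {` gets no replacement, so the kept lines `c.data.byid = 1;`, `c.event = XFRM_MSG_DELPOLICY;` and the `km_policy_notify()` call are now unconditional and the `} else {` branch around `key_pol_get_resp()` in the next hunk has no `if` to pair with; as posted the file will not compile. Add `if (delete) {` after `c.pid = hdr->sadb_msg_pid;` (the two-tab indentation of the three kept lines shows where the block should open). One more thing worth a sentence in the changelog: deleting the unconditional `err = 0;` means an error that `xfrm_policy_byid()` stores in `err` is now recorded as a failed delete in the audit call (`err ? 0 : 1`) and returned through `goto out` instead of being silently discarded, which is a behaviour change on the SADB_X_SPDDELETE2 path.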
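Review bot: the new `out:` label in the @@ -2566 hunk sits after the `if (xp == NULL) return -ENOENT;` check, so every `goto out` arrives holding the reference that `xfrm_policy_byid()` returned and `xfrm_pol_put(xp)` releases it; that is correct, but since the label is only reached from the delete path with whatever `err` value `xfrm_policy_byid()` stored, a one-line comment above it (for example `/* xp is held; err came from xfrm_policy_byid() */`) would save the next reader from re-deriving that.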