Re: [PATCH]: 2nd revision of make xfrm_audit_log more generic

2007-07-26 Thread Joy Latten
On Wed, 2007-07-25 at 17:17 -0700, David Miller wrote:
> From: Joy Latten [EMAIL PROTECTED]
> Date: Wed, 25 Jul 2007 14:21:43 -0500
> 
> > This is 2nd revision of patch to modify xfrm_audit_log() such
> > that it can accommodate auditing other ipsec events
> > besides add/delete of an SA or SPD entry.
> > 
> > 2nd revision includes new define for all IPsec
> > events in audit.h and introduces op= entry
> > in logfile as well as add a hyphen in description
> > for report parsing.
> > 
> > This is a small change to accommodate updating
> > ipsec protocol to RFCs 4301, 4302 and 4303 which
> > require auditing some ipsec events if auditing
> > is available. Please let me know if ok.
> > 
> > Signed-off-by: Joy Latten [EMAIL PROTECTED]
> 
> I like very much how the implementation of xfrm_audit_log() got
> simplified.
> 
> But _TEN_ function call arguments, good grief!
> 
> That's at least twice as many as most cpus can pass in registers.
> 

:-) :-) Sorry. Must have been in a fog or something now that I take a
step back and look at it.

> 
> Let's try an alternative where you have specialized
> xfrm_audit_log_foo() routines that take a user policy pointer, or
> whatever the main object is.
> 
> If internally this just unpacks the needed bits and calls some
> do_xfrm_audit_log() thing inside of the auditing code that takes lots
> of arguments, that's fine, but let's not expand all of that argument
> setup code in the main IPSEC code paths.

Fixing up right now. Will re-post when done.
Thanks!

Joy
-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH]: 2nd revision of make xfrm_audit_log more generic

2007-07-25 Thread David Miller
From: Joy Latten [EMAIL PROTECTED]
Date: Wed, 25 Jul 2007 14:21:43 -0500

> This is 2nd revision of patch to modify xfrm_audit_log() such
> that it can accommodate auditing other ipsec events
> besides add/delete of an SA or SPD entry.
> 
> 2nd revision includes new define for all IPsec
> events in audit.h and introduces op= entry
> in logfile as well as add a hyphen in description
> for report parsing.
> 
> This is a small change to accommodate updating
> ipsec protocol to RFCs 4301, 4302 and 4303 which
> require auditing some ipsec events if auditing
> is available. Please let me know if ok.
> 
> Signed-off-by: Joy Latten [EMAIL PROTECTED]

I like very much how the implementation of xfrm_audit_log() got
simplified.

But _TEN_ function call arguments, good grief!

That's at least twice as many as most cpus can pass in registers.

Let's try an alternative where you have specialized
xfrm_audit_log_foo() routines that take a user policy pointer, or
whatever the main object is.

If internally this just unpacks the needed bits and calls some
do_xfrm_audit_log() thing inside of the auditing code that takes lots
of arguments, that's fine, but let's not expand all of that argument
setup code in the main IPSEC code paths.
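The wrapper layout David describes above (per-object xfrm_audit_log_foo() routines that take the object pointer, unpack it, and call one wide do_xfrm_audit_log() inside the audit code), sketched as an added example that is not part of this thread, the patch, or the kernel. The struct layouts, field names, the record format and the sample values are simplified stand-ins assumed here so that it builds and runs in user space; they are not the kernel's struct xfrm_state / struct xfrm_policy.

```c
/* Added example, not code from the patch or the kernel.  IPsec call sites
 * hand over the object they already hold; one wide formatter inside the
 * audit code does the unpacking.  All types, field names, the record
 * format and the sample values below are simplified assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

typedef struct { uint32_t a4; } xfrm_address_t;   /* IPv4 only, host order */

struct xfrm_sec_ctx { const char *ctx_str; };      /* constructed stand-in */

struct xfrm_state {                                /* constructed stand-in */
    uint16_t family;
    xfrm_address_t saddr, daddr;
    uint32_t spi;
    const struct xfrm_sec_ctx *security;
};

struct xfrm_policy {                               /* constructed stand-in */
    uint16_t family;
    xfrm_address_t saddr, daddr;
    const struct xfrm_sec_ctx *security;
};

static void fmt_addr(const xfrm_address_t *a, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u", (unsigned)(a->a4 >> 24) & 0xff,
             (unsigned)(a->a4 >> 16) & 0xff, (unsigned)(a->a4 >> 8) & 0xff,
             (unsigned)a->a4 & 0xff);
}

/* The single wide function.  Its long argument list is private to the
 * audit code; no IPsec path ever spells it out.  Writes one record into
 * 'out' and returns its length, snprintf-style. */
static int do_xfrm_audit_log(char *out, size_t len, unsigned auid, int result,
                             const char *op, uint16_t family,
                             const xfrm_address_t *saddr,
                             const xfrm_address_t *daddr, uint32_t spi,
                             const struct xfrm_sec_ctx *sctx)
{
    char s[16], d[16];
    int n;

    fmt_addr(saddr, s, sizeof s);
    fmt_addr(daddr, d, sizeof d);
    n = snprintf(out, len, "op=%s auid=%u res=%d family=%u src=%s dst=%s spi=0x%08x",
                 op, auid, result, (unsigned)family, s, d, (unsigned)spi);
    if (sctx && n >= 0 && (size_t)n < len)   /* only when a context exists */
        n += snprintf(out + n, len - n, " sec_ctx=%s", sctx->ctx_str);
    return n;
}

/* Per-object wrappers: what a call site like pfkey_add() would invoke.
 * The caller passes the object plus the two values only it knows (result
 * and login uid); everything else is read from the object here.  A
 * state_delete / policy_add pair follows the same pattern. */
int xfrm_audit_state_add(const struct xfrm_state *x, int result,
                         unsigned auid, char *out, size_t len)
{
    return do_xfrm_audit_log(out, len, auid, result, "SAD-add", x->family,
                             &x->saddr, &x->daddr, x->spi, x->security);
}

int xfrm_audit_policy_delete(const struct xfrm_policy *xp, int result,
                             unsigned auid, char *out, size_t len)
{
    /* A policy has no SPI; the wrapper, not the call site, supplies the 0. */
    return do_xfrm_audit_log(out, len, auid, result, "SPD-delete", xp->family,
                             &xp->saddr, &xp->daddr, 0, xp->security);
}

/* Constructed sample objects so the records can be checked offline. */
const char *sample_sad_add_record(void)
{
    static char rec[256];
    static const struct xfrm_sec_ctx ctx = { "system_u:object_r:ipsec_spd_t:s0" };
    struct xfrm_state x = { 2, { 0x0a000001u }, { 0x0a000002u }, 0x1234u, &ctx };

    xfrm_audit_state_add(&x, 1, 1000, rec, sizeof rec);      /* 1 = success */
    return rec;
}

const char *sample_spd_delete_record(void)
{
    static char rec[256];
    struct xfrm_policy xp = { 2, { 0xc0a80100u }, { 0xc0a80200u }, NULL };

    xfrm_audit_policy_delete(&xp, 0, 1000, rec, sizeof rec); /* 0 = failure */
    return rec;
}

int main(void)
{
    puts(sample_sad_add_record());
    puts(sample_spd_delete_record());
    return 0;
}
```

Built with `cc -Wall`, it prints one record per sample object. The point of the shape is that the wide argument list exists in exactly one place, the wrapper names the operation, and a call site that holds `x` or `xp` contributes only the result and the login uid.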


[PATCH]: 2nd revision of make xfrm_audit_log more generic

2007-07-25 Thread Joy Latten
This is 2nd revision of patch to modify xfrm_audit_log() such
that it can accommodate auditing other ipsec events
besides add/delete of an SA or SPD entry.

2nd revision includes new define for all IPsec
events in audit.h and introduces op= entry
in logfile as well as add a hyphen in description
for report parsing. 

This is a small change to accommodate updating
ipsec protocol to RFCs 4301, 4302 and 4303 which
require auditing some ipsec events if auditing
is available. Please let me know if ok.

Regards,
Joy

Signed-off-by: Joy Latten [EMAIL PROTECTED]

diff -urpN linux-2.6.22/include/linux/audit.h 
linux-2.6.22.patch/include/linux/audit.h
--- linux-2.6.22/include/linux/audit.h  2007-07-23 14:35:28.0 -0500
+++ linux-2.6.22.patch/include/linux/audit.h2007-07-23 14:38:51.0 
-0500
@@ -112,6 +112,7 @@
 #define AUDIT_MAC_IPSEC_DELSA  1412/* Delete a XFRM state */
 #define AUDIT_MAC_IPSEC_ADDSPD 1413/* Add a XFRM policy */
 #define AUDIT_MAC_IPSEC_DELSPD 1414/* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_EVENT  1415/* Audit IPSec events */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG1799
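Review bot: adding AUDIT_MAC_IPSEC_EVENT (1415) while every call site below stops using AUDIT_MAC_IPSEC_ADDSA..DELSPD (1412-1414) changes what userspace keys on: a filter on the old record types sees no SA/SPD add or delete once the operation lives only in the new op= field. State that in the changelog, and decide whether 1412-1414 stay as retained-for-compatibility defines or are removed; the comment `/* Audit IPSec events */` should also mention that the operation is carried in op= so the type alone is not expected to identify it.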
diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22.patch/include/net/xfrm.h
--- linux-2.6.22/include/net/xfrm.h 2007-07-23 14:35:28.0 -0500
+++ linux-2.6.22.patch/include/net/xfrm.h   2007-07-23 14:38:51.0 
-0500
@@ -427,9 +427,11 @@ struct xfrm_audit
 
 #ifdef CONFIG_AUDITSYSCALL
 extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
-   struct xfrm_policy *xp, struct xfrm_state *x);
+  u16 family, xfrm_address_t saddr, 
+  xfrm_address_t daddr, __be32 spi, __be32 flowid, 
+  struct xfrm_sec_ctx *sctx, char *buf);
 #else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_log(a,i,t,r,f,s,d,p,l,c,b) do { ; } while (0)
 #endif /* CONFIG_AUDITSYSCALL */
 
 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
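Review bot: the new prototype takes `xfrm_address_t saddr` and `xfrm_address_t daddr` by value, which copies two 16-byte unions into the argument area on every call; pass `const xfrm_address_t *` instead, and make `buf` a `const char *` since every caller in this patch hands it a string literal. The eleven-parameter stub `#define xfrm_audit_log(a,i,t,r,f,s,d,p,l,c,b)` is the other symptom of the widened interface: with per-object wrappers only those wrappers need a CONFIG_AUDITSYSCALL=n stub and the IPsec callers keep a short argument list.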
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.patch/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c   2007-07-08 18:32:17.0 -0500
+++ linux-2.6.22.patch/net/key/af_key.c 2007-07-24 11:50:35.0 -0500
@@ -1459,7 +1459,9 @@ static int pfkey_add(struct sock *sk, st
err = xfrm_state_update(x);
 
xfrm_audit_log(audit_get_loginuid(current-audit_context), 0,
-  AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+  AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+  x-props.family, x-props.saddr, x-id.daddr, 
+  x-id.spi, 0, x-security, SAD-add);
 
if (err  0) {
x-km.state = XFRM_STATE_DEAD;
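Review bot: the op name `SAD-add` is typed at the call site as a bare literal, and the same is done for SAD-delete, SPD-add and SPD-delete below; if reports are going to parse these strings, define them once next to AUDIT_MAC_IPSEC_EVENT (or let a per-object helper own them) so a typo in one of five copies cannot split the same operation into two names in the log.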
@@ -1513,7 +1515,10 @@ static int pfkey_delete(struct sock *sk,
km_state_notify(x, c);
 out:
xfrm_audit_log(audit_get_loginuid(current-audit_context), 0,
-  AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+  AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, x-props.family,
+  x-props.saddr, x-id.daddr, x-id.spi, 0,
+  x-security, SAD-delete);
+
xfrm_state_put(x);
 
return err;
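Review bot: the state's family, saddr, daddr, spi and security fields are unpacked by hand here exactly as in pfkey_add() above, which is the argument-setup duplication the review objects to; a helper that takes the state pointer plus result and auid would reduce both sites to one line. The extra blank line added after the call (the `+` line before `xfrm_state_put(x)`) is an unrelated whitespace change and should be dropped.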
@@ -2266,7 +2271,9 @@ static int pfkey_spdadd(struct sock *sk,
 hdr-sadb_msg_type != SADB_X_SPDUPDATE);
 
xfrm_audit_log(audit_get_loginuid(current-audit_context), 0,
-  AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
+  AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+  xp-selector.family, xp-selector.saddr,
+  xp-selector.daddr, 0, 0, xp-security, SPD-add);
 
if (err)
goto out;
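Review bot: the policy is identified here only by `xp->selector.family` and the selector's bare saddr/daddr, with literal `0, 0` filled in for spi and flowid. The selector's prefix lengths (prefixlen_s/prefixlen_d) and the policy direction are not logged, so two distinct policies can produce identical records, and the zeros show the generic signature forcing policy callers to supply SA-only fields; a policy-specific wrapper taking `xp` could log what actually identifies a policy and leave spi out.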
@@ -2350,7 +2357,9 @@ static int pfkey_spddelete(struct sock *
return -ENOENT;
 
xfrm_audit_log(audit_get_loginuid(current-audit_context), 0,
-  AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+  AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+  xp-selector.family, xp-selector.saddr,
+  xp-selector.daddr, 0, 0, xp-security, SPD-delete);
 
if (err)
goto out;
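Review bot: the `return -ENOENT` immediately above this call means a delete request for a policy that does not exist returns before any record is written, so the failure case that the `err ? 0 : 1` result field is meant to capture never reaches the log on the not-found path. If failed SPD deletes are to be audited, emit the record (with result 0) before that return, or audit once at the function's exit.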
@@ -2611,7 +2620,10 @@ static int pfkey_spdget(struct sock *sk,
 
if (delete) {
xfrm_audit_log(audit_get_loginuid(current-audit_context), 0,
-  AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+  AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+  xp-selector.family, xp-selector.saddr,
+  xp-selector.daddr, 0, 0, xp-security,
+  SPD-delete);
 
if (err)
goto out;
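Review bot: this is the third hand-unpacked copy of the policy tuple (after pfkey_spdadd() and pfkey_spddelete()) and differs from the pfkey_spddelete() call only in line wrapping; a single `xfrm_audit_policy_delete()` style helper taking `xp` would make all three sites one line and keep the op string in one place.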
diff -urpN linux-2.6.22/net/xfrm/xfrm_policy.c 
linux-2.6.22.patch/net/xfrm/xfrm_policy.c
--- linux-2.6.22/net/xfrm/xfrm_policy.c 2007-07-23 14:35:29.0 -0500
+++