Re: [PATCH]: xfrm audit calls

2007-09-12 Thread David Miller
From: Joy Latten [EMAIL PROTECTED]
Date: Tue, 11 Sep 2007 19:03:14 -0500

 This patch modifies the current ipsec audit layer
 by breaking it up into purpose driven audit calls.
 
 So far, the only audit calls made are when add/delete
 an SA/policy. It had been discussed to give each 
 key manager its own calls to do this, but I found
 there to be much redundancy since they did the exact 
 same things, except for how they got auid and sid, so I 
 combined them. The below audit calls can be made by any 
 key manager. Hopefully, this is ok.
 
 I compiled and tested with CONFIG_AUDITSYSCALLS on and off.
 
 Signed-off-by: Joy Latten [EMAIL PROTECTED]

Patch applied, thanks!


Re: [PATCH]: xfrm audit calls

2007-09-12 Thread Valdis . Kletnieks
On Tue, 11 Sep 2007 19:03:14 CDT, Joy Latten said:
 This patch modifies the current ipsec audit layer
 by breaking it up into purpose driven audit calls.

 So far, the only audit calls made are when add/delete
 an SA/policy.

What other audit calls do you envision adding in the future?




Re: [PATCH]: xfrm audit calls

2007-09-12 Thread Joy Latten
On Wed, 2007-09-12 at 14:56 -0400, [EMAIL PROTECTED] wrote:
 On Tue, 11 Sep 2007 19:03:14 CDT, Joy Latten said:
  This patch modifies the current ipsec audit layer
  by breaking it up into purpose driven audit calls.
 
  So far, the only audit calls made are when add/delete
  an SA/policy.
 
 What other audit calls do you envision adding in the future?

Those specified in updated RFCs for ipsec, mainly 4301,
4302 and 4303. 

Joy


[PATCH]: xfrm audit calls

2007-09-11 Thread Joy Latten
This patch modifies the current ipsec audit layer
by breaking it up into purpose driven audit calls.

So far, the only audit calls made are when add/delete
an SA/policy. It had been discussed to give each 
key manager its own calls to do this, but I found
there to be much redundancy since they did the exact 
same things, except for how they got auid and sid, so I 
combined them. The below audit calls can be made by any 
key manager. Hopefully, this is ok.

I compiled and tested with CONFIG_AUDITSYSCALLS on and off.

Regards,
Joy Latten

Signed-off-by: Joy Latten [EMAIL PROTECTED]

diff -urpN linux-2.6.22/include/linux/audit.h 
linux-2.6.22-rc6/include/linux/audit.h
--- linux-2.6.22/include/linux/audit.h  2007-09-11 13:59:49.0 -0500
+++ linux-2.6.22-rc6/include/linux/audit.h  2007-09-11 14:10:57.0 
-0500
@@ -108,10 +108,11 @@
 #define AUDIT_MAC_CIPSOV4_DEL  1408/* NetLabel: del CIPSOv4 DOI entry */
 #define AUDIT_MAC_MAP_ADD  1409/* NetLabel: add LSM domain mapping */
 #define AUDIT_MAC_MAP_DEL  1410/* NetLabel: del LSM domain mapping */
-#define AUDIT_MAC_IPSEC_ADDSA  1411/* Add a XFRM state */
-#define AUDIT_MAC_IPSEC_DELSA  1412/* Delete a XFRM state */
-#define AUDIT_MAC_IPSEC_ADDSPD 1413/* Add a XFRM policy */
-#define AUDIT_MAC_IPSEC_DELSPD 1414/* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_ADDSA  1411/* Not used */
+#define AUDIT_MAC_IPSEC_DELSA  1412/* Not used  */
+#define AUDIT_MAC_IPSEC_ADDSPD 1413/* Not used */
+#define AUDIT_MAC_IPSEC_DELSPD 1414/* Not used */
+#define AUDIT_MAC_IPSEC_EVENT  1415/* Audit an IPSec event */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG1799
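Review bot: The four retired record types 1411–1414 are annotated only `/* Not used */`, which reads as an invitation to delete them later, yet audit message type numbers are consumed by userspace tooling and so the values must stay reserved even when the kernel stops emitting them. A comment that says why they remain would prevent that cleanup, e.g. `/* Not used; number reserved, audit types are userspace ABI */` on each line or one line above the group. Collapsing the four add/delete types into the single AUDIT_MAC_IPSEC_EVENT also means a consumer can no longer tell the operation from the record type alone, so presumably the new xfrm_audit_* helpers (whose bodies are outside this patch excerpt) carry it in the record body; stating that on 1415, e.g. `/* Audit an IPSec event; the operation is carried in the record */`, would make the contract explicit.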
diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22-rc6/include/net/xfrm.h
--- linux-2.6.22/include/net/xfrm.h 2007-09-11 13:59:49.0 -0500
+++ linux-2.6.22-rc6/include/net/xfrm.h 2007-09-11 14:10:57.0 -0500
@@ -12,6 +12,7 @@
 #include linux/ipsec.h
 #include linux/in6.h
 #include linux/mutex.h
+#include linux/audit.h
 
 #include net/sock.h
 #include net/dst.h
@@ -421,15 +422,46 @@ extern unsigned int xfrm_policy_count[XF
 /* Audit Information */
 struct xfrm_audit
 {
-   uid_t   loginuid;
+   u32 loginuid;
u32 secid;
 };
 
 #ifdef CONFIG_AUDITSYSCALL
-extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
-   struct xfrm_policy *xp, struct xfrm_state *x);
+static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
+{
+   struct audit_buffer *audit_buf = NULL;
+   char *secctx;
+   u32 secctx_len;
+
+   audit_buf = audit_log_start(current-audit_context, GFP_ATOMIC,
+ AUDIT_MAC_IPSEC_EVENT);
+   if (audit_buf == NULL)
+   return NULL;
+
+   audit_log_format(audit_buf, auid=%u, auid);
+
+   if (sid != 0 
+   security_secid_to_secctx(sid, secctx, secctx_len) == 0) {
+   audit_log_format(audit_buf,  subj=%s, secctx);
+   security_release_secctx(secctx, secctx_len);
+   } else
+   audit_log_task_context(audit_buf);
+   return audit_buf;
+}
+
+extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,  
+ u32 auid, u32 sid);
+extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,  
+ u32 auid, u32 sid);
+extern void xfrm_audit_state_add(struct xfrm_state *x, int result,  
+u32 auid, u32 sid);
+extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
+   u32 auid, u32 sid);
 #else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_policy_add(x, r, a, s)  do { ; } while (0)
+#define xfrm_audit_policy_delete(x, r, a, s)   do { ; } while (0)
+#define xfrm_audit_state_add(x, r, a, s)   do { ; } while (0)
+#define xfrm_audit_state_delete(x, r, a, s)do { ; } while (0)
 #endif /* CONFIG_AUDITSYSCALL */
 
 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
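Review bot: xfrm_audit_start is added as a `static inline` with a multi-call body in net/xfrm.h, so every translation unit that includes this header compiles its own copy and the header now depends on audit_log_start, security_secid_to_secctx and audit_log_task_context being declared ahead of it; since the only intended callers appear to be the four xfrm_audit_* helpers declared beneath it, an out-of-line definition next to them with `extern struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid);` here would be the lighter arrangement. The function also has no comment on its contract: a NULL return means the event is not recorded (audit_log_start is expected to account for the drop itself) and the caller must finish the record with audit_log_end(), which a comment such as `/* Open an IPSec audit record; NULL if none could be started. Caller appends fields and ends it with audit_log_end(). */` would cover. The `= NULL` initialiser on `audit_buf` is dead, as the next statement assigns it unconditionally. The `&`, `&&` and `->` operators seem to have been stripped by the archive rendering rather than being missing from the patch.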
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22-rc6/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c   2007-09-11 13:59:52.0 -0500
+++ linux-2.6.22-rc6/net/key/af_key.c   2007-09-11 14:10:58.0 -0500
@@ -27,7 +27,6 @@
 #include linux/proc_fs.h
 #include linux/init.h
 #include net/xfrm.h
-#include linux/audit.h
 
 #include net/sock.h
 
@@ -1461,8 +1460,8 @@ static int pfkey_add(struct sock *sk, st
else
err = xfrm_state_update(x);
 
-   xfrm_audit_log(audit_get_loginuid(current-audit_context), 0,
-  AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+   xfrm_audit_state_add(x, err ? 0 : 1, 
+audit_get_loginuid(current-audit_context), 0);
 
if (err  0) {
x-km.state = XFRM_STATE_DEAD;
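Review bot: The literal `0` passed as sid in the new xfrm_audit_state_add call relies on xfrm_audit_start falling back to audit_log_task_context() when sid is zero, so the record's subj= becomes the calling task's context, and that coupling is invisible at this call site. A short comment would make it explicit: `/* sid 0: xfrm_audit_start records the current task's context as subj= */`. The same presumably applies to the other converted PF_KEY call sites, of which only the hunk at 1514 is visible here and it is cut off. pfkey_add begins and ends outside this hunk.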
@@ -1515,8 +1514,8 @@ static int