[IPSEC]: Add xfrm policy change auditing to pfkey_spdget

pfkey_spdget neither had an LSM security hook nor auditing for the removal of xfrm_policy structs. The security hook was added when it was moved into xfrm_policy_byid instead of the callers to that function by my earlier patch and this patch adds the auditing hooks as well. Signed-off-by: N Eric Paris <eparis@redhat.com> Acked-by: N Venkat Yekkirala <vyekkirala@trustedcs.com> Acked-by: N James Morris <jmorris@namei.org> Signed-off-by: N David S. Miller <davem@davemloft.net>

[IPSEC]: Add xfrm policy change auditing to pfkey_spdget
pfkey_spdget neither had an LSM security hook nor auditing for the removal of xfrm_policy structs. The security hook was added when it was moved into xfrm_policy_byid instead of the callers to that function by my earlier patch and this patch adds the auditing hooks as well. Signed-off-by: N Eric Paris <eparis@redhat.com> Acked-by: N Venkat Yekkirala <vyekkirala@trustedcs.com> Acked-by: N James Morris <jmorris@namei.org> Signed-off-by: N David S. Miller <davem@davemloft.net>
215a2dd3 · Eric Paris · David S. Miller · ef41aaa0 · 215a2dd3
显示空白变更内容
内联并排

Showing with 11 addition and 6 deletion

net/key/af_key.c net/key/af_key.c +11 -6

未找到文件。
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2537,7 +2537,7 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb,
 static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
 {
 	unsigned int dir;
-	int err;
+	int err = 0, delete;
 	struct sadb_x_policy *pol;
 	struct xfrm_policy *xp;
 	struct km_event c;
@@ -2549,16 +2549,20 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
 	if (dir >= XFRM_POLICY_MAX)
 		return -EINVAL;

+	delete = (hdr->sadb_msg_type == SADB_X_SPDDELETE2);
 	xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir, pol->sadb_x_policy_id,
-			      hdr->sadb_msg_type == SADB_X_SPDDELETE2, &err);
+			      delete, &err);
 	if (xp == NULL)
 		return -ENOENT;

-	err = 0;
+	if (delete) {
+		xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+			       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);

+		if (err)
+			goto out;
 		c.seq = hdr->sadb_msg_seq;
 		c.pid = hdr->sadb_msg_pid;
-	if (hdr->sadb_msg_type == SADB_X_SPDDELETE2) {
 		c.data.byid = 1;
 		c.event = XFRM_MSG_DELPOLICY;
 		km_policy_notify(xp, dir, &c);
@@ -2566,6 +2570,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
 		err = key_pol_get_resp(sk, xp, hdr, dir);
 	}

+out:
 	xfrm_pol_put(xp);
 	return err;
 }