Skip to content

Commit

Permalink
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/gi…
Browse files Browse the repository at this point in the history 
…t/klassert/ipsec-next

Steffen Klassert says:

====================
pull request (net-next): ipsec-next 2014-05-22

This is the last ipsec pull request before I leave for
a three weeks vacation tomorrow. David, can you please
take urgent ipsec patches directly into net/net-next
during this time?

I'll continue to run the ipsec/ipsec-next trees as soon
as I'm back.

1) Simplify the xfrm audit handling, from Tetsuo Handa.

2) Codingstyle cleanup for xfrm_output, from abian Frederick.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
@davem330
davem330 committed May 22, 2014
2 parents b3f7a7b + fc68086 commit 65db611
Show file tree
Hide file tree
Showing 6 changed files with 65 additions and 165 deletions.
57 changes: 22 additions & 35 deletions include/net/xfrm.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -691,13 +691,6 @@ struct xfrm_spi_skb_cb {

#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))

/* Audit Information */
struct xfrm_audit {
u32 secid;
kuid_t loginuid;
unsigned int sessionid;
};

#ifdef CONFIG_AUDITSYSCALL
static inline struct audit_buffer *xfrm_audit_start(const char *op)
{
Expand All @@ -713,30 +706,24 @@ static inline struct audit_buffer *xfrm_audit_start(const char *op)
return audit_buf;
}

static inline void xfrm_audit_helper_usrinfo(kuid_t auid, unsigned int ses, u32 secid,
static inline void xfrm_audit_helper_usrinfo(bool task_valid,
struct audit_buffer *audit_buf)
{
char *secctx;
u32 secctx_len;

audit_log_format(audit_buf, " auid=%u ses=%u",
from_kuid(&init_user_ns, auid), ses);
if (secid != 0 &&
security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
security_release_secctx(secctx, secctx_len);
} else
audit_log_task_context(audit_buf);
}

void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, kuid_t auid,
unsigned int ses, u32 secid);
void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, kuid_t auid,
unsigned int ses, u32 secid);
void xfrm_audit_state_add(struct xfrm_state *x, int result, kuid_t auid,
unsigned int ses, u32 secid);
void xfrm_audit_state_delete(struct xfrm_state *x, int result, kuid_t auid,
unsigned int ses, u32 secid);
const unsigned int auid = from_kuid(&init_user_ns, task_valid ?
audit_get_loginuid(current) :
INVALID_UID);
const unsigned int ses = task_valid ? audit_get_sessionid(current) :
(unsigned int) -1;

audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
audit_log_task_context(audit_buf);
}

void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid);
void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
bool task_valid);
void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid);
void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid);
void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
struct sk_buff *skb);
void xfrm_audit_state_replay(struct xfrm_state *x, struct sk_buff *skb,
Expand All @@ -749,22 +736,22 @@ void xfrm_audit_state_icvfail(struct xfrm_state *x, struct sk_buff *skb,
#else

static inline void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
kuid_t auid, unsigned int ses, u32 secid)
bool task_valid)
{
}

static inline void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
kuid_t auid, unsigned int ses, u32 secid)
bool task_valid)
{
}

static inline void xfrm_audit_state_add(struct xfrm_state *x, int result,
kuid_t auid, unsigned int ses, u32 secid)
bool task_valid)
{
}

static inline void xfrm_audit_state_delete(struct xfrm_state *x, int result,
kuid_t auid, unsigned int ses, u32 secid)
bool task_valid)
{
}

Expand Down Expand Up @@ -1508,7 +1495,7 @@ struct xfrmk_spdinfo {

struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
int xfrm_state_delete(struct xfrm_state *x);
int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info);
int xfrm_state_flush(struct net *net, u8 proto, bool task_valid);
void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq);
Expand Down Expand Up @@ -1603,7 +1590,7 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark,
int *err);
struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8, int dir,
u32 id, int delete, int *err);
int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info);
int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
u32 xfrm_get_acqseq(void);
int verify_spi_info(u8 proto, u32 min, u32 max);
int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
Expand Down
32 changes: 7 additions & 25 deletions net/key/af_key.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1476,9 +1476,7 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, const struct sadb_msg
else
err = xfrm_state_update(x);

xfrm_audit_state_add(x, err ? 0 : 1,
audit_get_loginuid(current),
audit_get_sessionid(current), 0);
xfrm_audit_state_add(x, err ? 0 : 1, true);

if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
Expand Down Expand Up @@ -1532,9 +1530,7 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, const struct sadb_
c.event = XFRM_MSG_DELSA;
km_state_notify(x, &c);
out:
xfrm_audit_state_delete(x, err ? 0 : 1,
audit_get_loginuid(current),
audit_get_sessionid(current), 0);
xfrm_audit_state_delete(x, err ? 0 : 1, true);
xfrm_state_put(x);

return err;
Expand Down Expand Up @@ -1726,17 +1722,13 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m
struct net *net = sock_net(sk);
unsigned int proto;
struct km_event c;
struct xfrm_audit audit_info;
int err, err2;

proto = pfkey_satype2proto(hdr->sadb_msg_satype);
if (proto == 0)
return -EINVAL;

audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = audit_get_sessionid(current);
audit_info.secid = 0;
err = xfrm_state_flush(net, proto, &audit_info);
err = xfrm_state_flush(net, proto, true);
err2 = unicast_flush_resp(sk, hdr);
if (err || err2) {
if (err == -ESRCH) /* empty table - go quietly */
Expand Down Expand Up @@ -2288,9 +2280,7 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, const struct sadb_
err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp,
hdr->sadb_msg_type != SADB_X_SPDUPDATE);

xfrm_audit_policy_add(xp, err ? 0 : 1,
audit_get_loginuid(current),
audit_get_sessionid(current), 0);
xfrm_audit_policy_add(xp, err ? 0 : 1, true);

if (err)
goto out;
Expand Down Expand Up @@ -2372,9 +2362,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sa
if (xp == NULL)
return -ENOENT;

xfrm_audit_policy_delete(xp, err ? 0 : 1,
audit_get_loginuid(current),
audit_get_sessionid(current), 0);
xfrm_audit_policy_delete(xp, err ? 0 : 1, true);

if (err)
goto out;
Expand Down Expand Up @@ -2622,9 +2610,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, const struct sadb_
return -ENOENT;

if (delete) {
xfrm_audit_policy_delete(xp, err ? 0 : 1,
audit_get_loginuid(current),
audit_get_sessionid(current), 0);
xfrm_audit_policy_delete(xp, err ? 0 : 1, true);

if (err)
goto out;
Expand Down Expand Up @@ -2733,13 +2719,9 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, const struct sad
{
struct net *net = sock_net(sk);
struct km_event c;
struct xfrm_audit audit_info;
int err, err2;

audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = audit_get_sessionid(current);
audit_info.secid = 0;
err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, true);
err2 = unicast_flush_resp(sk, hdr);
if (err || err2) {
if (err == -ESRCH) /* empty table - old silent behavior */
Expand Down
5 changes: 2 additions & 3 deletions net/xfrm/xfrm_output.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,7 @@ int xfrm_output(struct sk_buff *skb)

return xfrm_output2(skb);
}
EXPORT_SYMBOL_GPL(xfrm_output);

int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb)
{
Expand All @@ -213,6 +214,7 @@ int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb)
return -EAFNOSUPPORT;
return inner_mode->afinfo->extract_output(x, skb);
}
EXPORT_SYMBOL_GPL(xfrm_inner_extract_output);

void xfrm_local_error(struct sk_buff *skb, int mtu)
{
Expand All @@ -233,7 +235,4 @@ void xfrm_local_error(struct sk_buff *skb, int mtu)
afinfo->local_error(skb, mtu);
xfrm_state_put_afinfo(afinfo);
}

EXPORT_SYMBOL_GPL(xfrm_output);
EXPORT_SYMBOL_GPL(xfrm_inner_extract_output);
EXPORT_SYMBOL_GPL(xfrm_local_error);
46 changes: 14 additions & 32 deletions net/xfrm/xfrm_policy.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -769,7 +769,7 @@ EXPORT_SYMBOL(xfrm_policy_byid);

#ifdef CONFIG_SECURITY_NETWORK_XFRM
static inline int
xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
{
int dir, err = 0;

Expand All @@ -783,10 +783,7 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
continue;
err = security_xfrm_policy_delete(pol->security);
if (err) {
xfrm_audit_policy_delete(pol, 0,
audit_info->loginuid,
audit_info->sessionid,
audit_info->secid);
xfrm_audit_policy_delete(pol, 0, task_valid);
return err;
}
}
Expand All @@ -800,9 +797,7 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
pol->security);
if (err) {
xfrm_audit_policy_delete(pol, 0,
audit_info->loginuid,
audit_info->sessionid,
audit_info->secid);
task_valid);
return err;
}
}
Expand All @@ -812,19 +807,19 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
}
#else
static inline int
xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)
{
return 0;
}
#endif

int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
{
int dir, err = 0, cnt = 0;

write_lock_bh(&net->xfrm.xfrm_policy_lock);

err = xfrm_policy_flush_secctx_check(net, type, audit_info);
err = xfrm_policy_flush_secctx_check(net, type, task_valid);
if (err)
goto out;

Expand All @@ -841,9 +836,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
write_unlock_bh(&net->xfrm.xfrm_policy_lock);
cnt++;

xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
audit_info->sessionid,
audit_info->secid);
xfrm_audit_policy_delete(pol, 1, task_valid);

xfrm_policy_kill(pol);

Expand All @@ -862,10 +855,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
write_unlock_bh(&net->xfrm.xfrm_policy_lock);
cnt++;

xfrm_audit_policy_delete(pol, 1,
audit_info->loginuid,
audit_info->sessionid,
audit_info->secid);
xfrm_audit_policy_delete(pol, 1, task_valid);
xfrm_policy_kill(pol);

write_lock_bh(&net->xfrm.xfrm_policy_lock);
Expand Down Expand Up @@ -2860,21 +2850,14 @@ static int __net_init xfrm_policy_init(struct net *net)

static void xfrm_policy_fini(struct net *net)
{
struct xfrm_audit audit_info;
unsigned int sz;
int dir;

flush_work(&net->xfrm.policy_hash_work);
#ifdef CONFIG_XFRM_SUB_POLICY
audit_info.loginuid = INVALID_UID;
audit_info.sessionid = (unsigned int)-1;
audit_info.secid = 0;
xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, &audit_info);
xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false);
#endif
audit_info.loginuid = INVALID_UID;
audit_info.sessionid = (unsigned int)-1;
audit_info.secid = 0;
xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);

WARN_ON(!list_empty(&net->xfrm.policy_all));

Expand Down Expand Up @@ -2989,30 +2972,29 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
}
}

void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
kuid_t auid, unsigned int sessionid, u32 secid)
void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid)
{
struct audit_buffer *audit_buf;

audit_buf = xfrm_audit_start("SPD-add");
if (audit_buf == NULL)
return;
xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
xfrm_audit_helper_usrinfo(task_valid, audit_buf);
audit_log_format(audit_buf, " res=%u", result);
xfrm_audit_common_policyinfo(xp, audit_buf);
audit_log_end(audit_buf);
}
EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);

void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
kuid_t auid, unsigned int sessionid, u32 secid)
bool task_valid)
{
struct audit_buffer *audit_buf;

audit_buf = xfrm_audit_start("SPD-delete");
if (audit_buf == NULL)
return;
xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
xfrm_audit_helper_usrinfo(task_valid, audit_buf);
audit_log_format(audit_buf, " res=%u", result);
xfrm_audit_common_policyinfo(xp, audit_buf);
audit_log_end(audit_buf);
Expand Down
Loading

0 comments on commit 65db611

Please sign in to comment.