[PATCH 1/1]: ipsec audit

[Joy Latten]

On Mon, 2006-10-30 at 12:01 -0500, Steve Grubb wrote:

> 
> > diff -urpN linux-2.6.18.ppc64/net/xfrm/xfrm_policy.c
> > linux-2.6.18.ppc64.patch/net/xfrm/xfrm_policy.c
> > --- linux-2.6.18.ppc64/net/xfrm/xfrm_policy.c	2006-10-26
> > 03:10:11.000000000 -0500
> > +++ linux-2.6.18.ppc64.patch/net/xfrm/xfrm_policy.c	2006-10-26
> > 07:04:08.000000000 -0500
> > @@ -374,13 +374,21 @@ static void xfrm_policy_gc_task(void *da
> >   * entry dead. The rule must be unlinked from lists to the moment.
> >   */
> >
> > -static void xfrm_policy_kill(struct xfrm_policy *policy)
> > +static void xfrm_policy_kill(struct xfrm_policy *policy, uid_t auid)
> >  {
> >  	int dead;
> >
> >  	write_lock_bh(&policy->lock);
> >  	dead = policy->dead;
> >  	policy->dead = 1;
> > +
> > +	if (policy->security)
> 
> If this is NULL we get no audit message?
> 
> > +		audit_log(current->audit_context, GFP_ATOMIC,
> > +			  AUDIT_MAC_IPSEC_DELSPD,
> > +			  "spd delete: auid=%u 
> 
> subj=  should be after auid field. This means that you need to collect the 
> secid out of the netlink packets and the audit context and send it as well.
> 
Ok, I see how to get the security id from the netlink packet, but how do
I get it from the audit context? I did not see an selinux security id in
audit_context structure...? Am I looking in the wrong place?

> > ctx_alg=%d ctx_doi=%d
> 
> I'd drop the ctx in favor of sp.
> 
ok, but since the algorithm and doi or specific to security lsm/selinux
and not ipsec, would sec_alg, or sec_doi, be better?

> > ctx=%s",  
> > +			  auid, policy->security->ctx_alg,
> > +			  policy->security->ctx_doi, policy->security->ctx_str);
> > +
> 
> Also, the last field should be res=%u. res is the results, 1 meaning success 
> and 0 failure. This means we want this function called on failure, too.
> 
> >  	write_unlock_bh(&policy->lock);

Joy