
kernel-2.6.18-238.el5.src.rpm

From: Eric Paris <eparis@redhat.com>
Date: Mon, 17 Dec 2007 11:10:49 -0500
Subject: [audit] netmask on xfrm policy configuration changes
Message-id: 1197907849.6197.10.camel@localhost.localdomain
O-Subject: [RHEL5 PATCH] XFRM/Audit: audit netmask on xfrm policy configuration changes
Bugzilla: 410531

BZ 410531

http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.25.git;a=commitdiff;h=373e473ddeefcddea6ffd2a2d0bf0d3aa7e8d3e3

Currently the netmask/prefix-length of an IPsec SPD entry is not included in
any of the SPD related audit messages.  This can cause a problem when the
audit log is examined as the netmask/prefix-length is vital in determining
what network traffic is affected by a particular SPD entry.  This patch fixes
this problem by adding two additional fields, "src_prefixlen" and
"dst_prefixlen", to the SPD audit messages to indicate the source and
destination netmasks.  These new fields are only included in the audit message
when the netmask/prefix-length is less than the address length, i.e. the SPD
entry applies to a network address and not a host address.

[snip]

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Tested on a RHEL5 kernel.  The original author also looked at the patch
and thought it was correct.  This is not a complete backport of the
upstream commit as the upstream commit made 3 'cosmetic' changes as well
which are not needed to fix a bug nor does any of that patch cleanly
apply since most of the subsystem was rewritten.  I did make one
cosmetic change to use NIPQUAD_FMT similar to upstream.

Example audit messages from my RHEL5 box:
type=MAC_IPSEC_DELSPD msg=audit(1197906947.196:192): SPD delete: auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 src=10.0.0.1 dst=10.0.0.2 res=1
type=MAC_IPSEC_DELSPD msg=audit(1197906947.196:192): SPD delete: auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 src=10.0.0.0 src_prefixlen=24 dst=10.0.1.0 dst_prefixlen=24 res=1

Acked-by: "David S. Miller" <davem@redhat.com>
Acked-by: James Morris <jmorris@redhat.com>
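The two audit records above are only useful to an analyst once the optional src_prefixlen/dst_prefixlen fields are folded back into the networks the SPD entry covers. The following reader is an added example, not code from this patch or from the kernel: it parses MAC_IPSEC_* records, treats a missing prefix length as the full address length (32 or 128, mirroring the kernel's test), and answers which entries cover a given address. The function names (spd_selector, summarize, records_covering) are my own, and the third, IPv6 record is constructed for illustration.

```python
import re
import ipaddress

# Records 1 and 2 are the ones quoted in the patch description; record 3 is a
# constructed IPv6 record in the same format, not taken from a live system.
SAMPLE_RECORDS = [
    "type=MAC_IPSEC_DELSPD msg=audit(1197906947.196:192): SPD delete: auid=0 "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 src=10.0.0.1 dst=10.0.0.2 res=1",
    "type=MAC_IPSEC_DELSPD msg=audit(1197906947.196:192): SPD delete: auid=0 "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 src=10.0.0.0 src_prefixlen=24 "
    "dst=10.0.1.0 dst_prefixlen=24 res=1",
    "type=MAC_IPSEC_ADDSPD msg=audit(1197906947.200:193): SPD add: auid=0 "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 src=2001:db8::1 "
    "dst=2001:db8:1:: dst_prefixlen=64 res=1",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")  # key=value pairs of an audit record

def spd_selector(line):
    """Return (src_net, dst_net) for a MAC_IPSEC_* record, else None.
    An absent *_prefixlen means the kernel saw the full address length
    (32 for IPv4, 128 for IPv6), i.e. the entry matches a single host."""
    fields = dict(FIELD_RE.findall(line))
    if (not fields.get("type", "").startswith("MAC_IPSEC_")
            or "src" not in fields or "dst" not in fields):
        return None
    src = ipaddress.ip_address(fields["src"])
    dst = ipaddress.ip_address(fields["dst"])
    src_len = int(fields.get("src_prefixlen", src.max_prefixlen))
    dst_len = int(fields.get("dst_prefixlen", dst.max_prefixlen))
    # strict=False: the kernel logs the selector address as userspace supplied
    # it, so a record with host bits set below the prefix is still readable.
    return (ipaddress.ip_network((src, src_len), strict=False),
            ipaddress.ip_network((dst, dst_len), strict=False))

def summarize(line):
    """'src_net -> dst_net' for an IPsec record, None for any other record."""
    sel = spd_selector(line)
    return None if sel is None else f"{sel[0]} -> {sel[1]}"

def records_covering(lines, address):
    """Summaries of the records whose src or dst selector covers address."""
    addr = ipaddress.ip_address(address)
    hits = []
    for line in lines:
        sel = spd_selector(line)
        if sel is not None and (addr in sel[0] or addr in sel[1]):
            hits.append(summarize(line))
    return hits
```

Run over an audit.log filtered to type=MAC_IPSEC_ADDSPD/DELSPD, records_covering tells you which policy changes touched traffic to or from a host of interest, which is exactly the question the missing prefix length made impossible to answer.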

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index ee1bd8f..d5e6cd7 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1528,9 +1528,17 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
 				saddr.s_addr = x->props.saddr.a4;
 				daddr.s_addr = x->id.daddr.a4;
 			}
-			audit_log_format(audit_buf,
-					 " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
-					 NIPQUAD(saddr), NIPQUAD(daddr));
+			audit_log_format(audit_buf, " src=" NIPQUAD_FMT,
+					 NIPQUAD(saddr));
+			if (xp && (xp->selector.prefixlen_s != 32))
+				audit_log_format(audit_buf, " src_prefixlen=%d",
+						 xp->selector.prefixlen_s);
+
+			audit_log_format(audit_buf, " dst=" NIPQUAD_FMT,
+					 NIPQUAD(daddr));
+			if (xp && (xp->selector.prefixlen_d != 32))
+				audit_log_format(audit_buf, " dst_prefixlen=%d",
+						 xp->selector.prefixlen_d);
 		}
 			break;
 	case AF_INET6:
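Review bot: the guards `if (xp && (xp->selector.prefixlen_s != 32))` and the matching `prefixlen_d` test emit the new fields for any prefix length other than 32, while the description says they appear only when the prefix length is less than the address length; either make the test `< 32` or reword the description to say that an out-of-range value is reported as well, which for an audit trail is arguably the more useful behaviour. The `xp &&` check is right for the SA path, where `xp` is NULL and there is no selector, but a one-line comment saying so would spare the next reader working it out, and the literal 32 is better expressed as a named address length since the IPv6 branch repeats the same pattern with 128.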
@@ -1547,9 +1555,17 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
 				memcpy(&daddr6, x->id.daddr.a6,
 					sizeof(struct in6_addr));
 			}
-			audit_log_format(audit_buf,
-					 " src=" NIP6_FMT " dst=" NIP6_FMT,
-					 NIP6(saddr6), NIP6(daddr6));
+			audit_log_format(audit_buf, " src=" NIP6_FMT,
+					 NIP6(saddr6));
+			if (xp && (xp->selector.prefixlen_s != 128))
+				audit_log_format(audit_buf, " src_prefixlen=%d",
+						 xp->selector.prefixlen_s);
+
+			audit_log_format(audit_buf, " dst=" NIP6_FMT,
+					 NIP6(daddr6));
+			if (xp && (xp->selector.prefixlen_d != 128))
+				audit_log_format(audit_buf, " dst_prefixlen=%d",
+						 xp->selector.prefixlen_d);
 		}
 		break;
 	}
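Review bot: this block is the IPv4 logic copied with 128 in place of 32 and NIP6_FMT in place of NIPQUAD_FMT; a small static helper taking the address length and the two prefix lengths would keep the two paths from drifting apart on the next change. Also, the example messages in the description exercise only the AF_INET path; please add an IPv6 record showing src_prefixlen/dst_prefixlen alongside the NIP6_FMT output so the formatting of this branch is shown to have been tested too.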