From mboxrd@z Thu Jan  1 00:00:00 1970
From: Joy Latten <latten@austin.ibm.com>
Subject: Re: [PATCH 1/1]: ipsec audit
Date: Wed, 01 Nov 2006 17:10:28 -0600
Message-ID: <1162422628.17737.298.camel@faith.austin.ibm.com>
References: <1161908598.17737.280.camel@faith.austin.ibm.com>
	<200610301201.30040.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <200610301201.30040.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, 2006-10-30 at 12:01 -0500, Steve Grubb wrote:

> 
> > diff -urpN linux-2.6.18.ppc64/net/xfrm/xfrm_policy.c
> > linux-2.6.18.ppc64.patch/net/xfrm/xfrm_policy.c
> > --- linux-2.6.18.ppc64/net/xfrm/xfrm_policy.c	2006-10-26
> > 03:10:11.000000000 -0500
> > +++ linux-2.6.18.ppc64.patch/net/xfrm/xfrm_policy.c	2006-10-26
> > 07:04:08.000000000 -0500
> > @@ -374,13 +374,21 @@ static void xfrm_policy_gc_task(void *da
> >   * entry dead. The rule must be unlinked from lists to the moment.
> >   */
> >
> > -static void xfrm_policy_kill(struct xfrm_policy *policy)
> > +static void xfrm_policy_kill(struct xfrm_policy *policy, uid_t auid)
> >  {
> >  	int dead;
> >
> >  	write_lock_bh(&policy->lock);
> >  	dead = policy->dead;
> >  	policy->dead = 1;
> > +
> > +	if (policy->security)
> 
> If this is NULL we get no audit message?
> 
> > +		audit_log(current->audit_context, GFP_ATOMIC,
> > +			  AUDIT_MAC_IPSEC_DELSPD,
> > +			  "spd delete: auid=%u 
> 
> subj=  should be after auid field. This means that you need to collect the 
> secid out of the netlink packets and the audit context and send it as well.
> 
Ok, I see how to get the security id from the netlink packet, but how do
I get it from the audit context? I did not see an selinux security id in
audit_context structure...? Am I looking in the wrong place?

> > ctx_alg=%d ctx_doi=%d
> 
> I'd drop the ctx in favor of sp.
> 
ok, but since the algorithm and doi or specific to security lsm/selinux
and not ipsec, would sec_alg, or sec_doi, be better?

> > ctx=%s",  
> > +			  auid, policy->security->ctx_alg,
> > +			  policy->security->ctx_doi, policy->security->ctx_str);
> > +
> 
> Also, the last field should be res=%u. res is the results, 1 meaning success 
> and 0 failure. This means we want this function called on failure, too.
> 
> >  	write_unlock_bh(&policy->lock);

Joy