    [IPSEC]: SPD auditing fix to include the netmask/prefix-length · 875179fa
    Paul Moore authored
    Currently the netmask/prefix-length of an IPsec SPD entry is not included in
    any of the SPD related audit messages.  This can cause a problem when the
    audit log is examined as the netmask/prefix-length is vital in determining
    what network traffic is affected by a particular SPD entry.  This patch fixes
    this problem by adding two additional fields, "src_prefixlen" and
    "dst_prefixlen", to the SPD audit messages to indicate the source and
    destination netmasks.  These new fields are only included in the audit message
    when the netmask/prefix-length is less than the address length, i.e. the SPD
    entry applies to a network address and not a host address.
    
    Example audit message:
    
     type=UNKNOWN[1415] msg=audit(1196105849.752:25): auid=0 \
       subj=root:system_r:unconfined_t:s0-s0:c0.c1023 op=SPD-add res=1 \
       src=192.168.0.0 src_prefixlen=24 dst=192.168.1.0 dst_prefixlen=24
    
    In addition, this patch also fixes a few other things in the
    xfrm_audit_common_policyinfo() function.  The IPv4 string formatting was
    converted to use the standard NIPQUAD_FMT constant, the memcpy() was removed
    from the IPv6 code path and replaced with a typecast (the memcpy() was acting
    as a slow, implicit typecast anyway), and two local variables were created to
    make referencing the XFRM security context and selector information cleaner.

    Signed-off-by: Paul Moore <paul.moore@hp.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
xfrm_policy.c 59.2 KB
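The rule the commit describes (emit `src_prefixlen`/`dst_prefixlen` only when the prefix length is shorter than the address length, so an omitted field means a host address) is easy to get wrong when writing log parsers or checking the kernel's behaviour. The following userspace C program is an added example, not code from this commit or from the kernel's `xfrm_audit_common_policyinfo()`: it reproduces that rule over a minimal stand-in selector. `struct sel_example`, `addr_bits()`, `format_spd_audit_tail()` and `spd_audit_tail()` are this example's own names, `inet_ntop()` takes the place of the kernel's NIPQUAD_FMT/NIP6_FMT formatting, and the three inputs in `main()` are constructed (the first one matches the example message in the commit).

```c
/* Added example, not the kernel's code: formats the selector part of an
 * SPD audit message with the prefixlen rule from the commit message. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical stand-in for the kernel's selector: only what the audit tail needs. */
struct sel_example {
    int family;                 /* AF_INET or AF_INET6 */
    unsigned char saddr[16];    /* network byte order; 4 bytes used for IPv4 */
    unsigned char daddr[16];
    int prefixlen_s;            /* source netmask / prefix length in bits */
    int prefixlen_d;            /* destination netmask / prefix length in bits */
};

/* Address length in bits: a prefixlen field is emitted only below this value. */
static int addr_bits(int family)
{
    return family == AF_INET6 ? 128 : 32;
}

/* Writes "src=A[ src_prefixlen=N] dst=B[ dst_prefixlen=M]" into buf.
 * Returns the length written, or -1 on a formatting error or truncation. */
int format_spd_audit_tail(const struct sel_example *sel, char *buf, size_t len)
{
    char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
    int bits = addr_bits(sel->family);
    int n, m;

    if (!inet_ntop(sel->family, sel->saddr, src, sizeof src) ||
        !inet_ntop(sel->family, sel->daddr, dst, sizeof dst))
        return -1;

    n = snprintf(buf, len, "src=%s", src);
    if (n < 0 || (size_t)n >= len)
        return -1;

    /* Prefix length equal to the address length means a host address:
     * the field is omitted, as the commit message states. */
    if (sel->prefixlen_s < bits) {
        m = snprintf(buf + n, len - n, " src_prefixlen=%d", sel->prefixlen_s);
        if (m < 0 || (size_t)m >= len - n)
            return -1;
        n += m;
    }

    m = snprintf(buf + n, len - n, " dst=%s", dst);
    if (m < 0 || (size_t)m >= len - n)
        return -1;
    n += m;

    if (sel->prefixlen_d < bits) {
        m = snprintf(buf + n, len - n, " dst_prefixlen=%d", sel->prefixlen_d);
        if (m < 0 || (size_t)m >= len - n)
            return -1;
        n += m;
    }
    return n;
}

/* Convenience wrapper over textual addresses; returns a pointer to a static
 * buffer, or NULL if an address does not parse or formatting fails. */
const char *spd_audit_tail(int family, const char *s, const char *d,
                           int prefixlen_s, int prefixlen_d)
{
    static char out[256];
    struct sel_example sel;

    memset(&sel, 0, sizeof sel);
    sel.family = family;
    sel.prefixlen_s = prefixlen_s;
    sel.prefixlen_d = prefixlen_d;
    if (inet_pton(family, s, sel.saddr) != 1 || inet_pton(family, d, sel.daddr) != 1)
        return NULL;
    if (format_spd_audit_tail(&sel, out, sizeof out) < 0)
        return NULL;
    return out;
}

int main(void)
{
    /* Constructed inputs: the commit's /24 example, a host-to-host policy, an IPv6 /64 to a host. */
    printf("%s\n", spd_audit_tail(AF_INET, "192.168.0.0", "192.168.1.0", 24, 24));
    printf("%s\n", spd_audit_tail(AF_INET, "10.0.0.1", "10.0.0.2", 32, 32));
    printf("%s\n", spd_audit_tail(AF_INET6, "2001:db8::", "2001:db8:1::", 64, 128));
    return 0;
}
```

When consuming these records, treat a missing `src_prefixlen` or `dst_prefixlen` as a full-length prefix (/32 for IPv4, /128 for IPv6) rather than as an unknown value; the second and third outputs above show both cases.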