diff -up ipsec-tools-0.7.1/configure.ac.loopback ipsec-tools-0.7.1/configure.ac
--- ipsec-tools-0.7.1/configure.ac.loopback 2008-07-22 15:53:46.000000000 +0200
+++ ipsec-tools-0.7.1/configure.ac 2008-07-30 21:14:30.000000000 +0200
@@ -794,6 +794,27 @@ if test "$enable_security_context" = "ye
fi
fi
+AC_MSG_CHECKING(whether to support Auditing)
+AC_ARG_ENABLE(audit,
+ [ --enable-audit build audit daemon support for SELinux],
+ enable_audit=$enableval,enable_audit=auto)
+
+AC_MSG_RESULT($enable_audit)
+
+# libaudit detection
+if test x$enable_audit = xno ; then
+ have_libaudit=no;
+else
+ AC_CHECK_LIB(audit, audit_log_user_avc_message,
+ have_libaudit=yes, have_libaudit=no)
+fi
+AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
+if test x$have_libaudit = xyes ; then
+ AUDIT_LIBS="-laudit"
+ AC_DEFINE(HAVE_LIBAUDIT,1,[audit daemon SELinux support])
+fi
+AC_SUBST(AUDIT_LIBS)
+
CFLAGS="$CFLAGS $CFLAGS_ADD"
CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD"
diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback ipsec-tools-0.7.1/src/racoon/pfkey.c
--- ipsec-tools-0.7.1/src/racoon/pfkey.c.loopback 2008-07-30 21:14:30.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/pfkey.c 2008-07-30 21:33:20.000000000 +0200
@@ -99,6 +99,7 @@
#include "nattraversal.h"
#include "crypto_openssl.h"
#include "grabmyaddr.h"
+#include "sockmisc.h"
#if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
#define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
@@ -972,6 +973,56 @@ pk_recvgetspi(mhp)
return -1;
}
+#ifdef HAVE_SECCTX
+ if (iph2->loopback == 1) {
+ u_int satype, reqid;
+ struct sockaddr *src;
+
+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ if (cmpsaddrstrict(src, dst) == 0) {
+ struct pfkey_send_sa_args sa_args;
+ /* yep, this is loopback. install SA */
+ satype = ipsecdoi2pfkey_proto(iph2->proposal->head->proto_id);
+ if (satype == ~0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid proto_id %d\n",
+ iph2->proposal->head->proto_id);
+ return -1;
+ }
+
+ reqid = iph2->proposal->head->reqid_in;
+
+ iph2->status = PHASE2ST_ADDSA;
+
+ memset (&sa_args, 0, sizeof (sa_args));
+ sa_args.so = lcconf->sock_pfkey;
+ sa_args.satype = satype;
+ sa_args.mode = IPSEC_MODE_TRANSPORT;
+ sa_args.src = src;
+ sa_args.dst = dst;
+ sa_args.spi = sa->sadb_sa_spi;
+ sa_args.reqid = reqid;
+ sa_args.e_type = SADB_EALG_NULL;
+ sa_args.a_type = SADB_AALG_NONE;
+ sa_args.l_addtime = iph2->proposal->lifetime;
+ sa_args.seq = iph2->seq;
+ sa_args.ctxdoi = iph2->proposal->sctx.ctx_doi;
+ sa_args.ctxalg = iph2->proposal->sctx.ctx_alg;
+ sa_args.ctxstr = iph2->proposal->sctx.ctx_str;
+ sa_args.ctxstrlen = iph2->proposal->sctx.ctx_strlen;
+ if (pfkey_send_update2(&sa_args) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to update loopback SA: %s\n",
+ ipsec_strerror());
+ remph2(iph2);
+ delph2(iph2);
+ return -1;
+ }
+ }
+ return 0;
+ }
+#endif /* HAVE SECCTX */
+
/* set SPI, and check to get all spi whether or not */
allspiok = 1;
notfound = 1;
@@ -1222,6 +1273,26 @@ pk_recvupdate(mhp)
return -1;
}
+#ifdef HAVE_SECCTX
+ /* get update for loopback here */
+ if (iph2->loopback == 1 && (cmpsaddrstrict(src, dst) == 0)) {
+ plog(LLV_INFO, LOCATION, NULL,
+ "IPsec-SA established without ISAKMP: %s\n",
+ sadbsecas2str(iph2->dst, iph2->src,
+ msg->sadb_msg_satype, sa->sadb_sa_spi,
+ IPSEC_MODE_TRANSPORT));
+
+ /* turn off the timer for calling pfkey_timeover() */
+ SCHED_KILL(iph2->sce);
+
+ iph2->sce = sched_new(iph2->proposal->lifetime,
+ isakmp_ph2expire_stub, iph2);
+
+ iph2->status = PHASE2ST_ESTABLISHED;
+ return 0;
+ }
+#endif
+
/* check to complete all keys ? */
for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
@@ -1264,11 +1335,6 @@ pk_recvupdate(mhp)
/* turn off the timer for calling pfkey_timeover() */
SCHED_KILL(iph2->sce);
- /* update status */
- /* Do this in pk_recvadd
- * iph2->status = PHASE2ST_ESTABLISHED;
- */
-
#ifdef ENABLE_STATS
gettimeofday(&iph2->end, NULL);
syslog(LOG_NOTICE, "%s(%s): %8.6f",
@@ -1657,6 +1723,7 @@ pk_recvacquire(mhp)
struct sadb_x_sec_ctx *m_sec_ctx;
#endif /* HAVE_SECCTX */
struct policyindex spidx;
+ int do_listen = 0;
/* ignore this message because of local test mode. */
@@ -1681,6 +1748,12 @@ pk_recvacquire(mhp)
m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
if (m_sec_ctx != NULL) {
+ if (m_sec_ctx->sadb_x_ctx_len > MAX_CTXSTR_SIZE) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ignoring ACQUIRE: security context is greater than MAX, %d.\n",
+ MAX_CTXSTR_SIZE);
+ return -1;
+ }
plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
m_sec_ctx->sadb_x_ctx_doi);
plog(LLV_INFO, LOCATION, NULL,
@@ -1730,7 +1803,6 @@ pk_recvacquire(mhp)
*/
struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
struct myaddrs *p;
- int do_listen = 0;
for (p = lcconf->myaddrs; p; p = p->next) {
if (!cmpsaddrwop(p->addr, sa)) {
do_listen = 1;
@@ -1853,6 +1925,73 @@ pk_recvacquire(mhp)
plog(LLV_DEBUG, LOCATION, NULL,
"new acquire %s\n", spidx2str(&sp_out->spidx));
+#ifdef HAVE_SECCTX
+ /*
+ * If the src address in the ACQUIRE is one we listen on and
+ * the src and dst addresses are the same, then assume this
+ * packet arrived over loopback and just get an SPI and
+ * install the SA.
+ */
+ if (do_listen && m_sec_ctx && (cmpsaddrstrict(src, dst) == 0)) {
+ struct saprop *newpp;
+ struct saproto *newpr;
+ iph2[n]->loopback = 1;
+ newpp = newsaprop();
+ if (newpp == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate saprop.\n");
+ delph2(iph2[n]);
+ return -1;
+ }
+ /* allocate to hold reqid */
+ newpr = newsaproto();
+ if (newpr == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate saproto.\n");
+ delph2(iph2[n]);
+ return -1;
+ }
+
+ newpr->reqid_out = sp_out->req->saidx.reqid;
+ newpr->reqid_in = sp_in->req->saidx.reqid;
+ newpr->proto_id = ipproto2doi(sp_out->req->saidx.proto);
+
+ inssaprotorev(newpp, newpr);
+ iph2[n]->proposal = newpp;
+ printsaprop0(LLV_DEBUG, newpp);
+
+ set_secctx_in_proposal(iph2[n], spidx);
+ iph2[n]->proposal->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
+
+ insph2(iph2[n]);
+
+ iph2[n]->status = PHASE2ST_GETSPISENT;
+ plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
+ if (pfkey_send_getspi(
+ lcconf->sock_pfkey,
+ iph2[n]->satype,
+ IPSEC_MODE_TRANSPORT,
+ dst, /* src of SA */
+ src, /* dst of SA */
+ 0, 0,
+ newpr->reqid_in, iph2[n]->seq) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ipseclib failed send getspi (%s)\n",
+ ipsec_strerror());
+ delph2(iph2[n]);
+ return -1;
+ }
+ iph2[n]->sce = sched_new(lcconf->wait_ph2complete,
+ pfkey_timeover_stub, iph2[n]);
+
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "pfkey GETSPI sent: %s\n",
+ sadbsecas2str(dst, src, iph2[n]->satype, 0,
+ IPSEC_MODE_TRANSPORT));
+ return 0;
+ }
+#endif /* HAVE_SECCTX */
+
/* get sainfo */
{
vchar_t *idsrc, *iddst;
diff -up ipsec-tools-0.7.1/src/racoon/Makefile.am.loopback ipsec-tools-0.7.1/src/racoon/Makefile.am
--- ipsec-tools-0.7.1/src/racoon/Makefile.am.loopback 2008-07-23 15:54:16.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/Makefile.am 2008-07-30 21:14:30.000000000 +0200
@@ -39,7 +39,7 @@ racoon_SOURCES = \
EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
- $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
+ $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la @AUDIT_LIBS@
racoon_DEPENDENCIES = \
$(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
vmbuf.o sockmisc.o misc.o
diff -up ipsec-tools-0.7.1/src/racoon/policy.h.loopback ipsec-tools-0.7.1/src/racoon/policy.h
--- ipsec-tools-0.7.1/src/racoon/policy.h.loopback 2007-06-07 22:34:19.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/policy.h 2008-07-30 21:14:30.000000000 +0200
@@ -38,7 +38,12 @@
#ifdef HAVE_SECCTX
-#define MAX_CTXSTR_SIZE 50
+
+/* Current LSPP policy is 1024 compartments, 5 chars each 'c1024'. SE Linux
+ * will attempt to combine so, worst case is all odd or even numbers. The
+ * context size of SE Linux types is max'ed around 256. We allow 16 for
+ * sensitivity */
+#define MAX_CTXSTR_SIZE 3344 /* (6 * 512) + 256 + 16 */
struct security_ctx {
u_int8_t ctx_doi; /* Security Context DOI */
u_int8_t ctx_alg; /* Security Context Algorithm */
@@ -152,6 +157,9 @@ extern void initsp __P((void));
extern struct ipsecrequest *newipsecreq __P((void));
extern const char *spidx2str __P((const struct policyindex *));
+#ifdef HAVE_LIBAUDIT
+extern void audit_init __P((void));
+#endif
#ifdef HAVE_SECCTX
#include <selinux/selinux.h>
extern int get_security_context __P((vchar_t *, struct policyindex *));
diff -up ipsec-tools-0.7.1/src/racoon/main.c.loopback ipsec-tools-0.7.1/src/racoon/main.c
--- ipsec-tools-0.7.1/src/racoon/main.c.loopback 2007-06-07 22:34:18.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/main.c 2008-07-30 21:14:30.000000000 +0200
@@ -169,6 +169,9 @@ main(ac, av)
#ifdef HAVE_SECCTX
init_avc();
#endif
+#ifdef HAVE_LIBAUDIT
+ audit_init();
+#endif
eay_init();
initlcconf();
initrmconf();
diff -up ipsec-tools-0.7.1/src/racoon/handler.h.loopback ipsec-tools-0.7.1/src/racoon/handler.h
--- ipsec-tools-0.7.1/src/racoon/handler.h.loopback 2008-07-30 21:14:30.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/handler.h 2008-07-30 21:14:30.000000000 +0200
@@ -286,6 +286,7 @@ struct ph2handle {
u_int32_t msgid; /* msgid for phase 2 */
u_int32_t sa_count; /* num of SAs sent in SADB_ADD */
+ u_int8_t loopback;
struct sainfo *sainfo; /* place holder of sainfo */
struct saprop *proposal; /* SA(s) proposal. */
diff -up ipsec-tools-0.7.1/src/racoon/security.c.loopback ipsec-tools-0.7.1/src/racoon/security.c
--- ipsec-tools-0.7.1/src/racoon/security.c.loopback 2007-06-07 22:34:19.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/security.c 2008-07-30 21:14:30.000000000 +0200
@@ -55,6 +55,61 @@
#include "proposal.h"
#include "strnames.h"
#include "handler.h"
+#ifdef HAVE_LIBAUDIT
+#include <unistd.h>
+#include <sys/param.h>
+#include "libaudit.h"
+#endif
+
+static void log_callback (const char *fmt, ...);
+
+static const struct avc_log_callback log_cb =
+{
+ .func_log = log_callback,
+ .func_audit = NULL
+};
+
+#ifdef HAVE_LIBAUDIT
+static int audit_fd = -1;
+void
+audit_init(void)
+{
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* If kernel doesn't support audit, bail out */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return;
+ /* If unprivileged, bail out */
+ if (errno == EPERM && getuid() != 0)
+ return;
+ plog (LLV_ERROR, LOCATION, NULL,
+ "Failed opening connection to the audit subsystem");
+ }
+}
+#endif /* HAVE_LIBAUDIT */
+
+static void
+log_callback (const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+#ifdef HAVE_LIBAUDIT
+ if (audit_fd >= 0) {
+ char buf[PATH_MAX*2];
+
+ /* FIXME: need to change this to show real user */
+ vsnprintf(buf, sizeof(buf), fmt, ap);
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC,
+ buf, NULL, NULL, NULL, -1);
+ return;
+ } else
+#endif /* HAVE_LIBAUDIT */
+ {
+ vsyslog (LOG_INFO, fmt, ap);
+ va_end(ap);
+ }
+}
/*
* Get the security context information from SA.
distrib
>
Mandriva
>
2009.1
>
x86_64
>
media
>
main-updates-src
>
by-pkgid
>
04a194a09b3d0c936d3a5ccca0fde2a7
>
files
>
9
