From a73b8cf29e6f6bd4d32da5856f482790624b4724 Mon Sep 17 00:00:00 2001
From: Miloslav Trmač
Date: Mon, 2 Aug 2010 11:25:24 +0200
Subject: Implement AUDIT_CRYPTO_STORAGE_KEY
---
crypto/userspace/ncr.c | 28 ++++++++++++++++++++++++----
include/linux/audit.h | 2 ++
2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/crypto/userspace/ncr.c b/crypto/userspace/ncr.c
index 6cae7167c9d..57744396db8 100644
--- a/crypto/userspace/ncr.c
+++ b/crypto/userspace/ncr.c
@@ -22,6 +22,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ +#include #include #include #include
@@ -102,19 +103,30 @@ void ncr_master_key_reset(void) static int ncr_master_key_set(const struct ncr_master_key_set *st, struct nlattr *tb[]) { + struct audit_buffer *ab; + int ret; + if (!capable(CAP_SYS_ADMIN)) { err(); return -EPERM; } + /* This will also cause auditing of the syscall, including information + about the process, and success/failure indication. Note that on + error the AUDIT_CRYPTO_STORAGE_KEY record will be empty. */ + ab = audit_log_start(current->audit_context, GFP_KERNEL, + AUDIT_CRYPTO_STORAGE_KEY); + if (st->key_size > sizeof(master_key.key.secret.data)) { err(); - return -EINVAL; + ret = -EINVAL; + goto end; } if (st->key_size != 16 && st->key_size != 24 && st->key_size != 32) { dprintk(0, KERN_DEBUG, "Master key size must be 16,24 or 32.\n"); - return -EINVAL; + ret = -EINVAL; + goto end; } if (master_key.type != NCR_KEY_TYPE_INVALID) {
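Review bot: The `capable(CAP_SYS_ADMIN)` failure branch in `ncr_master_key_set()` returns `-EPERM` before `audit_log_start()` is reached, so a refused attempt to set the storage master key produces no `AUDIT_CRYPTO_STORAGE_KEY` record, while every later failure path does. If denied attempts are meant to show up in the audit trail, start the record ahead of the capability check and send that branch through the common exit with `ret = -EPERM; goto end;`. That would let unprivileged callers generate records, so the audit subsystem's rate limiting should be relied on rather than assumed absent. The `end:` label and `audit_log_end(ab)` sit in the following hunk, and the function body continues outside this one.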
@@ -124,15 +136,23 @@ static int ncr_master_key_set(const struct ncr_master_key_set *st, if (unlikely(copy_from_user(master_key.key.secret.data, st->key, st->key_size))) { err(); - return -EFAULT; + ret = -EFAULT; + goto end; } dprintk(0, KERN_INFO, "Initializing master key.\n"); + /* Not much we can reveal... */ + audit_log_format(ab, "key_size=%u", (unsigned)st->key_size); master_key.type = NCR_KEY_TYPE_SECRET; master_key.key.secret.size = st->key_size; - return 0; + ret = 0; + +end: + audit_log_end(ab); + + return ret; } long
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 3c7a358241a..35fa4e9c34a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -122,6 +122,8 @@ #define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */ #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ +#define AUDIT_CRYPTO_STORAGE_KEY 1600 /* Key storage key configured */ + #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
-- cgit
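Review bot: On the `-EFAULT` branch the audit record is closed empty even though `copy_from_user()` writes directly into `master_key.key.secret.data`, so a copy that faults part-way can leave the stored key bytes altered while `master_key.type` and `master_key.key.secret.size` still describe the previous key (assuming one was set; the lines between the two hunks are not shown). Make the failure state explicit before the jump, for example `master_key.type = NCR_KEY_TYPE_INVALID;` ahead of `goto end;`, or copy into a temporary buffer and commit only on success. It would also help to move `audit_log_format(ab, "key_size=%u", (unsigned)st->key_size);` up next to `audit_log_start()` so a failed attempt records the requested size instead of nothing. The start of `ncr_master_key_set()` is in the previous hunk.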