drivenets · dyonayov-dn · Nov 8, 2022
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
@@ -508,3 +508,9 @@ charon.oper_db_client_type = empty
 	With _liboper_ oper accesses will be sent to liboper_db_client.
 	With _loggy_ oper accesses will be logged and then discarded.
 	With _empty_ oper accesses will be immediately discarded, without logs.
+
+charon.system_events_type = libsystem_events
+	Type of system events connection (_libsystem_events_, _empty_)
+
+	With _libsystem_events_ accesses will be sent to libsystem_events.
+	With _empty_ accesses will be immediately discarded, without logs.
diff --git a/conf/plugins/kernel-super.opt b/conf/plugins/kernel-super.opt
@@ -5,9 +5,3 @@ charon.plugins.kernel-super.pm_routes_conn = no
 charon.plugins.kernel-super.peer_cert_info_local = no
 	Whether to parse local certificates for VRF/vlan information.
 	Set only in tests. Should be 'no' in production
-
-charon.plugins.kernel-super.system_events_type = libsystem_events
-	Type of system events connection (_libsystem_events_, _empty_)
-
-	With _libsystem_events_ accesses will be sent to libsystem_events.
-	With _empty_ accesses will be immediately discarded, without logs.
diff --git a/containers/scripts/format_src.sh b/containers/scripts/format_src.sh
@@ -16,7 +16,7 @@ format_file() {
 	BLACKLIST_SRCS+=("/strongswan/src/picomsg/src/grpc/socket_mutator.h")
 	BLACKLIST_SRCS+=("/strongswan/src/libcharon/plugins/kernel_super/libike_client/ike_client.h")
 	BLACKLIST_SRCS+=("/strongswan/src/libstrongswan/oper_db/liboper_db_client/liboper_db_client.h")
-	BLACKLIST_SRCS+=("/strongswan/src/libcharon/plugins/kernel_super/system_events/libsystem_events/libsystem_events.h")
+	BLACKLIST_SRCS+=("/strongswan/src/libcharon/system_events/libsystem_events/libsystem_events.h")
 	BLACKLIST_SRCS+=("/strongswan/src/picomsg/src/blocking_concurrent_queue/.*")
 
 	local src_file=$1

diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
@@ -91,7 +91,11 @@ if USE_KERNEL_SUPER
 libcharon_la_SOURCES += \
 sa/ike_super_peer_info.h sa/ike_super_peer_info.c \
 oper_db/oper_db_client.h oper_db/sl_oper_db_client.h oper_db/sl_oper_db_client.c \
-oper_db/liboper_db_client/liboper_db_client.h
+oper_db/liboper_db_client/liboper_db_client.h \
+system_events/system_events.h \
+system_events/sl_system_events/sl_system_events.h system_events/sl_system_events/sl_system_events.c \
+system_events/empty_system_events/empty_system_events.h system_events/empty_system_events/empty_system_events.c \
+system_events/libsystem_events/libsystem_events.h
 endif
 
 if USE_IKEV2

diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
@@ -65,6 +65,9 @@
 #include "../picomsg/src/loggy_oper_db_client/loggy_oper_db_client.h"
 #include "oper_db/sl_oper_db_client.h"
 #include "../picomsg/src/picomsg.h"
+
+#include "system_events/sl_system_events/sl_system_events.h"
+#include "system_events/empty_system_events/empty_system_events.h"
 #endif // USE_KERNEL_SUPER
 
 #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
@@ -758,6 +761,7 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.kernel);
 #ifdef USE_KERNEL_SUPER
 	DESTROY_IF(this->public.oper_db_client);
+	DESTROY_IF(this->public.system_events);
 #endif // USE_KERNEL_SUPER
 
 	/* rehook library logging, shutdown logging */
@@ -991,6 +995,44 @@ static oper_db_client_t *create_oper_db_client(void)
 	LOG(DBG_KNL, SL_LOG_CRIT, "unknown oper_db_client_type '%s'", oper_db_client_type);
 	return NULL;
 }
+
+system_events_t* create_system_events(void)
+{
+	const char *system_events_type =
+		lib->settings->get_str(lib->settings, "%s.system_events_type", NULL,
+							   lib->ns);
+	LOG(DBG_KNL, SL_LOG_INFO, "using system_events_type '%s'", system_events_type);
+
+	if (streq("libsystem_events", system_events_type))
+	{
+		sl_system_events_t *const sl_system_events = sl_system_events_create();
+		if (! sl_system_events)
+		{
+			LOG(DBG_KNL, SL_LOG_ERR, "failed to create sl_system_events_t");
+			goto fail;
+		}
+		return &sl_system_events->interface;
+	}
+	else if (streq("empty", system_events_type))
+	{
+		empty_system_events_t *const empty_system_events = empty_system_events_create();
+		if (! empty_system_events)
+		{
+			LOG(DBG_KNL, SL_LOG_ERR, "failed to create empty_system_events_t");
+			goto fail;
+		}
+		return &empty_system_events->interface;
+	}
+	else
+	{
+		LOG(DBG_KNL, SL_LOG_ERR, "wrong system_events_type: %s", system_events_type);
+		goto fail;
+	}
+
+fail:
+	LOG(DBG_KNL, SL_LOG_ERR, "failed to create system_events_interface");
+	return NULL;
+}
 #endif
 
 METHOD(daemon_t, initialize, bool,
@@ -1078,6 +1120,13 @@ private_daemon_t *daemon_create()
 		goto out_destroy;
 	}
 	picomsg_set_oper_db_client(this->public.oper_db_client);
+	this->public.system_events = create_system_events();
+	if (! this->public.system_events)
+	{
+		// Reason already logged @ function
+		goto out_destroy;
+	}
+	picomsg_set_system_events(this->public.system_events);
 #endif // USE_KERNEL_SUPER
 
 	return this;

diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
@@ -202,6 +202,7 @@ typedef struct daemon_t daemon_t;
 
 #ifdef USE_KERNEL_SUPER
 #include "oper_db/oper_db_client.h"
+#include "system_events/system_events.h"
 #endif /* USE_KERNEL_SUPER */
 
 /**
@@ -329,6 +330,7 @@ struct daemon_t {
 
 #ifdef USE_KERNEL_SUPER
 	oper_db_client_t *oper_db_client;
+	system_events_t *system_events;
 #endif
 
 	bool audit_pesky_logs;

diff --git a/src/libcharon/plugins/kernel_super/Makefile.am b/src/libcharon/plugins/kernel_super/Makefile.am
@@ -24,11 +24,7 @@ libstrongswan_kernel_super_la_SOURCES = \
 	libike_client/ike_client.h \
 	picomsg_conversions.h picomsg_conversions.c \
 	config_connection.h config_connection.c \
-	routes_conn.h routes_conn.c \
-	system_events/sl_system_events/sl_system_events.h system_events/sl_system_events/sl_system_events.c \
-	system_events/empty_system_events/empty_system_events.h system_events/empty_system_events/empty_system_events.c \
-	system_events/system_events.h \
-	system_events/libsystem_events/libsystem_events.h
+	routes_conn.h routes_conn.c
 
 libstrongswan_kernel_super_la_LIBADD = $(DLLIB)
 

diff --git a/src/libcharon/plugins/kernel_super/kernel_super_ipsec.c b/src/libcharon/plugins/kernel_super/kernel_super_ipsec.c
@@ -14,9 +14,6 @@
 #include "oper_db_writer.h"
 #include "picomsg_conversions.h"
 #include "routes_conn.h"
-#include "system_events/empty_system_events/empty_system_events.h"
-#include "system_events/sl_system_events/sl_system_events.h"
-#include "system_events/system_events.h"
 
 #include <collections/array.h>
 #include <collections/hashtable.h>
@@ -70,7 +67,6 @@ struct private_kernel_super_ipsec_t {
 
 	struct sl_routes_conn *sl_routes_conn;
 
-	system_events_t *system_events;
 	/**
 	 * Holds all the SAs we installed
 	 */
@@ -859,6 +855,20 @@ static status_t add_policy_internal(private_kernel_super_ipsec_t *this,
 				*should_add_routes = true;
 				write_tunnel_oper_items(this, data, id, super_peer_info, data->child_sa, true);
 
+				if (super_peer_info->get_type(super_peer_info) == IKE_SUPER_PEER_INFO_TYPE_TERM)
+				{
+					const char *device_id = super_peer_info->get_device_id(super_peer_info);
+					const char *vrf_name = super_peer_info->get_vrf_name(super_peer_info);
+					const uint32_t term_id = picomsg_terminator_conn_get_id(terminator_conn);
+					char term_id_str[UINT32_LEN + 1];
+					sprintf(term_id_str, "%u", term_id);
+
+					charon->system_events->send_ipsec_tunnel_established(charon->system_events,
+																		 device_id,
+																		 term_id_str,
+																		 vrf_name);
+				}
+
 				break;
 
 			case ADD_SP_VERDICT_UPDATE:
@@ -898,6 +908,8 @@ static status_t add_policy_internal(private_kernel_super_ipsec_t *this,
 
 out_del_from_spd:
 	LOG(DBG_KNL, SL_LOG_ERR, "failed to add SP to terminator - deleting the SP from the SPD");
+	charon->system_events->send_ipsec_tunnel_establishment_failed(charon->system_events,
+																  "failed to add SP to terminator");
 	struct spd_del_policy_verdict _del_sp_verdict;
 	if (SUCCESS != del_policy_from_spd(this, id, data, super_peer_info, &_del_sp_verdict))
 	{
@@ -1637,6 +1649,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, private_kernel_super_ipsec_t *this, ho
 METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_super_ipsec_t *this,
 	   kernel_ipsec_sa_id_t *id, kernel_ipsec_add_sa_t *data)
 {
+	char *system_event_err = NULL;
 	if (data->skip_sending_to_terminator)
 	{
 		return /*great*/ SUCCESS;
@@ -1645,6 +1658,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_super_ipsec_t *this,
 	if (! data->child_sa)
 	{
 		LOG(DBG_KNL, SL_LOG_CRIT, "add_sa() called with no matching child SA");
+		system_event_err = "add_sa() called with no matching child SA";
 		return FAILED;
 	}
 
@@ -1686,6 +1700,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_super_ipsec_t *this,
 		LOG(DBG_KNL, SL_LOG_ERR, "attempted to add SA " ADD_SA_FMT " with unsupported mode %d",
 			ADD_SA_FMT_ARGS(id, data), data->mode);
 		res = INVALID_ARG;
+		system_event_err = "attempted to add SA with unsupported mode";
 		goto out;
 	}
 
@@ -1707,6 +1722,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_super_ipsec_t *this,
 			"attempted to add SA " ADD_SA_FMT ", but no matching terminator connection was found",
 			ADD_SA_FMT_ARGS(id, data));
 		res = FAILED;
+		system_event_err = "attempted to add SA, but no matching terminator connection was found";
 		goto out;
 	}
 
@@ -1722,6 +1738,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_super_ipsec_t *this,
 		LOG(DBG_KNL, SL_LOG_ERR, "failed to add SA " ADD_SA_FMT " to the SAD",
 			ADD_SA_FMT_ARGS(id, data));
 		res = FAILED;
+		system_event_err = "failed to add SA to the SAD";
 		goto out;
 	}
 
@@ -1749,6 +1766,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_super_ipsec_t *this,
 		}
 
 		res = FAILED;
+		system_event_err = "attempted to add SA, but the terminator failed to add the SA";
 		goto out;
 	}
 
@@ -1807,6 +1825,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_super_ipsec_t *this,
 	{
 		picomsg_terminator_conn_unref(terminator_conn);
 	}
+	if (res != SUCCESS)
+	{
+		charon->system_events->send_ipsec_tunnel_establishment_failed(charon->system_events,
+																	  system_event_err);
+	}
 	return res;
 }
 
@@ -2992,6 +3015,19 @@ METHOD(kernel_ipsec_t, handle_ike_active_status, status_t, private_kernel_super_
 		child_ts_enumerator = NULL;
 	}
 
+	if (super_peer_info->get_type(super_peer_info) == IKE_SUPER_PEER_INFO_TYPE_TERM)
+	{
+		const char *device_id = super_peer_info->get_device_id(super_peer_info);
+		if (is_active)
+		{
+			charon->system_events->send_ipsec_tunnel_activated(charon->system_events, device_id);
+		}
+		else
+		{
+			charon->system_events->send_ipsec_tunnel_deactivated(charon->system_events, device_id);
+		}
+	}
+
 	res = SUCCESS;
 
 out:
@@ -3626,7 +3662,6 @@ METHOD(kernel_ipsec_t, destroy, void, private_kernel_super_ipsec_t *this)
 		}
 		free(this->tunnel_route_locks);
 	}
-	DESTROY_IF(this->system_events);
 
 	free(this);
 }
@@ -3801,49 +3836,6 @@ CALLBACK(terminator_tunnels_oper_timer_cb, job_requeue_t, private_kernel_super_i
 	return JOB_RESCHEDULE_MS(TERMINATORS_COUNTERS_TIMER_MS);
 }
 
-static bool init_system_events(private_kernel_super_ipsec_t *this)
-{
-	const char *system_events_type =
-		lib->settings->get_str(lib->settings, "%s.plugins.kernel-super.system_events_type", NULL,
-							   lib->ns);
-	system_events_t *system_events_interface = NULL;
-	LOG(DBG_KNL, SL_LOG_INFO, "using system_events_type '%s'", system_events_type);
-
-	if (streq("libsystem_events", system_events_type))
-	{
-		sl_system_events_t *const sl_system_events = sl_system_events_create();
-		if (! sl_system_events)
-		{
-			LOG(DBG_KNL, SL_LOG_ERR, "failed to create sl_system_events_t");
-			goto fail;
-		}
-		system_events_interface = &sl_system_events->interface;
-	}
-	else if (streq("empty", system_events_type))
-	{
-		empty_system_events_t *const empty_system_events = empty_system_events_create();
-		if (! empty_system_events)
-		{
-			LOG(DBG_KNL, SL_LOG_ERR, "failed to create empty_system_events_t");
-			goto fail;
-		}
-		system_events_interface = &empty_system_events->interface;
-	}
-	else
-	{
-		LOG(DBG_KNL, SL_LOG_ERR, "wrong system_events_type: %s", system_events_type);
-		goto fail;
-	}
-
-	this->system_events = system_events_interface;
-	return true;
-
-fail:
-	LOG(DBG_KNL, SL_LOG_ERR, "failed to create system_events_interface");
-	DESTROY_IF(system_events_interface);
-	return false;
-}
-
 static void run_sanity_checks(void)
 {
 	/**
@@ -3988,11 +3980,6 @@ kernel_super_ipsec_t *kernel_super_ipsec_create(void)
 
 	run_sanity_checks();
 
-	/**
-	 * System events
-	 */
-	init_system_events(this);
-
 	/**
 	 * Tunnels number counter
 	 */

diff --git a/src/libcharon/plugins/kernel_super/system_events/system_events.h b/src/libcharon/plugins/kernel_super/system_events/system_events.h