Inside pfkey_delete and xfrm_del_sa the audit hooks were not called if
there was any permission/security failures in attempting to do the del
operation (such as permission denied from security_xfrm_state_delete).
This patch moves the audit hook to the exit path such that all failures
(and successes) will actually get audited.
Signed-off-by: Eric Paris <[EMAIL PROTECTED]>
net/key/af_key.c | 5 ++---
net/xfrm/xfrm_user.c | 5 ++---
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 1c58204..d8fc88c 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1467,9 +1467,6 @@ static int pfkey_delete(struct sock *sk, struct sk_buff
*skb, struct sadb_msg *h
err = xfrm_state_delete(x);
- xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
-
if (err < 0)
goto out;
@@ -1478,6 +1475,8 @@ static int pfkey_delete(struct sock *sk, struct sk_buff
*skb, struct sadb_msg *h
c.event = XFRM_MSG_DELSA;
km_state_notify(x, &c);
out:
+ xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+ AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
xfrm_state_put(x);
return err;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 956cfe0..4264473 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -530,9 +530,6 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr
*nlh,
err = xfrm_state_delete(x);
- xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
-
if (err < 0)
goto out;
@@ -542,6 +539,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr
*nlh,
km_state_notify(x, &c);
out:
+ xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+ AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
xfrm_state_put(x);
return err;
}
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
