diff options
author | Eric Paris <eparis@redhat.com> | 2007-03-07 16:02:16 -0800 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-03-07 16:08:11 -0800 |
commit | 16bec31db751030171b31d7767fa3a5bdbe980ea (patch) | |
tree | 60b69d571ba42ef0bf9f54833bd10228220c87bd /net/xfrm | |
parent | 215a2dd3b43e0dc425e81d21de9d961416b1dad4 (diff) | |
download | lwn-16bec31db751030171b31d7767fa3a5bdbe980ea.tar.gz lwn-16bec31db751030171b31d7767fa3a5bdbe980ea.zip |
[IPSEC]: xfrm audit hook misplaced in pfkey_delete and xfrm_del_sa
Inside pfkey_delete and xfrm_del_sa the audit hooks were not called if
there was any permission/security failures in attempting to do the del
operation (such as permission denied from security_xfrm_state_delete).
This patch moves the audit hook to the exit path such that all failures
(and successes) will actually get audited.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Venkat Yekkirala <vyekkirala@trustedcs.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm')
-rw-r--r-- | net/xfrm/xfrm_user.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 30c244bbd8ac..96789952f6a3 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -530,9 +530,6 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, err = xfrm_state_delete(x); - xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); - if (err < 0) goto out; @@ -542,6 +539,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, km_state_notify(x, &c); out: + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); xfrm_state_put(x); return err; } |