diff options
author | Eric Paris <eparis@redhat.com> | 2007-03-07 19:02:16 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-03-07 19:08:11 -0500 |
commit | 16bec31db751030171b31d7767fa3a5bdbe980ea (patch) | |
tree | 60b69d571ba42ef0bf9f54833bd10228220c87bd /net | |
parent | 215a2dd3b43e0dc425e81d21de9d961416b1dad4 (diff) |
[IPSEC]: xfrm audit hook misplaced in pfkey_delete and xfrm_del_sa
Inside pfkey_delete and xfrm_del_sa the audit hooks were not called if
there was any permission/security failures in attempting to do the del
operation (such as permission denied from security_xfrm_state_delete).
This patch moves the audit hook to the exit path such that all failures
(and successes) will actually get audited.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Venkat Yekkirala <vyekkirala@trustedcs.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/key/af_key.c | 5 | ||||
-rw-r--r-- | net/xfrm/xfrm_user.c | 5 |
2 files changed, 4 insertions, 6 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index 1a2bd5f88b7d..a4e7e2db0ff3 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c | |||
@@ -1467,9 +1467,6 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
1467 | 1467 | ||
1468 | err = xfrm_state_delete(x); | 1468 | err = xfrm_state_delete(x); |
1469 | 1469 | ||
1470 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | ||
1471 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | ||
1472 | |||
1473 | if (err < 0) | 1470 | if (err < 0) |
1474 | goto out; | 1471 | goto out; |
1475 | 1472 | ||
@@ -1478,6 +1475,8 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h | |||
1478 | c.event = XFRM_MSG_DELSA; | 1475 | c.event = XFRM_MSG_DELSA; |
1479 | km_state_notify(x, &c); | 1476 | km_state_notify(x, &c); |
1480 | out: | 1477 | out: |
1478 | xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, | ||
1479 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | ||
1481 | xfrm_state_put(x); | 1480 | xfrm_state_put(x); |
1482 | 1481 | ||
1483 | return err; | 1482 | return err; |
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 30c244bbd8ac..96789952f6a3 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c | |||
@@ -530,9 +530,6 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
530 | 530 | ||
531 | err = xfrm_state_delete(x); | 531 | err = xfrm_state_delete(x); |
532 | 532 | ||
533 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
534 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | ||
535 | |||
536 | if (err < 0) | 533 | if (err < 0) |
537 | goto out; | 534 | goto out; |
538 | 535 | ||
@@ -542,6 +539,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh, | |||
542 | km_state_notify(x, &c); | 539 | km_state_notify(x, &c); |
543 | 540 | ||
544 | out: | 541 | out: |
542 | xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, | ||
543 | AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); | ||
545 | xfrm_state_put(x); | 544 | xfrm_state_put(x); |
546 | return err; | 545 | return err; |
547 | } | 546 | } |