aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2007-03-07 19:02:16 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2007-03-07 19:08:11 -0500
commit16bec31db751030171b31d7767fa3a5bdbe980ea (patch)
tree60b69d571ba42ef0bf9f54833bd10228220c87bd /net
parent215a2dd3b43e0dc425e81d21de9d961416b1dad4 (diff)
[IPSEC]: xfrm audit hook misplaced in pfkey_delete and xfrm_del_sa
Inside pfkey_delete and xfrm_del_sa the audit hooks were not called if there was any permission/security failures in attempting to do the del operation (such as permission denied from security_xfrm_state_delete). This patch moves the audit hook to the exit path such that all failures (and successes) will actually get audited. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Venkat Yekkirala <vyekkirala@trustedcs.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/key/af_key.c5
-rw-r--r--net/xfrm/xfrm_user.c5
2 files changed, 4 insertions, 6 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 1a2bd5f88b7d..a4e7e2db0ff3 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1467,9 +1467,6 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
1467 1467
1468 err = xfrm_state_delete(x); 1468 err = xfrm_state_delete(x);
1469 1469
1470 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
1471 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
1472
1473 if (err < 0) 1470 if (err < 0)
1474 goto out; 1471 goto out;
1475 1472
@@ -1478,6 +1475,8 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
1478 c.event = XFRM_MSG_DELSA; 1475 c.event = XFRM_MSG_DELSA;
1479 km_state_notify(x, &c); 1476 km_state_notify(x, &c);
1480out: 1477out:
1478 xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
1479 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
1481 xfrm_state_put(x); 1480 xfrm_state_put(x);
1482 1481
1483 return err; 1482 return err;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 30c244bbd8ac..96789952f6a3 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -530,9 +530,6 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
530 530
531 err = xfrm_state_delete(x); 531 err = xfrm_state_delete(x);
532 532
533 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
534 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
535
536 if (err < 0) 533 if (err < 0)
537 goto out; 534 goto out;
538 535
@@ -542,6 +539,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
542 km_state_notify(x, &c); 539 km_state_notify(x, &c);
543 540
544out: 541out:
542 xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
543 AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
545 xfrm_state_put(x); 544 xfrm_state_put(x);
546 return err; 545 return err;
547} 546}