[IPSEC]: xfrm audit hook misplaced in pfkey_delete and xfrm_del_sa Inside pfkey_delete and xfrm_del_sa the audit hooks were not called if there was any permission/security failures in attempting to do the del operation (such as permission denied from security_xfrm_state_delete). This patch moves the audit hook to the exit path such that all failures (and successes) will actually get audited. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Venkat Yekkirala <vyekkirala@trustedcs.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 16bec31db751030171b31d7767fa3a5bdbe980ea [log] [tgz]
author: Eric Paris <eparis@redhat.com> Wed Mar 07 16:02:16 2007 -0800
committer: David S. Miller <davem@sunset.davemloft.net> Wed Mar 07 16:08:11 2007 -0800
tree: 60b69d571ba42ef0bf9f54833bd10228220c87bd
parent: 215a2dd3b43e0dc425e81d21de9d961416b1dad4 [diff] [blame]
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 1a2bd5f..a4e7e2d 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c

@@ -1467,9 +1467,6 @@
 
 	err = xfrm_state_delete(x);
 
-	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-		       AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
-
 	if (err < 0)
 		goto out;
 
@@ -1478,6 +1475,8 @@
 	c.event = XFRM_MSG_DELSA;
 	km_state_notify(x, &c);
 out:
+	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+		       AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
 	xfrm_state_put(x);
 
 	return err;
commit	16bec31db751030171b31d7767fa3a5bdbe980ea	[log] [tgz]
author	Eric Paris <eparis@redhat.com>	Wed Mar 07 16:02:16 2007 -0800
committer	David S. Miller <davem@sunset.davemloft.net>	Wed Mar 07 16:08:11 2007 -0800
tree	60b69d571ba42ef0bf9f54833bd10228220c87bd
parent	215a2dd3b43e0dc425e81d21de9d961416b1dad4 [diff] [blame]