[IPSEC]: xfrm audit hook misplaced in pfkey_delete and xfrm_del_sa
Inside pfkey_delete and xfrm_del_sa the audit hooks were not called if there was any permission/security failures in attempting to do the del operation (such as permission denied from security_xfrm_state_delete). This patch moves the audit hook to the exit path such that all failures (and successes) will actually get audited. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Venkat Yekkirala <vyekkirala@trustedcs.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Родитель
215a2dd3b4
Коммит
16bec31db7
|
@ -1467,9 +1467,6 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
|
|||
|
||||
err = xfrm_state_delete(x);
|
||||
|
||||
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
|
||||
AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
|
||||
|
||||
if (err < 0)
|
||||
goto out;
|
||||
|
||||
|
@ -1478,6 +1475,8 @@ static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
|
|||
c.event = XFRM_MSG_DELSA;
|
||||
km_state_notify(x, &c);
|
||||
out:
|
||||
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
|
||||
AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
|
||||
xfrm_state_put(x);
|
||||
|
||||
return err;
|
||||
|
|
|
@ -530,9 +530,6 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
|
|||
|
||||
err = xfrm_state_delete(x);
|
||||
|
||||
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
|
||||
AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
|
||||
|
||||
if (err < 0)
|
||||
goto out;
|
||||
|
||||
|
@ -542,6 +539,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
|
|||
km_state_notify(x, &c);
|
||||
|
||||
out:
|
||||
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
|
||||
AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
|
||||
xfrm_state_put(x);
|
||||
return err;
|
||||
}
|
||||
|
|
Загрузка…
Ссылка в новой задаче