On Fri, 2007-03-23 at 01:39 -0400, Eric Paris wrote:
>
> In either case though proper auditing needs to be addressed. I see that
> the first patch from Joy wouldn't audit deletion failures. It appears
> to me if the check is done per policy then the security hook return code
> needs to be recorded and passed to xfrm_audit_log instead of the hard
> coded 1 result used now.
>
> Assuming we go with James's double loop what should we be auditing for a
> security hook denial? Just audit the first policy entry which we tried
> to remove but couldn't and then leave the rest of the auditing in those
> functions the way it is now in case there was no denial, calling
> xfrm_audit_log with a hard coded 1 for the result?
>

Actually, I thought the original intent of the ipsec auditing was to just audit changes made to the SAD/SPD databases, not security hook denials, right?

Joy