From 02ebdfd7f29a0de4414ceaac2d7e803d5294d670 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 3 Dec 2020 13:20:32 -0700
Subject: [PATCH] Do not run the command if the audit accept function fails.

Also add warnings if the audit reject or error functions fail.
---
 src/sudo.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/sudo.c b/src/sudo.c
index 799b36b19..7f8c4c61d 100644
--- a/src/sudo.c
+++ b/src/sudo.c
@@ -1639,7 +1639,6 @@ audit_accept(const char *plugin_name, unsigned int plugin_type,
 int ok;
 debug_decl(audit_accept, SUDO_DEBUG_PCOMM);
 
- /* XXX - kill command if can't audit accept event */
 TAILQ_FOREACH(plugin, &audit_plugins, entries) {
 if (plugin->u.audit->accept == NULL)
 continue;
@@ -1647,13 +1646,15 @@ audit_accept(const char *plugin_name, unsigned int plugin_type,
 sudo_debug_set_active_instance(plugin->debug_instance);
 ok = plugin->u.audit->accept(plugin_name, plugin_type, command_info,
 run_argv, run_envp, &errstr);
+ sudo_debug_set_active_instance(sudo_debug_instance);
 if (ok != 1) {
- /* XXX - fatal error? log error with other audit modules? */
+ /* TODO: notify other audit plugins of the error. */
 sudo_debug_printf(SUDO_DEBUG_ERROR,
 "%s: plugin %s accept failed, ret %d",
 __func__, plugin->name, ok);
+ sudo_fatalx(U_("%s: unable to log accept event%s%s"),
+ plugin->name, errstr ? ": " : "", errstr ? errstr : "");
 }
- sudo_debug_set_active_instance(sudo_debug_instance);
 }
 
 debug_return;
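Review bot: `sudo_fatalx()` in the `if (ok != 1)` branch of audit_accept terminates on the first plugin whose accept() fails, so any audit plugin later in `audit_plugins` never sees the accept event, and the `/* TODO: notify other audit plugins of the error. */` kept just above it cannot be honoured at that point because nothing after the call runs. If every plugin should still be consulted before sudo gives up, remember the failing plugin's name and errstr in locals and move the `sudo_fatalx()` below the `TAILQ_FOREACH` loop; if first-failure-is-final is intended, say so in the comment, e.g. `/* Fatal: later audit plugins are not consulted once one accept() fails. */`. Refusing to run the command is the right outcome either way, since the accept record is the audit trail that the command was authorised, so the question is only ordering. audit_accept's signature and the errstr declaration lie above the hunk.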
@@ -1678,13 +1679,15 @@ audit_reject(const char *plugin_name, unsigned int plugin_type,
 sudo_debug_set_active_instance(plugin->debug_instance);
 ok = plugin->u.audit->reject(plugin_name, plugin_type, audit_msg,
 command_info, &errstr);
+ sudo_debug_set_active_instance(sudo_debug_instance);
 if (ok != 1) {
 /* TODO: notify other audit plugins of the error. */
 sudo_debug_printf(SUDO_DEBUG_ERROR,
 "%s: plugin %s reject failed, ret %d",
 __func__, plugin->name, ok);
+ sudo_warnx(U_("%s: unable to log reject event%s%s"),
+ plugin->name, errstr ? ": " : "", errstr ? errstr : "");
 }
- sudo_debug_set_active_instance(sudo_debug_instance);
 }
 
 debug_return;
@@ -1709,13 +1712,15 @@ audit_error(const char *plugin_name, unsigned int plugin_type,
 sudo_debug_set_active_instance(plugin->debug_instance);
 ok = plugin->u.audit->error(plugin_name, plugin_type, audit_msg,
 command_info, &errstr);
+ sudo_debug_set_active_instance(sudo_debug_instance);
 if (ok != 1) {
 /* TODO: notify other audit plugins of the error. */
 sudo_debug_printf(SUDO_DEBUG_ERROR,
 "%s: plugin %s error failed, ret %d",
 __func__, plugin->name, ok);
+ sudo_warnx(U_("%s: unable to log error event%s%s"),
+ plugin->name, errstr ? ": " : "", errstr ? errstr : "");
 }
- sudo_debug_set_active_instance(sudo_debug_instance);
 }
 
 debug_return;
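Review bot: `errstr` is handed to each plugin as `&errstr`, and because `sudo_warnx()` only warns, the enclosing plugin loop (its head is above the hunk) carries on after a failure, so a later plugin that fails without setting errstr would be reported with the previous plugin's text; the audit_error hunk below has the same shape. Unless errstr is reset each iteration somewhere above the hunk (its declaration is outside it), add `errstr = NULL;` directly before the `ok = plugin->u.audit->reject(...)` call, and likewise before the `->error(...)` call. Both audit_reject and audit_error begin above their hunks.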