diff --git a/src/exec.c b/src/exec.c
index 9f5730702..4861eb377 100644
--- a/src/exec.c
+++ b/src/exec.c
@@ -582,8 +582,6 @@ intercept_check_policy(PolicyCheckRequest *req,
 switch (ok) {
 case 1:
- /* TODO: call approval plugin too */
-
 /* Extract command path from command_info[] */
 if (command_info != NULL) {
 for (n = 0; command_info[n] != NULL; n++) {
@@ -640,11 +638,16 @@ intercept_check_policy(PolicyCheckRequest *req,
 }
 closure->run_envp[n] = NULL;
- /* Audit the event twice: once for the plugin, once for sudo. */
 audit_accept(policy_plugin.name, SUDO_POLICY_PLUGIN, command_info,
 closure->run_argv, closure->run_envp);
- audit_accept("sudo", SUDO_FRONT_END, command_info,
- closure->run_argv, closure->run_envp);
+
+ /* Call approval plugins and audit the result. */
+ if (!approval_check(command_info, closure->run_argv, closure->run_envp))
+ debug_return_int(0);
+
+ /* Audit the event again for the sudo front-end. */
+ audit_accept("sudo", SUDO_FRONT_END, command_info, closure->run_argv,
+ closure->run_envp);
 debug_return_int(1);
 case 0:
 if (*errstr == NULL)
@@ -743,8 +746,7 @@ intercept_read(int fd, struct intercept_closure *closure)
 ret = true;
 done:
- // XXX
- //intercept_message__free_unpacked(msg, NULL);
+ intercept_message__free_unpacked(msg, NULL);
 free(buf);
 debug_return_bool(ret);
 }
diff --git a/src/sudo.c b/src/sudo.c
index 35981fee3..2c42b39b5 100644
--- a/src/sudo.c
+++ b/src/sudo.c
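Review bot: The new approval-rejection path in the `@@ -640` hunk returns 0 without touching `*errstr`, while the `case 0:` branch right below opens with `if (*errstr == NULL)` precisely to supply a default rejection message, so a caller that forwards `*errstr` as the reject reason would get NULL (or a stale value) when an approval plugin rather than the policy rejected the command. I would assign a default before the early return, using the same default-message idiom the `case 0:` branch uses, e.g. `*errstr = "command rejected by approval plugin";` wrapped the way the other messages in this function are. The return also happens after `closure->run_argv`/`closure->run_envp` have been fully built, which the `case 0:` path never reaches; if the caller releases those only on the accept path, this early return leaks them — worth confirming against the caller, which is outside the hunk. intercept_check_policy begins and ends outside this hunk.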
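Review bot: In the `@@ -743` hunk, `intercept_message__free_unpacked(msg, NULL)` now runs on every path that reaches `done:`, including any `goto done` taken before the message was unpacked, so it is only safe if `msg` is initialized to NULL where it is declared (outside the hunk) and the generated free function tolerates NULL; I believe protobuf-c's generated `*__free_unpacked` returns early on NULL in current releases, but older generated code does not, so I would guard it explicitly with `if (msg != NULL)` rather than depend on the generator version. Freeing here also means any pointer the closure kept into the unpacked request (strings owned by `msg`) dangles once intercept_read returns; the removed `// XXX` may have marked exactly that concern, so confirm that intercept_check_policy copies everything it retains — the run_argv/run_envp arrays in the earlier hunk look separately built, but the command path and other fields are not visible here. intercept_read begins outside this hunk.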
@@ -123,14 +123,12 @@ static void iolog_show_version(int verbose, int argc, char * const argv[],
 static void unlink_plugin(struct plugin_container_list *plugin_list,
 struct plugin_container *plugin);
 static void free_plugin_container(struct plugin_container *plugin, bool ioplugin);
-/* Audit plugin convenience functions. */
+/* Audit plugin convenience functions (some are public). */
 static void audit_open(void);
 static void audit_close(int exit_status, int error);
 static void audit_show_version(int verbose);
-/* Approval plugin convenience functions. */
-static bool approval_check(char * const command_info[], char * const run_argv[],
- char * const run_envp[]);
+/* Approval plugin convenience functions (some are public). */
 static void approval_show_version(int verbose);
 sudo_dso_public int main(int argc, char *argv[], char *envp[]);
@@ -1832,7 +1830,7 @@ approval_show_version(int verbose)
 * This is a "one-shot" plugin that has no open/close and is only
 * called if the policy plugin accepts the command first.
 */
-static bool
+bool
 approval_check(char * const command_info[], char * const run_argv[],
 char * const run_envp[])
 {
diff --git a/src/sudo.h b/src/sudo.h
index 9a0972482..3052ea344 100644
--- a/src/sudo.h
+++ b/src/sudo.h
@@ -230,6 +230,8 @@ bool audit_reject(const char *plugin_name, unsigned int plugin_type,
 const char *audit_msg, char * const command_info[]);
 bool audit_error(const char *plugin_name, unsigned int plugin_type,
 const char *audit_msg, char * const command_info[]);
+bool approval_check(char * const command_info[], char * const run_argv[],
+ char * const run_envp[]);
 extern const char *list_user;
 extern struct user_details user_details;
 extern int sudo_debug_instance;
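Review bot: The comment above the newly exported `approval_check` in the `@@ -1832` hunk still says it is "only called if the policy plugin accepts the command first", but this commit also calls it from the intercept path in exec.c for each intercepted command, and the "one-shot … no open/close" sentence describes the plugin API rather than the contract a caller in another file now needs. I would reword it to name both call sites and the return value, roughly: "Run every loaded approval plugin against a command the policy plugin has accepted. Called by the front-end before exec and by the intercept code for each intercepted command. Returns true if all plugins accept, false on rejection or error." If the body audits the outcome itself, as the call-site comment in exec.c suggests, say so too so callers do not audit the rejection a second time. The function body is outside this hunk.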