selinux: Report permissive mode in avc: denied messages.
We cannot presently tell from an avc: denied message whether access was in fact denied or was allowed due to global or per-domain permissive mode. Add a permissive= field to the avc message to reflect this information. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com>
This commit is contained in:
parent
2fd4e6698f
commit
ca7786a2f9
3 changed files with 11 additions and 5 deletions
|
@ -444,11 +444,15 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
|
|||
avc_dump_query(ab, ad->selinux_audit_data->ssid,
|
||||
ad->selinux_audit_data->tsid,
|
||||
ad->selinux_audit_data->tclass);
|
||||
if (ad->selinux_audit_data->denied) {
|
||||
audit_log_format(ab, " permissive=%u",
|
||||
ad->selinux_audit_data->result ? 0 : 1);
|
||||
}
|
||||
}
|
||||
|
||||
/* This is the slow part of avc audit with big stack footprint */
|
||||
noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
|
||||
u32 requested, u32 audited, u32 denied,
|
||||
u32 requested, u32 audited, u32 denied, int result,
|
||||
struct common_audit_data *a,
|
||||
unsigned flags)
|
||||
{
|
||||
|
@ -477,6 +481,7 @@ noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
|
|||
sad.tsid = tsid;
|
||||
sad.audited = audited;
|
||||
sad.denied = denied;
|
||||
sad.result = result;
|
||||
|
||||
a->selinux_audit_data = &sad;
|
||||
|
||||
|
|
|
@ -2770,6 +2770,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
|
|||
|
||||
static noinline int audit_inode_permission(struct inode *inode,
|
||||
u32 perms, u32 audited, u32 denied,
|
||||
int result,
|
||||
unsigned flags)
|
||||
{
|
||||
struct common_audit_data ad;
|
||||
|
@ -2780,7 +2781,7 @@ static noinline int audit_inode_permission(struct inode *inode,
|
|||
ad.u.inode = inode;
|
||||
|
||||
rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
|
||||
audited, denied, &ad, flags);
|
||||
audited, denied, result, &ad, flags);
|
||||
if (rc)
|
||||
return rc;
|
||||
return 0;
|
||||
|
@ -2822,7 +2823,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
|
|||
if (likely(!audited))
|
||||
return rc;
|
||||
|
||||
rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
|
||||
rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
|
||||
if (rc2)
|
||||
return rc2;
|
||||
return rc;
|
||||
|
|
|
@ -102,7 +102,7 @@ static inline u32 avc_audit_required(u32 requested,
|
|||
}
|
||||
|
||||
int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
|
||||
u32 requested, u32 audited, u32 denied,
|
||||
u32 requested, u32 audited, u32 denied, int result,
|
||||
struct common_audit_data *a,
|
||||
unsigned flags);
|
||||
|
||||
|
@ -137,7 +137,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
|
|||
if (likely(!audited))
|
||||
return 0;
|
||||
return slow_avc_audit(ssid, tsid, tclass,
|
||||
requested, audited, denied,
|
||||
requested, audited, denied, result,
|
||||
a, 0);
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue