author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-04-29 11:29:04 -0700 |
---|---|---|
committer | Ziyan <jaraidaniel@gmail.com> | 2016-03-11 16:01:59 +0100 |
commit | ff7200ace139986a76c4f03f8a45478914dbb559 (patch) | |
tree | 59e555d3e6610cf15aa8ce0ee64e8ccb7b02b71e /security | |
parent | 7281b6cd5bd22bb0319f65b1db9b1766cf06e478 (diff) | |
selinux: Report permissive mode in avc: denied messages.
We cannot presently tell from an avc: denied message whether access was in
fact denied or was allowed due to global or per-domain permissive mode.
Add a permissive= field to the avc message to reflect this information.
Change-Id: I23adf43e417687f1da7354d392d37f5fabbd805e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/avc.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 90ef968..ecb2e9f 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -455,11 +455,15 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 avc_dump_query(ab, ad->selinux_audit_data->ssid,
 ad->selinux_audit_data->tsid,
 ad->selinux_audit_data->tclass);
+ if (ad->selinux_audit_data->denied) {
+ audit_log_format(ab, " permissive=%u",
+ ad->selinux_audit_data->result ? 0 : 1);
+ }
 }
 
 /* This is the slow part of avc audit with big stack footprint */
 static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
- u32 requested, u32 audited, u32 denied,
+ u32 requested, u32 audited, u32 denied, int result,
 struct av_decision *avd, struct common_audit_data *a,
 unsigned flags)
 {
@@ -489,6 +493,7 @@ static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
 a->selinux_audit_data->tsid = tsid;
 a->selinux_audit_data->audited = audited;
 a->selinux_audit_data->denied = denied;
+ a->selinux_audit_data->result = result;
 a->lsm_pre_audit = avc_audit_pre_callback;
 a->lsm_post_audit = avc_audit_post_callback;
 common_lsm_audit(a);
@@ -552,7 +557,7 @@ inline int avc_audit(u32 ssid, u32 tsid,
 return 0;
 
 return slow_avc_audit(ssid, tsid, tclass,
- requested, audited, denied,
+ requested, audited, denied, result,
 avd, a, flags);
 }
|
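Review bot: The inverted ternary in the new `permissive=` block of avc_audit_post_callback rests on a convention that is not written down anywhere in the hunk: a zero `result` together with non-zero `denied` bits means the access was let through by global or per-domain permissive mode. I would put a comment above the `if`, for example `/* denied bits set but result == 0: the access was allowed because of permissive mode */`, so that anyone triaging these records reads `permissive=1` as an access that actually happened. As a style point, the conditional expression has type int while the format is `%u`; `" permissive=%d", !ad->selinux_audit_data->result` keeps the types aligned, and the printed values are the same either way. The field is appended after the avc_dump_query output, so log tooling that matches the tail of an avc: denied record should be checked against the new format. The body of avc_audit_post_callback starts above the hunk, so the type of `ad` and the declaration of the `result` member are not visible here.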