selinux: Report permissive mode in avc: denied messages.

We cannot presently tell from an avc: denied message whether access was in
fact denied or was allowed due to global or per-domain permissive mode.
Add a permissive= field to the avc message to reflect this information.

Change-Id: I23adf43e417687f1da7354d392d37f5fabbd805e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

1 files changed, 7 insertions, 2 deletions

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 90ef968..ecb2e9f 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -455,11 +455,15 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 	avc_dump_query(ab, ad->selinux_audit_data->ssid,
 			   ad->selinux_audit_data->tsid,
 			   ad->selinux_audit_data->tclass);
+	if (ad->selinux_audit_data->denied) {
+		audit_log_format(ab, " permissive=%u",
+				 ad->selinux_audit_data->result ? 0 : 1);
+	}
 }
 
 /* This is the slow part of avc audit with big stack footprint */
 static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
-		u32 requested, u32 audited, u32 denied,
+		u32 requested, u32 audited, u32 denied, int result,
 		struct av_decision *avd, struct common_audit_data *a,
 		unsigned flags)
 {
@@ -489,6 +493,7 @@ static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
 	a->selinux_audit_data->tsid = tsid;
 	a->selinux_audit_data->audited = audited;
 	a->selinux_audit_data->denied = denied;
+        a->selinux_audit_data->result = result;
 	a->lsm_pre_audit = avc_audit_pre_callback;
 	a->lsm_post_audit = avc_audit_post_callback;
 	common_lsm_audit(a);
@@ -552,7 +557,7 @@ inline int avc_audit(u32 ssid, u32 tsid,
 		return 0;
 
 	return slow_avc_audit(ssid, tsid, tclass,
-		requested, audited, denied,
+		requested, audited, denied, result,
 		avd, a, flags);
 }