authorStephen Smalley <sds@tycho.nsa.gov>2014-04-29 11:29:04 -0700
committerGerrit Code Review <gerrit@cyanogenmod.org>2015-11-09 06:36:33 -0800
commit90b542df96386ea6d875d51195c4b331fdc21d06 (patch)
tree4b49f2ea56fbc9307ca6d5adff25148d8d039e33 /security
parentccec3aa9fda8483a2e0e0b9de6ba612f4bdcc314 (diff)
selinux: Report permissive mode in avc: denied messages.
We cannot presently tell from an avc: denied message whether access was in fact denied or was allowed due to global or per-domain permissive mode. Add a permissive= field to the avc message to reflect this information. Change-Id: I23adf43e417687f1da7354d392d37f5fabbd805e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/avc.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 05d46cd..cd45bd6 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -455,11 +455,15 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
avc_dump_query(ab, ad->selinux_audit_data.ssid,
ad->selinux_audit_data.tsid,
ad->selinux_audit_data.tclass);
+ if (ad->selinux_audit_data.denied) {
+ audit_log_format(ab, " permissive=%u",
+ ad->selinux_audit_data.result ? 0 : 1);
+ }
}
/* This is the slow part of avc audit with big stack footprint */
static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
- u32 requested, u32 audited, u32 denied,
+ u32 requested, u32 audited, u32 denied, int result,
struct common_audit_data *a,
unsigned flags)
{
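Review bot: The `permissive=` value added in avc_audit_post_callback is computed as `result ? 0 : 1`, which relies on the convention that `result` is 0 when the access went through despite denied bits and non-zero when it was refused; nothing in the hunk states that. I would put a comment above the `if`, for example `/* denied && result == 0: access was allowed by permissive mode */`. The expression has type int while the format is `%u`, so `" permissive=%d"` (or `0U : 1U`) would keep the argument and the conversion consistent. Because the field is written only when `denied` is set, tooling that parses these records has to tolerate its absence on granted records and read `avc: denied ... permissive=1` as an access that succeeded. avc_audit_post_callback starts above the hunk, and the `result` member is assumed to be declared in the audit data struct outside this diff.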
@@ -487,6 +491,7 @@ static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
a->selinux_audit_data.tsid = tsid;
a->selinux_audit_data.audited = audited;
a->selinux_audit_data.denied = denied;
+ a->selinux_audit_data.result = result;
a->lsm_pre_audit = avc_audit_pre_callback;
a->lsm_post_audit = avc_audit_post_callback;
common_lsm_audit(a);
@@ -550,7 +555,7 @@ inline int avc_audit(u32 ssid, u32 tsid,
return 0;
return slow_avc_audit(ssid, tsid, tclass,
- requested, audited, denied,
+ requested, audited, denied, result,
a, flags);
}