From 90b542df96386ea6d875d51195c4b331fdc21d06 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Tue, 29 Apr 2014 11:29:04 -0700 Subject: selinux: Report permissive mode in avc: denied messages. We cannot presently tell from an avc: denied message whether access was in fact denied or was allowed due to global or per-domain permissive mode. Add a permissive= field to the avc message to reflect this information. Change-Id: I23adf43e417687f1da7354d392d37f5fabbd805e Signed-off-by: Stephen Smalley --- security/selinux/avc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'security') diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 05d46cd..cd45bd6 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -455,11 +455,15 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) avc_dump_query(ab, ad->selinux_audit_data.ssid, ad->selinux_audit_data.tsid, ad->selinux_audit_data.tclass); + if (ad->selinux_audit_data.denied) { + audit_log_format(ab, " permissive=%u", + ad->selinux_audit_data.result ? 0 : 1); + } } /* This is the slow part of avc audit with big stack footprint */ static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, - u32 requested, u32 audited, u32 denied, + u32 requested, u32 audited, u32 denied, int result, struct common_audit_data *a, unsigned flags) { @@ -487,6 +491,7 @@ static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, a->selinux_audit_data.tsid = tsid; a->selinux_audit_data.audited = audited; a->selinux_audit_data.denied = denied; + a->selinux_audit_data.result = result; a->lsm_pre_audit = avc_audit_pre_callback; a->lsm_post_audit = avc_audit_post_callback; common_lsm_audit(a); @@ -550,7 +555,7 @@ inline int avc_audit(u32 ssid, u32 tsid, return 0; return slow_avc_audit(ssid, tsid, tclass, - requested, audited, denied, + requested, audited, denied, result, a, flags); } -- cgit v1.1