| Message ID | a30c2b0c-d403-f296-5f15-aa7ec3a99db4@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | [v2] selinux: allow dontauditx and auditallowx rules to take effect without allowx | expand |
On Fri, Oct 9, 2020 at 8:47 AM bauen1 <j2468h@googlemail.com> wrote: > > This allows for dontauditing very specific ioctls e.g. TCGETS without > dontauditing every ioctl or granting additional permissions. > > Now either an allowx, dontauditx or auditallowx rules enables checking > for extended permissions. > > Signed-off-by: Jonathan Hettwer <j2468h@gmail.com> > --- > > v2: dropped the precedence change, I will make my case for that seperately. > > security/selinux/ss/services.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) I feel that the Android folks have had plenty of time to comment on this, and they haven't, so I'm going to go ahead and merge this since it seems to make sense. Thanks for your patience Jonathan. I think The SELinux Notebook probably needs an update with respect to this patch, mentioning that in Linux v5.10 the xperms auditing behavior changed. Can you submit a patch for that as well? > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c > index 9704c8a32303..597b79703584 100644 > --- a/security/selinux/ss/services.c > +++ b/security/selinux/ss/services.c > @@ -596,9 +596,7 @@ void services_compute_xperms_drivers( > node->datum.u.xperms->driver); > } > > - /* If no ioctl commands are allowed, ignore auditallow and auditdeny */ > - if (node->key.specified & AVTAB_XPERMS_ALLOWED) > - xperms->len = 1; > + xperms->len = 1; > } > > /* > -- > 2.28.0
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 9704c8a32303..597b79703584 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -596,9 +596,7 @@ void services_compute_xperms_drivers( node->datum.u.xperms->driver); } - /* If no ioctl commands are allowed, ignore auditallow and auditdeny */ - if (node->key.specified & AVTAB_XPERMS_ALLOWED) - xperms->len = 1; + xperms->len = 1; } /*
This allows for dontauditing very specific ioctls e.g. TCGETS without dontauditing every ioctl or granting additional permissions. Now either an allowx, dontauditx or auditallowx rules enables checking for extended permissions. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com> --- v2: dropped the precedence change, I will make my case for that seperately. security/selinux/ss/services.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) -- 2.28.0