diff mbox series

[v2] selinux: allow dontauditx and auditallowx rules to take effect without allowx

Message ID a30c2b0c-d403-f296-5f15-aa7ec3a99db4@gmail.com
State Accepted
Delegated to: Paul Moore
Headers show
Series [v2] selinux: allow dontauditx and auditallowx rules to take effect without allowx | expand

Commit Message

bauen1 Oct. 9, 2020, 12:47 p.m. UTC
This allows for dontauditing very specific ioctls e.g. TCGETS without
dontauditing every ioctl or granting additional permissions.

Now either an allowx, dontauditx or auditallowx rules enables checking
for extended permissions.

Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
---

v2: dropped the precedence change, I will make my case for that seperately.

 security/selinux/ss/services.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--
2.28.0

Comments

Paul Moore Oct. 28, 2020, 2:24 a.m. UTC | #1
On Fri, Oct 9, 2020 at 8:47 AM bauen1 <j2468h@googlemail.com> wrote:
>
> This allows for dontauditing very specific ioctls e.g. TCGETS without
> dontauditing every ioctl or granting additional permissions.
>
> Now either an allowx, dontauditx or auditallowx rules enables checking
> for extended permissions.
>
> Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
> ---
>
> v2: dropped the precedence change, I will make my case for that seperately.
>
>  security/selinux/ss/services.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)

I feel that the Android folks have had plenty of time to comment on
this, and they haven't, so I'm going to go ahead and merge this since
it seems to make sense.  Thanks for your patience Jonathan.

I think The SELinux Notebook probably needs an update with respect to
this patch, mentioning that in Linux v5.10 the xperms auditing
behavior changed.  Can you submit a patch for that as well?

> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 9704c8a32303..597b79703584 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -596,9 +596,7 @@ void services_compute_xperms_drivers(
>                                         node->datum.u.xperms->driver);
>         }
>
> -       /* If no ioctl commands are allowed, ignore auditallow and auditdeny */
> -       if (node->key.specified & AVTAB_XPERMS_ALLOWED)
> -               xperms->len = 1;
> +       xperms->len = 1;
>  }
>
>  /*
> --
> 2.28.0
diff mbox series

Patch

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 9704c8a32303..597b79703584 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -596,9 +596,7 @@  void services_compute_xperms_drivers(
 					node->datum.u.xperms->driver);
 	}

-	/* If no ioctl commands are allowed, ignore auditallow and auditdeny */
-	if (node->key.specified & AVTAB_XPERMS_ALLOWED)
-		xperms->len = 1;
+	xperms->len = 1;
 }

 /*