diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-04-29 14:29:04 -0400 |
|---|---|---|
| committer | Serge Hallyn <serge.hallyn@ubuntu.com> | 2014-06-03 15:21:48 -0400 |
| commit | ca7786a2f916540931d7114d441efa141c99c898 (patch) | |
| tree | 47af90d33b13780b1491cd751d8750a01668b884 /security | |
| parent | 2fd4e6698f0863f47558e63b67c7c3a026513541 (diff) | |
selinux: Report permissive mode in avc: denied messages.
We cannot presently tell from an avc: denied message whether access was in
fact denied or was allowed due to global or per-domain permissive mode.
Add a permissive= field to the avc message to reflect this information.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/avc.c | 7 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 5 | ||||
| -rw-r--r-- | security/selinux/include/avc.h | 4 |
3 files changed, 11 insertions, 5 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index fc3e6628a864..a18f1fa6440b 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
| @@ -444,11 +444,15 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) | |||
| 444 | avc_dump_query(ab, ad->selinux_audit_data->ssid, | 444 | avc_dump_query(ab, ad->selinux_audit_data->ssid, |
| 445 | ad->selinux_audit_data->tsid, | 445 | ad->selinux_audit_data->tsid, |
| 446 | ad->selinux_audit_data->tclass); | 446 | ad->selinux_audit_data->tclass); |
| 447 | if (ad->selinux_audit_data->denied) { | ||
| 448 | audit_log_format(ab, " permissive=%u", | ||
| 449 | ad->selinux_audit_data->result ? 0 : 1); | ||
| 450 | } | ||
| 447 | } | 451 | } |
| 448 | 452 | ||
| 449 | /* This is the slow part of avc audit with big stack footprint */ | 453 | /* This is the slow part of avc audit with big stack footprint */ |
| 450 | noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, | 454 | noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, |
| 451 | u32 requested, u32 audited, u32 denied, | 455 | u32 requested, u32 audited, u32 denied, int result, |
| 452 | struct common_audit_data *a, | 456 | struct common_audit_data *a, |
| 453 | unsigned flags) | 457 | unsigned flags) |
| 454 | { | 458 | { |
| @@ -477,6 +481,7 @@ noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, | |||
| 477 | sad.tsid = tsid; | 481 | sad.tsid = tsid; |
| 478 | sad.audited = audited; | 482 | sad.audited = audited; |
| 479 | sad.denied = denied; | 483 | sad.denied = denied; |
| 484 | sad.result = result; | ||
| 480 | 485 | ||
| 481 | a->selinux_audit_data = &sad; | 486 | a->selinux_audit_data = &sad; |
| 482 | 487 | ||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 6ab22720c277..d3a2c2e80fec 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -2770,6 +2770,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na | |||
| 2770 | 2770 | ||
| 2771 | static noinline int audit_inode_permission(struct inode *inode, | 2771 | static noinline int audit_inode_permission(struct inode *inode, |
| 2772 | u32 perms, u32 audited, u32 denied, | 2772 | u32 perms, u32 audited, u32 denied, |
| 2773 | int result, | ||
| 2773 | unsigned flags) | 2774 | unsigned flags) |
| 2774 | { | 2775 | { |
| 2775 | struct common_audit_data ad; | 2776 | struct common_audit_data ad; |
| @@ -2780,7 +2781,7 @@ static noinline int audit_inode_permission(struct inode *inode, | |||
| 2780 | ad.u.inode = inode; | 2781 | ad.u.inode = inode; |
| 2781 | 2782 | ||
| 2782 | rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, | 2783 | rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, |
| 2783 | audited, denied, &ad, flags); | 2784 | audited, denied, result, &ad, flags); |
| 2784 | if (rc) | 2785 | if (rc) |
| 2785 | return rc; | 2786 | return rc; |
| 2786 | return 0; | 2787 | return 0; |
| @@ -2822,7 +2823,7 @@ static int selinux_inode_permission(struct inode *inode, int mask) | |||
| 2822 | if (likely(!audited)) | 2823 | if (likely(!audited)) |
| 2823 | return rc; | 2824 | return rc; |
| 2824 | 2825 | ||
| 2825 | rc2 = audit_inode_permission(inode, perms, audited, denied, flags); | 2826 | rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); |
| 2826 | if (rc2) | 2827 | if (rc2) |
| 2827 | return rc2; | 2828 | return rc2; |
| 2828 | return rc; | 2829 | return rc; |
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index f53ee3c58d0f..ddf8eec03f21 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h | |||
| @@ -102,7 +102,7 @@ static inline u32 avc_audit_required(u32 requested, | |||
| 102 | } | 102 | } |
| 103 | 103 | ||
| 104 | int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, | 104 | int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, |
| 105 | u32 requested, u32 audited, u32 denied, | 105 | u32 requested, u32 audited, u32 denied, int result, |
| 106 | struct common_audit_data *a, | 106 | struct common_audit_data *a, |
| 107 | unsigned flags); | 107 | unsigned flags); |
| 108 | 108 | ||
| @@ -137,7 +137,7 @@ static inline int avc_audit(u32 ssid, u32 tsid, | |||
| 137 | if (likely(!audited)) | 137 | if (likely(!audited)) |
| 138 | return 0; | 138 | return 0; |
| 139 | return slow_avc_audit(ssid, tsid, tclass, | 139 | return slow_avc_audit(ssid, tsid, tclass, |
| 140 | requested, audited, denied, | 140 | requested, audited, denied, result, |
| 141 | a, 0); | 141 | a, 0); |
| 142 | } | 142 | } |
| 143 | 143 | ||