1 files changed, 5 insertions, 25 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index deeec6c013ae..500e6f78e115 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -410,6 +410,7 @@ static int context_struct_compute_av(struct context *scontext,
        avd->auditallow = 0;
        avd->auditdeny = 0xffffffff;
        avd->seqno = latest_granting;
+        avd->flags = 0;
        /*
         * Check for all the invalid cases.
@@ -528,31 +529,6 @@ inval_class:
        return 0;
 }
-/*
- * Given a sid find if the type has the permissive flag set
- */
-int security_permissive_sid(u32 sid)
-{
-        struct context *context;
-        u32 type;
-        int rc;
-        read_lock(&policy_rwlock);
-        context = sidtab_search(&sidtab, sid);
-        BUG_ON(!context);
-        type = context->type;
-        /*
-         * we are intentionally using type here, not type-1, the 0th bit may
-         * someday indicate that we are globally setting permissive in policy.
-         */
-        rc = ebitmap_get_bit(&policydb.permissive_map, type);
-        read_unlock(&policy_rwlock);
-        return rc;
-}
 static int security_validtrans_handle_fail(struct context *ocontext,
                                           struct context *ncontext,
                                           struct context *tcontext,
@@ -767,6 +743,10 @@ int security_compute_av(u32 ssid,
        rc = context_struct_compute_av(scontext, tcontext, tclass,
                                       requested, avd);
+        /* permissive domain? */
+        if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+            avd->flags |= AVD_FLAGS_PERMISSIVE;
 out:
        read_unlock(&policy_rwlock);
        return rc;

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index deeec6c013ae..500e6f78e115 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -410,6 +410,7 @@ static int context_struct_compute_av(struct context *scontext,
410	avd->auditallow = 0;	410	avd->auditallow = 0;
411	avd->auditdeny = 0xffffffff;	411	avd->auditdeny = 0xffffffff;
412	avd->seqno = latest_granting;	412	avd->seqno = latest_granting;
		413	avd->flags = 0;
413		414
414	/*	415	/*
415	* Check for all the invalid cases.	416	* Check for all the invalid cases.
@@ -528,31 +529,6 @@ inval_class:
528	return 0;	529	return 0;
529	}	530	}
530		531
531	/*
532	* Given a sid find if the type has the permissive flag set
533	*/
534	int security_permissive_sid(u32 sid)
535	{
536	struct context *context;
537	u32 type;
538	int rc;
539
540	read_lock(&policy_rwlock);
541
542	context = sidtab_search(&sidtab, sid);
543	BUG_ON(!context);
544
545	type = context->type;
546	/*
547	* we are intentionally using type here, not type-1, the 0th bit may
548	* someday indicate that we are globally setting permissive in policy.
549	*/
550	rc = ebitmap_get_bit(&policydb.permissive_map, type);
551
552	read_unlock(&policy_rwlock);
553	return rc;
554	}
555
556	static int security_validtrans_handle_fail(struct context *ocontext,	532	static int security_validtrans_handle_fail(struct context *ocontext,
557	struct context *ncontext,	533	struct context *ncontext,
558	struct context *tcontext,	534	struct context *tcontext,
@@ -767,6 +743,10 @@ int security_compute_av(u32 ssid,
767		743
768	rc = context_struct_compute_av(scontext, tcontext, tclass,	744	rc = context_struct_compute_av(scontext, tcontext, tclass,
769	requested, avd);	745	requested, avd);
		746
		747	/* permissive domain? */
		748	if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
		749	avd->flags \|= AVD_FLAGS_PERMISSIVE;
770	out:	750	out:
771	read_unlock(&policy_rwlock);	751	read_unlock(&policy_rwlock);
772	return rc;	752	return rc;