1 files changed, 13 insertions, 7 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7fd4de46b2a9..88a3ee33068a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1365,12 +1365,14 @@ static int task_has_perm(struct task_struct *tsk1,
 /* Check whether a task is allowed to use a capability. */
 static int task_has_capability(struct task_struct *tsk,
-                               int cap)
+                               int cap, int audit)
 {
        struct task_security_struct *tsec;
        struct avc_audit_data ad;
+        struct av_decision avd;
        u16 sclass;
        u32 av = CAP_TO_MASK(cap);
+        int rc;
        tsec = tsk->security;
@@ -1390,7 +1392,11 @@ static int task_has_capability(struct task_struct *tsk,
                       "SELinux:  out of range capability %d\n", cap);
                BUG();
        }
-        return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
+        rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, sclass, av, 0, &avd);
+        if (audit == SECURITY_CAP_AUDIT)
+                avc_audit(tsec->sid, tsec->sid, sclass, av, &avd, rc, &ad);
+        return rc;
 }
 /* Check whether a task is allowed to use a system operation. */
@@ -1802,15 +1808,15 @@ static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effecti
        secondary_ops->capset_set(target, effective, inheritable, permitted);
 }
-static int selinux_capable(struct task_struct *tsk, int cap)
+static int selinux_capable(struct task_struct *tsk, int cap, int audit)
 {
        int rc;
-        rc = secondary_ops->capable(tsk, cap);
+        rc = secondary_ops->capable(tsk, cap, audit);
        if (rc)
                return rc;
-        return task_has_capability(tsk, cap);
+        return task_has_capability(tsk, cap, audit);
 }
 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -1975,7 +1981,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
        int rc, cap_sys_admin = 0;
        struct task_security_struct *tsec = current->security;
-        rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
+        rc = secondary_ops->capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
        if (rc == 0)
                rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
                                          SECCLASS_CAPABILITY,
@@ -2829,7 +2835,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
         * and lack of permission just means that we fall back to the
         * in-core context value, not a denial.
         */
-        error = secondary_ops->capable(current, CAP_MAC_ADMIN);
+        error = secondary_ops->capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
        if (!error)
                error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
                                             SECCLASS_CAPABILITY2,

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7fd4de46b2a9..88a3ee33068a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1365,12 +1365,14 @@ static int task_has_perm(struct task_struct *tsk1,
1365		1365
1366	/* Check whether a task is allowed to use a capability. */	1366	/* Check whether a task is allowed to use a capability. */
1367	static int task_has_capability(struct task_struct *tsk,	1367	static int task_has_capability(struct task_struct *tsk,
1368	int cap)	1368	int cap, int audit)
1369	{	1369	{
1370	struct task_security_struct *tsec;	1370	struct task_security_struct *tsec;
1371	struct avc_audit_data ad;	1371	struct avc_audit_data ad;
		1372	struct av_decision avd;
1372	u16 sclass;	1373	u16 sclass;
1373	u32 av = CAP_TO_MASK(cap);	1374	u32 av = CAP_TO_MASK(cap);
		1375	int rc;
1374		1376
1375	tsec = tsk->security;	1377	tsec = tsk->security;
1376		1378
@@ -1390,7 +1392,11 @@ static int task_has_capability(struct task_struct *tsk,
1390	"SELinux: out of range capability %d\n", cap);	1392	"SELinux: out of range capability %d\n", cap);
1391	BUG();	1393	BUG();
1392	}	1394	}
1393	return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);	1395
		1396	rc = avc_has_perm_noaudit(tsec->sid, tsec->sid, sclass, av, 0, &avd);
		1397	if (audit == SECURITY_CAP_AUDIT)
		1398	avc_audit(tsec->sid, tsec->sid, sclass, av, &avd, rc, &ad);
		1399	return rc;
1394	}	1400	}
1395		1401
1396	/* Check whether a task is allowed to use a system operation. */	1402	/* Check whether a task is allowed to use a system operation. */
@@ -1802,15 +1808,15 @@ static void selinux_capset_set(struct task_struct target, kernel_cap_t effecti
1802	secondary_ops->capset_set(target, effective, inheritable, permitted);	1808	secondary_ops->capset_set(target, effective, inheritable, permitted);
1803	}	1809	}
1804		1810
1805	static int selinux_capable(struct task_struct *tsk, int cap)	1811	static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1806	{	1812	{
1807	int rc;	1813	int rc;
1808		1814
1809	rc = secondary_ops->capable(tsk, cap);	1815	rc = secondary_ops->capable(tsk, cap, audit);
1810	if (rc)	1816	if (rc)
1811	return rc;	1817	return rc;
1812		1818
1813	return task_has_capability(tsk, cap);	1819	return task_has_capability(tsk, cap, audit);
1814	}	1820	}
1815		1821
1816	static int selinux_sysctl_get_sid(ctl_table table, u16 tclass, u32 sid)	1822	static int selinux_sysctl_get_sid(ctl_table table, u16 tclass, u32 sid)
@@ -1975,7 +1981,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1975	int rc, cap_sys_admin = 0;	1981	int rc, cap_sys_admin = 0;
1976	struct task_security_struct *tsec = current->security;	1982	struct task_security_struct *tsec = current->security;
1977		1983
1978	rc = secondary_ops->capable(current, CAP_SYS_ADMIN);	1984	rc = secondary_ops->capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
1979	if (rc == 0)	1985	if (rc == 0)
1980	rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,	1986	rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1981	SECCLASS_CAPABILITY,	1987	SECCLASS_CAPABILITY,
@@ -2829,7 +2835,7 @@ static int selinux_inode_getsecurity(const struct inode inode, const char name
2829	* and lack of permission just means that we fall back to the	2835	* and lack of permission just means that we fall back to the
2830	* in-core context value, not a denial.	2836	* in-core context value, not a denial.
2831	*/	2837	*/
2832	error = secondary_ops->capable(current, CAP_MAC_ADMIN);	2838	error = secondary_ops->capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2833	if (!error)	2839	if (!error)
2834	error = avc_has_perm_noaudit(tsec->sid, tsec->sid,	2840	error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2835	SECCLASS_CAPABILITY2,	2841	SECCLASS_CAPABILITY2,