selinux: Report permissive mode in avc: denied messages.

We cannot presently tell from an avc: denied message whether access was in fact denied or was allowed due to global or per-domain permissive mode. Add a permissive= field to the avc message to reflect this information. Change-Id: I78176f8184e01226ece12f0eb38760cdcdc1ff87 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Git-commit: 6cb247b4ad17862ca47cb251c23b69a2dc321e89 Git-repo: https://android.googlesource.com/kernel/common.git Signed-off-by: Ian Maund <imaund@codeaurora.org>
2024-11-23 20:09:51 +00:00 · 2014-04-29 11:29:04 -07:00 · 2014-04-29 11:29:04 -07:00 · cb4e5dae17
commit cb4e5dae17
parent 06dc54089f
3 changed files with 11 additions and 5 deletions
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@ -444,11 +444,15 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 	avc_dump_query(ab, ad->selinux_audit_data->ssid,
 			   ad->selinux_audit_data->tsid,
 			   ad->selinux_audit_data->tclass);
+	if (ad->selinux_audit_data->denied) {
+		audit_log_format(ab, " permissive=%u",
+				 ad->selinux_audit_data->result ? 0 : 1);
+	}
 }

 /* This is the slow part of avc audit with big stack footprint */
 noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
-		u32 requested, u32 audited, u32 denied,
+		u32 requested, u32 audited, u32 denied, int result,
 		struct common_audit_data *a,
 		unsigned flags)
 {
@ -477,6 +481,7 @@ noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
 	sad.tsid = tsid;
 	sad.audited = audited;
 	sad.denied = denied;
+	sad.result = result;

 	a->selinux_audit_data = &sad;

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@ -2768,6 +2768,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na

 static noinline int audit_inode_permission(struct inode *inode,
 					   u32 perms, u32 audited, u32 denied,
+					   int result,
 					   unsigned flags)
 {
 	struct common_audit_data ad;
@ -2778,7 +2779,7 @@ static noinline int audit_inode_permission(struct inode *inode,
 	ad.u.inode = inode;

 	rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
-			    audited, denied, &ad, flags);
+			    audited, denied, result, &ad, flags);
 	if (rc)
 		return rc;
 	return 0;
@ -2820,7 +2821,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
 	if (likely(!audited))
 		return rc;

-	rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
+	rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
 	if (rc2)
 		return rc2;
 	return rc;
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@ -102,7 +102,7 @@ static inline u32 avc_audit_required(u32 requested,
 }

 int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
-		   u32 requested, u32 audited, u32 denied,
+		   u32 requested, u32 audited, u32 denied, int result,
 		   struct common_audit_data *a,
 		   unsigned flags);

@ -137,7 +137,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
 	if (likely(!audited))
 		return 0;
 	return slow_avc_audit(ssid, tsid, tclass,
-			      requested, audited, denied,
+			      requested, audited, denied, result,
 			      a, flags);
 }