Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

selinux: allow dontauditx and auditallowx rules to take effect without allowx

This allows for dontauditing very specific ioctls, e.g. TCGETS, without
dontauditing every ioctl or granting additional permissions.

Now either an allowx, dontauditx or auditallowx rule enables checking
for extended permissions.

Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Authored by bauen1 and committed by Paul Moore
44141f58 83370b31

+1 -3
security/selinux/ss/services.c
··· 596 596 node->datum.u.xperms->driver); 597 597 } 598 598 599 - /* If no ioctl commands are allowed, ignore auditallow and auditdeny */ 600 - if (node->key.specified & AVTAB_XPERMS_ALLOWED) 601 - xperms->len = 1; 599 + xperms->len = 1; 602 600 } 603 601 604 602 /*
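Review bot: The now-unconditional `xperms->len = 1;` at new line 599 has lost its explanatory comment, and the removed one ("If no ioctl commands are allowed, ignore auditallow and auditdeny") described the opposite of the new behaviour. A one-line replacement comment stating that any of allowx, auditallowx or dontauditx now enables extended permission checking would keep the intent readable at the assignment. Separately, the hunk does not show how `xperms->len` is consumed, so the commit message's claim that this happens without "granting additional permissions" cannot be confirmed from these lines. The changelog should state that a policy containing only dontauditx or auditallowx rules for a class leaves the allow decision unchanged and does not start denying ioctls that a plain allow rule previously permitted, since the removed `AVTAB_XPERMS_ALLOWED` guard was the only thing distinguishing that case here. A policy test covering it would be a sensible addition.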