UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

selinux: allow dontauditx and auditallowx rules to take effect without allowx 

This allows for dontauditing very specific ioctls e.g. TCGETS without
dontauditing every ioctl or granting additional permissions.

Now either an allowx, dontauditx or auditallowx rules enables checking
for extended permissions.

Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
bauen1 2020-10-09 14:47:11 +02:00 committed by Paul Moore
parent 83370b31a9
commit 44141f58e1
1 changed files with 1 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
security/selinux/ss/services.c
View File

@ -596,9 +596,7 @@ void services_compute_xperms_drivers(
node->datum.u.xperms->driver);
}
/* If no ioctl commands are allowed, ignore auditallow and auditdeny */
if (node->key.specified & AVTAB_XPERMS_ALLOWED)
xperms->len = 1;
xperms->len = 1;
}
/*