summaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2014-04-29 11:29:04 -0700
committerSerge Hallyn <serge.hallyn@ubuntu.com>2014-06-03 14:21:48 -0500
commitca7786a2f916540931d7114d441efa141c99c898 (patch)
tree47af90d33b13780b1491cd751d8750a01668b884 /security/selinux/hooks.c
parent2fd4e6698f0863f47558e63b67c7c3a026513541 (diff)
downloadlinux-ca7786a2f916540931d7114d441efa141c99c898.tar.gz
linux-ca7786a2f916540931d7114d441efa141c99c898.tar.bz2
linux-ca7786a2f916540931d7114d441efa141c99c898.zip
selinux: Report permissive mode in avc: denied messages.
We cannot presently tell from an avc: denied message whether access was in fact denied or was allowed due to global or per-domain permissive mode. Add a permissive= field to the avc message to reflect this information. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6ab22720c277..d3a2c2e80fec 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2770,6 +2770,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
static noinline int audit_inode_permission(struct inode *inode,
u32 perms, u32 audited, u32 denied,
+ int result,
unsigned flags)
{
struct common_audit_data ad;
@@ -2780,7 +2781,7 @@ static noinline int audit_inode_permission(struct inode *inode,
ad.u.inode = inode;
rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
- audited, denied, &ad, flags);
+ audited, denied, result, &ad, flags);
if (rc)
return rc;
return 0;
@@ -2822,7 +2823,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
if (likely(!audited))
return rc;
- rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
+ rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
if (rc2)
return rc2;
return rc;