summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorbauen1 <j2468h@googlemail.com>2020-10-09 14:47:11 +0200
committerPaul Moore <paul@paul-moore.com>2020-10-27 22:21:11 -0400
commit44141f58e14317853698f994ca5c3785a0c230d0 (patch)
treeea3b09c6ede9b129ddfa82c9438d1cd2fc756c10 /security
parent83370b31a915493231e5b9addc72e4bef69f8d31 (diff)
downloadlinux-44141f58e14317853698f994ca5c3785a0c230d0.tar.gz
linux-44141f58e14317853698f994ca5c3785a0c230d0.tar.bz2
linux-44141f58e14317853698f994ca5c3785a0c230d0.zip
selinux: allow dontauditx and auditallowx rules to take effect without allowx
This allows for dontauditing very specific ioctls e.g. TCGETS without dontauditing every ioctl or granting additional permissions. Now either an allowx, dontauditx or auditallowx rules enables checking for extended permissions. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/ss/services.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 9704c8a32303..597b79703584 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -596,9 +596,7 @@ void services_compute_xperms_drivers(
node->datum.u.xperms->driver);
}
- /* If no ioctl commands are allowed, ignore auditallow and auditdeny */
- if (node->key.specified & AVTAB_XPERMS_ALLOWED)
- xperms->len = 1;
+ xperms->len = 1;
}
/*