selinux: Report permissive mode in avc: denied messages.

We cannot presently tell from an avc: denied message whether access was in
fact denied or was allowed due to global or per-domain permissive mode.
Add a permissive= field to the avc message to reflect this information.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index fc3e6628a8642e027c992cf500fd4c0a921c85fc..a18f1fa6440bb707e6b693c383c09c15b5dcaa3f 100644 (file)
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -444,11 +444,15 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
        avc_dump_query(ab, ad->selinux_audit_data->ssid,
                           ad->selinux_audit_data->tsid,
                           ad->selinux_audit_data->tclass);
+       if (ad->selinux_audit_data->denied) {
+               audit_log_format(ab, " permissive=%u",
+                                ad->selinux_audit_data->result ? 0 : 1);
+       }
 }
 
 /* This is the slow part of avc audit with big stack footprint */
 noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
-               u32 requested, u32 audited, u32 denied,
+               u32 requested, u32 audited, u32 denied, int result,
                struct common_audit_data *a,
                unsigned flags)
 {
@@ -477,6 +481,7 @@ noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
        sad.tsid = tsid;
        sad.audited = audited;
        sad.denied = denied;
+       sad.result = result;
 
        a->selinux_audit_data = &sad;
 

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6ab22720c27794aa8d0e029c497cfa16283af883..d3a2c2e80fec9f80c20634979d61e680be95aa97 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2770,6 +2770,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
 
 static noinline int audit_inode_permission(struct inode *inode,
                                           u32 perms, u32 audited, u32 denied,
+                                          int result,
                                           unsigned flags)
 {
        struct common_audit_data ad;
@@ -2780,7 +2781,7 @@ static noinline int audit_inode_permission(struct inode *inode,
        ad.u.inode = inode;
 
        rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
-                           audited, denied, &ad, flags);
+                           audited, denied, result, &ad, flags);
        if (rc)
                return rc;
        return 0;
@@ -2822,7 +2823,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
        if (likely(!audited))
                return rc;
 
-       rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
+       rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
        if (rc2)
                return rc2;
        return rc;

diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index f53ee3c58d0ffd5099879f2bcdc160c88c209c86..ddf8eec03f211757845de5378afd1c2d5ebfe774 100644 (file)
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -102,7 +102,7 @@ static inline u32 avc_audit_required(u32 requested,
 }
 
 int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
-                  u32 requested, u32 audited, u32 denied,
+                  u32 requested, u32 audited, u32 denied, int result,
                   struct common_audit_data *a,
                   unsigned flags);
 
@@ -137,7 +137,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
        if (likely(!audited))
                return 0;
        return slow_avc_audit(ssid, tsid, tclass,
-                             requested, audited, denied,
+                             requested, audited, denied, result,
                              a, 0);
 }