selinux: Report permissive mode in avc: denied messages.
We cannot presently tell from an avc: denied message whether access was in
fact denied or was allowed due to global or per-domain permissive mode.
Add a permissive= field to the avc message to reflect this information.
Change-Id: I23adf43e417687f1da7354d392d37f5fabbd805e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 8ee42b2..698cb05 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -455,11 +455,15 @@
avc_dump_query(ab, ad->selinux_audit_data->slad->ssid,
ad->selinux_audit_data->slad->tsid,
ad->selinux_audit_data->slad->tclass);
+ if (ad->selinux_audit_data->slad->denied) {
+ audit_log_format(ab, " permissive=%u",
+ ad->selinux_audit_data->slad->result ? 0 : 1);
+ }
}
/* This is the slow part of avc audit with big stack footprint */
static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
- u32 requested, u32 audited, u32 denied,
+ u32 requested, u32 audited, u32 denied, int result,
struct common_audit_data *a,
unsigned flags)
{
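Review bot: The new `result` member read at `slad->result` near the top of this hunk (and assigned in the second hunk) is not added by any hunk in this diff; the slow-audit data struct is presumably declared in a header, so that declaration change has to land with this patch or the file will not build. The `permissive=%u` conversion is paired with the `int`-typed expression `... ->result ? 0 : 1`, so `%d` is the matching specifier, e.g. `audit_log_format(ab, " permissive=%d",`. A one-line comment above the `if` stating what the combination encodes would help a reader of the log format: `/* denied but result == 0: access was granted by (global or per-domain) permissive mode */`. The post-callback opens above this hunk and slow_avc_audit's body continues past it.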
@@ -490,6 +494,7 @@
slad.tsid = tsid;
slad.audited = audited;
slad.denied = denied;
+ slad.result = result;
a->selinux_audit_data->slad = &slad;
common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
@@ -553,7 +558,7 @@
return 0;
return slow_avc_audit(ssid, tsid, tclass,
- requested, audited, denied,
+ requested, audited, denied, result,
a, flags);
}