summaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorbauen1 <j2468h@googlemail.com>2020-10-09 14:47:11 +0200
committerPaul Moore <paul@paul-moore.com>2020-10-28 03:21:11 +0100
commit44141f58e14317853698f994ca5c3785a0c230d0 (patch)
treeea3b09c6ede9b129ddfa82c9438d1cd2fc756c10 /security/selinux
parentselinux: fix error initialization in inode_doinit_with_dentry() (diff)
downloadlinux-44141f58e14317853698f994ca5c3785a0c230d0.tar.xz
linux-44141f58e14317853698f994ca5c3785a0c230d0.zip
selinux: allow dontauditx and auditallowx rules to take effect without allowx
This allows for dontauditing very specific ioctls e.g. TCGETS without dontauditing every ioctl or granting additional permissions. Now either an allowx, dontauditx or auditallowx rules enables checking for extended permissions. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/ss/services.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 9704c8a32303..597b79703584 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -596,9 +596,7 @@ void services_compute_xperms_drivers(
node->datum.u.xperms->driver);
}
- /* If no ioctl commands are allowed, ignore auditallow and auditdeny */
- if (node->key.specified & AVTAB_XPERMS_ALLOWED)
- xperms->len = 1;
+ xperms->len = 1;
}
/*