aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/avc.c
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2009-11-23 16:47:23 -0500
committerJames Morris <jmorris@namei.org>2009-11-24 14:30:49 +1100
commit0bce95279909aa4cc401a2e3140b4295ca22e72a (patch)
tree5b98e4ebe7ef30fa1edf627c79501c531b346a8b /security/selinux/avc.c
parentSilence the existing API for capability version compatibility check. (diff)
downloadlinux-dev-0bce95279909aa4cc401a2e3140b4295ca22e72a.tar.xz
linux-dev-0bce95279909aa4cc401a2e3140b4295ca22e72a.zip
SELinux: print denials for buggy kernel with unknown perms
Historically we've seen cases where permissions are requested for classes where they do not exist. In particular we have seen CIFS forget to set i_mode to indicate it is a directory so when we later check something like remove_name we have problems since it wasn't defined in tclass file. This used to result in a avc which included the permission 0x2000 or something. Currently the kernel will deny the operations (good thing) but will not print ANY information (bad thing). First the auditdeny field is no extended to include unknown permissions. After that is fixed the logic in avc_dump_query to output this information isn't right since it will remove the permission from the av and print the phrase "<NULL>". This takes us back to the behavior before the classmap rewrite. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/avc.c')
-rw-r--r--security/selinux/avc.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 18f4103e02b7..f2dde268165a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -117,7 +117,7 @@ static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
i = 0;
perm = 1;
while (i < (sizeof(av) * 8)) {
- if (perm & av) {
+ if ((perm & av) && perms[i]) {
audit_log_format(ab, " %s", perms[i]);
av &= ~perm;
}