selinux: allow dontauditx and auditallowx rules to take effect without allowx

This allows for dontauditing very specific ioctls e.g. TCGETS without dontauditing every ioctl or granting additional permissions. Now either an allowx, dontauditx or auditallowx rules enables checking for extended permissions. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: bauen1 <j2468h@googlemail.com> 2020-10-09 14:47:11 +0200
committer: Paul Moore <paul@paul-moore.com> 2020-10-27 22:21:11 -0400
commit: 44141f58e14317853698f994ca5c3785a0c230d0 (patch)
tree: ea3b09c6ede9b129ddfa82c9438d1cd2fc756c10 /security
parent: selinux: fix error initialization in inode_doinit_with_dentry() (diff)
download: linux-dev-44141f58e14317853698f994ca5c3785a0c230d0.tar.xz
linux-dev-44141f58e14317853698f994ca5c3785a0c230d0.zip
1 files changed, 1 insertions, 3 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 9704c8a32303..597b79703584 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -596,9 +596,7 @@ void services_compute_xperms_drivers(
 					node->datum.u.xperms->driver);
 	}
 
-	/* If no ioctl commands are allowed, ignore auditallow and auditdeny */
-	if (node->key.specified & AVTAB_XPERMS_ALLOWED)
-		xperms->len = 1;
+	xperms->len = 1;
 }
 
 /*
author	bauen1 <j2468h@googlemail.com>	2020-10-09 14:47:11 +0200
committer	Paul Moore <paul@paul-moore.com>	2020-10-27 22:21:11 -0400
commit	44141f58e14317853698f994ca5c3785a0c230d0 (patch)
tree	ea3b09c6ede9b129ddfa82c9438d1cd2fc756c10 /security
parent	selinux: fix error initialization in inode_doinit_with_dentry() (diff)
download	linux-dev-44141f58e14317853698f994ca5c3785a0c230d0.tar.xz linux-dev-44141f58e14317853698f994ca5c3785a0c230d0.zip