Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7b20ea25 authored by NeilBrown's avatar NeilBrown Committed by Al Viro
Browse files

security/selinux: pass 'flags' arg to avc_audit() and avc_has_perm_flags() 



This allows MAY_NOT_BLOCK to be passed, in RCU-walk mode, through
the new avc_has_perm_flags() to avc_audit() and thence the slow_avc_audit.

Signed-off-by: default avatarNeilBrown <neilb@suse.de>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 181548c0

security/selinux/avc.c

+17 −1
Original line number Diff line number Diff line
@@ -761,7 +761,23 @@ int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, 


	rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);



	rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);

	rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, 0);

	if (rc2)

		return rc2;

	return rc;

}



int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass,

		       u32 requested, struct common_audit_data *auditdata,

		       int flags)

{

	struct av_decision avd;

	int rc, rc2;



	rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);



	rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc,

			auditdata, flags);

	if (rc2)

		return rc2;

	return rc;

security/selinux/hooks.c

+1 −1
Original line number Diff line number Diff line
@@ -1564,7 +1564,7 @@ static int cred_has_capability(const struct cred *cred, 


	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);

	if (audit == SECURITY_CAP_AUDIT) {

		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);

		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);

		if (rc2)

			return rc2;

	}

security/selinux/include/avc.h

+7 −2
Original line number Diff line number Diff line
@@ -130,7 +130,8 @@ static inline int avc_audit(u32 ssid, u32 tsid, 
			    u16 tclass, u32 requested,

			    struct av_decision *avd,

			    int result,

			    struct common_audit_data *a)

			    struct common_audit_data *a,

			    int flags)

{

	u32 audited, denied;

	audited = avc_audit_required(requested, avd, result, 0, &denied);
@@ -138,7 +139,7 @@ static inline int avc_audit(u32 ssid, u32 tsid, 
		return 0;

	return slow_avc_audit(ssid, tsid, tclass,

			      requested, audited, denied, result,

			      a, 0);

			      a, flags);

}



#define AVC_STRICT 1 /* Ignore permissive mode. */
@@ -150,6 +151,10 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, 
int avc_has_perm(u32 ssid, u32 tsid,

		 u16 tclass, u32 requested,

		 struct common_audit_data *auditdata);

int avc_has_perm_flags(u32 ssid, u32 tsid,

		       u16 tclass, u32 requested,

		       struct common_audit_data *auditdata,

		       int flags);



u32 avc_policy_seqno(void);