Commit 33ee84f8 authored by Nick Kralevich

logd: Don't trigger an integrity failure on permissive SELinux denials

Only trigger an integrity failure if a policy is reloaded or
SELinux is disabled. Don't trigger the integrity failure if
we see a permissive=1 denial, which could occur if an SELinux
domain is in permissive mode.

Bug: 27313768
Bug: 26902605
Change-Id: Ib85a2799eb6378ae8acdb965b1812d691183fdd3
parent 242393fe
+4 −4
@@ -155,15 +155,15 @@ int LogAudit::logPrint(const char *fmt, ...) {
        }
        }
    }
    }


    bool permissive = strstr(str, " enforcing=0") ||
    bool notEnforcing = strstr(str, " enforcing=0");
                      strstr(str, " permissive=1");
    bool permissive = strstr(str, " permissive=1");


    if (permissive) {
    if (notEnforcing) {
        // SELinux in permissive mode is not allowed
        // SELinux in permissive mode is not allowed
        enforceIntegrity();
        enforceIntegrity();
    }
    }


    bool info = loaded || permissive;
    bool info = loaded || permissive || notEnforcing;
    if ((fdDmesg >= 0) && initialized) {
    if ((fdDmesg >= 0) && initialized) {
        struct iovec iov[3];
        struct iovec iov[3];
        static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) };
        static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) };
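
Review bot: the comment above the enforceIntegrity() call, "// SELinux in permissive mode is not allowed", no longer matches the condition it sits under. With this change the call is guarded by notEnforcing, which is set only by " enforcing=0", while a " permissive=1" record now only contributes to info. Suggest rewording the comment to say that a global enforcing=0 state is what is not allowed, and adding a short comment at the permissive declaration stating that per-domain permissive denials still set info but intentionally do not trigger the integrity failure. Since the integrity decision now depends on telling the two strstr() matches apart, a one-line note on what each substring indicates in the audit string would help the next reader.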