selinux: allow dontauditx and auditallowx rules to take effect without allowx

This allows for dontauditing very specific ioctls e.g. TCGETS without dontauditing every ioctl or granting additional permissions. Now either an allowx, dontauditx or auditallowx rules enables checking for extended permissions. Signed-off-by: Jonathan Hettwer <j2468h@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: bauen1 <j2468h@googlemail.com> 2020-10-09 15:47:11 +0300
committer: Paul Moore <paul@paul-moore.com> 2020-10-28 05:21:11 +0300
commit: 44141f58e14317853698f994ca5c3785a0c230d0 (patch)
tree: ea3b09c6ede9b129ddfa82c9438d1cd2fc756c10 /security
parent: 83370b31a915493231e5b9addc72e4bef69f8d31 (diff)
download: linux-44141f58e14317853698f994ca5c3785a0c230d0.tar.xz
1 files changed, 1 insertions, 3 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 9704c8a32303..597b79703584 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -596,9 +596,7 @@ void services_compute_xperms_drivers(
 					node->datum.u.xperms->driver);
 	}
 
-	/* If no ioctl commands are allowed, ignore auditallow and auditdeny */
-	if (node->key.specified & AVTAB_XPERMS_ALLOWED)
-		xperms->len = 1;
+	xperms->len = 1;
 }
 
 /*
author	bauen1 <j2468h@googlemail.com>	2020-10-09 15:47:11 +0300
committer	Paul Moore <paul@paul-moore.com>	2020-10-28 05:21:11 +0300
commit	44141f58e14317853698f994ca5c3785a0c230d0 (patch)
tree	ea3b09c6ede9b129ddfa82c9438d1cd2fc756c10 /security
parent	83370b31a915493231e5b9addc72e4bef69f8d31 (diff)
download	linux-44141f58e14317853698f994ca5c3785a0c230d0.tar.xz