av_decision on audit callback

I would like to be able to gather the result of permissive mode per domain from a check_access() call for the userspace object managers on Android.

 

From what I can tell check_access() calls avc_has_perm with a NULL 5th argument. That argument is for the struct avc_entry_ref.

 

That structure has a pointer to an opaque type, avc_entry, which contains struct av_decision, which contains flags that have a permissive flag:

 

struct av_decision {
        access_vector_t allowed;
        access_vector_t decided;
        access_vector_t auditallow;
        access_vector_t auditdeny;
        unsigned int seqno;
        unsigned int flags;
};

/* Definitions of av_decision.flags */
#define SELINUX_AVD_FLAGS_PERMISSIVE    0x0001

It looks like if check_access just passes this structure, then avc_has_perm(), when it calls avc_audit, could supply the av_decision structure to the avc_suppl_audit() call. We could then have an audit2 callback that takes this parameter.

 

Is this mostly right, seem sane? Better way to do this?

 

 

_______________________________________________
Selinux mailing list
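
Added example, not part of the original post and not libselinux code: a self-contained C sketch of the idea in the message above, in which a hypothetical audit2-style callback receives the av_decision and records the per-domain permissive flag. The names sketch_has_perm, audit2_cb, audit2_log and demo_check are hypothetical, access_vector_t is assumed to be unsigned int, and global enforcing mode is not modelled.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int access_vector_t;      /* assumed width for this sketch */

struct av_decision {                       /* fields as quoted in the post */
    access_vector_t allowed, decided, auditallow, auditdeny;
    unsigned int seqno, flags;
};
#define SELINUX_AVD_FLAGS_PERMISSIVE 0x0001

/* Hypothetical "audit2" callback type: receives the decision itself. */
typedef void (*audit2_cb)(const struct av_decision *avd, access_vector_t denied);

static char last_msg[64];                  /* constructed sink for the audit text */

/* Example callback: record whether the domain was permissive for this denial. */
void audit2_log(const struct av_decision *avd, access_vector_t denied)
{
    snprintf(last_msg, sizeof(last_msg), "denied=0x%x permissive=%d", denied,
             (avd->flags & SELINUX_AVD_FLAGS_PERMISSIVE) ? 1 : 0);
}

/* Simplified stand-in for the access check: 0 = granted, -1 = EACCES. */
int sketch_has_perm(const struct av_decision *avd,
                    access_vector_t requested, audit2_cb cb)
{
    access_vector_t denied = requested & ~avd->allowed;

    if (!denied)
        return 0;
    if ((denied & avd->auditdeny) && cb)
        cb(avd, denied);                   /* the decision reaches the callback */
    if (avd->flags & SELINUX_AVD_FLAGS_PERMISSIVE)
        return 0;                          /* per-domain permissive: log, then allow */
    errno = EACCES;
    return -1;
}

/* Constructed decision: only bit 0x1 allowed, every denial audited. */
int demo_check(unsigned int flags)
{
    struct av_decision avd = { 0x1, ~0u, 0, ~0u, 1, flags };
    return sketch_has_perm(&avd, 0x3, audit2_log);
}

int main(void)
{
    printf("%d %s\n", demo_check(SELINUX_AVD_FLAGS_PERMISSIVE), last_msg);
    printf("%d %s\n", demo_check(0), last_msg);
    return 0;
}
```

With the same constructed denial, the permissive domain is granted access and logged with permissive=1, while the enforcing domain gets EACCES and permissive=0.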