This allows for dontauditing very specific ioctls e.g. TCGETS without dontauditing every ioctl or granting additional permissions. Now either an allowx, dontauditx or auditallowx rules enables checking for extended permissions. Dontaudit rules take precedence over dontauditx rules and auditallowx rules take precedence over auditallow rules. Signed-off-by: Jonathan Hettwer <j2468h@xxxxxxxxx> --- security/selinux/avc.c | 12 ++++++++---- security/selinux/ss/services.c | 4 +--- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 3c05827608b6..ad5b2e3b5abb 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -402,10 +402,14 @@ static inline u32 avc_xperms_audit_required(u32 requested, } else if (result) { audited = denied = requested; } else { - audited = requested & avd->auditallow; - if (audited && xpd) { - if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) - audited &= ~requested; + if (xpd) { + if (avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) { + audited = requested; + } else { + audited = 0; + } + } else { + audited = requested & avd->auditallow; } } diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 9704c8a32303..597b79703584 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -596,9 +596,7 @@ void services_compute_xperms_drivers( node->datum.u.xperms->driver); } - /* If no ioctl commands are allowed, ignore auditallow and auditdeny */ - if (node->key.specified & AVTAB_XPERMS_ALLOWED) - xperms->len = 1; + xperms->len = 1; } /* -- 2.28.0