On Sat, Sep 12, 2020 at 3:54 PM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
>
> This allows for dontauditing very specific ioctls, e.g. TCGETS, without
> dontauditing every ioctl or granting additional permissions.
>
> Now any of an allowx, dontauditx or auditallowx rule enables checking
> for extended permissions.
>
> Dontaudit rules take precedence over dontauditx rules and auditallowx
> rules take precedence over auditallow rules.

I'm not following why you are providing different precedence for dontauditx vs auditallowx.

Regardless, since this changes the semantics of such rules, I'll need confirmation from Android that they want this change in behavior, since they are the original developers of the ioctl whitelisting support and its primary users to date. We may also need to make the change conditional on a policy capability if backward compatibility is an issue. However, I suspect no one has been relying on the current behavior for dontauditx and auditallowx.
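As an added illustration, not code from the patch or from either message above, this is the kind of policy bauen1's description refers to, written in the kernel policy language that checkpolicy compiles (the CIL statements allowx, dontauditx and auditallowx are spelled allowxperm, dontauditxperm and auditallowxperm there). The type names app_t and console_device_t are hypothetical. TCGETS is 0x5401 on x86 and ARM (asm-generic/ioctls.h); a few architectures such as alpha, mips, powerpc and sparc define different values, so check the target architecture before hard-coding the number.

```selinux
# Added example, not from the patch or the thread. app_t and
# console_device_t are made-up type names; 0x5401 is TCGETS on
# x86/ARM (asm-generic/ioctls.h).

# The case the patch is about: app_t is deliberately NOT granted the
# "ioctl" permission on console_device_t at all, but glibc's isatty()
# probes file descriptors with TCGETS, so every run produces a noisy
# AVC denial for ioctl that the policy author wants to silence
# without granting anything.
allow app_t console_device_t:chr_file { read write };

# Silence only the TCGETS denial. After the patch this rule takes
# effect on its own. Before it, extended-permission checking for a
# driver (here 0x54) was enabled only by an allowxperm rule, so a
# dontauditxperm with no matching allowxperm was inert, and the only
# way to quiet the log was the coarse rule below, which hides every
# ioctl denial on the pair, not just TCGETS.
dontauditxperm app_t console_device_t:chr_file ioctl { 0x5401 };

# Precedence as stated in the patch description: a plain dontaudit on
# "ioctl" overrides the finer dontauditxperm, so leave this out if the
# intent is to keep auditing the other ioctl numbers.
# dontaudit app_t console_device_t:chr_file ioctl;

# Second half of the same semantics: log every granted TCSETS
# (0x5402) on a pair that IS allowed to ioctl, to see which domains
# actually change terminal settings. Under the patch an
# auditallowxperm is honoured here even though no allowxperm narrows
# the driver, which is also what makes the stated auditallowx-over-
# auditallow precedence observable.
allow app_t tty_device_t:chr_file { read write ioctl };
auditallowxperm app_t tty_device_t:chr_file ioctl { 0x5402 };
```

When a policy with these rules is loaded, the denied TCGETS probe by app_t against console_device_t no longer appears in the audit log, while a denied TIOCGWINSZ (0x5413) on the same pair still does; that difference is the behaviour the patch adds, and it is the one to check on a kernel with and without the change before relying on it.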