On 9/14/20 7:51 PM, Stephen Smalley wrote:
> On Sat, Sep 12, 2020 at 3:54 PM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
>>
>> This allows for dontauditing very specific ioctls e.g. TCGETS without
>> dontauditing every ioctl or granting additional permissions.
>>
>> Now either an allowx, dontauditx or auditallowx rule enables checking
>> for extended permissions.
>>
>> Dontaudit rules take precedence over dontauditx rules and auditallowx
>> rules take precedence over auditallow rules.
>
> I'm not following why you are providing different precedence for
> dontauditx vs auditallowx.

I selected this because I thought it is the most useful. I think my original take was that with dontaudit you want to be broad if necessary, but with auditallowx you want to be specific.

But now I'm not sure if the precedence of auditallow in the RFC is actually good. At least the precedence of dontaudit/dontauditx is good because it doesn't change the behavior of dontaudit in any (unexpected) way. I will probably change it in a v2.

> Regardless, since this changes the semantics of such rules I'll need
> confirmation from Android that they want this change in behavior since
> they are the original developers of the ioctl whitelisting support and
> its primary users to date.

I've copied Jeff Vander Stoep since he submitted the original patch. I don't know anyone else involved with this, but I see you also added Nick Kralevich.

> We may also need to make the change
> conditional on a policy capability if backward compatibility is an
> issue. However, I suspect no one has been relying on the current
> behavior for dontauditx and auditallowx.
>

This would break any policy that relies on the old behavior that dontauditx/auditallowx don't enable extended permission checks. If a policy does require this behavior it will grant less access.

But at the same time I have yet to find any policy other than seandroid that actually utilizes extended permissions, and even it only has 2 dontauditxperm statements (at least that is what a grep of a recent checkout found).

-- 
bauen1
https://dn42.bauen1.xyz/
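The following policy fragment is an added illustration of the use case described in the patch description above; it is not from this thread, the kernel, or any shipped policy. The type names app_t and tty_device_t are placeholders; 0x5401 is the value of TCGETS in the Linux asm-generic/ioctls.h header.

```selinux
# Added example, not from the thread or any real policy. app_t and
# tty_device_t are placeholder type names; 0x5401 is TCGETS.

# Deliberately no `allow app_t tty_device_t:chr_file ioctl;` rule:
# the ioctl permission itself stays denied.

# With the proposed change this rule on its own enables extended
# permission checking for ioctl, so a denied TCGETS is not logged while
# every other denied ioctl on tty_device_t is still audited.
dontauditxperm app_t tty_device_t:chr_file ioctl { 0x5401 };

# Before the change, dontauditxperm without an allowxperm did not enable
# extended permission checks, so silencing TCGETS meant either silencing
# every ioctl denial:
#   dontaudit app_t tty_device_t:chr_file ioctl;
# or granting access so that the xperm rules are consulted at all:
#   allow app_t tty_device_t:chr_file ioctl;
#   allowxperm app_t tty_device_t:chr_file ioctl { 0x5401 };

# Precedence as stated in the patch description: a plain dontaudit on the
# ioctl permission takes precedence over dontauditxperm, so enabling the
# line below would silence all ioctl denials, not only TCGETS.
# dontaudit app_t tty_device_t:chr_file ioctl;
```

When reviewing a policy that relies on this, check for an `allow` or `dontaudit` on the same class/permission pair, since either one changes what the xperm rule actually does.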