Re: [RFC PATCH] selinux: allow dontauditx rules to take effect without allowx

On Mon, Sep 14, 2020 at 2:49 PM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
> On 9/14/20 7:51 PM, Stephen Smalley wrote:
> > On Sat, Sep 12, 2020 at 3:54 PM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
> >>
> >> This allows for dontauditing very specific ioctls e.g. TCGETS without
> >> dontauditing every ioctl or granting additional permissions.
> >>
> >> Now either an allowx, dontauditx or auditallowx rule enables checking
> >> for extended permissions.
> >>
> >> Dontaudit rules take precedence over dontauditx rules and auditallowx
> >> rules take precedence over auditallow rules.
> >
> > I'm not following why you are providing different precedence for
> > dontauditx vs auditallowx.
>
> I selected this because I thought it is the most useful.
> I think my original take was that with dontaudit you want to be broad if necessary, but with auditallowx you want to be specific. But now I'm not sure if the precedence of auditallow in the RFC is actually good.
> At least the precedence of dontaudit/dontauditx is good because it doesn't change the behavior of dontaudit in any (unexpected) way.
> I will probably change it in a v2.

I think that (dropping the precedence changes) is a good idea at this
point.  Let's focus on the change to services_compute_xperms_drivers()
as I suspect this is the bigger issue.

> > Regardless, since this changes the semantics of such rules I'll need
> > confirmation from Android that they want this change in behavior since
> > they are the original developers of the ioctl whitelisting support and
> > its primary users to date.
>
> I've copied Jeff Vander Stoep since he submitted the original patch, I don't know anyone else involved with this but I see you also added Nick Kralevich.

We really should hear from the Android folks on this as they are
probably the biggest user of the xperms code.  I'm a little surprised
and disappointed that we haven't heard from them yet, but they may be
out of the office at the moment.  I would suggest posting a v2 patch
as you mentioned above and we'll see if we can get the attention of
the Android folks.

-- 
paul moore
www.paul-moore.com
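For readers unfamiliar with the rule types under discussion, here is the kind of policy the RFC is aimed at, written in CIL. This is an added illustration and is not taken from the patch or from any Android policy; the type names foo_t and bar_t are made up, and 0x5401 is the x86 value of TCGETS (the ioctl number is architecture dependent).

```cil
; Hypothetical domain foo_t may issue ioctls on character devices labelled bar_t.
; A plain allow on the ioctl permission does not itself turn on extended
; permission (xperm) checking for the (foo_t, bar_t, chr_file) triple.
(allow foo_t bar_t (chr_file (read write ioctl)))

; Do not audit denials of TCGETS only; every other ioctl denial is still logged.
; Before the RFC, this rule had no effect unless an allowx rule for the same
; source/target/class also existed, because only allowx enabled xperm checking.
; With the RFC, a dontauditx rule alone is enough, so nothing extra is granted.
(dontauditx foo_t bar_t (ioctl chr_file (0x5401)))
```

The contrast with the pre-RFC workaround is the point: without this change a policy author who only wanted to silence TCGETS had to either add a blanket dontaudit on the whole ioctl permission (losing the audit trail for all other ioctls) or add an allowx rule covering TCGETS (granting a permission they did not intend to grant).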


