From: bauen1 <j2468h@xxxxxxxxxxxxxx> commit 44141f58e14317853698f994ca5c3785a0c230d0 upstream. This allows for dontauditing very specific ioctls e.g. TCGETS without dontauditing every ioctl or granting additional permissions. Now either an allowx, dontauditx or auditallowx rules enables checking for extended permissions. Signed-off-by: Jonathan Hettwer <j2468h@xxxxxxxxx> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx> Signed-off-by: Alexander Grund <theflamefire89@xxxxxxxxx> --- security/selinux/ss/services.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 6ca297821d459..c27c3ce76abbc 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -610,9 +610,7 @@ void services_compute_xperms_drivers( node->datum.u.xperms->driver); } - /* If no ioctl commands are allowed, ignore auditallow and auditdeny */ - if (node->key.specified & AVTAB_XPERMS_ALLOWED) - xperms->len = 1; + xperms->len = 1; } /* -- 2.25.1
