From: bauen1 <j2468h@googlemail.com>
Date: Fri, 9 Oct 2020 12:47:11 +0000 (+0200)
Subject: selinux: allow dontauditx and auditallowx rules to take effect without allowx
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=44141f58e14317853698f994ca5c3785a0c230d0;p=linux.git

selinux: allow dontauditx and auditallowx rules to take effect without allowx

This allows for dontauditing very specific ioctls e.g. TCGETS without
dontauditing every ioctl or granting additional permissions.

Now either an allowx, dontauditx or auditallowx rules enables checking
for extended permissions.

Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 9704c8a32303f..597b79703584e 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -596,9 +596,7 @@ void services_compute_xperms_drivers(
 					node->datum.u.xperms->driver);
 	}
 
-	/* If no ioctl commands are allowed, ignore auditallow and auditdeny */
-	if (node->key.specified & AVTAB_XPERMS_ALLOWED)
-		xperms->len = 1;
+	xperms->len = 1;
 }
 
 /*