SELinux: print denials for buggy kernel with unknown perms

Historically we've seen cases where permissions are requested for classes
where they do not exist.  In particular we have seen CIFS forget to set
i_mode to indicate it is a directory so when we later check something like
remove_name we have problems since it wasn't defined in tclass file.  This
used to result in a avc which included the permission 0x2000 or something.
Currently the kernel will deny the operations (good thing) but will not
print ANY information (bad thing).  First the auditdeny field is no
extended to include unknown permissions.  After that is fixed the logic in
avc_dump_query to output this information isn't right since it will remove
the permission from the av and print the phrase "<NULL>".  This takes us
back to the behavior before the classmap rewrite.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Eric Paris 2009-11-23 16:47:23 -05:00 committed by James Morris
parent c4a5af54c8
commit 0bce952799
2 changed files with 8 additions and 1 deletions

View file

@ -117,7 +117,7 @@ static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
i = 0; i = 0;
perm = 1; perm = 1;
while (i < (sizeof(av) * 8)) { while (i < (sizeof(av) * 8)) {
if (perm & av) { if ((perm & av) && perms[i]) {
audit_log_format(ab, " %s", perms[i]); audit_log_format(ab, " %s", perms[i]);
av &= ~perm; av &= ~perm;
} }

View file

@ -239,6 +239,13 @@ static void map_decision(u16 tclass, struct av_decision *avd,
if (!allow_unknown && !current_mapping[tclass].perms[i]) if (!allow_unknown && !current_mapping[tclass].perms[i])
result |= 1<<i; result |= 1<<i;
} }
/*
* In case the kernel has a bug and requests a permission
* between num_perms and the maximum permission number, we
* should audit that denial
*/
for (; i < (sizeof(u32)*8); i++)
result |= 1<<i;
avd->auditdeny = result; avd->auditdeny = result;
} }
} }