[PATCH][SELINUX] Audit any unmapped permissions
From: Stephen Smalley
Date: Tue Feb 01 2005 - 10:02:32 EST
This patch against 2.6.11-rc2-mm2 changes SELinux to display any
permission values that could not be mapped to names as a hex value when
generating an audit message. Please apply.
Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Signed-off-by: James Morris <jmorris@xxxxxxxxxx>
security/selinux/avc.c | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
Index: linux-2.6/security/selinux/avc.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/avc.c,v
retrieving revision 1.50
diff -u -p -r1.50 avc.c
--- linux-2.6/security/selinux/avc.c 10 Dec 2004 17:16:30 -0000 1.50
+++ linux-2.6/security/selinux/avc.c 1 Feb 2005 12:50:14 -0000
@@ -162,8 +162,10 @@ void avc_dump_av(struct audit_buffer *ab
i = 0;
perm = 1;
while (perm < common_base) {
- if (perm & av)
+ if (perm & av) {
audit_log_format(ab, " %s", common_pts[i]);
+ av &= ~perm;
+ }
i++;
perm <<= 1;
}
@@ -175,14 +177,19 @@ void avc_dump_av(struct audit_buffer *ab
(av_perm_to_string[i2].value == perm))
break;
}
- if (i2 < ARRAY_SIZE(av_perm_to_string))
+ if (i2 < ARRAY_SIZE(av_perm_to_string)) {
audit_log_format(ab, " %s",
av_perm_to_string[i2].name);
+ av &= ~perm;
+ }
}
i++;
perm <<= 1;
}
+ if (av)
+ audit_log_format(ab, " 0x%x", av);
+
audit_log_format(ab, " }");
}
--
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/