I would like to be able to gather the result of permissive mode per domain from 
a check_access() call for the userspace object managers on Android.

From what I can tell check_access() calls avc_has_perm with a NULL 5th 
argument. That argument is for the struct avc_entry_ref.

That structure has a pointer to an opaque type, avc_entry, which contains 
struct av_decision, which in turn has a flags field that includes a permissive flag:

struct av_decision {
        access_vector_t allowed;
        access_vector_t decided;
        access_vector_t auditallow;
        access_vector_t auditdeny;
        unsigned int seqno;
        unsigned int flags;
};

/* Definitions of av_decision.flags */
#define SELINUX_AVD_FLAGS_PERMISSIVE    0x0001

It looks like if check_access just passed this structure through, then 
avc_has_perm(), when it calls avc_audit(), could supply the av_decision 
structure to the avc_suppl_audit() call. We could then have an audit2 callback 
that takes this parameter.

Is this mostly right? Does it seem sane? Is there a better way to do this?
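An added illustration (not code from the post or from libselinux) of what an audit callback gains once it receives the av_decision: the same audit rule the AVC applies (denied bits masked by auditdeny, granted bits masked by auditallow) plus the per-decision permissive flag. The struct and flag mirror the libselinux definitions quoted above; the functions audited_perms, avc_decide and audit_with_decision are hypothetical names.

```c
/* Added example: evaluate an av_decision as an object manager's audit path
 * would, reporting permissive mode per decision. Struct and flag mirror the
 * libselinux definitions; function names are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef unsigned int access_vector_t;

struct av_decision {
    access_vector_t allowed;
    access_vector_t decided;
    access_vector_t auditallow;
    access_vector_t auditdeny;
    unsigned int seqno;
    unsigned int flags;
};

#define SELINUX_AVD_FLAGS_PERMISSIVE 0x0001

enum avc_result { AVC_GRANTED, AVC_DENIED, AVC_PERMISSIVE_GRANTED };

/* Bits worth a log line: denied bits listed in auditdeny, or granted bits
 * listed in auditallow. This is the rule the AVC itself uses. */
access_vector_t audited_perms(const struct av_decision *avd, access_vector_t requested)
{
    access_vector_t denied = requested & ~avd->allowed;
    return denied ? (denied & avd->auditdeny) : (requested & avd->auditallow);
}

/* What the object manager should enforce for this request. */
enum avc_result avc_decide(const struct av_decision *avd, access_vector_t requested)
{
    access_vector_t denied = requested & ~avd->allowed;
    if (!denied)
        return AVC_GRANTED;
    return (avd->flags & SELINUX_AVD_FLAGS_PERMISSIVE) ? AVC_PERMISSIVE_GRANTED : AVC_DENIED;
}

/* Audit callback of the kind proposed above: with the av_decision in hand it
 * can record whether the domain was permissive. Returns 1 if a line was written. */
int audit_with_decision(const struct av_decision *avd, access_vector_t requested,
                        char *buf, size_t len)
{
    access_vector_t audited = audited_perms(avd, requested);
    if (!audited)
        return 0; /* nothing to log for this request */
    snprintf(buf, len, "avc: %s { 0x%x } permissive=%u",
             (requested & ~avd->allowed) ? "denied" : "granted", audited,
             (avd->flags & SELINUX_AVD_FLAGS_PERMISSIVE) ? 1u : 0u);
    return 1;
}
```

Note that a permissive domain still produces a "denied" audit line while the access is actually granted, which is exactly the case the proposed callback makes visible.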


_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov