summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--security/selinux/avc.c2
-rw-r--r--security/selinux/ss/services.c7
2 files changed, 8 insertions, 1 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 18f4103e02b7..f2dde268165a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -117,7 +117,7 @@ static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
i = 0;
perm = 1;
while (i < (sizeof(av) * 8)) {
- if (perm & av) {
+ if ((perm & av) && perms[i]) {
audit_log_format(ab, " %s", perms[i]);
av &= ~perm;
}
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 77f6e54bb43f..d6bb20cbad62 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -239,6 +239,13 @@ static void map_decision(u16 tclass, struct av_decision *avd,
if (!allow_unknown && !current_mapping[tclass].perms[i])
result |= 1<<i;
}
+ /*
+ * In case the kernel has a bug and requests a permission
+ * between num_perms and the maximum permission number, we
+ * should audit that denial
+ */
+ for (; i < (sizeof(u32)*8); i++)
+ result |= 1<<i;
avd->auditdeny = result;
}
}