42b4a44b74
Add support for extended permissions to audit2allow. Extend AuditParser to parse the 'ioctlcmd' field in AVC message. Extend PolicyGenerator to generate allowxperm rules. Add the '-x'/'--xperms' option to audit2allow to turn on generating of extended permission AV rules. AVCMessage parses the ioctlcmd field in AVC messages. AuditParser converts the ioctlcmd values into generic representation of extended permissions that is stored in access vectors. Extended permissions are represented by operations (currently only 'ioctl') and values associated to the operations. Values (for example '~{ 0x42 1234 23-34 }') are stored in the XpermSet class. PolicyGenerator contains new method to turn on generating of xperms. When turned on, for each access vector, standard AV rule and possibly several xperm AV rules are generated. Xperm AV rules are represented by the AVExtRule class. With xperm generating turned off, PolicyGenerator provides comments about extended permissions in certain situations. When the AVC message contains the ioctlcmd field and the access would be allowed according to the policy, PolicyGenerator warns about xperm rules being the possible cause of the denial. Signed-off-by: Jan Zarsky <jzarsky@redhat.com> |
||
---|---|---|
.. | ||
src | ||
tests | ||
COPYING | ||
HACKING | ||
Makefile | ||
VERSION |