authorimoseyon <imoseyon@gmail.com>2015-01-16 21:37:47 -0800
committerMister Oyster <oysterized@gmail.com>2017-05-24 02:49:28 +0200
commitbaafda9652f3f719dd89aaa8ade1ee25bf752d4b (patch)
tree2bff3de64f6d9e5ca35baf4b721148b7ae173581
parent048f92f42d042161896d3f0e3eb785050bec117e (diff)
selinux: add force_audit sysfs node to enable logging of dontaudit
* for kernel selinux debugging * to enable: * echo Y > /sys/module/selinux/parameters/force_audit Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>
-rw-r--r--security/selinux/avc.c4
-rw-r--r--security/selinux/include/avc.h3
2 files changed, 7 insertions, 0 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 54b87f26c..572eb5e8d 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -29,6 +29,7 @@
#include <linux/ip.h>
#include <linux/audit.h>
#include <linux/ipv6.h>
+#include <linux/moduleparam.h>
#include <net/ipv6.h>
#include "avc.h"
#include "avc_ss.h"
@@ -44,6 +45,9 @@
#define avc_cache_stats_incr(field) do {} while (0)
#endif
+bool force_audit = false;
+module_param(force_audit, bool, 0644);
+
struct avc_entry {
u32 ssid;
u32 tsid;
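Review bot: `force_audit` is added as a bare global and exposed writable at runtime (`0644`) with no Kconfig gate, so on any build carrying this patch a process able to write `/sys/module/selinux/parameters/force_audit` can turn dontaudit-suppressed denials into audit records, which risks flooding the audit log on a production device. Consider wrapping the parameter in a debug-only config option, or making it boot-time only with mode `0444`. The symbol should also be namespaced, e.g. `bool selinux_force_audit __read_mostly;` with `module_param_named(force_audit, selinux_force_audit, bool, 0644);`, and the `extern` in include/avc.h updated to match. A one-line comment above the parameter stating that it overrides dontaudit rules for debugging only would document the intent.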
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index af09f84e5..55d124495 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -59,6 +59,8 @@ struct selinux_audit_data {
int result;
};
+extern bool force_audit;
+
/*
* AVC operations
*/
@@ -93,6 +95,7 @@ static inline u32 avc_audit_required(u32 requested,
*/
if (auditdeny && !(auditdeny & avd->auditdeny))
audited = 0;
+ if (force_audit) audited = 1;
} else if (result)
audited = denied = requested;
else
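Review bot: `audited` is a permission bitmask (the sibling branch sets `audited = denied = requested;`), so `if (force_audit) audited = 1;` reports only permission bit 0x1 rather than the permissions that were actually denied, and the resulting audit record would likely name the wrong permission. Use the denied mask instead, with the statement on its own line per kernel style: `if (force_audit)` followed by `audited = denied;`. The override also runs after the `auditdeny` filter just above it, so it undoes that caller-requested suppression as well; a short comment saying this is intended would help. avc_audit_required() begins before this hunk and continues past it.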