authorNick Kralevich <nnk@google.com>2016-02-26 16:50:51 -0800
committerNick Kralevich <nnk@google.com>2016-02-26 17:00:15 -0800
commit33ee84f87115f1e0a2a3a6bf61dc89b97a96daa2 (patch)
treed02bf2b2438408d08d11e4c53e3ee07097c58798 /logd
parent242393fec13d6703e1d2ef27873fc222cb1d3db3 (diff)
downloadsystem_core-33ee84f87115f1e0a2a3a6bf61dc89b97a96daa2.tar.gz
system_core-33ee84f87115f1e0a2a3a6bf61dc89b97a96daa2.tar.bz2
system_core-33ee84f87115f1e0a2a3a6bf61dc89b97a96daa2.zip
logd: Don't trigger an integrity failure on permissive SELinux denials
Only trigger an integrity failure if a policy is reloaded or SELinux is disabled. Don't trigger the integrity failure if we see a permissive=1 denial, which could occur if an SELinux domain is in permissive mode. Bug: 27313768 Bug: 26902605 Change-Id: Ib85a2799eb6378ae8acdb965b1812d691183fdd3
Diffstat (limited to 'logd')
-rw-r--r--logd/LogAudit.cpp8
1 files changed, 4 insertions, 4 deletions
diff --git a/logd/LogAudit.cpp b/logd/LogAudit.cpp
index 230dd1125..7c35dc60d 100644
--- a/logd/LogAudit.cpp
+++ b/logd/LogAudit.cpp
@@ -155,15 +155,15 @@ int LogAudit::logPrint(const char *fmt, ...) {
}
}
- bool permissive = strstr(str, " enforcing=0") ||
- strstr(str, " permissive=1");
+ bool notEnforcing = strstr(str, " enforcing=0");
+ bool permissive = strstr(str, " permissive=1");
- if (permissive) {
+ if (notEnforcing) {
// SELinux in permissive mode is not allowed
enforceIntegrity();
}
- bool info = loaded || permissive;
+ bool info = loaded || permissive || notEnforcing;
if ((fdDmesg >= 0) && initialized) {
struct iovec iov[3];
static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) };
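Review bot: The comment above `enforceIntegrity()` still reads "SELinux in permissive mode is not allowed", which is now misleading: the variable named `permissive` (a `permissive=1` denial) no longer reaches that call, only `notEnforcing` does. I would reword it to `// enforcing=0 (SELinux taken out of enforcing mode) is not allowed; permissive=1 denials from a permissive domain are only logged`, so a later maintainer does not "fix" the condition back. Both flags come from a `strstr` over the whole audit line, so a short comment saying the leading space is what anchors the match to a field boundary would help; whether any caller-influenced field in `str` could carry that sequence is not visible in this hunk and is worth confirming. `logPrint` begins and ends outside the hunk, so `str` and `loaded` are defined out of view.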