git.ipfire.org Git - thirdparty/linux.git/commit
selinux: introduce neveraudit types
author Stephen Smalley <stephen.smalley.work@gmail.com>
Wed, 21 May 2025 14:41:23 +0000 (10:41 -0400)
committer Paul Moore <paul@paul-moore.com>
Thu, 19 Jun 2025 21:23:04 +0000 (17:23 -0400)
commit 1106896146d8711fdc899e6fc792e1d01f9b9f15
tree 15902e6e531166619f1184b9a30da1cdbd1fd0c8
parent 17bd3c01667aafaa267e64be70f9627e287ec210
selinux: introduce neveraudit types

Introduce neveraudit types, i.e. types that should never trigger
audit messages. This allows the AVC to skip all audit-related
processing for such types. Note that neveraudit differs from
dontaudit not only wrt being applied for all checks with a given
source type but also in that it disables all auditing, not just
permission denials.

When a type is both a permissive type and a neveraudit type,
the security server can short-circuit the security_compute_av()
logic, allowing all permissions and not auditing any permissions.

This change just introduces the basic support but does not yet
further optimize the AVC or hook function logic when a type
is both a permissive type and a dontaudit type.

Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/include/avc.h
security/selinux/include/security.h
security/selinux/ss/policydb.c
security/selinux/ss/policydb.h
security/selinux/ss/services.c
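The commit message describes two effects: a neveraudit source type suppresses all audit output (both auditallow and dontaudit-style denial logging) for every check from that type, and a type that is both permissive and neveraudit lets the security server skip the access-vector computation entirely. The toy model below is an added example written for this page, not the kernel's code from the files listed above. It mirrors only the field names of the kernel's struct av_decision (allowed, auditallow, auditdeny); the policy tables, type ids, permission bits, rule list and the compute_av/needs_audit/access_audited helpers are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed permission bits for a single toy object class. */
#define PERM_READ  0x1u
#define PERM_WRITE 0x2u
#define PERM_EXEC  0x4u
#define PERM_ALL   (PERM_READ | PERM_WRITE | PERM_EXEC)

#define MAX_TYPES 8
enum { TYPE_NORMAL = 1, TYPE_NEVERAUDIT = 2, TYPE_BOTH = 3 }; /* constructed type ids */

/* Field names follow the kernel's struct av_decision; layout is our own. */
struct av_decision {
    uint32_t allowed;    /* permissions granted by policy */
    uint32_t auditallow; /* granted permissions that should still be logged */
    uint32_t auditdeny;  /* denied permissions that should be logged */
    bool permissive;     /* source type is permissive */
};

enum rule_kind { RULE_ALLOW, RULE_AUDITALLOW, RULE_DONTAUDIT };
struct rule { int source_type; enum rule_kind kind; uint32_t perms; };

struct policy {
    bool permissive[MAX_TYPES]; /* per-type flag, like the policydb permissive map */
    bool neveraudit[MAX_TYPES]; /* per-type flag, the new neveraudit map */
    const struct rule *rules;
    size_t nrules;
};

/* Constructed sample policy: a normal type, a neveraudit type and a type that
 * is both permissive and neveraudit. Target type and class are omitted. */
static const struct rule sample_rules[] = {
    { TYPE_NORMAL,     RULE_ALLOW,      PERM_READ  },
    { TYPE_NORMAL,     RULE_AUDITALLOW, PERM_READ  },
    { TYPE_NORMAL,     RULE_DONTAUDIT,  PERM_WRITE },
    { TYPE_NEVERAUDIT, RULE_ALLOW,      PERM_READ  },
    { TYPE_NEVERAUDIT, RULE_AUDITALLOW, PERM_READ  },
};
const struct policy sample_policy = {
    .permissive = { [TYPE_BOTH] = true },
    .neveraudit = { [TYPE_NEVERAUDIT] = true, [TYPE_BOTH] = true },
    .rules = sample_rules,
    .nrules = sizeof(sample_rules) / sizeof(sample_rules[0]),
};

/* Toy stand-in for security_compute_av(): walk the rules for one source type. */
struct av_decision compute_av(const struct policy *p, int source_type)
{
    struct av_decision avd = { 0, 0, PERM_ALL, p->permissive[source_type] };

    /* Short-circuit: permissive + neveraudit allows everything and audits
     * nothing, so the rule walk is skipped entirely. */
    if (p->permissive[source_type] && p->neveraudit[source_type]) {
        avd.allowed = PERM_ALL;
        avd.auditdeny = 0;
        return avd;
    }

    for (size_t i = 0; i < p->nrules; i++) {
        const struct rule *r = &p->rules[i];
        if (r->source_type != source_type)
            continue;
        switch (r->kind) {
        case RULE_ALLOW:      avd.allowed |= r->perms;     break;
        case RULE_AUDITALLOW: avd.auditallow |= r->perms;  break;
        case RULE_DONTAUDIT:  avd.auditdeny &= ~r->perms;  break; /* denials only */
        }
    }

    /* neveraudit clears both audit vectors for every check from this type. */
    if (p->neveraudit[source_type]) {
        avd.auditallow = 0;
        avd.auditdeny = 0;
    }
    return avd;
}

/* Would an audit record be emitted? Denied bits consult auditdeny,
 * fully granted requests consult auditallow. */
bool needs_audit(const struct av_decision *avd, uint32_t requested)
{
    uint32_t denied = requested & ~avd->allowed;
    if (denied)
        return (denied & avd->auditdeny) != 0;
    return (requested & avd->auditallow) != 0;
}

bool access_audited(const struct policy *p, int source_type, uint32_t requested)
{
    struct av_decision avd = compute_av(p, source_type);
    return needs_audit(&avd, requested);
}

int main(void)
{
    static const int types[] = { TYPE_NORMAL, TYPE_NEVERAUDIT, TYPE_BOTH };
    for (size_t i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
        struct av_decision d = compute_av(&sample_policy, types[i]);
        printf("type %d: allowed=%#x auditallow=%#x auditdeny=%#x permissive=%d audit(exec)=%d\n",
               types[i], d.allowed, d.auditallow, d.auditdeny, d.permissive,
               access_audited(&sample_policy, types[i], PERM_EXEC));
    }
    return 0;
}
```

The normal type shows the narrow effect of a dontaudit rule: the write denial is silenced but an exec denial and the auditallow on read still log. The neveraudit type keeps its allow rule yet logs neither its denials nor its auditallow hits, and the permissive-plus-neveraudit type returns from compute_av before any rule is examined.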