[PATCH 1/1] Add CONFIG_SECURITY_SELINUX_PERMISSIVE_DONTAUDIT

[jeffxu at chromium.org]

From: Jeff Xu <jeffxu at chromium.org>

When SECURITY_SELINUX_DEVELOP=y and the system is running in permissive
mode, it is useful to disable logging from permissive domain, so audit
log does not get spamed.

Signed-off-by: Jeff Xu <jeffxu at chromium.org>
Signed-off-by: Luis Hector Chavez <lhchavez at google.com>
Tested-by: Luis Hector Chavez <lhchavez at chromium.org>
Tested-by: Jeff Xu<jeffxu at chromium.org>
---
 security/selinux/Kconfig | 10 ++++++++++
 security/selinux/avc.c   |  9 +++++++++
 2 files changed, 19 insertions(+)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 9e921fc72538..99b8b88abc3d 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -61,6 +61,16 @@ config SECURITY_SELINUX_DEVELOP
 	  permissive mode (if permitted by the policy) via
 	  /sys/fs/selinux/enforce.
 
+config SECURITY_SELINUX_PERMISSIVE_DONTAUDIT
+	bool "NSA SELinux don't audit permissive"
+	depends on SECURITY_SELINUX
+	default n
+	help
+	  This prevents logging when permissive=1.  If unsure, say N.  With
+	  this option enabled, any avc logs that would occur on a permissive
+	  domain won't be logged.  This can prevent a significant amount of
+	  logspam.
+
 config SECURITY_SELINUX_AVC_STATS
 	bool "NSA SELinux AVC Statistics"
 	depends on SECURITY_SELINUX
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 9a43af0ebd7d..2f0a49d7c714 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -777,6 +777,15 @@ noinline int slow_avc_audit(struct selinux_state *state,
 	if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)))
 		return -EINVAL;
 
+	/*
+	 * Avoid logging permissive=1 messages for
+	 * SECURITY_SELINUX_PERMISSIVE_DONTAUDIT.
+	 */
+	if (IS_ENABLED(CONFIG_SECURITY_SELINUX_PERMISSIVE_DONTAUDIT) && denied
+	    && !result) {
+		return 0;
+	}
+
 	if (!a) {
 		a = &stack_data;
 		a->type = LSM_AUDIT_DATA_NONE;
-- 
2.37.3.968.ga6b4b080e4-goog