commit 58f5fea5096d7b0a7b22066ec4dc4c0e85cc5551
author Nick Kralevich <nnk@google.com> Fri Feb 26 16:50:51 2016 -0800
committer Nick Kralevich <nnk@google.com> Fri Feb 26 17:00:15 2016 -0800
tree d02bf2b2438408d08d11e4c53e3ee07097c58798
parent 1a56de32010a4d837c7dec836bc2a380bdfb1de3

logd: Don't trigger an integrity failure on permissive SELinux denials

Only trigger an integrity failure if a policy is reloaded or
SELinux is disabled. Don't trigger the integrity failure if
we see a permissive=1 denial, which could occur if an SELinux
domain is in permissive mode.

Bug: 27313768
Bug: 26902605
Change-Id: Ib85a2799eb6378ae8acdb965b1812d691183fdd3

logd/LogAudit.cpp

diff --git a/logd/LogAudit.cpp b/logd/LogAudit.cpp
index 230dd11..7c35dc6 100644
--- a/logd/LogAudit.cpp
+++ b/logd/LogAudit.cpp
@@ -155,15 +155,15 @@
         }
     }
 
-    bool permissive = strstr(str, " enforcing=0") ||
-                      strstr(str, " permissive=1");
+    bool notEnforcing = strstr(str, " enforcing=0");
+    bool permissive = strstr(str, " permissive=1");
 
-    if (permissive) {
+    if (notEnforcing) {
         // SELinux in permissive mode is not allowed
         enforceIntegrity();
     }
 
-    bool info = loaded || permissive;
+    bool info = loaded || permissive || notEnforcing;
     if ((fdDmesg >= 0) && initialized) {
         struct iovec iov[3];
         static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) };