mirror of
https://github.com/torvalds/linux
synced 2024-11-05 18:23:50 +00:00
selinux: add basic filtering for audit trace events
This patch adds further attributes to the event. These attributes are
helpful to understand the context of the message and can be used
to filter the events.
There are three common items. Source context, target context and tclass.
There are also items from the outcome of operation performed.
An event is similar to:
<...>-1309 [002] .... 6346.691689: selinux_audited:
requested=0x4000000 denied=0x4000000 audited=0x4000000
result=-13
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file
With systems where many denials are occurring, it is useful to apply a
filter. The filtering is a set of logic that is inserted with
the filter file. Example:
echo "tclass==\"file\" " > events/avc/selinux_audited/filter
This adds that we only get tclass=file.
The trace can also have extra properties. Adding the user stack
can be done with
echo 1 > options/userstacktrace
Now the output will be
runcon-1365 [003] .... 6960.955530: selinux_audited:
requested=0x4000000 denied=0x4000000 audited=0x4000000
result=-13
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file
runcon-1365 [003] .... 6960.955560: <user stack trace>
=> <00007f325b4ce45b>
=> <00005607093efa57>
Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
Reviewed-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Peter Enderborg
Paul Moore
parent
dd8166212d
commit
30969bc8e0
2 changed files with 41 additions and 23 deletions
|
|
@ -1,6 +1,7 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0 */
|
||||
/*
|
||||
* Author: Thiébaud Weksteen <tweek@google.com>
|
||||
* Authors: Thiébaud Weksteen <tweek@google.com>
|
||||
* Peter Enderborg <Peter.Enderborg@sony.com>
|
||||
*/
|
||||
#undef TRACE_SYSTEM
|
||||
#define TRACE_SYSTEM avc
|
||||
|
|
@ -12,23 +13,38 @@
|
|||
|
||||
TRACE_EVENT(selinux_audited,
|
||||
|
||||
TP_PROTO(struct selinux_audit_data *sad),
|
||||
TP_PROTO(struct selinux_audit_data *sad,
|
||||
char *scontext,
|
||||
char *tcontext,
|
||||
const char *tclass
|
||||
),
|
||||
|
||||
TP_ARGS(sad),
|
||||
TP_ARGS(sad, scontext, tcontext, tclass),
|
||||
|
||||
TP_STRUCT__entry(
|
||||
__field(unsigned int, tclass)
|
||||
__field(unsigned int, audited)
|
||||
__field(u32, requested)
|
||||
__field(u32, denied)
|
||||
__field(u32, audited)
|
||||
__field(int, result)
|
||||
__string(scontext, scontext)
|
||||
__string(tcontext, tcontext)
|
||||
__string(tclass, tclass)
|
||||
),
|
||||
|
||||
TP_fast_assign(
|
||||
__entry->tclass = sad->tclass;
|
||||
__entry->audited = sad->audited;
|
||||
__entry->requested = sad->requested;
|
||||
__entry->denied = sad->denied;
|
||||
__entry->audited = sad->audited;
|
||||
__entry->result = sad->result;
|
||||
__assign_str(tcontext, tcontext);
|
||||
__assign_str(scontext, scontext);
|
||||
__assign_str(tclass, tclass);
|
||||
),
|
||||
|
||||
TP_printk("tclass=%u audited=%x",
|
||||
__entry->tclass,
|
||||
__entry->audited)
|
||||
TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s",
|
||||
__entry->requested, __entry->denied, __entry->audited, __entry->result,
|
||||
__get_str(scontext), __get_str(tcontext), __get_str(tclass)
|
||||
)
|
||||
);
|
||||
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -705,35 +705,37 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
|
|||
{
|
||||
struct common_audit_data *ad = a;
|
||||
struct selinux_audit_data *sad = ad->selinux_audit_data;
|
||||
char *scontext;
|
||||
char *scontext = NULL;
|
||||
char *tcontext = NULL;
|
||||
const char *tclass = NULL;
|
||||
u32 scontext_len;
|
||||
u32 tcontext_len;
|
||||
int rc;
|
||||
|
||||
trace_selinux_audited(sad);
|
||||
|
||||
rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
|
||||
&scontext_len);
|
||||
if (rc)
|
||||
audit_log_format(ab, " ssid=%d", sad->ssid);
|
||||
else {
|
||||
else
|
||||
audit_log_format(ab, " scontext=%s", scontext);
|
||||
kfree(scontext);
|
||||
}
|
||||
|
||||
rc = security_sid_to_context(sad->state, sad->tsid, &scontext,
|
||||
&scontext_len);
|
||||
rc = security_sid_to_context(sad->state, sad->tsid, &tcontext,
|
||||
&tcontext_len);
|
||||
if (rc)
|
||||
audit_log_format(ab, " tsid=%d", sad->tsid);
|
||||
else {
|
||||
audit_log_format(ab, " tcontext=%s", scontext);
|
||||
kfree(scontext);
|
||||
}
|
||||
else
|
||||
audit_log_format(ab, " tcontext=%s", tcontext);
|
||||
|
||||
audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name);
|
||||
tclass = secclass_map[sad->tclass-1].name;
|
||||
audit_log_format(ab, " tclass=%s", tclass);
|
||||
|
||||
if (sad->denied)
|
||||
audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
|
||||
|
||||
trace_selinux_audited(sad, scontext, tcontext, tclass);
|
||||
kfree(tcontext);
|
||||
kfree(scontext);
|
||||
|
||||
/* in case of invalid context report also the actual context string */
|
||||
rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
|
||||
&scontext_len);
|
||||
|
|
|
|||
Loading…
Reference in a new issue