Message ID | 20200821140836.3707282-3-tweek@google.com (mailing list archive) |
---|---|
State | Accepted |
Headers | show |
Series | selinux: add detailed tracepoint on audited events | expand |
On Fri, Aug 21, 2020 at 10:09 AM Thiébaud Weksteen <tweek@google.com> wrote: > > From: Peter Enderborg <peter.enderborg@sony.com> > > This patch adds further attributes to the event. These attributes are > helpful to understand the context of the message and can be used > to filter the events. > > There are three common items. Source context, target context and tclass. > There are also items from the outcome of operation performed. > > An event is similar to: > <...>-1309 [002] .... 6346.691689: selinux_audited: > requested=0x4000000 denied=0x4000000 audited=0x4000000 > result=-13 > scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:bin_t:s0 tclass=file > > With systems where many denials are occurring, it is useful to apply a > filter. The filtering is a set of logic that is inserted with > the filter file. Example: > echo "tclass==\"file\" " > events/avc/selinux_audited/filter > > This adds that we only get tclass=file. > > The trace can also have extra properties. Adding the user stack > can be done with > echo 1 > options/userstacktrace > > Now the output will be > runcon-1365 [003] .... 6960.955530: selinux_audited: > requested=0x4000000 denied=0x4000000 audited=0x4000000 > result=-13 > scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:bin_t:s0 tclass=file > runcon-1365 [003] .... 6960.955560: <user stack trace> > => <00007f325b4ce45b> > => <00005607093efa57> > > Signed-off-by: Peter Enderborg <peter.enderborg@sony.com> > Reviewed-by: Thiébaud Weksteen <tweek@google.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
On Fri, Aug 21, 2020 at 10:09 AM Thiébaud Weksteen <tweek@google.com> wrote: > > From: Peter Enderborg <peter.enderborg@sony.com> > > This patch adds further attributes to the event. These attributes are > helpful to understand the context of the message and can be used > to filter the events. > > There are three common items. Source context, target context and tclass. > There are also items from the outcome of operation performed. > > An event is similar to: > <...>-1309 [002] .... 6346.691689: selinux_audited: > requested=0x4000000 denied=0x4000000 audited=0x4000000 > result=-13 > scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:bin_t:s0 tclass=file > > With systems where many denials are occurring, it is useful to apply a > filter. The filtering is a set of logic that is inserted with > the filter file. Example: > echo "tclass==\"file\" " > events/avc/selinux_audited/filter > > This adds that we only get tclass=file. > > The trace can also have extra properties. Adding the user stack > can be done with > echo 1 > options/userstacktrace > > Now the output will be > runcon-1365 [003] .... 6960.955530: selinux_audited: > requested=0x4000000 denied=0x4000000 audited=0x4000000 > result=-13 > scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:bin_t:s0 tclass=file > runcon-1365 [003] .... 6960.955560: <user stack trace> > => <00007f325b4ce45b> > => <00005607093efa57> > > Signed-off-by: Peter Enderborg <peter.enderborg@sony.com> > Reviewed-by: Thiébaud Weksteen <tweek@google.com> > --- > include/trace/events/avc.h | 36 ++++++++++++++++++++++++++---------- > security/selinux/avc.c | 28 +++++++++++++++------------- > 2 files changed, 41 insertions(+), 23 deletions(-) ... also merged into selinux/next, thanks everyone!
diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h index 07c058a9bbcd..b55fda2e0773 100644 --- a/include/trace/events/avc.h +++ b/include/trace/events/avc.h @@ -1,6 +1,7 @@ /* SPDX-License-Identifier: GPL-2.0 */ /* - * Author: Thiébaud Weksteen <tweek@google.com> + * Authors: Thiébaud Weksteen <tweek@google.com> + * Peter Enderborg <Peter.Enderborg@sony.com> */ #undef TRACE_SYSTEM #define TRACE_SYSTEM avc @@ -12,23 +13,38 @@ TRACE_EVENT(selinux_audited, - TP_PROTO(struct selinux_audit_data *sad), + TP_PROTO(struct selinux_audit_data *sad, + char *scontext, + char *tcontext, + const char *tclass + ), - TP_ARGS(sad), + TP_ARGS(sad, scontext, tcontext, tclass), TP_STRUCT__entry( - __field(unsigned int, tclass) - __field(unsigned int, audited) + __field(u32, requested) + __field(u32, denied) + __field(u32, audited) + __field(int, result) + __string(scontext, scontext) + __string(tcontext, tcontext) + __string(tclass, tclass) ), TP_fast_assign( - __entry->tclass = sad->tclass; - __entry->audited = sad->audited; + __entry->requested = sad->requested; + __entry->denied = sad->denied; + __entry->audited = sad->audited; + __entry->result = sad->result; + __assign_str(tcontext, tcontext); + __assign_str(scontext, scontext); + __assign_str(tclass, tclass); ), - TP_printk("tclass=%u audited=%x", - __entry->tclass, - __entry->audited) + TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s", + __entry->requested, __entry->denied, __entry->audited, __entry->result, + __get_str(scontext), __get_str(tcontext), __get_str(tclass) + ) ); #endif diff --git a/security/selinux/avc.c b/security/selinux/avc.c index b0a0af778b70..3c05827608b6 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -705,35 +705,37 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) { struct common_audit_data *ad = a; struct selinux_audit_data *sad = ad->selinux_audit_data; - char *scontext; + char *scontext = NULL; + char *tcontext = NULL; + const char *tclass = NULL; u32 scontext_len; + u32 tcontext_len; int rc; - trace_selinux_audited(sad); - rc = security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len); if (rc) audit_log_format(ab, " ssid=%d", sad->ssid); - else { + else audit_log_format(ab, " scontext=%s", scontext); - kfree(scontext); - } - rc = security_sid_to_context(sad->state, sad->tsid, &scontext, - &scontext_len); + rc = security_sid_to_context(sad->state, sad->tsid, &tcontext, + &tcontext_len); if (rc) audit_log_format(ab, " tsid=%d", sad->tsid); - else { - audit_log_format(ab, " tcontext=%s", scontext); - kfree(scontext); - } + else + audit_log_format(ab, " tcontext=%s", tcontext); - audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name); + tclass = secclass_map[sad->tclass-1].name; + audit_log_format(ab, " tclass=%s", tclass); if (sad->denied) audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1); + trace_selinux_audited(sad, scontext, tcontext, tclass); + kfree(tcontext); + kfree(scontext); + /* in case of invalid context report also the actual context string */ rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext, &scontext_len);