
[SYSTEMD,1/7] selinux: add function name to audit data

Message ID 20210805142445.61725-2-cgzones@googlemail.com (mailing list archive)
State Handled Elsewhere
Series Re-add SELinux checks for unit install operations | expand

Commit Message

Christian Göttsche Aug. 5, 2021, 2:24 p.m. UTC
Include the systemd C function name in the audit message to improve the
debuggability of denials.
Similarly, kernel denial messages include the syscall name.
---
 src/core/selinux-access.c | 18 ++++++++++++------
 src/core/selinux-access.h | 10 +++++++---
 2 files changed, 19 insertions(+), 9 deletions(-)

Patch

diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index d077d5dea7..e8e73a5951 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -31,6 +31,7 @@  struct audit_info {
         sd_bus_creds *creds;
         const char *path;
         const char *cmdline;
+        const char *function;
 };
 
 /*
@@ -58,10 +59,11 @@  static int audit_callback(
                 xsprintf(gid_buf, GID_FMT, gid);
 
         snprintf(msgbuf, msgbufsize,
-                 "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
+                 "auid=%s uid=%s gid=%s%s%s%s%s%s%s%s%s%s",
                  login_uid_buf, uid_buf, gid_buf,
                  audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
-                 audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
+                 audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "",
+                 audit->function ? " function=\"" : "", strempty(audit->function), audit->function ? "\"" : "");
 
         return 0;
 }
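Review bot: The new audit field is emitted as `function="..."` on the added snprintf line, while the debug log changed later in this patch (hunk `@@ -274,8 +279,8 @@`) records the same value as `func=%s`, so one piece of information appears under two different keys in the AVC audit record and in the journal; pick a single spelling for both, e.g. `audit->function ? " func=\"" : ""` here or `function=%s` in the log call. The snprintf return value is still unchecked, and appending a fourth optional field makes the formatted line longer, so a long cmdline is now more likely to be silently cut at msgbufsize; since the function triple is last in the format it is the part that gets dropped first, which is worth a comment such as `/* msgbuf may be truncated silently; function= is last so it is lost first */`. audit_callback begins outside the hunk.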
@@ -179,7 +181,8 @@  int mac_selinux_generic_access_check(
                 sd_bus_message *message,
                 const char *path,
                 const char *permission,
-                sd_bus_error *error) {
+                sd_bus_error *error,
+                const char *func) {
 
         _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
         const char *tclass, *scon;
@@ -192,6 +195,7 @@  int mac_selinux_generic_access_check(
         assert(message);
         assert(permission);
         assert(error);
+        assert(func);
 
         r = access_init(error);
         if (r <= 0)
@@ -263,6 +267,7 @@  int mac_selinux_generic_access_check(
                 .creds = creds,
                 .path = path,
                 .cmdline = cl,
+                .function = func,
         };
 
         r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
@@ -274,8 +279,8 @@  int mac_selinux_generic_access_check(
         }
 
         log_full_errno_zerook(LOG_DEBUG, r,
-                              "SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s path=%s cmdline=%s: %m",
-                              scon, fcon, tclass, permission, enforce ? "enforcing" : "permissive", path, cl);
+                              "SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s func=%s path=%s cmdline=%s: %m",
+                              scon, fcon, tclass, permission, enforce ? "enforcing" : "permissive", func, path, cl);
         return enforce ? r : 0;
 }
 
@@ -285,7 +290,8 @@  int mac_selinux_generic_access_check(
                 sd_bus_message *message,
                 const char *path,
                 const char *permission,
-                sd_bus_error *error) {
+                sd_bus_error *error,
+                const char *func) {
 
         return 0;
 }
diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
index c6bfb32544..8931e998d0 100644
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -5,10 +5,14 @@ 
 
 #include "manager.h"
 
-int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
+int mac_selinux_generic_access_check(sd_bus_message *message,
+                                     const char *path,
+                                     const char *permission,
+                                     sd_bus_error *error,
+                                     const char *func);
 
 #define mac_selinux_access_check(message, permission, error) \
-        mac_selinux_generic_access_check((message), NULL, (permission), (error))
+        mac_selinux_generic_access_check((message), NULL, (permission), (error), __func__)
 
 #define mac_selinux_unit_access_check(unit, message, permission, error) \
-        mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), (error))
+        mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), (error), __func__)
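Review bot: The new `func` parameter is undocumented at the prototype even though mac_selinux_generic_access_check asserts it non-NULL (hunk `@@ -192,6 +195,7 @@` in selinux-access.c), so the contract belongs next to the declaration, e.g. `/* func: name of the calling function, recorded as function="..." in the audit record and in the debug log; must not be NULL (the *_access_check macros pass __func__). */`. Because the macros expand `__func__` at the invocation site, the recorded name is that of the bus method handler containing the macro call, which matches the commit's intent. Any caller that invokes mac_selinux_generic_access_check directly rather than through these two macros would need the extra argument as well; the diffstat touches only these two files, so presumably there are none, but that is worth confirming.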