From: "Thiébaud Weksteen" <tweek@google.com>
To: Paul Moore <paul@paul-moore.com>
Cc: "Nick Kralevich" <nnk@google.com>,
"Peter Enderborg" <peter.enderborg@sony.com>,
"Steven Rostedt" <rostedt@goodmis.org>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Thiébaud Weksteen" <tweek@google.com>,
"Eric Paris" <eparis@parisplace.org>,
"Ingo Molnar" <mingo@redhat.com>,
"Mauro Carvalho Chehab" <mchehab+huawei@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
"Rob Herring" <robh@kernel.org>,
linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH v3 3/3] selinux: add permission names to trace event
Date: Mon, 17 Aug 2020 19:07:14 +0200
Message-ID: <20200817170729.2605279-4-tweek@google.com>
In-Reply-To: <20200817170729.2605279-1-tweek@google.com>
From: Peter Enderborg <peter.enderborg@sony.com>
In the printout with permissions added, it will look like:
<...>-1042 [007] .... 201.965142: selinux_audited:
requested=0x4000000 denied=0x4000000 audited=0x4000000
result=-13
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0
tclass=file permissions={ !entrypoint }
This patch is adding the "permissions={ !entrypoint }".
The permissions preceded by "!" have been denied, and the permissions
without it have been accepted.
Note that permission filtering is done on the audited, denied or
requested attributes.
Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Reviewed-by: Thiébaud Weksteen <tweek@google.com>
Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
---
include/trace/events/avc.h | 11 +++++++++--
security/selinux/avc.c | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h
index b55fda2e0773..94bca8bef8d2 100644
--- a/include/trace/events/avc.h
+++ b/include/trace/events/avc.h
@@ -10,6 +10,10 @@
#define _TRACE_SELINUX_H
#include <linux/tracepoint.h>
+#include <linux/trace_seq.h>
+
+extern const char *avc_trace_perm_to_name(struct trace_seq *p, u16 class, u32 audited, u32 denied);
+#define __perm_to_name(class, audited, denied) avc_trace_perm_to_name(p, class, audited, denied)
TRACE_EVENT(selinux_audited,
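Review bot: `__perm_to_name` silently depends on a variable named `p` being in scope where it is expanded: that is the `struct trace_seq *` the TRACE_EVENT machinery declares in the generated output function (the same one the built-in `__print_flags`/`__print_symbolic` helpers use), and nothing in the header says so. A one-line comment above the `#define` would save the next reader a trip into include/trace/trace_events.h. Two smaller points: the `extern` prototype runs well past 80 columns, so wrap it; and its parameter names (`class, audited, denied`) differ from the definition in avc.c (`tclass, av, avdenied`), which obscures the header's intent that only the audited bits get named.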
@@ -29,6 +33,7 @@ TRACE_EVENT(selinux_audited,
__string(scontext, scontext)
__string(tcontext, tcontext)
__string(tclass, tclass)
+ __field(u16, utclass)
),
TP_fast_assign(
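Review bot: with `__field(u16, utclass)` next to `__string(tclass, tclass)` every event now carries the class twice, once as a string and once as the raw index. That is justified, since TP_printk cannot map the string back to a `secclass_map` index at print time, but the name `utclass` gives no hint of it; `tclass_id` or a short comment on the field would make the reason for the duplication clear.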
@@ -36,14 +41,16 @@ TRACE_EVENT(selinux_audited,
__entry->denied = sad->denied;
__entry->audited = sad->audited;
__entry->result = sad->result;
+ __entry->utclass = sad->tclass;
__assign_str(tcontext, tcontext);
__assign_str(scontext, scontext);
__assign_str(tclass, tclass);
),
- TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s",
+ TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s permissions={%s }",
__entry->requested, __entry->denied, __entry->audited, __entry->result,
- __get_str(scontext), __get_str(tcontext), __get_str(tclass)
+ __get_str(scontext), __get_str(tcontext), __get_str(tclass),
+ __perm_to_name(__entry->utclass, __entry->audited, __entry->denied)
)
);
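Review bot: calling a non-standard helper from TP_printk breaks user-space decoding of this event. perf and trace-cmd read the `print fmt` string from the event's format file and only understand the built-in helpers (`__print_flags`, `__print_symbolic`, ...); `avc_trace_perm_to_name(...)` in that string is unparseable to them, so they either fall back to dumping raw fields or fail on exactly the event this patch touches. Since `tclass` is already recorded as a string, one option is to leave name resolution to user space; another is a class-indexed table exposed through one of the standard helpers. Also, the helper returns NULL on its WARN_ON path, which the kernel's `%s` renders as `(null)`, so the line would read `permissions={(null) }`; returning `""` there would be cleaner.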
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 7de5cc5169af..d585b68c2a50 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -695,6 +695,7 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
audit_log_format(ab, " } for ");
}
+
/**
* avc_audit_post_callback - SELinux specific information
* will be called by generic audit code
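Review bot: this hunk only inserts a blank line after the closing brace of `avc_audit_pre_callback()` and has nothing to do with the feature; drop it so the diffstat and `git blame` stay tied to the change.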
@@ -991,6 +992,41 @@ int avc_ss_reset(struct selinux_avc *avc, u32 seqno)
return rc;
}
+/**
+ * avc_trace_perm_to_name - SELinux help function for trace
+ * @p pointer to output storage
+ * @tclass tclass for the event
+ * @av access vector
+ * @avdenied denied permissions in av format
+ */
+const char *avc_trace_perm_to_name(struct trace_seq *p, u16 tclass, u32 av, u32 avdenied)
+{
+ const char *ret = trace_seq_buffer_ptr(p);
+ int i, perm;
+ const char **perms;
+
+ if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)))
+ return NULL;
+
+ perms = secclass_map[tclass-1].perms;
+
+ i = 0;
+ perm = 1;
+ while (i < (sizeof(av) * 8)) {
+ if ((perm & av) && perms[i]) {
+ if (!(perm & avdenied))
+ trace_seq_printf(p, " %s", perms[i]);
+ else
+ trace_seq_printf(p, " !%s", perms[i]);
+ av &= ~perm;
+ }
+ i++;
+ perm <<= 1;
+ }
+
+ return ret;
+}
+
/*
* Slow-path helper function for avc_has_perm_noaudit,
* when the avc_node lookup fails. We get called with
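Review bot: `av &= ~perm;` inside the loop is a dead store: the cleared vector is never read after the loop, so permission bits that have no name in `secclass_map[tclass-1].perms` vanish from the output without a trace. `avc_audit_pre_callback()` in this same file keeps that remainder and emits it as ` 0x%x` after the named permissions; mirror that here so a mismatch between policy and the kernel's classmap is visible in the trace instead of hidden. Three smaller points: the kernel-doc block needs colons after the parameter names (`@p: pointer to output storage`, `@tclass: ...`) for scripts/kernel-doc to parse it, and "help function" should read "helper"; the existing trace helpers in kernel/trace/trace_output.c (for example `trace_print_flags_seq()`) finish with `trace_seq_putc(p, 0)` to terminate the string whose start pointer they return, and this function should do the same; and the function prototype exceeds 80 columns.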
--
2.28.0.220.ged08abb693-goog
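The decoding the new helper performs (one name per set bit, "!" on the bits that were denied) is easy to get wrong when reading raw `selinux_audited` lines by hand, and it is also the part user-space tools cannot reproduce from the format file. The following is an added user-space example, not code from the patch or from the kernel: it parses a trace line into its numeric fields and renders the permission set the same way, but additionally reports unnamed bits as hex the way the kernel's audit path does. The permission table is a constructed, abbreviated stand-in for the kernel's classmap.h; the only position taken from the page is `entrypoint` at bit 26 (0x4000000), and the sample line is the one from the patch description reflowed onto a single line.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed, abbreviated permission table for the SELinux "file" class.
 * NOT the kernel's classmap.h: a few low bits are named and bit 26
 * ("entrypoint", 0x4000000) matches the trace line quoted in the patch
 * description. Unnamed bits are left NULL on purpose to exercise the
 * fallback path below.
 */
#define FILE_NPERMS 27
static const char *const file_perms[FILE_NPERMS] = {
	[0] = "ioctl", [1] = "read", [2] = "write", [3] = "create",
	[4] = "getattr", [5] = "setattr", [6] = "lock", [7] = "relabelfrom",
	[8] = "relabelto", [9] = "append",
	[26] = "entrypoint",
};

/*
 * Render an access vector like the patch's helper: one token per set bit,
 * prefixed with "!" when the bit is also set in `denied`. Bits with no name
 * in the table are collected and appended as " 0x<hex>", which is what
 * avc_audit_pre_callback() does for audit records. Returns the length of
 * the rendered string, or -1 if `buf` is too small.
 */
int av_to_names(const char *const *perms, size_t nperms,
		uint32_t av, uint32_t denied, char *buf, size_t buflen)
{
	size_t used = 0;
	uint32_t unnamed = av;
	int n;

	if (buflen == 0)
		return -1;
	buf[0] = '\0';

	for (unsigned int bit = 0; bit < 32; bit++) {
		uint32_t mask = UINT32_C(1) << bit;

		if (!(av & mask) || bit >= nperms || !perms[bit])
			continue;
		n = snprintf(buf + used, buflen - used, " %s%s",
			     (denied & mask) ? "!" : "", perms[bit]);
		if (n < 0 || (size_t)n >= buflen - used)
			return -1;
		used += (size_t)n;
		unnamed &= ~mask;
	}
	if (unnamed) {
		n = snprintf(buf + used, buflen - used, " 0x%" PRIx32, unnamed);
		if (n < 0 || (size_t)n >= buflen - used)
			return -1;
		used += (size_t)n;
	}
	return (int)used;
}

/* The fields of a selinux_audited line that matter for decoding. */
struct selinux_audited {
	uint32_t requested, denied, audited;
	int result;
	char tclass[32];
};

/* Find "key" in line and scan the hex value that follows it. */
static int scan_u32(const char *line, const char *key, uint32_t *out)
{
	const char *p = strstr(line, key);

	return p && sscanf(p + strlen(key), "%" SCNx32, out) == 1;
}

/*
 * Extract the key=value pairs written by the event's TP_printk. The
 * scontext/tcontext strings are not needed for decoding and are skipped.
 * Returns 0 on success, -1 on a malformed line.
 */
int parse_selinux_audited(const char *line, struct selinux_audited *ev)
{
	const char *p;

	memset(ev, 0, sizeof(*ev));
	if (!scan_u32(line, "requested=", &ev->requested) ||
	    !scan_u32(line, "denied=", &ev->denied) ||
	    !scan_u32(line, "audited=", &ev->audited))
		return -1;
	if (!(p = strstr(line, "result=")) || sscanf(p, "result=%d", &ev->result) != 1)
		return -1;
	if (!(p = strstr(line, "tclass=")) || sscanf(p, "tclass=%31s", ev->tclass) != 1)
		return -1;
	return 0;
}

/*
 * Decode one trace line into the "permissions={ ... }" body. As in the
 * patch, the audited vector is the one that gets named and the denied
 * vector selects the "!" marks. Only the "file" class is known here.
 */
int decode_trace_line(const char *line, char *buf, size_t buflen)
{
	struct selinux_audited ev;

	if (parse_selinux_audited(line, &ev) != 0 || strcmp(ev.tclass, "file") != 0)
		return -1;
	return av_to_names(file_perms, FILE_NPERMS, ev.audited, ev.denied, buf, buflen);
}

/* Constructed sample: the trace line from the patch description, on one line. */
static const char sample_line[] =
	"<...>-1042 [007] .... 201.965142: selinux_audited: "
	"requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 "
	"scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 "
	"tcontext=system_u:object_r:bin_t:s0 tclass=file";

int main(void)
{
	char buf[256];

	if (decode_trace_line(sample_line, buf, sizeof(buf)) < 0) {
		fprintf(stderr, "could not decode sample line\n");
		return 1;
	}
	printf("permissions={%s }\n", buf);	/* permissions={ !entrypoint } */
	return 0;
}
```

Build with `cc -std=c99 -Wall` and feed it lines from `/sys/kernel/tracing/trace`; for real use, replace the constructed table with one generated from the running kernel's classmap (or from `/sys/fs/selinux/class/*/perms/`), since bit positions shift between kernel versions and a stale table silently mislabels permissions, which is exactly the failure the trailing hex fallback makes visible.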
Thread overview: 36+ messages
2020-08-17 17:07 [PATCH v3 0/3] selinux: add detailed tracepoint on audited events Thiébaud Weksteen
2020-08-17 17:07 ` [PATCH v3 1/3] selinux: add " Thiébaud Weksteen
2020-08-18 14:31 ` Stephen Smalley
2020-08-17 17:07 ` [PATCH v3 2/3] selinux: add basic filtering for audit trace events Thiébaud Weksteen
2020-08-18 14:36 ` Stephen Smalley
2020-08-17 17:07 ` Thiébaud Weksteen [this message]
2020-08-17 20:13 ` [PATCH v3 3/3] selinux: add permission names to trace event Stephen Smalley
2020-08-17 20:29 ` Steven Rostedt
2020-08-18 16:09 ` Steven Rostedt
2020-08-19 13:11 ` Stephen Smalley
2020-08-21 2:31 ` Steven Rostedt
2020-08-21 12:29 ` Stephen Smalley
2020-08-21 13:19 ` Paul Moore
2020-08-21 13:39 ` peter enderborg
[not found] ` <CA+zpnLfNjDwxgoG2p3W8YfXxYVQDum4Eh_MJQvKP4rGLqsqACA@mail.gmail.com>
2020-08-21 13:46 ` Paul Moore
2020-08-17 20:16 ` Stephen Smalley
2020-08-18 8:11 ` peter enderborg
2020-08-18 12:13 ` Stephen Smalley
2020-08-21 2:22 ` Paul Moore
2020-08-21 5:53 ` peter enderborg
2020-08-21 12:14 ` Stephen Smalley
2020-08-21 13:10 ` Paul Moore
[not found] ` <20200824132252.31261-1-peter.enderborg@sony.com>
2020-08-24 13:22 ` [RFC PATCH] selinux: Add denied trace with permssion filter Peter Enderborg
2020-08-26 13:42 ` Paul Moore
2020-08-26 14:34 ` peter enderborg
2020-08-26 14:45 ` Paul Moore
2020-08-26 15:06 ` peter enderborg
2020-08-27 13:30 ` Paul Moore
2020-08-27 14:04 ` peter enderborg
2020-08-31 14:16 ` Paul Moore
2020-08-31 14:19 ` Robert Judy
2020-08-31 14:24 ` Paul Moore
2020-08-31 15:34 ` peter enderborg
2020-09-01 15:31 ` Paul Moore
2020-09-01 17:18 ` peter enderborg
2020-09-18 1:47 ` Steven Rostedt