From: "Thiébaud Weksteen" <tweek@google.com>
To: Paul Moore <paul@paul-moore.com>
Cc: "Nick Kralevich" <nnk@google.com>,
"Peter Enderborg" <peter.enderborg@sony.com>,
"Thiébaud Weksteen" <tweek@google.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Eric Paris" <eparis@parisplace.org>,
"Steven Rostedt" <rostedt@goodmis.org>,
"Ingo Molnar" <mingo@redhat.com>,
"Mauro Carvalho Chehab" <mchehab+huawei@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
"Rob Herring" <robh@kernel.org>,
linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH v4 2/2] selinux: add basic filtering for audit trace events
Date: Fri, 21 Aug 2020 16:08:22 +0200 [thread overview]
Message-ID: <20200821140836.3707282-3-tweek@google.com> (raw)
In-Reply-To: <20200821140836.3707282-1-tweek@google.com>
From: Peter Enderborg <peter.enderborg@sony.com>
This patch adds further attributes to the event. These attributes are
helpful to understand the context of the message and can be used
to filter the events.
There are three common items. Source context, target context and tclass.
There are also items from the outcome of operation performed.
An event is similar to:
<...>-1309 [002] .... 6346.691689: selinux_audited:
requested=0x4000000 denied=0x4000000 audited=0x4000000
result=-13
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file
With systems where many denials are occurring, it is useful to apply a
filter. The filtering is a set of logic that is inserted with
the filter file. Example:
echo "tclass==\"file\" " > events/avc/selinux_audited/filter
This adds that we only get tclass=file.
The trace can also have extra properties. Adding the user stack
can be done with
echo 1 > options/userstacktrace
Now the output will be
runcon-1365 [003] .... 6960.955530: selinux_audited:
requested=0x4000000 denied=0x4000000 audited=0x4000000
result=-13
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file
runcon-1365 [003] .... 6960.955560: <user stack trace>
=> <00007f325b4ce45b>
=> <00005607093efa57>
Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
Reviewed-by: Thiébaud Weksteen <tweek@google.com>
---
include/trace/events/avc.h | 36 ++++++++++++++++++++++++++----------
security/selinux/avc.c | 28 +++++++++++++++-------------
2 files changed, 41 insertions(+), 23 deletions(-)
diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h
index 07c058a9bbcd..b55fda2e0773 100644
--- a/include/trace/events/avc.h
+++ b/include/trace/events/avc.h
@@ -1,6 +1,7 @@
/* SPDX-License-Identifier: GPL-2.0 */
/*
- * Author: Thiébaud Weksteen <tweek@google.com>
+ * Authors: Thiébaud Weksteen <tweek@google.com>
+ * Peter Enderborg <Peter.Enderborg@sony.com>
*/
#undef TRACE_SYSTEM
#define TRACE_SYSTEM avc
@@ -12,23 +13,38 @@
TRACE_EVENT(selinux_audited,
- TP_PROTO(struct selinux_audit_data *sad),
+ TP_PROTO(struct selinux_audit_data *sad,
+ char *scontext,
+ char *tcontext,
+ const char *tclass
+ ),
- TP_ARGS(sad),
+ TP_ARGS(sad, scontext, tcontext, tclass),
TP_STRUCT__entry(
- __field(unsigned int, tclass)
- __field(unsigned int, audited)
+ __field(u32, requested)
+ __field(u32, denied)
+ __field(u32, audited)
+ __field(int, result)
+ __string(scontext, scontext)
+ __string(tcontext, tcontext)
+ __string(tclass, tclass)
),
TP_fast_assign(
- __entry->tclass = sad->tclass;
- __entry->audited = sad->audited;
+ __entry->requested = sad->requested;
+ __entry->denied = sad->denied;
+ __entry->audited = sad->audited;
+ __entry->result = sad->result;
+ __assign_str(tcontext, tcontext);
+ __assign_str(scontext, scontext);
+ __assign_str(tclass, tclass);
),
- TP_printk("tclass=%u audited=%x",
- __entry->tclass,
- __entry->audited)
+ TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s",
+ __entry->requested, __entry->denied, __entry->audited, __entry->result,
+ __get_str(scontext), __get_str(tcontext), __get_str(tclass)
+ )
);
#endif
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index b0a0af778b70..3c05827608b6 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -705,35 +705,37 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
{
struct common_audit_data *ad = a;
struct selinux_audit_data *sad = ad->selinux_audit_data;
- char *scontext;
+ char *scontext = NULL;
+ char *tcontext = NULL;
+ const char *tclass = NULL;
u32 scontext_len;
+ u32 tcontext_len;
int rc;
- trace_selinux_audited(sad);
-
rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
&scontext_len);
if (rc)
audit_log_format(ab, " ssid=%d", sad->ssid);
- else {
+ else
audit_log_format(ab, " scontext=%s", scontext);
- kfree(scontext);
- }
- rc = security_sid_to_context(sad->state, sad->tsid, &scontext,
- &scontext_len);
+ rc = security_sid_to_context(sad->state, sad->tsid, &tcontext,
+ &tcontext_len);
if (rc)
audit_log_format(ab, " tsid=%d", sad->tsid);
- else {
- audit_log_format(ab, " tcontext=%s", scontext);
- kfree(scontext);
- }
+ else
+ audit_log_format(ab, " tcontext=%s", tcontext);
- audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name);
+ tclass = secclass_map[sad->tclass-1].name;
+ audit_log_format(ab, " tclass=%s", tclass);
if (sad->denied)
audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
+ trace_selinux_audited(sad, scontext, tcontext, tclass);
+ kfree(tcontext);
+ kfree(scontext);
+
/* in case of invalid context report also the actual context string */
rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
&scontext_len);
--
2.28.0.297.g1956fa8f8d-goog
next prev parent reply other threads:[~2020-08-21 14:09 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-21 14:08 [PATCH v4 0/2] selinux: add detailed tracepoint on audited events Thiébaud Weksteen
2020-08-21 14:08 ` [PATCH v4 1/2] selinux: add " Thiébaud Weksteen
2020-08-21 15:33 ` Stephen Smalley
2020-08-21 21:08 ` Paul Moore
2020-08-24 8:01 ` Thiébaud Weksteen
2020-08-21 14:08 ` Thiébaud Weksteen [this message]
2020-08-21 15:35 ` [PATCH v4 2/2] selinux: add basic filtering for audit trace events Stephen Smalley
2020-08-21 21:09 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200821140836.3707282-3-tweek@google.com \
--to=tweek@google.com \
--cc=davem@davemloft.net \
--cc=eparis@parisplace.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=mingo@redhat.com \
--cc=nnk@google.com \
--cc=paul@paul-moore.com \
--cc=peter.enderborg@sony.com \
--cc=robh@kernel.org \
--cc=rostedt@goodmis.org \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox