Re: [PATCH v2 2/2] selinux: add basic filtering for audit trace events

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 8/13/2020 7:48 AM, Thiébaud Weksteen wrote:
> From: Peter Enderborg <peter.enderborg@xxxxxxxx>
>
> This patch adds further attributes to the event. These attributes are
> helpful to understand the context of the message and can be used
> to filter the events.
>
> There are three common items. Source context, target context and tclass.
> There are also items from the outcome of operation performed.
>
> An event is similar to:
>            <...>-1309  [002] ....  6346.691689: selinux_audited:
>        requested=0x4000000 denied=0x4000000 audited=0x4000000
>        result=-13 ssid=315 tsid=61

It may not be my place to ask, but *please please please* don't
externalize secids. I understand that it's easier to type "42"
than "system_r:cupsd_t:s0-s0:c0.c1023", and that it's easier for
your tools to parse and store the number. Once you start training
people that system_r:cupsd_t:s0-s0:c0.c1023 is secid 42 you'll
never be able to change it. The secid will start showing up in
scripts. Bad  Things  Will  Happen.

>        scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>        tcontext=system_u:object_r:bin_t:s0 tclass=file
>
> With systems where many denials are occurring, it is useful to apply a
> filter. The filtering is a set of logic that is inserted with
> the filter file. Example:
>  echo "tclass==\"file\" && ssid!=42" > events/avc/selinux_audited/filter
>
> This adds that we only get tclass=file but not for ssid 42.
>
> The trace can also have extra properties. Adding the user stack
> can be done with
>    echo 1 > options/userstacktrace
>
> Now the output will be
>          runcon-1365  [003] ....  6960.955530: selinux_audited:
>      requested=0x4000000 denied=0x4000000 audited=0x4000000
>      result=-13 ssid=315 tsid=61
>      scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>      tcontext=system_u:object_r:bin_t:s0 tclass=file
>           runcon-1365  [003] ....  6960.955560: <user stack trace>
>  =>  <00007f325b4ce45b>
>  =>  <00005607093efa57>
>
> Note that the ssid is the internal numeric representation of scontext
> and tsid is numeric for tcontext. They are useful for filtering.
>
> Signed-off-by: Peter Enderborg <peter.enderborg@xxxxxxxx>
> Reviewed-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> ---
> v2 changes:
> - update changelog to include usage examples
>
>  include/trace/events/avc.h | 41 ++++++++++++++++++++++++++++----------
>  security/selinux/avc.c     | 22 +++++++++++---------
>  2 files changed, 44 insertions(+), 19 deletions(-)
>
> diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h
> index 07c058a9bbcd..ac5ef2e1c2c5 100644
> --- a/include/trace/events/avc.h
> +++ b/include/trace/events/avc.h
> @@ -1,6 +1,7 @@
>  /* SPDX-License-Identifier: GPL-2.0 */
>  /*
> - * Author: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> + * Authors:	Thiébaud Weksteen <tweek@xxxxxxxxxx>
> + *		Peter Enderborg <Peter.Enderborg@xxxxxxxx>
>   */
>  #undef TRACE_SYSTEM
>  #define TRACE_SYSTEM avc
> @@ -12,23 +13,43 @@
>  
>  TRACE_EVENT(selinux_audited,
>  
> -	TP_PROTO(struct selinux_audit_data *sad),
> +	TP_PROTO(struct selinux_audit_data *sad,
> +		char *scontext,
> +		char *tcontext,
> +		const char *tclass
> +	),
>  
> -	TP_ARGS(sad),
> +	TP_ARGS(sad, scontext, tcontext, tclass),
>  
>  	TP_STRUCT__entry(
> -		__field(unsigned int, tclass)
> -		__field(unsigned int, audited)
> +		__field(u32, requested)
> +		__field(u32, denied)
> +		__field(u32, audited)
> +		__field(int, result)
> +		__string(scontext, scontext)
> +		__string(tcontext, tcontext)
> +		__string(tclass, tclass)
> +		__field(u32, ssid)
> +		__field(u32, tsid)
>  	),
>  
>  	TP_fast_assign(
> -		__entry->tclass = sad->tclass;
> -		__entry->audited = sad->audited;
> +		__entry->requested	= sad->requested;
> +		__entry->denied		= sad->denied;
> +		__entry->audited	= sad->audited;
> +		__entry->result		= sad->result;
> +		__entry->ssid		= sad->ssid;
> +		__entry->tsid		= sad->tsid;
> +		__assign_str(tcontext, tcontext);
> +		__assign_str(scontext, scontext);
> +		__assign_str(tclass, tclass);
>  	),
>  
> -	TP_printk("tclass=%u audited=%x",
> -		__entry->tclass,
> -		__entry->audited)
> +	TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d ssid=%u tsid=%u scontext=%s tcontext=%s tclass=%s",
> +		__entry->requested, __entry->denied, __entry->audited, __entry->result,
> +		__entry->ssid, __entry->tsid, __get_str(scontext), __get_str(tcontext),
> +		__get_str(tclass)
> +	)
>  );
>  
>  #endif
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index b0a0af778b70..7de5cc5169af 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -705,35 +705,39 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
>  {
>  	struct common_audit_data *ad = a;
>  	struct selinux_audit_data *sad = ad->selinux_audit_data;
> -	char *scontext;
> +	char *scontext = NULL;
> +	char *tcontext = NULL;
> +	const char *tclass = NULL;
>  	u32 scontext_len;
> +	u32 tcontext_len;
>  	int rc;
>  
> -	trace_selinux_audited(sad);
> -
>  	rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
>  				     &scontext_len);
>  	if (rc)
>  		audit_log_format(ab, " ssid=%d", sad->ssid);
>  	else {
>  		audit_log_format(ab, " scontext=%s", scontext);
> -		kfree(scontext);
>  	}
>  
> -	rc = security_sid_to_context(sad->state, sad->tsid, &scontext,
> -				     &scontext_len);
> +	rc = security_sid_to_context(sad->state, sad->tsid, &tcontext,
> +				     &tcontext_len);
>  	if (rc)
>  		audit_log_format(ab, " tsid=%d", sad->tsid);
>  	else {
> -		audit_log_format(ab, " tcontext=%s", scontext);
> -		kfree(scontext);
> +		audit_log_format(ab, " tcontext=%s", tcontext);
>  	}
>  
> -	audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name);
> +	tclass = secclass_map[sad->tclass-1].name;
> +	audit_log_format(ab, " tclass=%s", tclass);
>  
>  	if (sad->denied)
>  		audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
>  
> +	trace_selinux_audited(sad, scontext, tcontext, tclass);
> +	kfree(tcontext);
> +	kfree(scontext);
> +
>  	/* in case of invalid context report also the actual context string */
>  	rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
>  					   &scontext_len);



[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux