Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

selinux: add basic filtering for audit trace events

This patch adds further attributes to the event. These attributes are
helpful to understand the context of the message and can be used
to filter the events.

There are three common items. Source context, target context and tclass.
There are also items from the outcome of operation performed.

An event is similar to:
<...>-1309 [002] .... 6346.691689: selinux_audited:
requested=0x4000000 denied=0x4000000 audited=0x4000000
result=-13
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file

With systems where many denials are occurring, it is useful to apply a
filter. The filtering is a set of logic that is inserted with
the filter file. Example:
echo "tclass==\"file\" " > events/avc/selinux_audited/filter

This adds that we only get tclass=file.

The trace can also have extra properties. Adding the user stack
can be done with
echo 1 > options/userstacktrace

Now the output will be
runcon-1365 [003] .... 6960.955530: selinux_audited:
requested=0x4000000 denied=0x4000000 audited=0x4000000
result=-13
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=file
runcon-1365 [003] .... 6960.955560: <user stack trace>
=> <00007f325b4ce45b>
=> <00005607093efa57>

Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
Reviewed-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Authored by Peter Enderborg, committed by Paul Moore
30969bc8 dd816621
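The trace lines quoted in the commit message can also be parsed in user space, which is handy for summarising denials after the fact rather than only filtering them kernel-side through the tracefs filter file. This is an added example, not code from the commit or the kernel tree; the sample trace text is constructed from the line format shown in the message, and the field decoding follows the TP_printk format in the patch (one event per line, as tracefs prints it).

```python
import re
from collections import Counter
# Constructed sample of /sys/kernel/tracing/trace output, modelled on the
# selinux_audited lines in the commit message (one event per line).
SAMPLE_TRACE = """\
<...>-1309 [002] .... 6346.691689: selinux_audited: requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
runcon-1365 [003] .... 6960.955530: selinux_audited: requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
runcon-1365 [003] .... 6960.955560: <user stack trace>
 => <00007f325b4ce45b>
runcon-1370 [001] .... 6961.100200: selinux_audited: requested=0x2 denied=0x0 audited=0x2 result=0 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
"""

EVENT_RE = re.compile(r"^(?P<comm>\S+)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+\S+\s+"
                      r"(?P<ts>\d+\.\d+):\s+selinux_audited:\s+(?P<fields>.+)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
HEX_FIELDS = ("requested", "denied", "audited")  # permission bitmasks

def parse_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range may be absent."""
    return dict(zip(("user", "role", "type", "range"), ctx.split(":", 3)))

def parse_trace(text):
    """One dict per selinux_audited event; stack-trace lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # '<user stack trace>' header or '=> <addr>' frame
        ev = {"comm": m["comm"], "pid": int(m["pid"]), "cpu": int(m["cpu"]),
              "ts": float(m["ts"])}
        for key, val in FIELD_RE.findall(m["fields"]):
            if key in HEX_FIELDS:
                ev[key] = int(val, 16)
            elif key == "result":
                ev[key] = int(val)            # errno, e.g. -13 == -EACCES
            elif key in ("scontext", "tcontext"):
                ev[key] = parse_context(val)
            else:
                ev[key] = val                 # tclass stays a string
        events.append(ev)
    return events

def denial_summary(events, tclass=None):
    """Count denials per (source type, target type, tclass); the tclass
    argument is the user-space counterpart of the kernel filter tclass=="file"."""
    counts = Counter()
    for ev in events:
        if not ev.get("denied") or (tclass and ev.get("tclass") != tclass):
            continue
        counts[(ev["scontext"]["type"], ev["tcontext"]["type"], ev["tclass"])] += 1
    return counts
```

Events with denied=0x0 are ignored by the summary even though they were audited, which mirrors the distinction between the denied and audited fields in the event.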

+41 -23
+26 -10
include/trace/events/avc.h
··· 1 1 /* SPDX-License-Identifier: GPL-2.0 */ 2 2 /* 3 - * Author: Thiébaud Weksteen <tweek@google.com> 3 + * Authors: Thiébaud Weksteen <tweek@google.com> 4 + * Peter Enderborg <Peter.Enderborg@sony.com> 4 5 */ 5 6 #undef TRACE_SYSTEM 6 7 #define TRACE_SYSTEM avc ··· 13 12 14 13 TRACE_EVENT(selinux_audited, 15 14 16 - TP_PROTO(struct selinux_audit_data *sad), 15 + TP_PROTO(struct selinux_audit_data *sad, 16 + char *scontext, 17 + char *tcontext, 18 + const char *tclass 19 + ), 17 20 18 - TP_ARGS(sad), 21 + TP_ARGS(sad, scontext, tcontext, tclass), 19 22 20 23 TP_STRUCT__entry( 21 - __field(unsigned int, tclass) 22 - __field(unsigned int, audited) 24 + __field(u32, requested) 25 + __field(u32, denied) 26 + __field(u32, audited) 27 + __field(int, result) 28 + __string(scontext, scontext) 29 + __string(tcontext, tcontext) 30 + __string(tclass, tclass) 23 31 ), 24 32 25 33 TP_fast_assign( 26 - __entry->tclass = sad->tclass; 27 - __entry->audited = sad->audited; 34 + __entry->requested = sad->requested; 35 + __entry->denied = sad->denied; 36 + __entry->audited = sad->audited; 37 + __entry->result = sad->result; 38 + __assign_str(tcontext, tcontext); 39 + __assign_str(scontext, scontext); 40 + __assign_str(tclass, tclass); 28 41 ), 29 42 30 - TP_printk("tclass=%u audited=%x", 31 - __entry->tclass, 32 - __entry->audited) 43 + TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s", 44 + __entry->requested, __entry->denied, __entry->audited, __entry->result, 45 + __get_str(scontext), __get_str(tcontext), __get_str(tclass) 46 + ) 33 47 ); 34 48 35 49 #endif
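Review bot: in the new TP_PROTO, scontext and tcontext are declared `char *` while tclass is `const char *`; the tracepoint only copies them through __assign_str(), so declaring all three `const char *` would document that the callee does not modify them and match the secclass_map name the caller passes for tclass. The `),` closing TP_PROTO on its own line is also unusual for TRACE_EVENT definitions; placing it after `const char *tclass` follows the surrounding style.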
+15 -13
security/selinux/avc.c
··· 705 705 { 706 706 struct common_audit_data *ad = a; 707 707 struct selinux_audit_data *sad = ad->selinux_audit_data; 708 - char *scontext; 708 + char *scontext = NULL; 709 + char *tcontext = NULL; 710 + const char *tclass = NULL; 709 711 u32 scontext_len; 712 + u32 tcontext_len; 710 713 int rc; 711 - 712 - trace_selinux_audited(sad); 713 714 714 715 rc = security_sid_to_context(sad->state, sad->ssid, &scontext, 715 716 &scontext_len); 716 717 if (rc) 717 718 audit_log_format(ab, " ssid=%d", sad->ssid); 718 - else { 719 + else 719 720 audit_log_format(ab, " scontext=%s", scontext); 720 - kfree(scontext); 721 - } 722 721 723 - rc = security_sid_to_context(sad->state, sad->tsid, &scontext, 724 - &scontext_len); 722 + rc = security_sid_to_context(sad->state, sad->tsid, &tcontext, 723 + &tcontext_len); 725 724 if (rc) 726 725 audit_log_format(ab, " tsid=%d", sad->tsid); 727 - else { 728 - audit_log_format(ab, " tcontext=%s", scontext); 729 - kfree(scontext); 730 - } 726 + else 727 + audit_log_format(ab, " tcontext=%s", tcontext); 731 728 732 - audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name); 729 + tclass = secclass_map[sad->tclass-1].name; 730 + audit_log_format(ab, " tclass=%s", tclass); 733 731 734 732 if (sad->denied) 735 733 audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1); 734 + 735 + trace_selinux_audited(sad, scontext, tcontext, tclass); 736 + kfree(tcontext); 737 + kfree(scontext); 736 738 737 739 /* in case of invalid context report also the actual context string */ 738 740 rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
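Review bot: scontext and tcontext may still be NULL when trace_selinux_audited() runs, because the error branches of security_sid_to_context() only log ssid/tsid and leave the NULL initialisers untouched; the tracepoint therefore relies on __string()/__assign_str() accepting a NULL source (current kernels store "(null)"), which deserves a one-line comment above the trace call. Moving the trace call below the permissive= line makes kfree(tcontext)/kfree(scontext) unconditional, which is fine since kfree(NULL) is a no-op, and the following security_sid_to_context_inval() reassigns scontext before it is used again.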