From: Ondrej Mosnacek <omosnace@redhat.com> To: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com> Cc: Stephen Smalley <sds@tycho.nsa.gov>, linux-audit@redhat.com, Steve Grubb <sgrubb@redhat.com>, Ondrej Mosnacek <omosnace@redhat.com>, Daniel Walsh <dwalsh@redhat.com> Subject: [RFC PATCH] selinux: log invalid contexts in AVCs Date: Fri, 18 Jan 2019 11:04:29 +0100 [thread overview] Message-ID: <20190118100429.11703-1-omosnace@redhat.com> (raw) In case a file has an invalid context set, in an AVC record generated upon access to such file, the target context is always reported as unlabeled. This patch adds new optional fields to the AVC record (slcon and tlcon) that report the actual context string if it differs from the one reported in scontext/tcontext. This is useful for diagnosing SELinux denials. To trigger an AVC that illustrates this situation: # setenforce 0 # touch /tmp/testfile # setfattr -n security.selinux -v system_u:object_r:banana_t:s0 /tmp/testfile # runcon system_u:system_r:sshd_t:s0 cat /tmp/testfile AVC before: type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1 AVC after: type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tlcon=system_u:object_r:banana_t:s0 tclass=file permissive=1 Cc: Daniel Walsh <dwalsh@redhat.com> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1135683 Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- security/selinux/avc.c | 49 +++++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 20 deletions(-) I'm not entirely sure about the record format here, so I'm Cc'ing linux-audit and Steve for feedback. I went for optional fields to minimize the size of the record, but maybe a different format is preferred. If so, let me know and I'll do a respin. Also, I accept suggestions for better field names than "slcon"/"tlcon" ("lcon" is meant as an acronym for "literal context", but I'm not sure if that's a good name...). diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 9b63d8ee1687..4a181ed56e37 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -165,6 +165,32 @@ static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) audit_log_format(ab, " }"); } +static void avc_dump_sid(struct audit_buffer *ab, struct selinux_state *state, + u32 sid, char type) +{ + int rc; + char *context, *lcontext; + u32 context_len, lcontext_len; + + rc = security_sid_to_context(state, sid, &context, &context_len); + if (rc) { + audit_log_format(ab, "%csid=%d ", type, sid); + return; + } + + audit_log_format(ab, "%ccontext=%s ", type, context); + + /* in case of invalid context report also the actual context string */ + rc = security_sid_to_context_force(state, sid, &lcontext, + &lcontext_len); + if (!rc) { + if (strcmp(context, lcontext)) + audit_log_format(ab, "%clcon=%s ", type, lcontext); + kfree(lcontext); + } + kfree(context); +} + /** * avc_dump_query - Display a SID pair and a class in human-readable form. * @ssid: source security identifier @@ -174,28 +200,11 @@ static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) static void avc_dump_query(struct audit_buffer *ab, struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass) { - int rc; - char *scontext; - u32 scontext_len; - - rc = security_sid_to_context(state, ssid, &scontext, &scontext_len); - if (rc) - audit_log_format(ab, "ssid=%d", ssid); - else { - audit_log_format(ab, "scontext=%s", scontext); - kfree(scontext); - } - - rc = security_sid_to_context(state, tsid, &scontext, &scontext_len); - if (rc) - audit_log_format(ab, " tsid=%d", tsid); - else { - audit_log_format(ab, " tcontext=%s", scontext); - kfree(scontext); - } + avc_dump_sid(ab, state, ssid, 's'); + avc_dump_sid(ab, state, tsid, 't'); BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); - audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); + audit_log_format(ab, "tclass=%s", secclass_map[tclass-1].name); } /** -- 2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Ondrej Mosnacek <omosnace@redhat.com> To: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com> Cc: linux-audit@redhat.com, Stephen Smalley <sds@tycho.nsa.gov> Subject: [RFC PATCH] selinux: log invalid contexts in AVCs Date: Fri, 18 Jan 2019 11:04:29 +0100 [thread overview] Message-ID: <20190118100429.11703-1-omosnace@redhat.com> (raw) In case a file has an invalid context set, in an AVC record generated upon access to such file, the target context is always reported as unlabeled. This patch adds new optional fields to the AVC record (slcon and tlcon) that report the actual context string if it differs from the one reported in scontext/tcontext. This is useful for diagnosing SELinux denials. To trigger an AVC that illustrates this situation: # setenforce 0 # touch /tmp/testfile # setfattr -n security.selinux -v system_u:object_r:banana_t:s0 /tmp/testfile # runcon system_u:system_r:sshd_t:s0 cat /tmp/testfile AVC before: type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1 AVC after: type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tlcon=system_u:object_r:banana_t:s0 tclass=file permissive=1 Cc: Daniel Walsh <dwalsh@redhat.com> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1135683 Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- security/selinux/avc.c | 49 +++++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 20 deletions(-) I'm not entirely sure about the record format here, so I'm Cc'ing linux-audit and Steve for feedback. I went for optional fields to minimize the size of the record, but maybe a different format is preferred. If so, let me know and I'll do a respin. Also, I accept suggestions for better field names than "slcon"/"tlcon" ("lcon" is meant as an acronym for "literal context", but I'm not sure if that's a good name...). diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 9b63d8ee1687..4a181ed56e37 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -165,6 +165,32 @@ static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) audit_log_format(ab, " }"); } +static void avc_dump_sid(struct audit_buffer *ab, struct selinux_state *state, + u32 sid, char type) +{ + int rc; + char *context, *lcontext; + u32 context_len, lcontext_len; + + rc = security_sid_to_context(state, sid, &context, &context_len); + if (rc) { + audit_log_format(ab, "%csid=%d ", type, sid); + return; + } + + audit_log_format(ab, "%ccontext=%s ", type, context); + + /* in case of invalid context report also the actual context string */ + rc = security_sid_to_context_force(state, sid, &lcontext, + &lcontext_len); + if (!rc) { + if (strcmp(context, lcontext)) + audit_log_format(ab, "%clcon=%s ", type, lcontext); + kfree(lcontext); + } + kfree(context); +} + /** * avc_dump_query - Display a SID pair and a class in human-readable form. * @ssid: source security identifier @@ -174,28 +200,11 @@ static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) static void avc_dump_query(struct audit_buffer *ab, struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass) { - int rc; - char *scontext; - u32 scontext_len; - - rc = security_sid_to_context(state, ssid, &scontext, &scontext_len); - if (rc) - audit_log_format(ab, "ssid=%d", ssid); - else { - audit_log_format(ab, "scontext=%s", scontext); - kfree(scontext); - } - - rc = security_sid_to_context(state, tsid, &scontext, &scontext_len); - if (rc) - audit_log_format(ab, " tsid=%d", tsid); - else { - audit_log_format(ab, " tcontext=%s", scontext); - kfree(scontext); - } + avc_dump_sid(ab, state, ssid, 's'); + avc_dump_sid(ab, state, tsid, 't'); BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); - audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); + audit_log_format(ab, "tclass=%s", secclass_map[tclass-1].name); } /** -- 2.20.1
next reply other threads:[~2019-01-18 10:06 UTC|newest] Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-01-18 10:04 Ondrej Mosnacek [this message] 2019-01-18 10:04 ` [RFC PATCH] selinux: log invalid contexts in AVCs Ondrej Mosnacek 2019-01-18 13:38 ` Stephen Smalley 2019-01-18 13:38 ` Stephen Smalley 2019-01-19 13:23 ` Richard Guy Briggs 2019-01-19 13:23 ` Richard Guy Briggs 2019-01-21 8:36 ` Ondrej Mosnacek 2019-01-21 8:36 ` Ondrej Mosnacek 2019-01-21 10:26 ` Steve Grubb 2019-01-21 10:26 ` Steve Grubb 2019-01-21 14:30 ` Ondrej Mosnacek 2019-01-21 14:30 ` Ondrej Mosnacek 2019-01-21 14:37 ` Steve Grubb 2019-01-21 14:37 ` Steve Grubb
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190118100429.11703-1-omosnace@redhat.com \ --to=omosnace@redhat.com \ --cc=dwalsh@redhat.com \ --cc=linux-audit@redhat.com \ --cc=paul@paul-moore.com \ --cc=sds@tycho.nsa.gov \ --cc=selinux@vger.kernel.org \ --cc=sgrubb@redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.