selinux: add basic filtering for audit trace events (30969bc8) · Commits · 戴 / test

include/trace/events/avc.h

+26 −10

Original line number	Diff line number	Diff line
		/* SPDX-License-Identifier: GPL-2.0 */
		/*
		* Author: Thiébaud Weksteen <tweek@google.com>
		* Authors: Thiébaud Weksteen <tweek@google.com>
		* Peter Enderborg <Peter.Enderborg@sony.com>
		*/
		#undef TRACE_SYSTEM
		#define TRACE_SYSTEM avc
		@@ -12,23 +13,38 @@

		TRACE_EVENT(selinux_audited,

		TP_PROTO(struct selinux_audit_data *sad),
		TP_PROTO(struct selinux_audit_data *sad,
		char *scontext,
		char *tcontext,
		const char *tclass
		),

		TP_ARGS(sad),
		TP_ARGS(sad, scontext, tcontext, tclass),

		TP_STRUCT__entry(
		__field(unsigned int, tclass)
		__field(unsigned int, audited)
		__field(u32, requested)
		__field(u32, denied)
		__field(u32, audited)
		__field(int, result)
		__string(scontext, scontext)
		__string(tcontext, tcontext)
		__string(tclass, tclass)
		),

		TP_fast_assign(
		__entry->tclass = sad->tclass;
		__entry->requested = sad->requested;
		__entry->denied = sad->denied;
		__entry->audited = sad->audited;
		__entry->result = sad->result;
		__assign_str(tcontext, tcontext);
		__assign_str(scontext, scontext);
		__assign_str(tclass, tclass);
		),

		TP_printk("tclass=%u audited=%x",
		__entry->tclass,
		__entry->audited)
		TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s",
		__entry->requested, __entry->denied, __entry->audited, __entry->result,
		__get_str(scontext), __get_str(tcontext), __get_str(tclass)
		)
		);

		#endif

+15 −13

Original line number	Diff line number	Diff line
		@@ -705,35 +705,37 @@ static void avc_audit_post_callback(struct audit_buffer ab, void a)
		{
		struct common_audit_data *ad = a;
		struct selinux_audit_data *sad = ad->selinux_audit_data;
		char *scontext;
		char *scontext = NULL;
		char *tcontext = NULL;
		const char *tclass = NULL;
		u32 scontext_len;
		u32 tcontext_len;
		int rc;

		trace_selinux_audited(sad);

		rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
		&scontext_len);
		if (rc)
		audit_log_format(ab, " ssid=%d", sad->ssid);
		else {
		else
		audit_log_format(ab, " scontext=%s", scontext);
		kfree(scontext);
		}

		rc = security_sid_to_context(sad->state, sad->tsid, &scontext,
		&scontext_len);
		rc = security_sid_to_context(sad->state, sad->tsid, &tcontext,
		&tcontext_len);
		if (rc)
		audit_log_format(ab, " tsid=%d", sad->tsid);
		else {
		audit_log_format(ab, " tcontext=%s", scontext);
		kfree(scontext);
		}
		else
		audit_log_format(ab, " tcontext=%s", tcontext);

		audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name);
		tclass = secclass_map[sad->tclass-1].name;
		audit_log_format(ab, " tclass=%s", tclass);

		if (sad->denied)
		audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);

		trace_selinux_audited(sad, scontext, tcontext, tclass);
		kfree(tcontext);
		kfree(scontext);

		/* in case of invalid context report also the actual context string */
		rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
		&scontext_len);