selinux: log invalid contexts in AVCs (fede1483) · Commits · 戴 / test

security/selinux/avc.c

+15 −0

Original line number	Diff line number	Diff line
		@@ -734,6 +734,21 @@ static void avc_audit_post_callback(struct audit_buffer ab, void a)

		if (sad->denied)
		audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);

		/* in case of invalid context report also the actual context string */
		rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
		&scontext_len);
		if (!rc && scontext) {
		audit_log_format(ab, " srawcon=%s", scontext);
		kfree(scontext);
		}

		rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
		&scontext_len);
		if (!rc && scontext) {
		audit_log_format(ab, " trawcon=%s", scontext);
		kfree(scontext);
		}
		}

		/* This is the slow part of avc audit with big stack footprint */

security/selinux/include/security.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -255,6 +255,9 @@ int security_sid_to_context(struct selinux_state *state, u32 sid,
		int security_sid_to_context_force(struct selinux_state *state,
		u32 sid, char *scontext, u32 scontext_len);

		int security_sid_to_context_inval(struct selinux_state *state,
		u32 sid, char *scontext, u32 scontext_len);

		int security_context_to_sid(struct selinux_state *state,
		const char *scontext, u32 scontext_len,
		u32 *out_sid, gfp_t gfp);

security/selinux/ss/services.c

+32 −5

Original line number	Diff line number	Diff line
		@@ -1281,7 +1281,8 @@ const char *security_get_initial_sid_context(u32 sid)

		static int security_sid_to_context_core(struct selinux_state *state,
		u32 sid, char **scontext,
		u32 *scontext_len, int force)
		u32 *scontext_len, int force,
		int only_invalid)
		{
		struct policydb *policydb;
		struct sidtab *sidtab;
		@@ -1326,8 +1327,14 @@ static int security_sid_to_context_core(struct selinux_state *state,
		rc = -EINVAL;
		goto out_unlock;
		}
		if (only_invalid && !context->len) {
		scontext = NULL;
		scontext_len = 0;
		rc = 0;
		} else {
		rc = context_struct_to_string(policydb, context, scontext,
		scontext_len);
		}
		out_unlock:
		read_unlock(&state->ss->policy_rwlock);
		out:
		@@ -1349,14 +1356,34 @@ int security_sid_to_context(struct selinux_state *state,
		u32 sid, char *scontext, u32 scontext_len)
		{
		return security_sid_to_context_core(state, sid, scontext,
		scontext_len, 0);
		scontext_len, 0, 0);
		}

		int security_sid_to_context_force(struct selinux_state *state, u32 sid,
		char *scontext, u32 scontext_len)
		{
		return security_sid_to_context_core(state, sid, scontext,
		scontext_len, 1);
		scontext_len, 1, 0);
		}

		/**
		* security_sid_to_context_inval - Obtain a context for a given SID if it
		* is invalid.
		* @sid: security identifier, SID
		* @scontext: security context
		* @scontext_len: length in bytes
		*
		* Write the string representation of the context associated with @sid
		* into a dynamically allocated string of the correct size, but only if the
		* context is invalid in the current policy. Set @scontext to point to
		* this string (or NULL if the context is valid) and set @scontext_len to
		* the length of the string (or 0 if the context is valid).
		*/
		int security_sid_to_context_inval(struct selinux_state *state, u32 sid,
		char *scontext, u32 scontext_len)
		{
		return security_sid_to_context_core(state, sid, scontext,
		scontext_len, 1, 1);
		}

		/*

Admin message