selinux: add function name to audit data

Include the systemd C function name in the audit message to improve the
debug ability on denials.
Similar like kernel denial messages include the syscall name.
This commit is contained in:
Christian Göttsche
2021-07-28 16:59:51 +02:00
committed by Topi Miettinen
parent 1ccfb792e4
commit f0804759cf
2 changed files with 17 additions and 7 deletions


@@ -31,6 +31,7 @@ struct audit_info {
sd_bus_creds *creds;
const char *path;
const char *cmdline;
const char *function;
};
/*
@@ -58,10 +59,11 @@ static int audit_callback(
xsprintf(gid_buf, GID_FMT, gid);
(void) snprintf(msgbuf, msgbufsize,
"auid=%s uid=%s gid=%s%s%s%s%s%s%s",
"auid=%s uid=%s gid=%s%s%s%s%s%s%s%s%s%s",
login_uid_buf, uid_buf, gid_buf,
audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "",
audit->function ? " function=\"" : "", strempty(audit->function), audit->function ? "\"" : "");
return 0;
}
@@ -179,6 +181,7 @@ int mac_selinux_generic_access_check(
sd_bus_message *message,
const char *path,
const char *permission,
const char *function,
sd_bus_error *error) {
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
@@ -191,6 +194,7 @@ int mac_selinux_generic_access_check(
assert(message);
assert(permission);
assert(function);
assert(error);
r = access_init(error);
@@ -263,6 +267,7 @@ int mac_selinux_generic_access_check(
.creds = creds,
.path = path,
.cmdline = cl,
.function = function,
};
r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
@@ -274,8 +279,8 @@ int mac_selinux_generic_access_check(
}
log_full_errno_zerook(LOG_DEBUG, r,
"SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s path=%s cmdline=%s: %m",
scon, fcon, tclass, permission, enforce ? "enforcing" : "permissive", path, cl);
"SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s function=%s path=%s cmdline=%s: %m",
scon, fcon, tclass, permission, enforce ? "enforcing" : "permissive", function, path, cl);
return enforce ? r : 0;
}
@@ -285,6 +290,7 @@ int mac_selinux_generic_access_check(
sd_bus_message *message,
const char *path,
const char *permission,
const char *function,
sd_bus_error *error) {
return 0;
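Review bot: The new `function` member of `struct audit_info` in the first hunk is undocumented, and nothing in the struct says where the value comes from or what it is used for; I would add `const char *function; /* __func__ of the caller, emitted only in the audit and debug records */` next to it. That detail matters for the snprintf in audit_callback: the value is a compile-time literal supplied by the macros in the header, so embedding it between literal quotes without escaping is safe, whereas the adjacent `cmdline` field is caller-influenced data and, as before this change, is not escaped — worth stating in the comment so the two fields are not treated alike later. In mac_selinux_generic_access_check the `assert(function)` is added only to the SELinux-enabled implementation; the stub in the last hunk accepts the parameter and ignores it, which is consistent with the other parameters there. The bodies of audit_callback and mac_selinux_generic_access_check start and end outside the visible hunks.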


@@ -5,10 +5,14 @@
#include "manager.h"
int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
int mac_selinux_generic_access_check(sd_bus_message *message,
const char *path,
const char *permission,
const char *function,
sd_bus_error *error);
#define mac_selinux_access_check(message, permission, error) \
mac_selinux_generic_access_check((message), NULL, (permission), (error))
mac_selinux_generic_access_check((message), NULL, (permission), __func__, (error))
#define mac_selinux_unit_access_check(unit, message, permission, error) \
mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), (error))
mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), __func__, (error))
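Review bot: The two macros now pass `__func__`, which expands at the macro's use site rather than inside mac_selinux_generic_access_check, so the audit record names whichever function invokes the macro; a caller that routes several bus methods through one shared helper will log the helper's name for all of them. I would put that contract in the header above the macros: `/* __func__ is captured at the call site: invoke these from the bus method handler itself so the audit record names the method being checked, not a shared wrapper. */`. The new `function` parameter of the prototype is likewise undocumented; a one-line `@param`-style note that it is the caller's name for audit output and must be non-NULL (the enabled implementation asserts it) would save readers a trip to the implementation.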