Re: [PATCH v2 2/2] selinux: add basic filtering for audit trace events

From: Casey Schaufler
Date: Thu Aug 13 2020 - 11:05:52 EST

On 8/13/2020 7:48 AM, Thiébaud Weksteen wrote:
> From: Peter Enderborg <peter.enderborg@xxxxxxxx>
>
> This patch adds further attributes to the event. These attributes are
> helpful to understand the context of the message and can be used
> to filter the events.
>
> There are three common items. Source context, target context and tclass.
> There are also items from the outcome of operation performed.
>
> An event is similar to:
> <...>-1309 [002] .... 6346.691689: selinux_audited:
> requested=0x4000000 denied=0x4000000 audited=0x4000000
> result=-13 ssid=315 tsid=61

It may not be my place to ask, but *please please please* don't
externalize secids. I understand that it's easier to type "42"
than "system_r:cupsd_t:s0-s0:c0.c1023", and that it's easier for
your tools to parse and store the number. Once you start training
people that system_r:cupsd_t:s0-s0:c0.c1023 is secid 42 you'll
never be able to change it. The secid will start showing up in
scripts. Bad Things Will Happen.

> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:bin_t:s0 tclass=file
>
> With systems where many denials are occurring, it is useful to apply a
> filter. The filtering is a set of logic that is inserted with
> the filter file. Example:
> echo "tclass==\"file\" && ssid!=42" > events/avc/selinux_audited/filter
>
> This adds that we only get tclass=file but not for ssid 42.
>
> The trace can also have extra properties. Adding the user stack
> can be done with
> echo 1 > options/userstacktrace
>
> Now the output will be
> runcon-1365 [003] .... 6960.955530: selinux_audited:
> requested=0x4000000 denied=0x4000000 audited=0x4000000
> result=-13 ssid=315 tsid=61
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:bin_t:s0 tclass=file
> runcon-1365 [003] .... 6960.955560: <user stack trace>
> => <00007f325b4ce45b>
> => <00005607093efa57>
>
> Note that the ssid is the internal numeric representation of scontext
> and tsid is numeric for tcontext. They are useful for filtering.
>
> Signed-off-by: Peter Enderborg <peter.enderborg@xxxxxxxx>
> Reviewed-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> ---
> v2 changes:
> - update changelog to include usage examples
>
> include/trace/events/avc.h | 41 ++++++++++++++++++++++++++++----------
> security/selinux/avc.c | 22 +++++++++++---------
> 2 files changed, 44 insertions(+), 19 deletions(-)
>
> diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h
> index 07c058a9bbcd..ac5ef2e1c2c5 100644
> --- a/include/trace/events/avc.h
> +++ b/include/trace/events/avc.h
> @@ -1,6 +1,7 @@
> /* SPDX-License-Identifier: GPL-2.0 */
> /*
> - * Author: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> + * Authors: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> + * Peter Enderborg <Peter.Enderborg@xxxxxxxx>
> */
> #undef TRACE_SYSTEM
> #define TRACE_SYSTEM avc
> @@ -12,23 +13,43 @@
>
> TRACE_EVENT(selinux_audited,
>
> - TP_PROTO(struct selinux_audit_data *sad),
> + TP_PROTO(struct selinux_audit_data *sad,
> + char *scontext,
> + char *tcontext,
> + const char *tclass
> + ),
>
> - TP_ARGS(sad),
> + TP_ARGS(sad, scontext, tcontext, tclass),
>
> TP_STRUCT__entry(
> - __field(unsigned int, tclass)
> - __field(unsigned int, audited)
> + __field(u32, requested)
> + __field(u32, denied)
> + __field(u32, audited)
> + __field(int, result)
> + __string(scontext, scontext)
> + __string(tcontext, tcontext)
> + __string(tclass, tclass)
> + __field(u32, ssid)
> + __field(u32, tsid)
> ),
>
> TP_fast_assign(
> - __entry->tclass = sad->tclass;
> - __entry->audited = sad->audited;
> + __entry->requested = sad->requested;
> + __entry->denied = sad->denied;
> + __entry->audited = sad->audited;
> + __entry->result = sad->result;
> + __entry->ssid = sad->ssid;
> + __entry->tsid = sad->tsid;
> + __assign_str(tcontext, tcontext);
> + __assign_str(scontext, scontext);
> + __assign_str(tclass, tclass);
> ),
>
> - TP_printk("tclass=%u audited=%x",
> - __entry->tclass,
> - __entry->audited)
> + TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d ssid=%u tsid=%u scontext=%s tcontext=%s tclass=%s",
> + __entry->requested, __entry->denied, __entry->audited, __entry->result,
> + __entry->ssid, __entry->tsid, __get_str(scontext), __get_str(tcontext),
> + __get_str(tclass)
> + )
> );
>
> #endif
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index b0a0af778b70..7de5cc5169af 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -705,35 +705,39 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
> {
> struct common_audit_data *ad = a;
> struct selinux_audit_data *sad = ad->selinux_audit_data;
> - char *scontext;
> + char *scontext = NULL;
> + char *tcontext = NULL;
> + const char *tclass = NULL;
> u32 scontext_len;
> + u32 tcontext_len;
> int rc;
>
> - trace_selinux_audited(sad);
> -
> rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
> &scontext_len);
> if (rc)
> audit_log_format(ab, " ssid=%d", sad->ssid);
> else {
> audit_log_format(ab, " scontext=%s", scontext);
> - kfree(scontext);
> }
>
> - rc = security_sid_to_context(sad->state, sad->tsid, &scontext,
> - &scontext_len);
> + rc = security_sid_to_context(sad->state, sad->tsid, &tcontext,
> + &tcontext_len);
> if (rc)
> audit_log_format(ab, " tsid=%d", sad->tsid);
> else {
> - audit_log_format(ab, " tcontext=%s", scontext);
> - kfree(scontext);
> + audit_log_format(ab, " tcontext=%s", tcontext);
> }
>
> - audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name);
> + tclass = secclass_map[sad->tclass-1].name;
> + audit_log_format(ab, " tclass=%s", tclass);
>
> if (sad->denied)
> audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
>
> + trace_selinux_audited(sad, scontext, tcontext, tclass);
> + kfree(tcontext);
> + kfree(scontext);
> +
> /* in case of invalid context report also the actual context string */
> rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
> &scontext_len);