From: Christian Göttsche
Date: Wed, 28 Jul 2021 14:59:51 +0000 (+0200)
Subject: selinux: add function name to audit data
X-Git-Tag: v250-rc1~201
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f0804759cf168b201347ce8aa2faefa17376191c;p=thirdparty%2Fsystemd.git

selinux: add function name to audit data

Include the systemd C function name in the audit message to improve the debug ability on denials. Similar like kernel denial messages include the syscall name.
---
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 513a4fb00e7..f6d4e7cc508 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -31,6 +31,7 @@ struct audit_info {
 sd_bus_creds *creds;
 const char *path;
 const char *cmdline;
+ const char *function;
 };

 /*
@@ -58,10 +59,11 @@ static int audit_callback(
 xsprintf(gid_buf, GID_FMT, gid);

 (void) snprintf(msgbuf, msgbufsize,
- "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
+ "auid=%s uid=%s gid=%s%s%s%s%s%s%s%s%s%s",
 login_uid_buf, uid_buf, gid_buf,
 audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
- audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
+ audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "",
+ audit->function ? " function=\"" : "", strempty(audit->function), audit->function ? "\"" : "");

 return 0;
 }
@@ -179,6 +181,7 @@ int mac_selinux_generic_access_check(
 sd_bus_message *message,
 const char *path,
 const char *permission,
+ const char *function,
 sd_bus_error *error) {

 _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
@@ -191,6 +194,7 @@ int mac_selinux_generic_access_check(

 assert(message);
 assert(permission);
+ assert(function);
 assert(error);

 r = access_init(error);
@@ -263,6 +267,7 @@ int mac_selinux_generic_access_check(
 .creds = creds,
 .path = path,
 .cmdline = cl,
+ .function = function,
 };

 r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
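Review bot: The new `function=` field is appended after `cmdline=`, whose value is written between double quotes with no escaping, so a peer whose command line contains `" function="` yields a record in which a spoofed field precedes the genuine one, and a long cmdline also makes `function=` the first field `snprintf` silently truncates away (its return value is discarded with `(void)`). Since `function` is a compile-time identifier string (the header passes `__func__`), emitting it directly after `gid=` keeps the trusted, fixed-size fields ahead of the untrusted, variable-length ones: `"auid=%s uid=%s gid=%s%s%s%s%s%s%s%s%s%s", login_uid_buf, uid_buf, gid_buf, audit->function ? " function=\"" : "", strempty(audit->function), audit->function ? "\"" : "",` followed by the existing path and cmdline triples. Where `cl` comes from is not visible in these hunks, so whether cmdline is genuinely peer-controlled should be confirmed against its origin; escaping or hex-encoding the quoted values would be the fuller fix. The body of audit_callback begins before this hunk.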
@@ -274,8 +279,8 @@ int mac_selinux_generic_access_check(
 }

 log_full_errno_zerook(LOG_DEBUG, r,
- "SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s path=%s cmdline=%s: %m",
- scon, fcon, tclass, permission, enforce ? "enforcing" : "permissive", path, cl);
+ "SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s function=%s path=%s cmdline=%s: %m",
+ scon, fcon, tclass, permission, enforce ? "enforcing" : "permissive", function, path, cl);

 return enforce ? r : 0;
 }
@@ -285,6 +290,7 @@ int mac_selinux_generic_access_check(
 sd_bus_message *message,
 const char *path,
 const char *permission,
+ const char *function,
 sd_bus_error *error) {

 return 0;
diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
index c6bfb325443..93aedc2347e 100644
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -5,10 +5,14 @@

 #include "manager.h"

-int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
+int mac_selinux_generic_access_check(sd_bus_message *message,
+ const char *path,
+ const char *permission,
+ const char *function,
+ sd_bus_error *error);

 #define mac_selinux_access_check(message, permission, error) \
- mac_selinux_generic_access_check((message), NULL, (permission), (error))
+ mac_selinux_generic_access_check((message), NULL, (permission), __func__, (error))

 #define mac_selinux_unit_access_check(unit, message, permission, error) \
- mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), (error))
+ mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), __func__, (error))
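Review bot: The new `function` parameter in the prototype is undocumented, even though the .c side now does `assert(function)`, so a direct caller that bypasses the two macros and passes NULL would trip that assert instead of getting an error return. A comment above the prototype would make the contract explicit: `/* 'function' must be non-NULL; it is recorded verbatim in the audit message and is meant to be the caller's __func__, which the macros below supply. */`. Because `__func__` is expanded at the macro's use site, the name recorded is that of the handler invoking `mac_selinux_access_check`/`mac_selinux_unit_access_check`, not this helper, which is worth stating in the same comment.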