From f0804759cf168b201347ce8aa2faefa17376191c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Christian=20G=C3=B6ttsche?=
Date: Wed, 28 Jul 2021 16:59:51 +0200
Subject: [PATCH] selinux: add function name to audit data
Include the systemd C function name in the audit message to improve the debug ability on denials. Similar like kernel denial messages include the syscall name.
---
src/core/selinux-access.c | 14 ++++++++++----
src/core/selinux-access.h | 10 +++++++---
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 513a4fb00e7..f6d4e7cc508 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -31,6 +31,7 @@ struct audit_info {
 sd_bus_creds *creds;
 const char *path;
 const char *cmdline;
+ const char *function;
 };
 
 /*
@@ -58,10 +59,11 @@ static int audit_callback(
 xsprintf(gid_buf, GID_FMT, gid);
 
 (void) snprintf(msgbuf, msgbufsize,
- "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
+ "auid=%s uid=%s gid=%s%s%s%s%s%s%s%s%s%s",
 login_uid_buf, uid_buf, gid_buf,
 audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
- audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
+ audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "",
+ audit->function ? " function=\"" : "", strempty(audit->function), audit->function ? "\"" : "");
 
 return 0;
 }
@@ -179,6 +181,7 @@ int mac_selinux_generic_access_check(
 sd_bus_message *message,
 const char *path,
 const char *permission,
+ const char *function,
 sd_bus_error *error) {
 
 _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
@@ -191,6 +194,7 @@ int mac_selinux_generic_access_check(
 
 assert(message);
 assert(permission);
+ assert(function);
 assert(error);
 
 r = access_init(error);
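Review bot: In audit_callback the new `function=` field is appended after `cmdline=`, whose value is copied into the quoted record unescaped by the unchanged `strempty(audit->cmdline)` argument and, judging by `.cmdline = cl` in the later hunk, appears to originate from the bus peer; a cmdline containing the text `" function="` could therefore mislead a parser that reads the record left to right, whereas `function` is a compile-time `__func__` string and fully trusted. Emitting the trusted field before the two caller-influenced ones would avoid that, i.e. move the `%s%s%s` group and the three `audit->function ? ...` arguments ahead of the `audit->path ? ...` arguments; this would also match the debug message in the later `log_full_errno_zerook` hunk, which already prints function before path and cmdline. The longer record makes silent truncation by the `(void) snprintf` slightly more likely; msgbufsize is not visible here. audit_callback's signature and the rest of its body are outside the hunk.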
@@ -263,6 +267,7 @@ int mac_selinux_generic_access_check(
 .creds = creds,
 .path = path,
 .cmdline = cl,
+ .function = function,
 };
 
 r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
@@ -274,8 +279,8 @@ int mac_selinux_generic_access_check(
 }
 
 log_full_errno_zerook(LOG_DEBUG, r,
- "SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s path=%s cmdline=%s: %m",
- scon, fcon, tclass, permission, enforce ? "enforcing" : "permissive", path, cl);
+ "SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s function=%s path=%s cmdline=%s: %m",
+ scon, fcon, tclass, permission, enforce ? "enforcing" : "permissive", function, path, cl);
 
 return enforce ? r : 0;
 }
@@ -285,6 +290,7 @@ int mac_selinux_generic_access_check(
 sd_bus_message *message,
 const char *path,
 const char *permission,
+ const char *function,
 sd_bus_error *error) {
 
 return 0;
diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
index c6bfb325443..93aedc2347e 100644
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -5,10 +5,14 @@
 
 #include "manager.h"
 
-int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
+int mac_selinux_generic_access_check(sd_bus_message *message,
+ const char *path,
+ const char *permission,
+ const char *function,
+ sd_bus_error *error);
 
 #define mac_selinux_access_check(message, permission, error) \
- mac_selinux_generic_access_check((message), NULL, (permission), (error))
+ mac_selinux_generic_access_check((message), NULL, (permission), __func__, (error))
 
 #define mac_selinux_unit_access_check(unit, message, permission, error) \
- mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), (error))
+ mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), __func__, (error))
--
2.47.3
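Review bot: The rewritten `log_full_errno_zerook` line still hands `path` to a `%s` conversion, and `path` is NULL for every caller of the `mac_selinux_access_check()` macro (the header hunk passes `NULL`), so the debug message relies on the C library printing "(null)" rather than on defined behaviour. Since the line is being rewritten anyway, `strna(path)` would make the intent explicit; `strempty()` from the same string helpers is already used in this file. `function` itself is safe here because the earlier hunk asserts it non-NULL. The enclosing mac_selinux_generic_access_check body starts outside the hunk.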
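Review bot: The new prototype in selinux-access.h adds a `function` parameter without saying what callers must pass, while the .c side asserts it non-NULL and formats it into audit records and debug logs; a comment above the declaration such as `/* 'function' is the name of the calling C function for audit/debug output; pass __func__ (never NULL). Prefer the macros below, which supply it. */` would make the contract visible to any future direct caller. It is also worth stating in that comment that `__func__` is substituted where the macro is expanded, so the record names the function that invoked the macro, not this header's helpers.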