authorChristian Göttsche <cgzones@googlemail.com>2021-07-28 16:59:51 +0200
committerTopi Miettinen <topimiettinen@users.noreply.github.com>2021-11-20 17:38:03 +0100
commitf0804759cf168b201347ce8aa2faefa17376191c (patch)
tree856052029f63bd3309461ce34830963dc92cd121 /src
parentupdate TODO (diff)
selinux: add function name to audit data
Include the systemd C function name in the audit message to improve debuggability of denials, similar to how kernel denial messages include the syscall name.
Diffstat (limited to 'src')
-rw-r--r--src/core/selinux-access.c14
-rw-r--r--src/core/selinux-access.h10
2 files changed, 17 insertions, 7 deletions
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 513a4fb00e..f6d4e7cc50 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -31,6 +31,7 @@ struct audit_info {
sd_bus_creds *creds;
const char *path;
const char *cmdline;
+ const char *function;
};
/*
@@ -58,10 +59,11 @@ static int audit_callback(
xsprintf(gid_buf, GID_FMT, gid);
(void) snprintf(msgbuf, msgbufsize,
- "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
+ "auid=%s uid=%s gid=%s%s%s%s%s%s%s%s%s%s",
login_uid_buf, uid_buf, gid_buf,
audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
- audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
+ audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "",
+ audit->function ? " function=\"" : "", strempty(audit->function), audit->function ? "\"" : "");
return 0;
}
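Review bot: The new `function=` field is appended after `cmdline=`, so when the peer's command line is long it is the function name that gets cut off by snprintf truncation, and the `(void)` cast on the call means the truncation is never noticed. Since the function name is exactly the value this commit adds for debugging denials, consider emitting it before the caller-derived strings: move the `audit->function` triple ahead of the `audit->path` triple in the argument list (the format string needs no change, the `%s` slots are identical), and optionally compare snprintf's return value against `msgbufsize` and log at debug level when the record was cut. Note also that all three values are placed between double quotes without escaping, so a cmdline containing `"` stays ambiguous to audit-log parsers; that is pre-existing and `__func__` can never contain a quote, but a one-line comment saying so would help the next reader. audit_callback's signature and the declarations of `msgbuf`/`msgbufsize` are outside the hunk.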
@@ -179,6 +181,7 @@ int mac_selinux_generic_access_check(
sd_bus_message *message,
const char *path,
const char *permission,
+ const char *function,
sd_bus_error *error) {
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
@@ -191,6 +194,7 @@ int mac_selinux_generic_access_check(
assert(message);
assert(permission);
+ assert(function);
assert(error);
r = access_init(error);
@@ -263,6 +267,7 @@ int mac_selinux_generic_access_check(
.creds = creds,
.path = path,
.cmdline = cl,
+ .function = function,
};
r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
@@ -274,8 +279,8 @@ int mac_selinux_generic_access_check(
}
log_full_errno_zerook(LOG_DEBUG, r,
- "SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s path=%s cmdline=%s: %m",
- scon, fcon, tclass, permission, enforce ? "enforcing" : "permissive", path, cl);
+ "SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s function=%s path=%s cmdline=%s: %m",
+ scon, fcon, tclass, permission, enforce ? "enforcing" : "permissive", function, path, cl);
return enforce ? r : 0;
}
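Review bot: The rewritten debug log line passes `path` and `cl` to `%s` although both can be NULL here: `mac_selinux_access_check()` in the header hands in `NULL` for path, and `cl` is already treated as optional when building `audit_info` (the `audit->cmdline ?` guards). Printing NULL through `%s` relies on glibc's "(null)" behaviour and is undefined in standard C; since the line is being touched anyway, wrap both in the `strempty()` helper this file already uses (or `strna()` if that is preferred for log output), e.g. `..., function, strempty(path), strempty(cl));`. `function` itself is safe because it is asserted non-NULL earlier in the function. The enclosing mac_selinux_generic_access_check() starts outside this hunk.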
@@ -285,6 +290,7 @@ int mac_selinux_generic_access_check(
sd_bus_message *message,
const char *path,
const char *permission,
+ const char *function,
sd_bus_error *error) {
return 0;
diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
index c6bfb32544..93aedc2347 100644
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -5,10 +5,14 @@
#include "manager.h"
-int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
+int mac_selinux_generic_access_check(sd_bus_message *message,
+ const char *path,
+ const char *permission,
+ const char *function,
+ sd_bus_error *error);
#define mac_selinux_access_check(message, permission, error) \
- mac_selinux_generic_access_check((message), NULL, (permission), (error))
+ mac_selinux_generic_access_check((message), NULL, (permission), __func__, (error))
#define mac_selinux_unit_access_check(unit, message, permission, error) \
- mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), (error))
+ mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), __func__, (error))
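Review bot: The new `function` parameter has no documentation in the header even though it carries a contract callers must know: it is asserted non-NULL in the implementation and is copied verbatim into the audit record and the debug log, so it must be a static, quote-free string, not something derived from the D-Bus peer. A short comment above the prototype would pin this down, e.g. `/* function: name of the calling C function; must be non-NULL and is written into the SELinux audit record and debug log (the macros below pass __func__) */`. It is also worth a one-line note on the macros that `__func__` is expanded at the macro's use site, so the name recorded is that of the bus method handler invoking the check, which is the intended behaviour.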