[PATCH] context based audit filtering (take 3)

Wed Feb 22 14:46:32 UTC 2006

On Tue, 2006-02-21 at 15:32 -0600, Darrel Goeddel wrote:
> diff --git a/security/selinux/exports.c b/security/selinux/exports.c
> new file mode 100644
> index 0000000..5129add
> --- /dev/null
> +++ b/security/selinux/exports.c
> +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
> +                            struct selinux_audit_rule **rule)
> +{
> +	return security_aurule_init(field, op, rulestr, rule);
> +}

I'd drop these wrapper functions, and just name the underlying functions
in services.c with the exported names (i.e. selinux_ prefix).  The use
of security_ prefix in the SELinux code should likely be converted in
general to selinux_ (via separate patch) along with other namespace
cleanups; it is a legacy of when SELinux was a kernel patch and there
was no LSM.

> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index d877cd1..5e05c5a 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
<snip>
> +int security_aurule_init(u32 field, u32 op, char *rulestr,
> +                         struct selinux_audit_rule **rule)
> +{
<snip>
> +	case AUDIT_SE_SEN:
> +	case AUDIT_SE_CLR:
> +		/* we need freestr because mls_context_to_sid will change
> +		   the value of tmpstr */
> +		tmpstr = freestr = kstrdup(rulestr, GFP_ATOMIC);
> +		if (!tmpstr) {
> +			rc = -ENOMEM;
> +		} else {
> +			rc = mls_context_to_sid(':', &tmpstr, &tmprule->au_ctxt,
> +			                        NULL, SECSID_NULL);
> +			kfree(freestr);
> +		}

Let's move this into a helper in mls.c with a nicer interface, similar
to what Ivan has done in libsepol (mls_from_string).

> +int security_aurule_match(u32 ctxid, u32 field, u32 op,
> +                          struct selinux_audit_rule *rule)
> +{
> +	struct context *ctxt;
> +	struct mls_level *level;
> +	int match = 0;
> +
> +	if (!rule)
> +		return 0;

Should this be an error?

> +	ctxt = sidtab_search(&sidtab, ctxid);
> +	if (!ctxt) {
> +		printk(KERN_ERR "security_aurule_match: unrecognized SID %d\n",
> +		       ctxid);

Should we be using printk(KERN_ERR...) or
audit_log(...AUDIT_SELINUX_ERR) for SELinux errors for all new code?

> +		case AUDIT_LESS_THAN:
> +			match = (mls_level_dom(&rule->au_ctxt.range.level[0],
> +			                       level) &&
> +			         !mls_level_eq(&rule->au_ctxt.range.level[0],
> +			                       level));
> +			break;
> +		case AUDIT_LESS_THAN_OR_EQUAL:
> +			match = mls_level_dom(&rule->au_ctxt.range.level[0],
> +			                      level);
> +			break;

I'm not clear as to why we truly need both sets of operators in the
audit filters (<= n versus just < (n+1)), but that is unrelated to
SELinux per se.

I take it that you either decided against leveraging the constraint code
or haven't looked at that option yet?  IOW, convert an audit filter to a
constraint expression when the rule is initialized, and later just call
a common helper shared with constraint_expr_eval?

> +static int (*aurule_callback)(void) = NULL;
> +
> +static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
> +                               u16 class, u32 perms, u32 *retained)
> +{
> +	int err = 0;
> +
> +	if (event == AVC_CALLBACK_RESET && aurule_callback)
> +		err = aurule_callback();
> +	return err;
> +}

Hmm...on an error return, we will stop walking the callback list
presently on avc_ss_reset, which could prevent other callbacks (like the
netif one) from occurring.  Likely should change that.  

-- 
Stephen Smalley
National Security Agency