Provides support for a new field ipaddr within the SELinux
AVC audit log, relying in task_struct->curr_ip (ipv4 only)
provided by the task-curr_ip or grSecurity patch to be applied
before.It was first implemented by Joshua Brindle (a.k.a Method)
from the Hardened Gentoo project.
An example of the audit messages with ipaddr field:
audit(1110432234.161:0): avc: denied { search } for pid=19057
exe=/usr/bin/wget name=portage dev=hda3 ino=1024647 ipaddr=192.168.1.30
scontext=root:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_tmp_t tclass=dir
It's also available at http://pearls.tuxedo-es.org/patches/selinux-avc_audit-log-curr_ip.patch
Signed-off-by: Lorenzo Hernandez Garcia-Hierro <[email protected]>
---
linux-2.6.11-lorenzo/security/selinux/avc.c | 6 ++++++
1 files changed, 6 insertions(+)
diff -puN security/selinux/avc.c~selinux-avc_audit-log-curr_ip security/selinux/avc.c
--- linux-2.6.11/security/selinux/avc.c~selinux-avc_audit-log-curr_ip 2005-03-10 15:52:12.810227040 +0100
+++ linux-2.6.11-lorenzo/security/selinux/avc.c 2005-03-10 15:52:12.817225976 +0100
@@ -205,6 +205,12 @@ void avc_dump_query(struct audit_buffer
char *scontext;
u32 scontext_len;
+/* CONFIG_GRKERNSEC_PROC_IPADDR if grSecurity is present */
+#ifdef CONFIG_PROC_IPADDR
+ if (current->curr_ip)
+ audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->curr_ip));
+#endif /* CONFIG_PROC_IPADDR */
+
rc = security_sid_to_context(ssid, &scontext, &scontext_len);
if (rc)
audit_log_format(ab, "ssid=%d", ssid);
_
Cheers,
--
Lorenzo Hern?ndez Garc?a-Hierro <[email protected]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
On Thu, 2005-03-10 at 16:05 +0100, Lorenzo Hernández García-Hierro
wrote:
> Provides support for a new field ipaddr within the SELinux
> AVC audit log, relying in task_struct->curr_ip (ipv4 only)
> provided by the task-curr_ip or grSecurity patch to be applied
> before.It was first implemented by Joshua Brindle (a.k.a Method)
> from the Hardened Gentoo project.
>
> An example of the audit messages with ipaddr field:
> audit(1110432234.161:0): avc: denied { search } for pid=19057
> exe=/usr/bin/wget name=portage dev=hda3 ino=1024647 ipaddr=192.168.1.30
> scontext=root:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_tmp_t tclass=dir
Even if the basic idea were sound (doubtful), this would need to be
generalized (i.e. not ipv4-specific). Also, I think I'd rather see
extensions to the audit data be incorporated into the audit framework,
not the AVC-specific audit code, and some of the existing avc_audit()
code migrated into the audit framework (e.g. the exe= information
currently generated by avc_audit could be done by audit_log_exit
instead).
--
Stephen Smalley <[email protected]>
National Security Agency
On Thursday 10 March 2005 10:16, Stephen Smalley wrote:
> (e.g. the exe= information currently generated by avc_audit could be done
> by audit_log_exit instead).
I already have a patch that does that. It tells you what program is being run
instead of /bin/bash. I'll send it in a day or two for everyone to look over.
-Steve Grubb