With this patch, auvirt also matches AVC denials performed by the guest and
generated by SELinux.
---
tools/auvirt/auvirt.c | 52 ++++++++++++++++++++++++++++++------------------
1 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/tools/auvirt/auvirt.c b/tools/auvirt/auvirt.c
index 9b71a3c..a49a8b8 100644
--- a/tools/auvirt/auvirt.c
+++ b/tools/auvirt/auvirt.c
@@ -87,10 +87,10 @@ struct event {
/* Fields specific for machine id events: */
char *seclevel;
/* Fields specific for avc events: */
+ char *avc_result;
+ char *avc_operation;
char *target;
char *comm;
- char *seresult;
- char *seperms;
char *context;
/* Fields to print proof information: */
struct record_id proof[4];
@@ -123,11 +123,11 @@ void event_free(struct event *event)
free(event->reason);
free(event->res_type);
free(event->res);
+ free(event->avc_result);
+ free(event->avc_operation);
free(event->seclevel);
free(event->target);
free(event->comm);
- free(event->seresult);
- free(event->seperms);
free(event->cgroup_class);
free(event->cgroup_detail);
free(event->cgroup_acl);
@@ -468,7 +468,7 @@ int process_machine_id_event(auparse_state_t *au)
seclevel = get_seclevel(auparse_find_field(au, "vm-ctx"));
if (seclevel == NULL) {
if (debug)
- fprintf(stderr, "security context not found for "
+ fprintf(stderr, "Security context not found for "
"MACHINE_ID event.\n");
}
@@ -592,7 +592,7 @@ int add_stop_guest_event(auparse_state_t *au)
}
if (start == NULL) {
if (debug) {
- fprintf(stderr, "Couldn't find the correlated start i"
+ fprintf(stderr, "Couldn't find the correlated start "
"record to the stop event.\n");
}
return 0;
@@ -824,19 +824,18 @@ struct event *get_machine_id_by_seclevel(const char
*seclevel)
return machine_id;
}
-/* AVC records are correlated to guest through the selinux context. */
-int process_avc(auparse_state_t *au)
+int process_avc_selinux_context(auparse_state_t *au, const char *context)
{
const char *target, *seclevel;
struct event *machine_id, *avc;
uid_t uid;
time_t time;
- seclevel = get_seclevel(auparse_find_field(au, "tcontext"));
+ seclevel = get_seclevel(auparse_find_field(au, context));
if (seclevel == NULL) {
if (debug) {
- fprintf(stderr, "Security context not found for "
- "AVC event.\n");
+ fprintf(stderr, "Security context not found "
+ "for AVC event.\n");
}
return 0;
}
@@ -847,8 +846,8 @@ int process_avc(auparse_state_t *au)
machine_id = get_machine_id_by_seclevel(seclevel);
if (machine_id == NULL) {
if (debug) {
- fprintf(stderr, "Couldn't get the security level from "
- "the AVC event.\n");
+ fprintf(stderr, "Couldn't get the security "
+ "level from the AVC event.\n");
}
return 0;
}
@@ -868,19 +867,19 @@ int process_avc(auparse_state_t *au)
avc->uid = uid;
avc->seclevel = copy_str(seclevel);
auparse_first_record(au);
- avc->seresult = copy_str(auparse_find_field(au, "seresult"));
- avc->seperms = copy_str(auparse_find_field(au, "seperms"));
+ avc->avc_result = copy_str(auparse_find_field(au, "seresult"));
+ avc->avc_operation = copy_str(auparse_find_field(au, "seperms"));
if (auparse_find_field(au, "comm"))
avc->comm = copy_str(auparse_interpret_field(au));
if (auparse_find_field(au, "name"))
avc->target = copy_str(auparse_interpret_field(au));
/* get the context related to the permission that was denied. */
- if (avc->seperms) {
+ if (avc->avc_operation) {
const char *ctx = NULL;
- if (strcmp("relabelfrom", avc->seperms) == 0) {
+ if (strcmp("relabelfrom", avc->avc_operation) == 0) {
ctx = auparse_find_field(au, "scontext");
- } else if (strcmp("relabelto", avc->seperms) == 0) {
+ } else if (strcmp("relabelto", avc->avc_operation) == 0) {
ctx = auparse_find_field(au, "tcontext");
}
avc->context = copy_str(ctx);
@@ -894,6 +893,19 @@ int process_avc(auparse_state_t *au)
return 0;
}
+/* AVC records are correlated to guest through the selinux context. */
+int process_avc(auparse_state_t *au)
+{
+ const char **context;
+ const char *contexts[] = { "tcontext", "scontext", NULL };
+
+ for (context = contexts; context && *context; context++) {
+ if (process_avc_selinux_context(au, *context))
+ return 1;
+ }
+ return 0;
+}
+
/* This function tries to correlate an anomaly record to a guest using the qemu
* pid or the selinux context. */
int process_anom(auparse_state_t *au)
@@ -1152,8 +1164,8 @@ void print_event(struct event *event)
} else if (event->type == ET_MACHINE_ID) {
printf("\t%s", N(event->seclevel));
} else if (event->type == ET_AVC) {
- printf("\t%-12.12s", N(event->seperms));
- printf("\t%-10.10s", N(event->seresult));
+ printf("\t%-12.12s", N(event->avc_operation));
+ printf("\t%-10.10s", N(event->avc_result));
printf("\t%s\t%s\t%s", N(event->comm), N(event->target),
N(event->context));
}
--
1.7.1
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
