From 3cf94260636097b5703dbf4ce503d3a681f7f050 Mon Sep 17 00:00:00 2001
From: zhangcui
Date: Thu, 22 Sep 2022 06:19:07 +0000
Subject: [PATCH 1/5] test
Signed-off-by: zhangcui
---
 lib/ratelimit.c | 1 +
 security/selinux/avc.c | 24 ++++++++++++++++++++----
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/lib/ratelimit.c b/lib/ratelimit.c
index e01a93f46f83..7ba61fb52399 100644
--- a/lib/ratelimit.c
+++ b/lib/ratelimit.c
@@ -29,6 +29,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *func)
 unsigned long flags;
 int ret;
+ return 1;
 if (!rs->interval)
 return 1;
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 884a014ce2b8..13c1e074f6a6 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -695,7 +695,9 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 audit_log_format(ab, " } for ");
 }
-
+static char* g_sctx[] = {"u:r:hiperf:s0"};
+static char* g_tctx[] = {"u:r:hiperf:s0"};
+static char* g_class[] = {"capability"};
 /**
 * avc_audit_post_callback - SELinux specific information
 * will be called by generic audit code
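Review bot: The `return 1;` inserted ahead of the interval check makes ___ratelimit() report "not limited" unconditionally, so every remaining statement of the function is unreachable and every __ratelimit() user (printk_ratelimit(), net_ratelimit() and friends) loses its throttle, turning any repeatable warning into a log-flooding vector. The subject line "test" suggests this is scaffolding rather than an intended change; it should be dropped from the series, or at the very least placed under a dedicated debug Kconfig symbol so it cannot reach a production build. The rest of ___ratelimit() lies outside the hunk.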
@@ -712,23 +714,37 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 u32 scontext_len;
 u32 tcontext_len;
 int rc;
-
+ int match1 = 1;
 rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
 &scontext_len);
 if (rc)
 audit_log_format(ab, " ssid=%d", sad->ssid);
- else
+ else {
 audit_log_format(ab, " scontext=%s", scontext);
+ match1 &= !strcmp(scontext, g_sctx[0]);
+ }
+
 rc = security_sid_to_context(sad->state, sad->tsid, &tcontext,
 &tcontext_len);
 if (rc)
 audit_log_format(ab, " tsid=%d", sad->tsid);
- else
+ else {
 audit_log_format(ab, " tcontext=%s", tcontext);
+ match1 &= !strcmp(tcontext, g_tctx[0]);
+ }
+
 tclass = secclass_map[sad->tclass-1].name;
 audit_log_format(ab, " tclass=%s", tclass);
+ match1 &= !strcmp(tclass, g_class[0]);
+
+ if (match1) { pr_info("================avc callback start================="); dump_stack(); pr_info("================avc callback end, send signal================="); force_sig(SIGABRT); }
 if (sad->denied)
 audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
--
Gitee
From ddbb3d5249d8040b30b48575844ef6c18f4497d7 Mon Sep 17 00:00:00 2001
From: zhangcui
Date: Fri, 23 Sep 2022 08:18:58 +0000
Subject: [PATCH 2/5] update security/selinux/avc.c.
Signed-off-by: zhangcui
---
 security/selinux/avc.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 13c1e074f6a6..12d1a2c516b1 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -695,8 +695,8 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 audit_log_format(ab, " } for ");
 }
-static char* g_sctx[] = {"u:r:hiperf:s0"};
-static char* g_tctx[] = {"u:r:hiperf:s0"};
+static char* g_sctx[] = {"u:r:hiprofilerd:s0", "u:r:hiprofiler_cmd:s0"};
+static char* g_tctx[] = {"u:r:hiprofilerd:s0", "u:r:hiprofiler_cmd:s0"};
 static char* g_class[] = {"capability"};
 /**
 * avc_audit_post_callback - SELinux specific information
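Review bot: Calling `force_sig(SIGABRT)` from the audit post-callback turns a logging hook into an enforcement point: any task whose denial is being formatted and whose labels string-match the tables is killed, with no Kconfig or sysctl gate, so a stray denial (or a policy change that relabels a domain) becomes a process-termination bug instead of an audit line, and `dump_stack()` additionally prints a kernel backtrace into the log for each hit. The match logic also treats a failed lookup as a match — when `security_sid_to_context()` returns non-zero the `if (rc)` branch only logs the raw SID and leaves `match1` at 1, so a denial whose scontext or tcontext cannot be resolved still matches on the remaining fields; add `match1 = 0;` in both `if (rc)` branches. If common_lsm_audit() can reach this callback from a context other than the denied task's (the callback is handed the audit data via `a`, not `current`), the signal lands on an unrelated task — worth confirming before this goes anywhere near a shipping kernel. The added `pr_info()` strings also lack a trailing `\n`; the enclosing function starts and ends outside the hunk.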
@@ -715,6 +715,7 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 u32 tcontext_len;
 int rc;
 int match1 = 1;
+ int match2 = 1;
 rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
 &scontext_len);
 if (rc)
@@ -722,6 +723,7 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 else {
 audit_log_format(ab, " scontext=%s", scontext);
 match1 &= !strcmp(scontext, g_sctx[0]);
+ match2 &= !strcmp(scontext, g_sctx[1]);
 }
@@ -732,14 +734,16 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 else {
 audit_log_format(ab, " tcontext=%s", tcontext);
 match1 &= !strcmp(tcontext, g_tctx[0]);
+ match2 &= !strcmp(tcontext, g_tctx[1]);
 }
 tclass = secclass_map[sad->tclass-1].name;
 audit_log_format(ab, " tclass=%s", tclass);
 match1 &= !strcmp(tclass, g_class[0]);
+ match2 &= !strcmp(tclass, g_class[0]);
- if (match1) {
+ if (match1 || match2) {
 pr_info("================avc callback start=================");
 dump_stack();
 pr_info("================avc callback end, send signal=================");
--
Gitee
From 61affad27cdccce42bba87d1d82be6bd26b40abc Mon Sep 17 00:00:00 2001
From: zhangcui
Date: Fri, 23 Sep 2022 10:43:21 +0000
Subject: [PATCH 3/5] update security/selinux/avc.c.
Signed-off-by: zhangcui
---
 security/selinux/avc.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 12d1a2c516b1..620cf59bb135 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
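Review bot: The new `match2` lines duplicate the `match1` chain statement for statement (declaration, scontext compare, tcontext compare, tclass compare, extra `||` term), and patches 3 and 4 repeat the same pattern for `match3`, `match4` and `match5`; every new table entry needs five coordinated edits, and nothing ties the literal index in `g_sctx[1]` to the size of the array, so the tables and the chain can silently drift apart. A single loop over `ARRAY_SIZE(g_sctx)` that requires all three fields at one index states the rule once, and it also gives a natural place to treat an unresolved context as a non-match instead of leaving the flag set; the `strcmp(tclass, g_class[0])` term does not depend on the index and can be tested once. The `scontext && tcontext` guard below relies on both pointers being initialised to NULL and only assigned on success, which is upstream's shape but is declared outside these hunks — confirm. The enclosing function starts and ends outside the hunks.
```c
	bool matched = false;
	size_t i;

	BUILD_BUG_ON(ARRAY_SIZE(g_sctx) != ARRAY_SIZE(g_tctx));
	/* … unchanged: scontext / tcontext lookup and audit_log_format() calls … */
	tclass = secclass_map[sad->tclass-1].name;
	audit_log_format(ab, " tclass=%s", tclass);
	/* NULL here means security_sid_to_context() failed — relies on the NULL initialisers; confirm */
	if (scontext && tcontext && !strcmp(tclass, g_class[0])) {
		for (i = 0; i < ARRAY_SIZE(g_sctx); i++) {
			if (!strcmp(scontext, g_sctx[i]) &&
			    !strcmp(tcontext, g_tctx[i])) {
				matched = true;
				break;
			}
		}
	}

	if (matched) {
	/* … unchanged: pr_info() / dump_stack() body … */
```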
@@ -695,8 +695,8 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 audit_log_format(ab, " } for ");
 }
-static char* g_sctx[] = {"u:r:hiprofilerd:s0", "u:r:hiprofiler_cmd:s0"};
-static char* g_tctx[] = {"u:r:hiprofilerd:s0", "u:r:hiprofiler_cmd:s0"};
+static char* g_sctx[] = {"u:r:hiprofilerd:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0"};
+static char* g_tctx[] = {"u:r:hiprofilerd:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0"};
 static char* g_class[] = {"capability"};
 /**
 * avc_audit_post_callback - SELinux specific information
@@ -716,6 +716,7 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 int rc;
 int match1 = 1;
 int match2 = 1;
+ int match3 = 1;
 rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
 &scontext_len);
 if (rc)
@@ -724,6 +725,7 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 audit_log_format(ab, " scontext=%s", scontext);
 match1 &= !strcmp(scontext, g_sctx[0]);
 match2 &= !strcmp(scontext, g_sctx[1]);
+ match3 &= !strcmp(scontext, g_sctx[2]);
 }
@@ -735,6 +737,7 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 audit_log_format(ab, " tcontext=%s", tcontext);
 match1 &= !strcmp(tcontext, g_tctx[0]);
 match2 &= !strcmp(tcontext, g_tctx[1]);
+ match3 &= !strcmp(tcontext, g_tctx[2]);
 }
@@ -742,8 +745,9 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 audit_log_format(ab, " tclass=%s", tclass);
 match1 &= !strcmp(tclass, g_class[0]);
 match2 &= !strcmp(tclass, g_class[0]);
+ match3 &= !strcmp(tclass, g_class[0]);
- if (match1 || match2) {
+ if (match1 || match2 || match3) {
 pr_info("================avc callback start=================");
 dump_stack();
 pr_info("================avc callback end, send signal=================");
--
Gitee
From f4eaa0c9a8cd0d4ba6c11ca344f6c005b09125ae Mon Sep 17 00:00:00 2001
From: zhangcui
Date: Tue, 27 Sep 2022 02:50:42 +0000
Subject: [PATCH 4/5] update
Signed-off-by: zhangcui
---
 security/selinux/avc.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 620cf59bb135..c7f4e6d08bd1 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -695,9 +695,9 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 audit_log_format(ab, " } for ");
 }
-static char* g_sctx[] = {"u:r:hiprofilerd:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0"};
-static char* g_tctx[] = {"u:r:hiprofilerd:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0"};
-static char* g_class[] = {"capability"};
+static char* g_sctx[] = {"u:r:hitrace:s0", "u:r:hiperf:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0", "u:r:native_daemon:s0"};
+static char* g_tctx[] = {"u:r:hitrace:s0", "u:r:hiperf:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0", "u:r:native_daemon:s0"};
+static char* g_class[] = {"chr_file"};
 /**
 * avc_audit_post_callback - SELinux specific information
 * will be called by generic audit code
@@ -717,6 +717,8 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 int match1 = 1;
 int match2 = 1;
 int match3 = 1;
+ int match4 = 1;
+ int match5 = 1;
 rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
 &scontext_len);
 if (rc)
@@ -726,6 +728,8 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 match1 &= !strcmp(scontext, g_sctx[0]);
 match2 &= !strcmp(scontext, g_sctx[1]);
 match3 &= !strcmp(scontext, g_sctx[2]);
+ match4 &= !strcmp(scontext, g_sctx[3]);
+ match5 &= !strcmp(scontext, g_sctx[4]);
 }
@@ -738,6 +742,8 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 match1 &= !strcmp(tcontext, g_tctx[0]);
 match2 &= !strcmp(tcontext, g_tctx[1]);
 match3 &= !strcmp(tcontext, g_tctx[2]);
+ match4 &= !strcmp(tcontext, g_tctx[3]);
+ match5 &= !strcmp(tcontext, g_tctx[4]);
 }
@@ -746,8 +752,10 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 match1 &= !strcmp(tclass, g_class[0]);
 match2 &= !strcmp(tclass, g_class[0]);
 match3 &= !strcmp(tclass, g_class[0]);
+ match4 &= !strcmp(tclass, g_class[0]);
+ match5 &= !strcmp(tclass, g_class[0]);
- if (match1 || match2 || match3) {
+ if (match1 || match2 || match3 || match4 || match5) {
 pr_info("================avc callback start=================");
 dump_stack();
 pr_info("================avc callback end, send signal=================");
--
Gitee
From 23ade2c0293d26fa9912db198f1c012bde8a6a5b Mon Sep 17 00:00:00 2001
From: zhangcui
Date: Tue, 27 Sep 2022 06:38:27 +0000
Subject: [PATCH 5/5] update
Signed-off-by: zhangcui
---
 security/selinux/avc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index c7f4e6d08bd1..fc50fbf6c0ec 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -696,7 +696,7 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 audit_log_format(ab, " } for ");
 }
 static char* g_sctx[] = {"u:r:hitrace:s0", "u:r:hiperf:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0", "u:r:native_daemon:s0"};
-static char* g_tctx[] = {"u:r:hitrace:s0", "u:r:hiperf:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0", "u:r:native_daemon:s0"};
+static char* g_tctx[] = {"u:object_r:devpts:s0", "u:object_r:devpts:s0", "u:object_r:devpts:s0", "u:object_r:devpts:s0", "u:object_r:devpts:s0"};
 static char* g_class[] = {"chr_file"};
 /**
 * avc_audit_post_callback - SELinux specific information
--
Gitee
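Review bot: After this change `g_tctx` holds the literal `"u:object_r:devpts:s0"` five times over, which shows the array exists only to line up with the per-index `match1`…`match5` chain; a single target label (or a loop that compares the target once) would state the intent — any listed subject domain hitting a `chr_file` denial on a devpts node — directly, and would stop the two tables from getting out of step, since an index present in `g_sctx` but missing from `g_tctx` is an out-of-bounds read. While on these lines, the tables point at string literals and are never written, so `static const char *const g_tctx[]` (and likewise `g_sctx` and `g_class`) is the right type; a plain `char *` to a literal invites an undefined-behaviour write that `const` would let the compiler reject. Combined with the `force_sig(SIGABRT)` added earlier in the series, a single denied pty access now terminates any of the five listed profiling daemons, so this table decides which processes get killed and must not reach a release build without a debug gate.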