From 5e213e268195c28636900a672d7c595f4297bd6e Mon Sep 17 00:00:00 2001 From: zhangjian22 <8904344+jakemiao@user.noreply.gitee.com> Date: Tue, 3 Jan 2023 13:46:12 +0000 Subject: [PATCH 1/3] =?UTF-8?q?update=20lib/ratelimit.c.=20=E6=89=93?= =?UTF-8?q?=E5=8D=B0selinux=20avc=E5=91=8A=E8=AD=A6=E6=A0=88=E4=BF=A1?= =?UTF-8?q?=E6=81=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zhangjian22 <8904344+jakemiao@user.noreply.gitee.com>
---
 lib/ratelimit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ratelimit.c b/lib/ratelimit.c
index ce945c17980b..67ef85dd0e0d 100644
--- a/lib/ratelimit.c
+++ b/lib/ratelimit.c
@@ -34,7 +34,7 @@ int ___ratelimit(struct ratelimit_state *rs, const char *func)
 int burst = READ_ONCE(rs->burst);
 unsigned long flags;
 int ret;
-
+ return 1;
 if (!interval)
 return 1;
-- Gitee From 2c656e82f6adcfbef9dfe184177dc9cbf9fc48fa Mon Sep 17 00:00:00 2001 From: zhangjian22 <8904344+jakemiao@user.noreply.gitee.com> Date: Tue, 3 Jan 2023 13:51:23 +0000 Subject: [PATCH 2/3] =?UTF-8?q?update=20security/selinux/avc.c.=20?= =?UTF-8?q?=E5=BC=80=E5=90=AFselinux=20avc=E6=89=93=E5=8D=B0=E8=B0=83?= =?UTF-8?q?=E7=94=A8=E6=A0=88?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zhangjian22 <8904344+jakemiao@user.noreply.gitee.com>
---
 security/selinux/avc.c | 45 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 41 insertions(+), 4 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 884a014ce2b8..9327632acd52 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
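Review bot: The unconditional `return 1;` placed before `if (!interval)` makes `___ratelimit()` report "not limited" for every `__ratelimit()` user in the kernel, not just the SELinux audit path, so any task that can provoke repeated AVC records (or repeated `printk_ratelimit()` messages) can flood the kernel log and audit queue without bound. It also leaves the remainder of the function, which continues past the hunk, unreachable, and the compiler will warn about it. If the aim is only to see every AVC record while debugging, raise the `interval`/`burst` of the specific `ratelimit_state` that is dropping them, or at minimum wrap the early return in a dedicated debug Kconfig guard so it cannot reach a production build.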
@@ -696,6 +696,10 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 audit_log_format(ab, " } for ");
 }
+static char* g_sctx[] = {"u:r:hitrace:s0", "u:r:hiperf:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0", "u:r:native_daemon:s0"};
+static char* g_tctx[] = {"u:object_r:devpts:s0", "u:object_r:devpts:s0", "u:object_r:devpts:s0", "u:object_r:devpts:s0", "u:object_r:devpts:s0"};
+static char* g_class[] = {"chr_file"};
+
 /**
 * avc_audit_post_callback - SELinux specific information
 * will be called by generic audit code
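Review bot: The three tables are declared `static char *`, so nothing stops later code from writing through them or reassigning the pointers, yet they only ever hold string literals; declare them `static const char * const g_sctx[] = { ... };` (likewise `g_tctx` and `g_class`), which is also the kernel's spelling of the pointer declarator. `g_tctx` is five copies of `"u:object_r:devpts:s0"` and `g_class` has a single entry, so a single `static const struct { const char *sctx, *tctx; } avc_trace_match[]` table, paired with one `tclass` comparison, would express the same filter without three parallel arrays that can drift out of step. These hard-coded `u:r:...` labels tie kernel behaviour to one specific policy, so the whole block belongs under a debug Kconfig guard rather than in an unconditional build.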
@@ -713,23 +717,56 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 u32 tcontext_len;
 int rc;
+ int match1 = 1;
+ int match2 = 1;
+ int match3 = 1;
+ int match4 = 1;
+ int match5 = 1;
+
 rc = security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len);
 if (rc)
 audit_log_format(ab, " ssid=%d", sad->ssid);
- else
- audit_log_format(ab, " scontext=%s", scontext);
+ else {
+ audit_log_format(ab, " scontext=%s", scontext);
+ match1 &= !strcmp(scontext, g_sctx[0]);
+ match2 &= !strcmp(scontext, g_sctx[1]);
+ match3 &= !strcmp(scontext, g_sctx[2]);
+ match4 &= !strcmp(scontext, g_sctx[3]);
+ match5 &= !strcmp(scontext, g_sctx[4]);
+ }
+
 rc = security_sid_to_context(sad->state, sad->tsid, &tcontext, &tcontext_len);
 if (rc)
 audit_log_format(ab, " tsid=%d", sad->tsid);
- else
- audit_log_format(ab, " tcontext=%s", tcontext);
+ else {
+ audit_log_format(ab, " tcontext=%s", tcontext);
+ match1 &= !strcmp(tcontext, g_tctx[0]);
+ match2 &= !strcmp(tcontext, g_tctx[1]);
+ match3 &= !strcmp(tcontext, g_tctx[2]);
+ match4 &= !strcmp(tcontext, g_tctx[3]);
+ match5 &= !strcmp(tcontext, g_tctx[4]);
+ }
+
 tclass = secclass_map[sad->tclass-1].name;
 audit_log_format(ab, " tclass=%s", tclass);
+ match1 &= !strcmp(tclass, g_class[0]);
+ match2 &= !strcmp(tclass, g_class[0]);
+ match3 &= !strcmp(tclass, g_class[0]);
+ match4 &= !strcmp(tclass, g_class[0]);
+ match5 &= !strcmp(tclass, g_class[0]);
+
+ if (match1 || match2 || match3 || match4 || match5) {
+ pr_info("================avc callback start=================");
+ dump_stack();
+ pr_info("================avc callback end, send signal=================");
+ force_sig(SIGABRT);
+ }
+
 if (sad->denied)
 audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
-- Gitee From 832a9a210f1df1cc30b7a55a9aca43096cfe822c Mon Sep 17 00:00:00 2001
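Review bot: `force_sig(SIGABRT)` fires for any audit record whose labels match, with no check of `sad->denied`, so auditallow (granted) records and permissive-mode records abort the task as well, and it is delivered to `current`, which for cred-based checks is not necessarily the task that owns `ssid`; it should at least be gated on `sad->denied`. The five match flags start at 1 and are only cleared inside the `else` branches, so when `security_sid_to_context()` fails for the source or target SID that comparison is silently skipped and a partial match on the remaining fields is enough to kill the task. The two `pr_info()` strings lack a trailing `\n`, so the kernel holds them as continuation fragments and they interleave badly with `dump_stack()`. The hand-unrolled `match1`..`match5` chain can be one loop over `ARRAY_SIZE(g_sctx)`; the rewrite below covers all three points, and the rest of `avc_audit_post_callback()` lies outside the hunk.

```c
	bool sctx_ok = false, tctx_ok = false, match = false;
	size_t i;

	/* … unchanged: ssid conversion and " ssid=%d" logging … */
	else {
		audit_log_format(ab, " scontext=%s", scontext);
		sctx_ok = true;
	}

	/* … unchanged: tsid conversion and " tsid=%d" logging … */
	else {
		audit_log_format(ab, " tcontext=%s", tcontext);
		tctx_ok = true;
	}

	tclass = secclass_map[sad->tclass-1].name;
	audit_log_format(ab, " tclass=%s", tclass);

	/* Only act on real denials, and only when both contexts resolved. */
	if (sad->denied && sctx_ok && tctx_ok && !strcmp(tclass, g_class[0])) {
		for (i = 0; i < ARRAY_SIZE(g_sctx); i++) {
			if (!strcmp(scontext, g_sctx[i]) &&
			    !strcmp(tcontext, g_tctx[i])) {
				match = true;
				break;
			}
		}
	}

	if (match) {
		pr_info("================avc callback start=================\n");
		dump_stack();
		pr_info("================avc callback end, send signal=================\n");
		force_sig(SIGABRT);
	}
	/* … unchanged: " permissive=%u" logging … */
```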
From: zhangjian22 <8904344+jakemiao@user.noreply.gitee.com> Date: Wed, 4 Jan 2023 02:16:06 +0000 Subject: [PATCH 3/3] =?UTF-8?q?update=20security/selinux/avc.c.=20avc?= =?UTF-8?q?=E5=91=8A=E8=AD=A6=E6=89=93=E5=8D=B0=E8=B0=83=E7=94=A8=E6=A0=88?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zhangjian22 <8904344+jakemiao@user.noreply.gitee.com>
---
 security/selinux/avc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 9327632acd52..a45a7fbf3bd8 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -696,9 +696,9 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 audit_log_format(ab, " } for ");
 }
-static char* g_sctx[] = {"u:r:hitrace:s0", "u:r:hiperf:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0", "u:r:native_daemon:s0"};
-static char* g_tctx[] = {"u:object_r:devpts:s0", "u:object_r:devpts:s0", "u:object_r:devpts:s0", "u:object_r:devpts:s0", "u:object_r:devpts:s0"};
-static char* g_class[] = {"chr_file"};
+static char* g_sctx[] = {"u:r:hiperf:s0", "u:r:hiperf:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0", "u:r:native_daemon:s0"};
+static char* g_tctx[] = {"u:r:hiperf:s0", "u:r:hiperf:s0", "u:r:hiprofiler_cmd:s0", "u:r:hiprofiler_plugins:s0", "u:r:native_daemon:s0"};
+static char* g_class[] = {"capability"};
 /**
 * avc_audit_post_callback - SELinux specific information
-- Gitee
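Review bot: `g_sctx` now lists `"u:r:hiperf:s0"` twice (entries 0 and 1), so two of the five match variables in `avc_audit_post_callback()` compute the same result; either the duplicate should go or the `"u:r:hitrace:s0"` entry this commit dropped was removed by mistake. With `g_class` switched to `"capability"` the target SID is, for capability checks, presumably the subject's own SID, which would explain why `g_tctx` is now a verbatim copy of `g_sctx`; if that holds, the `tcontext` comparison adds nothing and one table would do. The tables are still `static char *`; `static const char * const g_sctx[] = { ... };` is the right qualifier for string literals that are never written.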