Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/2.6.36/4440_selinux-avc_audit-log-curr_ip.patch
diff options
context:
space:
mode:
Diffstat (limited to '2.6.36/4440_selinux-avc_audit-log-curr_ip.patch')
-rw-r--r--2.6.36/4440_selinux-avc_audit-log-curr_ip.patch65
1 files changed, 65 insertions, 0 deletions
diff --git a/2.6.36/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.36/4440_selinux-avc_audit-log-curr_ip.patch
new file mode 100644
index 0000000..a0e0dfa
--- /dev/null
+++ b/2.6.36/4440_selinux-avc_audit-log-curr_ip.patch
@@ -0,0 +1,65 @@
+From: Gordon Malm <gengor@gentoo.org>
+
+This is a reworked version of the original
+*_selinux-avc_audit-log-curr_ip.patch carried in earlier releases of
+hardened-sources.
+
+Dropping the patch, or simply fixing the #ifdef of the original patch
+could break automated logging setups so this route was necessary.
+
+Suggestions for improving the help text are welcome.
+
+The original patch's description is still accurate and included below.
+
+---
+Provides support for a new field ipaddr within the SELinux
+AVC audit log, relying in task_struct->curr_ip (ipv4 only)
+provided by grSecurity patch to be applied before.
+
+Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
+---
+
+--- a/grsecurity/Kconfig
++++ b/grsecurity/Kconfig
+@@ -1380,6 +1380,27 @@
+ menu "Logging Options"
+ depends on GRKERNSEC
+
++config GRKERNSEC_SELINUX_AVC_LOG_IPADDR
++ def_bool n
++ prompt "Add source IP address to SELinux AVC log messages"
++ depends on GRKERNSEC && SECURITY_SELINUX
++ help
++ If you say Y here, a new field "ipaddr=" will be added to many SELinux
++ AVC log messages. The value of this field in any given message
++ represents the source IP address of the remote machine/user that created
++ the offending process.
++
++ This information is sourced from task_struct->curr_ip provided by
++ grsecurity's GRKERNSEC top-level configuration option. One limitation
++ is that only IPv4 is supported.
++
++ In many instances SELinux AVC log messages already log a superior level
++ of information that also includes source port and destination ip/port.
++ Additionally, SELinux's AVC log code supports IPv6.
++
++ However, grsecurity's task_struct->curr_ip will sometimes (often?)
++ provide the offender's IP address where stock SELinux logging fails to.
++
+ config GRKERNSEC_FLOODTIME
+ int "Seconds in between log messages (minimum)"
+ default 10
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -143,6 +143,11 @@ static void avc_dump_query(struct audit_
+ char *scontext;
+ u32 scontext_len;
+
++#ifdef CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR
++ if (current->signal->curr_ip)
++ audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip));
++#endif
++
+ rc = security_sid_to_context(ssid, &scontext, &scontext_len);
+ if (rc)
+ audit_log_format(ab, "ssid=%d", ssid);