* [PATCH v2] selinux: add tracepoint on denials
@ 2020-07-28 13:01 Thiébaud Weksteen
From: Thiébaud Weksteen @ 2020-07-28 13:01 UTC (permalink / raw)
  To: Paul Moore
  Cc: Nick Kralevich, Thiébaud Weksteen, Joel Fernandes,
	Stephen Smalley, Eric Paris, Steven Rostedt, Ingo Molnar,
	Mauro Carvalho Chehab, David S. Miller, Rob Herring,
	linux-kernel, selinux

The audit data currently captures which process and which target
is responsible for a denial. There is no data on where exactly in the
process that call occurred. Debugging can be made easier by being able to
reconstruct the unified kernel and userland stack traces [1]. Add a
tracepoint on the SELinux denials which can then be used by userland
(i.e. perf).

Although this patch could manually be added by each OS developer to
troubleshoot a denial, adding it to the kernel streamlines the
developers' workflow.

[1] https://source.android.com/devices/tech/debug/native_stack_dump

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Signed-off-by: Joel Fernandes <joelaf@google.com>
---
Changes in v2:
- Replace %d formatter with %x
- Replace TRACE_EVENT with TRACE_EVENT_CONDITION
- Add pid to structure and printk
- Rename structure fields for clarity


 MAINTAINERS                    |  1 +
 include/trace/events/selinux.h | 39 ++++++++++++++++++++++++++++++++++
 security/selinux/avc.c         |  5 +++++
 3 files changed, 45 insertions(+)
 create mode 100644 include/trace/events/selinux.h

diff --git a/MAINTAINERS b/MAINTAINERS
index f0569cf304ca..0f74c8f073ab 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -15369,6 +15369,7 @@ T:	git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
 F:	Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
 F:	Documentation/ABI/obsolete/sysfs-selinux-disable
 F:	Documentation/admin-guide/LSM/SELinux.rst
+F:	include/trace/events/selinux.h
 F:	include/uapi/linux/selinux_netlink.h
 F:	scripts/selinux/
 F:	security/selinux/
diff --git a/include/trace/events/selinux.h b/include/trace/events/selinux.h
new file mode 100644
index 000000000000..287e1ecb4451
--- /dev/null
+++ b/include/trace/events/selinux.h
@@ -0,0 +1,39 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM selinux
+
+#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_SELINUX_H
+
+#include <linux/tracepoint.h>
+
+TRACE_EVENT_CONDITION(selinux_denied,
+
+	TP_PROTO(struct selinux_audit_data *sad, pid_t pid),
+
+	TP_ARGS(sad, pid),
+
+	TP_CONDITION(sad->denied),
+
+	TP_STRUCT__entry(
+		__field(pid_t, pid)
+		__field(int, tclass)
+		__field(int, audited)
+	),
+
+	TP_fast_assign(
+		__entry->pid = pid;
+		__entry->tclass = sad->tclass;
+		__entry->audited = sad->audited;
+	),
+
+	TP_printk("denied pid=%d tclass=%x audited=%x",
+		__entry->pid,
+		__entry->tclass,
+		__entry->audited)
+);
+
+#endif
+
+/* This part must be outside protection */
+#include <trace/define_trace.h>
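Review bot: the TP_PROTO at `struct selinux_audit_data *sad` names a type this header never declares; it only includes <linux/tracepoint.h>, so the header compiles only because avc.c happens to have the definition in scope before including it. Add a forward declaration (`struct selinux_audit_data;`) after the tracepoint include so the header stands on its own, as other trace event headers do. Two smaller points: the entry fields `__field(int, tclass)` and `__field(int, audited)` should use the same types as the source fields in struct selinux_audit_data rather than plain int, and the trailing `#endif` would be easier to match with a `/* _TRACE_SELINUX_H */` comment.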
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index d18cb32a242a..ca8206f38d8a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -31,6 +31,9 @@
 #include "avc_ss.h"
 #include "classmap.h"
 
+#define CREATE_TRACE_POINTS
+#include <trace/events/selinux.h>
+
 #define AVC_CACHE_SLOTS			512
 #define AVC_DEF_CACHE_THRESHOLD		512
 #define AVC_CACHE_RECLAIM		16
@@ -665,6 +668,8 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 	const char **perms;
 	int i, perm;
 
+	trace_selinux_denied(sad, task_tgid_nr(current));
+
 	audit_log_format(ab, "avc:  %s ", sad->denied ? "denied" : "granted");
 
 	if (av == 0) {
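Review bot: because `trace_selinux_denied()` is called from avc_audit_pre_callback(), it only fires for denials that actually produce an audit record; denials silenced by dontaudit rules never reach this callback and so never reach the tracepoint. That limitation should be stated in the commit message, since the motivation is reconstructing stack traces for "the SELinux denials" in general. Also worth noting that the trace event already carries the calling thread's pid in its common fields, so the explicit `task_tgid_nr(current)` argument is useful precisely because it records the thread group id rather than the thread id; a short comment above the call would make that intent clear.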
-- 
2.28.0.rc0.142.g3c755180ce-goog

