From: "Thiébaud Weksteen" <tweek@google.com>
To: Paul Moore <paul@paul-moore.com>
Cc: "Nick Kralevich" <nnk@google.com>,
"Thiébaud Weksteen" <tweek@google.com>,
"Joel Fernandes" <joelaf@google.com>,
"Peter Enderborg" <peter.enderborg@sony.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Eric Paris" <eparis@parisplace.org>,
"Steven Rostedt" <rostedt@goodmis.org>,
"Ingo Molnar" <mingo@redhat.com>,
"Mauro Carvalho Chehab" <mchehab+huawei@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
"Rob Herring" <robh@kernel.org>,
linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH v3 1/3] selinux: add tracepoint on audited events
Date: Mon, 17 Aug 2020 19:07:12 +0200 [thread overview]
Message-ID: <20200817170729.2605279-2-tweek@google.com> (raw)
In-Reply-To: <20200817170729.2605279-1-tweek@google.com>
The audit data currently captures which process and which target
is responsible for a denial. There is no data on where exactly in the
process that call occurred. Debugging can be made easier by being able to
reconstruct the unified kernel and userland stack traces [1]. Add a
tracepoint on the SELinux denials which can then be used by userland
(i.e. perf).
Although this patch could manually be added by each OS developer to
trouble shoot a denial, adding it to the kernel streamlines the
developers workflow.
It is possible to use perf for monitoring the event:
# perf record -e avc:selinux_audited -g -a
^C
# perf report -g
[...]
6.40% 6.40% audited=800000 tclass=4
|
__libc_start_main
|
|--4.60%--__GI___ioctl
| entry_SYSCALL_64
| do_syscall_64
| __x64_sys_ioctl
| ksys_ioctl
| binder_ioctl
| binder_set_nice
| can_nice
| capable
| security_capable
| cred_has_capability.isra.0
| slow_avc_audit
| common_lsm_audit
| avc_audit_post_callback
| avc_audit_post_callback
|
It is also possible to use the ftrace interface:
# echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable
# cat /sys/kernel/debug/tracing/trace
tracer: nop
entries-in-buffer/entries-written: 1/1 #P:8
[...]
dmesg-3624 [001] 13072.325358: selinux_denied: audited=800000 tclass=4
The tclass value can be mapped to a class by searching
security/selinux/flask.h. The audited value is a bit field of the
permissions described in security/selinux/av_permissions.h for the
corresponding class.
[1] https://source.android.com/devices/tech/debug/native_stack_dump
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Suggested-by: Joel Fernandes <joelaf@google.com>
Reviewed-by: Peter Enderborg <peter.enderborg@sony.com>
---
MAINTAINERS | 1 +
include/trace/events/avc.h | 37 +++++++++++++++++++++++++++++++++++++
security/selinux/avc.c | 5 +++++
3 files changed, 43 insertions(+)
create mode 100644 include/trace/events/avc.h
diff --git a/MAINTAINERS b/MAINTAINERS
index c8e8232c65da..0efaea0e144c 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -15426,6 +15426,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
F: Documentation/ABI/obsolete/sysfs-selinux-disable
F: Documentation/admin-guide/LSM/SELinux.rst
+F: include/trace/events/avc.h
F: include/uapi/linux/selinux_netlink.h
F: scripts/selinux/
F: security/selinux/
diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h
new file mode 100644
index 000000000000..07c058a9bbcd
--- /dev/null
+++ b/include/trace/events/avc.h
@@ -0,0 +1,37 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Author: Thiébaud Weksteen <tweek@google.com>
+ */
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM avc
+
+#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_SELINUX_H
+
+#include <linux/tracepoint.h>
+
+TRACE_EVENT(selinux_audited,
+
+ TP_PROTO(struct selinux_audit_data *sad),
+
+ TP_ARGS(sad),
+
+ TP_STRUCT__entry(
+ __field(unsigned int, tclass)
+ __field(unsigned int, audited)
+ ),
+
+ TP_fast_assign(
+ __entry->tclass = sad->tclass;
+ __entry->audited = sad->audited;
+ ),
+
+ TP_printk("tclass=%u audited=%x",
+ __entry->tclass,
+ __entry->audited)
+);
+
+#endif
+
+/* This part must be outside protection */
+#include <trace/define_trace.h>
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index d18cb32a242a..b0a0af778b70 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -31,6 +31,9 @@
#include "avc_ss.h"
#include "classmap.h"
+#define CREATE_TRACE_POINTS
+#include <trace/events/avc.h>
+
#define AVC_CACHE_SLOTS 512
#define AVC_DEF_CACHE_THRESHOLD 512
#define AVC_CACHE_RECLAIM 16
@@ -706,6 +709,8 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
u32 scontext_len;
int rc;
+ trace_selinux_audited(sad);
+
rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
&scontext_len);
if (rc)
--
2.28.0.220.ged08abb693-goog
next prev parent reply other threads:[~2020-08-17 17:29 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-17 17:07 [PATCH v3 0/3] selinux: add detailed tracepoint on audited events Thiébaud Weksteen
2020-08-17 17:07 ` Thiébaud Weksteen [this message]
2020-08-18 14:31 ` [PATCH v3 1/3] selinux: add " Stephen Smalley
2020-08-17 17:07 ` [PATCH v3 2/3] selinux: add basic filtering for audit trace events Thiébaud Weksteen
2020-08-18 14:36 ` Stephen Smalley
2020-08-17 17:07 ` [PATCH v3 3/3] selinux: add permission names to trace event Thiébaud Weksteen
2020-08-17 20:13 ` Stephen Smalley
2020-08-17 20:29 ` Steven Rostedt
2020-08-18 16:09 ` Steven Rostedt
2020-08-19 13:11 ` Stephen Smalley
2020-08-21 2:31 ` Steven Rostedt
2020-08-21 12:29 ` Stephen Smalley
2020-08-21 13:19 ` Paul Moore
2020-08-21 13:39 ` peter enderborg
[not found] ` <CA+zpnLfNjDwxgoG2p3W8YfXxYVQDum4Eh_MJQvKP4rGLqsqACA@mail.gmail.com>
2020-08-21 13:46 ` Paul Moore
2020-08-17 20:16 ` Stephen Smalley
2020-08-18 8:11 ` peter enderborg
2020-08-18 12:13 ` Stephen Smalley
2020-08-21 2:22 ` Paul Moore
2020-08-21 5:53 ` peter enderborg
2020-08-21 12:14 ` Stephen Smalley
2020-08-21 13:10 ` Paul Moore
[not found] ` <20200824132252.31261-1-peter.enderborg@sony.com>
2020-08-24 13:22 ` [RFC PATCH] selinux: Add denied trace with permssion filter Peter Enderborg
2020-08-26 13:42 ` Paul Moore
2020-08-26 14:34 ` peter enderborg
2020-08-26 14:45 ` Paul Moore
2020-08-26 15:06 ` peter enderborg
2020-08-27 13:30 ` Paul Moore
2020-08-27 14:04 ` peter enderborg
2020-08-31 14:16 ` Paul Moore
2020-08-31 14:19 ` Robert Judy
2020-08-31 14:24 ` Paul Moore
2020-08-31 15:34 ` peter enderborg
2020-09-01 15:31 ` Paul Moore
2020-09-01 17:18 ` peter enderborg
2020-09-18 1:47 ` Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200817170729.2605279-2-tweek@google.com \
--to=tweek@google.com \
--cc=davem@davemloft.net \
--cc=eparis@parisplace.org \
--cc=joelaf@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=mingo@redhat.com \
--cc=nnk@google.com \
--cc=paul@paul-moore.com \
--cc=peter.enderborg@sony.com \
--cc=robh@kernel.org \
--cc=rostedt@goodmis.org \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.