From: "Thiébaud Weksteen" <tweek@google.com>
To: Paul Moore <paul@paul-moore.com>,
Steven Rostedt <rostedt@goodmis.org>,
Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Nick Kralevich <nnk@google.com>,
Joel Fernandes <joelaf@google.com>,
Eric Paris <eparis@parisplace.org>,
Ingo Molnar <mingo@redhat.com>,
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Rob Herring <robh@kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH] selinux: add tracepoint on denials
Date: Tue, 28 Jul 2020 14:49:24 +0200 [thread overview]
Message-ID: <CA+zpnLfczC=9HQA8s1oBGKGQO+OkuydF85o89dhSxdOyKBHMgg@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhS4aXD8kcXnQ2MsYvjc--xXSUpsM1xtgq3X5DBT59ohhw@mail.gmail.com>
Thanks for the review! I'll send a new revision of the patch with the
%x formatter and using the TP_CONDITION macro.
On adding further information to the trace event, I would prefer
adding the strict minimum to be able to correlate the event with the
avc message. The reason is that tracevents have a fixed size (see
https://www.kernel.org/doc/Documentation/trace/events.txt). For
instance, we would need to decide on a maximum size for the string
representation of the list of permissions. This would also duplicate
the reporting done in the avc audit event. I'll simply add the pid as
part of the printk, which should be sufficient for the correlation.
On Fri, Jul 24, 2020 at 3:55 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Fri, Jul 24, 2020 at 9:32 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> > On Fri, Jul 24, 2020 at 5:15 AM Thiébaud Weksteen <tweek@google.com> wrote:
> > > The audit data currently captures which process and which target
> > > is responsible for a denial. There is no data on where exactly in the
> > > process that call occurred. Debugging can be made easier by being able to
> > > reconstruct the unified kernel and userland stack traces [1]. Add a
> > > tracepoint on the SELinux denials which can then be used by userland
> > > (i.e. perf).
> > >
> > > Although this patch could manually be added by each OS developer to
> > > trouble shoot a denial, adding it to the kernel streamlines the
> > > developers workflow.
> > >
> > > [1] https://source.android.com/devices/tech/debug/native_stack_dump
> > >
> > > Signed-off-by: Thiébaud Weksteen <tweek@google.com>
> > > Signed-off-by: Joel Fernandes <joelaf@google.com>
> > > ---
> > > MAINTAINERS | 1 +
> > > include/trace/events/selinux.h | 35 ++++++++++++++++++++++++++++++++++
> > > security/selinux/avc.c | 6 ++++++
> > > 3 files changed, 42 insertions(+)
> > > create mode 100644 include/trace/events/selinux.h
> > >
> > > diff --git a/MAINTAINERS b/MAINTAINERS
> > > index e64cdde81851..6b6cd5e13537 100644
> > > --- a/MAINTAINERS
> > > +++ b/MAINTAINERS
> > > @@ -15358,6 +15358,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
> > > F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
> > > F: Documentation/ABI/obsolete/sysfs-selinux-disable
> > > F: Documentation/admin-guide/LSM/SELinux.rst
> > > +F: include/trace/events/selinux.h
> > > F: include/uapi/linux/selinux_netlink.h
> > > F: scripts/selinux/
> > > F: security/selinux/
> > > diff --git a/include/trace/events/selinux.h b/include/trace/events/selinux.h
> > > new file mode 100644
> > > index 000000000000..e247187a8135
> > > --- /dev/null
> > > +++ b/include/trace/events/selinux.h
> > > @@ -0,0 +1,35 @@
> > > +/* SPDX-License-Identifier: GPL-2.0 */
> > > +#undef TRACE_SYSTEM
> > > +#define TRACE_SYSTEM selinux
> > > +
> > > +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ)
> > > +#define _TRACE_SELINUX_H
> > > +
> > > +#include <linux/ktime.h>
> > > +#include <linux/tracepoint.h>
> > > +
> > > +TRACE_EVENT(selinux_denied,
> > > +
> > > + TP_PROTO(int cls, int av),
> > > +
> > > + TP_ARGS(cls, av),
> > > +
> > > + TP_STRUCT__entry(
> > > + __field(int, cls)
> > > + __field(int, av)
> > > + ),
> > > +
> > > + TP_fast_assign(
> > > + __entry->cls = cls;
> > > + __entry->av = av;
> > > + ),
> > > +
> > > + TP_printk("denied %d %d",
> > > + __entry->cls,
> > > + __entry->av)
> > > +);
> >
> > I would think you would want to log av as %x for easier interpretation
> > especially when there are multiple permissions being checked at once
> > (which can happen). Also both cls and av would properly be unsigned
> > values. Only other question I have is whether it would be beneficial
> > to include other information here to help uniquely identify/correlate
> > the denial with the avc: message and whether any decoding of the
> > class, av, or other information could/should be done here versus in
> > some userland helper.
>
> It does seem like at the very least it would be nice to see the av as
> hex values instead of integers, e.g. "%x" in the TP_printk() call.
> Considering this patch is about making dev's lives easier, I tend to
> agree with Stephen questioning if you should go a step further and
> convert both the class and av values into string representations.
>
> --
> paul moore
> www.paul-moore.com
next prev parent reply other threads:[~2020-07-28 12:49 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-24 9:15 [PATCH] selinux: add tracepoint on denials Thiébaud Weksteen
2020-07-24 13:32 ` Stephen Smalley
2020-07-24 13:54 ` Paul Moore
2020-07-28 12:49 ` Thiébaud Weksteen [this message]
2020-07-28 13:04 ` Stephen Smalley
2020-07-28 13:19 ` Thiébaud Weksteen
2020-07-28 13:12 ` Steven Rostedt
2020-07-28 13:23 ` Thiébaud Weksteen
2020-07-28 15:12 ` Paul Moore
2020-07-28 16:02 ` Thiébaud Weksteen
2020-07-28 16:19 ` Stephen Smalley
2020-07-28 16:20 ` Paul Moore
2020-07-30 15:50 ` Thiébaud Weksteen
2020-07-30 8:03 ` peter enderborg
2020-07-24 13:52 ` Steven Rostedt
2020-07-30 14:29 ` [PATCH] RFC: selinux avc trace peter enderborg
2020-07-30 14:50 ` Stephen Smalley
2020-07-30 15:47 ` peter enderborg
2020-07-30 15:04 ` Steven Rostedt
2020-07-30 15:31 ` peter enderborg
2020-07-30 16:02 ` Steven Rostedt
2020-07-30 17:05 ` peter enderborg
2020-07-30 17:16 ` Steven Rostedt
2020-07-30 19:12 ` peter enderborg
2020-07-30 19:29 ` Steven Rostedt
2020-07-30 19:50 ` peter enderborg
2020-07-31 11:07 ` Thiébaud Weksteen
2020-07-28 15:22 ` [PATCH] selinux: add tracepoint on denials Joel Fernandes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+zpnLfczC=9HQA8s1oBGKGQO+OkuydF85o89dhSxdOyKBHMgg@mail.gmail.com' \
--to=tweek@google.com \
--cc=davem@davemloft.net \
--cc=eparis@parisplace.org \
--cc=joelaf@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=mingo@redhat.com \
--cc=nnk@google.com \
--cc=paul@paul-moore.com \
--cc=robh@kernel.org \
--cc=rostedt@goodmis.org \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).