From: "Thiébaud Weksteen" <tweek@google.com>
To: Paul Moore <paul@paul-moore.com>,
peter enderborg <peter.enderborg@sony.com>
Cc: Steven Rostedt <rostedt@goodmis.org>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Nick Kralevich <nnk@google.com>,
Joel Fernandes <joelaf@google.com>,
Eric Paris <eparis@parisplace.org>,
Ingo Molnar <mingo@redhat.com>,
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Rob Herring <robh@kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH] selinux: add tracepoint on denials
Date: Thu, 30 Jul 2020 17:50:11 +0200 [thread overview]
Message-ID: <CA+zpnLfgqY-ZgaBFoBN0_VATU-YM4jQ-1nBuD1Cv_nT-pqg9yQ@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhReYQwxvHeJ8jAUKZ8P+N2yyGNN3rGRb_9t7hZpW=+HVQ@mail.gmail.com>
On Tue, Jul 28, 2020 at 6:20 PM Paul Moore <paul@paul-moore.com> wrote:
> I probably wasn't as clear as I should have been. I think it would be
> helpful if you demonstrated how one would take the SELinux data in the
> perf event and translated that into something meaningful.
So the data itself is not that relevant. What is important is the
ability to hook the kernel at the right location, at the right time.
Here is an example on how this patch can be used on Android
(simpleperf is the Android equivalent of perf), running dmesg as the
shell user which is not permitted:
# simpleperf record -e selinux:selinux_denied -a -g --duration 10
# simpleperf report -g --full-callgraph
Cmdline: /system/bin/simpleperf record -e selinux:selinux_denied -a -g
--duration 10
Arch: arm64
Event: selinux:selinux_denied (type 2, config 493)
Samples: 1
Event count: 1
Children Self Command Pid Tid Shared Object
Symbol
100.00% 0.00% dmesg 3511 3511
/apex/com.android.runtime/lib64/bionic/libc.so __libc_init
|
-- __libc_init
|
-- main
toybox_main
toy_exec_which
dmesg_main
klogctl
el0_svc_naked
sys_syslog
do_syslog
security_syslog
selinux_syslog
avc_has_perm
slow_avc_audit
common_lsm_audit
avc_audit_pre_callback
You can see the combined user and kernel stacks which is useful to
understand where and why the denial happened.
The key point is that simpleperf is doing the heavy work (i.e names
resolution), while the kernel only shares the strict minimum for that
to happen.
This can be correlated with the pid of the avc denial message (I'm
assuming we are trouble shooting one specific denial).
It is also possible to manually use ftrace. For instance, after
enabling and triggering the denial:
bonito:/sys/kernel/debug/tracing # cat trace
# tracer: nop
#
# entries-in-buffer/entries-written: 1/1 #P:8
#
# _-----=> irqs-off
# / _----=> need-resched
# | / _---=> hardirq/softirq
# || / _--=> preempt-depth
# ||| / delay
# TASK-PID CPU# |||| TIMESTAMP FUNCTION
# | | | |||| | |
dmesg-3624 [001] .... 13072.325358: selinux_denied: denied
pid=3624 tclass=4 audited=2
This can be correlated with the following avc denial:
[ 2180.183062] type=1400 audit(1596111144.026:27): avc: denied {
syslog_read } for comm="dmesg" scontext=u:r:shell:s0
tcontext=u:r:kernel:s0 tclass=system permissive=0
Here, there is limited value of having that tracepoint as we are only
duplicating the avc message content.
Nevertheless, the filtering part of Peter's patch would be useful to
be more precise on which denial we are targeting (I'll reply to the
other thread as well).
I hope this clarifies the usage. Thanks.
next prev parent reply other threads:[~2020-07-30 15:50 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-24 9:15 [PATCH] selinux: add tracepoint on denials Thiébaud Weksteen
2020-07-24 13:32 ` Stephen Smalley
2020-07-24 13:54 ` Paul Moore
2020-07-28 12:49 ` Thiébaud Weksteen
2020-07-28 13:04 ` Stephen Smalley
2020-07-28 13:19 ` Thiébaud Weksteen
2020-07-28 13:12 ` Steven Rostedt
2020-07-28 13:23 ` Thiébaud Weksteen
2020-07-28 15:12 ` Paul Moore
2020-07-28 16:02 ` Thiébaud Weksteen
2020-07-28 16:19 ` Stephen Smalley
2020-07-28 16:20 ` Paul Moore
2020-07-30 15:50 ` Thiébaud Weksteen [this message]
2020-07-30 8:03 ` peter enderborg
2020-07-24 13:52 ` Steven Rostedt
2020-07-30 14:29 ` [PATCH] RFC: selinux avc trace peter enderborg
2020-07-30 14:50 ` Stephen Smalley
2020-07-30 15:47 ` peter enderborg
2020-07-30 15:04 ` Steven Rostedt
2020-07-30 15:31 ` peter enderborg
2020-07-30 16:02 ` Steven Rostedt
2020-07-30 17:05 ` peter enderborg
2020-07-30 17:16 ` Steven Rostedt
2020-07-30 19:12 ` peter enderborg
2020-07-30 19:29 ` Steven Rostedt
2020-07-30 19:50 ` peter enderborg
2020-07-31 11:07 ` Thiébaud Weksteen
2020-07-28 15:22 ` [PATCH] selinux: add tracepoint on denials Joel Fernandes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+zpnLfgqY-ZgaBFoBN0_VATU-YM4jQ-1nBuD1Cv_nT-pqg9yQ@mail.gmail.com \
--to=tweek@google.com \
--cc=davem@davemloft.net \
--cc=eparis@parisplace.org \
--cc=joelaf@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=mingo@redhat.com \
--cc=nnk@google.com \
--cc=paul@paul-moore.com \
--cc=peter.enderborg@sony.com \
--cc=robh@kernel.org \
--cc=rostedt@goodmis.org \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).