From: Stephen Smalley <sds@tycho.nsa.gov>
To: Zhi Xin <xinzhi@marvell.com>,
	"selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>
Cc: "seandroid-list@tycho.nsa.gov" <seandroid-list@tycho.nsa.gov>
Subject: Re: Give out all the avc logs in ome time
Date: Tue, 05 May 2015 08:41:57 -0400	[thread overview]
Message-ID: <5548BA95.2040908@tycho.nsa.gov> (raw)
In-Reply-To: <F766E4F80769BD478052FB6533FA745D66611C3FD9@SC-VEXCH4.marvell.com>

On 05/04/2015 10:06 PM, Zhi Xin wrote:
> Hi All,
> 
> In my daily work, I'm always solving the selinux denials as presented by
> the avc log. But I found that, for one particular test, selinux cannot
> give me all the avc deny logs at one time, which has slowed down a lot of
> my daily work.
> 
> For example, I trigger a process called test_daemon to access
> /dev/test_device in a particular test. In total, it should need the "open,
> read, write, ioctl" permissions. But for a single test run, I only catch
> the "open, read" related avc log. Only after I have merged a patch to
> grant the "open" and "read" permissions and rerun the test do the "write,
> ioctl" related avc logs start to occur. So my question is how I can get
> the "open, read, write, ioctl" avc logs in one test.
> 
> I have done a little study on this issue. The selinux avc log depends on
> the audit subsystem. In /kernel/kernel/audit.c, a comment indicates that
> we may lose records in five ways:
> 
> /* Records can be lost in several ways:
>    0) [suppressed in audit_alloc]
>    1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
>    2) out of memory in audit_log_move [alloc_skb]
>    3) suppressed due to audit_rate_limit
>    4) suppressed due to audit_backlog_limit
> */
> 
> So is this the root cause of my issue? How can I modify the kernel code to
> achieve my purpose, or is there already an on/off switch to help me get
> all the logs in one test run?

(cc'ing seandroid-list as you later mentioned that you are encountering
this in the context of Android, although I don't know if it is truly
specific to Android)

Generally you should see audit_lost= log messages in dmesg if audit log
messages were lost, although those are also subject to the printk
ratelimit and could be suppressed.

One thing you can try is to disable the audit ratelimit, which in
Android is set by system/core/logd/libaudit.c.  Just remove the
AUDIT_STATUS_RATE_LIMIT flag from status.mask and don't bother setting
status.rate_limit.

We also carry a patch in our kernel branches for Nexus devices that
disables the printk ratelimit for audit messages. e.g.
https://bitbucket.org/seandroid/kernel-msm/commits/0388e1630648c481e42929135babb1dbba272e27
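An added check, not part of the thread, for the audit_lost= messages Stephen refers to: it parses a constructed dmesg excerpt in the format kernel/audit.c prints and reports whether the audit rate limit or backlog limit is in play. The sample lines and their numbers are made up.

```python
import re

# Warning printed by audit_log_lost() in kernel/audit.c. audit_lost is a
# cumulative counter, so the latest value seen is the running total.
LOST_RE = re.compile(
    r"audit: audit_lost=(\d+) audit_rate_limit=(\d+) audit_backlog_limit=(\d+)"
)
# printk's own ratelimit note: if present, some loss warnings were dropped too.
SUPPRESSED_RE = re.compile(r"(\d+) callbacks suppressed")


def analyze_dmesg(lines):
    """Summarise audit record loss visible in an iterable of dmesg lines."""
    report = {"loss_warnings": 0, "total_lost": 0, "rate_limit": None,
              "backlog_limit": None, "suppressed_warnings": 0}
    for line in lines:
        m = LOST_RE.search(line)
        if m:
            lost, rate, backlog = (int(g) for g in m.groups())
            report["loss_warnings"] += 1
            report["total_lost"] = max(report["total_lost"], lost)
            report["rate_limit"], report["backlog_limit"] = rate, backlog
        elif (s := SUPPRESSED_RE.search(line)):
            report["suppressed_warnings"] += int(s.group(1))
    return report


def diagnose(report):
    """Map a report onto the loss causes listed in the audit.c comment."""
    if report["loss_warnings"] == 0:
        if report["suppressed_warnings"]:
            return "no loss warning visible, but printk suppressed messages"
        return "no audit record loss reported"
    causes = []
    if report["rate_limit"]:  # 0 means the kernel rate limit is off
        causes.append("audit_rate_limit=%d/s is active (AUDIT_STATUS_RATE_LIMIT "
                      "was set by userspace)" % report["rate_limit"])
    if report["backlog_limit"]:
        causes.append("audit_backlog_limit=%d may be exhausted" % report["backlog_limit"])
    return "%d records lost; %s" % (report["total_lost"], "; ".join(causes)
                                    or "limits are off; loss must be an allocation failure")


# Constructed sample excerpt: message formats follow audit.c, values are made up.
SAMPLE_DMESG = [
    '[  12.345678] type=1400 audit(1430790000.123:45): avc: denied { open } for pid=812 comm="test_daemon"',
    "[  12.345901] audit: audit_lost=3 audit_rate_limit=20 audit_backlog_limit=64",
    "[  12.345999] audit: rate limit exceeded",
    "[  13.100000] audit: audit_lost=7 audit_rate_limit=20 audit_backlog_limit=64",
    "[  13.200000] audit_log_lost: 9 callbacks suppressed",
]
```

Run it over `dmesg` output after the failing test; if it reports an active rate limit, that is the AUDIT_STATUS_RATE_LIMIT setting from libaudit.c mentioned above.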
