Date: Mon, 17 Aug 2020 19:07:12 +0200
In-Reply-To: <20200817170729.2605279-1-tweek@google.com>
Message-Id: <20200817170729.2605279-2-tweek@google.com>
References: <20200817170729.2605279-1-tweek@google.com>
Subject: [PATCH v3 1/3] selinux: add tracepoint on audited events
From: Thiébaud Weksteen
To: Paul Moore
Cc: Nick Kralevich, Thiébaud Weksteen, Joel Fernandes, Peter Enderborg, Stephen Smalley, Eric Paris, Steven Rostedt, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, linux-kernel@vger.kernel.org, selinux@vger.kernel.org

The audit data currently captures which process and which target is
responsible for a denial. There is no data on where exactly in the process
that call occurred. Debugging can be made easier by being able to
reconstruct the unified kernel and userland stack traces [1].

Add a tracepoint on the SELinux denials which can then be used by userland
(i.e. perf). Although this patch could manually be added by each OS
developer to troubleshoot a denial, adding it to the kernel streamlines the
developer's workflow.

It is possible to use perf for monitoring the event:

  # perf record -e avc:selinux_audited -g -a
  ^C
  # perf report -g
  [...]
     6.40%     6.40%  audited=800000 tclass=4
            |
            ---__libc_start_main
               |
               |--4.60%--__GI___ioctl
               |          entry_SYSCALL_64
               |          do_syscall_64
               |          __x64_sys_ioctl
               |          ksys_ioctl
               |          binder_ioctl
               |          binder_set_nice
               |          can_nice
               |          capable
               |          security_capable
               |          cred_has_capability.isra.0
               |          slow_avc_audit
               |          common_lsm_audit
               |          avc_audit_post_callback
               |          avc_audit_post_callback
               |

It is also possible to use the ftrace interface:

  # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable
  # cat /sys/kernel/debug/tracing/trace
  tracer: nop
  entries-in-buffer/entries-written: 1/1   #P:8
  [...]
  dmesg-3624 [001] 13072.325358: selinux_denied: audited=800000 tclass=4

The tclass value can be mapped to a class by searching
security/selinux/flask.h.
The audited value is a bit field of the permissions described in
security/selinux/av_permissions.h for the corresponding class.

[1] https://source.android.com/devices/tech/debug/native_stack_dump

Signed-off-by: Thiébaud Weksteen
Suggested-by: Joel Fernandes
Reviewed-by: Peter Enderborg
---
 MAINTAINERS                | 1 +
 include/trace/events/avc.h | 37 +++++++++++++++++++++++++++++++++++++
 security/selinux/avc.c     | 5 +++++
 3 files changed, 43 insertions(+)
 create mode 100644 include/trace/events/avc.h

diff --git a/MAINTAINERS b/MAINTAINERS index c8e8232c65da..0efaea0e144c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -15426,6 +15426,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/gi= t/pcmoore/selinux.git F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot F: Documentation/ABI/obsolete/sysfs-selinux-disable F: Documentation/admin-guide/LSM/SELinux.rst +F: include/trace/events/avc.h F: include/uapi/linux/selinux_netlink.h F: scripts/selinux/ F: security/selinux/ diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h new file mode 100644 index 000000000000..07c058a9bbcd --- /dev/null +++ b/include/trace/events/avc.h @@ -0,0 +1,37 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Author: Thi=C3=A9baud Weksteen + */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM avc + +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_SELINUX_H + +#include + +TRACE_EVENT(selinux_audited, + + TP_PROTO(struct selinux_audit_data *sad), + + TP_ARGS(sad), + + TP_STRUCT__entry( + __field(unsigned int, tclass) + __field(unsigned int, audited) + ), + + TP_fast_assign( + __entry->tclass =3D sad->tclass; + __entry->audited =3D sad->audited; + ), + + TP_printk("tclass=3D%u audited=3D%x", + __entry->tclass, + __entry->audited) +); + +#endif + +/* This part must be outside protection */ +#include diff --git a/security/selinux/avc.c b/security/selinux/avc.c index d18cb32a242a..b0a0af778b70 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c 
@@ -31,6 +31,9 @@ #include "avc_ss.h" #include "classmap.h" =20 +#define CREATE_TRACE_POINTS +#include + #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 @@ -706,6 +709,8 @@ static void avc_audit_post_callback(struct audit_buffer= *ab, void *a) u32 scontext_len; int rc; =20 + trace_selinux_audited(sad); + rc =3D security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len); if (rc) --=20 2.28.0.220.ged08abb693-goog
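Review bot: in the new include/trace/events/avc.h hunk the include guard is `_TRACE_SELINUX_H` while the file and `TRACE_SYSTEM` are both named `avc`; renaming the guard to `_TRACE_AVC_H` keeps it matching the header and leaves the selinux name free should a separate SELinux trace header ever appear. The same hunk uses `struct selinux_audit_data *sad` in `TP_PROTO` without declaring the type, so the header only compiles where the SELinux private headers were already included (as avc.c does via "avc_ss.h"); a forward declaration `struct selinux_audit_data;` ahead of `TRACE_EVENT` would make it self-contained.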
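Review bot: in the avc_audit_post_callback hunk, `trace_selinux_audited(sad);` fires on every audited AVC decision that reaches the post callback, not only on denials, yet the commit message says the tracepoint is "on the SELinux denials" and its ftrace sample shows an event named `selinux_denied` while the hunk defines `selinux_audited`. Either the text and sample should be brought in line with the `selinux_audited` name, or the event should also record whether the decision was denied so a perf or ftrace consumer can separate denials from granted-but-audited events without re-reading the audit log.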
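As an added example (not part of the patch or the commit message), the decoding step the commit message describes for the ftrace output: mapping `tclass` through the `SECCLASS_*` defines of flask.h and the `audited` bit field through the `CLASS__PERM` defines of av_permissions.h. The header excerpts and the trace line below are constructed, with illustrative numbering.

```python
import re

# Constructed excerpts in the #define format of the generated headers
# security/selinux/flask.h and av_permissions.h; numbering is illustrative.
FLASK_H = """\
#define SECCLASS_PROCESS                                 2
#define SECCLASS_CAPABILITY                              4
"""
AV_PERMISSIONS_H = """\
#define PROCESS__FORK                            0x00000001UL
#define CAPABILITY__CHOWN                        0x00000001UL
#define CAPABILITY__DAC_OVERRIDE                 0x00000002UL
#define CAPABILITY__SYS_NICE                     0x00800000UL
"""
# Constructed ftrace line in the shape shown in the commit message.
SAMPLE_TRACE = "dmesg-3624 [001] 13072.325358: selinux_audited: audited=800000 tclass=4"

CLASS_RE = re.compile(r"^#define\s+SECCLASS_(\w+)\s+(\d+)\s*$", re.M)
PERM_RE = re.compile(r"^#define\s+(\w+?)__(\w+)\s+0x([0-9a-fA-F]+)UL\s*$", re.M)

def parse_classes(flask_h):
    """tclass number -> lowercase class name (SECCLASS_FOO -> 'foo')."""
    return {int(num): name.lower() for name, num in CLASS_RE.findall(flask_h)}

def parse_perms(av_h):
    """class name -> {single-bit mask: permission name} (FOO__BAR -> 'bar')."""
    perms = {}
    for cls, perm, hexval in PERM_RE.findall(av_h):
        perms.setdefault(cls.lower(), {})[int(hexval, 16)] = perm.lower()
    return perms

def decode_line(line, classes, perms):
    """Return (class name, permission names, mask of set bits with no name)."""
    # Field order differs between the commit message sample (audited= first)
    # and TP_printk in the patch (tclass= first), so match each separately.
    m_aud = re.search(r"\baudited=([0-9a-fA-F]+)", line)
    m_cls = re.search(r"\btclass=(\d+)", line)
    if not (m_aud and m_cls):
        raise ValueError("not a selinux_audited trace line: %r" % line)
    audited = int(m_aud.group(1), 16)
    cls = classes.get(int(m_cls.group(1)), "unknown_class_" + m_cls.group(1))
    known = perms.get(cls, {})
    set_bits = [1 << b for b in range(32) if audited & (1 << b)]  # 32-bit av
    names = [known[m] for m in set_bits if m in known]
    unknown = sum(m for m in set_bits if m not in known)
    return cls, names, unknown

def decode_sample():
    classes, perms = parse_classes(FLASK_H), parse_perms(AV_PERMISSIONS_H)
    return decode_line(SAMPLE_TRACE, classes, perms)  # ('capability', ['sys_nice'], 0)
```

Bits that have no name in the parsed header are returned as a leftover mask rather than dropped, so a header from a different kernel version than the traced one is visible in the output.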