Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp2018881ybh; Fri, 24 Jul 2020 02:17:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJybQ360SiPB1FHyI8k9fkvjSxdBAsIYBpDVMS+PsBvuolcIUxxqzzlydYAuiFQBXMa8j99a X-Received: by 2002:a17:906:4a45:: with SMTP id a5mr8060486ejv.384.1595582249024; Fri, 24 Jul 2020 02:17:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595582249; cv=none; d=google.com; s=arc-20160816; b=kDbjcsc2tMI64avOFB6lSFB5VzesFpQyE8uS4If2I3lwcQsbk5FcaV5DxQrVQLVFuZ p160gua+c+RVyoL6740rIdROLQZO4su10UV+5vjnpl1LvjdlfGMeFtCSD6GzJ2t3RJt2 GIh8jiGIE8bSxA14+Lk6bN+Jff8ZRcgAESLlBmT/QWQ8cIcS4Xued4XpkC6wikGgqf3s BcTy9Ota2c/uuCt6AksuZS+Fy1y7GNGpJXBQPvkLg0KMLcwOJi/A3AQjc9cyPilKfrRq yi6nYH4Xxt2S5/Ktrsplig5cb7zi+yV+M+Xkw7GXySCgAAwnbtulksRgpa5KcQJFAl2O W1aQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:from :subject:mime-version:message-id:date:dkim-signature; bh=igO9PGS75sNuJ8Wtx045r3V9fh7O7ARU1wRPKhhhbQE=; b=uarmnIaWHJth8N5lsETjB+Aa0pBKFauhZ2AoByUgIWUdo5/EcHKYBJS8tPLzJLsKUm 6BPx7FzfvofQ0sPRVeCeRx0d+3CQjNJ34bDl+iB3IQpICi6Z9343Wx+sZRCVo+gEZ8c7 iDCY2DCAf69HLR6zmURy3FvSTL5BGEZM9NrqcTC5gCO9JKFE00qUMJ7EUKyifcmkgA1v QtuLUBGuC11ZaMZWMa/9iBA/rqGfl63gZoNU+bafTt29ApEFmB11REBRltXSxVUY7pIc zwM6jZZ5Vqzl4hiY32EhISmOquJmebv0KwxVBg2QriyS6Lc0V2Y3V5I4lCr3dQK9jRIJ USmw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=R+rUbDNs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id qc24si226411ejb.398.2020.07.24.02.17.02; Fri, 24 Jul 2020 02:17:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=R+rUbDNs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726861AbgGXJPp (ORCPT + 99 others); Fri, 24 Jul 2020 05:15:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54460 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726692AbgGXJPo (ORCPT ); Fri, 24 Jul 2020 05:15:44 -0400 Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com [IPv6:2607:f8b0:4864:20::b4a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B8241C0619D3 for ; Fri, 24 Jul 2020 02:15:44 -0700 (PDT) Received: by mail-yb1-xb4a.google.com with SMTP id j187so9704671ybj.7 for ; Fri, 24 Jul 2020 02:15:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc :content-transfer-encoding; bh=igO9PGS75sNuJ8Wtx045r3V9fh7O7ARU1wRPKhhhbQE=; b=R+rUbDNs7Bx8jqcdI/0YnjROZGc4JO11o3nTpLn5lsj9M24wu/7TLUpdRlFQsdGfCa 6h8fwusAeBgzGxpmkfcbnTF8ArO9m1/wwq8SJ52rtE4kbBKp0UB0GhxYoINnPgvXBPio Xbl6/B7Roex2OG0din1MoSF8GcXY2ufWoCWrOJy8Ilhr9xM+ymkn4Qe8CoqsnZ2Q6LCb 0uLmPj0Hkq0xoCiU9GSmZoP+E8EizD92Yu7oYgDE+VbNfMObA6Jz2pF10TBEJ8iLaW0Y Pfcx8bnuvf0qigg9i+8Rm39+1xqJRhKfD0LVwRMWZRXtYLzd+TVKnPKrG/TVJmoZzZL/ tSdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc :content-transfer-encoding; bh=igO9PGS75sNuJ8Wtx045r3V9fh7O7ARU1wRPKhhhbQE=; b=tAABIj5VYcbjIB880nKUsOjofWLXCbe+weEf3SGAUgKybfWpkIii/d1kjXkIojeqoe WgKbOzMqiMZ7UcvnA1xpVNvyKu25FARSqAuaWk8/bDyLvPAH1QU5aJw/PyiBbDh8K89d jbfi93yblXZlOkJs77DAvahlGBFUVTRbAC/KxDfYrWnL9RrBbicn2aYD53GS4ufXk++P 7RvIKdSnxR6G5XJBeazTghbWlFqPznWNFI6C3XLoMWiW0TrfNuLCmMSEQKBN9fSsNR+x crNQ9ItEj36H8ThzAPXC+quZt5mdYNg/pF7HyRLgQ7xW7238kaHX48YbNq4s0kXdoAJ1 1LOg== X-Gm-Message-State: AOAM531ktmxeO5mL/El83F0cEgdxkpcpNhhK/vUNKG3FDyRCxx83PqLh t7iHIb4npAPkk6j7D8qnKiKWlUPNYA== X-Received: by 2002:a5b:449:: with SMTP id s9mr2280682ybp.465.1595582143955; Fri, 24 Jul 2020 02:15:43 -0700 (PDT) Date: Fri, 24 Jul 2020 11:15:03 +0200 Message-Id: <20200724091520.880211-1-tweek@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.28.0.rc0.142.g3c755180ce-goog Subject: [PATCH] selinux: add tracepoint on denials From: "=?UTF-8?q?Thi=C3=A9baud=20Weksteen?=" To: Paul Moore Cc: Nick Kralevich , "=?UTF-8?q?Thi=C3=A9baud=20Weksteen?=" , Joel Fernandes , Stephen Smalley , Eric Paris , Steven Rostedt , Ingo Molnar , Mauro Carvalho Chehab , "David S. Miller" , Rob Herring , linux-kernel@vger.kernel.org, selinux@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The audit data currently captures which process and which target is responsible for a denial. There is no data on where exactly in the process that call occurred. Debugging can be made easier by being able to reconstruct the unified kernel and userland stack traces [1]. Add a tracepoint on the SELinux denials which can then be used by userland (i.e. perf). Although this patch could manually be added by each OS developer to trouble shoot a denial, adding it to the kernel streamlines the developers workflow. [1] https://source.android.com/devices/tech/debug/native_stack_dump Signed-off-by: Thi=C3=A9baud Weksteen Signed-off-by: Joel Fernandes --- MAINTAINERS | 1 + include/trace/events/selinux.h | 35 ++++++++++++++++++++++++++++++++++ security/selinux/avc.c | 6 ++++++ 3 files changed, 42 insertions(+) create mode 100644 include/trace/events/selinux.h diff --git a/MAINTAINERS b/MAINTAINERS index e64cdde81851..6b6cd5e13537 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -15358,6 +15358,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/gi= t/pcmoore/selinux.git F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot F: Documentation/ABI/obsolete/sysfs-selinux-disable F: Documentation/admin-guide/LSM/SELinux.rst +F: include/trace/events/selinux.h F: include/uapi/linux/selinux_netlink.h F: scripts/selinux/ F: security/selinux/ diff --git a/include/trace/events/selinux.h b/include/trace/events/selinux.= h new file mode 100644 index 000000000000..e247187a8135 --- /dev/null +++ b/include/trace/events/selinux.h @@ -0,0 +1,35 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM selinux + +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_SELINUX_H + +#include +#include + +TRACE_EVENT(selinux_denied, + + TP_PROTO(int cls, int av), + + TP_ARGS(cls, av), + + TP_STRUCT__entry( + __field(int, cls) + __field(int, av) + ), + + TP_fast_assign( + __entry->cls =3D cls; + __entry->av =3D av; + ), + + TP_printk("denied %d %d", + __entry->cls, + __entry->av) +); + +#endif + +/* This part must be outside protection */ +#include diff --git a/security/selinux/avc.c b/security/selinux/avc.c index d18cb32a242a..85d2e22ab656 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -31,6 +31,9 @@ #include "avc_ss.h" #include "classmap.h" =20 +#define CREATE_TRACE_POINTS +#include + #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 @@ -672,6 +675,9 @@ static void avc_audit_pre_callback(struct audit_buffer = *ab, void *a) return; } =20 + if (sad->denied) + trace_selinux_denied(sad->tclass, av); + perms =3D secclass_map[sad->tclass-1].perms; =20 audit_log_format(ab, " {"); --=20 2.28.0.rc0.142.g3c755180ce-goog