Date: Thu, 6 Aug 2020 10:03:42 +0200
In-Reply-To: <20200806080358.3124505-1-tweek@google.com>
Message-Id: <20200806080358.3124505-2-tweek@google.com>
References: <20200806080358.3124505-1-tweek@google.com>
X-Mailer: git-send-email 2.28.0.163.g6104cc2f0b6-goog
Subject: [PATCH 2/2] selinux: add attributes to avc tracepoint
From: Thiébaud Weksteen
To: Paul Moore
Cc: Nick Kralevich, Peter Enderborg, Thiébaud Weksteen, Stephen Smalley, Eric Paris, Steven Rostedt, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, Arnd Bergmann, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailing-List: linux-kernel@vger.kernel.org

From: Peter Enderborg

Add further attributes to filter the trace events from AVC.

Signed-off-by: Peter Enderborg
Reviewed-by: Thiébaud Weksteen
---
 include/trace/events/avc.h | 41 ++++++++++++++++++++++++++++----------
 security/selinux/avc.c     | 22 +++++++++++---------
 2 files changed, 44 insertions(+), 19 deletions(-)

diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h index 07c058a9bbcd..ac5ef2e1c2c5 100644 --- a/include/trace/events/avc.h +++ b/include/trace/events/avc.h @@ -1,6 +1,7 @@ /* SPDX-License-Identifier: GPL-2.0 */ /* - * Author: Thi=C3=A9baud Weksteen + * Authors: Thi=C3=A9baud Weksteen + * Peter Enderborg */ #undef TRACE_SYSTEM #define TRACE_SYSTEM avc @@ -12,23 +13,43 @@ =20 TRACE_EVENT(selinux_audited, =20 - TP_PROTO(struct selinux_audit_data *sad), + TP_PROTO(struct selinux_audit_data *sad, + char *scontext, + char *tcontext, + const char *tclass + ), =20 - TP_ARGS(sad), + TP_ARGS(sad, scontext, tcontext, tclass), =20 TP_STRUCT__entry( - __field(unsigned int, tclass) - __field(unsigned int, audited) + __field(u32, requested) + __field(u32, denied) + __field(u32, audited) + __field(int, result) + __string(scontext, scontext) + __string(tcontext, tcontext) + __string(tclass, tclass) + __field(u32, ssid) + __field(u32, tsid) ), =20 TP_fast_assign( - __entry->tclass =3D sad->tclass; - __entry->audited =3D sad->audited; + __entry->requested =3D sad->requested; + __entry->denied =3D sad->denied; + __entry->audited =3D sad->audited; + __entry->result =3D sad->result; + __entry->ssid =3D sad->ssid; + __entry->tsid =3D sad->tsid; + __assign_str(tcontext, tcontext); + __assign_str(scontext, scontext); + __assign_str(tclass, tclass); ), =20 - TP_printk("tclass=3D%u audited=3D%x", - __entry->tclass, - __entry->audited) + TP_printk("requested=3D0x%x denied=3D0x%x audited=3D0x%x result=3D%d ssid= =3D%u tsid=3D%u scontext=3D%s tcontext=3D%s tclass=3D%s", + __entry->requested, __entry->denied, __entry->audited, __entry->result, + __entry->ssid, __entry->tsid, __get_str(scontext), __get_str(tcontext), + __get_str(tclass) + ) ); =20 #endif diff --git a/security/selinux/avc.c b/security/selinux/avc.c index b0a0af778b70..7de5cc5169af 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c 
@@ -705,35 +705,39 @@ static void avc_audit_post_callback(struct audit_buff= er *ab, void *a) { struct common_audit_data *ad =3D a; struct selinux_audit_data *sad =3D ad->selinux_audit_data; - char *scontext; + char *scontext =3D NULL; + char *tcontext =3D NULL; + const char *tclass =3D NULL; u32 scontext_len; + u32 tcontext_len; int rc; =20 - trace_selinux_audited(sad); - rc =3D security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len); if (rc) audit_log_format(ab, " ssid=3D%d", sad->ssid); else { audit_log_format(ab, " scontext=3D%s", scontext); - kfree(scontext); } =20 - rc =3D security_sid_to_context(sad->state, sad->tsid, &scontext, - &scontext_len); + rc =3D security_sid_to_context(sad->state, sad->tsid, &tcontext, + &tcontext_len); if (rc) audit_log_format(ab, " tsid=3D%d", sad->tsid); else { - audit_log_format(ab, " tcontext=3D%s", scontext); - kfree(scontext); + audit_log_format(ab, " tcontext=3D%s", tcontext); } =20 - audit_log_format(ab, " tclass=3D%s", secclass_map[sad->tclass-1].name); + tclass =3D secclass_map[sad->tclass-1].name; + audit_log_format(ab, " tclass=3D%s", tclass); =20 if (sad->denied) audit_log_format(ab, " permissive=3D%u", sad->result ? 0 : 1); =20 + trace_selinux_audited(sad, scontext, tcontext, tclass); + kfree(tcontext); + kfree(scontext); + /* in case of invalid context report also the actual context string */ rc =3D security_sid_to_context_inval(sad->state, sad->ssid, &scontext, &scontext_len); --=20 2.28.0.163.g6104cc2f0b6-goog
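
Review bot: In the include/trace/events/avc.h hunk (@@ -12,23 +13,43 @@), TP_PROTO declares scontext and tcontext as plain char * while tclass is const char *; the event only copies them with __assign_str, so all three should be const char *. The tclass entry also changes from __field(unsigned int, tclass) to a string, and the printed format changes from "tclass=%u audited=%x" to a different set of fields, which alters what any existing consumer or filter of selinux_audited sees. The commit message should list the new fields and mention that change. The TP_printk format string is long enough that splitting it into adjacent string literals would make it easier to read.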
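
Review bot: In the security/selinux/avc.c hunk (@@ -705,35 +705,39 @@), scontext and tcontext are initialised to NULL and may still be NULL at the new trace_selinux_audited(sad, scontext, tcontext, tclass) call when security_sid_to_context() returns an error, which is the same case where the audit record falls back to ssid=/tsid=. Please add a comment that NULL is an expected argument at that call and confirm that __string()/__assign_str() in the event accept it, so the error path is covered by design rather than by accident. With the kfree() calls moved below the tracepoint, both else branches are now single statements, so their braces can be dropped.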