Subject: Re: [PATCH v2 1/2] selinux: add tracepoint on denials
From: Stephen Smalley
To: Thiébaud Weksteen, Paul Moore
Cc: Nick Kralevich, Joel Fernandes, Peter Enderborg, Eric Paris, Steven Rostedt, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, Arnd Bergmann, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Date: Thu, 13 Aug 2020 11:41:48 -0400
Message-ID: <15e2e26d-fe4b-679c-b5c0-c96d56e09853@gmail.com>
In-Reply-To: <20200813144914.737306-1-tweek@google.com>
List-ID: linux-kernel@vger.kernel.org

On 8/13/20 10:48 AM, Thiébaud Weksteen wrote:
> The audit data currently captures which process and which target
> is responsible for a denial. There is no data on where exactly in the
> process that call occurred. Debugging can be made easier by being able to
> reconstruct the unified kernel and userland stack traces [1]. Add a
> tracepoint on the SELinux denials which can then be used by userland
> (i.e. perf).
>
> Although this patch could manually be added by each OS developer to
> troubleshoot a denial, adding it to the kernel streamlines the
> developer's workflow.
>
> It is possible to use perf for monitoring the event:
> # perf record -e avc:selinux_audited -g -a
> ^C
> # perf report -g
> [...]
> 6.40%     6.40%  audited=800000 tclass=4
>         |
>         __libc_start_main
>         |
>         |--4.60%--__GI___ioctl
>         |          entry_SYSCALL_64
>         |          do_syscall_64
>         |          __x64_sys_ioctl
>         |          ksys_ioctl
>         |          binder_ioctl
>         |          binder_set_nice
>         |          can_nice
>         |          capable
>         |          security_capable
>         |          cred_has_capability.isra.0
>         |          slow_avc_audit
>         |          common_lsm_audit
>         |          avc_audit_post_callback
>         |          avc_audit_post_callback
>         |
>
> It is also possible to use the ftrace interface:
> # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable
> # cat /sys/kernel/debug/tracing/trace
> tracer: nop
> entries-in-buffer/entries-written: 1/1   #P:8
> [...]
> dmesg-3624 [001] 13072.325358: selinux_denied: audited=800000 tclass=4

An explanation here of how one might go about decoding audited and tclass
would be helpful to users (even better would be a script to do it for
them). Again, I know how to do that but not everyone using perf/ftrace
will.
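A decoder for the two fields, added here as an example of the kind of script the reply asks for; it is not part of this thread and not code from the kernel patch. The tracepoint prints `tclass` as the class's index in the loaded policy and `audited` as an access-vector bitmask, so both are only meaningful against the policy of the machine that produced the trace. selinuxfs publishes that numbering in `/sys/fs/selinux/class/<class>/index` and `/sys/fs/selinux/class/<class>/perms/<perm>` (the latter holds a 1-based bit number), and the script reads those when present. When selinuxfs is absent it falls back to a small constructed mapping: the entries in it, including class index 4 being `capability` and index 6 being `file`, are assumptions about the policy, not kernel facts. The one correspondence that is fixed by the kernel is that the `capability` class numbers its permissions by the `CAP_*` value, so bit 23 (`0x800000`) is `sys_nice`, which is consistent with the `binder_set_nice` -> `capable()` path in the quoted perf output.

```python
#!/usr/bin/env python3
"""Decode "audited=<hex mask> tclass=<index>" from the selinux_audited
tracepoint into a class name and permission names, using the numbering
that selinuxfs exposes for the loaded policy:

    /sys/fs/selinux/class/<class>/index        -> class index
    /sys/fs/selinux/class/<class>/perms/<perm> -> 1-based bit number

so bit (n - 1) of the mask is the permission whose perms file holds n.
"""
import os
import re
import sys
from typing import Dict, List, Optional, Tuple

# class index -> (class name, {0-based bit -> permission name})
ClassMap = Dict[int, Tuple[str, Dict[int, str]]]

SELINUXFS = "/sys/fs/selinux"

# Matches the field pair in both the ftrace line and the perf report
# header; the v2 patch prints the mask without a 0x prefix, so accept
# either form.
TRACE_RE = re.compile(r"audited=(?:0x)?([0-9a-fA-F]+)\s+tclass=(\d+)")

# Constructed fixture standing in for a selinuxfs mount, so the example
# runs on a machine without SELinux.  Index 4 == "capability" and
# index 6 == "file" are assumptions about the policy (the kernel does not
# fix them).  Bit numbers inside the capability class do follow the
# kernel's CAP_* values, and CAP_SYS_NICE is 23, which is the capable()
# check the binder_set_nice frame in the quoted perf output reaches.
# Only a handful of permissions per class are listed.
FIXTURE_CLASSMAP: ClassMap = {
    4: ("capability", {0: "chown", 1: "dac_override", 21: "sys_admin",
                       23: "sys_nice"}),
    6: ("file", {0: "ioctl", 1: "read", 2: "write", 3: "create"}),
}


def load_classmap(root: str = SELINUXFS) -> ClassMap:
    """Read class and permission numbering from a mounted selinuxfs."""
    classmap: ClassMap = {}
    classdir = os.path.join(root, "class")
    for cls in os.listdir(classdir):
        with open(os.path.join(classdir, cls, "index")) as f:
            idx = int(f.read().strip())
        perms: Dict[int, str] = {}
        permdir = os.path.join(classdir, cls, "perms")
        for perm in os.listdir(permdir):
            with open(os.path.join(permdir, perm)) as f:
                perms[int(f.read().strip()) - 1] = perm   # file holds n, bit is n-1
        classmap[idx] = (cls, perms)
    return classmap


def decode(audited: int, tclass: int,
           classmap: ClassMap) -> Tuple[str, List[str], int]:
    """Return (class name, permission names in bit order, leftover bits).

    Leftover bits are mask bits with no permission of that number in the
    class; non-zero means the trace and the mapping do not match, e.g. the
    trace came from a machine running a different policy.
    """
    if tclass not in classmap:
        return ("<unknown class %d>" % tclass, [], audited)
    name, perms = classmap[tclass]
    names: List[str] = []
    leftover = 0
    for bit in range(32):
        if not audited & (1 << bit):
            continue
        if bit in perms:
            names.append(perms[bit])
        else:
            leftover |= 1 << bit
    return (name, names, leftover)


def decode_line(line: str, classmap: ClassMap) -> Optional[str]:
    """Render one trace line as 'class { perm ... }'; None if no match."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    cls, names, leftover = decode(int(m.group(1), 16), int(m.group(2)),
                                  classmap)
    out = "%s { %s }" % (cls, " ".join(names))
    if leftover:
        out += " unknown_bits=0x%x" % leftover
    return out


def main(argv: List[str]) -> int:
    # Prefer the live policy; fall back to the fixture when selinuxfs is
    # absent (e.g. decoding a trace on a developer workstation).
    if os.path.isdir(os.path.join(SELINUXFS, "class")):
        classmap = load_classmap()
    else:
        classmap = FIXTURE_CLASSMAP
    for line in (argv[1:] or sys.stdin):
        decoded = decode_line(line, classmap)
        if decoded is not None:
            print(line.rstrip("\n"), "->", decoded)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the device that produced the trace, e.g. `cat /sys/kernel/debug/tracing/trace | ./decode_avc.py`, so the mapping comes from the same policy; decoding a trace elsewhere with the fixture only tells you the numbers, and a non-zero `unknown_bits` is the sign that the mapping and the trace disagree.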