Subject: Re: [PATCH v2 1/2] selinux: add tracepoint on denials
From: peter enderborg
To: Steven Rostedt, Thiébaud Weksteen
CC: Stephen Smalley, Paul Moore, Nick Kralevich, Joel Fernandes, Eric Paris, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, Arnd Bergmann, linux-kernel, SElinux list
Date: Sat, 15 Aug 2020 09:17:07 +0200
Message-ID: <4427545e-d4ea-b64e-91d9-3ccd2a483df1@sony.com>
In-Reply-To: <20200814134653.0ba7f64e@oasis.local.home>
References: <20200813144914.737306-1-tweek@google.com> <15e2e26d-fe4b-679c-b5c0-c96d56e09853@gmail.com> <3518887d-9083-2836-a8db-c7c27a70c990@sony.com> <20200814134653.0ba7f64e@oasis.local.home>
List-ID: linux-kernel@vger.kernel.org

On 8/14/20 7:46 PM, Steven Rostedt wrote:
> On Fri, 14 Aug 2020 19:22:13 +0200
> peter enderborg wrote:
>
>> On 8/14/20 7:08 PM, Stephen Smalley wrote:
>>> On Fri, Aug 14, 2020 at 1:07 PM peter enderborg
>>> wrote:
>>>> On 8/14/20 6:51 PM, Stephen Smalley wrote:
>>>>> On Fri, Aug 14, 2020 at 9:05 AM Thiébaud Weksteen wrote:
>>>>>> On Thu, Aug 13, 2020 at 5:41 PM Stephen Smalley
>>>>>> wrote:
>>>>>>> An explanation here of how one might go about decoding audited and
>>>>>>> tclass would be helpful to users (even better would be a script to do it
>>>>>>> for them). Again, I know how to do that but not everyone using
>>>>>>> perf/ftrace will.
>>>>>> What about something along those lines:
>>>>>>
>>>>>> The tclass value can be mapped to a class by searching
>>>>>> security/selinux/flask.h. The audited value is a bit field of the
>>>>>> permissions described in security/selinux/av_permissions.h for the
>>>>>> corresponding class.
>>>>> Sure, I guess that works. Would be nice if we just included the class
>>>>> and permission name(s) in the event itself but I guess you viewed that
>>>>> as too heavyweight?
>>>> The class name is added in part 2. I'm not sure how a proper format for permissions
>>>> would look in trace terms. It is a list, right?
>>> Yes. See avc_audit_pre_callback() for example code to log the permission names.
>> I wrote about that on some of the previous sets. The problem is that the trace format is quite fixed, so lists are not
>> that easy to handle if you want to filter on them. You can have a trace event for each of them. You can also add an
>> additional trace event "selinux_audited_permission" for each permission. With that you can filter out tclass or permissions.
>>
>> But the basic thing we would like at the moment is an event that we can debug in user space.
> We have a trace_seq p helper, that lets you create strings in
> TP_printk(). I should document this more. Thus you can do:
>
> extern const char *audit_perm_to_name(struct trace_seq *p, u16 class, u32 audited);
> /* 'p' is the trace_seq that TP_printk() already has in scope, so the
>  * wrapper takes only the two event fields and passes 'p' through. */
> #define __perm_to_name(class, audited) audit_perm_to_name(p, class, audited)
>
> TP_printk("tclass=%u audited=%x (%s)",
>	  __entry->tclass,
>	  __entry->audited,
>	  __perm_to_name(__entry->tclass, __entry->audited))
>
>
> const char *audit_perm_to_name(struct trace_seq *p, u16 tclass, u32 av)
> {
>	const char *ret = trace_seq_buffer_ptr(p);
>	const char *const *perms;
>	unsigned int i;
>	u32 perm;
>
>	/* ( some check for tclass integrity here) */
>
>	/* secclass_map is indexed from 0, tclass values start at 1. */
>	perms = secclass_map[tclass-1].perms;
>
>	/* Walk the access vector one bit at a time, lowest bit first,
>	 * appending the name of every permission bit that is set. */
>	i = 0;
>	perm = 1;
>	while (i < (sizeof(av) * 8)) {
>		if ((perm & av) && perms[i]) {
>			trace_seq_printf(p, " %s", perms[i]);
>			av &= ~perm;
>		}
>		i++;
>		perm <<= 1;
>	}
>
>	/* Terminate the string so the %s in TP_printk() stops here. */
>	trace_seq_putc(p, 0);
>
>	return ret;
> }
>
> Note, this won't work for perf and trace-cmd as it wouldn't know how to
> parse it, but if the tclass perms are stable, you could create a plugin
> to libtraceevent that can do the above as well.
>
> -- Steve

That works fine. I will do this as a third patch in our patch set. But I think we also should export the permission map somewhere. I don't think there is any good place for it in tracefs. So selinuxfs or debugfs might do? And I think it is more useful to print what is denied than what is audited, but that does not match the trace event name.
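The decoding recipe quoted in this thread (map tclass through security/selinux/flask.h, then read the access vector as a bit field against security/selinux/av_permissions.h for that class), written out as the user-space script Stephen Smalley asked for. This is an added example, not code from the thread, the patch set or the kernel. It assumes the "#define SECCLASS_<CLASS> <n>" and "#define <CLASS>__<PERM> 0x<hex>U" layout of the generated headers, embeds constructed excerpts of those headers instead of reading the real files, and parses constructed trace lines whose field names (requested, denied, audited, tclass) and 0x-prefixed hex formatting are assumptions about the event's TP_printk, not something the quoted patch establishes.

```python
import re

# Constructed excerpts of the two generated headers the thread points at
# (security/selinux/flask.h and security/selinux/av_permissions.h), in the
# "#define SECCLASS_<CLASS> <n>" / "#define <CLASS>__<PERM> 0x<hex>U" layout.
# Assumption: regenerate these from the headers of the kernel actually under
# test; the class numbers and permission bits here are an illustrative subset.
FLASK_H = """
#define SECCLASS_SECURITY                                1
#define SECCLASS_PROCESS                                 2
#define SECCLASS_FILE                                    7
"""

AV_PERMISSIONS_H = """
#define PROCESS__FORK                            0x00000001U
#define PROCESS__TRANSITION                      0x00000002U
#define FILE__IOCTL                              0x00000001U
#define FILE__READ                               0x00000002U
#define FILE__WRITE                              0x00000004U
#define FILE__CREATE                             0x00000008U
#define FILE__GETATTR                            0x00000010U
"""

# Constructed trace lines.  Assumption about the event's print format:
# access vectors printed as 0x-prefixed hex, tclass as a decimal class number.
SAMPLE_TRACE = [
    "selinux_audited: requested=0x6 denied=0x4 audited=0x4 tclass=7",
    "selinux_audited: requested=0x3 denied=0x2 audited=0x2 tclass=2",
    "selinux_audited: requested=0x80000000 denied=0x80000000 audited=0x80000000 tclass=7",
]

CLASS_RE = re.compile(r"#define\s+SECCLASS_(\w+)\s+(\d+)")
PERM_RE = re.compile(r"#define\s+(\w+?)__(\w+)\s+0x([0-9a-fA-F]+)")
FIELD_RE = re.compile(r"(\w+)=(\w+)")


def parse_class_map(flask_h, av_permissions_h):
    """Build {tclass: (class_name, {bit_value: perm_name})} from the headers."""
    classes = {}
    for m in CLASS_RE.finditer(flask_h):
        classes[int(m.group(2))] = (m.group(1).lower(), {})
    perms_by_class = {name: perms for name, perms in classes.values()}
    for m in PERM_RE.finditer(av_permissions_h):
        cls, perm, bit = m.group(1).lower(), m.group(2).lower(), int(m.group(3), 16)
        if cls in perms_by_class:  # ignore classes absent from the flask.h excerpt
            perms_by_class[cls][bit] = perm
    return classes


def decode_av(class_map, tclass, av):
    """Name the set bits of one access vector, lowest bit first, the same way
    the kernel's audit callback walks the permission table.  A bit with no
    name (headers older than the running kernel) is kept as hex rather than
    dropped silently."""
    name, perms = class_map.get(tclass, ("unknown(%d)" % tclass, {}))
    names = []
    bit = 1
    while av:
        if av & bit:
            names.append(perms.get(bit, "0x%x" % bit))
            av &= ~bit
        bit <<= 1
    return name, names


def parse_trace_line(line):
    """Extract tclass (decimal) and whichever of the requested/denied/audited
    access-vector fields (hex) appear on one trace line."""
    fields = dict(FIELD_RE.findall(line))
    out = {"tclass": int(fields["tclass"], 10)}
    for key in ("requested", "denied", "audited"):
        if key in fields:
            out[key] = int(fields[key], 16)
    return out


def decode_trace_line(class_map, line):
    """Render one trace line as 'class requested={ .. } denied={ .. } audited={ .. }'."""
    f = parse_trace_line(line)
    cls, _ = decode_av(class_map, f["tclass"], 0)
    parts = ["%s={ %s }" % (key, " ".join(decode_av(class_map, f["tclass"], f[key])[1]))
             for key in ("requested", "denied", "audited") if key in f]
    return "%s %s" % (cls, " ".join(parts))


CLASS_MAP = parse_class_map(FLASK_H, AV_PERMISSIONS_H)

if __name__ == "__main__":
    for line in SAMPLE_TRACE:
        print(decode_trace_line(CLASS_MAP, line))
```

Point the two header strings at the real files from the kernel under test before trusting the output; the class numbers and bit positions are fixed by the kernel build, not by policy, which is why the script prints an unnamed bit as hex instead of dropping it: that is the symptom of decoding with headers from a different kernel. Decoding denied next to audited is the cheap way to get what Peter asks for above without changing the event.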