Subject: Re: [PATCH v2 1/2] selinux: add tracepoint on denials
To: Steven Rostedt
CC: Stephen Smalley, Thiébaud Weksteen, Paul Moore, Nick Kralevich, Joel Fernandes, Eric Paris, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, Arnd Bergmann, linux-kernel, SElinux list
References: <20200813144914.737306-1-tweek@google.com> <15e2e26d-fe4b-679c-b5c0-c96d56e09853@gmail.com> <3518887d-9083-2836-a8db-c7c27a70c990@sony.com> <20200814134653.0ba7f64e@oasis.local.home>
From: peter enderborg
Message-ID: <0d283b71-df19-d82b-318d-04e5816db517@sony.com>
Date: Sat, 15 Aug 2020 10:45:22 +0200
In-Reply-To: <20200814134653.0ba7f64e@oasis.local.home>
X-Mailing-List: linux-kernel@vger.kernel.org

On 8/14/20 7:46 PM, Steven Rostedt wrote:
> On Fri, 14 Aug 2020 19:22:13 +0200
> peter enderborg wrote:
>
>> On 8/14/20 7:08 PM, Stephen Smalley wrote:
>>> On Fri, Aug 14, 2020 at 1:07 PM peter enderborg wrote:
>>>> On 8/14/20 6:51 PM, Stephen Smalley wrote:
>>>>> On Fri, Aug 14, 2020 at 9:05 AM Thiébaud Weksteen wrote:
>>>>>> On Thu, Aug 13, 2020 at 5:41 PM Stephen Smalley wrote:
>>>>>>> An explanation here of how one might go about decoding audited and
>>>>>>> tclass would be helpful to users (even better would be a script to do it
>>>>>>> for them). Again, I know how to do that but not everyone using
>>>>>>> perf/ftrace will.
>>>>>> What about something along those lines:
>>>>>>
>>>>>> The tclass value can be mapped to a class by searching
>>>>>> security/selinux/flask.h. The audited value is a bit field of the
>>>>>> permissions described in security/selinux/av_permissions.h for the
>>>>>> corresponding class.
>>>>> Sure, I guess that works. Would be nice if we just included the class
>>>>> and permission name(s) in the event itself but I guess you viewed that
>>>>> as too heavyweight?
>>>> The class name is added in part 2. I'm not sure what a proper format for permissions
>>>> would look like in trace terms. It is a list, right?
>>> Yes. See avc_audit_pre_callback() for example code to log the permission names.
>> I wrote about that on some of the previous sets. The problem is that the trace format is quite fixed. So lists are not
>> that easy to handle if you want to filter in them. You can have a trace event for each of them. You can also add an
>> additional trace event "selinux_audited_permission" for each permission. With that you can filter out tclass or permissions.
>>
>> But the basic thing we would like at the moment is an event that we can debug in user space.
> We have a trace_seq p helper, that lets you create strings in
> TP_printk(). I should document this more. Thus you can do:
>
> extern const char *audit_perm_to_name(struct trace_seq *p, u16 class, u32 audited);
> /* p is the trace_seq that TP_printk() makes available to its helpers */
> #define __perm_to_name(class, audited) audit_perm_to_name(p, class, audited)
>
> TP_printk("tclass=%u audited=%x (%s)",
>           __entry->tclass,
>           __entry->audited,
>           __perm_to_name(__entry->tclass, __entry->audited))
>
>
> const char *audit_perm_to_name(struct trace_seq *p, u16 tclass, u32 av)
> {
>         const char *ret = trace_seq_buffer_ptr(p);
>         const char *const *perms;
>         u32 perm;
>         int i;
>
>         /* (some check for tclass integrity here) */
>
>         perms = secclass_map[tclass-1].perms;
>
>         /* walk the access vector bit by bit; perms[i] names bit i */
>         i = 0;
>         perm = 1;
>         while (i < (sizeof(av) * 8)) {
>                 if ((perm & av) && perms[i]) {
>                         trace_seq_printf(p, " %s", perms[i]);
>                         av &= ~perm;
>                 }
>                 i++;
>                 perm <<= 1;
>         }
>
>         return ret;
> }
>
> Note, this won't work for perf and trace-cmd as it wouldn't know how to
> parse it, but if the tclass perms are stable, you could create a plugin
> to libtraceevent that can do the above as well.
>
> -- Steve

Something like:

    while (i < (sizeof(av) * 8)) {
        if ((perm & av) && perms[i]) {
            /* avdenied: the bits of av that were denied */
            if (!(perm & avdenied))
                trace_seq_printf(p, " %s", perms[i]);
            else
                trace_seq_printf(p, " !%s", perms[i]);
            av &= ~perm;
        }
        i++;
        perm <<= 1;
    }

And you get information about denied too.
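A user-space version of the decode loop discussed in this thread, added here as an example and not code from the patch or from Steve's or Peter's mails: it walks the audited bitfield the way audit_perm_to_name() does, marks permissions also present in a denied mask with '!' as in Peter's variant, and adds the tclass range check that Steve's sketch leaves as a placeholder. The class/permission table is constructed for the example (its names and bit positions are illustrative, not the real flask/classmap values), and decode_perms(), struct class_map and NCLASSES are example names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed table in the shape of the kernel's secclass_map: perms[i]
 * names bit (1u << i) of a class's access vector. The names and bit
 * positions are illustrative for this example, not the real flask values. */
struct class_map {
	const char *name;
	const char *perms[32];
};

static const struct class_map secclass_map[] = {
	{ "file", { "ioctl", "read", "write", "create", "getattr", "setattr",
		    "lock", "relabelfrom", "relabelto", "append", "map",
		    "unlink", "link", "rename", "execute" } },
	{ "dir",  { "ioctl", "read", "write", "create", "getattr", "setattr",
		    "search", "add_name", "remove_name", "rmdir" } },
};
#define NCLASSES (sizeof(secclass_map) / sizeof(secclass_map[0]))

/* Render the audited bitfield av as " perm perm ...", prefixing any
 * permission also set in avdenied with '!'. tclass is 1-based like the
 * kernel's, so 0 or anything past the table is rejected instead of
 * indexing out of bounds (the integrity check left open in the thread). */
static const char *decode_perms(char *buf, size_t len, uint16_t tclass,
				uint32_t av, uint32_t avdenied)
{
	const char *const *perms;
	size_t used = 0;
	int i;

	buf[0] = '\0';
	if (tclass == 0 || tclass > NCLASSES)
		return buf;
	perms = secclass_map[tclass - 1].perms;

	/* bit i of av is named by perms[i]; unnamed bits are skipped */
	for (i = 0; i < 32 && used < len; i++) {
		uint32_t perm = 1u << i;
		if (!(perm & av) || !perms[i])
			continue;
		used += snprintf(buf + used, len - used, " %s%s",
				 (perm & avdenied) ? "!" : "", perms[i]);
	}
	return buf;
}
```

Calling decode_perms(buf, sizeof buf, 1, 0x4006, 0x4000) on the constructed table yields " read write !execute", i.e. read and write audited but allowed, execute audited and denied.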