Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp341629pxa; Fri, 21 Aug 2020 08:37:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx6Ov12Kf4659kS7C6uSXfBX5wiVukY86/jKRCu+7gCKlrC6TgqhVJVuD4viMfsYUU0d6Ed X-Received: by 2002:a17:906:2a49:: with SMTP id k9mr3517312eje.117.1598024233262; Fri, 21 Aug 2020 08:37:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598024233; cv=none; d=google.com; s=arc-20160816; b=As2kq582Jn/mZva0Pzy+bLp06LGPKtcim3uqFEk87WGCwTJY0FT6e9j6COFjGG3fW8 ZHOfvao61NIDS4rHe0YWuz1hTb12tV+H26bSKHRqqVZvigBIDva1JJUfyqNvWzKlSx0N cK9JSWU9nIgtarOIVReOJIIHS68wJFsgeW9S32naMdSQOS2Xl5aE0+o0Pl+urqlnoizt U5HdR1QVvglCn2sH3CYG555tkt6m/CeaSq+nu5jHudOpmIpgcIsVnN9aQhEF9nSzVjSe oaluru36/Vpg7MAEXV8M+Nc05uSZKjIiRdHziEnKuZkzaZGI+EaXbTuWT3KclD3G573v qNMw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=0UODExHNr70hBlkw5NoS5M2zRCjpoudfpEgGYewpYzs=; b=gclA2T1wxiYreSFC94TmfgYaQN4G7CAHDaq+0XRZy2C68ItWdBgO5mkbr0C72z8RwC pzEDqwmgigq5JvRX/Aw4bvbkvgI5UFDwJZUUI+8hJIuU+eMYfyI8xaIgZ71hsDmbPaxj kuOYDmxe6Eyj6Qa1NWhaka/hJ8F+EmTjOwq90PkN0BkvVx4/hXdMVXEtvv4/njFJnaHx 6HaLuJ11eoiyZPuxmHbLeIYuQal+V+f6sVZCwDEe7BKu1k5WxzMB4h/wpkkoSycroLez 6Zs8VpHYjvgBwrxnSX/bDHH4L8g654+2KmiZ1wpsA4/LYR1L1mIkkbcxhmLggf+ZZ8cI Dxbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=GNwFlwjs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b6si1564644eja.208.2020.08.21.08.36.49; Fri, 21 Aug 2020 08:37:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=GNwFlwjs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727971AbgHUPeQ (ORCPT + 99 others); Fri, 21 Aug 2020 11:34:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54348 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728141AbgHUPdi (ORCPT ); Fri, 21 Aug 2020 11:33:38 -0400 Received: from mail-ot1-x344.google.com (mail-ot1-x344.google.com [IPv6:2607:f8b0:4864:20::344]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CB2DDC061573; Fri, 21 Aug 2020 08:33:37 -0700 (PDT) Received: by mail-ot1-x344.google.com with SMTP id v6so1849709ota.13; Fri, 21 Aug 2020 08:33:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=0UODExHNr70hBlkw5NoS5M2zRCjpoudfpEgGYewpYzs=; b=GNwFlwjsiQxOVZviBYqlzbDjeXaxMBoPCAKXZVtOFmIvyuZ+huJwdDvOja03AHtGt2 0KnvciGXYm9+XVry8EWqq5D4Z8/qAeFs9X6Q8s5guGEHnhbVGfFDdPbKcetmLnlZnhQF S22FTMIHJoUzOJVOJczmL/WeK1fa6ogypu41P0M8KpkcioYvYbbfIGmtW186JpCNk5Eb OGvEMDRxL94maTmzwF7Ct57rq9lsoXPW8ZleHDPUYl08ovc8zXQ53YoJMFaa12Qlk0Xn dsrTdYHkqQex3f8K0IqoSQIxNAaRUTg3M4YyTLuHdbNaoAmfNgZil3wzjoKffSMnDf00 KCtA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=0UODExHNr70hBlkw5NoS5M2zRCjpoudfpEgGYewpYzs=; b=e7eWNYb5yiBMcNMHTiPjMX11ip9aaQiHHFC2hzuq065Rc3bzl+Y9MPKxx2rtogm+KK ysNv69r/ac3shc3ynuQ5ovG3OBmZcinbEs/3qdgpnpyibGG4qVGLFvzZOR2rXznB1Fcb A9RDNUGg/YFCt6siNryz9pxUTt2F8jDyBXeDeWDQZllQyWMo8b4PGNnLNWRa2jDmb+sU DPfBZgPiITlCUWJknuTn39NDdif2I4xJr5qIMwFhfMKR5DPrmeQ1bxO2rkkMtmbel25B w6Bqu+1q1a7zdQc/m3xUb5740EYgG3Qk9Im8gT3SRvI3VJq4WL9CJxcDx9OzoSGu2dhT 2AAA== X-Gm-Message-State: AOAM532/bGdpdKSFUQK41elDDTqG9BlgCimRZEa9EHn30EL5YubhkJnn 6Jc7w3Xlgt/A4Upr4vsNg6Kklqw1JGw7X3Celj4= X-Received: by 2002:a05:6830:16d8:: with SMTP id l24mr2243264otr.89.1598024016342; Fri, 21 Aug 2020 08:33:36 -0700 (PDT) MIME-Version: 1.0 References: <20200821140836.3707282-1-tweek@google.com> <20200821140836.3707282-2-tweek@google.com> In-Reply-To: <20200821140836.3707282-2-tweek@google.com> From: Stephen Smalley Date: Fri, 21 Aug 2020 11:33:25 -0400 Message-ID: Subject: Re: [PATCH v4 1/2] selinux: add tracepoint on audited events To: =?UTF-8?Q?Thi=C3=A9baud_Weksteen?= Cc: Paul Moore , Nick Kralevich , Joel Fernandes , Peter Enderborg , Eric Paris , Steven Rostedt , Ingo Molnar , Mauro Carvalho Chehab , "David S. Miller" , Rob Herring , linux-kernel , SElinux list Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 21, 2020 at 10:09 AM Thi=C3=A9baud Weksteen = wrote: > > The audit data currently captures which process and which target > is responsible for a denial. There is no data on where exactly in the > process that call occurred. Debugging can be made easier by being able to > reconstruct the unified kernel and userland stack traces [1]. Add a > tracepoint on the SELinux denials which can then be used by userland > (i.e. perf). > > Although this patch could manually be added by each OS developer to > trouble shoot a denial, adding it to the kernel streamlines the > developers workflow. > > It is possible to use perf for monitoring the event: > # perf record -e avc:selinux_audited -g -a > ^C > # perf report -g > [...] > 6.40% 6.40% audited=3D800000 tclass=3D4 > | > __libc_start_main > | > |--4.60%--__GI___ioctl > | entry_SYSCALL_64 > | do_syscall_64 > | __x64_sys_ioctl > | ksys_ioctl > | binder_ioctl > | binder_set_nice > | can_nice > | capable > | security_capable > | cred_has_capability.isra.0 > | slow_avc_audit > | common_lsm_audit > | avc_audit_post_callback > | avc_audit_post_callback > | > > It is also possible to use the ftrace interface: > # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable > # cat /sys/kernel/debug/tracing/trace > tracer: nop > entries-in-buffer/entries-written: 1/1 #P:8 > [...] > dmesg-3624 [001] 13072.325358: selinux_denied: audited=3D800000 tclass= =3D4 > > The tclass value can be mapped to a class by searching > security/selinux/flask.h. The audited value is a bit field of the > permissions described in security/selinux/av_permissions.h for the > corresponding class. > > [1] https://source.android.com/devices/tech/debug/native_stack_dump > > Signed-off-by: Thi=C3=A9baud Weksteen > Suggested-by: Joel Fernandes > Reviewed-by: Peter Enderborg Acked-by: Stephen Smalley