From: Paul Moore
Date: Fri, 21 Aug 2020 17:08:58 -0400
Subject: Re: [PATCH v4 1/2] selinux: add tracepoint on audited events
To: Thiébaud Weksteen
Cc: Nick Kralevich, Joel Fernandes, Peter Enderborg, Stephen Smalley, Eric Paris, Steven Rostedt, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, linux-kernel@vger.kernel.org, selinux@vger.kernel.org

On Fri, Aug 21, 2020 at 10:09 AM Thiébaud Weksteen wrote:
>
> The audit data currently captures which process and which target
> is responsible for a denial. There is no data on where exactly in the
> process that call occurred. Debugging can be made easier by being able to
> reconstruct the unified kernel and userland stack traces [1]. Add a
> tracepoint on the SELinux denials which can then be used by userland
> (i.e. perf).
>
> Although this patch could manually be added by each OS developer to
> trouble shoot a denial, adding it to the kernel streamlines the
> developers workflow.
>
> It is possible to use perf for monitoring the event:
>   # perf record -e avc:selinux_audited -g -a
>   ^C
>   # perf report -g
>   [...]
>       6.40%     6.40%  audited=800000 tclass=4
>               |
>                  __libc_start_main
>                  |
>                  |--4.60%--__GI___ioctl
>                  |          entry_SYSCALL_64
>                  |          do_syscall_64
>                  |          __x64_sys_ioctl
>                  |          ksys_ioctl
>                  |          binder_ioctl
>                  |          binder_set_nice
>                  |          can_nice
>                  |          capable
>                  |          security_capable
>                  |          cred_has_capability.isra.0
>                  |          slow_avc_audit
>                  |          common_lsm_audit
>                  |          avc_audit_post_callback
>                  |          avc_audit_post_callback
>                  |
>
> It is also possible to use the ftrace interface:
>   # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable
>   # cat /sys/kernel/debug/tracing/trace
>   tracer: nop
>   entries-in-buffer/entries-written: 1/1 #P:8
>   [...]
>   dmesg-3624 [001] 13072.325358: selinux_denied: audited=800000 tclass=4
>
> The tclass value can be mapped to a class by searching
> security/selinux/flask.h. The audited value is a bit field of the
> permissions described in security/selinux/av_permissions.h for the
> corresponding class.
>
> [1] https://source.android.com/devices/tech/debug/native_stack_dump
>
> Signed-off-by: Thiébaud Weksteen
> Suggested-by: Joel Fernandes
> Reviewed-by: Peter Enderborg
> ---
>  MAINTAINERS                | 1 +
>  include/trace/events/avc.h | 37 +++++++++++++++++++++++++++++++++++++
>  security/selinux/avc.c     | 5 +++++
>  3 files changed, 43 insertions(+)
>  create mode 100644 include/trace/events/avc.h

Merged into selinux/next, thanks!

-- 
paul moore
www.paul-moore.com
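
The lookup described in the quoted commit message (tclass to class name, audited bit field to permission names), as an added example that is not part of the original message or the patch. Assumptions: the header excerpts are constructed samples whose `#define` layout and values are illustrative and must be replaced by the flask.h and av_permissions.h of the kernel being traced, `audited` is treated as hexadecimal, and the function names are hypothetical.

```python
import re

# Constructed excerpts standing in for the two headers named in the message;
# the numbering and masks here are sample values, not taken from a real build.
FLASK_H = """
#define SECCLASS_SECURITY                                 1
#define SECCLASS_PROCESS                                  2
#define SECCLASS_SYSTEM                                   3
#define SECCLASS_CAPABILITY                               4
"""
AV_PERMISSIONS_H = """
#define PROCESS__FORK                             0x00000001U
#define CAPABILITY__CHOWN                         0x00000001U
#define CAPABILITY__SYS_BOOT                      0x00400000U
#define CAPABILITY__SYS_NICE                      0x00800000U
"""
# Trace line as shown in the message's ftrace output.
TRACE_LINE = "dmesg-3624 [001] 13072.325358: selinux_denied: audited=800000 tclass=4"

def parse_classes(text):
    """Return {class number: class name} from SECCLASS_* defines."""
    return {int(num): name.lower()
            for name, num in re.findall(r"#define\s+SECCLASS_(\w+)\s+(\d+)", text)}

def parse_perms(text):
    """Return {class name: {bit mask: permission name}} from CLASS__PERM defines."""
    perms = {}
    for cls, perm, mask in re.findall(
            r"#define\s+([A-Z0-9_]+?)__(\w+)\s+0x([0-9a-fA-F]+)", text):
        perms.setdefault(cls.lower(), {})[int(mask, 16)] = perm.lower()
    return perms

def decode(line, classes, perms):
    """Decode the audited/tclass fields of one trace line into names."""
    m = re.search(r"audited=([0-9a-fA-F]+)\s+tclass=(\d+)", line)
    if m is None:
        raise ValueError("no audited/tclass fields in line")
    audited, tclass = int(m.group(1), 16), int(m.group(2))
    cls = classes.get(tclass, f"unknown({tclass})")
    known = perms.get(cls, {})
    names = []
    for bit in range(32):
        mask = 1 << bit
        if audited & mask:
            # Bits with no matching define are reported as raw masks.
            names.append(known.get(mask, f"0x{mask:x}"))
    return cls, names

if __name__ == "__main__":
    print(decode(TRACE_LINE, parse_classes(FLASK_H), parse_perms(AV_PERMISSIONS_H)))
```

Unknown class numbers and unmapped bits are returned as raw values rather than dropped, so a mismatch between the headers and the running kernel shows up in the output.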