From dd8166212d9a2eca3181567c953d5687aea4d7dc Mon Sep 17 00:00:00 2001 From: =?utf8?q?Thi=C3=A9baud=20Weksteen?= Date: Fri, 21 Aug 2020 16:08:21 +0200 Subject: [PATCH] selinux: add tracepoint on audited events MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The audit data currently captures which process and which target is responsible for a denial. There is no data on where exactly in the process that call occurred. Debugging can be made easier by being able to reconstruct the unified kernel and userland stack traces [1]. Add a tracepoint on the SELinux denials which can then be used by userland (i.e. perf). Although this patch could manually be added by each OS developer to trouble shoot a denial, adding it to the kernel streamlines the developers workflow. It is possible to use perf for monitoring the event: # perf record -e avc:selinux_audited -g -a ^C # perf report -g [...] 6.40% 6.40% audited=800000 tclass=4 | __libc_start_main | |--4.60%--__GI___ioctl | entry_SYSCALL_64 | do_syscall_64 | __x64_sys_ioctl | ksys_ioctl | binder_ioctl | binder_set_nice | can_nice | capable | security_capable | cred_has_capability.isra.0 | slow_avc_audit | common_lsm_audit | avc_audit_post_callback | avc_audit_post_callback | It is also possible to use the ftrace interface: # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable # cat /sys/kernel/debug/tracing/trace tracer: nop entries-in-buffer/entries-written: 1/1 #P:8 [...] dmesg-3624 [001] 13072.325358: selinux_denied: audited=800000 tclass=4 The tclass value can be mapped to a class by searching security/selinux/flask.h. The audited value is a bit field of the permissions described in security/selinux/av_permissions.h for the corresponding class. [1] https://source.android.com/devices/tech/debug/native_stack_dump Signed-off-by: Thiébaud Weksteen Suggested-by: Joel Fernandes Reviewed-by: Peter Enderborg Acked-by: Stephen Smalley Signed-off-by: Paul Moore --- MAINTAINERS | 1 + include/trace/events/avc.h | 37 +++++++++++++++++++++++++++++++++++++ security/selinux/avc.c | 5 +++++ 3 files changed, 43 insertions(+) create mode 100644 include/trace/events/avc.h diff --git a/MAINTAINERS b/MAINTAINERS index deaafb6..ed19f56 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -15569,6 +15569,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot F: Documentation/ABI/obsolete/sysfs-selinux-disable F: Documentation/admin-guide/LSM/SELinux.rst +F: include/trace/events/avc.h F: include/uapi/linux/selinux_netlink.h F: scripts/selinux/ F: security/selinux/ diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h new file mode 100644 index 0000000..07c058a --- /dev/null +++ b/include/trace/events/avc.h @@ -0,0 +1,37 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Author: Thiébaud Weksteen + */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM avc + +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_SELINUX_H + +#include + +TRACE_EVENT(selinux_audited, + + TP_PROTO(struct selinux_audit_data *sad), + + TP_ARGS(sad), + + TP_STRUCT__entry( + __field(unsigned int, tclass) + __field(unsigned int, audited) + ), + + TP_fast_assign( + __entry->tclass = sad->tclass; + __entry->audited = sad->audited; + ), + + TP_printk("tclass=%u audited=%x", + __entry->tclass, + __entry->audited) +); + +#endif + +/* This part must be outside protection */ +#include diff --git a/security/selinux/avc.c b/security/selinux/avc.c index d18cb32..b0a0af7 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -31,6 +31,9 @@ #include "avc_ss.h" #include "classmap.h" +#define CREATE_TRACE_POINTS +#include + #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 @@ -706,6 +709,8 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) u32 scontext_len; int rc; + trace_selinux_audited(sad); + rc = security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len); if (rc) -- 2.7.4