From patchwork Thu Aug 6 08:03:41 2020
X-Patchwork-Submitter: Thiébaud Weksteen
X-Patchwork-Id: 11702821
X-Patchwork-Delegate: paul@paul-moore.com
Date: Thu, 6 Aug 2020 10:03:41 +0200
Message-Id: <20200806080358.3124505-1-tweek@google.com>
Subject: [PATCH 1/2] selinux: add tracepoint on denials
From: Thiébaud Weksteen
To: Paul Moore
Cc: Nick Kralevich, Thiébaud Weksteen, Joel Fernandes, Peter Enderborg, Stephen Smalley, Eric Paris, Steven Rostedt, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, Arnd Bergmann, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
List-ID: X-Mailing-List: selinux@vger.kernel.org

The audit data currently captures which process and which target is responsible for a denial. There is no data on where exactly in the process that call occurred. Debugging can be made easier by being able to reconstruct the unified kernel and userland stack traces [1].

Add a tracepoint on the SELinux denials which can then be used by userland (i.e. perf). Although this patch could manually be added by each OS developer to troubleshoot a denial, adding it to the kernel streamlines the developers' workflow.

[1] https://source.android.com/devices/tech/debug/native_stack_dump

Signed-off-by: Thiébaud Weksteen
Suggested-by: Joel Fernandes
Reviewed-by: Peter Enderborg
---
MAINTAINERS | 1 + include/trace/events/avc.h | 37 +++++++++++++++++++++++++++++++++++++ security/selinux/avc.c | 5 +++++ 3 files changed, 43 insertions(+) create mode 100644 include/trace/events/avc.h diff --git a/MAINTAINERS b/MAINTAINERS index c8e8232c65da..0efaea0e144c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -15426,6 +15426,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot F: Documentation/ABI/obsolete/sysfs-selinux-disable F: Documentation/admin-guide/LSM/SELinux.rst +F: include/trace/events/avc.h F: include/uapi/linux/selinux_netlink.h F: scripts/selinux/ F: security/selinux/ diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h new file mode 100644 index 000000000000..07c058a9bbcd --- /dev/null +++ b/include/trace/events/avc.h
@@ -0,0 +1,37 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Author: Thiébaud Weksteen + */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM avc + +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_SELINUX_H + +#include + +TRACE_EVENT(selinux_audited, + + TP_PROTO(struct selinux_audit_data *sad), + + TP_ARGS(sad), + + TP_STRUCT__entry( + __field(unsigned int, tclass) + __field(unsigned int, audited) + ), + + TP_fast_assign( + __entry->tclass = sad->tclass; + __entry->audited = sad->audited; + ), + + TP_printk("tclass=%u audited=%x", + __entry->tclass, + __entry->audited) +); + +#endif + +/* This part must be outside protection */ +#include diff --git a/security/selinux/avc.c b/security/selinux/avc.c index d18cb32a242a..b0a0af778b70 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -31,6 +31,9 @@ #include "avc_ss.h" #include "classmap.h" +#define CREATE_TRACE_POINTS +#include + #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 
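Review bot: the include guard in the new avc.h hunk is named `_TRACE_SELINUX_H` while the file is `include/trace/events/avc.h` and `TRACE_SYSTEM` is `avc`; rename both the `#if !defined(...)` and the `#define` to `_TRACE_AVC_H` so the guard matches the header and cannot collide with a future selinux trace header. The `#include` directives in this header and in the avc.c hunk have lost their paths in this copy of the patch, so the usual pairing (the tracepoint header inside the guard, `trace/define_trace.h` after the "This part must be outside protection" comment, and `CREATE_TRACE_POINTS` defined before the header is included exactly once in avc.c) should be checked against the real submission. On the call site in `avc_audit_post_callback`: the subject says "tracepoint on denials", but that callback runs for every audited decision, granted accesses matched by auditallow rules included, and this first version of the event exposes neither `sad->denied` nor `sad->result`, so a consumer cannot filter denials; either reword the subject/commit message to "audited events" or add the `denied` field here rather than in a follow-up.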
@@ -706,6 +709,8 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) u32 scontext_len; int rc; + trace_selinux_audited(sad); + rc = security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len); if (rc)
From patchwork Thu Aug 6 08:03:42 2020
X-Patchwork-Submitter: Thiébaud Weksteen
X-Patchwork-Id: 11702823
X-Patchwork-Delegate: paul@paul-moore.com
Date: Thu, 6 Aug 2020 10:03:42 +0200
In-Reply-To: <20200806080358.3124505-1-tweek@google.com>
Message-Id: <20200806080358.3124505-2-tweek@google.com>
References: <20200806080358.3124505-1-tweek@google.com>
Subject: [PATCH 2/2] selinux: add attributes to avc tracepoint
From: Thiébaud Weksteen
To: Paul Moore
Cc: Nick Kralevich, Peter Enderborg, Thiébaud Weksteen, Stephen Smalley, Eric Paris, Steven Rostedt, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, Arnd Bergmann, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
List-ID: X-Mailing-List: selinux@vger.kernel.org

From: Peter Enderborg

Add further attributes to filter the trace events from AVC.

Signed-off-by: Peter Enderborg
Reviewed-by: Thiébaud Weksteen
---
include/trace/events/avc.h | 41 ++++++++++++++++++++++++++++---------- security/selinux/avc.c | 22 +++++++++++--------- 2 files changed, 44 insertions(+), 19 deletions(-) diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h index 07c058a9bbcd..ac5ef2e1c2c5 100644 --- a/include/trace/events/avc.h +++ b/include/trace/events/avc.h @@ -1,6 +1,7 @@ /* SPDX-License-Identifier: GPL-2.0 */ /* - * Author: Thiébaud Weksteen + * Authors: Thiébaud Weksteen + * Peter Enderborg */ #undef TRACE_SYSTEM #define TRACE_SYSTEM avc
@@ -12,23 +13,43 @@ TRACE_EVENT(selinux_audited, - TP_PROTO(struct selinux_audit_data *sad), + TP_PROTO(struct selinux_audit_data *sad, + char *scontext, + char *tcontext, + const char *tclass + ), - TP_ARGS(sad), + TP_ARGS(sad, scontext, tcontext, tclass), TP_STRUCT__entry( - __field(unsigned int, tclass) - __field(unsigned int, audited) + __field(u32, requested) + __field(u32, denied) + __field(u32, audited) + __field(int, result) + __string(scontext, scontext) + __string(tcontext, tcontext) + __string(tclass, tclass) + __field(u32, ssid) + __field(u32, tsid) ), TP_fast_assign( - __entry->tclass = sad->tclass; - __entry->audited = sad->audited; + __entry->requested = sad->requested; + __entry->denied = sad->denied; + __entry->audited = sad->audited; + __entry->result = sad->result; + __entry->ssid = sad->ssid; + __entry->tsid = sad->tsid; + __assign_str(tcontext, tcontext); + __assign_str(scontext, scontext); + __assign_str(tclass, tclass); ), - TP_printk("tclass=%u audited=%x", - __entry->tclass, - __entry->audited) + TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d ssid=%u tsid=%u scontext=%s tcontext=%s tclass=%s", + __entry->requested, __entry->denied, __entry->audited, __entry->result, + __entry->ssid, __entry->tsid, __get_str(scontext), __get_str(tcontext), + __get_str(tclass) + ) ); #endif diff --git a/security/selinux/avc.c b/security/selinux/avc.c index b0a0af778b70..7de5cc5169af 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c 
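Review bot: `TP_PROTO` now takes `char *scontext` and `char *tcontext`, but the caller in the avc.c hunk initialises both to NULL and leaves them NULL whenever `security_sid_to_context()` fails (the `ssid=`/`tsid=` fallback branches), so `__string(scontext, scontext)` and `__assign_str(scontext, scontext)` can be handed a NULL source on that path; either substitute a fixed string such as `"(null)"` at the call site before tracing, or state in the commit message that the kernel's `__string()`/`__assign_str()` NULL handling is being relied on. Two smaller points: the two context parameters are only read, so they can be `const char *` like `tclass`; and removing the numeric `tclass` field means filters written against the v1 event (`tclass=%u`) stop working, which is acceptable for an event that has not shipped but should be called out.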
@@ -705,35 +705,39 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) { struct common_audit_data *ad = a; struct selinux_audit_data *sad = ad->selinux_audit_data; - char *scontext; + char *scontext = NULL; + char *tcontext = NULL; + const char *tclass = NULL; u32 scontext_len; + u32 tcontext_len; int rc; - trace_selinux_audited(sad); - rc = security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len); if (rc) audit_log_format(ab, " ssid=%d", sad->ssid); else { audit_log_format(ab, " scontext=%s", scontext); - kfree(scontext); } - rc = security_sid_to_context(sad->state, sad->tsid, &scontext, - &scontext_len); + rc = security_sid_to_context(sad->state, sad->tsid, &tcontext, + &tcontext_len); if (rc) audit_log_format(ab, " tsid=%d", sad->tsid); else { - audit_log_format(ab, " tcontext=%s", scontext); - kfree(scontext); + audit_log_format(ab, " tcontext=%s", tcontext); } - audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name); + tclass = secclass_map[sad->tclass-1].name; + audit_log_format(ab, " tclass=%s", tclass); if (sad->denied) audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1); + trace_selinux_audited(sad, scontext, tcontext, tclass); + kfree(tcontext); + kfree(scontext); + /* in case of invalid context report also the actual context string */ rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext, &scontext_len);
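Review bot: in the avc.c hunk, the two `else { audit_log_format(...); }` blocks are left with a single statement each once the `kfree()` calls are removed, so the braces should go (`else audit_log_format(ab, " scontext=%s", scontext);`), as checkpatch will flag them. The move of `trace_selinux_audited()` from the top of the callback to after the `permissive=` line is what makes `scontext`, `tcontext` and `tclass` available to the event, and the `kfree()` of both contexts right after it is correctly ordered, but the commit message ("Add further attributes to filter the trace events from AVC.") does not say which attributes were added, why the call moved, or what the event carries when context translation fails and a context pointer stays NULL; please document those in the message. `tclass` is assigned from `secclass_map[sad->tclass-1]` without a bounds check, as the pre-existing code also did; worth a note that this hunk keeps that behaviour rather than fixing it.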