From patchwork Mon Aug 17 17:07:12 2020
X-Patchwork-Submitter: Thiébaud Weksteen
X-Patchwork-Id: 11718933
X-Patchwork-Delegate: paul@paul-moore.com
Date: Mon, 17 Aug 2020 19:07:12 +0200
In-Reply-To: <20200817170729.2605279-1-tweek@google.com>
Message-Id: <20200817170729.2605279-2-tweek@google.com>
Subject: [PATCH v3 1/3] selinux: add tracepoint on audited events
From: Thiébaud Weksteen
To: Paul Moore
Cc: Nick Kralevich, Thiébaud Weksteen, Joel Fernandes, Peter Enderborg, Stephen Smalley, Eric Paris, Steven Rostedt, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
List-ID: selinux@vger.kernel.org

The audit data currently captures which process and which target is
responsible for a denial. There is no data on where exactly in the
process that call occurred. Debugging can be made easier by being able
to reconstruct the unified kernel and userland stack traces [1].

Add a tracepoint on the SELinux denials which can then be used by
userland (i.e. perf). Although this patch could manually be added by
each OS developer to troubleshoot a denial, adding it to the kernel
streamlines the developers' workflow.

It is possible to use perf for monitoring the event:

  # perf record -e avc:selinux_audited -g -a
  ^C
  # perf report -g
  [...]
      6.40%     6.40%  audited=800000 tclass=4
              |
              __libc_start_main
              |
              |--4.60%--__GI___ioctl
              |          entry_SYSCALL_64
              |          do_syscall_64
              |          __x64_sys_ioctl
              |          ksys_ioctl
              |          binder_ioctl
              |          binder_set_nice
              |          can_nice
              |          capable
              |          security_capable
              |          cred_has_capability.isra.0
              |          slow_avc_audit
              |          common_lsm_audit
              |          avc_audit_post_callback
              |          avc_audit_post_callback
              |

It is also possible to use the ftrace interface:

  # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable
  # cat /sys/kernel/debug/tracing/trace
  tracer: nop
  entries-in-buffer/entries-written: 1/1   #P:8
  [...]
  dmesg-3624 [001] 13072.325358: selinux_denied: audited=800000 tclass=4

The tclass value can be mapped to a class by searching
security/selinux/flask.h. The audited value is a bit field of the
permissions described in security/selinux/av_permissions.h for the
corresponding class.

[1] https://source.android.com/devices/tech/debug/native_stack_dump
Signed-off-by: Thiébaud Weksteen Suggested-by: Joel Fernandes Reviewed-by: Peter Enderborg Acked-by: Stephen Smalley --- MAINTAINERS | 1 + include/trace/events/avc.h | 37 +++++++++++++++++++++++++++++++++++++ security/selinux/avc.c | 5 +++++ 3 files changed, 43 insertions(+) create mode 100644 include/trace/events/avc.h diff --git a/MAINTAINERS b/MAINTAINERS index c8e8232c65da..0efaea0e144c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -15426,6 +15426,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot F: Documentation/ABI/obsolete/sysfs-selinux-disable F: Documentation/admin-guide/LSM/SELinux.rst +F: include/trace/events/avc.h F: include/uapi/linux/selinux_netlink.h F: scripts/selinux/ F: security/selinux/ diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h new file mode 100644 index 000000000000..07c058a9bbcd --- /dev/null +++ b/include/trace/events/avc.h @@ -0,0 +1,37 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Author: Thiébaud Weksteen + */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM avc + +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_SELINUX_H + +#include + +TRACE_EVENT(selinux_audited, + + TP_PROTO(struct selinux_audit_data *sad), + + TP_ARGS(sad), + + TP_STRUCT__entry( + __field(unsigned int, tclass) + __field(unsigned int, audited) + ), + + TP_fast_assign( + __entry->tclass = sad->tclass; + __entry->audited = sad->audited; + ), + + TP_printk("tclass=%u audited=%x", + __entry->tclass, + __entry->audited) +); + +#endif + +/* This part must be outside protection */ +#include diff --git a/security/selinux/avc.c b/security/selinux/avc.c index d18cb32a242a..b0a0af778b70 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c 
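Review bot: in the TP_printk of this TRACE_EVENT the class is emitted as a bare number and the permission mask as `%x` with no 0x prefix, so a trace line reads `tclass=4 audited=800000` and the reader has to resolve both by hand against flask.h and av_permissions.h, as the commit message itself concedes. The class name is already computed in avc_audit_post_callback() for the audit record (`secclass_map[sad->tclass-1].name`), so record it with `__string()` and print `audited=0x%x` so the trace line matches the audit record's `tclass=`/hex conventions. Also, the include guard is `_TRACE_SELINUX_H` while TRACE_SYSTEM is `avc`; naming the guard `_TRACE_AVC_H` avoids a clash with any future trace/events/selinux.h.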
@@ -31,6 +31,9 @@ #include "avc_ss.h" #include "classmap.h" +#define CREATE_TRACE_POINTS +#include + #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 
@@ -706,6 +709,8 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) u32 scontext_len; int rc; + trace_selinux_audited(sad); + rc = security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len); if (rc)
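Review bot: trace_selinux_audited() is placed in avc_audit_post_callback(), which the generic audit code runs only while it is actually writing an audit record (the perf call chain in the commit message shows it reached via common_lsm_audit()), so the tracepoint inherits the audit subsystem's gating: when audit is disabled or the record is rate-limited and dropped, no event is emitted even though the AVC decision was made and `sad` was fully populated. If the intent is an event that fires independently of auditd state, the call belongs in the slow_avc_audit() path before common_lsm_audit(); otherwise the commit message should state that the tracepoint only fires for audited-and-logged decisions.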
From patchwork Mon Aug 17 17:07:13 2020
X-Patchwork-Submitter: Thiébaud Weksteen
X-Patchwork-Id: 11718859
X-Patchwork-Delegate: paul@paul-moore.com
Date: Mon, 17 Aug 2020 19:07:13 +0200
In-Reply-To: <20200817170729.2605279-1-tweek@google.com>
Message-Id: <20200817170729.2605279-3-tweek@google.com>
Subject: [PATCH v3 2/3] selinux: add basic filtering for audit trace events
From: Thiébaud Weksteen
To: Paul Moore
Cc: Nick Kralevich, Peter Enderborg, Thiébaud Weksteen, Stephen Smalley, Eric Paris, Steven Rostedt, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
List-ID: selinux@vger.kernel.org

From: Peter Enderborg

This patch adds further attributes to the event. These attributes are
helpful to understand the context of the message and can be used to
filter the events.

There are three common items: source context, target context and
tclass. There are also items from the outcome of the operation
performed.

An event is similar to:

  <...>-1309 [002] .... 6346.691689: selinux_audited: requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

With systems where many denials are occurring, it is useful to apply a
filter. The filtering is a set of logic that is inserted with the
filter file. Example:

  echo "tclass==\"file\" " > events/avc/selinux_audited/filter

With this, we only get events with tclass=file.

The trace can also have extra properties. Adding the user stack can be
done with:

  echo 1 > options/userstacktrace

Now the output will be:

  runcon-1365 [003] .... 6960.955530: selinux_audited: requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
  runcon-1365 [003] .... 6960.955560:
  => <00007f325b4ce45b>
  => <00005607093efa57>

Signed-off-by: Peter Enderborg
Reviewed-by: Thiébaud Weksteen
---
 include/trace/events/avc.h | 36 ++++++++++++++++++++++++++++----------
 security/selinux/avc.c     | 22 +++++++++++++---------
 2 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h index 07c058a9bbcd..b55fda2e0773 100644 --- a/include/trace/events/avc.h +++ b/include/trace/events/avc.h @@ -1,6 +1,7 @@ /* SPDX-License-Identifier: GPL-2.0 */ /* - * Author: Thiébaud Weksteen + * Authors: Thiébaud Weksteen + * Peter Enderborg */ #undef TRACE_SYSTEM #define TRACE_SYSTEM avc @@ -12,23 +13,38 @@ TRACE_EVENT(selinux_audited, - TP_PROTO(struct selinux_audit_data *sad), + TP_PROTO(struct selinux_audit_data *sad, + char *scontext, + char *tcontext, + const char *tclass + ), - TP_ARGS(sad), + TP_ARGS(sad, scontext, tcontext, tclass), TP_STRUCT__entry( - __field(unsigned int, tclass) - __field(unsigned int, audited) + __field(u32, requested) + __field(u32, denied) + __field(u32, audited) + __field(int, result) + __string(scontext, scontext) + __string(tcontext, tcontext) + __string(tclass, tclass) ), TP_fast_assign( - __entry->tclass = sad->tclass; - __entry->audited = sad->audited; + __entry->requested = sad->requested; + __entry->denied = sad->denied; + __entry->audited = sad->audited; + __entry->result = sad->result; + __assign_str(tcontext, tcontext); + __assign_str(scontext, scontext); + __assign_str(tclass, tclass); ), - TP_printk("tclass=%u audited=%x", - __entry->tclass, - __entry->audited) + TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s", + __entry->requested, __entry->denied, __entry->audited, __entry->result, + __get_str(scontext), __get_str(tcontext), __get_str(tclass) + ) ); #endif diff --git a/security/selinux/avc.c b/security/selinux/avc.c index b0a0af778b70..7de5cc5169af 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c 
@@ -705,35 +705,39 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) { struct common_audit_data *ad = a; struct selinux_audit_data *sad = ad->selinux_audit_data; - char *scontext; + char *scontext = NULL; + char *tcontext = NULL; + const char *tclass = NULL; u32 scontext_len; + u32 tcontext_len; int rc; - trace_selinux_audited(sad); - rc = security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len); if (rc) audit_log_format(ab, " ssid=%d", sad->ssid); else { audit_log_format(ab, " scontext=%s", scontext); - kfree(scontext); } - rc = security_sid_to_context(sad->state, sad->tsid, &scontext, - &scontext_len); + rc = security_sid_to_context(sad->state, sad->tsid, &tcontext, + &tcontext_len); if (rc) audit_log_format(ab, " tsid=%d", sad->tsid); else { - audit_log_format(ab, " tcontext=%s", scontext); - kfree(scontext); + audit_log_format(ab, " tcontext=%s", tcontext); } - audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name); + tclass = secclass_map[sad->tclass-1].name; + audit_log_format(ab, " tclass=%s", tclass); if (sad->denied) audit_log_format(ab, " permissive=%u", sad->result ? 
0 : 1); + trace_selinux_audited(sad, scontext, tcontext, tclass); + kfree(tcontext); + kfree(scontext); + /* in case of invalid context report also the actual context string */ rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext, &scontext_len);
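Review bot: `scontext` and `tcontext` stay NULL on the security_sid_to_context() error path and are handed to trace_selinux_audited() as-is, while the audit record in the same branch logs `ssid=%d`/`tsid=%d`; the trace and audit views of one event should not disagree, so consider formatting the same numeric fallback into a small stack buffer and passing that. Style: with the kfree() calls moved out, both `else { ... }` blocks now wrap a single audit_log_format() statement and checkpatch will flag the braces; drop them. kfree(NULL) is fine, so the unconditional kfree(tcontext)/kfree(scontext) after the tracepoint is correct.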
From patchwork Mon Aug 17 17:07:14 2020
X-Patchwork-Submitter: Thiébaud Weksteen
X-Patchwork-Id: 11718929
X-Patchwork-Delegate: paul@paul-moore.com
Date: Mon, 17 Aug 2020 19:07:14 +0200
In-Reply-To: <20200817170729.2605279-1-tweek@google.com>
Message-Id: <20200817170729.2605279-4-tweek@google.com>
Subject: [PATCH v3 3/3] selinux: add permission names to trace event
From: Thiébaud Weksteen
To: Paul Moore
Cc: Nick Kralevich, Peter Enderborg, Steven Rostedt, Stephen Smalley, Thiébaud Weksteen, Eric Paris, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
List-ID: selinux@vger.kernel.org

From: Peter Enderborg

Add the permissions to the printout; it will then look like:

  <...>-1042 [007] .... 201.965142: selinux_audited: requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissions={ !entrypoint }

This patch adds the "permissions={ !entrypoint }". The permissions
preceded by "!" have been denied and the permissions without it have
been accepted.

Note that permission filtering is done on the audited, denied or
requested attributes.

Suggested-by: Steven Rostedt
Suggested-by: Stephen Smalley
Reviewed-by: Thiébaud Weksteen
Signed-off-by: Peter Enderborg
Signed-off-by: Steven Rostedt (VMware)
---
 include/trace/events/avc.h | 11 +++++++++--
 security/selinux/avc.c     | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h index b55fda2e0773..94bca8bef8d2 100644 --- a/include/trace/events/avc.h +++ b/include/trace/events/avc.h @@ -10,6 +10,10 @@ #define _TRACE_SELINUX_H #include +#include + +extern const char *avc_trace_perm_to_name(struct trace_seq *p, u16 class, u32 audited, u32 denied); +#define __perm_to_name(class, audited, denied) avc_trace_perm_to_name(p, class, audited, denied) TRACE_EVENT(selinux_audited, @@ -29,6 +33,7 @@ TRACE_EVENT(selinux_audited, __string(scontext, scontext) __string(tcontext, tcontext) __string(tclass, tclass) + __field(u16, utclass) ), TP_fast_assign(
@@ -36,14 +41,16 @@ TRACE_EVENT(selinux_audited, __entry->denied = sad->denied; __entry->audited = sad->audited; __entry->result = sad->result; + __entry->utclass = sad->tclass; __assign_str(tcontext, tcontext); __assign_str(scontext, scontext); __assign_str(tclass, tclass); ), - TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s", + TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s permissions={%s }", __entry->requested, __entry->denied, __entry->audited, __entry->result, - __get_str(scontext), __get_str(tcontext), __get_str(tclass) + __get_str(scontext), __get_str(tcontext), __get_str(tclass), + __perm_to_name(__entry->utclass, __entry->audited, __entry->denied) ) ); diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 7de5cc5169af..d585b68c2a50 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -695,6 +695,7 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) audit_log_format(ab, " } for "); } + /** * avc_audit_post_callback - SELinux specific information * will be called by generic audit code 
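Review bot: the `@@ -695,6 +695,7 @@` hunk adds nothing but a blank line after avc_audit_pre_callback(); that whitespace change is unrelated to the permission-name feature and should be dropped from this patch. In the avc.h hunk, `__perm_to_name()` silently relies on `p` being the `struct trace_seq *` that the TP_printk expansion declares (the same convention __print_flags() uses); a one-line comment above the macro saying so would spare the next reader a trip into trace_events.h. The extern prototype also names its second parameter `class` while the definition below calls it `tclass`; keep the two consistent.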
@@ -991,6 +992,41 @@ int avc_ss_reset(struct selinux_avc *avc, u32 seqno) return rc; } +/** + * avc_trace_perm_to_name - SELinux help function for trace + * @p pointer to output storage + * @tclass tclass for the event + * @av access vector + * @avdenied denied permissions in av format + */ +const char *avc_trace_perm_to_name(struct trace_seq *p, u16 tclass, u32 av, u32 avdenied) +{ + const char *ret = trace_seq_buffer_ptr(p); + int i, perm; + const char **perms; + + if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map))) + return NULL; + + perms = secclass_map[tclass-1].perms; + + i = 0; + perm = 1; + while (i < (sizeof(av) * 8)) { + if ((perm & av) && perms[i]) { + if (!(perm & avdenied)) + trace_seq_printf(p, " %s", perms[i]); + else + trace_seq_printf(p, " !%s", perms[i]); + av &= ~perm; + } + i++; + perm <<= 1; + } + + return ret; +} + /* * Slow-path helper function for avc_has_perm_noaudit, * when the avc_node lookup fails. We get called with
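Review bot: `perm` is an `int` that is shifted left on every iteration, so the last pass computes `1 << 31` in signed arithmetic; declare it `u32` to match `av`/`avdenied` (and `i` can become `unsigned int`). The kernel-doc comment needs colons after the parameter names (`@p: pointer to output storage`, `@tclass: ...`) or scripts/kernel-doc will warn, and the documented `@av`/`@avdenied` should use the same names as the header's `audited`/`denied`. Finally, `av &= ~perm;` has no effect since every bit is visited exactly once; remove it.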
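The following is an added example and not part of the patch series or of the kernel tree: a small user-space decoder, in C, for selinux_audited trace lines. It applies the rule that patch 3's TP_printk uses (every bit set in audited is named, with a "!" prefix when the bit is also set in denied) to lines in the patch 2 format, which is what a kernel carrying patches 1 and 2 but not 3 emits, and it also accepts the bare hex numbers that patch 1 prints. Assumptions: the permission tables are a hand-copied subset of av_permissions.h for the file and capability classes, with bit positions as in classmap.h for the kernel this series targets (entrypoint = bit 26 = 0x4000000, matching the commit message's example; sys_nice = bit 23 = 0x800000, the CAP_SYS_NICE check visible in patch 1's perf call chain); the names trace_field, decode_perms, decode_line and SAMPLE_FILE_LINE are the example's own. A kernel with only patch 1 additionally needs the numeric tclass mapped to a class name from flask.h, which this example does not attempt.

```c
/*
 * Added example, not code from the patch series: a user-space decoder for
 * selinux_audited trace lines that applies the rule of the series' TP_printk:
 * name every set bit of `audited`, with a "!" prefix when the bit is also set
 * in `denied`. ASSUMPTION: the tables are a hand-copied subset of
 * security/selinux/av_permissions.h (bit order of classmap.h for the kernel
 * this series targets: entrypoint = bit 26, sys_nice = bit 23); regenerate
 * them from your own tree before relying on the names.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct perm_map {
	const char *tclass;
	const char *perms[32];	/* index = bit position, NULL = not named here */
};

static const struct perm_map perm_maps[] = {
	{ "file", { "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
		    "relabelfrom", "relabelto", "append", "map", "unlink", "link", "rename",
		    "execute", "quotaon", "mounton", "audit_access", "open", "execmod",
		    "watch", "watch_mount", "watch_sb", "watch_with_perm", "watch_reads",
		    "execute_no_trans", "entrypoint" } },
	{ "capability", { "chown", "dac_override", "dac_read_search", "fowner", "fsetid",
			  "kill", "setgid", "setuid", "setpcap", "linux_immutable",
			  "net_bind_service", "net_broadcast", "net_admin", "net_raw",
			  "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot",
			  "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice" } },
};

/* Event line quoted from the patch 2 commit message. */
const char SAMPLE_FILE_LINE[] =
	"<...>-1309 [002] .... 6346.691689: selinux_audited: requested=0x4000000"
	" denied=0x4000000 audited=0x4000000 result=-13"
	" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023"
	" tcontext=system_u:object_r:bin_t:s0 tclass=file";

/* Scan " key=<token>" out of a trace line into out[32]; 0 if the key is absent. */
static int trace_field(const char *line, const char *key, char *out)
{
	char fmt[48];
	const char *p;

	snprintf(fmt, sizeof(fmt), " %s=", key);
	p = strstr(line, fmt);
	if (!p)
		return 0;
	strcat(fmt, "%31s");	/* e.g. " tclass=%31s" */
	return sscanf(p, fmt, out) == 1;
}

/*
 * Render "permissions={ ... }" the way the kernel helper does: walk all 32
 * bits of `audited`, name each set bit, mark it "!" when it is also in
 * `denied`, skip bits the table does not name. Returns the number of names
 * written, or -1 for a class the table does not know.
 */
int decode_perms(const char *tclass, uint32_t audited, uint32_t denied,
		 char *out, size_t outsz)
{
	const struct perm_map *m = NULL;
	size_t i, len;
	int bit, named = 0;

	for (i = 0; i < sizeof(perm_maps) / sizeof(perm_maps[0]); i++)
		if (strcmp(perm_maps[i].tclass, tclass) == 0)
			m = &perm_maps[i];
	if (!m)
		return -1;
	len = (size_t)snprintf(out, outsz, "permissions={");
	for (bit = 0; bit < 32 && len < outsz; bit++) {
		uint32_t mask = (uint32_t)1 << bit;	/* unsigned, so bit 31 is safe */

		if (!(audited & mask) || !m->perms[bit])
			continue;
		len += (size_t)snprintf(out + len, outsz - len, " %s%s",
					(denied & mask) ? "!" : "", m->perms[bit]);
		named++;
	}
	if (len < outsz)
		snprintf(out + len, outsz - len, " }");
	return named;
}

/* Parse one selinux_audited line; returns its rendering, or "" on failure. */
const char *decode_line(const char *line)
{
	static char out[256];
	char tclass[32], audited[32], denied[32];

	out[0] = '\0';
	if (!trace_field(line, "tclass", tclass) ||
	    !trace_field(line, "audited", audited) ||
	    !trace_field(line, "denied", denied))
		return out;
	/* base 16 accepts both "0x4000000" and patch 1's bare "4000000" */
	if (decode_perms(tclass, (uint32_t)strtoul(audited, NULL, 16),
			 (uint32_t)strtoul(denied, NULL, 16), out, sizeof(out)) < 0)
		out[0] = '\0';
	return out;
}

int main(void)
{
	printf("%s\n", decode_line(SAMPLE_FILE_LINE));
	return 0;
}
```

Feed it `cat /sys/kernel/debug/tracing/trace` output one line at a time; for the sample line it prints `permissions={ !entrypoint }`, exactly the suffix patch 3 appends in the kernel, and a line whose audited mask names a permission that is not in denied (an auditallow hit) comes out without the "!".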