The audit data currently captures which process and which target is responsible for a denial. There is no data on where exactly in the process that call occurred. Debugging can be made easier by being able to reconstruct the unified kernel and userland stack traces [1]. Add a tracepoint on the SELinux denials which can then be used by userland (i.e. perf). Although this patch could manually be added by each OS developer to trouble shoot a denial, adding it to the kernel streamlines the developers workflow. [1] https://source.android.com/devices/tech/debug/native_stack_dump Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx> Signed-off-by: Joel Fernandes <joelaf@xxxxxxxxxx> --- MAINTAINERS | 1 + include/trace/events/selinux.h | 35 ++++++++++++++++++++++++++++++++++ security/selinux/avc.c | 6 ++++++ 3 files changed, 42 insertions(+) create mode 100644 include/trace/events/selinux.h diff --git a/MAINTAINERS b/MAINTAINERS index e64cdde81851..6b6cd5e13537 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -15358,6 +15358,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot F: Documentation/ABI/obsolete/sysfs-selinux-disable F: Documentation/admin-guide/LSM/SELinux.rst +F: include/trace/events/selinux.h F: include/uapi/linux/selinux_netlink.h F: scripts/selinux/ F: security/selinux/ diff --git a/include/trace/events/selinux.h b/include/trace/events/selinux.h new file mode 100644 index 000000000000..e247187a8135 --- /dev/null +++ b/include/trace/events/selinux.h @@ -0,0 +1,35 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM selinux + +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_SELINUX_H + +#include <linux/ktime.h> +#include <linux/tracepoint.h> + +TRACE_EVENT(selinux_denied, + + TP_PROTO(int cls, int av), + + TP_ARGS(cls, av), + + TP_STRUCT__entry( + __field(int, cls) + __field(int, av) + ), + + TP_fast_assign( + __entry->cls = cls; + __entry->av = av; + ), + + TP_printk("denied %d %d", + __entry->cls, + __entry->av) +); + +#endif + +/* This part must be outside protection */ +#include <trace/define_trace.h> diff --git a/security/selinux/avc.c b/security/selinux/avc.c index d18cb32a242a..85d2e22ab656 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -31,6 +31,9 @@ #include "avc_ss.h" #include "classmap.h" +#define CREATE_TRACE_POINTS +#include <trace/events/selinux.h> + #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 @@ -672,6 +675,9 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) return; } + if (sad->denied) + trace_selinux_denied(sad->tclass, av); + perms = secclass_map[sad->tclass-1].perms; audit_log_format(ab, " {"); -- 2.28.0.rc0.142.g3c755180ce-goog