On Fri, 24 Jul 2020 11:15:03 +0200
"Thiébaud Weksteen" <tweek@xxxxxxxxxx> wrote:
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index d18cb32a242a..85d2e22ab656 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -31,6 +31,9 @@
> #include "avc_ss.h"
> #include "classmap.h"
>
> +#define CREATE_TRACE_POINTS
> +#include <trace/events/selinux.h>
> +
> #define AVC_CACHE_SLOTS 512
> #define AVC_DEF_CACHE_THRESHOLD 512
> #define AVC_CACHE_RECLAIM 16
> @@ -672,6 +675,9 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
> return;
> }
>
> + if (sad->denied)
First, I would like to deny sadness as well ;-)
Now, there is a way to add that branch within the "nop" area of the
trace event, and remove the conditional branch from the main code.
> + trace_selinux_denied(sad->tclass, av);
> +
Instead have this:
trace_selinux_denied(sad, av);
> perms = secclass_map[sad->tclass-1].perms;
>
> audit_log_format(ab, " {");
> --- /dev/null
> +++ b/include/trace/events/selinux.h
> @@ -0,0 +1,35 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#undef TRACE_SYSTEM
> +#define TRACE_SYSTEM selinux
> +
> +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ)
> +#define _TRACE_SELINUX_H
> +
> +#include <linux/ktime.h>
> +#include <linux/tracepoint.h>
> +
> +TRACE_EVENT(selinux_denied,
TRACE_EVENT_CONDITION(selinux_denied,
> +
> + TP_PROTO(int cls, int av),
TP_PROTO(struct selinux_audit_data sad, int av)
> +
> + TP_ARGS(cls, av),
> +
TP_CONDITION(sad->denied),
The above condition will be tested before calling the tracepoint. But
only if the trace event is enabled.
> + TP_STRUCT__entry(
> + __field(int, cls)
> + __field(int, av)
> + ),
> +
> + TP_fast_assign(
> + __entry->cls = cls;
__entry->cls = sad->tclass;
> + __entry->av = av;
> + ),
> +
> + TP_printk("denied %d %d",
> + __entry->cls,
> + __entry->av)
> +);
> +
> +#endif
> +
> +/* This part must be outside protection */
> +#include <trace/define_trace.h>
-- Steve
