The audit data currently captures which process and which target is responsible for a denial. There is no data on where exactly in the process that call occurred. Debugging can be made easier by being able to reconstruct the unified kernel and userland stack traces [1]. Add a tracepoint on the SELinux denials which can then be used by userland (i.e. perf). Although this patch could manually be added by each OS developer to trouble shoot a denial, adding it to the kernel streamlines the developers workflow. [1] https://source.android.com/devices/tech/debug/native_stack_dump Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx> Signed-off-by: Joel Fernandes <joelaf@xxxxxxxxxx> --- Changes in v2: - Replace %d formatter with %x - Replace TRACE_EVENT with TRACE_EVENT_CONDITION - Add pid to structure and printk - Rename structure fields for clarity MAINTAINERS | 1 + include/trace/events/selinux.h | 39 ++++++++++++++++++++++++++++++++++ security/selinux/avc.c | 5 +++++ 3 files changed, 45 insertions(+) create mode 100644 include/trace/events/selinux.h diff --git a/MAINTAINERS b/MAINTAINERS index f0569cf304ca..0f74c8f073ab 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -15369,6 +15369,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot F: Documentation/ABI/obsolete/sysfs-selinux-disable F: Documentation/admin-guide/LSM/SELinux.rst +F: include/trace/events/selinux.h F: include/uapi/linux/selinux_netlink.h F: scripts/selinux/ F: security/selinux/ diff --git a/include/trace/events/selinux.h b/include/trace/events/selinux.h new file mode 100644 index 000000000000..287e1ecb4451 --- /dev/null +++ b/include/trace/events/selinux.h @@ -0,0 +1,39 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM selinux + +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_SELINUX_H + +#include <linux/tracepoint.h> + +TRACE_EVENT_CONDITION(selinux_denied, + + TP_PROTO(struct selinux_audit_data *sad, pid_t pid), + + TP_ARGS(sad, pid), + + TP_CONDITION(sad->denied), + + TP_STRUCT__entry( + __field(pid_t, pid) + __field(int, tclass) + __field(int, audited) + ), + + TP_fast_assign( + __entry->pid = pid; + __entry->tclass = sad->tclass; + __entry->audited = sad->audited; + ), + + TP_printk("denied pid=%d tclass=%x audited=%x", + __entry->pid, + __entry->tclass, + __entry->audited) +); + +#endif + +/* This part must be outside protection */ +#include <trace/define_trace.h> diff --git a/security/selinux/avc.c b/security/selinux/avc.c index d18cb32a242a..ca8206f38d8a 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -31,6 +31,9 @@ #include "avc_ss.h" #include "classmap.h" +#define CREATE_TRACE_POINTS +#include <trace/events/selinux.h> + #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 @@ -665,6 +668,8 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) const char **perms; int i, perm; + trace_selinux_denied(sad, task_tgid_nr(current)); + audit_log_format(ab, "avc: %s ", sad->denied ? "denied" : "granted"); if (av == 0) { -- 2.28.0.rc0.142.g3c755180ce-goog
