Re: [PATCH v3 1/3] selinux: add tracepoint on audited events

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 8/17/20 1:07 PM, Thiébaud Weksteen wrote:

The audit data currently captures which process and which target
is responsible for a denial. There is no data on where exactly in the
process that call occurred. Debugging can be made easier by being able to
reconstruct the unified kernel and userland stack traces [1]. Add a
tracepoint on the SELinux denials which can then be used by userland
(i.e. perf).

Although this patch could manually be added by each OS developer to
trouble shoot a denial, adding it to the kernel streamlines the
developers workflow.

It is possible to use perf for monitoring the event:
   # perf record -e avc:selinux_audited -g -a
   ^C
   # perf report -g
   [...]
       6.40%     6.40%  audited=800000 tclass=4
                |
                   __libc_start_main
                   |
                   |--4.60%--__GI___ioctl
                   |          entry_SYSCALL_64
                   |          do_syscall_64
                   |          __x64_sys_ioctl
                   |          ksys_ioctl
                   |          binder_ioctl
                   |          binder_set_nice
                   |          can_nice
                   |          capable
                   |          security_capable
                   |          cred_has_capability.isra.0
                   |          slow_avc_audit
                   |          common_lsm_audit
                   |          avc_audit_post_callback
                   |          avc_audit_post_callback
                   |

It is also possible to use the ftrace interface:
   # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable
   # cat /sys/kernel/debug/tracing/trace
   tracer: nop
   entries-in-buffer/entries-written: 1/1   #P:8
   [...]
   dmesg-3624  [001] 13072.325358: selinux_denied: audited=800000 tclass=4

The tclass value can be mapped to a class by searching
security/selinux/flask.h. The audited value is a bit field of the
permissions described in security/selinux/av_permissions.h for the
corresponding class.

[1] https://source.android.com/devices/tech/debug/native_stack_dump

Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
Suggested-by: Joel Fernandes <joelaf@xxxxxxxxxx>
Reviewed-by: Peter Enderborg <peter.enderborg@xxxxxxxx>
Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux