On Fri, Aug 21, 2020 at 10:09 AM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote: > > The audit data currently captures which process and which target > is responsible for a denial. There is no data on where exactly in the > process that call occurred. Debugging can be made easier by being able to > reconstruct the unified kernel and userland stack traces [1]. Add a > tracepoint on the SELinux denials which can then be used by userland > (i.e. perf). > > Although this patch could manually be added by each OS developer to > trouble shoot a denial, adding it to the kernel streamlines the > developers workflow. > > It is possible to use perf for monitoring the event: > # perf record -e avc:selinux_audited -g -a > ^C > # perf report -g > [...] > 6.40% 6.40% audited=800000 tclass=4 > | > __libc_start_main > | > |--4.60%--__GI___ioctl > | entry_SYSCALL_64 > | do_syscall_64 > | __x64_sys_ioctl > | ksys_ioctl > | binder_ioctl > | binder_set_nice > | can_nice > | capable > | security_capable > | cred_has_capability.isra.0 > | slow_avc_audit > | common_lsm_audit > | avc_audit_post_callback > | avc_audit_post_callback > | > > It is also possible to use the ftrace interface: > # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable > # cat /sys/kernel/debug/tracing/trace > tracer: nop > entries-in-buffer/entries-written: 1/1 #P:8 > [...] > dmesg-3624 [001] 13072.325358: selinux_denied: audited=800000 tclass=4 > > The tclass value can be mapped to a class by searching > security/selinux/flask.h. The audited value is a bit field of the > permissions described in security/selinux/av_permissions.h for the > corresponding class. > > [1] https://source.android.com/devices/tech/debug/native_stack_dump > > Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx> > Suggested-by: Joel Fernandes <joelaf@xxxxxxxxxx> > Reviewed-by: Peter Enderborg <peter.enderborg@xxxxxxxx> Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
