The audit data currently captures which process and which target is responsible for a denial. There is no data on where exactly in the process that call occurred. Debugging can be made easier by being able to reconstruct the unified kernel and userland stack traces [1]. Add a tracepoint on the SELinux denials which can then be used by userland (i.e. perf).
Although this patch could manually be added by each OS developer to trouble shoot a denial, adding it to the kernel streamlines the developers workflow. [1] https://source.android.com/devices/tech/debug/native_stack_dump Signed-off-by: Thiébaud Weksteen <tw...@google.com> Suggested-by: Joel Fernandes <joe...@google.com> Reviewed-by: Peter Enderborg <peter.enderb...@sony.com> --- MAINTAINERS | 1 + include/trace/events/avc.h | 37 +++++++++++++++++++++++++++++++++++++ security/selinux/avc.c | 5 +++++ 3 files changed, 43 insertions(+) create mode 100644 include/trace/events/avc.h diff --git a/MAINTAINERS b/MAINTAINERS index c8e8232c65da..0efaea0e144c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -15426,6 +15426,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot F: Documentation/ABI/obsolete/sysfs-selinux-disable F: Documentation/admin-guide/LSM/SELinux.rst +F: include/trace/events/avc.h F: include/uapi/linux/selinux_netlink.h F: scripts/selinux/ F: security/selinux/ diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h new file mode 100644 index 000000000000..07c058a9bbcd --- /dev/null +++ b/include/trace/events/avc.h @@ -0,0 +1,37 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Author: Thiébaud Weksteen <tw...@google.com> + */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM avc + +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_SELINUX_H + +#include <linux/tracepoint.h> + +TRACE_EVENT(selinux_audited, + + TP_PROTO(struct selinux_audit_data *sad), + + TP_ARGS(sad), + + TP_STRUCT__entry( + __field(unsigned int, tclass) + __field(unsigned int, audited) + ), + + TP_fast_assign( + __entry->tclass = sad->tclass; + __entry->audited = sad->audited; + ), + + TP_printk("tclass=%u audited=%x", + __entry->tclass, + __entry->audited) +); + +#endif + +/* This part must be outside protection */ +#include <trace/define_trace.h> diff --git a/security/selinux/avc.c b/security/selinux/avc.c index d18cb32a242a..b0a0af778b70 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -31,6 +31,9 @@ #include "avc_ss.h" #include "classmap.h" +#define CREATE_TRACE_POINTS +#include <trace/events/avc.h> + #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 @@ -706,6 +709,8 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) u32 scontext_len; int rc; + trace_selinux_audited(sad); + rc = security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len); if (rc) -- 2.28.0.163.g6104cc2f0b6-goog
