lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 24 Jul 2020 09:52:32 -0400
From:   Steven Rostedt <rostedt@...dmis.org>
To:     "ThiƩbaud Weksteen" <tweek@...gle.com>
Cc:     Paul Moore <paul@...l-moore.com>, Nick Kralevich <nnk@...gle.com>,
        Joel Fernandes <joelaf@...gle.com>,
        Stephen Smalley <stephen.smalley.work@...il.com>,
        Eric Paris <eparis@...isplace.org>,
        Ingo Molnar <mingo@...hat.com>,
        Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Rob Herring <robh@...nel.org>, linux-kernel@...r.kernel.org,
        selinux@...r.kernel.org
Subject: Re: [PATCH] selinux: add tracepoint on denials

On Fri, 24 Jul 2020 11:15:03 +0200
"ThiƩbaud Weksteen" <tweek@...gle.com> wrote:
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index d18cb32a242a..85d2e22ab656 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -31,6 +31,9 @@
>  #include "avc_ss.h"
>  #include "classmap.h"
>  
> +#define CREATE_TRACE_POINTS
> +#include <trace/events/selinux.h>
> +
>  #define AVC_CACHE_SLOTS			512
>  #define AVC_DEF_CACHE_THRESHOLD		512
>  #define AVC_CACHE_RECLAIM		16
> @@ -672,6 +675,9 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
>  		return;
>  	}
>  
> +	if (sad->denied)

First, I would like to deny sadness as well ;-)

Now, there is a way to add that branch within the "nop" area of the
trace event, and remove the conditional branch from the main code.

> +		trace_selinux_denied(sad->tclass, av);
> +

Instead have this:

	trace_selinux_denied(sad, av);

>  	perms = secclass_map[sad->tclass-1].perms;
>  
>  	audit_log_format(ab, " {");

> --- /dev/null
> +++ b/include/trace/events/selinux.h
> @@ -0,0 +1,35 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#undef TRACE_SYSTEM
> +#define TRACE_SYSTEM selinux
> +
> +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ)
> +#define _TRACE_SELINUX_H
> +
> +#include <linux/ktime.h>
> +#include <linux/tracepoint.h>
> +
> +TRACE_EVENT(selinux_denied,

TRACE_EVENT_CONDITION(selinux_denied,

> +
> +	TP_PROTO(int cls, int av),

	TP_PROTO(struct selinux_audit_data sad, int av)

> +
> +	TP_ARGS(cls, av),
> +

	TP_CONDITION(sad->denied),

The above condition will be tested before calling the tracepoint. But
only if the trace event is enabled.

> +	TP_STRUCT__entry(
> +		__field(int, cls)
> +		__field(int, av)
> +	),
> +
> +	TP_fast_assign(
> +		__entry->cls = cls;

		__entry->cls = sad->tclass;

> +		__entry->av = av;
> +	),
> +
> +	TP_printk("denied %d %d",
> +		__entry->cls,
> +		__entry->av)
> +);
> +
> +#endif
> +
> +/* This part must be outside protection */
> +#include <trace/define_trace.h>

-- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ