| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhRiz1ezDj6J5Yuv17EU8nnrOBKfHScB-njVUKptSoxowg@mail.gmail.com>
Date: Fri, 21 Aug 2020 17:08:58 -0400
From: Paul Moore <paul@...l-moore.com>
To: Thiébaud Weksteen <tweek@...gle.com>
Cc: Nick Kralevich <nnk@...gle.com>,
Joel Fernandes <joelaf@...gle.com>,
Peter Enderborg <peter.enderborg@...y.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Eric Paris <eparis@...isplace.org>,
Steven Rostedt <rostedt@...dmis.org>,
Ingo Molnar <mingo@...hat.com>,
Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Rob Herring <robh@...nel.org>, linux-kernel@...r.kernel.org,
selinux@...r.kernel.org
Subject: Re: [PATCH v4 1/2] selinux: add tracepoint on audited events
On Fri, Aug 21, 2020 at 10:09 AM Thiébaud Weksteen <tweek@...gle.com> wrote:
>
> The audit data currently captures which process and which target
> is responsible for a denial. There is no data on where exactly in the
> process that call occurred. Debugging can be made easier by being able to
> reconstruct the unified kernel and userland stack traces [1]. Add a
> tracepoint on the SELinux denials which can then be used by userland
> (i.e. perf).
>
> Although this patch could manually be added by each OS developer to
> trouble shoot a denial, adding it to the kernel streamlines the
> developers workflow.
>
> It is possible to use perf for monitoring the event:
> # perf record -e avc:selinux_audited -g -a
> ^C
> # perf report -g
> [...]
> 6.40% 6.40% audited=800000 tclass=4
> |
> __libc_start_main
> |
> |--4.60%--__GI___ioctl
> | entry_SYSCALL_64
> | do_syscall_64
> | __x64_sys_ioctl
> | ksys_ioctl
> | binder_ioctl
> | binder_set_nice
> | can_nice
> | capable
> | security_capable
> | cred_has_capability.isra.0
> | slow_avc_audit
> | common_lsm_audit
> | avc_audit_post_callback
> | avc_audit_post_callback
> |
>
> It is also possible to use the ftrace interface:
> # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable
> # cat /sys/kernel/debug/tracing/trace
> tracer: nop
> entries-in-buffer/entries-written: 1/1 #P:8
> [...]
> dmesg-3624 [001] 13072.325358: selinux_denied: audited=800000 tclass=4
>
> The tclass value can be mapped to a class by searching
> security/selinux/flask.h. The audited value is a bit field of the
> permissions described in security/selinux/av_permissions.h for the
> corresponding class.
>
> [1] https://source.android.com/devices/tech/debug/native_stack_dump
>
> Signed-off-by: Thiébaud Weksteen <tweek@...gle.com>
> Suggested-by: Joel Fernandes <joelaf@...gle.com>
> Reviewed-by: Peter Enderborg <peter.enderborg@...y.com>
> ---
> MAINTAINERS | 1 +
> include/trace/events/avc.h | 37 +++++++++++++++++++++++++++++++++++++
> security/selinux/avc.c | 5 +++++
> 3 files changed, 43 insertions(+)
> create mode 100644 include/trace/events/avc.h
Merged into selinux/next, thanks!
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists