From patchwork Fri Aug 21 14:08:21 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Thi=C3=A9baud_Weksteen?= X-Patchwork-Id: 11729547 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BC452138C for ; Fri, 21 Aug 2020 14:09:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A037820FC3 for ; Fri, 21 Aug 2020 14:09:23 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=google.com header.i=@google.com header.b="EU+fJH0P" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727966AbgHUOJR (ORCPT ); Fri, 21 Aug 2020 10:09:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41232 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727931AbgHUOJO (ORCPT ); Fri, 21 Aug 2020 10:09:14 -0400 Received: from mail-ej1-x64a.google.com (mail-ej1-x64a.google.com [IPv6:2a00:1450:4864:20::64a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5F400C061574 for ; Fri, 21 Aug 2020 07:09:14 -0700 (PDT) Received: by mail-ej1-x64a.google.com with SMTP id n12so792422ejz.6 for ; Fri, 21 Aug 2020 07:09:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=sender:date:in-reply-to:message-id:mime-version:references:subject :from:to:cc:content-transfer-encoding; bh=WbkBQ4+3z/Ot6sbqqq8NLsjBfrTpm7bxNJKwF4zPNxs=; b=EU+fJH0P2XOsXa2F3Nzicvv6xCPoAKfudHYonTUsulkHtN42K6PJ8CGEH/iwXcYdh/ NsiSjQrdSMeLPWAlcODAwVY6KS9rOgo78reUXgPm+Ps5R6kDglPyp282hLGbpvAiS3lk wXN5GJmY9vvmENFW3T/SWgRTFd+GgOyWXsuy9SQZQyLB447hy4yUHKefFPyBZIXXn1Ob 82Fx+T1IEvjfZVSEp1jVgrq9koBj0/wsq/Synd7JWYQMF1cPvAlN4xvISeXFiY8tjf/4 w+M5EeJpDD2QjjOWRsQ4WX7KJKoy8ZXxr5tydVAjhnqcHetxbMAX9ioGNW2OHyLYuJkO WtjA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc:content-transfer-encoding; bh=WbkBQ4+3z/Ot6sbqqq8NLsjBfrTpm7bxNJKwF4zPNxs=; b=AAv6c1pZ3aWxZFiTAonlAvi+52TA3OGAuE+7FgX441CKkkXZmpfvUsFk9gl9+geF80 3qXMW3XN4mWV7kzgSHLYJDvCgCequa1t4ybGEZhlyDZn7yI6XEtEDYT2wlrecFKScGED +AfiBfJDhB34w/Evkmkg7mV2P8BoJFfdvuLe208k1TFmt5pF71CVB0ENnxbA8EsHSX0f E/3oxSoAJ7zRTxfT6ffXsnpphXTcwxAiyG6b+dwmtABk5ll5mT4bie58pIxSwETnm/HN cxQUXxenWBB+hUHM+HRHu82NWG9XWWRLoDqdfP6QRK34OkrMjQo32Tkt4eEXgl2GZtx4 eSWQ== X-Gm-Message-State: AOAM532iud6w267f6dYkWMhDACVD3q6MPXePp+n0EfBIUwI61OC+4qPH PbCsIYb1WihKKQHCg984Sp1zn6pFqA== X-Google-Smtp-Source: ABdhPJycYwIlgR1/3MQcUQpCA/jvMjkw1ymd9AtU6+k+l7ChKK3QeTYfeyDAta7wOHPvSUFI+S+KmQmAxQ== X-Received: from tweek1.zrh.corp.google.com ([2a00:79e0:61:100:f693:9fff:fef4:a93d]) (user=tweek job=sendgmr) by 2002:a17:906:c1d7:: with SMTP id bw23mr3089611ejb.315.1598018951604; Fri, 21 Aug 2020 07:09:11 -0700 (PDT) Date: Fri, 21 Aug 2020 16:08:21 +0200 In-Reply-To: <20200821140836.3707282-1-tweek@google.com> Message-Id: <20200821140836.3707282-2-tweek@google.com> Mime-Version: 1.0 References: <20200821140836.3707282-1-tweek@google.com> X-Mailer: git-send-email 2.28.0.297.g1956fa8f8d-goog Subject: [PATCH v4 1/2] selinux: add tracepoint on audited events From: " =?utf-8?q?Thi=C3=A9baud_Weksteen?= " To: Paul Moore Cc: Nick Kralevich , " =?utf-8?q?Thi=C3=A9baud_Weksteen?= " , Joel Fernandes , Peter Enderborg , Stephen Smalley , Eric Paris , Steven Rostedt , Ingo Molnar , Mauro Carvalho Chehab , "David S. Miller" , Rob Herring , linux-kernel@vger.kernel.org, selinux@vger.kernel.org Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org The audit data currently captures which process and which target is responsible for a denial. There is no data on where exactly in the process that call occurred. Debugging can be made easier by being able to reconstruct the unified kernel and userland stack traces [1]. Add a tracepoint on the SELinux denials which can then be used by userland (i.e. perf). Although this patch could manually be added by each OS developer to trouble shoot a denial, adding it to the kernel streamlines the developers workflow. It is possible to use perf for monitoring the event: # perf record -e avc:selinux_audited -g -a ^C # perf report -g [...] 6.40% 6.40% audited=800000 tclass=4 | __libc_start_main | |--4.60%--__GI___ioctl | entry_SYSCALL_64 | do_syscall_64 | __x64_sys_ioctl | ksys_ioctl | binder_ioctl | binder_set_nice | can_nice | capable | security_capable | cred_has_capability.isra.0 | slow_avc_audit | common_lsm_audit | avc_audit_post_callback | avc_audit_post_callback | It is also possible to use the ftrace interface: # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable # cat /sys/kernel/debug/tracing/trace tracer: nop entries-in-buffer/entries-written: 1/1 #P:8 [...] dmesg-3624 [001] 13072.325358: selinux_denied: audited=800000 tclass=4 The tclass value can be mapped to a class by searching security/selinux/flask.h. The audited value is a bit field of the permissions described in security/selinux/av_permissions.h for the corresponding class. [1] https://source.android.com/devices/tech/debug/native_stack_dump Signed-off-by: Thiébaud Weksteen Suggested-by: Joel Fernandes Reviewed-by: Peter Enderborg Acked-by: Stephen Smalley --- MAINTAINERS | 1 + include/trace/events/avc.h | 37 +++++++++++++++++++++++++++++++++++++ security/selinux/avc.c | 5 +++++ 3 files changed, 43 insertions(+) create mode 100644 include/trace/events/avc.h diff --git a/MAINTAINERS b/MAINTAINERS index c8e8232c65da..0efaea0e144c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -15426,6 +15426,7 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git F: Documentation/ABI/obsolete/sysfs-selinux-checkreqprot F: Documentation/ABI/obsolete/sysfs-selinux-disable F: Documentation/admin-guide/LSM/SELinux.rst +F: include/trace/events/avc.h F: include/uapi/linux/selinux_netlink.h F: scripts/selinux/ F: security/selinux/ diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h new file mode 100644 index 000000000000..07c058a9bbcd --- /dev/null +++ b/include/trace/events/avc.h @@ -0,0 +1,37 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Author: Thiébaud Weksteen + */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM avc + +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_SELINUX_H + +#include + +TRACE_EVENT(selinux_audited, + + TP_PROTO(struct selinux_audit_data *sad), + + TP_ARGS(sad), + + TP_STRUCT__entry( + __field(unsigned int, tclass) + __field(unsigned int, audited) + ), + + TP_fast_assign( + __entry->tclass = sad->tclass; + __entry->audited = sad->audited; + ), + + TP_printk("tclass=%u audited=%x", + __entry->tclass, + __entry->audited) +); + +#endif + +/* This part must be outside protection */ +#include diff --git a/security/selinux/avc.c b/security/selinux/avc.c index d18cb32a242a..b0a0af778b70 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -31,6 +31,9 @@ #include "avc_ss.h" #include "classmap.h" +#define CREATE_TRACE_POINTS +#include + #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_RECLAIM 16 @@ -706,6 +709,8 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) u32 scontext_len; int rc; + trace_selinux_audited(sad); + rc = security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len); if (rc) From patchwork Fri Aug 21 14:08:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Thi=C3=A9baud_Weksteen?= X-Patchwork-Id: 11729551 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 192B1618 for ; Fri, 21 Aug 2020 14:09:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EF6B42224D for ; Fri, 21 Aug 2020 14:09:33 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=google.com header.i=@google.com header.b="Mf3mggQS" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726988AbgHUOJc (ORCPT ); Fri, 21 Aug 2020 10:09:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41276 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725948AbgHUOJa (ORCPT ); Fri, 21 Aug 2020 10:09:30 -0400 Received: from mail-qv1-xf49.google.com (mail-qv1-xf49.google.com [IPv6:2607:f8b0:4864:20::f49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8CCD9C061573 for ; Fri, 21 Aug 2020 07:09:30 -0700 (PDT) Received: by mail-qv1-xf49.google.com with SMTP id r12so1266695qvx.20 for ; Fri, 21 Aug 2020 07:09:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=sender:date:in-reply-to:message-id:mime-version:references:subject :from:to:cc:content-transfer-encoding; bh=mzo3bIF9byNcf8Gl3Pbcb+/Bpb29k89cyN2k9ceMpns=; b=Mf3mggQSdrKDPQsBOH3gtsZfBGpO7r2dOWChft5esXAiYIk71TfGMpcC1TCoQ5kdL3 Op+SYLRW/DYec87S/OfuzthKqPSbHbwkY7/xX35cdw5NicfZxX3W420OYz1Yl6GsQ/Hi uznY+jbWpq2gism8plh7pyaNm1UqnVcXHiw6bjHSE8rZel2fT7qtKMxM0o1N8S71IF3E N/NkbOEw4JszPGNpDW7b4pXxT4PfifBYPhDRFo5wAzf1tJWAxkiZrrsfQ3pR5WFkwuzL TpFQNtzg8OAlcxUkLtgxq2eJVWAoz+zVRNDBXHe8HE8ajCLbqIpHcH8N/cEtP6djOe+s S3Og== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc:content-transfer-encoding; bh=mzo3bIF9byNcf8Gl3Pbcb+/Bpb29k89cyN2k9ceMpns=; b=OtuovXdCJ5HCg9Y8N61ug44RQNy/pc4qbZZK0mbt/8i9DTMREmQibLL8kPWby/R+wo 9V7LP6vUpYbHrQuEGWgLik1uD5VnrkgvLVjZdDDS+zCGkhXYb/fAEGKdVQb1jkWDoGgN cOK/oz6J3U/WNqaPKVEL7NZahiwJGmxPCBxRS+ph+29uo37GPwuprm+rSQTkI3F42YR1 0c8+wQS8t/XwYUMqlcQqpr/ZZYOm6PQ7GwrIROeYsSX5JNy0rDC3kndBLFnyr2tdPzHV yowBJB3d6PC9i79oqXKvFGQuLdtj6m8mpUjgjML66pinh8tlO/Y/9DWKtKLCcodvEZ/l m6Bg== X-Gm-Message-State: AOAM531/gYTM54jDeamluvULeXqkcE4TnJnsFhke7MKG0fxU7mHjGmjK H1kKZit68YQl5GE1piqO8we37g2ZUA== X-Google-Smtp-Source: ABdhPJw2BTayen9+uqtI4lTYdHFA2WP7YfwhIqjiHGCx2TASLNaM9o/7BLXGvmdngOMXzaMdSDzpjIdVzA== X-Received: from tweek1.zrh.corp.google.com ([2a00:79e0:61:100:f693:9fff:fef4:a93d]) (user=tweek job=sendgmr) by 2002:ad4:414b:: with SMTP id z11mr2433320qvp.116.1598018969628; Fri, 21 Aug 2020 07:09:29 -0700 (PDT) Date: Fri, 21 Aug 2020 16:08:22 +0200 In-Reply-To: <20200821140836.3707282-1-tweek@google.com> Message-Id: <20200821140836.3707282-3-tweek@google.com> Mime-Version: 1.0 References: <20200821140836.3707282-1-tweek@google.com> X-Mailer: git-send-email 2.28.0.297.g1956fa8f8d-goog Subject: [PATCH v4 2/2] selinux: add basic filtering for audit trace events From: " =?utf-8?q?Thi=C3=A9baud_Weksteen?= " To: Paul Moore Cc: Nick Kralevich , Peter Enderborg , " =?utf-8?q?Thi=C3=A9baud_Wekst?= =?utf-8?q?een?= " , Stephen Smalley , Eric Paris , Steven Rostedt , Ingo Molnar , Mauro Carvalho Chehab , "David S. Miller" , Rob Herring , linux-kernel@vger.kernel.org, selinux@vger.kernel.org Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org From: Peter Enderborg This patch adds further attributes to the event. These attributes are helpful to understand the context of the message and can be used to filter the events. There are three common items. Source context, target context and tclass. There are also items from the outcome of operation performed. An event is similar to: <...>-1309 [002] .... 6346.691689: selinux_audited: requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file With systems where many denials are occurring, it is useful to apply a filter. The filtering is a set of logic that is inserted with the filter file. Example: echo "tclass==\"file\" " > events/avc/selinux_audited/filter This adds that we only get tclass=file. The trace can also have extra properties. Adding the user stack can be done with echo 1 > options/userstacktrace Now the output will be runcon-1365 [003] .... 6960.955530: selinux_audited: requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file runcon-1365 [003] .... 6960.955560: => <00007f325b4ce45b> => <00005607093efa57> Signed-off-by: Peter Enderborg Reviewed-by: Thiébaud Weksteen Acked-by: Stephen Smalley --- include/trace/events/avc.h | 36 ++++++++++++++++++++++++++---------- security/selinux/avc.c | 28 +++++++++++++++------------- 2 files changed, 41 insertions(+), 23 deletions(-) diff --git a/include/trace/events/avc.h b/include/trace/events/avc.h index 07c058a9bbcd..b55fda2e0773 100644 --- a/include/trace/events/avc.h +++ b/include/trace/events/avc.h @@ -1,6 +1,7 @@ /* SPDX-License-Identifier: GPL-2.0 */ /* - * Author: Thiébaud Weksteen + * Authors: Thiébaud Weksteen + * Peter Enderborg */ #undef TRACE_SYSTEM #define TRACE_SYSTEM avc @@ -12,23 +13,38 @@ TRACE_EVENT(selinux_audited, - TP_PROTO(struct selinux_audit_data *sad), + TP_PROTO(struct selinux_audit_data *sad, + char *scontext, + char *tcontext, + const char *tclass + ), - TP_ARGS(sad), + TP_ARGS(sad, scontext, tcontext, tclass), TP_STRUCT__entry( - __field(unsigned int, tclass) - __field(unsigned int, audited) + __field(u32, requested) + __field(u32, denied) + __field(u32, audited) + __field(int, result) + __string(scontext, scontext) + __string(tcontext, tcontext) + __string(tclass, tclass) ), TP_fast_assign( - __entry->tclass = sad->tclass; - __entry->audited = sad->audited; + __entry->requested = sad->requested; + __entry->denied = sad->denied; + __entry->audited = sad->audited; + __entry->result = sad->result; + __assign_str(tcontext, tcontext); + __assign_str(scontext, scontext); + __assign_str(tclass, tclass); ), - TP_printk("tclass=%u audited=%x", - __entry->tclass, - __entry->audited) + TP_printk("requested=0x%x denied=0x%x audited=0x%x result=%d scontext=%s tcontext=%s tclass=%s", + __entry->requested, __entry->denied, __entry->audited, __entry->result, + __get_str(scontext), __get_str(tcontext), __get_str(tclass) + ) ); #endif diff --git a/security/selinux/avc.c b/security/selinux/avc.c index b0a0af778b70..3c05827608b6 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -705,35 +705,37 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) { struct common_audit_data *ad = a; struct selinux_audit_data *sad = ad->selinux_audit_data; - char *scontext; + char *scontext = NULL; + char *tcontext = NULL; + const char *tclass = NULL; u32 scontext_len; + u32 tcontext_len; int rc; - trace_selinux_audited(sad); - rc = security_sid_to_context(sad->state, sad->ssid, &scontext, &scontext_len); if (rc) audit_log_format(ab, " ssid=%d", sad->ssid); - else { + else audit_log_format(ab, " scontext=%s", scontext); - kfree(scontext); - } - rc = security_sid_to_context(sad->state, sad->tsid, &scontext, - &scontext_len); + rc = security_sid_to_context(sad->state, sad->tsid, &tcontext, + &tcontext_len); if (rc) audit_log_format(ab, " tsid=%d", sad->tsid); - else { - audit_log_format(ab, " tcontext=%s", scontext); - kfree(scontext); - } + else + audit_log_format(ab, " tcontext=%s", tcontext); - audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name); + tclass = secclass_map[sad->tclass-1].name; + audit_log_format(ab, " tclass=%s", tclass); if (sad->denied) audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1); + trace_selinux_audited(sad, scontext, tcontext, tclass); + kfree(tcontext); + kfree(scontext); + /* in case of invalid context report also the actual context string */ rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext, &scontext_len);