Re: [PATCH] selinux: add tracepoint on denials

From: Steven Rostedt
Date: Fri Jul 24 2020 - 09:52:37 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH v2 05/29] memory: jz4780-nemc: Do not enable by default on every compile test"
Previous message: Arnd Bergmann: "Re: [PATCH v2 00/29] *memory: Cleanup, improve and compile test memory drivers"
In reply to: peter enderborg: "Re: [PATCH] selinux: add tracepoint on denials"
Next in thread: peter enderborg: "[PATCH] RFC: selinux avc trace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 24 Jul 2020 11:15:03 +0200
"ThiÃbaud Weksteen" <tweek@xxxxxxxxxx> wrote:
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index d18cb32a242a..85d2e22ab656 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -31,6 +31,9 @@
> #include "avc_ss.h"
> #include "classmap.h"
>
> +#define CREATE_TRACE_POINTS
> +#include <trace/events/selinux.h>
> +
> #define AVC_CACHE_SLOTS 512
> #define AVC_DEF_CACHE_THRESHOLD 512
> #define AVC_CACHE_RECLAIM 16
> @@ -672,6 +675,9 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
> return;
> }
>
> + if (sad->denied)

First, I would like to deny sadness as well ;-)

Now, there is a way to add that branch within the "nop" area of the
trace event, and remove the conditional branch from the main code.

> + trace_selinux_denied(sad->tclass, av);
> +

Instead have this:

trace_selinux_denied(sad, av);

> perms = secclass_map[sad->tclass-1].perms;
>
> audit_log_format(ab, " {");

> --- /dev/null
> +++ b/include/trace/events/selinux.h
> @@ -0,0 +1,35 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#undef TRACE_SYSTEM
> +#define TRACE_SYSTEM selinux
> +
> +#if !defined(_TRACE_SELINUX_H) || defined(TRACE_HEADER_MULTI_READ)
> +#define _TRACE_SELINUX_H
> +
> +#include <linux/ktime.h>
> +#include <linux/tracepoint.h>
> +
> +TRACE_EVENT(selinux_denied,

TRACE_EVENT_CONDITION(selinux_denied,

> +
> + TP_PROTO(int cls, int av),

TP_PROTO(struct selinux_audit_data sad, int av)

> +
> + TP_ARGS(cls, av),
> +

TP_CONDITION(sad->denied),

The above condition will be tested before calling the tracepoint. But
only if the trace event is enabled.

> + TP_STRUCT__entry(
> + __field(int, cls)
> + __field(int, av)
> + ),
> +
> + TP_fast_assign(
> + __entry->cls = cls;

__entry->cls = sad->tclass;

> + __entry->av = av;
> + ),
> +
> + TP_printk("denied %d %d",
> + __entry->cls,
> + __entry->av)
> +);
> +
> +#endif
> +
> +/* This part must be outside protection */
> +#include <trace/define_trace.h>

-- Steve

Next message: Krzysztof Kozlowski: "Re: [PATCH v2 05/29] memory: jz4780-nemc: Do not enable by default on every compile test"
Previous message: Arnd Bergmann: "Re: [PATCH v2 00/29] *memory: Cleanup, improve and compile test memory drivers"
In reply to: peter enderborg: "Re: [PATCH] selinux: add tracepoint on denials"
Next in thread: peter enderborg: "[PATCH] RFC: selinux avc trace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]