path: root/security/selinux
diff options
authorThiƩbaud Weksteen <>2020-08-21 16:08:21 +0200
committerPaul Moore <>2020-08-21 17:05:22 -0400
commitdd8166212d9a2eca3181567c953d5687aea4d7dc (patch)
tree8e5bbcd78580c50a5bd50e238073a7ad655eb040 /security/selinux
parent0eea6091539b15572cd278b8d62893c058bdb292 (diff)
selinux: add tracepoint on audited events
The audit data currently captures which process and which target is responsible for a denial. There is no data on where exactly in the process that call occurred. Debugging can be made easier by being able to reconstruct the unified kernel and userland stack traces [1]. Add a tracepoint on the SELinux denials which can then be used by userland (i.e. perf). Although this patch could manually be added by each OS developer to trouble shoot a denial, adding it to the kernel streamlines the developers workflow. It is possible to use perf for monitoring the event: # perf record -e avc:selinux_audited -g -a ^C # perf report -g [...] 6.40% 6.40% audited=800000 tclass=4 | __libc_start_main | |--4.60%--__GI___ioctl | entry_SYSCALL_64 | do_syscall_64 | __x64_sys_ioctl | ksys_ioctl | binder_ioctl | binder_set_nice | can_nice | capable | security_capable | cred_has_capability.isra.0 | slow_avc_audit | common_lsm_audit | avc_audit_post_callback | avc_audit_post_callback | It is also possible to use the ftrace interface: # echo 1 > /sys/kernel/debug/tracing/events/avc/selinux_audited/enable # cat /sys/kernel/debug/tracing/trace tracer: nop entries-in-buffer/entries-written: 1/1 #P:8 [...] dmesg-3624 [001] 13072.325358: selinux_denied: audited=800000 tclass=4 The tclass value can be mapped to a class by searching security/selinux/flask.h. The audited value is a bit field of the permissions described in security/selinux/av_permissions.h for the corresponding class. [1] Signed-off-by: ThiƩbaud Weksteen <> Suggested-by: Joel Fernandes <> Reviewed-by: Peter Enderborg <> Acked-by: Stephen Smalley <> Signed-off-by: Paul Moore <>
Diffstat (limited to 'security/selinux')
1 files changed, 5 insertions, 0 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index d18cb32a242a..b0a0af778b70 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -31,6 +31,9 @@
#include "avc_ss.h"
#include "classmap.h"
+#include <trace/events/avc.h>
#define AVC_CACHE_SLOTS 512
@@ -706,6 +709,8 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
u32 scontext_len;
int rc;
+ trace_selinux_audited(sad);
rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
if (rc)