From: Thiébaud Weksteen
Date: Tue, 28 Jul 2020 18:02:07 +0200
Subject: Re: [PATCH] selinux: add tracepoint on denials
To: Paul Moore
Cc: Steven Rostedt, Stephen Smalley, Nick Kralevich, Joel Fernandes, Eric Paris, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, linux-kernel, SElinux list
References: <20200724091520.880211-1-tweek@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 28, 2020 at 5:12 PM Paul Moore wrote:
> Perhaps it would be helpful if you provided an example of how one
> would be expected to use this new tracepoint? That would help put
> things in the proper perspective.

The best example is the one I provided in the commit message, that is
using perf (or a perf equivalent), to hook onto that tracepoint.

> Well, to be honest, the very nature of this tracepoint is duplicating
> the AVC audit record with a focus on using perf to establish a full
> backtrace at the expense of reduced information. At least that is how
> it appears to me.

I see both methods as complementary.
By default, the kernel itself can do some reporting (i.e. avc message)
on which process triggered the denial, what was the context, etc. This
is useful even in production and doesn't require any extra tooling.
The case for adding this tracepoint can be seen as advanced debugging.
That is, once an avc denial has been confirmed, a developer can use
this tracepoint to surface the userland stacktrace. It requires more
userland tools and symbols on the userland binaries.