Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp1738648ybg; Thu, 30 Jul 2020 01:04:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzKDiRJCK+cxZobhgIZLrRuAuwNcwKa4SNwEHYnrRRxqEuQWENxRqZFxYJ2KuQh1Hg1KEb5 X-Received: by 2002:a17:906:7250:: with SMTP id n16mr1545729ejk.290.1596096255755; Thu, 30 Jul 2020 01:04:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596096255; cv=none; d=google.com; s=arc-20160816; b=oHIM3nem8caUU51ByU/+YCv1RBnamfe5pRmk6THF/QEkw1wlNbWzi5WfsOA2VVz57T rWB3jc3nc5LWiXqyoA1Nyb470wSc6NM4p3EQB2u7cUGpglCRAIcqVnei0ppn2diQwfEI ldTt3mCBaeXWZeX4SL5LlgkjHKB5/4bKR9c0KRpfV08CwfNQz1Dl1oPNd58ShxdEP9Si 7EQw3oL/KZy8CqdORoLJMOr/QTAy/GhV0bbJ16RJ57/Sqfb1ZKCqegmUh2JiOfKPdhSA +X6zUDhbEphyA7S6swyloCXyxBhh5ujT6PXh8QXHI4RuT94paH2kROKeZCsGsCF6FSdS rDrg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=mQ1hrAk6FKstoe7Pi8aPaf4SufAhHFsHXjsPvIjZtTo=; b=pBFthdDpnHZPUUiqkb7zfokmgLMrlV5v0WQKiCpbmfWHtJIfruVDqP+z5UB8dmAUWz NxlcZjEqapOe4n0b9qg8QEM1ainBgebPSzlngHWm6XjqGMTy8ZtluF/tJ5TxuS4uygkz 6gkgI2x6+7LxI5RKPuXESFnEV9GMfZArkFGjCjgBgagpfTgs08OMX4ZYl1bUQCh1R6i3 vIZG9qy7KD4XWA14gzr/lZYBXRwXpI6RzyHnRRFKefHF3yIz8GHprpWCpFr0azVKq46y fgjNtYc3qVk3sxk2zXjHBurxFF9CJU5M+vMcYKMbZv2es87YibXet0G7/eT4nfR+umcf hSUA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sony.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w4si2904169edi.438.2020.07.30.01.03.52; Thu, 30 Jul 2020 01:04:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sony.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728896AbgG3IDq convert rfc822-to-8bit (ORCPT + 99 others); Thu, 30 Jul 2020 04:03:46 -0400 Received: from seldsegrel01.sonyericsson.com ([37.139.156.29]:17539 "EHLO SELDSEGREL01.sonyericsson.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725892AbgG3IDp (ORCPT ); Thu, 30 Jul 2020 04:03:45 -0400 Subject: Re: [PATCH] selinux: add tracepoint on denials To: =?UTF-8?Q?Thi=c3=a9baud_Weksteen?= , Paul Moore CC: Steven Rostedt , Stephen Smalley , Nick Kralevich , Joel Fernandes , Eric Paris , Ingo Molnar , Mauro Carvalho Chehab , "David S. Miller" , Rob Herring , linux-kernel , SElinux list References: <20200724091520.880211-1-tweek@google.com> From: peter enderborg Message-ID: Date: Thu, 30 Jul 2020 10:03:41 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8BIT Content-Language: en-GB X-SEG-SpamProfiler-Analysis: v=2.3 cv=DrAoB13+ c=1 sm=1 tr=0 a=kIrCkORFHx6JeP9rmF/Kww==:117 a=IkcTkHD0fZMA:10 a=_RQrkK6FrEwA:10 a=xVhDTqbCAAAA:8 a=kSkFpLqy8y9c_-cfnwsA:9 a=QEXdDO2ut3YA:10 a=GrmWmAYt4dzCMttCBZOh:22 X-SEG-SpamProfiler-Score: 0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 7/28/20 6:02 PM, ThiƩbaud Weksteen wrote: > On Tue, Jul 28, 2020 at 5:12 PM Paul Moore wrote: >> Perhaps it would be helpful if you provided an example of how one >> would be expected to use this new tracepoint? That would help put >> things in the proper perspective. > The best example is the one I provided in the commit message, that is > using perf (or a perf equivalent), to hook onto that tracepoint. > >> Well, to be honest, the very nature of this tracepoint is duplicating >> the AVC audit record with a focus on using perf to establish a full >> backtrace at the expense of reduced information. At least that is how >> it appears to me. > I see both methods as complementary. By default, the kernel itself can > do some reporting (i.e avc message) on which process triggered the > denial, what was the context, etc. This is useful even in production > and doesn't require any extra tooling. > The case for adding this tracepoint can be seen as advanced debugging. > That is, once an avc denial has been confirmed, a developer can use > this tracepoint to surface the userland stacktrace. It requires more > userland tools and symbols on the userland binaries. I think from development view you would like to have a better way to trap this events in userspace. One idea that I have is is to have more outcomes from a rule. We have today allow, dontaudit, auditallow i think it would be good to have signal sent too. "signal-xxx-allow" for some set of signals. SIGBUS, SIGSEGV, SIGABRT maybe. That will be a good way to pickup the problem with a debugger or generate a a core file. I have also done some selinux trace functions. I think they collide with this set, but I think I can rebase them upon yours and see if they give some more functionality. I see this functionality very much needed in some form.