From: Stephen Smalley
Date: Thu, 6 Aug 2020 09:49:47 -0400
Subject: Re: [PATCH 2/2] selinux: add attributes to avc tracepoint
In-Reply-To: <07e2c48d-3918-6ceb-a6b2-4e2f18f9ea01@gmail.com>
References: <20200806080358.3124505-1-tweek@google.com> <20200806080358.3124505-2-tweek@google.com> <89d23362-39b9-79e5-84f1-d7b89204ef38@gmail.com> <8627d780-0e19-6755-0de5-c686deb0f5de@sony.com> <971592b6-5d5f-05d8-d243-b521fe65577d@gmail.com> <07e2c48d-3918-6ceb-a6b2-4e2f18f9ea01@gmail.com>
To: peter enderborg, Thiébaud Weksteen, Paul Moore
Cc: Nick Kralevich, Eric Paris, Steven Rostedt, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, Arnd Bergmann, linux-kernel, SElinux list
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Aug 6, 2020 at 9:45 AM Stephen Smalley wrote:
>
> On 8/6/20 8:32 AM, Stephen Smalley wrote:
>
> > On 8/6/20 8:24 AM, peter enderborg wrote:
> >
> >> On 8/6/20 2:11 PM, Stephen Smalley wrote:
> >>> On 8/6/20 4:03 AM, Thiébaud Weksteen wrote:
> >>>
> >>>> From: Peter Enderborg
> >>>>
> >>>> Add further attributes to filter the trace events from AVC.
> >>> Please include sample usage and output in the description.
> >>>
> >>>
> >> I'm not sure where you want it to be.
> >>
> >> In the commit message or in a Documentation/trace/events-avc.rst ?
> >
> > I was just asking for it in the commit message / patch description. I
> > don't know what is typical for Documentation/trace.
>
> For example, I just took the patches for a spin, running the
> selinux-testsuite under perf like so:
>
> sudo perf record -e avc:selinux_audited -g make test
>
> and then ran:
>
> sudo perf report -g
>
> and a snippet of sample output included:
>
> 6.40% 6.40% requested=0x800000 denied=0x800000
> audited=0x800000 result=-13 ssid=922 tsid=922
> scontext=unconfined_u:unconfined_r:test_binder_mgr_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:test_binder_mgr_t:s0-s0:c0.c1023
> tclass=capability
> |
> ---0x495641000028933d
> __libc_start_main
> |
> |--4.60%--__GI___ioctl
> | entry_SYSCALL_64
> | do_syscall_64
> | __x64_sys_ioctl
> | ksys_ioctl
> | binder_ioctl
> | binder_set_nice
> | can_nice
> | capable
> | security_capable
> | cred_has_capability.isra.0
> | slow_avc_audit
> | common_lsm_audit
> | avc_audit_post_callback
> | avc_audit_post_callback

So then the question becomes how do you use the above information, e.g. is that sufficient to correlate it to an actual avc: denied message, how do you decode the requested/denied/audited fields (or should the code do that for you and just report the string name(s) of the permission(s)), do you need all three of those fields separately, is it useful to log the ssid/tsid at all given that you have the contexts and sids are dynamically assigned, etc.
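The decoding question raised above (how to turn the requested/denied/audited bitmasks back into permission names and line them up with an avc: denied audit record), worked through as an added example. This is editor-written code, not part of the thread or of the patch under review. It assumes the key=value field layout shown in the quoted perf report line and uses the capability-class permission order from the kernel's security/selinux/include/classmap.h, where bit i of the access vector is permission i and matches the CAP_* number; that is why 0x800000 (bit 23) resolves to sys_nice, consistent with the binder_set_nice -> can_nice -> capable path in the quoted call chain. Only the capability class is tabled; any other class would take its permission list from classmap.h the same way.

```python
import re

# Permission names of the SELinux "capability" object class, in the order the
# kernel lists them in security/selinux/include/classmap.h (common_cap_perms).
# Bit i of a capability-class access vector is permission i, which is also the
# CAP_* number from include/uapi/linux/capability.h (CAP_SYS_NICE == 23).
CAPABILITY_PERMS = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap",
]

# Only the class that appears in the thread is tabled here (assumption: other
# classes would be added from classmap.h in the same bit order).
PERM_TABLES = {"capability": CAPABILITY_PERMS}

# Constructed sample: the perf report line quoted in the thread, joined onto one
# line. perf prefixes the tracepoint fields with its percentage columns.
SAMPLE = (
    "6.40% 6.40% requested=0x800000 denied=0x800000 audited=0x800000 "
    "result=-13 ssid=922 tsid=922 "
    "scontext=unconfined_u:unconfined_r:test_binder_mgr_t:s0-s0:c0.c1023 "
    "tcontext=unconfined_u:unconfined_r:test_binder_mgr_t:s0-s0:c0.c1023 "
    "tclass=capability"
)

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return the key=value fields of one avc:selinux_audited sample as a dict."""
    return dict(FIELD_RE.findall(line))


def decode_av(av, tclass):
    """Expand an access-vector bitmask into permission names for tclass.

    Bits beyond the known table are reported as 'bitN' rather than dropped, so
    a kernel/table mismatch shows up instead of being silently hidden.
    """
    names = PERM_TABLES.get(tclass)
    if names is None:
        raise ValueError(f"no permission table for class {tclass!r}")
    return [
        names[i] if i < len(names) else f"bit{i}"
        for i in range(av.bit_length())
        if (av >> i) & 1
    ]


def describe(line):
    """Decode one sample into the pieces an 'avc: denied' audit record carries.

    The summary reproduces the permission-set and context/class portion of the
    audit-log line ('avc: denied { perm } ... scontext=... tcontext=...
    tclass=...'); the real record also carries pid/comm between them.
    """
    ev = parse_event(line)
    tclass = ev["tclass"]
    fields = {k: decode_av(int(ev[k], 16), tclass)
              for k in ("requested", "denied", "audited")}
    # result is the errno-style return value of the access check; -13 is -EACCES.
    verdict = "denied" if int(ev["result"]) != 0 else "granted"
    perms = fields["denied"] or fields["requested"]
    summary = (
        f"avc: {verdict} {{ {' '.join(perms)} }} "
        f"scontext={ev['scontext']} tcontext={ev['tcontext']} tclass={tclass}"
    )
    return {**fields, "result": int(ev["result"]), "summary": summary}


if __name__ == "__main__":
    print(describe(SAMPLE)["summary"])
```

Run against the sample line this prints "avc: denied { sys_nice } scontext=... tcontext=... tclass=capability", which is the string to grep for in the audit log. ssid/tsid are parsed but unused: the contexts already identify both ends, and a numeric SID is only meaningful within one boot of one kernel.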