Subject: Re: [PATCH v2 2/2] selinux: add basic filtering for audit trace events
From: peter enderborg
To: Stephen Smalley, Casey Schaufler, Thiébaud Weksteen, Paul Moore
CC: Nick Kralevich, Eric Paris, Steven Rostedt, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, Arnd Bergmann
Date: Thu, 13 Aug 2020 19:14:10 +0200
Message-ID: <1b40226f-d182-7ba7-a6f6-15520c3e3516@sony.com>
References: <20200813144914.737306-1-tweek@google.com> <20200813144914.737306-2-tweek@google.com> <02c193e4-008a-5c3d-75e8-9be7bbcb941c@schaufler-ca.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 8/13/20 5:49 PM, Stephen Smalley wrote:
> On 8/13/20 11:35 AM, peter enderborg wrote:
>
>> On 8/13/20 5:05 PM, Casey Schaufler wrote:
>>> On 8/13/2020 7:48 AM, Thiébaud Weksteen wrote:
>>>> From: Peter Enderborg
>>>>
>>>> This patch adds further attributes to the event. These attributes are
>>>> helpful to understand the context of the message and can be used
>>>> to filter the events.
>>>>
>>>> There are three common items. Source context, target context and tclass.
>>>> There are also items from the outcome of operation performed.
>>>>
>>>> An event is similar to:
>>>>             <...>-1309  [002] ....  6346.691689: selinux_audited:
>>>>         requested=0x4000000 denied=0x4000000 audited=0x4000000
>>>>         result=-13 ssid=315 tsid=61
>>> It may not be my place to ask, but *please please please* don't
>>> externalize secids. I understand that it's easier to type "42"
>>> than "system_r:cupsd_t:s0-s0:c0.c1023", and that it's easier for
>>> your tools to parse and store the number. Once you start training
>>> people that system_r:cupsd_t:s0-s0:c0.c1023 is secid 42 you'll
>>> never be able to change it. The secid will start showing up in
>>> scripts. Bad Things Will Happen.
>> Ok, it seems to be mostly against having this performance option.
>> Yes, it is kernel-internal data. So is most of the kernel tracing.
>> I see it as a primary tool for kernel debugging, but it can also be
>> used for user-space debugging tools. Hiding data from debuggers
>> does not make any sense to me.
>
> To be clear, userspace tools can't use fixed secid values because secids are dynamically assigned by SELinux and thus secid 42 need not correspond to the same security context across different boots even with the same kernel and policy. I wouldn't include them in the event unless it is common practice to include fields that can only be interpreted if you can debug the running kernel. It would be akin to including kernel pointers in the event (albeit without the KASLR ramifications).
>

Just as a reference, on my Fedora system, out of 1808 events 244 are pointer prints. I don't see that there is any obfuscating aka "%pK" as there is for logs.
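Added example, not code from the patch, the kernel or anyone in this thread: a small Python parser for the selinux_audited ftrace line in the layout quoted in the commit message above, with a filter that works on the stable fields (requested/denied/audited/result) and refuses a filter keyed on ssid or tsid, for the reason Casey and Stephen give: a secid is assigned at runtime and the same context can get a different number on the next boot. Only the first sample line comes from the quoted commit message (re-joined onto one line, as it sits in the trace buffer); the other two sample lines are constructed, and the field names are taken from the v2 event as shown, not from the merged kernel.

```python
"""Parse and filter `selinux_audited` ftrace lines.

Added example for this thread; not code from the patch or the kernel.
The line layout follows the quoted commit message. Only the first
SAMPLE_TRACE entry comes from the page; the other two are constructed.
"""
import re
from typing import Dict, Iterable, Iterator, List, Union

Value = Union[int, str]

# Secids are handed out dynamically by the running kernel and are not
# stable across boots, so a script must never filter on them.
BOOT_LOCAL_FIELDS = frozenset({"ssid", "tsid"})

_LINE_RE = re.compile(
    r"^\s*(?P<comm>.*?)-(?P<pid>\d+)\s+"   # task name and pid
    r"\[(?P<cpu>\d+)\]\s+"                 # cpu number
    r"(?P<flags>\S+)\s+"                   # irq/preempt flag column
    r"(?P<ts>\d+\.\d+):\s+"                # timestamp in seconds
    r"(?P<event>\w+):\s*"                  # event name
    r"(?P<fields>.*)$"                     # key=value payload
)


def _parse_value(raw: str) -> Value:
    """Decode a payload value: 0x-prefixed hex or signed decimal, else raw text."""
    try:
        return int(raw, 0)
    except ValueError:
        return raw


def parse_trace_line(line: str) -> Dict[str, Value]:
    """Split one ftrace line into its header columns plus the key=value payload."""
    m = _LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not an ftrace event line: {line!r}")
    ev: Dict[str, Value] = {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "cpu": int(m.group("cpu")),
        "flags": m.group("flags"),
        "ts": m.group("ts"),
        "event": m.group("event"),
    }
    for token in m.group("fields").split():
        key, sep, raw = token.partition("=")
        if not sep:
            raise ValueError(f"malformed field {token!r} in {line!r}")
        ev[key] = _parse_value(raw)
    return ev


def filter_events(lines: Iterable[str], **where: Value) -> Iterator[Dict[str, Value]]:
    """Yield selinux_audited events whose fields equal every key=value in `where`.

    A filter on ssid/tsid is rejected outright: the same context may carry a
    different secid after a reboot, so such a filter would silently stop matching.
    """
    boot_local = BOOT_LOCAL_FIELDS & set(where)
    if boot_local:
        raise ValueError(f"refusing to filter on boot-local field(s): {sorted(boot_local)}")
    for line in lines:
        if not line.strip():
            continue
        ev = parse_trace_line(line)
        if ev["event"] != "selinux_audited":
            continue
        if all(ev.get(k) == v for k, v in where.items()):
            yield ev


SAMPLE_TRACE = [
    # From the quoted commit message, re-joined onto one line.
    "<...>-1309  [002] ....  6346.691689: selinux_audited: "
    "requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 ssid=315 tsid=61",
    # Constructed lines: one granted access and one further denial.
    "sshd-742  [000] ....  6347.000123: selinux_audited: "
    "requested=0x2 denied=0x0 audited=0x2 result=0 ssid=315 tsid=99",
    "cupsd-2210  [001] ....  6350.250000: selinux_audited: "
    "requested=0x8 denied=0x8 audited=0x8 result=-13 ssid=402 tsid=61",
]


def denied_pids(lines: Iterable[str] = SAMPLE_TRACE) -> List[int]:
    """Pids of tasks whose access was denied (result == -13, i.e. -EACCES)."""
    return [int(ev["pid"]) for ev in filter_events(lines, result=-13)]


def rejects_secid_filter(lines: Iterable[str] = SAMPLE_TRACE) -> bool:
    """True if filter_events refuses a filter keyed on a secid."""
    try:
        list(filter_events(lines, ssid=315))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_TRACE, result=-13):
        print(ev["comm"], ev["pid"], hex(int(ev["denied"])), ev["ssid"], ev["tsid"])
```

The parser keeps ssid/tsid in the parsed event so a kernel developer reading a live trace can still see them; the refusal is only in the filter, which is the part that ends up in scripts. The access-vector bits in requested/denied/audited are class-specific, so decoding them would need the tclass field the thread mentions and is not attempted here.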