Date: Thu, 13 Aug 2020 13:38:42 -0400
From: Steven Rostedt
To: peter enderborg
Cc: Stephen Smalley, Casey Schaufler, Thiébaud Weksteen, Paul Moore,
    Nick Kralevich, Eric Paris, Ingo Molnar, Mauro Carvalho Chehab,
    "David S. Miller", Rob Herring, Arnd Bergmann
Subject: Re: [PATCH v2 2/2] selinux: add basic filtering for audit trace events
Message-ID: <20200813133842.655aff65@oasis.local.home>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 13 Aug 2020 19:14:10 +0200
peter enderborg wrote:

> > To be clear, userspace tools can't use fixed secid values because
> > secids are dynamically assigned by SELinux and thus secid 42 need
> > not correspond to the same security context across different boots
> > even with the same kernel and policy. I wouldn't include them in
> > the event unless it is common practice to include fields that can
> > only be interpreted if you can debug the running kernel. It would
> > be akin to including kernel pointers in the event (albeit without
> > the KASLR ramifications).
> >
>
> Just as a reference on my fedora system; out of 1808 events 244 as a
> pointer print. I don't see that there is any obfuscating aka "%pK" as
> there is for logs. Which is a reason why tracefs is root only.

The "%p" gets obfuscated when printed from the trace file by default now.
But they are consistent (where the same pointer shows up as the same hash).

It's used mainly to map together events. For example, if you print the
address of a skb in the networking events, it's good to know what events
reference the same skb, and the pointer is used for that.

-- Steve
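
The correlation described in the reply above, as an added example that is not part of the original message or of the kernel tree: because a hashed "%p" value is the same wherever the same pointer is printed, trace lines can be grouped by their skbaddr field to follow one skb across events. The trace lines and skbaddr values below are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of trace output (not captured from a real system).
# The skbaddr values are made-up stand-ins for hashed "%p" output.
SAMPLE_TRACE = """\
            ping-2101  [001] ....  512.000101: net_dev_queue: dev=eth0 skbaddr=000000003f9a1c27 len=98
            ping-2101  [001] ....  512.000117: net_dev_xmit: dev=eth0 skbaddr=000000003f9a1c27 len=98 rc=0
          <idle>-0     [002] ..s.  512.000420: netif_receive_skb: dev=eth0 skbaddr=00000000b41e77d0 len=84
          <idle>-0     [001] ..s.  512.000455: consume_skb: skbaddr=000000003f9a1c27
          <idle>-0     [002] ..s.  512.000471: consume_skb: skbaddr=00000000b41e77d0
"""

# task-pid  [cpu]  flags  timestamp: event: key=value ...
LINE_RE = re.compile(
    r"^\s*(?P<task>.+?)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+\S+\s+"
    r"(?P<ts>\d+\.\d+):\s+(?P<event>\w+):\s+(?P<fields>.*)$"
)


def parse_events(text):
    """Yield (timestamp, event name, fields dict) for each recognised line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers, blank lines, or truncated records
        fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        yield float(m["ts"]), m["event"], fields


def correlate_by_skb(text):
    """Map each hashed skb address to its events in timestamp order."""
    timelines = defaultdict(list)
    for ts, event, fields in parse_events(text):
        addr = fields.get("skbaddr")
        if addr is not None:
            timelines[addr].append((ts, event))
    # The hash is only an opaque join key; it is never turned back into an address.
    return {addr: [ev for _, ev in sorted(evs)] for addr, evs in timelines.items()}


if __name__ == "__main__":
    for addr, events in correlate_by_skb(SAMPLE_TRACE).items():
        print(addr, " -> ".join(events))
```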