Subject: Re: [PATCH v2 2/2] selinux: add basic filtering for audit trace events
To: Steven Rostedt
CC: Stephen Smalley, Casey Schaufler, Thiébaud Weksteen, Paul Moore, Nick Kralevich, Eric Paris, Ingo Molnar, Mauro Carvalho Chehab, "David S. Miller", Rob Herring, Arnd Bergmann
References: <20200813144914.737306-1-tweek@google.com> <20200813144914.737306-2-tweek@google.com> <02c193e4-008a-5c3d-75e8-9be7bbcb941c@schaufler-ca.com> <1b40226f-d182-7ba7-a6f6-15520c3e3516@sony.com> <20200813133842.655aff65@oasis.local.home>
From: peter enderborg
Date: Thu, 13 Aug 2020 20:18:55 +0200
In-Reply-To: <20200813133842.655aff65@oasis.local.home>
X-Mailing-List: linux-kernel@vger.kernel.org

On 8/13/20 7:38 PM, Steven Rostedt wrote:
> On Thu, 13 Aug 2020 19:14:10 +0200
> peter enderborg wrote:
>
>>> To be clear, userspace tools can't use fixed secid values because
>>> secids are dynamically assigned by SELinux and thus secid 42 need
>>> not correspond to the same security context across different boots
>>> even with the same kernel and policy.  I wouldn't include them in
>>> the event unless it is common practice to include fields that can
>>> only be interpreted if you can debug the running kernel.  It would
>>> be akin to including kernel pointers in the event (albeit without
>>> the KASLR ramifications).
>>>
>>>
>> Just as a reference on my Fedora system; out of 1808 events 244 as a
>> pointer print. I don't see that there is any obfuscating aka "%pK" as
>> there is for logs.
> Which is a reason why tracefs is root only.
>
> The "%p" gets obfuscated when printed from the trace file by default
> now. But they are consistent (where the same pointer shows up as the
> same hash).
>
> It's used mainly to map together events. For example, if you print the
> address of a skb in the networking events, it's good to know what
> events reference the same skb, and the pointer is used for that.

So what is your opinion on ssid? I don't mind removing them now since
people don't like it and the strong use-case is not strong (yet). Is
there any problem with putting them back later if useful?

And then before the strings, so the evaluation of the filter first comes
on numbers before strings. Or is there already some mechanism that
optimizes for that?

> -- Steve