Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp3140698pxa;
        Tue, 18 Aug 2020 07:38:29 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz6kS9cYElKb0/Uz41KX8m9KpOU3E8IjeEyOzw1zQgTpcoHzd4bH6IGGmRY08tYSWSjlrhb
X-Received: by 2002:a17:906:2451:: with SMTP id a17mr19909100ejb.274.1597761509032;
        Tue, 18 Aug 2020 07:38:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1597761509; cv=none;
        d=google.com; s=arc-20160816;
        b=K2n90Q0PEvWyfydOVlKSqFxT/20zSC8K946VKwh7Vfrc0uluKEkCVI2/t6MeDKVXWh
         El5JnOv/qM6LQZeVfPRFIWx5ZjfD19swbPr5UTITBwK7lbappQJaJGB6+4dqUO0MH/jU
         mEYlKimct7ci+4uk0CpmuJDRiFtEUt4ri6v+crwSh4ErAsomAhe0mV6WEN4j2gG2VlhY
         OjjzPP8qH1Y5jggA0MQWxyuXhhO05IvEe39QVBqBIXm5JJ01kOMq5kLPjhVYxcNh0N9W
         2aLVIjRLQvAuEOVAM7NNywwJPkDFcsxIIl3buKooZKgh4WL4s0UwRomY2yCgBkINhP/g
         QEAQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-language
         :content-transfer-encoding:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature;
        bh=syhPrpLTPHGhoYCnb/fg8zFy22s+NxIbyYHX8Ztv01w=;
        b=Y+aBweXn6aB8bhUVqYCl15+VrS5Gk3qkxrUXAbRX9nnV2xZAzbt15v9a6SEBaC/X7h
         ZWyZeVzyDoGqZRxA5Z1ur5Jy5TQ3Jq2r0I94RTGLanEfzh6dY/UEduB2ycUjc++O0Ilg
         AMt7IwwVXN2wnP0/DXMW+VLIG9+Nau8TFBqi9izvK5okCMj6r/G2YGzYtqsK8juo9ltS
         ygdoeRnRYSX6vQhtHRy5ss0JQwrkhK0dInvMU9jEyyjCK+rEqtJhC9u9wyvb90e7BAhV
         Sl3u6Hb/BXXHy9V+db7oUiyN75YN7e97ApzcXeINsQQo5YNKyzs+NGQCYxhqJ+qhPfnU
         NVcg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=OmNUdyoZ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id me17si13571205ejb.258.2020.08.18.07.38.05;
        Tue, 18 Aug 2020 07:38:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=OmNUdyoZ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727864AbgHROgS (ORCPT <rfc822;rao.subba.venkata@gmail.com>
        + 99 others); Tue, 18 Aug 2020 10:36:18 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52920 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727782AbgHROgQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 18 Aug 2020 10:36:16 -0400
Received: from mail-qt1-x842.google.com (mail-qt1-x842.google.com [IPv6:2607:f8b0:4864:20::842])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 74BF1C061389;
        Tue, 18 Aug 2020 07:36:15 -0700 (PDT)
Received: by mail-qt1-x842.google.com with SMTP id h21so15226530qtp.11;
        Tue, 18 Aug 2020 07:36:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-transfer-encoding:content-language;
        bh=syhPrpLTPHGhoYCnb/fg8zFy22s+NxIbyYHX8Ztv01w=;
        b=OmNUdyoZDA22FDYkRlFJ3PIH5KUQy3b7jRKfV1A484eoPSzMYGpbkByudOtTWqnlVs
         Zqy0LeHyINxDHcwW7cUmf5kaLo0GeHjBlk5vNKn3oaEapDWAaGamgOeLPXXDdgv3JRPy
         ri7R+foR2CSogVbRC1zhqT4mF1wCnC5LbP6AHdrhKPsAQkNZ55IoZRmfvWYt3IExfR1w
         dpPvSwzL0LpbuqbuSF7J9uenNga/m5PXkNCoRrPI9d7Bq5pGjZU47l+xSE5CmFittFa7
         lesLuPvx+DMaTPcLnkI0ErHhcNWMEUT2BLI+9kGnYto0BNiz1bMSXcZaPBdLDEr2lCw8
         d+0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding
         :content-language;
        bh=syhPrpLTPHGhoYCnb/fg8zFy22s+NxIbyYHX8Ztv01w=;
        b=QhpTyJ1Yt2OovowAHxr+sC0RCSip8isogzBtpEfRj2Mbe039U07HH270tavnRvHvcp
         +b6+eReFPQF8TZMvdMGv1XiblpOX4G95KubE0iYBv61iBYP9256tmU04ZDDXcFWpFtY2
         nGrPip5PwSabHY8ww2nY5NzFueEAdwobYaH53jEqNVc6gFSWVHUcNvmMJr3gEK6qYTKI
         0tLt3tF7WKciS/D3cZ2FQd8mkp78/Ltx7iKJY6G+l1STVX3ZfxZ5eHrl/sFpfjjdk7yk
         N2roLHYxNZzhffHjL87Z/Wn70QEUo3bWIY2ICS+eLvXxkgYW6xMpaCD8MCD/ABFosw+8
         yYPQ==
X-Gm-Message-State: AOAM533IcjCXXB7MqxCX8N1RyPs1GIFAjxF5xsNcFwsiC5LX7pxElgUG
        cdDbpdqJglyk638cxk1Uu+Hm485Hq4Q=
X-Received: by 2002:ac8:6a06:: with SMTP id t6mr17771209qtr.206.1597761373332;
        Tue, 18 Aug 2020 07:36:13 -0700 (PDT)
Received: from [192.168.1.190] (pool-68-134-6-11.bltmmd.fios.verizon.net. [68.134.6.11])
        by smtp.gmail.com with ESMTPSA id o47sm24550478qtk.19.2020.08.18.07.36.12
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 18 Aug 2020 07:36:12 -0700 (PDT)
Subject: Re: [PATCH v3 2/3] selinux: add basic filtering for audit trace
 events
To:     =?UTF-8?Q?Thi=c3=a9baud_Weksteen?= <tweek@google.com>,
        Paul Moore <paul@paul-moore.com>
Cc:     Nick Kralevich <nnk@google.com>,
        Peter Enderborg <peter.enderborg@sony.com>,
        Eric Paris <eparis@parisplace.org>,
        Steven Rostedt <rostedt@goodmis.org>,
        Ingo Molnar <mingo@redhat.com>,
        Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Rob Herring <robh@kernel.org>, linux-kernel@vger.kernel.org,
        selinux@vger.kernel.org
References: <20200817170729.2605279-1-tweek@google.com>
 <20200817170729.2605279-3-tweek@google.com>
From:   Stephen Smalley <stephen.smalley.work@gmail.com>
Message-ID: <15e3043b-f858-541a-dd2d-7ae60b9e9822@gmail.com>
Date:   Tue, 18 Aug 2020 10:36:12 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <20200817170729.2605279-3-tweek@google.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 8/17/20 1:07 PM, Thiébaud Weksteen wrote:

> From: Peter Enderborg <peter.enderborg@sony.com>
>
> This patch adds further attributes to the event. These attributes are
> helpful to understand the context of the message and can be used
> to filter the events.
>
> There are three common items. Source context, target context and tclass.
> There are also items from the outcome of operation performed.
>
> An event is similar to:
>             <...>-1309  [002] ....  6346.691689: selinux_audited:
>         requested=0x4000000 denied=0x4000000 audited=0x4000000
>         result=-13
>         scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>         tcontext=system_u:object_r:bin_t:s0 tclass=file
>
> With systems where many denials are occurring, it is useful to apply a
> filter. The filtering is a set of logic that is inserted with
> the filter file. Example:
>   echo "tclass==\"file\" " > events/avc/selinux_audited/filter
>
> This adds that we only get tclass=file.
>
> The trace can also have extra properties. Adding the user stack
> can be done with
>     echo 1 > options/userstacktrace
>
> Now the output will be
>           runcon-1365  [003] ....  6960.955530: selinux_audited:
>       requested=0x4000000 denied=0x4000000 audited=0x4000000
>       result=-13
>       scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>       tcontext=system_u:object_r:bin_t:s0 tclass=file
>            runcon-1365  [003] ....  6960.955560: <user stack trace>
>   =>  <00007f325b4ce45b>
>   =>  <00005607093efa57>
>
> Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
> Reviewed-by: Thiébaud Weksteen <tweek@google.com>
> ---
>   diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index b0a0af778b70..7de5cc5169af 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -705,35 +705,39 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
>   {
>   	struct common_audit_data *ad = a;
>   	struct selinux_audit_data *sad = ad->selinux_audit_data;
> -	char *scontext;
> +	char *scontext = NULL;
> +	char *tcontext = NULL;
> +	const char *tclass = NULL;
>   	u32 scontext_len;
> +	u32 tcontext_len;
>   	int rc;
>   
> -	trace_selinux_audited(sad);
> -
>   	rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
>   				     &scontext_len);
>   	if (rc)
>   		audit_log_format(ab, " ssid=%d", sad->ssid);
>   	else {
>   		audit_log_format(ab, " scontext=%s", scontext);
> -		kfree(scontext);
>   	}
I guess technically you should drop the { } above since it is reduced to 
a single statement body.
>   
> -	rc = security_sid_to_context(sad->state, sad->tsid, &scontext,
> -				     &scontext_len);
> +	rc = security_sid_to_context(sad->state, sad->tsid, &tcontext,
> +				     &tcontext_len);
>   	if (rc)
>   		audit_log_format(ab, " tsid=%d", sad->tsid);
>   	else {
> -		audit_log_format(ab, " tcontext=%s", scontext);
> -		kfree(scontext);
> +		audit_log_format(ab, " tcontext=%s", tcontext);
>   	}
Ditto.