Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1000297pxk; Mon, 31 Aug 2020 07:18:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz87ByKFw9xFuVbO/bRP+jI7w7OBWQgN5PgqevX81fO/kWwCB8uNw0zfhHgOcoacUcp401H X-Received: by 2002:a17:906:37c1:: with SMTP id o1mr1345732ejc.279.1598883515235; Mon, 31 Aug 2020 07:18:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598883515; cv=none; d=google.com; s=arc-20160816; b=twkdX7qEREjZfZAX+r8mngYJOMWfwT+40SJcwy4+K6ItngGZQs/YCSWpFAO5VJRh7A iX6kETocXkeuqnnEF5ATckblrpVbb3EkC7rSSqn98SEVGFoeP2soixFL5imcWwUz9g+U CTLTOaztNY5VyLkHF8uQu6VsixW1E5rek+CppFaqWHBiqlzt8nLd9fRpG7qoxQU0fjpf rz61Cl2ZA2nXAEgo6OGaIr0oVmMioQb6VBP1MrbOzjCs0GBbkQpiugIQTNn5QPs+MBox ioRlAsPo/ZwhV4QffrnH5OILlwmwmT1mjMhDbWJI9K2knaMyMJseM0KLRQv5B6z+kr7E XjbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=D+jgYWCECokgeMoKCt+yMfDkGgoonOPi28LQb80zcoc=; b=H66J+3k4K61CKrwhmthnQL8FSwyeenzUk0nluGIRg43En0/HK0O8GOYUaEf6W/pVL3 Sb+y3+4Oj0h2BlqVrcOCaq5YZKGvyUkNfY/it999lyYz1ue7zDe4JsewUBAmJaQJcpat XRCSfnNv3uI9fudiLc2AS+7paLjOTRLZ0WVgNuMZAdwd2GZQi06bgu27TpZlpzKOMdoW 0l9YjmTb9NroksHH87F96ybwKsM7xyunxi9gH0ZvnRw+ZTv360RkEEehzrrA7nEnHh/c JKAdzOaFxgan5r5h4frqMC4q1P1CrEjgC5xm/834wZEuAO/Gw2pzBezW01tsz0RW01nO ZO/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=AS5SvMiY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e19si5576591ejr.66.2020.08.31.07.18.12; Mon, 31 Aug 2020 07:18:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=AS5SvMiY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727901AbgHaOQl (ORCPT + 99 others); Mon, 31 Aug 2020 10:16:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43852 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727884AbgHaOQf (ORCPT ); Mon, 31 Aug 2020 10:16:35 -0400 Received: from mail-ej1-x643.google.com (mail-ej1-x643.google.com [IPv6:2a00:1450:4864:20::643]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 097F7C061575 for ; Mon, 31 Aug 2020 07:16:35 -0700 (PDT) Received: by mail-ej1-x643.google.com with SMTP id p9so2998293ejf.6 for ; Mon, 31 Aug 2020 07:16:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=D+jgYWCECokgeMoKCt+yMfDkGgoonOPi28LQb80zcoc=; b=AS5SvMiYtSI+CWXRGuTYCefWuAmJ0GhXJnEIwQxverbnwHsolVx/ZJLdUle6ekYccU aezPLF97GJEFqFILdvEgTTXvTMFslz6HQy//DP71I52yu6xKQQJFiz1KFA3PfHyAOS3O nrYdTuLFZUxQ8tydHhHNYDwPnSTAQU1e3byQXu/Oo96+i7pr2hxGrmL97/ehnXtijEFP Lsk/qSQ88coc7yz+QAY1lEJzKN+9u4eha26bJ3oIetiKzomepuUDrvQvKMBauCO4DShK rPJQl3yNo8WRpHPgnVVHC9T0HPNI6Qj4gy3nRCGcKRIx1p9OFs0fVfM3GrxPGkHfnPis KgjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=D+jgYWCECokgeMoKCt+yMfDkGgoonOPi28LQb80zcoc=; b=UNdm+e2z8oLyLG82n9nvscFqyiyFoSIrDYkwhg7mfe5yMO8/2y6GXJkzOtIhAoxlXq G6kBiwmwhJSMwIHNXl2wGJ2d6Uhy8wtsKYCuFFhza3gc9XrSbthyno5J0rqyOqhHpp5e tH1XBE+jWeb/IWPiNudeMlE4JjBUrG4OKSJIY8+hy/7lianGQ/Lri0teWwObVcatV5yM si1akuxvexMiYkvwk9GN55KCdSGbOgfizoSgqRi/7zILB/k4gkcYEq0+a9xlgFA5aqbK +y6qOIoCtEgrKH3+5uyeU/pg/YBUC3wjHlIA076NnMAy8S9M+PHwuXYL9V9sqwvvGbEX mWMw== X-Gm-Message-State: AOAM530DD+7oE0lisULJPe9dYPydY4beDefojgKPBNN2GiJh5+kwMW8I Zsm+WMXp3nCHrLW9uxC7nvXsJkkZ3UDPgXMDcj4f X-Received: by 2002:a17:906:bc52:: with SMTP id s18mr1294329ejv.398.1598883393485; Mon, 31 Aug 2020 07:16:33 -0700 (PDT) MIME-Version: 1.0 References: <20200824132252.31261-1-peter.enderborg@sony.com> <20200824132252.31261-2-peter.enderborg@sony.com> <6cbe5d27-ebb2-70a6-bad4-31c9f310eff2@sony.com> <59fa190f-37c0-79f3-ea46-8f821d820e1c@sony.com> In-Reply-To: From: Paul Moore Date: Mon, 31 Aug 2020 10:16:22 -0400 Message-ID: Subject: Re: [RFC PATCH] selinux: Add denied trace with permssion filter To: peter enderborg Cc: linux-kernel@vger.kernel.org, SElinux list , Steven Rostedt , Stephen Smalley Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 27, 2020 at 10:04 AM peter enderborg wrote: > > On 8/27/20 3:30 PM, Paul Moore wrote: > > On Wed, Aug 26, 2020 at 11:06 AM peter enderborg > > wrote: > >> On 8/26/20 4:45 PM, Paul Moore wrote: > >>> On Wed, Aug 26, 2020 at 10:34 AM peter enderborg > >>> wrote: > >>>> On 8/26/20 3:42 PM, Paul Moore wrote: > >>>>> On Mon, Aug 24, 2020 at 9:23 AM Peter Enderborg > >>>>> wrote: > >>>>>> This adds tracing of all denies. They are grouped with trace_seq f= or > >>>>>> each audit. > >>>>>> > >>>>>> A filter can be inserted with a write to it's filter section. > >>>>>> > >>>>>> echo "permission=3D=3D\"entrypoint\"" > events/avc/selinux_denied/= filter > >>>>>> > >>>>>> A output will be like: > >>>>>> runcon-1046 [002] .N.. 156.351738: selinux_denied: > >>>>>> trace_seq=3D2 result=3D-13 > >>>>>> scontext=3Dsystem_u:system_r:cupsd_t:s0-s0:c0. > >>>>>> c1023 tcontext=3Dsystem_u:object_r:bin_t:s0 > >>>>>> tclass=3Dfile permission=3Dentrypoint > >>>>>> > >>>>>> Signed-off-by: Peter Enderborg > >>>>>> --- > >>>>>> include/trace/events/avc.h | 37 +++++++++++++++++++++++++++++++++= ++++ > >>>>>> security/selinux/avc.c | 27 +++++++++++++++++++++++++-- > >>>>>> 2 files changed, 62 insertions(+), 2 deletions(-) > >>>>> My most significant comment is that I don't think we want, or need, > >>>>> two trace points in the avc_audit_post_callback() function. Yes, I > >>>>> understand they are triggered slightly differently, but from my > >>>>> perspective there isn't enough difference between the two tracepoin= ts > >>>>> to warrant including both. However, while the tracepoints may be > >>>> We tried that but that was problematic too. > >>> My apologies if I was on that thread, but can you remind me why it wa= s > >>> a problem? Why can't we use a single tracepoint to capture the AVC > >>> information? > >> The problem is parsing the event. > >> > >> https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__lkml.org_lkml_2= 020_8_18_842&d=3DDwIBaQ&c=3DfP4tf--1dS0biCFlB0saz0I0kjO5v7-GLPtvShAo4cc&r= =3DoO5HuGEGxznA2F3djiiYxmxxWQonw0h6Sks-BEoB4ys&m=3Dqmi2ROWsLC_0mLLhHkpb71j1= YoicydLh-7l4cOsLYcY&s=3DiS3eZr3TFrN5I7BbnvPFYOKd6DfW1FHTFcwI7joS_fk&e=3D > >> > >> https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__lkml.org_lkml_2= 020_8_21_526&d=3DDwIBaQ&c=3DfP4tf--1dS0biCFlB0saz0I0kjO5v7-GLPtvShAo4cc&r= =3DoO5HuGEGxznA2F3djiiYxmxxWQonw0h6Sks-BEoB4ys&m=3Dqmi2ROWsLC_0mLLhHkpb71j1= YoicydLh-7l4cOsLYcY&s=3D9OsLN0Y5mUWxEAAqUE6K4PS57Pn1XyZz7GXak6uc_Ls&e=3D > >> > >> and the "single list" version > >> > >> https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__lkml.org_lkml_2= 020_8_17_1346&d=3DDwIBaQ&c=3DfP4tf--1dS0biCFlB0saz0I0kjO5v7-GLPtvShAo4cc&r= =3DoO5HuGEGxznA2F3djiiYxmxxWQonw0h6Sks-BEoB4ys&m=3Dqmi2ROWsLC_0mLLhHkpb71j1= YoicydLh-7l4cOsLYcY&s=3DtWSY2ry2IT6RcT5BIUwMuqBL_yPObDE1VljbLqI1zrA&e=3D > >> > >> With this patch we follow standard message format so no plugin should = be needed. > > I'm evidently missing something very fundamental (likely), and/or I'm > > just not communicating very clearly (also likely), because the above > > links don't appear to make any sense with respect to my question. > > > > Let me try a reset ... Why can't we basically take the > > "selinux_denied" TRACE_EVENT implementation in your patch and use it > > to replace the "selinux_audited" TRACE_EVENT in the selinux/next tree > > (of course with the necessary changes to the AVC callback code)? > > > > If the "selinux_denied" implementation is valid from a tracing point > > of view, why can we not do this? Of course if the "selinux_denied" > > implementation is not a valid TRACE_EVENT then I'm not sure why this > > was suggested for SELinux :) > > Im happly fine with replacing the selinux_audited with selinux_denied. H= owever it is the case where there are more than one denial at the same time= . Im not sure how and when it might happen. One thing I wondered about was why not build up a single string with all of the permissions instead of generating multiple trace events? In the previous discussion it was implied that this was due to limitations in the tracing subsystem's filtering, and based on the discussion thus far I'm guessing there is little desire for this information if it can't be filtered on? If that's the case then I think we are stuck with the tracing code that currently lives in selinux/next, as I currently have little desire to add more than one tracepoint in the SELinux permission checking codepath. > When that happen we got more than one event. I have no problems with that= , but im not sure if the debug tools and perf can make sense of that. > > A other feature with the selinux_audited event it might be inserted on ot= her places in the code too. A denial is sort of final. --=20 paul moore www.paul-moore.com