From: Paul Moore
Date: Tue, 2 Feb 2021 16:44:47 -0500
Subject: Re: [PATCH 2/2] audit: show (grand)parents information of an audit context
To: Daniel Walker
Cc: Eric Paris, Phil Zhang, xe-linux-external@cisco.com, linux-audit@redhat.com, linux-kernel@vger.kernel.org
References: <20210202212930.18845-2-danielwa@cisco.com>
In-Reply-To: <20210202212930.18845-2-danielwa@cisco.com>
List-ID: linux-kernel@vger.kernel.org

On Tue, Feb 2, 2021 at 4:29 PM Daniel Walker wrote:
> From: Phil Zhang
>
> To ease the root cause analysis of SELinux AVCs, this new feature
> traverses task structs to iteratively find all parent processes
> starting with the denied process and ending at the kernel. Meanwhile,
> it prints out the command lines and subject contexts of those parents.
>
> This provides developers a clear view of how processes were spawned
> and where transitions happened, without the need to reproduce the
> issue and manually audit interesting events.
>
> Example on bash over ssh:
> $ runcon -u system_u -r system_r -t polaris_hm_t ls
> ...
> type=PARENT msg=audit(1610548241.033:255): subj=root:unconfined_r:unconfined_t:s0-s0:c0.c1023 cmdline="-bash"
> type=PARENT msg=audit(1610548241.033:255): subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 cmdline="sshd: root@pts/0"
> type=PARENT msg=audit(1610548241.033:255): subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 cmdline="/tmp/sw/rp/0/0/rp_security/mount/usr/sbin/sshd
> type=PARENT msg=audit(1610548241.033:255): subj=system_u:system_r:init_t:s0 cmdline="/init"
> type=PARENT msg=audit(1610548241.033:255): subj=system_u:system_r:kernel_t:s0
> ...
>
> Cc: xe-linux-external@cisco.com
> Signed-off-by: Phil Zhang
> Signed-off-by: Daniel Walker
> ---
>  include/uapi/linux/audit.h |  5 ++-
>  init/Kconfig               |  7 +++++
>  kernel/audit.c             |  3 +-
>  kernel/auditsc.c           | 64 ++++++++++++++++++++++++++++++++++++++
>  4 files changed, 77 insertions(+), 2 deletions(-)

This is just for development/testing of SELinux policy, right? It seems
like this is better done in userspace to me through a combination of
policy analysis and just understanding of how your system is put
together.

If you really need this information in the audit log for some
production use, it seems like you could audit the various fork()/exec()
syscalls to get an understanding of the various process (sub)trees on
the system. It would require a bit of work to sift through the audit
log and reconstruct the events that led to a process being started, and
generating the AVC you are interested in debugging, but folks who live
The Audit Life supposedly do this sort of thing a lot (this sort of
thing being tracing a process/session).

-- 
paul moore
www.paul-moore.com
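The userspace approach suggested in the reply above, reconstructing the parent chain behind an AVC from execve SYSCALL records instead of a new PARENT record type, as an added Python example that is not part of the thread or of the patch. The log lines, pids and paths are constructed for the example, and the execve syscall number assumes x86_64 (arch=c000003e).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log (not from the thread): an audit rule on execve logged
# each exec in the chain sshd -> sshd (session) -> bash -> ls, followed by the
# AVC that the "ls" process triggered. Fields are trimmed for brevity.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1610548100.000:200): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=800 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1610548200.000:210): arch=c000003e syscall=59 success=yes exit=0 ppid=800 pid=900 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1610548210.000:220): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=950 comm="bash" exe="/usr/bin/bash" subj=root:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1610548241.033:255): arch=c000003e syscall=59 success=yes exit=0 ppid=950 pid=1240 comm="ls" exe="/usr/bin/ls" subj=system_u:system_r:polaris_hm_t:s0 key=(null)
type=AVC msg=audit(1610548241.040:256): avc:  denied  { read } for  pid=1240 comm="ls" name="root" dev="dm-0" ino=128 scontext=system_u:system_r:polaris_hm_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, quoted or bare value
EXECVE_X86_64 = "59"  # execve syscall number when arch=c000003e (x86_64)

def parse_record(line: str) -> Dict[str, str]:
    """Turn one audit record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def index_execs(log: str) -> Dict[int, Dict[str, str]]:
    """pid -> latest successful execve record. Caveat: pids get reused, so a
    long log should also key on event time; this keeps the most recent one."""
    execs: Dict[int, Dict[str, str]] = {}
    for rec in map(parse_record, log.splitlines()):
        if (rec.get("type") == "SYSCALL" and rec.get("syscall") == EXECVE_X86_64
                and rec.get("success") == "yes"):
            execs[int(rec["pid"])] = rec
    return execs

def avc_pids(log: str) -> List[int]:
    """Pids named in AVC denial records, in log order."""
    return [int(r["pid"]) for r in map(parse_record, log.splitlines())
            if r.get("type") == "AVC" and "pid" in r]

def ancestry(log: str, pid: int) -> List[Tuple[str, str]]:
    """Walk ppid links upward from pid, returning (subj, exe) per hop: the view
    the proposed PARENT records give, rebuilt from the log. Stops at the first
    pid with no execve record (e.g. pid 1 if rules loaded after boot)."""
    execs = index_execs(log)
    chain: List[Tuple[str, str]] = []
    seen = set()  # guards against a cycle from a reused pid
    while pid in execs and pid not in seen:
        seen.add(pid)
        rec = execs[pid]
        chain.append((rec["subj"], rec["exe"]))
        pid = int(rec["ppid"])
    return chain
```

Calling `ancestry(SAMPLE_LOG, p)` for each `p` in `avc_pids(SAMPLE_LOG)` yields the ls -> bash -> sshd -> sshd chain with the SELinux context of each hop, which is where the domain transitions are visible.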