From: Paul Moore
Date: Tue, 2 Feb 2021 16:45:56 -0500
Subject: Re: [PATCH 1/2] audit: show user land backtrace as part of audit context messages
To: "Daniel Walker (danielwa)"
Cc: "Victor Kamensky (kamensky)", Eric Paris, "xe-linux-external(mailer list)", "Ruslan Bilovol -X (rbilovol - GLOBALLOGIC INC at Cisco)", "linux-audit@redhat.com", "linux-kernel@vger.kernel.org"
References: <20210202212930.18845-1-danielwa@cisco.com> <20210202214357.GD3710@zorba>
In-Reply-To: <20210202214357.GD3710@zorba>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 2, 2021 at 4:44 PM Daniel Walker (danielwa) wrote:
> On Tue, Feb 02, 2021 at 04:35:42PM -0500, Paul Moore wrote:
> > On Tue, Feb 2, 2021 at 4:29 PM Daniel Walker wrote:
> > > From: Victor Kamensky
> > >
> > > To efficiently find out where SELinux AVC denial is coming from
> > > take backtrace of user land process and display it as type=UBACKTRACE
> > > message that comes as audit context for SELinux AVC and other audit
> > > messages ...
> >
> > Have you tried the new perf tracepoint for SELinux AVC decisions that
> > trigger an audit event? It's a new feature for v5.10 and looks to
> > accomplish most of what you are looking for with this patch.
> >
> > * https://www.paul-moore.com/blog/d/2020/12/linux_v510.html
>
> We haven't tried it, but I can look into it. We're not using v5.10 extensively
> yet.

Let us know if that works for you, and if it doesn't, let us know what
might be missing. I hate seeing the kernel grow multiple features
which do the same thing.

--
paul moore
www.paul-moore.com