From: Paul Moore
Date: Tue, 2 Feb 2021 16:35:42 -0500
Subject: Re: [PATCH 1/2] audit: show user land backtrace as part of audit context messages
To: Daniel Walker, Victor Kamensky
Cc: Eric Paris, xe-linux-external@cisco.com, Ruslan Bilovol, linux-audit@redhat.com, linux-kernel@vger.kernel.org
In-Reply-To: <20210202212930.18845-1-danielwa@cisco.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 2, 2021 at 4:29 PM Daniel Walker wrote:
> From: Victor Kamensky
>
> To efficiently find out where SELinux AVC denial is coming from
> take backtrace of user land process and display it as type=UBACKTRACE
> message that comes as audit context for SELinux AVC and other audit
> messages ...

Have you tried the new perf tracepoint for SELinux AVC decisions that
trigger an audit event?  It's a new feature for v5.10 and looks to
accomplish most of what you are looking for with this patch.

* https://www.paul-moore.com/blog/d/2020/12/linux_v510.html

--
paul moore
www.paul-moore.com