From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: peter enderborg <peter.enderborg@sony.com>
Cc: "Steven Rostedt" <rostedt@goodmis.org>,
	"Thiébaud Weksteen" <tweek@google.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"Nick Kralevich" <nnk@google.com>,
	"Joel Fernandes" <joelaf@google.com>,
	"Eric Paris" <eparis@parisplace.org>,
	"Ingo Molnar" <mingo@redhat.com>,
	"Mauro Carvalho Chehab" <mchehab+huawei@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	"Rob Herring" <robh@kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	"SElinux list" <selinux@vger.kernel.org>
Subject: Re: [PATCH] RFC: selinux avc trace
Date: Thu, 30 Jul 2020 10:50:36 -0400
Message-ID: <CAEjxPJ5tu=R20snbetzv+CCZMd-yD+obbkbf6MYVqQx3oZLkqA@mail.gmail.com>
In-Reply-To: <80a23580-5067-93b0-53fa-3bd53253c056@sony.com>

On Thu, Jul 30, 2020 at 10:29 AM peter enderborg
<peter.enderborg@sony.com> wrote:
>
> I did manage to rebase it but this is about my approach.
>
> Compared to Thiébaud Weksteen patch this adds:
>
> 1 Filtering. Types go to trace so we can put up a filter for contexts or types etc.
>
> 2 It also tries to cover non-denies.  And upon that you should be able to do coverage tools.
> I think many systems have a lot more rules than what is needed, but there is good way
> to find out what.  Another way is to make a stat page for the rules, but this way connects to
> userspace and can be used for test cases.
>
> This code needs a lot more work, but it shows how the filter should work (extra info is not right)
> and there are memory leaks, extra debug info and nonsense variables etc.

Perhaps the two of you could work together to come up with a common
tracepoint that addresses both needs.
On the one hand, we don't need/want to duplicate the avc message
itself; we just need enough to be able to correlate them.
With respect to non-denials, SELinux auditallow statements can be used
to generate avc: granted messages that can be used to support coverage
tools, although you can easily flood the logs that way.  One other
limitation of the other patch is that it doesn't support generating
trace information for denials silenced by dontaudit rules, which might
be challenging to debug especially on Android where you can't just run
semodule -DB to strip all dontaudits.

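To make the coverage discussion above concrete, here is an added example (my own code, not part of either patch in the thread) of the userspace side Stephen describes: it parses `avc: granted` messages, as produced by `auditallow` rules, and `avc: denied` messages from an audit log and reports which permissions of a constructed set of allow rules were actually exercised. The audit lines and the `POLICY` list are constructed sample data; `parse_avc`, `coverage` and `denials` are names chosen here. It also counts how many granted messages each rule produced, which is the "flood the logs" cost Stephen mentions, and it cannot see anything a `dontaudit` rule silenced, which is exactly the gap he points out.

```python
import re
from collections import Counter

# Constructed sample audit lines (not taken from the thread). The layout follows the
# kernel's avc message format: verdict, permission set, then scontext/tcontext/tclass.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1596120000.101:11): avc:  granted  { read open } for  pid=201 comm="app" path="/data/x" dev="dm-0" ino=42 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
type=AVC msg=audit(1596120000.102:12): avc:  granted  { read } for  pid=201 comm="app" path="/data/x" dev="dm-0" ino=42 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
type=AVC msg=audit(1596120000.103:13): avc:  denied  { write } for  pid=201 comm="app" name="system" dev="dm-0" ino=7 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
type=AVC msg=audit(1596120000.104:14): avc:  granted  { connectto } for  pid=305 comm="svc" path="/dev/socket/svc" scontext=u:r:platform_app:s0 tcontext=u:r:svc:s0 tclass=unix_stream_socket
"""

# Constructed allow rules to measure coverage against: (source type, target type, class, perms).
POLICY = [
    ("untrusted_app", "app_data_file", "file", {"read", "open", "write"}),
    ("platform_app", "svc", "unix_stream_socket", {"connectto"}),
    ("untrusted_app", "system_data_file", "dir", {"search"}),
]

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(ctx):
    # Third field of a security context is the type: u:r:untrusted_app:s0 -> untrusted_app
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one (verdict, source type, target type, class, permission) tuple per
    permission in each avc message; a message with { read open } yields two tuples."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc message
        for perm in m["perms"].split():
            events.append((m["verdict"], type_of(m["scontext"]),
                           type_of(m["tcontext"]), m["tclass"], perm))
    return events


def coverage(events, policy):
    """For each rule, list which permissions were seen granted, which never were,
    and how many granted messages the rule generated (the auditallow log volume)."""
    granted = Counter((s, t, c, p) for v, s, t, c, p in events if v == "granted")
    report = []
    for s, t, c, perms in policy:
        hit = {p for p in perms if granted[(s, t, c, p)]}
        report.append({
            "rule": (s, t, c),
            "exercised": sorted(hit),
            "unused": sorted(perms - hit),
            "hits": sum(granted[(s, t, c, p)] for p in perms),
        })
    return report


def denials(events):
    """Count denied (source, target, class, perm) tuples; denials silenced by a
    dontaudit rule never reach the log, so they cannot appear here."""
    return Counter((s, t, c, p) for v, s, t, c, p in events if v == "denied")


if __name__ == "__main__":
    evs = parse_avc(SAMPLE_AUDIT)
    for row in coverage(evs, POLICY):
        print(row)
    print(dict(denials(evs)))
```

The report's `unused` lists are the candidates for policy trimming that Peter is after, while `hits` shows why `auditallow` on a hot rule is expensive: every successful access writes a message. A tracepoint carrying the same context/class/permission fields would feed the identical `coverage` logic without the audit log cost, which is the point of the common tracepoint Stephen suggests.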