From: peter enderborg <peter.enderborg@sony.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: "Steven Rostedt" <rostedt@goodmis.org>,
"Thiébaud Weksteen" <tweek@google.com>,
"Paul Moore" <paul@paul-moore.com>,
"Nick Kralevich" <nnk@google.com>,
"Joel Fernandes" <joelaf@google.com>,
"Eric Paris" <eparis@parisplace.org>,
"Ingo Molnar" <mingo@redhat.com>,
"Mauro Carvalho Chehab" <mchehab+huawei@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
"Rob Herring" <robh@kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
"SElinux list" <selinux@vger.kernel.org>
Subject: Re: [PATCH] RFC: selinux avc trace
Date: Thu, 30 Jul 2020 17:47:21 +0200 [thread overview]
Message-ID: <b2bde77e-98cf-2c62-79ed-ca7d58b10bca@sony.com> (raw)
In-Reply-To: <CAEjxPJ5tu=R20snbetzv+CCZMd-yD+obbkbf6MYVqQx3oZLkqA@mail.gmail.com>
On 7/30/20 4:50 PM, Stephen Smalley wrote:
> On Thu, Jul 30, 2020 at 10:29 AM peter enderborg
> <peter.enderborg@sony.com> wrote:
>> I did manage to rebase it but this is about my approach.
>>
>> Compared to Thiébaud Weksteen patch this adds:
>>
>> 1 Filtering. Types goes to trace so we can put up a filter for contexts or type etc.
>>
>> 2 It tries also to cover non denies. And upon that you should be able to do coverage tools.
>> I think many systems have a lot more rules that what is needed, but there is good way
>> to find out what. A other way us to make a stat page for the rules, but this way connect to
>> userspace and can be used for test cases.
>>
>> This code need a lot more work, but it shows how the filter should work (extra info is not right)
>> and there are memory leaks, extra debug info and nonsense variable etc.
> Perhaps the two of you could work together to come up with a common
> tracepoint that addresses both needs.
Sounds good to me.
> On the one hand, we don't need/want to duplicate the avc message
> itself; we just need enough to be able to correlate them.
> With respect to non-denials, SELinux auditallow statements can be used
> to generate avc: granted messages that can be used to support coverage
> tools although you can easily flood the logs that way. One other
That is one reason to use trace. I can be used for things that
generate a lot of data. Like memory allocations and scheduler etc,
and it is a developer tool so you should not have to worry about DOS etc.
Both netlink and android logging are too happy to throw away data for
developers to be happy.
> limitation of the other patch is that it doesn't support generating
> trace information for denials silenced by dontaudit rules, which might
> be challenging to debug especially on Android where you can't just run
> semodule -DB to strip all dontaudits.
I think that only work for rooted devices. Many application developers
run on commercial devices that are locked, but they do have access
to trace. But I have no idea if they (google) have intended the selinux traces to
available there.
next prev parent reply other threads:[~2020-07-30 15:47 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-24 9:15 [PATCH] selinux: add tracepoint on denials Thiébaud Weksteen
2020-07-24 13:32 ` Stephen Smalley
2020-07-24 13:54 ` Paul Moore
2020-07-28 12:49 ` Thiébaud Weksteen
2020-07-28 13:04 ` Stephen Smalley
2020-07-28 13:19 ` Thiébaud Weksteen
2020-07-28 13:12 ` Steven Rostedt
2020-07-28 13:23 ` Thiébaud Weksteen
2020-07-28 15:12 ` Paul Moore
2020-07-28 16:02 ` Thiébaud Weksteen
2020-07-28 16:19 ` Stephen Smalley
2020-07-28 16:20 ` Paul Moore
2020-07-30 15:50 ` Thiébaud Weksteen
2020-07-30 8:03 ` peter enderborg
2020-07-24 13:52 ` Steven Rostedt
2020-07-30 14:29 ` [PATCH] RFC: selinux avc trace peter enderborg
2020-07-30 14:50 ` Stephen Smalley
2020-07-30 15:47 ` peter enderborg [this message]
2020-07-30 15:04 ` Steven Rostedt
2020-07-30 15:31 ` peter enderborg
2020-07-30 16:02 ` Steven Rostedt
2020-07-30 17:05 ` peter enderborg
2020-07-30 17:16 ` Steven Rostedt
2020-07-30 19:12 ` peter enderborg
2020-07-30 19:29 ` Steven Rostedt
2020-07-30 19:50 ` peter enderborg
2020-07-31 11:07 ` Thiébaud Weksteen
2020-07-28 15:22 ` [PATCH] selinux: add tracepoint on denials Joel Fernandes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b2bde77e-98cf-2c62-79ed-ca7d58b10bca@sony.com \
--to=peter.enderborg@sony.com \
--cc=davem@davemloft.net \
--cc=eparis@parisplace.org \
--cc=joelaf@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=mingo@redhat.com \
--cc=nnk@google.com \
--cc=paul@paul-moore.com \
--cc=robh@kernel.org \
--cc=rostedt@goodmis.org \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=tweek@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).