[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhT1sGSpfCKojbKR+O2Hf_h+wnKnBwwSo09CbFaCYLcOHA@mail.gmail.com>
Date: Tue, 28 Jul 2020 11:12:36 -0400
From: Paul Moore <paul@...l-moore.com>
To: ThiƩbaud Weksteen <tweek@...gle.com>
Cc: Steven Rostedt <rostedt@...dmis.org>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Nick Kralevich <nnk@...gle.com>,
Joel Fernandes <joelaf@...gle.com>,
Eric Paris <eparis@...isplace.org>,
Ingo Molnar <mingo@...hat.com>,
Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Rob Herring <robh@...nel.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
SElinux list <selinux@...r.kernel.org>
Subject: Re: [PATCH] selinux: add tracepoint on denials
On Tue, Jul 28, 2020 at 8:49 AM ThiƩbaud Weksteen <tweek@...gle.com> wrote:
>
> Thanks for the review! I'll send a new revision of the patch with the
> %x formatter and using the TP_CONDITION macro.
>
> On adding further information to the trace event, I would prefer
> adding the strict minimum to be able to correlate the event with the
> avc message. The reason is that tracevents have a fixed size (see
> https://www.kernel.org/doc/Documentation/trace/events.txt). For
> instance, we would need to decide on a maximum size for the string
> representation of the list of permissions.
It sounds like this is no longer an issue, hopefully this changes your
thinking as I'm not sure how usable it would be in practice for users
not overly familiar with SELinux.
Perhaps it would be helpful if you provided an example of how one
would be expected to use this new tracepoint? That would help put
things in the proper perspective.
> This would also duplicate
> the reporting done in the avc audit event. I'll simply add the pid as
> part of the printk, which should be sufficient for the correlation.
Well, to be honest, the very nature of this tracepoint is duplicating
the AVC audit record with a focus on using perf to establish a full
backtrace at the expense of reduced information. At least that is how
it appears to me.
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists