[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAEjxPJ5tu=R20snbetzv+CCZMd-yD+obbkbf6MYVqQx3oZLkqA@mail.gmail.com>
Date: Thu, 30 Jul 2020 10:50:36 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: peter enderborg <peter.enderborg@...y.com>
Cc: Steven Rostedt <rostedt@...dmis.org>,
ThiƩbaud Weksteen <tweek@...gle.com>,
Paul Moore <paul@...l-moore.com>,
Nick Kralevich <nnk@...gle.com>,
Joel Fernandes <joelaf@...gle.com>,
Eric Paris <eparis@...isplace.org>,
Ingo Molnar <mingo@...hat.com>,
Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Rob Herring <robh@...nel.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
SElinux list <selinux@...r.kernel.org>
Subject: Re: [PATCH] RFC: selinux avc trace
On Thu, Jul 30, 2020 at 10:29 AM peter enderborg
<peter.enderborg@...y.com> wrote:
>
> I did manage to rebase it but this is about my approach.
>
> Compared to ThiƩbaud Weksteen patch this adds:
>
> 1 Filtering. Types goes to trace so we can put up a filter for contexts or type etc.
>
> 2 It tries also to cover non denies. And upon that you should be able to do coverage tools.
> I think many systems have a lot more rules that what is needed, but there is good way
> to find out what. A other way us to make a stat page for the rules, but this way connect to
> userspace and can be used for test cases.
>
> This code need a lot more work, but it shows how the filter should work (extra info is not right)
> and there are memory leaks, extra debug info and nonsense variable etc.
Perhaps the two of you could work together to come up with a common
tracepoint that addresses both needs.
On the one hand, we don't need/want to duplicate the avc message
itself; we just need enough to be able to correlate them.
With respect to non-denials, SELinux auditallow statements can be used
to generate avc: granted messages that can be used to support coverage
tools although you can easily flood the logs that way. One other
limitation of the other patch is that it doesn't support generating
trace information for denials silenced by dontaudit rules, which might
be challenging to debug especially on Android where you can't just run
semodule -DB to strip all dontaudits.
Powered by blists - more mailing lists