lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Aug 2020 09:49:47 -0400 From: Stephen Smalley <stephen.smalley.work@...il.com> To: peter enderborg <peter.enderborg@...y.com>, ThiƩbaud Weksteen <tweek@...gle.com>, Paul Moore <paul@...l-moore.com> Cc: Nick Kralevich <nnk@...gle.com>, Eric Paris <eparis@...isplace.org>, Steven Rostedt <rostedt@...dmis.org>, Ingo Molnar <mingo@...hat.com>, Mauro Carvalho Chehab <mchehab+huawei@...nel.org>, "David S. Miller" <davem@...emloft.net>, Rob Herring <robh@...nel.org>, Arnd Bergmann <arnd@...db.de>, linux-kernel <linux-kernel@...r.kernel.org>, SElinux list <selinux@...r.kernel.org> Subject: Re: [PATCH 2/2] selinux: add attributes to avc tracepoint On Thu, Aug 6, 2020 at 9:45 AM Stephen Smalley <stephen.smalley.work@...il.com> wrote: > > On 8/6/20 8:32 AM, Stephen Smalley wrote: > > > On 8/6/20 8:24 AM, peter enderborg wrote: > > > >> On 8/6/20 2:11 PM, Stephen Smalley wrote: > >>> On 8/6/20 4:03 AM, ThiƩbaud Weksteen wrote: > >>> > >>>> From: Peter Enderborg <peter.enderborg@...y.com> > >>>> > >>>> Add further attributes to filter the trace events from AVC. > >>> Please include sample usage and output in the description. > >>> > >>> > >> Im not sure where you want it to be. > >> > >> In the commit message or in a Documentation/trace/events-avc.rst ? > > > > I was just asking for it in the commit message / patch description. I > > don't know what is typical for Documentation/trace. > > For example, I just took the patches for a spin, running the > selinux-testsuite under perf like so: > > sudo perf record -e avc:selinux_audited -g make test > > and then ran: > > sudo perf report -g > > and a snippet of sample output included: > > 6.40% 6.40% requested=0x800000 denied=0x800000 > audited=0x800000 result=-13 ssid=922 tsid=922 > scontext=unconfined_u:unconfined_r:test_binder_mgr_t:s0-s0:c0.c1023 > tcontext=unconfined_u:unconfined_r:test_binder_mgr_t:s0-s0:c0.c1023 > tclass=capability So then the question becomes how do you use the above information, e.g. is that sufficient to correlate it to an actual avc: denied message, how do you decode the requested/denied/audited fields (or should the code do that for you and just report the string name(s) of the permission(s), do you need all three of those fields separately, is it useful to log the ssid/tsid at all given that you have the contexts and sids are dynamically assigned, etc. > | > ---0x495641000028933d > __libc_start_main > | > |--4.60%--__GI___ioctl > | entry_SYSCALL_64 > | do_syscall_64 > | __x64_sys_ioctl > | ksys_ioctl > | binder_ioctl > | binder_set_nice > | can_nice > | capable > | security_capable > | cred_has_capability.isra.0 > | slow_avc_audit > | common_lsm_audit > | avc_audit_post_callback > | avc_audit_post_callback
Powered by blists - more mailing lists