lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 13 Aug 2020 11:49:48 -0400
From:   Stephen Smalley <stephen.smalley.work@...il.com>
To:     peter enderborg <peter.enderborg@...y.com>,
        Casey Schaufler <casey@...aufler-ca.com>,
        Thiébaud Weksteen <tweek@...gle.com>,
        Paul Moore <paul@...l-moore.com>
Cc:     Nick Kralevich <nnk@...gle.com>,
        Eric Paris <eparis@...isplace.org>,
        Steven Rostedt <rostedt@...dmis.org>,
        Ingo Molnar <mingo@...hat.com>,
        Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Rob Herring <robh@...nel.org>, Arnd Bergmann <arnd@...db.de>,
        linux-kernel@...r.kernel.org, selinux@...r.kernel.org
Subject: Re: [PATCH v2 2/2] selinux: add basic filtering for audit trace
 events

On 8/13/20 11:35 AM, peter enderborg wrote:

> On 8/13/20 5:05 PM, Casey Schaufler wrote:
>> On 8/13/2020 7:48 AM, Thiébaud Weksteen wrote:
>>> From: Peter Enderborg <peter.enderborg@...y.com>
>>>
>>> This patch adds further attributes to the event. These attributes are
>>> helpful to understand the context of the message and can be used
>>> to filter the events.
>>>
>>> There are three common items. Source context, target context and tclass.
>>> There are also items from the outcome of operation performed.
>>>
>>> An event is similar to:
>>>             <...>-1309  [002] ....  6346.691689: selinux_audited:
>>>         requested=0x4000000 denied=0x4000000 audited=0x4000000
>>>         result=-13 ssid=315 tsid=61
>> It may not be my place to ask, but *please please please* don't
>> externalize secids. I understand that it's easier to type "42"
>> than "system_r:cupsd_t:s0-s0:c0.c1023", and that it's easier for
>> your tools to parse and store the number. Once you start training
>> people that system_r:cupsd_t:s0-s0:c0.c1023 is secid 42 you'll
>> never be able to change it. The secid will start showing up in
>> scripts. Bad  Things  Will  Happen.
> Ok, it seems to mostly against having this performance options.
> Yes, it is a kernel internal data. So is most of the kernel tracing.
> I see it is a primary tool for kernel debugging but than can also be
> used for user-space debugging tools.  Hiding data for debuggers
> does not make any sense too me.

To be clear, userspace tools can't use fixed secid values because secids 
are dynamically assigned by SELinux and thus secid 42 need not 
correspond to the same security context across different boots even with 
the same kernel and policy.  I wouldn't include them in the event unless 
it is common practice to include fields that can only be interpreted if 
you can debug the running kernel.  It would be akin to including kernel 
pointers in the event (albeit without the KASLR ramifications).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ