Re: [PATCH] selinux: add tracepoint on denials

[Stephen Smalley]

On 7/28/20 12:02 PM, ThiÃbaud Weksteen wrote:

> On Tue, Jul 28, 2020 at 5:12 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > Perhaps it would be helpful if you provided an example of how one
> > would be expected to use this new tracepoint?  That would help put
> > things in the proper perspective.
> The best example is the one I provided in the commit message, that is
> using perf (or a perf equivalent), to hook onto that tracepoint.
>
> > Well, to be honest, the very nature of this tracepoint is duplicating
> > the AVC audit record with a focus on using perf to establish a full
> > backtrace at the expense of reduced information.  At least that is how
> > it appears to me.
> I see both methods as complementary. By default, the kernel itself can
> do some reporting (i.e avc message) on which process triggered the
> denial, what was the context, etc. This is useful even in production
> and doesn't require any extra tooling.
> The case for adding this tracepoint can be seen as advanced debugging.
> That is, once an avc denial has been confirmed, a developer can use
> this tracepoint to surface the userland stacktrace. It requires more
> userland tools and symbols on the userland binaries.

Providing an example of the tracepoint output in the patch description 
would be helpful IMHO.