Re: [PATCH] selinux: add tracepoint on denials

From: Joel Fernandes
Date: Tue Jul 28 2020 - 11:23:08 EST

On Fri, Jul 24, 2020 at 5:15 AM ThiÃbaud Weksteen <tweek@xxxxxxxxxx> wrote:
> The audit data currently captures which process and which target
> is responsible for a denial. There is no data on where exactly in the
> process that call occurred. Debugging can be made easier by being able to
> reconstruct the unified kernel and userland stack traces [1]. Add a
> tracepoint on the SELinux denials which can then be used by userland
> (i.e. perf).
> Although this patch could manually be added by each OS developer to
> trouble shoot a denial, adding it to the kernel streamlines the
> developers workflow.
> [1]
> Signed-off-by: ThiÃbaud Weksteen <tweek@xxxxxxxxxx>
> Signed-off-by: Joel Fernandes <joelaf@xxxxxxxxxx>

While I am in support of the general idea, could you change my SOB to
something like Inspired-by?

This is really your patch, but I did demonstrate the idea in an
article where the intention was to apply a patch out of tree to do
stack dumps / tracing. SOB on the other hand is supposed to track the
flow of a patch (the people who the patch goes through) when it is
sent upstream.


- Joel