Re: [PATCH v2 2/2] selinux: add basic filtering for audit trace events

From: Steven Rostedt
Date: Thu Aug 13 2020 - 13:38:50 EST


On Thu, 13 Aug 2020 19:14:10 +0200
peter enderborg <peter.enderborg@xxxxxxxx> wrote:

> > To be clear, userspace tools can't use fixed secid values because
> > secids are dynamically assigned by SELinux and thus secid 42 need
> > not correspond to the same security context across different boots
> > even with the same kernel and policy.  I wouldn't include them in
> > the event unless it is common practice to include fields that can
> > only be interpreted if you can debug the running kernel.  It would
> > be akin to including kernel pointers in the event (albeit without
> > the KASLR ramifications).
> >
> >
> Just as a reference on my fedora system; out of 1808 events 244 as a
> pointer print. I don't see that there is any obfuscating aka "%pK" as
> there is for logs.

Which is a reason why tracefs is root only.

The "%p" gets obfuscated when printed from the trace file by default
now. But they are consistent (where the same pointer shows up as the
same hash).

It's used mainly to map together events. For example, if you print the
address of a skb in the networking events, it's good to know what
events reference the same skb, and the pointer is used for that.

-- Steve