On Mon, Dec 19, 2022 at 1:00 PM Ondrej Mosnacek <omosnace(a)redhat.com> wrote:
> In order to make it possible for the users and tooling to associate an
> SELinux AVC trace event with the corresponding audit event, make it
> include the audit timestamp (including the "serial number") of the
> event.
>
> First make audit_log_start() include the timestamp in the audit_buffer
> struct and add a public helper to retrieve it from an audit_buffer
> instance. Then retrieve it in SELinux's avc_audit_post_callback() and
> include it in the "avc:selinux_audited" trace event.
>
> After this patch the event includes the numeric fields that make up the
> timestamp and the text representation includes the timestamp in the same
> format as used in the audit log - e.g. "audit_ts=1671454430.092:1671".
>
> Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
> ---
> include/linux/audit.h | 8 ++++++++
> include/trace/events/avc.h | 25 +++++++++++++++++--------
> kernel/audit.c | 15 +++++++++++----
> security/selinux/avc.c | 4 +++-
> 4 files changed, 39 insertions(+), 13 deletions(-)
I'm not really liking the idea of exposing the audit timestamp for use
in other subsystems, even if it is just for use in a trace event. I
generally take the approach that audit's charter is to capture and log
security relevant events to userspace where admins and security
officers can use the events to help meet their security goals. While
audit may have some value to developers as a debugging tool, that is
not its primary purpose, and at this point in time I'm not supportive
of adding additional burdens to the audit subsystem to support a
debugging use case (I view exporting and maintaining a proper
timestamp value/struct an additional requirement on the audit
subsystem).
--
paul-moore.com
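The association the patch description is aiming for, as an added example that is not part of the patch or of this thread: a userspace script that joins "avc:selinux_audited" trace lines to audit records by the shared audit stamp (seconds.milliseconds:serial). The audit and trace sample lines are constructed; only the "audit_ts=1671454430.092:1671" format comes from the description, the other trace fields are assumed for illustration.

```python
import re
from typing import Dict, List, Tuple

AuditKey = Tuple[int, int, int]  # (seconds, milliseconds, serial)

# Constructed sample audit records; not taken from the patch or a real machine.
AUDIT_LOG = """\
type=AVC msg=audit(1671454430.092:1671): avc:  denied  { read } for  pid=1234 comm="bash" name="shadow" scontext=u:r:user_t:s0 tcontext=u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1671454430.092:1671): arch=c000003e syscall=257 success=no exit=-13 pid=1234 comm="bash"
type=AVC msg=audit(1671454431.117:1672): avc:  denied  { write } for  pid=1234 comm="bash" name="log" tclass=file permissive=0
"""

# Constructed trace output; only audit_ts=SECS.MSEC:SERIAL follows the patch
# description, the remaining fields are assumed for illustration.
TRACE_OUTPUT = """\
bash-1234 [001] .... 812.345678: selinux_audited: requested=0x2 denied=0x2 audited=0x2 result=-13 tclass=file audit_ts=1671454430.092:1671
bash-1234 [001] .... 813.001122: selinux_audited: requested=0x4 denied=0x4 audited=0x4 result=-13 tclass=file audit_ts=1671454431.117:1672
bash-1234 [001] .... 813.002000: selinux_audited: requested=0x4 denied=0x4 audited=0x4 result=-13 tclass=file audit_ts=1671454431.500:1673
"""

# Audit records carry the stamp as msg=audit(SECS.MSEC:SERIAL), the trace event as audit_ts=SECS.MSEC:SERIAL.
AUDIT_STAMP = re.compile(r"msg=audit\((\d+)\.(\d{3}):(\d+)\)")
TRACE_STAMP = re.compile(r"\baudit_ts=(\d+)\.(\d{3}):(\d+)\b")

def stamp_key(match: "re.Match[str]") -> AuditKey:
    return int(match.group(1)), int(match.group(2)), int(match.group(3))

def index_audit_log(text: str) -> Dict[AuditKey, List[str]]:
    # Group records by the full stamp: the serial alone restarts at boot,
    # so the seconds part is needed to keep events from different boots apart.
    index: Dict[AuditKey, List[str]] = {}
    for line in text.splitlines():
        m = AUDIT_STAMP.search(line)
        if m:
            index.setdefault(stamp_key(m), []).append(line)
    return index

def correlate(trace_text: str, audit_text: str) -> Dict[AuditKey, List[str]]:
    # Map each selinux_audited trace line to the audit records sharing its stamp.
    # An empty list means no audit record was found for that trace event
    # (e.g. the record was lost or has not been written out yet).
    index = index_audit_log(audit_text)
    result: Dict[AuditKey, List[str]] = {}
    for line in trace_text.splitlines():
        m = TRACE_STAMP.search(line)
        if m:
            result[stamp_key(m)] = index.get(stamp_key(m), [])
    return result

if __name__ == "__main__":
    for (sec, ms, serial), recs in correlate(TRACE_OUTPUT, AUDIT_LOG).items():
        print(f"audit_ts={sec}.{ms:03d}:{serial} -> {len(recs)} audit record(s)")
```

Running the block prints two matched stamps and one (1671454431.500:1673) with no audit record, which is the case an operator would investigate.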