
Re: [PATCH] xsm/flask: adjust print messages to use %pd


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 9 Sep 2022 07:34:53 -0400
  • Cc: jandryuk@xxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Fri, 09 Sep 2022 11:35:21 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 9/9/22 06:04, Jan Beulich wrote:
On 09.09.2022 11:50, Daniel P. Smith wrote:
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -566,14 +566,14 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 
requested,
      if ( a && (a->sdom || a->tdom) )
      {
          if ( a->sdom && a->tdom && a->sdom != a->tdom )
-            avc_printk(&buf, "domid=%d target=%d ", a->sdom->domain_id, 
a->tdom->domain_id);
+            avc_printk(&buf, "source=%pd target=%dp ", a->sdom, a->tdom);
          else if ( a->sdom )
-            avc_printk(&buf, "domid=%d ", a->sdom->domain_id);
+            avc_printk(&buf, "source=%pd ", a->sdom);
          else
-            avc_printk(&buf, "target=%d ", a->tdom->domain_id);
+            avc_printk(&buf, "target=%pd ", a->tdom);
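
Review bot: In the first avc_printk() call of this hunk the target specifier is spelled "%dp" instead of "%pd" ("source=%pd target=%dp "), so a->tdom, a pointer, is handed to a plain %d conversion followed by a literal "p". It should read "target=%pd " to match the other three calls in the hunk.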

Apart from switching to %pd you also replace "domid" by "source". That's
fine in the first case (where both domain IDs are logged), but in the
second case it's a little questionable. Wouldn't it be better to be
able to distinguish the tdom == NULL case from the tdom == sdom one,
perhaps by using "source" in the former case but "domid" in the latter
one?

Apologies as I am not quite following your question. Let me provide my reasoning and if it doesn't address your question, then please help me understand your concern.

The function avc_printk() allows for the incremental build up of an AVC message. In this section, it is attempting to include the applicable source and target that was used to render the AVC. With the switch to %pd, the first and second lines would become "domid=d{id}". I personally find that a bit redundant. Adding to that, in the context of this function there is "sdom" which is source domain, "cdom" which is current domain, and tdom which is target domain. The print statements using cdom or tdom already denoted them with "current=" and "target=" respectively. Whereas, sdom was prefixed with "domid=" in the print statements. To me, it makes more sense to change the prefixes of sdom with "source=" to accurately reflect the context of that domid.

v/r,
dps
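
For anyone who parses these audit fragments, both the prefix and the value format change with this patch. The sketch below is an added example, not part of the thread or of Xen's code: it normalises the old "domid=%d" and new "source=%pd" forms, taking the "d{id}" rendering of %pd from the reply above; the function names and sample fragments are constructed for illustration.

```python
import re

# Domain fields written by the avc_printk() calls in the quoted hunk.
#   before the patch: "domid=3 target=5 "    (%d, bare integer)
#   after the patch:  "source=d3 target=d5 " (%pd, "d{id}" as described in the reply)
FIELD = re.compile(r"(?<!\S)(domid|source|target|current)=(\S+)")
VALUE = re.compile(r"d?(\d+)\Z")   # accepts both "3" and "d3"

def parse_domains(line):
    """Return (fields, rejected): role -> domain id, plus unparsable tokens."""
    fields, rejected = {}, []
    for key, raw in FIELD.findall(line):
        role = "source" if key == "domid" else key  # old "domid=" was always sdom
        m = VALUE.match(raw)
        if m:
            fields[role] = int(m.group(1))
        else:
            rejected.append(f"{key}={raw}")
    return fields, rejected

def target_state(fields):
    """Classify what a record says about the target domain."""
    if "target" in fields:
        return "explicit"
    if "source" in fields:
        # Only sdom was printed: tdom was NULL or equal to sdom, and the
        # line alone cannot tell which (the point raised in the review).
        return "absent-or-same-as-source"
    return "none"

# Constructed sample fragments, not captured Xen output.
SAMPLES = [
    "domid=3 target=5 ",
    "source=d3 target=d5 ",
    "source=d7 ",
    "target=d2 ",
    "source=d3 target=12345p ",   # malformed value: reported, not guessed at
]

if __name__ == "__main__":
    for s in SAMPLES:
        f, bad = parse_domains(s)
        print(repr(s), f, target_state(f), bad)
```
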