[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xsm/flask: adjust print messages to use %pd

  • To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 12 Sep 2022 08:35:30 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=084nf392cCI1P826PCCE/SQbqNwDObDQ09A3n9hmV6k=; b=Ur7HQY5jdD44faSHmmA8oPmNZOdixO6vC6ycLTpdRz4J63kluFLF15dL+9K6dAq37Wmzs6VBv67Bt+hM6TIp9cnnkQVnisfjjIh7mf5mL6y/6Yii4650hUd9I29fJEMBpNDTC30QpjVvHxe+iGNoIbxECZ+NxUJ1O6FOA0upU3yY31MB8ZXHGDafkPRaf0HKTdxG2LQnT64IImhCwrywuaQ7aZTZ1qeqKLebRBTAf/d2jLwtrTOVUYXOHIADanqoh+d/piEQwcvwaE1x9dbuCFvAsY/F2uHkI0+kpUtFLmi1R9P2vOTjdDZBz8TNhs3O5t2445vL5UUmzs4uI3byhg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XjqHVwKzCmZNpPKkRuAat+QMkwbMcIRNNdAMSx15OcVcoEaLmsugcSqdDFls+xxCkkMsuOThPADAIMlidNFdeSBUdby7hyQd739KfVCVzIfvhibZA/A7gO6YhBZ5l99z0YupChY9EXOzLxo3eXbiC0HAg8yqTMob7ws61YzKcamXP1NB1252t3hCPWBuz7yisc1V56uhRfllVLerxwphN1vOW0yPYz3+58G1D3LvcjOC6Yds62ohOF046hsNkkEPYBRNy7jXmA/8DX+vvTOvGE5Qs84n61EwtGJcQcJkcZUoMzhjHsMY1m/YFW8L3Utca85XhRET5IdaUbqMItnfng==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: jandryuk@xxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Mon, 12 Sep 2022 06:35:53 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 09.09.2022 17:41, Daniel P. Smith wrote:
> 
> On 9/9/22 08:10, Jan Beulich wrote:
>> On 09.09.2022 13:34, Daniel P. Smith wrote:
>>> On 9/9/22 06:04, Jan Beulich wrote:
>>>> On 09.09.2022 11:50, Daniel P. Smith wrote:
>>>>> --- a/xen/xsm/flask/avc.c
>>>>> +++ b/xen/xsm/flask/avc.c
>>>>> @@ -566,14 +566,14 @@ void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 
>>>>> requested,
>>>>>       if ( a && (a->sdom || a->tdom) )
>>>>>       {
>>>>>           if ( a->sdom && a->tdom && a->sdom != a->tdom )
>>>>> -            avc_printk(&buf, "domid=%d target=%d ", a->sdom->domain_id, 
>>>>> a->tdom->domain_id);
>>>>> +            avc_printk(&buf, "source=%pd target=%dp ", a->sdom, a->tdom);
>>>>>           else if ( a->sdom )
>>>>> -            avc_printk(&buf, "domid=%d ", a->sdom->domain_id);
>>>>> +            avc_printk(&buf, "source=%pd ", a->sdom);
>>>>>           else
>>>>> -            avc_printk(&buf, "target=%d ", a->tdom->domain_id);
>>>>> +            avc_printk(&buf, "target=%pd ", a->tdom);
>>>>
>>>> Apart from switching to %pd to also replace "domid" by "source". That's
>>>> fine in the first case (where both domain IDs are logged), but in the
>>>> second case it's a little questionable. Wouldn't it be better to be
>>>> able to distinguish the tdom == NULL case from the tdom == sdom one,
>>>> perhaps by using "source" in the former case but "domid" in the latter
>>>> one?
>>>
>>> Apologies as I am not quite following your question. Let me provide my 
>>> reasoning and if it doesn't address your question, then please help me 
>>> understand your concern.
>>>
>>> The function avc_printk() allows for the incremental build up of an AVC 
>>> message. In this section, it is attempting to include the applicable 
>>> source and target that was used to render the AVC. With the switch to 
>>> %pd, the first and second lines would become "domid=d{id}". I personally 
>>> find that a bit redundant. Adding to that, in the context of this 
>>> function there is "sdom" which is source domain, "cdom" which is current 
>>> domain, and tdom which is target domain. The print statements using cdom 
>>> or tdom already denoted them with "current=" and "target=" respectively. 
>>> Whereas, sdom was prefixed with "domid=" in the print statements. To me, 
>>> it makes more sense to change the prefixes of sdom with "source=" to 
>>> accurately reflect the context of that domid.
>>
>> Well, yes, perhaps "domain" would be better than "domid" with the change
>> to %pd. But I still think the middle of the three printk()s would better
>> distinguish tdom == NULL from tdom == sdom:
>>
>>         else if ( a->sdom )
>>             avc_printk(&buf, "%s=%pd ", a->tdom ? "domain" : "source", 
>> a->sdom);
> 
> Okay, I see you are trying to reduce away the last "else", but I have
> several concerns about doing this suggestion.

No, I don't. And I therefore think you further reply (left intact below)
also doesn't really apply. The last else only applies when sdom == NULL,
but the goal of my suggestion is to distinguish tdom == NULL from
tdom == sdom.

>  - The biggest concern is the fact that in the past, a domain referred
> to strictly as "domain" or "domid" in an AVC has always implied it was
> the source. At the same time, the target domain has always been
> referenced as "target". This suggestion would completely flip that
> implied understanding around. In part, this change was to move source
> from being implied to being explicitly reported. The end result is it
> then makes source explicit as it is for current and target.
> 
>  - AFAICT the suggestion is not logically equivalent. The current form
> checks first if sdom is defined, then prints it. If sdom is not defined,
> then it is presumed that tdom will be defined, and will then print it.
> AIUI, the suggestion will lose the case where sdom is not defined.
> 
>  - I haven't went to confirm this, but I believe the logic here is based
> on an understanding of when sdom and tdom are defined. Specifically, the
> expected situations are,
>   1. sdom and tdom are defined and not equal, report both
>   2. if sdom and tdom are defined and equal, report only sdom as tdom
>        is implied to be the same

This isn't describing the behavior - tdom could also be NULL here. This
is the case I think wants expressing in a way different from sdom == tdom.

>   3. if sdom is not defined, then tdom must be defined, report only tdom
>      and sdom is implied to be cdom

There are also no assumptions - see the enclosing if(). cdom is printed
only if "a" is NULL (implying sdom and tdom to be NULL) or both sdom and
tdom are NULL.

Jan

> Finally, as I was typing this up, I had a realization that I may not be
> able to relabel the reference. It is believed at some point you could
> feed Xen AVCs to audit2allow to generate an allow rule for the AVC.
> Though recent versions do not appear to work, so I am going to try to
> find a day or two to dig in and determine what influence this might have
> on the change.
> 
> v/r,
> dps

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.