From: Stephen Smalley <sds@tycho.nsa.gov>
To: Zhi Xin <xinzhi@marvell.com>,
	"selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>
Cc: "seandroid-list@tycho.nsa.gov" <seandroid-list@tycho.nsa.gov>
Subject: Re: Give out all the avc logs in ome time
Date: Fri, 08 May 2015 08:57:05 -0400
Message-ID: <554CB2A1.4030402@tycho.nsa.gov>
In-Reply-To: <F766E4F80769BD478052FB6533FA745D66612A3FE0@SC-VEXCH4.marvell.com>

On 05/08/2015 04:46 AM, Zhi Xin wrote:
> Thanks for the detailed information!
> 
> For the switch question, I get your point. logd.auditd is the switch for whether logd can record SELinux audit logs. But I'm looking for the switch for the ratelimit. I mean, removing the ratelimit is really helpful for SELinux debugging, especially in the bringup stage. But meanwhile, removing it just opens the gate for a potential DoS. So should we have a simple command that can disable the ratelimit during bringup debugging and enable it for release? Just like we can switch to permissive mode by setenforce 0.

For this, you'd need an audit boot parameter in order to fully disable
the printk ratelimit even before logd starts.  So it would require a
kernel patch to define such a parameter.  There are existing audit boot
parameters for enabling/disabling audit (audit=0|1) and for setting the
backlog limit (audit_backlog_limit=N).  Those are defined in
kernel/audit.c via __setup() calls.  You could add an audit_ratelimit=N
and/or an audit_printk_ratelimit=0|1 boot parameter.

Kernel audit patches would need to go to the audit maintainers (see the
MAINTAINERS entry for AUDIT) and the linux-audit@redhat.com mailing
list, subscribe via:
https://www.redhat.com/mailman/listinfo/linux-audit

Once the kernel audit patch was accepted, then you could submit it to
kernel/common in AOSP and also submit a patch for logd so that it would
check /proc/cmdline for the parameter and if set, honor it rather than
overriding it.
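As an added illustration of the logd-side check described above (this is not code from the thread, from logd or from the kernel): a small C routine that scans a kernel command line for the proposed audit_ratelimit=N / audit_printk_ratelimit=0 parameters, both of which are hypothetical names taken from the discussion, and tells logd whether to leave the boot-time audit rate limit in place or apply its own default. It matches whole tokens only and treats malformed values as absent.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* audit_ratelimit=N (0 = unlimited) and audit_printk_ratelimit=0 are the
 * parameters proposed in the thread; both are hypothetical, not real ones.
 * cmdline_value() finds "key=value" as a whole token of a space-separated
 * command line and returns the value (not NUL-terminated) and its length. */
static const char *cmdline_value(const char *cmdline, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    for (const char *p = cmdline; *p; ) {
        while (*p == ' ' || *p == '\n') p++;
        const char *tok = p;
        while (*p && *p != ' ' && *p != '\n') p++;
        size_t tlen = (size_t)(p - tok);  /* "noaudit_ratelimit=5" cannot match */
        if (tlen > klen && strncmp(tok, key, klen) == 0 && tok[klen] == '=') {
            *len = tlen - klen - 1;
            return tok + klen + 1;
        }
    }
    return NULL;
}

/* 1: honour the boot-time limit, stored in *limit (0 = unlimited);
 * 0: no or malformed setting, so logd should apply its own default. */
int audit_ratelimit_from_cmdline(const char *cmdline, unsigned long *limit)
{
    size_t len;
    const char *v = cmdline_value(cmdline, "audit_printk_ratelimit", &len);
    if (v && len == 1 && v[0] == '0') { *limit = 0; return 1; }
    v = cmdline_value(cmdline, "audit_ratelimit", &len);
    if (!v || len == 0 || len > 20 || v[0] == '-' || v[0] == '+') return 0;
    char buf[21], *end;
    memcpy(buf, v, len); buf[len] = '\0';
    unsigned long n = strtoul(buf, &end, 10);
    if (*end != '\0') return 0;              /* e.g. "audit_ratelimit=abc" */
    *limit = n;
    return 1;
}
int main(void)
{
    char line[4096] = "";                 /* /proc/cmdline is a single line */
    FILE *f = fopen("/proc/cmdline", "r");
    if (f) { if (!fgets(line, sizeof line, f)) line[0] = '\0'; fclose(f); }
    unsigned long limit = 0;
    int honour = audit_ratelimit_from_cmdline(line, &limit);
    printf("%s (limit %lu)\n", honour ? "honour boot-time audit rate limit" : "apply logd default", limit);
    return 0;
}
```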

