On Tue, 28 Jul 2020 14:49:24 +0200 Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote: > Thanks for the review! I'll send a new revision of the patch with the > %x formatter and using the TP_CONDITION macro. > > On adding further information to the trace event, I would prefer > adding the strict minimum to be able to correlate the event with the > avc message. The reason is that tracevents have a fixed size (see > https://www.kernel.org/doc/Documentation/trace/events.txt). For Wait! What? Where in that document does it say that trace events have a fixed size. We have a lot of dynamically sized trace events. > instance, we would need to decide on a maximum size for the string > representation of the list of permissions. This would also duplicate > the reporting done in the avc audit event. I'll simply add the pid as > part of the printk, which should be sufficient for the correlation. > Please take a look at samples/trace_events/trace_events_sample.h and read the example on __print_symbolic(). I think that's what you are looking for. -- Steve
