On Tue, Jul 28, 2020 at 8:49 AM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
>
> Thanks for the review! I'll send a new revision of the patch with the
> %x formatter and using the TP_CONDITION macro.
>
> On adding further information to the trace event, I would prefer
> adding the strict minimum to be able to correlate the event with the
> avc message. The reason is that tracevents have a fixed size (see
> https://www.kernel.org/doc/Documentation/trace/events.txt). For
> instance, we would need to decide on a maximum size for the string
> representation of the list of permissions.

It sounds like this is no longer an issue, hopefully this changes your
thinking as I'm not sure how usable it would be in practice for users
not overly familiar with SELinux. Perhaps it would be helpful if you
provided an example of how one would be expected to use this new
tracepoint? That would help put things in the proper perspective.

> This would also duplicate
> the reporting done in the avc audit event. I'll simply add the pid as
> part of the printk, which should be sufficient for the correlation.

Well, to be honest, the very nature of this tracepoint is duplicating
the AVC audit record with a focus on using perf to establish a full
backtrace at the expense of reduced information. At least that is how
it appears to me.

--
paul moore
www.paul-moore.com