On Fri, Aug 14, 2020 at 1:07 PM peter enderborg <peter.enderborg@xxxxxxxx> wrote: > > On 8/14/20 6:51 PM, Stephen Smalley wrote: > > On Fri, Aug 14, 2020 at 9:05 AM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote: > >> On Thu, Aug 13, 2020 at 5:41 PM Stephen Smalley > >> <stephen.smalley.work@xxxxxxxxx> wrote: > >>> An explanation here of how one might go about decoding audited and > >>> tclass would be helpful to users (even better would be a script to do it > >>> for them). Again, I know how to do that but not everyone using > >>> perf/ftrace will. > >> What about something along those lines: > >> > >> The tclass value can be mapped to a class by searching > >> security/selinux/flask.h. The audited value is a bit field of the > >> permissions described in security/selinux/av_permissions.h for the > >> corresponding class. > > Sure, I guess that works. Would be nice if we just included the class > > and permission name(s) in the event itself but I guess you viewed that > > as too heavyweight? > > The class name is added in part 2. Im not sure how a proper format for permission > would look like in trace terms. It is a list, right? Yes. See avc_audit_pre_callback() for example code to log the permission names.
