On Wed, 19 Aug 2020 09:11:08 -0400 Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > So we'll need to update this plugin whenever we modify > security/selinux/include/classmap.h to keep them in sync. Is that a > concern? I don't suppose the plugin could directly include classmap.h? > I guess we'd have to export it as a public header. It isn't considered > to be part of the kernel API/ABI and can change anytime (but in practice > changes are not that frequent, and usually just additive in nature). Yes, it would require some stability between userspace and the plugin. If the value indexes don't change then that would work fine. If you add new ones, that too should be OK, just have a way to state "unknown" in the plugin. -- Steve