The audit data currently captures which process and which target is responsible for a denial. There is no data on where exactly in the process that call occurred. Debugging can be made easier by adding a trace point when an event is audited. This series of patch defines this new trace point and extra attributes to easily match the tracepoint event with the audit event. It is also possible to filter the events based on these attributes. Changes since v3 ================ - Remove patch to include decoded permissions. - Remove extra braces in patch 2. Changes since v2 ================ - Add patch to include decoded permissions. - Remove ssid and tsid from attributes list. - Update commit log with more context. Peter Enderborg (1): selinux: add basic filtering for audit trace events Thiébaud Weksteen (1): selinux: add tracepoint on audited events MAINTAINERS | 1 + include/trace/events/avc.h | 53 ++++++++++++++++++++++++++++++++++++++ security/selinux/avc.c | 29 +++++++++++++-------- 3 files changed, 72 insertions(+), 11 deletions(-) create mode 100644 include/trace/events/avc.h -- 2.28.0.297.g1956fa8f8d-goog
