Re: [PATCH v2 1/2] selinux: add tracepoint on denials

From: Steven Rostedt
Date: Fri Aug 14 2020 - 14:56:53 EST


On Fri, 14 Aug 2020 20:50:47 +0200
peter enderborg <peter.enderborg@xxxxxxxx> wrote:

> On 8/14/20 8:30 PM, Steven Rostedt wrote:
> > On Fri, 14 Aug 2020 20:06:34 +0200
> > peter enderborg <peter.enderborg@xxxxxxxx> wrote:
> >
> >> I'm fine with that, but then you cannot do filtering? It would be
> >> pretty neat with a filter saying tclass=file permission=write.
> >>
> > Well, if the mapping is stable, you could do:
> >
> > (tclass == 6) && (audited & 0x4)
>
> Does there happen to exist a hook for translating strings to numeric values when inserting a filter?
>

How would you imagine such a hook existing?

Something that would be specific to each trace event class, where you
can register at boot up a mapping of names to values? Or a function
that would translate it?

-- Steve