Re: [RFC PATCH] selinux: Add denied trace with permssion filter

From: Steven Rostedt
Date: Thu Sep 17 2020 - 21:47:58 EST


[ Late reply due to long vacation followed by drowning in the email
built up from said vacation! ]

On Tue, 1 Sep 2020 19:18:46 +0200
peter enderborg <peter.enderborg@xxxxxxxx> wrote:

> No. It can filter on strings. But it can not do any fuzzy matching.
> They are equal not not equal. So if you have a parameter value
> that is { open read !write } you need to specify a exact match.

That is not actually true.

It allows globing in filters.

# trace-cmd start -e sched_switch -f 'next_comm ~ "c*"'
# cat /etc/passwd
# trace-cmd show
# tracer: nop
#
# entries-in-buffer/entries-written: 3/3 #P:8
#
# _-----=> irqs-off
# / _----=> need-resched
# | / _---=> hardirq/softirq
# || / _--=> preempt-depth
# ||| / delay
# TASK-PID CPU# |||| TIMESTAMP FUNCTION
# | | | |||| | |
kworker/2:1-2137 [002] d..2 9263.286132: sched_switch: prev_comm=kworker/2:1 prev_pid=2137 prev_prio=120 prev_state=I ==> next_comm=cat next_pid=2146 next_prio=120
<idle>-0 [002] d..2 9264.390089: sched_switch: prev_comm=swapper/2 prev_pid=0 prev_prio=120 prev_state=R ==> next_comm=cat next_pid=2146 next_prio=120
kworker/2:1-2137 [002] d..2 9264.390440: sched_switch: prev_comm=kworker/2:1 prev_pid=2137 prev_prio=120 prev_state=I ==> next_comm=cat next_pid=2146 next_prio=120


Thus you can filter:

"foo*" - everything that starts with foo
"*foo" - everything that ends with foo
"*foo*" - everything that has foo in it.

-- Steve