On 8/14/20 6:51 PM, Stephen Smalley wrote: > On Fri, Aug 14, 2020 at 9:05 AM ThiƩbaud Weksteen <tw...@google.com> wrote: >> On Thu, Aug 13, 2020 at 5:41 PM Stephen Smalley >> <stephen.smalley.w...@gmail.com> wrote: >>> An explanation here of how one might go about decoding audited and >>> tclass would be helpful to users (even better would be a script to do it >>> for them). Again, I know how to do that but not everyone using >>> perf/ftrace will. >> What about something along those lines: >> >> The tclass value can be mapped to a class by searching >> security/selinux/flask.h. The audited value is a bit field of the >> permissions described in security/selinux/av_permissions.h for the >> corresponding class. > Sure, I guess that works. Would be nice if we just included the class > and permission name(s) in the event itself but I guess you viewed that > as too heavyweight?
The class name is added in part 2. Im not sure how a proper format for permission would look like in trace terms. It is a list, right?
