Hi SEAndroid,

I am trying to capture all operations (mainly system calls) of a specific domain type, such as platform_app. I do want to keep all duplicated denials of a specific domain type along with every related system call in the audit log for my analysis.
I am reading the code in selinux/avc.c. I think the functions "avc_audit" and "slow_avc_audit" should be related to this. Suppose the domain type I want is "platform_app": is it possible to first check the ssid/tsid of platform_app and then bypass the audited checking, which can force it to call slow_avc_audit? Furthermore, if later on I want to focus on another domain, such as media_app, is it possible to pass the domain type as an argument from user space to the SELinux AVC module to do the above job? I notice the "auditd" daemon has some ways to send some info to the kernel. Can I use that? Thanks in advance.

Best Regards!
Ruowen
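Added example, not part of the original post: whatever the kernel-side answer, the analysis half of the question (every denial of one domain, duplicates kept, paired with its system call) can be done in user space on the audit log, because the AVC record and the SYSCALL record of one event share the same `msg=audit(timestamp:serial)` id. The log lines below are constructed for the example; it assumes syscall auditing is enabled so that SYSCALL records exist, and that `audit_rate_limit` is not dropping records.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the post). Records of one event share a serial.
SAMPLE_LOG = """\
type=AVC msg=audit(1409000001.123:501): avc: denied { read } for pid=1234 comm="app_process" name="foo" scontext=u:r:platform_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1409000001.123:501): arch=40000028 syscall=5 success=no exit=-13 pid=1234 comm="app_process" subj=u:r:platform_app:s0
type=AVC msg=audit(1409000002.456:502): avc: denied { read } for pid=1234 comm="app_process" name="foo" scontext=u:r:platform_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1409000002.456:502): arch=40000028 syscall=5 success=no exit=-13 pid=1234 comm="app_process" subj=u:r:platform_app:s0
type=AVC msg=audit(1409000003.789:503): avc: denied { write } for pid=2222 comm="mediaserver" name="bar" scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1409000003.789:503): arch=40000028 syscall=4 success=no exit=-13 pid=2222 comm="mediaserver" subj=u:r:mediaserver:s0
"""

# type=<TYPE> msg=audit(<ts>:<serial>): <body>
EVENT_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# Pull permissions, source domain (the "r" part of scontext) and target class from an AVC body.
AVC_RE = re.compile(r'denied\s+\{ (?P<perms>[^}]+)\} .*?scontext=u:r:(?P<sdom>[^:]+):.*?tclass=(?P<tclass>\S+)')
KV_RE = re.compile(r'(\w+)=(\S+)')

def parse_events(text):
    """Group records by audit serial: {serial: {"AVC": [denials], "SYSCALL": {k: v}}}."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": None})
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = events[m["serial"]]
        if m["type"] == "AVC":
            a = AVC_RE.search(m["body"])
            if a:
                ev["AVC"].append({"perms": a["perms"].split(), "sdom": a["sdom"], "tclass": a["tclass"]})
        elif m["type"] == "SYSCALL":
            ev["SYSCALL"] = dict(KV_RE.findall(m["body"]))
    return events

def denials_for_domain(text, domain):
    """Every denial whose source domain is `domain` (duplicates kept), joined to its syscall."""
    out = []
    for serial, ev in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        sc = ev["SYSCALL"] or {}
        for d in ev["AVC"]:
            if d["sdom"] == domain:
                out.append({"serial": serial, "perms": d["perms"], "tclass": d["tclass"],
                            "syscall": sc.get("syscall"), "success": sc.get("success")})
    return out

if __name__ == "__main__":
    for row in denials_for_domain(SAMPLE_LOG, "platform_app"):
        print(row)
```

Switching the domain of interest (platform_app, media_app, ...) is then just the `domain` argument, with no kernel change involved.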
