> > For exec transitions (set-id, file caps, selinux), I'd originally figured
> > an engine's report_exec could check for changes and decide to detach itself
> > if appropriate.
>
> No, it can't. At this point S_ISUID/S_ISGID exid's were already dropped,
> or exec can fail before tracehook_report_exec().

If an exec fails, nothing changes and there is no security-relevant event
to take notice of. I don't really follow your other comment. But ...

> Yes, agreed, let's forget this for now.

Indeed.

> The only question: do you think the trivial 1st patch is correct?

The one that just adds a macro defined to another existing macro? Any
change that preprocesses out to the same code is "correct", sure...

Thanks,
Roland