Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp1602597pxa; Thu, 13 Aug 2020 12:18:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzBEDLH3wDcy/9uwpaeCT7HVcByxJGb3IOpXuYr1iJfXrXCPG+k/AQHGRjMDdD0pah/z+Ko X-Received: by 2002:a17:906:4c46:: with SMTP id d6mr6518644ejw.14.1597346316044; Thu, 13 Aug 2020 12:18:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597346316; cv=none; d=google.com; s=arc-20160816; b=kU5A1N4LSzzdqdx3j+Zp9ygPistsZhqqHGiBE9f32wl40k9hoKzmmdxPJVWhQe4NwT wxYgVdWmf/lGwcXUUkPR8JfauodjqwDVkj/JN0a07c3z/hY/1Cmc4cYQ6uFFYebOnX+9 6LK0vEI1Py1K75ionRS9oBRQRAIw6wq8JMUywABrhGDw3b4wiM4gjI3XDq4iW+IkpMUU l0aush9HOumXwKrgwhwgBwbj+C7tWODLIQpp1xcAZSef7A0BjeJr9hX4Sl/HsVHVCR1Z j3CKvAJqlIW7ZGADGGmmQ8gxoYpn+MdFbm+5KVYxgt1GaPwLqmhaVVnvPcsz93JewCiv 6Wzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date; bh=qOuvnV8CSpKgPQw/wHPOUXtq1s7WTm8Y2Op6tovxGzI=; b=T/SRgE6wBUki/Tbry8hlrTlLikCCxu3o5s2FimmKqhr7QXibHjYtb7XFR8KHs3RxuR gOAKvd02GrFZewjSBWRt4Jg0/UZljjKSRL0J0QpePYsiGaFKPAnUMFiimjSTg3r5Lvx9 LxCq+gQv47RxHgSuwL67B96U2DC457qgc6BKieQMUEmIzFry3aCFVXy95UfAnh5YTEbT kS8C6/gM/QUqjT8sl+DUsi3SPjf+ZsaBOQUSt3ZCnECocRQWNeA7sJJz4iJXWFsH0qrR vK9ggY4u+VixoDFigTKyisAFAdYndKZZrU2zVpbnRPEZwhi3YxQEUcV4C+WRR3i1VHRD jodw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id rp21si3849526ejb.0.2020.08.13.12.18.12; Thu, 13 Aug 2020 12:18:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726612AbgHMTQu (ORCPT + 99 others); Thu, 13 Aug 2020 15:16:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:56676 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726167AbgHMTQt (ORCPT ); Thu, 13 Aug 2020 15:16:49 -0400 Received: from oasis.local.home (cpe-66-24-58-225.stny.res.rr.com [66.24.58.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1D03C20774; Thu, 13 Aug 2020 19:16:48 +0000 (UTC) Date: Thu, 13 Aug 2020 15:16:46 -0400 From: Steven Rostedt To: peter enderborg Cc: Stephen Smalley , Casey Schaufler , =?UTF-8?B?VGhpw6liYXVk?= Weksteen , Paul Moore , Nick Kralevich , Eric Paris , Ingo Molnar , Mauro Carvalho Chehab , "David S. Miller" , Rob Herring , Arnd Bergmann , , Subject: Re: [PATCH v2 2/2] selinux: add basic filtering for audit trace events Message-ID: <20200813151646.513423a3@oasis.local.home> In-Reply-To: References: <20200813144914.737306-1-tweek@google.com> <20200813144914.737306-2-tweek@google.com> <02c193e4-008a-5c3d-75e8-9be7bbcb941c@schaufler-ca.com> <1b40226f-d182-7ba7-a6f6-15520c3e3516@sony.com> <20200813133842.655aff65@oasis.local.home> X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 13 Aug 2020 20:18:55 +0200 peter enderborg wrote: > > The "%p" gets obfuscated when printed from the trace file by default > > now. But they are consistent (where the same pointer shows up as the > > same hash). > > > > It's used mainly to map together events. For example, if you print the > > address of a skb in the networking events, it's good to know what > > events reference the same skb, and the pointer is used for that. > > So what is your opinion on ssid? I dont mind removing them > now since people dont like it and the strong use-case is not > strong (yet). Is there any problem to put getting them back > later if useful? And then before the strings so the evaluation > of filter first come on number before stings Or is there already > some mechanism that optimize for that? It's up to the owner of the trace event. I only replied to why pointers in general are useful, but they are mostly just "ids" to map to other trace events. We have the libtraceevent that should be used for parsing raw trace events in binary form. The library (which currently lives in the kernel's tools/lib/traceeevnt directory) I'm trying to get to have its own home that distros can package. It should never be an issue adding another field to an event, as the library gives the tools the ability to find a field of an event regardless of where it is positioned, and also let the tools know if the field exists or not. If that's what you are asking. -- Steve