lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 13 Aug 2020 15:16:46 -0400
From:   Steven Rostedt <>
To:     peter enderborg <>
Cc:     Stephen Smalley <>,
        Casey Schaufler <>,
        ThiƩbaud Weksteen <>,
        Paul Moore <>,
        Nick Kralevich <>,
        Eric Paris <>,
        Ingo Molnar <>,
        Mauro Carvalho Chehab <>,
        "David S. Miller" <>,
        Rob Herring <>, Arnd Bergmann <>,
        <>, <>
Subject: Re: [PATCH v2 2/2] selinux: add basic filtering for audit trace

On Thu, 13 Aug 2020 20:18:55 +0200
peter enderborg <> wrote:

> > The "%p" gets obfuscated when printed from the trace file by default
> > now. But they are consistent (where the same pointer shows up as the
> > same hash).
> >
> > It's used mainly to map together events. For example, if you print the
> > address of a skb in the networking events, it's good to know what
> > events reference the same skb, and the pointer is used for that.  
> So what is your opinion on ssid? I dont mind removing them
> now since people dont like it and the strong use-case is not
> strong (yet). Is there any problem to put getting them back
> later if useful? And then before the strings so the evaluation
> of filter first come on number before stings Or is there already
> some mechanism that optimize for that?

It's up to the owner of the trace event. I only replied to why pointers
in general are useful, but they are mostly just "ids" to map to other
trace events.

We have the libtraceevent that should be used for parsing raw trace
events in binary form. The library (which currently lives in the
kernel's tools/lib/traceeevnt directory) I'm trying to get to have its
own home that distros can package. It should never be an issue adding
another field to an event, as the library gives the tools the ability
to find a field of an event regardless of where it is positioned, and
also let the tools know if the field exists or not.

If that's what you are asking.

-- Steve

Powered by blists - more mailing lists