Getting the program name in audit messages

Stephen Smalley sds at tycho.nsa.gov
Fri Apr 1 13:35:44 UTC 2005


On Fri, 2005-04-01 at 14:36 +0100, David Woodhouse wrote:
> Setting the auditable flag is only going to cause audit_log_exit() to be
> called on syscall exit _if_ audit_syscall_exit() is actually called.
> 
> That's often in the slow path of the syscall return, and triggered only
> if something like TIF_SYSCALL_AUDIT is set in the thread_info flags.

Sorry, do you have an example of where this would be a problem?  

Also, the only truly required information in avc_audit is the relevant
security contexts, security class, and permission(s); everything else is
just supplemental data to help track down the causes of policy denials.
I always expected that the audit framework would ultimately take over
handling of such supplemental data for SELinux, leaving it to only deal
with the MAC-specific information.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
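As an added illustration, not code from this thread or from the kernel, here is a small userspace model of the gating David describes: a denial marks the audit context auditable, but the record only reaches the log if the syscall-return path takes the slow path with TIF_SYSCALL_AUDIT set in thread_info. Function and flag names follow the kernel's; the struct layouts and the record counter are constructed for the model.

```c
/* Added example, not code from the thread or the kernel: a userspace model of
 * the gating David Woodhouse describes. Function and flag names follow the
 * kernel's; the struct layouts and the record counter are constructed here. */
#include <stdbool.h>
#define TIF_SYSCALL_AUDIT (1u << 0)   /* modelled thread_info flag */

struct audit_context {
    bool auditable;     /* set by avc_audit() when a denial should be logged */
    unsigned records;   /* constructed counter: records that reached the log */
};
struct task {
    unsigned ti_flags;  /* modelled thread_info->flags */
    struct audit_context ctx;
};

/* Models audit_log_exit(): emits the pending record and clears the mark. */
static void audit_log_exit(struct audit_context *ctx) {
    ctx->records++;
    ctx->auditable = false;
}

/* Models audit_syscall_exit(): logs only if the context was marked auditable. */
static void audit_syscall_exit(struct audit_context *ctx) {
    if (ctx->auditable)
        audit_log_exit(ctx);
}

/* Models avc_audit() setting the auditable flag for the current syscall. */
static void avc_audit_mark(struct task *t) {
    t->ctx.auditable = true;
}

/* Models the syscall-return path: the audit hook sits in the slow path, taken
 * only when TIF_SYSCALL_AUDIT is set. Returns true if audit_syscall_exit() ran. */
static bool syscall_return(struct task *t) {
    if (t->ti_flags & TIF_SYSCALL_AUDIT) {
        audit_syscall_exit(&t->ctx);
        return true;
    }
    return false;   /* fast path: the pending auditable record is never emitted */
}

/* Drives one denial through a task with the given flags; returns records logged. */
unsigned records_after_denial(unsigned ti_flags) {
    struct task t = { .ti_flags = ti_flags, .ctx = { false, 0 } };
    avc_audit_mark(&t);
    syscall_return(&t);
    return t.ctx.records;
}
```

With the flag set the denial produces one record; without it the auditable mark is set but nothing is ever logged, which is the case David's remark warns about.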