From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: gcwilson@us.ibm.com, bryntcor@us.ibm.com
Subject: Re: [PATCH 2/2] auvirt: Remove workaround for VM name searching
Date: Wed, 8 Feb 2012 14:06:25 -0500
Message-ID: <201202081406.25471.sgrubb@redhat.com>
In-Reply-To: <1328720698-24633-2-git-send-email-mhcerri@linux.vnet.ibm.com>

On Wednesday, February 08, 2012 12:04:58 PM Marcelo Cerri wrote:
> Auvirt adds quotes to the given VM name when creating the search criteria.
> With the previous patch, this workaround is no longer needed and this
> patch removes it.

What you are seeing here is actually a different problem. The description you
have:

  using the example above the following rule will not match:
    ausearch_add_item(au, "vm", "=", "guest-name", how);

  But this rule will match:
    ausearch_add_item(au, "vm", "=", "\"guest-name\"", how);

describes the following issue. If you look at the vm field type, it has this
relationship in typetab.h:

  _S(AUPARSE_TYPE_ESCAPED, "vm")

Which means that if you are not getting a hit, the search algorithm might need
fixing. If the searched field type is escaped, the algorithm should escape the
field and then do the match. For example, what if you have a vm name of
"test run". It will wind up being escaped and looking like hex encoded ascii.
This is much worse than just adding quotes.

So, I think the best solution is to make this invisible to the outside world.
The function call ausearch_add_item() should do a type lookup of the field and
then escape the value if the returned type is AUPARSE_TYPE_ESCAPED.

On output, your program probably wants to call auparse_get_field_type() and if
it's AUPARSE_TYPE_ESCAPED, then call auparse_interpret_field() and output that.

-Steve
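
Added example, not part of the original message and not libauparse code: a sketch of the "escape the search value, then match" approach described above. It assumes the audit log convention that an escaped-type value is written in double quotes when it is plain, and as uppercase hex when it contains a space, a double quote, or a control or non-ASCII byte. The helper names are hypothetical and the raw field values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: does this value have to be hex encoded in the log? */
static int needs_hex(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '"' || c < 0x21 || c > 0x7e)
            return 1;
    }
    return 0;
}

/* Write the on-disk form of val into out; 0 on success, -1 if out is too small. */
int escape_value(const char *val, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = strlen(val), i;

    if (!needs_hex(val))   /* plain value: just wrap it in quotes */
        return snprintf(out, outlen, "\"%s\"", val) < (int)outlen ? 0 : -1;
    if (outlen < 2 * n + 1)
        return -1;
    for (i = 0; i < n; i++) {
        out[2 * i] = hex[(unsigned char)val[i] >> 4];
        out[2 * i + 1] = hex[(unsigned char)val[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return 0;
}

/* Escape the caller's search value, then compare it with the raw field text. */
int escaped_field_matches(const char *raw, const char *search)
{
    char buf[512];
    return escape_value(search, buf, sizeof(buf)) == 0 && strcmp(raw, buf) == 0;
}

int main(void)
{
    /* Constructed raw values, as they would appear after "vm=" in a record. */
    printf("%d\n", escaped_field_matches("\"guest-name\"", "guest-name"));
    printf("%d\n", escaped_field_matches("746573742072756E", "test run"));
    printf("%d\n", escaped_field_matches("\"guest-name\"", "\"guest-name\""));
    return 0;
}
```

With the escaping done inside the match, the caller passes the bare name in both cases, and the pre-quoted form from the auvirt workaround no longer matches.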