From: Matthew Booth
Subject: Expanding PATH records to be absolute paths
Date: Wed, 12 Sep 2007 19:14:58 +0100
Message-ID: <1189620898.4764.52.camel@localhost.localdomain>
To: linux-audit

As I mentioned in my austream email, I need to be able to rewrite outgoing PATH records to have absolute paths. I can obviously do this from scratch, and if there's no better way then this is what I will do. However, I'm aware that work has gone on in the userspace message parsing area, and I'd like to avoid reinventing the wheel. I have a few constraints, though:

* Must work on libraries shipped with RHEL 4.5

  If necessary, I will import bits of code from later versions into austream; however, I'm not prepared to require updating from the shipped audit-libs. If I need to do this, how can I minimise maintenance pain? Maybe separate parsing libraries into a separate package and depend on it?

* Must work on a stream

  I don't write anything to disk. It must work on messages as read from the audit netlink socket.

* It must be fast

  I need to remain sure that I can put the tool into a performance critical environment with confidence that I won't kill it.

If I were going to do this from scratch, I'd cache CWD records and rewrite PATH records on the way through. I don't believe any other record requires this. AVC paths are already absolute, and I don't think there are any other paths. Is this right?

Thanks,

Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
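
An added sketch (not part of the original message, and not austream or audit-libs code) of the approach the message describes: cache the cwd from each CWD record and prefix it onto relative name fields in PATH records of the same event. It assumes the record type comes from the netlink header and the payload is the kernel's text form; the function names, buffer sizes and one-slot cache are hypothetical simplifications.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define AUDIT_PATH 1302            /* record types from <linux/audit.h> */
#define AUDIT_CWD  1307

static unsigned long cwd_serial;   /* event the cached cwd belongs to */
static char cwd_path[4096];        /* one-slot cache (a simplification) */
static char out[16384];            /* returned buffer, reused per call */

/* Event serial from "audit(TIMESTAMP:SERIAL): ..."; 0 if not parseable. */
static unsigned long serial_of(const char *payload)
{
    const char *p = strncmp(payload, "audit(", 6) ? NULL : strchr(payload, ':');
    return p ? strtoul(p + 1, NULL, 10) : 0;
}

/* Returns the text to forward, or NULL if it does not fit in out. PATH records
 * are rewritten only when name is quoted, relative and non-empty and the CWD
 * of the same event is cached; hex-encoded names and (null) pass through. */
const char *rewrite_record(int type, const char *payload)
{
    unsigned long serial = serial_of(payload);
    const char *f, *end;
    int n;
    if (type == AUDIT_CWD && (f = strstr(payload, " cwd=\"")) != NULL
        && (end = strchr(f += 6, '"')) != NULL
        && (size_t)(end - f) < sizeof(cwd_path)) {
        memcpy(cwd_path, f, (size_t)(end - f));
        cwd_path[end - f] = '\0';
        cwd_serial = serial;
    }
    if (type == AUDIT_PATH && serial && serial == cwd_serial
        && (f = strstr(payload, " name=\"")) != NULL
        && f[7] != '/' && f[7] != '"') {
        f += 7;                    /* first character of the relative name */
        n = snprintf(out, sizeof(out), "%.*s%s%s%s", (int)(f - payload),
                     payload, cwd_path, strcmp(cwd_path, "/") ? "/" : "", f);
    } else {
        n = snprintf(out, sizeof(out), "%s", payload);
    }
    return (n < 0 || (size_t)n >= sizeof(out)) ? NULL : out;
}

int main(void)
{   /* constructed sample records for one event */
    rewrite_record(AUDIT_CWD, "audit(1189620898.200:42):  cwd=\"/home/matt\"");
    puts(rewrite_record(AUDIT_PATH,
         "audit(1189620898.200:42): item=0 name=\"src/main.c\" inode=11"));
    return 0;
}
```

The joined path is not normalised, so a name such as `../x` is forwarded as `/home/matt/../x`.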