From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marcelo Cerri Subject: [PATCH] auvirt: Remove workaround for VM name searching Date: Thu, 9 Feb 2012 17:18:40 -0200 Message-ID: <1328815120-6691-1-git-send-email-mhcerri@linux.vnet.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx11.extmail.prod.ext.phx2.redhat.com [10.5.110.16]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q19JIlVo006966 for ; Thu, 9 Feb 2012 14:18:47 -0500 Received: from e24smtp03.br.ibm.com (e24smtp03.br.ibm.com [32.104.18.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q19JIjs1002991 for ; Thu, 9 Feb 2012 14:18:45 -0500 Received: from /spool/local by e24smtp03.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 9 Feb 2012 17:18:44 -0200 Received: from d24av01.br.ibm.com (d24av01.br.ibm.com [9.8.31.91]) by mailhub1.br.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id q19JKKrE1101886 for ; Thu, 9 Feb 2012 17:20:21 -0200 Received: from d24av01.br.ibm.com (loopback [127.0.0.1]) by d24av01.br.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q19HIZf0031563 for ; Thu, 9 Feb 2012 15:18:35 -0200 List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: gcwilson@us.ibm.com, bryntcor@us.ibm.com List-Id: linux-audit@redhat.com With this patch, the workaround for creating the search criteria is removed and escaped fields are properly retrieved. The unexpected single quote at the beginning of MAC addresses is fixed by a patch in libvirt: https://www.redhat.com/archives/libvir-list/2012-February/msg00502.html --- tools/auvirt/auvirt.c | 39 +++++++++++++++------------------------ 1 files changed, 15 insertions(+), 24 deletions(-) 
diff --git a/tools/auvirt/auvirt.c b/tools/auvirt/auvirt.c
index c04780a..a89b097 100644
--- a/tools/auvirt/auvirt.c
+++ b/tools/auvirt/auvirt.c
@@ -312,23 +312,7 @@ int create_search_criteria(auparse_state_t *au)
 }
 }
 if (vm) {
- /*
- * If a field has its value quoted in the audit log, for
- * example:
- * vm="guest-name"
- *
- * auparse will consider the field value with quotes when
- * matching a rule. For example, using the example above the
- * following rule will not match:
- * ausearch_add_item(au, "vm", "=", "guest-name", how);
- *
- * But this rule will match:
- * ausearch_add_item(au, "vm", "=", "\"guest-name\"", how);
- *
- * TODO use a better approach for this problem...
- */
- snprintf(expr, sizeof(expr), "\"%s\"", vm);
- if (ausearch_add_item(au, "vm", "=", expr,
+ if (ausearch_add_interpreted_item(au, "vm", "=", vm,
 AUSEARCH_RULE_AND)) {
 fprintf(stderr, "Criteria error: id\n");
 return 1;
@@ -390,7 +374,7 @@ int extract_virt_fields(auparse_state_t *au, const char **p_uuid,
 if (p_name) {
 if (!auparse_find_field(au, field = "vm"))
 goto error;
- *p_name = auparse_get_field_str(au);
+ *p_name = auparse_interpret_field(au);
 }
 if (p_uuid) {
 if (!auparse_find_field(au, field = "uuid"))
@@ -759,10 +743,11 @@ int process_resource_event(auparse_state_t *au)
 strcmp("vcpu", res_type) == 0 ||
 strcmp("mem", res_type) == 0 ||
 strcmp("net", res_type) == 0) {
- const char *res;
+ const char *res = NULL;
 /* Resource removed */
 snprintf(field, sizeof(field), "old-%s", res_type);
- res = auparse_find_field(au, field);
+ if(auparse_find_field(au, field))
+ res = auparse_interpret_field(au);
 if (res == NULL && debug) {
 fprintf(stderr, "Failed to get %s field.\n", field);
 } else {
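Review bot: `if(auparse_find_field(au, field))` in the `old-%s` branch of process_resource_event drops the space after `if` that the surrounding code uses (`if (res == NULL && debug)` two lines below); write it as `if (auparse_find_field(au, field))`. Because `res` now comes from `auparse_interpret_field()` instead of the raw field string, a hex-encoded audit value is decoded at this point, so the string handed to add_resource can presumably contain spaces, newlines or control bytes that the raw form never carried; wherever that value is later printed (not visible in this hunk), non-printable bytes should be filtered or escaped before they reach a terminal or a report. The same applies to the `vm` name stored through `*p_name` in extract_virt_fields, whose pointer is owned by the auparse state and should be copied by callers before the parser moves on. process_resource_event starts and ends outside this hunk.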
@@ -771,8 +756,10 @@ int process_resource_event(auparse_state_t *au) } /* Resource added */ + res = NULL; snprintf(field, sizeof(field), "new-%s", res_type); - res = auparse_find_field(au, field); + if (auparse_find_field(au, field)) + res = auparse_interpret_field(au); if (res == NULL && debug) { fprintf(stderr, "Failed to get %s field.\n", field); } else { @@ -781,7 +768,9 @@ int process_resource_event(auparse_state_t *au) } } else if (strcmp("cgroup", res_type) == 0) { auparse_first_record(au); - const char *cgroup = auparse_find_field(au, "cgroup"); + const char *cgroup = NULL; + if (auparse_find_field(au, "cgroup")) + cgroup = auparse_interpret_field(au); rc += add_resource(au, uuid, uid, time, name, success, reason, res_type, cgroup); } else if (debug) { @@ -856,8 +845,10 @@ int process_avc(auparse_state_t *au) auparse_first_record(au); avc->seresult = copy_str(auparse_find_field(au, "seresult")); avc->seperms = copy_str(auparse_find_field(au, "seperms")); - avc->comm = copy_str(auparse_find_field(au, "comm")); - avc->target = copy_str(auparse_find_field(au, "name")); + if (auparse_find_field(au, "comm")) + avc->comm = copy_str(auparse_interpret_field(au)); + if (auparse_find_field(au, "name")) + avc->target = copy_str(auparse_interpret_field(au)); add_proof(avc, au); if (list_append(events, avc) == NULL) { event_free(avc); -- 1.7.1
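Review bot: In process_avc, `avc->comm` and `avc->target` are now assigned only when the field is found, whereas the old `copy_str(auparse_find_field(...))` always stored a value; if the allocation of `avc` earlier in the function (outside this hunk) does not zero the struct, a missing `comm` or `name` field leaves those pointers indeterminate for whatever later frees or prints them. Initialise them explicitly before the lookups, `avc->comm = NULL; avc->target = NULL;`, or keep the unconditional shape, `avc->comm = copy_str(auparse_find_field(au, "comm") ? auparse_interpret_field(au) : NULL);`. This also relies on copy_str tolerating a NULL argument, since `auparse_interpret_field()` can itself return NULL. Both fields are attacker-influenced (a process name and a file path) and are now stored in decoded form, so the code that prints them should not assume they are printable. process_avc starts before and ends after this hunk.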