From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Refactoring src/ausearch-report.c:output_interpreted_node()
Date: Wed, 01 Oct 2014 17:19:39 -0400
Message-ID: <1528037.iuGHCJfh4q@x2>
References: <1411958483.2752.33.camel@swtf.swtf.dyndns.org> <74328756.3cWZp6NFET@x2> <1412197693.30162.9.camel@swtf.swtf.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1412197693.30162.9.camel@swtf.swtf.dyndns.org>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, October 02, 2014 07:08:13 AM Burn Alting wrote:
> On Wed, 2014-10-01 at 14:54 -0400, Steve Grubb wrote:
> > > I am uncertain what effect of accepting this additional format would
> > > have when adding rules to the running audit system - i.e.
> > > audit_name_to_msg_type() is called by autrace/auditctl when parsing
> > > rules (ie the msgtype field name).
> >
> > I think ausearch-report.c might be the place that needs updating.
>
> So, could we modify output_interpreted_node() to no longer re-parse the
>     [node=] type= msg=audit(.:)
> header and pass both the lnode and llist->e which has this data already
> as the code
>	if (num == -1) {
>		// see if we are older and wiser now.
>		bptr = strchr(str, '[');
>		if (bptr && bptr < ptr) {
>			char *eptr;
>			bptr++;
>			eptr = strchr(bptr, ']');
>			if (eptr) {
>				*eptr = 0;
>				errno = 0;
>				num = strtoul(bptr, NULL, 10);
>				*eptr = ']';
>				if (errno)
>					num = -1;
>			}
>		}
>	}
> which parses for
>     type=.*[n].*
> is no longer needed as we don't have that format any more?

That is a very loose check for UNKNOWN[####]. If you see a performance
improvement by refactoring this function, please send a patch. The output needs
to be identical to the old way.

Thanks,
-Steve
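
The following C sketch is an added example, not part of the original message or of the audit source. It models the bracket scan from the quoted snippet next to a strict `UNKNOWN[####]` match, to show which inputs the loose form accepts. The function names and sample tokens are hypothetical, and each token is assumed to be the already-terminated value that follows `type=`.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Loose form, modelled on the quoted snippet: the first '[' that has a
 * matching ']' starts the number, whatever precedes or follows the digits. */
static long loose_type_num(const char *tok)
{
	const char *b = strchr(tok, '[');
	unsigned long n;

	if (!b || !strchr(b, ']'))
		return -1;
	errno = 0;
	n = strtoul(b + 1, NULL, 10);
	return errno ? -1 : (long)n;
}

/* Strict form (hypothetical): exactly "UNKNOWN[" digits "]" and nothing else. */
static long strict_type_num(const char *tok)
{
	static const char pfx[] = "UNKNOWN[";
	char *end;
	unsigned long n;

	if (strncmp(tok, pfx, sizeof(pfx) - 1) != 0)
		return -1;
	tok += sizeof(pfx) - 1;
	if (*tok < '0' || *tok > '9')	/* no empty field, sign or whitespace */
		return -1;
	errno = 0;
	n = strtoul(tok, &end, 10);
	if (errno || n > INT_MAX || end[0] != ']' || end[1] != '\0')
		return -1;
	return (long)n;
}

int main(void)
{
	/* Constructed type tokens, as they would appear after "type=" */
	const char *t[] = { "UNKNOWN[1327]", "FOO[12abc]", "UNKNOWN[]", "UNKNOWN[12]x" };
	size_t i;

	for (i = 0; i < sizeof(t) / sizeof(t[0]); i++)
		printf("%-16s loose=%ld strict=%ld\n", t[i],
		       loose_type_num(t[i]), strict_type_num(t[i]));
	return 0;
}
```

Both forms agree on a well-formed `UNKNOWN[1327]`; they differ only on tokens such as `FOO[12abc]`, where `strtoul()` stops at the first non-digit without setting `errno`.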