From: Klaus Weidner
Subject: Re: [PATCH] IPC_SET_PERM cleanup
Date: Tue, 9 May 2006 15:36:08 -0500
Message-ID: <20060509203608.GF31457@w-m-p.com>
In-Reply-To: <20060509201014.GA31028@w-m-p.com>
References: <445BB351.2040303@hp.com> <20060509181523.GD31457@w-m-p.com> <4460DF17.8010304@hp.com> <200605091511.25780.sgrubb@redhat.com> <20060509201014.GA31028@w-m-p.com>
To: Steve Grubb
Cc: linux-audit@redhat.com

On Tue, May 09, 2006 at 03:10:14PM -0500, Klaus Weidner wrote:
> On Tue, May 09, 2006 at 03:11:25PM -0400, Steve Grubb wrote:
> > Bottom line, for the search API, I want all similar types to have a common
> > field name. They can have a modifier adjacent to them.
>
> If that's the way you want to do it, there needs to be a way to get the
> modifier to disambiguate them.
>
> Is adding "new " modifiers the best way to do that? You could also
> keep the field names the same and look at the syscall record type to find
> out which context they get used in.

A bit more detail...
Here are the current audit records:

type=SYSCALL msg=audit(1146691872.791:94): arch=c000003e syscall=66 success=yes exit=0 a0=10000 a1=1 a2=1 a3=7fff328a7e70 items=0 pid=4327 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="syscalls" exe="/usr/local/eal3_testing/audit-test/syscalls/syscalls" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=IPC_SET_PERM msg=audit(1146691872.791:94): new qbytes=0 new iuid=501 new igid=0 new mode=0 obj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=IPC msg=audit(1146691872.791:94): qbytes=5a5a5a5a5a5a5a5a iuid=0 igid=0 mode=1c0 obj=user_u:system_r:unconfined_t:s0-s0:c0.c255

The original patches by Dustin and Linda had used "new_iuid=501" to
differentiate the values, which I personally think was fine since it's
unlikely that people want to be searching for those.

If you absolutely want to avoid adding new tag names, an alternative would
be to get rid of the "new " modifiers, and use the "type=" name to
differentiate them. The audit parsing library could then provide an
auparse_get_field_type() function so that the clients that care can treat
"IPC_SET_PERM" differently from type "IPC". Something like:

    while (ausearch_next_event(au)) {
        if (auparse_find_field(au, "ouid") &&
            !strcmp(auparse_get_field_type(au), "IPC")) {
            printf("ouid=%s\n", auparse_interpret_field(au));
        }
    }

I still think that the new_* field names are fine and don't need fixing,
but the "new" modifiers just look wrong.

-Klaus
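The following is an added example, not code from the mail above or from the audit-libs project. It shows the "look at the record type" alternative Klaus describes: the three records quoted in the mail are embedded as a constructed sample (trimmed, with the "new " modifiers dropped so IPC_SET_PERM and IPC both carry a plain iuid=/igid=/mode= field), and a small key=value parser reads the same field name from either record by first matching type=. The helper names audit_field, audit_field_by_type and audit_field_equals are hypothetical and stand in for the auparse_* calls a real client would use.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the three records from the mail, trimmed, with the
 * "new " modifiers removed. Only type= now distinguishes the old IPC
 * permission values (type=IPC) from the requested ones (type=IPC_SET_PERM). */
static const char *const sample_records[] = {
    "type=SYSCALL msg=audit(1146691872.791:94): arch=c000003e syscall=66 "
    "success=yes exit=0 pid=4327 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0",
    "type=IPC_SET_PERM msg=audit(1146691872.791:94): qbytes=0 iuid=501 "
    "igid=0 mode=0 obj=user_u:system_r:unconfined_t:s0-s0:c0.c255",
    "type=IPC msg=audit(1146691872.791:94): qbytes=5a5a5a5a5a5a5a5a iuid=0 "
    "igid=0 mode=1c0 obj=user_u:system_r:unconfined_t:s0-s0:c0.c255",
};
#define NSAMPLE (sizeof sample_records / sizeof sample_records[0])

/* Copy the value of "name=" from one record into out (NUL-terminated).
 * A match must start the record or follow a space and be followed by '=',
 * so "uid" does not match inside "auid=" or "fsuid=". Returns 1 if found. */
static int audit_field(const char *rec, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = rec;

    while ((p = strstr(p, name)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, " ");
            if (vlen >= outsz)
                vlen = outsz - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p += nlen;
    }
    return 0;
}

/* Fetch name= from the sample record whose type= equals rectype. This is
 * the disambiguation-by-record-type approach: the same field name is read
 * from IPC (old values) or IPC_SET_PERM (new values) as the caller chooses. */
static int audit_field_by_type(const char *rectype, const char *name,
                               char *out, size_t outsz)
{
    char type[64];
    size_t i;

    for (i = 0; i < NSAMPLE; i++) {
        if (audit_field(sample_records[i], "type", type, sizeof type) &&
            strcmp(type, rectype) == 0)
            return audit_field(sample_records[i], name, out, outsz);
    }
    return 0;
}

/* 1 if the field exists in the record of that type and has the expected
 * value, 0 otherwise (missing record, missing field, or different value). */
int audit_field_equals(const char *rectype, const char *name, const char *expected)
{
    char val[128];
    return audit_field_by_type(rectype, name, val, sizeof val) &&
           strcmp(val, expected) == 0;
}

int main(void)
{
    char old_iuid[32], new_iuid[32];

    if (audit_field_by_type("IPC", "iuid", old_iuid, sizeof old_iuid) &&
        audit_field_by_type("IPC_SET_PERM", "iuid", new_iuid, sizeof new_iuid))
        printf("iuid changed from %s (type=IPC) to %s (type=IPC_SET_PERM)\n",
               old_iuid, new_iuid);
    return 0;
}
```

The boundary check in audit_field is the part worth copying: a naive strstr on "uid" would return the value of auid= in the SYSCALL record, which is exactly the kind of field-name collision the thread is about.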