public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Miloslav Trmac <mitr@redhat.com>
Subject: Re: auparse question
Date: Wed, 31 Aug 2011 14:29:38 -0400
Message-ID: <201108311429.38512.sgrubb@redhat.com>
In-Reply-To: <441829808.1008931.1314746282860.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>

On Tuesday, August 30, 2011 07:18:02 PM Miloslav Trmac wrote:
> ----- Original Message -----
> > I'm using auparse_get_field_type from the parse lib.
> > The return value for error is "0" which is also that of the AUDIT_PID
> > field.
> > 
> > Right? I am getting some errors that thought they were PIDs.
> 
> The return value of auparse_get_field_type() is a value from auparse_type_t
> defined in auparse-defs.h.

Right. AUDIT_PID is an event record type which would be returned by 
auparse_get_type(). If you look in auparse.h, you can see the groupings of functions 
that access event level, record level, and field level components.


> 0 is AUPARSE_TYPE_UNCLASSIFIED (i.e. "there is
> no current field, or we don't know what kind of data is in the field"). 

Yes, but the intent of AUPARSE_TYPE_UNCLASSIFIED is to say that the field contains data 
that needs no special cross reference or conversion to be human readable (or as you 
say we don't know about the field). This is different from returning something to say 
that you are not pointed at a valid field - i.e. you ran off the end. From what I can 
tell, you can only get the error if you are moving the internal pointer around without 
checking return codes. There really is an unintended API mistake in there. :)


> AUPARSE_TYPE_* and the AUDIT_* field enums both deal with fields, but are
> distinct.  It is somewhat confusing I'm afraid.

Maybe looking at the auparse.h file clarifies a few things since they are grouped?

-Steve
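
The ambiguity discussed in this message, as an added example that is not part of the original thread and is not libauparse code: a small stand-in field cursor (every name in it is hypothetical) in which 0 means both "plain field" and "no current field", walked once with the cursor return codes ignored and once with them checked. The record body is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a field cursor; not libauparse code.
 * 0 plays the role the thread gives AUPARSE_TYPE_UNCLASSIFIED. */
enum ftype { FT_UNCLASSIFIED = 0, FT_UID = 1 };
struct cursor { const char *rec; const char *pos; }; /* pos == NULL: no current field */

/* Constructed sample record body (space-separated name=value fields). */
static const char SAMPLE[] = "pid=1234 uid=0 auid=500 comm=cat";

/* Cursor moves return 1 when they land on a field, 0 when there is none. */
static int first_field(struct cursor *c) {
    c->pos = *c->rec ? c->rec : NULL;
    return c->pos != NULL;
}
static int next_field(struct cursor *c) {
    const char *sp = c->pos ? strchr(c->pos, ' ') : NULL;
    c->pos = (sp && sp[1]) ? sp + 1 : NULL;
    return c->pos != NULL;
}

/* In-band getter: 0 means "plain field" and also "no current field". */
static int field_type(const struct cursor *c) {
    if (!c->pos) return 0;
    return (!strncmp(c->pos, "uid=", 4) || !strncmp(c->pos, "auid=", 5))
           ? FT_UID : FT_UNCLASSIFIED;
}

/* Unchecked walk: drop next_field()'s result, run off the end, ask anyway. */
static int type_after_end(const char *rec) {
    struct cursor c = { rec, NULL };
    first_field(&c);
    for (int i = 0; i < 16; i++) next_field(&c);   /* return code ignored */
    return field_type(&c);    /* indistinguishable from a real plain field */
}

/* Checked walk: the loop is driven by the return codes, so field_type()
 * is only ever called on a valid field. Returns the number of fields seen. */
static int count_fields(const char *rec, int *n_uid, int *n_plain) {
    struct cursor c = { rec, NULL };
    int n = 0;
    *n_uid = *n_plain = 0;
    for (int ok = first_field(&c); ok; ok = next_field(&c), n++)
        if (field_type(&c) == FT_UID) (*n_uid)++; else (*n_plain)++;
    return n;
}

int main(void) {
    int u, p, n = count_fields(SAMPLE, &u, &p);
    printf("checked: %d fields (%d uid, %d plain); unchecked past end: %d\n",
           n, u, p, type_after_end(SAMPLE));
    return 0;
}
```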
