From: Steve Grubb
Subject: Re: [PATCH 2/2] auvirt: Remove workaround for VM name searching
Date: Wed, 8 Feb 2012 14:06:25 -0500
Message-ID: <201202081406.25471.sgrubb@redhat.com>
In-Reply-To: <1328720698-24633-2-git-send-email-mhcerri@linux.vnet.ibm.com>
To: linux-audit@redhat.com
Cc: gcwilson@us.ibm.com, bryntcor@us.ibm.com

On Wednesday, February 08, 2012 12:04:58 PM Marcelo Cerri wrote:
> Auvirt adds quotes to the given VM name when creating the search criteria.
> With the previous patch, this workaround is no longer needed and this
> patch removes it.

What you are seeing here is actually a different problem. The description you
have:

  using the example above the following rule will not match:

  ausearch_add_item(au, "vm", "=", "guest-name", how);

  But this rule will match:

  ausearch_add_item(au, "vm", "=", "\"guest-name\"", how);

describes the following issue. If you look at the vm field type, it has this
relationship in typetab.h:

_S(AUPARSE_TYPE_ESCAPED, "vm"

Which means that if you are not getting a hit, the search algorithm might need
fixing. If the searched field type is escaped, the algorithm should escape the
field and then do the match. For example, what if you have a vm name of
"test run"? It will wind up being escaped and looking like hex encoded ascii.
This is much worse than just adding quotes.

So, I think the best solution is to make this invisible to the outside world.
The function call ausearch_add_item() should do a type lookup of the field and
then escape the value if the returned type is AUPARSE_TYPE_ESCAPED.

On output, your program probably wants to call auparse_get_field_type() and if
it's AUPARSE_TYPE_ESCAPED, then call auparse_interpret_field() and output that.

-Steve