Re: [PATCH 2/2] auvirt: Remove workaround for VM name searching

[Steve Grubb <sgrubb@redhat.com>]

On Thursday, February 09, 2012 12:51:24 PM Marcelo Cerri wrote:
> On 02/09/2012 11:35 AM, Steve Grubb wrote:
> > On Thursday, February 09, 2012 08:22:34 AM Marcelo Cerri wrote:
> >> Thanks for your explanation. I hadn't notice how escaped fields work.
> >> 
> >> Regarding the search algorithm fix, sorry but it is not clear to me
> >> where you meant to say to add the type check and the escape. Did you
> >> mean inside the ausearch_add_item or in the function which is calling
> >> the ausearch_add_item function?
> > 
> > I think its best to put it inside the function so that app writers do not
> > have to think about it. They just pass a string and its fixed up. I was
> > also thinking about the alternative, which is to decode the fields
> > during search and then compare. But this would be slower because we
> > decode every field value whether it matches or not. So, we can just
> > encode the item being searched for and then compare raw values. I
> > suppose the man page should clarify this for app writers just in case.
> 
> Digging into auparse source code, I noticed there is an "interpreted"
> version of ausearch_add_item (ausearch_add_interpreted_item). I could
> get matches for the "vm" field using this function.

Sure. That makes it easier. :)

> Do you think that it's still necessary to change ausearch_add_item?

I guess not.


> >> I'll submit a patch to libvirt instead and then update auvirt.
> > 
> > I wished I caught that sooner, too. As for auvirt, since you know vm is
> > an escaped field, you don't actually need to put the "if" statement to
> > check its type. You can just call the interpret function unconditionally
> > and use its output.
> 
> Probably it'll also be necessary to add the "old-net" and "new-net"
> fields to the typetab.h file.

Why? They look like MAC addresses to me.


> If a field isn't in typetab.h, what type is considered for it? Is it considered
> just a regular string?

Yes. Generally to need to be in the type tab there might need to some kind of 
transformation from a binary form into a more readable presentation. For 
example, uid=500, what does 500 mean? exit=-2, what does -2 mean? In terms of 
transformations, areas that I think needs more work is translating some of the 
syscall parameters so ausearch output is more meaningful. But this is low on the 
list of things to do.

I guess at this point you can make a simple patch to auvirt that cleans it up.

-Steve