From: Steve Grubb
Subject: Re: [PATCH 2/2] auvirt: Remove workaround for VM name searching
Date: Thu, 9 Feb 2012 13:04:54 -0500
Message-ID: <201202091304.54898.sgrubb@redhat.com>
References: <1328720698-24633-1-git-send-email-mhcerri@linux.vnet.ibm.com>
 <201202090835.07008.sgrubb@redhat.com>
 <4F34079C.8030607@linux.vnet.ibm.com>
In-Reply-To: <4F34079C.8030607@linux.vnet.ibm.com>
To: Marcelo Cerri
Cc: linux-audit@redhat.com, gcwilson@us.ibm.com, bryntcor@us.ibm.com
List-Id: linux-audit@redhat.com

On Thursday, February 09, 2012 12:51:24 PM Marcelo Cerri wrote:
> On 02/09/2012 11:35 AM, Steve Grubb wrote:
> > On Thursday, February 09, 2012 08:22:34 AM Marcelo Cerri wrote:
> >> Thanks for your explanation. I hadn't noticed how escaped fields work.
> >>
> >> Regarding the search algorithm fix, sorry but it is not clear to me
> >> where you meant to say to add the type check and the escape. Did you
> >> mean inside the ausearch_add_item or in the function which is calling
> >> the ausearch_add_item function?
> >
> > I think it's best to put it inside the function so that app writers do not
> > have to think about it. They just pass a string and it's fixed up. I was
> > also thinking about the alternative, which is to decode the fields
> > during search and then compare. But this would be slower because we
> > decode every field value whether it matches or not. So, we can just
> > encode the item being searched for and then compare raw values. I
> > suppose the man page should clarify this for app writers just in case.
>
> Digging into auparse source code, I noticed there is an "interpreted"
> version of ausearch_add_item (ausearch_add_interpreted_item). I could
> get matches for the "vm" field using this function.

Sure. That makes it easier. :)

> Do you think that it's still necessary to change ausearch_add_item?

I guess not.

> >> I'll submit a patch to libvirt instead and then update auvirt.
> >
> > I wish I had caught that sooner, too. As for auvirt, since you know vm is
> > an escaped field, you don't actually need to put the "if" statement to
> > check its type. You can just call the interpret function unconditionally
> > and use its output.
>
> Probably it'll also be necessary to add the "old-net" and "new-net"
> fields to the typetab.h file.

Why? They look like MAC addresses to me.

> If a field isn't in typetab.h, what type is considered for it? Is it
> considered just a regular string?

Yes. Generally, to need to be in the type tab there has to be some kind of
transformation from a binary form into a more readable presentation. For
example, uid=500, what does 500 mean? exit=-2, what does -2 mean?

In terms of transformations, an area that I think needs more work is
translating some of the syscall parameters so ausearch output is more
meaningful. But this is low on the list of things to do.

I guess at this point you can make a simple patch to auvirt that cleans it up.

-Steve
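The encode-the-needle versus decode-every-field trade-off discussed above, as an added example. This is not code from the audit user-space tree, auparse or this thread: it re-implements the audit rule for escaped string fields (a value made only of printable ASCII with no space and no double quote is written in double quotes; anything else is written as uppercase hex of its bytes, unquoted, following the kernel's audit_string_contains_control test; libaudit's user-space encoder is close but not identical for bytes above 0x7F, so treat that edge as an approximation) and runs three searches over constructed VIRT_CONTROL-shaped records: encoding the search term once and comparing raw values, decoding each record's field before comparing (what ausearch_add_interpreted_item does), and the raw compare that auvirt had to work around. The VM names, timestamps and UUIDs are invented for the example; the auparse functions are only named in comments, not called.

```python
# Added example: audit "escaped" field encoding and the ways to search it.
# Not auparse code; the encoding rule is re-implemented so this runs without libauparse.

from typing import Dict, List, Optional


def audit_encode(value: str) -> str:
    """Encode a string the way audit does for untrusted ("escaped") fields.

    Printable ASCII with no space and no double quote is wrapped in double
    quotes; anything else becomes uppercase hex of the raw bytes, unquoted.
    This is why vm="guest1" and vm=776562207365727665722031 can both appear.
    """
    data = value.encode("utf-8")
    if any(b < 0x21 or b > 0x7E or b == 0x22 for b in data):
        return data.hex().upper()
    return '"' + value + '"'


def audit_decode(raw: str) -> str:
    """Interpret an escaped field: strip quotes from a literal, hex-decode otherwise.

    A value that is neither quoted nor valid hex (e.g. "(null)") is returned
    unchanged, which is how an interpreter has to cope with odd input.
    """
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw


def parse_fields(record: str) -> Dict[str, str]:
    """Split an audit record into key=value pairs.

    Splitting on whitespace is safe because the encoding above turns any value
    containing a space into hex, so stored values never contain spaces.
    """
    fields: Dict[str, str] = {}
    for token in record.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def search_encoded(records: List[str], field: str, needle: str) -> List[str]:
    """Strategy 1: encode the needle once, then compare raw values.

    This is the behaviour proposed for ausearch_add_item in the thread:
    one encode, then a plain string compare per record.
    """
    encoded = audit_encode(needle)
    return [r for r in records if parse_fields(r).get(field) == encoded]


def search_decoded(records: List[str], field: str, needle: str) -> List[str]:
    """Strategy 2: decode each record's field, then compare to the plain needle.

    This is what ausearch_add_interpreted_item does.  Same answer, but it pays
    for a decode on every record whether or not it matches.
    """
    hits: List[str] = []
    for r in records:
        raw: Optional[str] = parse_fields(r).get(field)
        if raw is not None and audit_decode(raw) == needle:
            hits.append(r)
    return hits


def search_raw(records: List[str], field: str, needle: str) -> List[str]:
    """The comparison auvirt was working around: raw stored value vs plain needle.

    It never matches an escaped field, because the stored value is either quoted
    or hex-encoded and the plain needle is neither.
    """
    return [r for r in records if parse_fields(r).get(field) == needle]


# Constructed records in the shape of libvirt VIRT_CONTROL events.  Names,
# timestamps and UUIDs are invented for this example; these are not real logs.
RECORDS = [
    "type=VIRT_CONTROL msg=audit(1328800000.101:201): virt=kvm op=start "
    + "reason=booted vm=" + audit_encode("guest1")
    + " uuid=11111111-2222-3333-4444-555555555555",
    "type=VIRT_CONTROL msg=audit(1328800001.102:202): virt=kvm op=start "
    + "reason=booted vm=" + audit_encode("web server 1")
    + " uuid=66666666-7777-8888-9999-000000000000",
    "type=VIRT_CONTROL msg=audit(1328800002.103:203): virt=kvm op=stop "
    + "reason=shutdown vm=" + audit_encode("guest1")
    + " uuid=11111111-2222-3333-4444-555555555555",
]

if __name__ == "__main__":
    for name in ("guest1", "web server 1"):
        print(name, "is stored as", audit_encode(name))
        print("  encode needle :", len(search_encoded(RECORDS, "vm", name)), "hit(s)")
        print("  decode fields :", len(search_decoded(RECORDS, "vm", name)), "hit(s)")
        print("  raw compare   :", len(search_raw(RECORDS, "vm", name)), "hit(s)")
```

Running the block shows the point of the thread: the raw compare finds nothing for either name, while the two correct strategies agree on every record. The encode-once strategy does the same amount of work per record as the raw compare, which is why it is the cheaper fix when the caller knows the field is escaped.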