From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Refactoring src/ausearch-report.c:output_interpreted_node()
Date: Wed, 01 Oct 2014 18:28:35 -0400
Message-ID: <2237482.Rm13LQBSHi@x2>
References: <1411958483.2752.33.camel@swtf.swtf.dyndns.org> <1528037.iuGHCJfh4q@x2> <1412200367.30162.43.camel@swtf.swtf.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1412200367.30162.43.camel@swtf.swtf.dyndns.org>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, October 02, 2014 07:52:47 AM Burn Alting wrote:
> On Wed, 2014-10-01 at 17:19 -0400, Steve Grubb wrote:
> > On Thursday, October 02, 2014 07:08:13 AM Burn Alting wrote:
> > > On Wed, 2014-10-01 at 14:54 -0400, Steve Grubb wrote:
> > > > > I am uncertain what effect accepting this additional format would
> > > > > have when adding rules to the running audit system - i.e.
> > > > > audit_name_to_msg_type() is called by autrace/auditctl when parsing
> > > > > rules (ie the msgtype field name).
> > > >
> > > > I think ausearch-report.c might be the place that needs updating.
> > >
> > > So, could we modify output_interpreted_node() to no longer re-parse the
> > >
> > >     [node=] type= msg=audit(.:)
> > >
> > > header and pass both the lnode and llist->e which has this data already
> > > as the code
> > >
> > >     if (num == -1) {
> > >         // see if we are older and wiser now.
> > >         bptr = strchr(str, '[');
> > >         if (bptr && bptr < ptr) {
> > >             char *eptr;
> > >             bptr++;
> > >             eptr = strchr(bptr, ']');
> > >             if (eptr) {
> > >                 *eptr = 0;
> > >                 errno = 0;
> > >                 num = strtoul(bptr, NULL, 10);
> > >                 *eptr = ']';
> > >                 if (errno)
> > >                     num = -1;
> > >             }
> > >         }
> > >     }
> > >
> > > which parses for
> > >
> > >     type=.*[n].*
> > >
> > > is no longer needed as we don't have that format any more?
> >
> > That is a very loose check for UNKNOWN[####]. If you see a performance
> > improvement by refactoring this function, please send a patch. The output
> > needs to be identical to the old way.
> >
> > Thanks,
> > -Steve
>
> I can provide a patch to refactor this part of the code, but I want to
> confirm there is no longer a need to parse for
>
>     type=some_text '[' integer_type ']' some_other_text

While this may have been implied by the code, the fact is that [ ] would only
be in type fields when it's unknown[####].

> given my refactoring will rely upon the parsing already done by
> lib/lookup_table.c:audit_name_to_msg_type(). Remember this routine only
> parses for
>
> Given
>     type=
> then
>     is parsed for
>     - a known string
>     - a long integer number, n, found in the specific string "UNKNOWN[n]"
>     - a long integer number, n, found in the specific string "n"

These 3 formats are all that it can ever be. So, I think you have a correct
understanding.

-Steve
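The three forms the thread settles on (a known name, "UNKNOWN[n]", and a bare "n") as a strict parser in C. This is an added example, not code from audit-userspace: the function names `audit_type_to_number` and `audit_number_to_type` are assumptions, and `known_types` is a constructed stand-in for lib/lookup_table.c holding a handful of values from linux/audit.h. Unlike the loose `strchr(str, '[')` check quoted above, it only accepts a bracketed number when the whole field is exactly `UNKNOWN[digits]`, and it rejects trailing garbage and overflow, which the `errno`-only check after `strtoul` does not catch.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the real lookup table in lib/lookup_table.c.
 * The numeric values are the ones defined in linux/audit.h; the table
 * itself is a small subset built for this example only. */
static const struct { const char *name; int value; } known_types[] = {
    { "USER_LOGIN", 1112 },
    { "SYSCALL",    1300 },
    { "PATH",       1302 },
    { "CWD",        1307 },
    { "EXECVE",     1309 },
};

#define NKNOWN (sizeof(known_types) / sizeof(known_types[0]))

/* Parse an unsigned decimal number that must occupy the whole span [s, end).
 * Returns the value, or -1 if the span is empty, starts with something other
 * than a digit (sign, space), has trailing characters, or exceeds INT_MAX. */
static long parse_whole_number(const char *s, const char *end)
{
    char *stop;
    unsigned long v;

    if (s == end || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &stop, 10);
    if (errno || stop != end || v > INT_MAX)
        return -1;
    return (long)v;
}

/* Resolve the value of a "type=" field into a message type number.
 * Exactly the three forms from the thread are accepted:
 *   1. a known name            e.g. "SYSCALL"
 *   2. "UNKNOWN[n]"            e.g. "UNKNOWN[1300]"
 *   3. a bare decimal number   e.g. "1300"
 * Anything else, including "[n]" buried in other text, yields -1. */
int audit_type_to_number(const char *type)
{
    static const char prefix[] = "UNKNOWN[";
    const size_t plen = sizeof(prefix) - 1;
    size_t i, len;

    if (type == NULL)
        return -1;

    for (i = 0; i < NKNOWN; i++)
        if (strcmp(type, known_types[i].name) == 0)
            return known_types[i].value;

    len = strlen(type);
    /* Form 2: prefix, at least one character, closing bracket as last char. */
    if (len > plen + 1 && strncmp(type, prefix, plen) == 0 && type[len - 1] == ']')
        return (int)parse_whole_number(type + plen, type + len - 1);

    /* Form 3: the entire field is digits. */
    return (int)parse_whole_number(type, type + len);
}

/* The output side: render a type number the way ausearch prints it, so a
 * round trip through the parser above is lossless. buf is used only for
 * the UNKNOWN[n] case. */
const char *audit_number_to_type(int value, char *buf, size_t buflen)
{
    size_t i;

    for (i = 0; i < NKNOWN; i++)
        if (known_types[i].value == value)
            return known_types[i].name;
    snprintf(buf, buflen, "UNKNOWN[%d]", value);
    return buf;
}

int main(void)
{
    /* Constructed sample fields: the three valid forms plus inputs the
     * loose "find a '[' anywhere" check would have mis-parsed. */
    const char *samples[] = { "SYSCALL", "UNKNOWN[1300]", "1300",
                              "UNKNOWN[12x]", "foo[12]bar", "UNKNOWN[]",
                              "-5", "1300 ", "" };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int n = audit_type_to_number(samples[i]);
        printf("%-16s -> %5d", samples[i], n);
        if (n >= 0)
            printf("  (renders as %s)", audit_number_to_type(n, buf, sizeof buf));
        printf("\n");
    }
    return 0;
}
```

Anything the parser rejects is reported as -1, mirroring the `num = -1` convention in the quoted excerpt, so the caller's existing fallback path is unchanged while the set of accepted inputs shrinks to the three documented forms.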