From: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com, gcwilson@us.ibm.com, bryntcor@us.ibm.com
Subject: Re: [PATCH 2/2] auvirt: Remove workaround for VM name searching
Date: Thu, 09 Feb 2012 11:22:34 -0200
Message-ID: <4F33C89A.1030901@linux.vnet.ibm.com>
In-Reply-To: <201202081406.25471.sgrubb@redhat.com>

Thanks for your explanation. I hadn't noticed how escaped fields work.

Regarding the search algorithm fix, sorry but it is not clear to me
where you meant to say to add the type check and the escape. Did you
mean inside the ausearch_add_item or in the function which is calling
the ausearch_add_item function?

I'll submit a patch to libvirt instead and then update auvirt.

Regards,
Marcelo

On 02/08/2012 05:06 PM, Steve Grubb wrote:
> On Wednesday, February 08, 2012 12:04:58 PM Marcelo Cerri wrote:
>> Auvirt adds quotes to the given VM name when creating the search criteria.
>> With the previous patch, this workaround is no longer needed and this
>> patch removes it.
> What you are seeing here is actually a different problem. The description you
> have:
>
> using the example above the following rule will not match:
> ausearch_add_item(au, "vm", "=", "guest-name", how);
>
> But this rule will match:
> ausearch_add_item(au, "vm", "=", "\"guest-name\"", how);
>
> describes the following issue. If you look at the vm field type, it has this
> relationship in typetab.h:
> _S(AUPARSE_TYPE_ESCAPED, "vm"
>
> Which means that if you are not getting a hit, the search algorithm might need
> fixing. If the searched field type is escaped, the algorithm should escape the
> field and then do the match. For example, what if you have a vm name of "test
> run". It will wind up being escaped and looking like hex encoded ascii. This is
> much worse than just adding quotes.
>
> So, I think the best solution is make this invisible to the outside world. The
> function call ausearch_add_item() should do a type lookup of the field and then
> escape the value if the returned type is AUPARSE_TYPE_ESCAPED.
>
> On output, your program probably wants to call auparse_get_field_type() and if
> it's AUPARSE_TYPE_ESCAPED, then call auparse_interpret_field() and output that.
>
> -Steve
>
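
Added example, not part of the original thread and not libauparse code: a self-contained sketch of the escape-then-match step discussed in the quoted reply, showing why "guest-name" only matches with quotes and why "test run" ends up as hex. The helper names `escape_value` and `escaped_field_matches` are hypothetical, and the encoding rule (quoted unless the value contains a space, a double quote, or a non-printable byte, otherwise upper-case hex) is an assumption based on the usual audit convention for untrusted strings.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a libauparse function: encode a search value the
 * way an escaped field appears in a raw record. Assumed rule: quoted when
 * every byte is printable, non-space ASCII other than '"', else upper-case
 * hex. Returns 0 on success, -1 if out is too small. */
int escape_value(const char *val, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = strlen(val), i;
    int need_hex = 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)val[i];
        if (c == '"' || c < 0x21 || c > 0x7e)
            need_hex = 1;
    }
    if (!need_hex) {
        if (outlen < n + 3)
            return -1;
        snprintf(out, outlen, "\"%s\"", val);
        return 0;
    }
    if (outlen < 2 * n + 1)
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)val[i];
        out[2 * i] = hex[c >> 4];
        out[2 * i + 1] = hex[c & 0x0f];
    }
    out[2 * n] = '\0';
    return 0;
}

/* Hypothetical matcher: 1 if the raw field equals the escaped user value. */
int escaped_field_matches(const char *raw_field, const char *user_value)
{
    char buf[512];
    if (escape_value(user_value, buf, sizeof(buf)) != 0)
        return 0;
    return strcmp(raw_field, buf) == 0;
}

int main(void)
{
    /* Constructed raw vm= values; both lines print 1. */
    printf("%d\n", escaped_field_matches("\"guest-name\"", "guest-name"));
    printf("%d\n", escaped_field_matches("746573742072756E", "test run"));
}
```

With the escaping done inside the matcher, a caller that adds its own quotes no longer matches, because the quote characters themselves force the hex form.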