From: Marcelo Cerri
Subject: Re: [PATCH 2/2] auvirt: Remove workaround for VM name searching
Date: Thu, 09 Feb 2012 11:22:34 -0200
Message-ID: <4F33C89A.1030901@linux.vnet.ibm.com>
In-Reply-To: <201202081406.25471.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com, gcwilson@us.ibm.com, bryntcor@us.ibm.com

Thanks for your explanation. I hadn't noticed how escaped fields work.

Regarding the search algorithm fix, sorry but it is not clear to me where you meant to say to add the type check and the escape. Did you mean inside the ausearch_add_item or in the function which is calling the ausearch_add_item function?

I'll submit a patch to libvirt instead and then update auvirt.

Regards,
Marcelo

On 02/08/2012 05:06 PM, Steve Grubb wrote:
> On Wednesday, February 08, 2012 12:04:58 PM Marcelo Cerri wrote:
>> Auvirt adds quotes to the given VM name when creating the search criteria.
>> With the previous patch, this workaround is no longer needed and this
>> patch removes it.
> What you are seeing here is actually a different problem. The description you
> have:
>
> using the example above the following rule will not match:
> ausearch_add_item(au, "vm", "=", "guest-name", how);
>
> But this rule will match:
> ausearch_add_item(au, "vm", "=", "\"guest-name\"", how);
>
> describes the following issue. If you look at the vm field type, it has this
> relationship in typetab.h:
> _S(AUPARSE_TYPE_ESCAPED, "vm"
>
> Which means that if you are not getting a hit, the search algorithm might need
> fixing. If the searched field type is escaped, the algorithm should escape the
> field and then do the match. For example, what if you have a vm name of "test
> run". It will wind up being escaped and looking like hex encoded ascii. This is
> much worse than just adding quotes.
>
> So, I think the best solution is to make this invisible to the outside world. The
> function call ausearch_add_item() should do a type lookup of the field and then
> escape the value if the returned type is AUPARSE_TYPE_ESCAPED.
>
> On output, your program probably wants to call auparse_get_field_type() and if
> it's AUPARSE_TYPE_ESCAPED, then call auparse_interpret_field() and output that.
>
> -Steve
>