From mboxrd@z Thu Jan 1 00:00:00 1970
From: Marcelo Cerri
Subject: Re: [PATCH 2/2] auvirt: Remove workaround for VM name searching
Date: Thu, 09 Feb 2012 15:51:24 -0200
Message-ID: <4F34079C.8030607@linux.vnet.ibm.com>
References: <1328720698-24633-1-git-send-email-mhcerri@linux.vnet.ibm.com> <201202081406.25471.sgrubb@redhat.com> <4F33C89A.1030901@linux.vnet.ibm.com> <201202090835.07008.sgrubb@redhat.com>
In-Reply-To: <201202090835.07008.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com, gcwilson@us.ibm.com, bryntcor@us.ibm.com
List-Id: linux-audit@redhat.com

On 02/09/2012 11:35 AM, Steve Grubb wrote:
> On Thursday, February 09, 2012 08:22:34 AM Marcelo Cerri wrote:
>> Thanks for your explanation. I hadn't noticed how escaped fields work.
>>
>> Regarding the search algorithm fix, sorry but it is not clear to me
>> where you meant to say to add the type check and the escape. Did you
>> mean inside the ausearch_add_item or in the function which is calling
>> the ausearch_add_item function?
>
> I think it's best to put it inside the function so that app writers do not have
> to think about it.
> They just pass a string and it's fixed up. I was also thinking
> about the alternative, which is to decode the fields during search and then
> compare. But this would be slower because we decode every field value whether it
> matches or not. So, we can just encode the item being searched for and then
> compare raw values. I suppose the man page should clarify this for app writers
> just in case.

Digging into auparse source code, I noticed there is an "interpreted"
version of ausearch_add_item (ausearch_add_interpreted_item). I could
get matches for the "vm" field using this function. Do you think that
it's still necessary to change ausearch_add_item?

>
>> I'll submit a patch to libvirt instead and then update auvirt.
>
> I wished I caught that sooner, too. As for auvirt, since you know vm is an
> escaped field, you don't actually need to put the "if" statement to check its
> type. You can just call the interpret function unconditionally and use its
> output.
>

Probably it'll also be necessary to add the "old-net" and "new-net"
fields to the typetab.h file. If a field isn't in typetab.h, what type
is considered for it? Is it considered just a regular string?

> Thanks,
> -Steve
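
The approach discussed in this thread (encode the search term once, then compare it against raw field values instead of decoding every field) is sketched below as an added example; it is not code from the thread, from auparse, or from auvirt. The helper names, the sample values, and the simplified escaping rule (modelled on the audit untrusted-string check) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified escaping rule: a value holding a double quote, a
 * space or control byte (< 0x21), or a byte above 0x7e is written as bare
 * upper-case hex; any other value is written inside double quotes. */
static int needs_hex(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p == '"' || *p < 0x21 || *p > 0x7e)
            return 1;
    return 0;
}

/* Encode a search term the way the record writer would have stored it.
 * Returns a malloc'd string owned by the caller, or NULL on failure. */
char *encode_term(const char *s)
{
    size_t n = strlen(s);
    char *out = malloc(2 * n + 3);
    if (!out)
        return NULL;
    if (needs_hex(s)) {
        for (size_t i = 0; i < n; i++)
            snprintf(out + 2 * i, 3, "%02X", (unsigned char)s[i]);
    } else {
        snprintf(out, n + 3, "\"%s\"", s);
    }
    return out;
}

/* One encode, then plain strcmp against each raw value: no per-field decode. */
int count_matches(const char *term, const char *const raw[], size_t n)
{
    int hits = 0;
    char *enc = encode_term(term);
    if (!enc)
        return -1;
    for (size_t i = 0; i < n; i++)
        hits += strcmp(enc, raw[i]) == 0;
    free(enc);
    return hits;
}

/* Constructed raw values for an escaped field such as "vm". */
const char *const SAMPLE_RAW[] = {
    "\"guest1\"", "6D7920677565737420766D", "\"guest2\"" };

int main(void)
{
    printf("%d\n", count_matches("my guest vm", SAMPLE_RAW, 3));
    return 0;
}
```

A caller that passes the plain name "my guest vm" matches the hex-encoded record without the search loop ever decoding a field.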