[patch] Syscall auditing - move "name=" field to the end
Chris Wright
chrisw at osdl.org
Thu Mar 17 19:55:17 UTC 2005
* David Woodhouse (dwmw2 at infradead.org) wrote:
> On Thu, 2005-03-17 at 14:17 -0500, Valdis.Kletnieks at vt.edu wrote:
> > If you include "whitespace" as a "dubious" character, that would kill
> > several birds with one stone. Then you just need 'name=A:ascii_string'
> > or 'name=H:hexstring' and most parsing issues go away. Works for me...
>
> Untested:
I like this.
> --- linux-2.6.9/kernel/audit.c.auditstr 2005-03-17 19:08:42.000000000 +0000
> +++ linux-2.6.9/kernel/audit.c 2005-03-17 19:24:20.000000000 +0000
> @@ -731,6 +731,29 @@ void audit_log_format(struct audit_buffe
> va_end(args);
> }
>
> +void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len)
> +{
> + int i;
> +
> + for (i=0; i<len; i++)
> + audit_log_format(ab, "%02x", buf[i]);
Could use '\0' to terminate loop instead of doing extra strlen()
> +void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
> +{
> + const char *p = string;
> +
> + while (*p) {
> + if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) {
1) would '*p < 0x20 || *p > 0x7f -> !isprint(*p)' look cleaner?
2) i wonder, do we need dump hex if there's a space since it's wrapped
in quotes?
3) if so, what about other space (like tab)? dunno how the parsers are
defining whitespace.
More information about the Linux-audit
mailing list