[patch] Syscall auditing - move "name=" field to the end
Steve Grubb
sgrubb at redhat.com
Fri Mar 18 18:44:47 UTC 2005
On Friday 18 March 2005 11:20, Timothy R. Chavez wrote:
> I'm going to hold off on the next auditfs patch to add this support into my
> code and use it for my name= and filterkey= fields so we can have some
> uniformity.
I can see why you need it for name, but I cannot see a reason for filterkey.
I've tightened the communication between auditctl and the kernel in the 0.6.9
release. In this way, I can better detect and handle errors with the kernel.
I would think that you could scan filterkey when accepting the key and allow
only alpha numeric characters, underscore, and dash. Anything else generates
an EINVAL.
This would be less work for me to parse and faster for the kernel since it
doesn't spend time encoding that field.
-Steve
More information about the Linux-audit
mailing list