[RFC][PATCH] collect security labels on user processes generating audit messages

Stephen Smalley sds at tycho.nsa.gov
Wed Feb 15 16:37:20 UTC 2006


On Wed, 2006-02-15 at 11:22 -0500, Steve Grubb wrote:
> This should be a separate thread since the topic is different.
> 
> On Wednesday 15 February 2006 11:14, Linda Knippers wrote:
> > Amy submitted a patch a while back to eliminate the "name=" field
> > to avoid "name=(null)" from the audit records if there was no name
> > but I don't think the patch went anywhere.
> 
> Right. I want all audit fields to have name=value. If we have %s in the 
> message and pass NULL to it, snprintf is already going to put "(null)" so 
> what's wrong with just using this precedent?

In that case, Tim doesn't need a special check for !ctx in his code at
all.  But see below.

> It creates parsing problems without a value. If I saw "tty="  and that's all, 
> I'd think the audit system malfunctioned and file a bugzilla. I don't want 
> that.

OTOH, if I see (null), I tend to assume a bug in the code.  Isn't it
saner to just omit the name=value pair altogether if the value is NULL?
Otherwise, you are adding extra processing on the generation and parsing
side for no benefit, along with wasting space in the audit message.

-- 
Stephen Smalley
National Security Agency



