[PATCH] Fix acct quoting in audit_log_acct_message())
Eric Paris
eparis at redhat.com
Tue Mar 4 19:05:36 UTC 2008
On Tue, 2008-03-04 at 13:29 -0500, John Dennis wrote:
> Tomas Mraz wrote:
> > 1. Messages contain <name>=<value> pairs separated by spaces.
> > 2. All <names> are just alphanumeric sequences.
> > 3. Values can be either:
> > a) byte sequences with the following special characters encoded as %XX
> > where XX is hexadecimal value of the encoded byte. Special characters
> > are: bytes with value <= 0x20 or >= 0x7F, '%', '(', ')', and '='.
> > b) recursively embedded messages enclosed in '(' and ')' parentheses.
>
> I think if a value is a string then the fact it is a string should be
> explicit and the boundaries of the string should be delimited.
>
> The simplest way to achieve this is by enclosing string values in double
> quotes and assuring any double quote contained in the string is escaped.
> If a value is not enclosed in double quotes it is not a string and is
> not subject to unescaping (decoding).
You also need to start looking at where messages come from before we
decide we can change them any way we want. Any message generated by the
audit system should be encoded according to the audit system standards.
Any message generated by a CONSUMER of the audit system is wholely
responsible for their own encoding decisions (although we obviously
should encourage them to follow standard practice.) The audit system
has no 'right' to change those messages just to make a userspace library
easier. I realize you don't want to ever look at the TYPE= part of the
message to make decisions, but that's just too bad.
Lets standardize syscall messages. Lets standardize audit config
messages. Lets standardize every message the audit system itself
generates. If the package owners so choose lets standardize each
userspace audit message. But avc messages are wholely the
responsibility of the selinux community and I don't want to see any
patches which makes them fail to be backwards compatible.
Like it or not I will not accept any kernel patch which causes a new
kernel to break SELinux usability with FC2 userspace. read that again.
-Eric
More information about the Linux-audit
mailing list