[PATCH 2/2] auvirt: Remove workaround for VM name searching
Steve Grubb
sgrubb at redhat.com
Wed Feb 8 19:06:25 UTC 2012
On Wednesday, February 08, 2012 12:04:58 PM Marcelo Cerri wrote:
> Auvirt adds quotes to the given VM name when creating the search criteria.
> With the previous patch, this workaround is no longer needed and this
> patch removes it.
What you are seeing here is actually a different problem. The description you
have:
    using the example above the following rule will not match:

        ausearch_add_item(au, "vm", "=", "guest-name", how);

    But this rule will match:

        ausearch_add_item(au, "vm", "=", "\"guest-name\"", how);

describes the following issue. If you look at the vm field type, it has this
relationship in typetab.h:
_S(AUPARSE_TYPE_ESCAPED, "vm"
Which means that if you are not getting a hit, the search algorithm might need
fixing. If the searched field type is escaped, the algorithm should escape the
field and then do the match. For example, what if you have a vm name of "test
run"? It will wind up being escaped and looking like hex encoded ascii. This is
much worse than just adding quotes.
So, I think the best solution is to make this invisible to the outside world. The
function call ausearch_add_item() should do a type lookup of the field and then
escape the value if the returned type is AUPARSE_TYPE_ESCAPED.
On output, your program probably wants to call auparse_get_field_type() and if
it's AUPARSE_TYPE_ESCAPED, then call auparse_interpret_field() and output that.
-Steve
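
Added example, not part of the original message and not code from the audit project: a sketch of the "escape the search value, then match" step described above. The helper names escape_value() and escaped_field_matches() are hypothetical, and the encoding rule (quote the value unless it contains a double quote or a byte outside 0x21..0x7e, otherwise uppercase hex) is an assumption about how escaped fields are written to the raw record.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if the value cannot be logged as a plain quoted string.
 * Assumed rule: a double quote or any byte outside 0x21..0x7e (a space counts). */
static int needs_hex(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p == '"' || *p < 0x21 || *p > 0x7e)
            return 1;
    return 0;
}

/* Hypothetical helper: build the raw-record form of an escaped-type value.
 * Caller frees the result; returns NULL on allocation failure. */
char *escape_value(const char *s)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = strlen(s);
    char *out = malloc(2 * n + 3);   /* large enough for either form */
    if (!out)
        return NULL;
    if (!needs_hex(s)) {
        snprintf(out, 2 * n + 3, "\"%s\"", s);
        return out;
    }
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        out[2 * i] = hex[c >> 4];
        out[2 * i + 1] = hex[c & 0x0f];
    }
    out[2 * n] = '\0';
    return out;
}

/* Hypothetical matcher: escape the caller's plain value, then compare it
 * with the raw field text, so the caller never adds quotes by hand. */
int escaped_field_matches(const char *raw_field, const char *plain)
{
    char *e = escape_value(plain);
    int hit = e && strcmp(raw_field, e) == 0;
    free(e);
    return hit;
}

int main(void)
{
    /* Constructed raw values, as they would follow "vm=" in a record. */
    printf("%d\n", escaped_field_matches("\"guest-name\"", "guest-name"));
    printf("%d\n", escaped_field_matches("746573742072756E", "test run"));
    return 0;
}
```

With this in place the caller passes the plain VM name in both cases; a name containing a space only matches through the hex form, which is why prepending quotes in the caller is not enough.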