[PATCH 2/2] auvirt: Remove workaround for VM name searching

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Thu Feb 9 13:22:34 UTC 2012


Thanks for your explanation. I hadn't noticed how escaped fields work.

Regarding the search algorithm fix, sorry but it is not clear to me 
where you meant to say to add the type check and the escape. Did you 
mean inside the ausearch_add_item or in the function which is calling 
the ausearch_add_item function?

I'll submit a patch to libvirt instead and then update auvirt.

Regards,
Marcelo

On 02/08/2012 05:06 PM, Steve Grubb wrote:
> On Wednesday, February 08, 2012 12:04:58 PM Marcelo Cerri wrote:
>> Auvirt adds quotes to the given VM name when creating the search criteria.
>> With the previous patch, this workaround is no longer needed and this
>> patch removes it.
> What you are seeing here is actually a different problem. The description you
> have:
>
> using the example above the following rule will not match:
>   ausearch_add_item(au, "vm", "=", "guest-name", how);
>
> But this rule will match:
>   ausearch_add_item(au, "vm", "=", "\"guest-name\"", how);
>
> describes the following issue. If you look at the vm field type, it has this
> relationship in typetab.h:
> _S(AUPARSE_TYPE_ESCAPED,	"vm"
>
> Which means that if you are not getting a hit, the search algorithm might need
> fixing. If the searched field type is escaped, the algorithm should escape the
> field and then do the match. For example, what if you have a vm name of "test
> run". It will wind up being escaped and looking like hex encoded ascii. This is
> much worse than just adding quotes.
>
> So, I think the best solution is to make this invisible to the outside world. The
> function call ausearch_add_item() should do a type lookup of the field and then
> escape the value if the returned type is AUPARSE_TYPE_ESCAPED.
>
> On output, your program probably wants to call auparse_get_field_type() and if
> it's AUPARSE_TYPE_ESCAPED, then call auparse_interpret_field() and output that.
>
> -Steve
>
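
The escaping discussed in this thread, as an added example that is not code from the thread or from the audit project: it shows why "guest-name" only matches with quotes added and why "test run" would appear as hex. The helper name escape_for_search() is hypothetical, and the encoding rule (double quote or any byte outside 0x21..0x7e forces uppercase hex, otherwise the value is wrapped in double quotes) is an assumption based on how the kernel logs untrusted strings.

```c
#include <stdio.h>
#include <string.h>

/* Assumed rule: a double quote or any byte outside 0x21..0x7e means the
 * value is logged as hex instead of as a quoted string. */
static int needs_hex(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p == '"' || *p < 0x21 || *p > 0x7e)
            return 1;
    return 0;
}

/* Hypothetical helper: write to out the form the value would take in a log
 * record, so a search compares like with like.
 * Returns 0 on success, -1 if out is too small. */
int escape_for_search(const char *value, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(value);

    if (!needs_hex(value)) {
        if (outlen < len + 3)           /* two quotes plus NUL */
            return -1;
        out[0] = '"';
        memcpy(out + 1, value, len);
        out[len + 1] = '"';
        out[len + 2] = '\0';
        return 0;
    }
    if (outlen < 2 * len + 1)           /* two hex digits per byte plus NUL */
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        out[2 * i] = hex[c >> 4];
        out[2 * i + 1] = hex[c & 0x0f];
    }
    out[2 * len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample VM names, not taken from any real log. */
    const char *names[] = { "guest-name", "test run", "a\"b" };
    char buf[128];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (escape_for_search(names[i], buf, sizeof buf) == 0)
            printf("%-12s -> vm=%s\n", names[i], buf);
    return 0;
}
```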



