[PATCH 2/2] auvirt: Remove workaround for VM name searching

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Thu Feb 9 17:51:24 UTC 2012


On 02/09/2012 11:35 AM, Steve Grubb wrote:
> On Thursday, February 09, 2012 08:22:34 AM Marcelo Cerri wrote:
>> Thanks for your explanation. I hadn't noticed how escaped fields work.
>>
>> Regarding the search algorithm fix, sorry but it is not clear to me
>> where you meant to say to add the type check and the escape. Did you
>> mean inside the ausearch_add_item or in the function which is calling
>> the ausearch_add_item function?
>
> I think it's best to put it inside the function so that app writers do not have
> to think about it. They just pass a string and it's fixed up. I was also thinking
> about the alternative, which is to decode the fields during search and then
> compare. But this would be slower because we decode every field value whether it
> matches or not. So, we can just encode the item being searched for and then
> compare raw values. I suppose the man page should clarify this for app writers
> just in case.

Digging into auparse source code, I noticed there is an "interpreted" 
version of ausearch_add_item (ausearch_add_interpreted_item). I could 
get matches for the "vm" field using this function. Do you think that 
it's still necessary to change ausearch_add_item?

>
>> I'll submit a patch to libvirt instead and then update auvirt.
>
> I wish I'd caught that sooner, too. As for auvirt, since you know vm is an
> escaped field, you don't actually need to put the "if" statement to check its
> type. You can just call the interpret function unconditionally and use its
> output.
>

Probably it'll also be necessary to add the "old-net" and "new-net" 
fields to the typetab.h file. If a field isn't in typetab.h, what type 
is considered for it? Is it considered just a regular string?

> Thanks,
> -Steve
>
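
Added example, not part of the original message and not auparse code: a sketch of the "encode the search term once, then compare raw values" approach discussed in the thread. Assumptions: the escaping rule in `needs_encoding` is a simplified model of how audit records store untrusted strings (quoted when plain, uppercase hex otherwise), the function names are hypothetical, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed rule: hex-encode when the value holds a double quote,
 * whitespace/control bytes, or anything outside printable ASCII. */
static int needs_encoding(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '"' || c < 0x21 || c > 0x7e)
            return 1;
    }
    return 0;
}

/* Encode a search term the way the record writer would have stored it.
 * Returns 0 on success, -1 if the output buffer is too small. */
static int encode_value(const char *s, char *out, size_t outlen)
{
    size_t n = strlen(s);
    if (!needs_encoding(s)) {
        if (n + 3 > outlen)
            return -1;
        snprintf(out, outlen, "\"%s\"", s);   /* plain value: quoted */
        return 0;
    }
    if (2 * n + 1 > outlen)
        return -1;
    for (size_t i = 0; i < n; i++)            /* escaped value: hex */
        snprintf(out + 2 * i, 3, "%02X", (unsigned char)s[i]);
    return 0;
}

/* Encode once, then compare against the raw field text; no per-record
 * decoding is needed. A term that cannot be encoded never matches. */
static int raw_match(const char *raw_field, const char *term)
{
    char enc[512];
    if (encode_value(term, enc, sizeof enc) != 0)
        return 0;
    return strcmp(raw_field, enc) == 0;
}

int main(void)
{
    /* Constructed raw values, as they would follow "vm=" in a record. */
    printf("%d\n", raw_match("\"fedora16\"", "fedora16"));
    printf("%d\n", raw_match("6D7920766D", "my vm"));
    return 0;
}
```

Comparing the caller's unencoded string directly against the raw field fails in both cases, which is the mismatch the thread is about.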



