Re: [PATCH 02/13] AppArmor: basic auditing infrastructure.
From: John Johansen
Date: Thu Jul 15 2010 - 14:07:30 EST
On 07/15/2010 10:36 AM, Eric Paris wrote:
> On Thu, 15 Jul 2010 09:36:46 -0700
> John Johansen <john.johansen@xxxxxxxxxxxxx> wrote:
>
>> On 07/15/2010 08:18 AM, Eric Paris wrote:
>>> On Wed, Jul 14, 2010 at 8:43 PM, John Johansen
>>> <john.johansen@xxxxxxxxxxxxx> wrote:
>
>>>> + if (sa->aad.profile) {
>>>> + struct aa_profile *profile = sa->aad.profile;
>>>> + pid_t pid;
>>>> + rcu_read_lock();
>>>> + pid = tsk->real_parent->pid;
>>>> + rcu_read_unlock();
>>>> + audit_log_format(ab, " parent=%d", pid);
>>>> + audit_log_format(ab, " profile=");
>>>> + if (profile->ns != root_ns) {
>>>> + audit_log_format(ab, ":");
>>>> + audit_log_untrustedstring(ab,
>>>> profile->ns->base.hname);
>>>> + audit_log_format(ab, "://");
>>>> + }
>>>> + audit_log_untrustedstring(ab, profile->base.hname);
>>>> + }
>>>
>>> what does this message look like? I don't think it fits the nice
>>> key=value rules of the audit system.... Are you sure this is what
>>> you want?
>>>
>> it looks like
>> profile=:ns_name://profile_name
>
> Actually it would be:
>
> profile=:"ns_name"://"profile_name"
>
> The 'untrustedstring' call is going to add "" just making sure you are
> ok with that. I guess the audit libs will deal with it ok.
right, lets just be on the safe side and switch to namespace=" ", and
profile=" ". That will avoid any potential problems
thanks Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/