OK, I chased this down to make sure of what is happening. The audit working
 group has a test kernel, lspp.8, that has all the future audit and lspp
 patches in it for testing. (It can be found at
 http://people.redhat.com/sgrubb/files/lspp). There is a patch,
 linux-2.6-audit-git.patch, which is not upstream, but should be in the next
 kernel. That changes the code in audit_log_exit of auditsc.c to:
 
                 if (context->names[i].name)
                         audit_log_untrustedstring(ab, context->names[i].name);
                 else
                         audit_log_format(ab, "(null)");
 
 The code in audit_log_untrustedstring does this:
 
         while (*p) {
                 if (*p == '"' || *p == '(' || *p < 0x21 || *p > 0x7f) {
                         audit_log_hex(ab, string, strlen(string));
                         return;
                 }
                 p++;
         }
         audit_log_format(ab, "\"%s\"", string);
 
 This means that a real NULL will never have the double-quote marks around it,
 where a file named (null) will always have double-quote marks around it. I
 confirmed this by looking in the audit logs.
 
 However...ausearch does not make this distinction in its output. I will see
 what I can do to make the necessary adjustments to ausearch so that it's more
 obvious. So, I think that puts this issue to bed...

Except for what other code should do about NULL pointers in output.  If
they defer it to vsnprintf, they will end up with <NULL> in the output.
So should Tim's code be checking for !ctx and outputting (null) there as
well?
-- 
Stephen Smalley
National Security Agency
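
An added example, not part of the original messages and not code from the kernel or ausearch: a consumer-side decoder that keeps the bare (null) marker, a quoted file name, and a hex-encoded file name apart, so that a file actually named (null) is never reported as a missing name. The names decode_name and enum name_kind are hypothetical, and the sample field values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for this example; not taken from ausearch or the kernel. */
enum name_kind { NAME_NULL, NAME_QUOTED, NAME_HEX, NAME_INVALID };

enum name_kind decode_name(const char *val, char *out, size_t outsz)
{
    size_t i, len = strlen(val);

    if (outsz == 0)
        return NAME_INVALID;
    out[0] = '\0';
    if (strcmp(val, "(null)") == 0)          /* bare: no name pointer at all */
        return NAME_NULL;
    if (len >= 2 && val[0] == '"' && val[len - 1] == '"') {
        if (len - 2 >= outsz)
            return NAME_INVALID;
        memcpy(out, val + 1, len - 2);       /* quoted: literal file name */
        out[len - 2] = '\0';
        return NAME_QUOTED;
    }
    if (len == 0 || len % 2 != 0 || len / 2 >= outsz)
        return NAME_INVALID;
    for (i = 0; i < len; i += 2) {           /* otherwise: hex-encoded bytes */
        char byte[3] = { val[i], val[i + 1], '\0' };
        if (!isxdigit((unsigned char)val[i]) || !isxdigit((unsigned char)val[i + 1])) {
            out[0] = '\0';                   /* discard partial output */
            return NAME_INVALID;
        }
        out[i / 2] = (char)strtoul(byte, NULL, 16);
    }
    out[len / 2] = '\0';
    return NAME_HEX;
}

int main(void)
{
    /* Constructed field values, not copied from a real audit log. */
    const char *samples[] = { "(null)", "\"(null)\"", "286E756C6C29", "2G" };
    char buf[64];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> kind %d [%s]\n", samples[i],
               (int)decode_name(samples[i], buf, sizeof buf), buf);
    return 0;
}
```

Reporting the kind alongside the decoded name is what lets output show a missing name differently from a file whose name happens to be the same six characters.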