Re: [RFC][PATCH] collect security labels on user processes generating audit messages

On Wednesday 15 February 2006 11:37, Stephen Smalley wrote: > > It creates parsing problems without a value. If I saw "tty=" and that's > > all, I'd think the audit system malfunctioned and file a bugzilla. I > > don't want that. > > OTOH, if I see (null), I tend to assume a bug in the code. Isn't it > saner to just omit the name=value pair altogether if the value is NULL? No, cause then I have non-normalized records. > Otherwise, you are adding extra processing on the generation and parsing > side for no benefit, along with wasting space in the audit message. There is a benefit...no missing fields means that the record is normalized. This is a required step before we create a binary format record. There are performance benefits in the kernel as well as user space. The kernel doesn't have to have an "if" statement with 2 nearly identical calls to audit_log_format or 2 back to back calls to the same function adding a new piece of info. In userspace, I can parse it faster since I don't have to backtrack and re-parse from the last good token to look for the next field after deciding one is missing. -Steve