Re: [PATCH v26 22/25] Audit: Add new record for multiple process LSM attributes
Hello Casey,
On Monday, May 24, 2021 11:53:30 AM EDT Casey Schaufler wrote:
On 5/22/2021 7:00 PM, Steve Grubb wrote:
> On Friday, May 21, 2021 6:05:41 PM EDT Casey Schaufler wrote:
>>>> The record is produced only in cases where there is more than one
>>>> security module with a process "context".
>>>> In cases where this record is produced the subj= fields of
>>>> other records in the audit event will be set to "subj=?".
>>>>
>>>> An example of the MAC_TASK_CONTEXTS (1420) record is:
>>>>
>>>> type=UNKNOWN[1420]
>>>> msg=audit(1600880931.832:113)
>>>> subj_apparmor==unconfined
>>>
>>> It should be just a single "=" in the line above.
>>
>> AppArmor provides the 2nd "=" as part of the subject context.
>> What's here is correct. I won't argue that it won't case confusion
>> or worse.
>
> We have a specification for a very long time:
>
> https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good
> -Events
>
> Everyone has to obey rules or no tools work.
Right. Would quoting the value subj_apparmor="=unconfined" suffice?
Yes, if you really need that '=' as part of the value. I'd try to do away
with it entirely if possible. Generally '==' is used to convey "equal
to".
Where '=' means "is assigned". I'd argue that they are
interchangable in
meaning and can simply be converted to the log's expected format.
I think that's what the rulebook says, but I like to be sure.
:-)
-Steve