Re: [PATCH] TaskTracker : Simplified thread information tracker.
On Monday, January 12, 2015 10:14:34 AM Steve Grubb wrote:
On Monday, January 12, 2015 03:13:12 PM Tetsuo Handa wrote:
> This record contains multiple user-influenced comm names. If I use
> audit_log_untrustedstring(), I would need to split this record into
> multiple records like history[0]='...' history[1]='...'
history[2]='...'
> in order to avoid matching delimiters (i.e. ';', '=' and
'>') used in
> this record.
That sounds like a good change to me. Audit records are always name=value
with a space between fields. We need this to always stay like this because
the tooling expects that format. There is nowhere in the audit logs we use
=>.
As a FYI, I'm putting a hold on any new audit messages for the time being so
we can evaluate the current kernel audit API to determine the possibility of
transitioning to a less ugly API. I'll leave the door open for messages
needed to fix bugs, but that's it. If we do end up providing a new API and
record format, I want to limit the number of message types in the existing
API.
My apologies, but this is long overdue and the longer we wait the more
difficult it will become.
--
paul moore
www.paul-moore.com