On Mon, Jan 2, 2017 at 1:49 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Monday, January 2, 2017 5:42:47 PM EST Tyler Hicks wrote:
> > On 2017-01-02 12:20:53, Steve Grubb wrote:
> > > On Monday, January 2, 2017 4:53:10 PM EST Tyler Hicks wrote:
...
> > Thanks for having a look at the field name I was using. Although I
> > prefer "errno" over "exit" in terms of clarity, I agree that it makes
> > sense to be consistent with the field names across record types. "exit"
> > works for me.
FWIW, we have a nice (searchable due to GitHub CSV magic) audit field
database at the link below. I will admit that it may be a bit crusty
in places, but we are making a new effort to keep it updated; if you
notice anything wrong, send email and/or a PR.

* https://github.com/linux-audit/audit-documentation/blob/master/specs/fiel...
> > >
> > > http://people.redhat.com/sgrubb/files/auformat.tar.gz
> > >
> > > $ ausearch --start today --just-one -m syscall -sv no --raw | ./auformat "%EXIT\n"
> > >
> > > Also, I am working to normalize all the records. That means every event
> > > record of the same type has the same fields, in the same order, with the
> > > same representation. I would think "exit" could be added to the current
> > > record after syscall so that it's ordered similarly to a syscall record.
> >
> > This patch goes against your normalization efforts in more ways than
> > just the placement of the "exit" field. If the action is
> > SECCOMP_RET_KILL, a "sig" field is present but if the action is
> > SECCOMP_RET_ERRNO, the "sig" field will not be present but the "errno"
> > field will be present. This happens all within the AUDIT_SECCOMP record
> > type. How would you suggest normalizing AUDIT_SECCOMP records for
> > different seccomp return actions?
> Typically when the layout has to change, we just give it a new record type.
I'm going to be very loath to accept any new record types that *only*
reorder fields; if you need to add a new field, simply add it to the
end of the record. From my perspective new record types are really
only an option if we need to remove a field that is bogus/confusing or
some other similar case that is not easily solved. New record types
are a last resort.
--
paul moore
www.paul-moore.com
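As an added illustration of the field-layout problem discussed in the thread (this is not code from any of the participants or from the audit project): a small consumer-side parser that accepts both AUDIT_SECCOMP layouts Tyler describes, the existing one carrying "sig" for SECCOMP_RET_KILL and the proposed one carrying "exit" after "syscall" for SECCOMP_RET_ERRNO, and maps them onto one normalized shape. The sample records, the field values and the placement of "exit" are constructed assumptions based on the thread, not captured kernel output.

```python
import shlex

# Constructed sample AUDIT_SECCOMP records (assumption: layouts follow the
# thread's description, with "exit" placed after "syscall" as proposed).
SAMPLE_RECORDS = [
    # SECCOMP_RET_KILL: "sig" present, no "exit"
    'type=SECCOMP msg=audit(1483372800.100:101): auid=1000 uid=1000 gid=1000 '
    'ses=2 pid=4242 comm="sandboxed app" exe="/usr/bin/sandboxed" sig=31 '
    'arch=c000003e syscall=41 compat=0 ip=0x7f2a1b3c4d5e code=0x0',
    # SECCOMP_RET_ERRNO (proposed layout): "exit" present, no "sig"
    'type=SECCOMP msg=audit(1483372800.200:102): auid=1000 uid=1000 gid=1000 '
    'ses=2 pid=4242 comm="sandboxed app" exe="/usr/bin/sandboxed" '
    'arch=c000003e syscall=41 exit=-1 compat=0 ip=0x7f2a1b3c4d5e code=0x50001',
]


def parse_record(line):
    """Split a raw audit record into key/value pairs, honouring quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def normalize_seccomp(fields):
    """Map either layout onto a fixed shape: action, sig and exit always present."""
    if fields.get("type") != "SECCOMP":
        raise ValueError("not an AUDIT_SECCOMP record")
    out = {
        "pid": int(fields["pid"]),
        "arch": fields["arch"],
        "syscall": int(fields["syscall"]),
        "comm": fields.get("comm"),
    }
    if "exit" in fields:  # proposed SECCOMP_RET_ERRNO layout
        out.update(action="errno", exit=int(fields["exit"]), sig=None)
    elif "sig" in fields:  # existing SECCOMP_RET_KILL layout
        out.update(action="kill", sig=int(fields["sig"]), exit=None)
    else:
        raise ValueError("record has neither 'sig' nor 'exit'; unknown layout")
    return out


if __name__ == "__main__":
    for raw in SAMPLE_RECORDS:
        print(normalize_seccomp(parse_record(raw)))
```

Keying on field presence rather than position is what lets a log consumer survive the two layouts; a second record type, as Steve suggests, would make the dispatch on "type" instead.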