Re: [patch] Syscall auditing - move "name=" field to the end
* David Woodhouse (dwmw2(a)infradead.org) wrote:
On Thu, 2005-03-17 at 14:17 -0500, Valdis.Kletnieks(a)vt.edu wrote:
> If you include "whitespace" as a "dubious" character, that would
kill
> several birds with one stone. Then you just need 'name=A:ascii_string'
> or 'name=H:hexstring' and most parsing issues go away. Works for me...
Untested:
I like this.
--- linux-2.6.9/kernel/audit.c.auditstr 2005-03-17 19:08:42.000000000
+0000
+++ linux-2.6.9/kernel/audit.c 2005-03-17 19:24:20.000000000 +0000
@@ -731,6 +731,29 @@ void audit_log_format(struct audit_buffe
va_end(args);
}
+void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len)
+{
+ int i;
+
+ for (i=0; i<len; i++)
+ audit_log_format(ab, "%02x", buf[i]);
Could use '\0' to terminate loop instead of doing extra strlen()
+void audit_log_untrustedstring(struct audit_buffer *ab, const char
*string)
+{
+ const char *p = string;
+
+ while (*p) {
+ if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) {
1) would '*p < 0x20 || *p > 0x7f -> !isprint(*p)' look cleaner?
2) i wonder, do we need dump hex if there's a space since it's wrapped
in quotes?
3) if so, what about other space (like tab)? dunno how the parsers are
defining whitespace.