Re: [Fwd: [PATCH][RFC] SMACK : add logging support V1]
Eric Paris wrote:
> ...
>
> or using audit_log_untrustedstring and live with the fact that Labels with
'"' will be
> printed in hex (i dont expect '"' to be frequently used in labels.)
>
Since it can contain a " you may not use %s. Just go with
audit_log_untrustedstring and hope people don't use a "
I am willing to declare that ' and " may not be used in labels.
I've already done so with "/" to accommodate anyone who wants to
use a label in a path name. I've never allowed whitespace.
>> Can I suggest if you write userspace tools to do anything with these
>> audit records that you use libauparse? So if we do make changes, SMACK
>> tools keep working (this is the main problem with changing how SELinux
>> uses audit, the userspace tools don't use libauparse so we can't make
>> changes in just the kernel+library...)
>>
>>
> i can have a look, but my first need is /var/log/messages being pretty obvious to
read
>
The changes to string encoding and we want to do would actually make
records more human readable, so if that's your concern we are good.
But, if you ever make tools that parse the raw audit.log rather than
using libauparse it possible (likely?) they break someday down the line.
Don't forget these are going to show up in /var/log/audit/audit.log if
you have auditd running. They'll show up in dmesg/syslog if not.
Thanks for trying to share code between LSMs!
-Eric