On Wednesday 17 March 2010 02:49:38 pm John Dennis wrote:
> > comm's value should be in double-quotes unless it has special characters
> > and then it should be hex encoded. The reason being is comm could have a
> > white space in its name.
>
> Why would white space inside a quoted string cause it to be hex encoded?

Because someone could start a log injection attack. Comm is controlled by the
user which is untrusted. Although they are limited to 15 characters, it might
be enough to throw parsing off.

> Maybe my memory is fuzzy and I haven't been carefully tracking the audit
> changes lately. String values never used to be quoted, right?

When they are controlled by users, yes.

> When did quotes get added?

Back around 2005.

> Did we add quotes around strings but preserve the hex encoding for
> strings?

If the string starts with ", then it's safe to parse as is. If not, it is
assumed to be hex-encoded.

> What happened to the position that changing audit output from the kernel was
> verboten?

This particular avc originates from user space. The application needs to
follow the rules correctly so it doesn't mess up the logs.

-Steve
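
The quoting rule described in this message (a value that starts with `"` is parsed as is, anything else is taken as hex), written out for both the writer and the reader as an added example; it is not code from the original message or from the audit project. The function names and the exact set of bytes treated as "special" are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed meaning of "special": '"', space/control bytes, non-ASCII. */
static int needs_hex(const char *s) {
    for (; *s; s++)
        if (*s == '"' || (unsigned char)*s < 0x21 || (unsigned char)*s > 0x7e)
            return 1;
    return 0;
}

/* Writer: "value" when safe, upper-case hex otherwise. -1 if out is too small. */
int encode_field(const char *val, char *out, size_t outlen) {
    size_t n = strlen(val);
    if (!needs_hex(val))
        return snprintf(out, outlen, "\"%s\"", val) < (int)outlen ? 0 : -1;
    if (outlen < 2 * n + 1) return -1;
    for (size_t i = 0; i < n; i++)
        snprintf(out + 2 * i, 3, "%02X", (unsigned char)val[i]);
    return 0;
}

/* Reader: a leading '"' means literal text; anything else must be valid hex. */
int decode_field(const char *f, char *out, size_t outlen) {
    size_t n = strlen(f);
    if (f[0] == '"') {
        if (n < 2 || f[n - 1] != '"' || memchr(f + 1, '"', n - 2) || outlen < n - 1) return -1;
        memcpy(out, f + 1, n - 2);
        out[n - 2] = '\0';
        return 0;
    }
    if (n % 2 || outlen < n / 2 + 1) return -1;
    for (size_t i = 0; i < n; i += 2) {
        unsigned int b;
        if (!isxdigit((unsigned char)f[i]) || !isxdigit((unsigned char)f[i + 1])) return -1;
        sscanf(f + i, "%2x", &b);
        out[i / 2] = (char)b;
    }
    out[n / 2] = '\0';
    return 0;
}

int main(void) {
    char buf[64];
    if (encode_field("my prog", buf, sizeof buf) == 0)  /* constructed comm value */
        printf("comm=%s\n", buf);
    return 0;
}
```

Because a value containing a space never reaches the log as literal text, a reader that splits records on whitespace sees exactly one token per field.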