I don't think this patch is enough -- either we need to escape the text
completely or just dump it as hex instead of a string. One option would
be to dump it in quotes as a string if all chars in the string are in
the range 0x20-0x7e, and as hex otherwise. That slightly complicates the
parsing, but not by much, and still gives you plain text in the majority
of cases while protecting against abuse.

Dumping in hex instead of string would have a testing impact.  Using a
string in quotes would be a smaller hit, but there still would be
additional impact to test the "hex otherwise" case.

Kris Wilson
Linux Security
(512) 838-0126 T/L:678-0126
krisw(a)us.ibm.com
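
The quote-or-hex scheme discussed in the message above, sketched in C as an added example that is not part of the original thread or of any project's code. The names `encode_field` and `decode_field` are hypothetical, and treating the double quote as a byte that forces hex is an assumption of this example, made so a quoted value cannot terminate its own quoting.

```c
#include <stdio.h>
#include <string.h>

/* Plain = every byte in 0x20-0x7e, as the post proposes. Assumption of this
 * example: '"' also forces hex, so a value cannot close its own quotes. */
static int is_plain(const unsigned char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] < 0x20 || s[i] > 0x7e || s[i] == '"')
            return 0;
    return 1;
}

/* Encode n untrusted bytes; returns output length, or -1 if out is too small. */
int encode_field(const unsigned char *s, size_t n, char *out, size_t cap)
{
    if (cap < 2 * n + 3)
        return -1;
    if (is_plain(s, n))
        return snprintf(out, cap, "\"%.*s\"", (int)n, (const char *)s);
    for (size_t i = 0; i < n; i++)
        snprintf(out + 2 * i, 3, "%02X", s[i]);
    return (int)(2 * n);
}

static int hexval(char c)
{
    return c >= '0' && c <= '9' ? c - '0' : c >= 'A' && c <= 'F' ? c - 'A' + 10 : -1;
}

/* Decode: leading '"' means quoted text, else hex. Returns byte count or -1. */
int decode_field(const char *in, unsigned char *out, size_t cap)
{
    size_t len = strlen(in);
    if (in[0] == '"') {
        if (len < 2 || in[len - 1] != '"' || cap < len - 2)
            return -1;
        memcpy(out, in + 1, len - 2);
        return (int)(len - 2);
    }
    if (len % 2 || cap < len / 2)
        return -1;
    for (size_t i = 0; i < len; i += 2) {
        int hi = hexval(in[i]), lo = hexval(in[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return (int)(len / 2);
}
```

The parser distinguishes the two forms by the first character alone, which is the extra parsing step the message mentions; a value containing a newline or other control byte comes out as a single hex token and cannot start a new record or field.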