And here is the patch that updates audit_name_to_msg_type()

Rgds

On Mon, 2014-09-29 at 12:41 +1000, Burn Alting wrote:
> Steve,
> 
> In lib/lookup_table.c:audit_name_to_msg_type(), the event type value is
> parsed and converted to an integer as per,
> 
> Given
>         type=<type_value> 
> then
>         <type_value>
> is parsed for
>         - a known string 
>         - a long integer number, n, found in the specific string
>               "UNKNOWN[n]"
>         - a long integer number, n, found in the specific string
>               "n"
> 
> In src/ausearch-report.c:output_interpreted_node() it additionally
> parses for a <type_value> of
>         - a long integer number, n, found in the string "[^\[]*[n].*"
> i.e.
>         type=something[n]something_else
> 
> Is there any reason against adding this additional parsing into
> lib/lookup_table.c:audit_name_to_msg_type()?
> 
> If we can, then output_interpreted_node() can be re-factored so we are
> not parsing the same data twice for every event.
> 
> I am uncertain what effect accepting this additional format would
> have when adding rules to the running audit system - i.e.
> audit_name_to_msg_type() is called by autrace/auditctl when parsing
> rules (ie the msgtype field name).
> 
> 
> Regards
> 
> Burn
> 
> 
> 
> 
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

diff -Npru audit-2.4/lib/lookup_table.c audit-2.4_type_parsing/lib/lookup_table.c
--- audit-2.4/lib/lookup_table.c	2014-08-25 02:39:27.000000000 +1000
+++ audit-2.4_type_parsing/lib/lookup_table.c	2014-09-29 12:54:22.555781561 +1000
@@ -224,23 +224,34 @@ const char *audit_action_to_name(int act
 int audit_name_to_msg_type(const char *msg_type)
 {
 	int rc;
+	char * bptr;
 
 	if (msg_type_s2i(msg_type, &rc) != 0)
 		return rc;
 
 	/* Take a stab at converting */
-	if (strncmp(msg_type, "UNKNOWN[", 8) == 0) {
+	if ((bptr = strchr(msg_type, '['))) {
 		int len;
 		char buf[8];
-		const char *end = strchr(msg_type + 8, ']');
+		const char *end;
+		/*
+ 		 * First check for "type=UNKNOWN[", otherwise
+ 		 * we accept anything before the '['
+ 		 */
+		if (strncmp(msg_type, "UNKNOWN[", 8) == 0) {
+			bptr = (char *)msg_type + 8;
+		} else {
+			bptr++;
+		}
+		end = strchr(bptr, ']');
 		if (end == NULL)
 			return -1;
 
-		len = end - (msg_type + 8);
+		len = end - bptr;
 		if (len > 7)
 			len = 7;
 		memset(buf, 0, sizeof(buf));
-		strncpy(buf, msg_type + 8, len);
+		strncpy(buf, bptr, len);
 		errno = 0;
 		return strtol(buf, NULL, 10);
 	} else if (isdigit(*msg_type)) {
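Review bot: Bracket content is never validated in the widened `if ((bptr = strchr(msg_type, '[')))` branch: `strtol(buf, NULL, 10)` is returned as-is, so `foo[]` or `foo[abc]` yields 0, and `errno = 0` is set but never read. Before this change such strings did not match `UNKNOWN[` and presumably fell through to the error return; the cover mail notes that the same function parses the msgtype field for auditctl/autrace rules, so the looser match reaches rule input as well. I would pass an end pointer to strtol and return -1 for empty or non-numeric content, as sketched below. `bptr` can be declared `const char *bptr;`, which drops the `(char *)msg_type + 8` cast. The function body continues past the end of the hunk.

```c
		int len;
		long val;
		char buf[8];
		char *endp;
		/* … unchanged: prefix check, search for ']', len clamp, copy into buf … */
		errno = 0;
		val = strtol(buf, &endp, 10);
		/* reject empty or non-numeric bracket content instead of returning 0 */
		if (len == 0 || errno != 0 || *endp != '\0')
			return -1;
		return val;
```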
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
