On 2017-03-03 13:45, Florian Westphal wrote: > Richard Guy Briggs <[email protected]> wrote: > > > Perhaps I'm missing something here, but let me ask again, how does > > > userspace distinguish between an unset nfmark and a nfmark of > > > 0xffffffff? > > > > It can't. > > It can if you log it as 0, as I asked in patch 1 review.
I'd be inclined to do that, since it will always have a value even if its default is zero. The proto field would actually be unset if it was a protocol family that did not have a protocol field. > (You wouldn't log sk uid of 0 as -1 either, would you?) No, but you would log auid and session id as -1 if it were unset. - RGB -- Richard Guy Briggs <[email protected]> Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
