On 7/16/2019 9:14 AM, Steve Grubb wrote: > On Tuesday, July 16, 2019 12:00:05 PM EDT Casey Schaufler wrote: >> >> Unless there's an objection I will use this format with >> a slight modification. Smack allows commas in labels, so >> using a bare comma can lead to ambiguity. >> >> lsms=smack,apparmor subj="TS/Alpha,Beta","a"
Oops! '/' isn't allowed in a Smack label. How embarrassing is that? >> >> It's more code change than some of the other options, >> but if it has the best chance of working with user space >> I'm game. > Quoting has a specific meaning in audit fields. So, we really shouldn't do > that. We can simply pick another field delimiter. I really don't care which > it > is as long as its illegal for use in a label. For example, we use > > #define AUDIT_KEY_SEPARATOR 0x01 > > to separate key fields. We can pick almost anything. (exclamation mark, semi- > colon, hash, plus symbol, tilde, 0x02, whatever) But it will need to be > documented and put into the API so that everyone is aware of the convention. Unless there's objection I'll document and use '/', lsms=selinux,apparmor subj=a:b:c:d/a If there is objection without alternative presented I'll use 0x02, because no one (I hope) is going to allow that in their label, and keys have set precedence for unprintable characters. > > -Steve > > -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
