From: Steve Grubb <firstname.lastname@example.org>
To: "Weiß, Michael" <email@example.com>, "Richard Guy Briggs" <firstname.lastname@example.org>
Cc: "email@example.com" <firstname.lastname@example.org>
Subject: Re: [PATCH v4 0/3] dm: audit event logging
Date: Wed, 08 Sep 2021 11:39:02 -0400
Message-ID: <4344604.LvFx2qVVIh@x2>
In-Reply-To: <20210908131616.GK490529@madcap2.tricolour.ca>

On Wednesday, September 8, 2021 9:16:16 AM EDT Richard Guy Briggs wrote:
> > > Another minor oddity is the double "=" for the subj
> > > field, which doesn't appear to be a bug in your code, but still
> > > puzzling.
> >
> > In the test setup, I had Apparmor enabled and set as default security
> > module. This behavior occurs in any audit_log message.
> > Seems that this is coming from the label handling there. Having a quick
> > look at the code there is that they use '=' in the label to provide a
> > root view as part of their policy virtualization. The corresponding
> > commit is sitting there since 2017:
> > "26b7899510ae243e392960704ebdba52d05fbb13"
>
> Interesting... Thanks for tracking down that cause. I don't know how
> much pain that will cause the userspace parsing tools. I've added Steve
> Grubb to the Cc: to get his input, but this should not derail this patch
> set.

It likely breaks any parser. I would even say that it's a malformed event
that should be corrected. There's been a published specification for audit
events for at least 5 years. Latest copy is here:

https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events

-Steve
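
Added example, not part of the message above and not code from the audit userspace tools: a small Python check showing what a doubled "=" does to a consumer that splits fields on the first "=". The two records, the field names and the helper names are constructed for illustration, and the check assumes space-separated name=value fields.

```python
import re

# Constructed sample records, not taken from the thread. The second one
# imitates the double "=" reported for the subj field.
GOOD = 'type=EXAMPLE msg=audit(1631115542.000:101): pid=4242 uid=0 comm="example tool" subj=unconfined res=1'
BAD = 'type=EXAMPLE msg=audit(1631115542.000:102): pid=4243 uid=0 comm="example tool" subj==unconfined res=1'

# A token is a run of non-space text in which quoted strings may hold spaces.
TOKEN = re.compile(r'''(?:[^\s"']+|"[^"]*"|'[^']*')+''')
NAME = re.compile(r'[A-Za-z0-9_-]+\Z')


def parse_fields(record):
    """Split a record into (name, value) pairs on the first '=' of each token."""
    fields = []
    for token in TOKEN.findall(record):
        name, sep, value = token.partition('=')
        fields.append((name, value if sep else None))
    return fields


def lint(record):
    """Return (field name, problem) pairs for tokens that are not clean name=value."""
    problems = []
    for name, value in parse_fields(record):
        if value is None:
            problems.append((name, 'no "=" separator'))
        elif not NAME.match(name):
            problems.append((name, 'unexpected characters in field name'))
        elif value == '':
            problems.append((name, 'empty value'))
        elif value.startswith('='):
            problems.append((name, 'value starts with "=" (doubled separator)'))
    return problems


def lookup(record, wanted):
    """What an exact-match search sees: the value recorded under a field name."""
    return dict(parse_fields(record)).get(wanted)


if __name__ == '__main__':
    for rec in (GOOD, BAD):
        print(lookup(rec, 'subj'), lint(rec))
```

With the doubled separator the subj value comes back as "=unconfined", so an exact-match search or report keyed on the subject label no longer finds the record.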

Thread overview: 9+ messages
2021-09-04  9:59 Michael Weiß
2021-09-04  9:59 ` [PATCH v4 1/3] dm: introduce audit event module for device mapper Michael Weiß
2021-09-04  9:59 ` [PATCH v4 2/3] dm integrity: log audit events for dm-integrity target Michael Weiß
2021-09-04  9:59 ` [PATCH v4 3/3] dm crypt: log aead integrity violations to audit subsystem Michael Weiß
2021-09-08  0:59 ` [PATCH v4 0/3] dm: audit event logging Richard Guy Briggs
2021-09-08  8:26   ` Weiß, Michael
2021-09-08 13:16     ` Richard Guy Briggs
2021-09-08 15:39       ` Steve Grubb [this message]
2021-09-12  9:38         ` Weiß, Michael