[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] collect security labels on user processes generating audit messages



On Wednesday 15 February 2006 11:37, Stephen Smalley wrote:
> > It creates parsing problems without a value. If I saw "tty="  and that's
> > all, I'd think the audit system malfunctioned and file a bugzilla. I
> > don't want that.
>
> OTOH, if I see (null), I tend to assume a bug in the code.  Isn't it
> saner to just omit the name=value pair altogether if the value is NULL?

No, cause then I have non-normalized records.

> Otherwise, you are adding extra processing on the generation and parsing
> side for no benefit, along with wasting space in the audit message.

There is a benefit...no missing fields means that the record is normalized. 
This is a required step before we create a binary format record. 

There are performance benefits in the kernel as well as user space. The kernel 
doesn't have to have an "if" statement with 2 nearly identical calls to 
audit_log_format or 2 back to back calls to the same function adding a new 
piece of info. 

In userspace, I can parse it faster since I don't have to backtrack and 
re-parse from the last good token to look for the next field after deciding 
one is missing.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]