Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S262838AbVCPWmB (ORCPT ); Wed, 16 Mar 2005 17:42:01 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S262843AbVCPWmA (ORCPT ); Wed, 16 Mar 2005 17:42:00 -0500 Received: from fire.osdl.org ([65.172.181.4]:63708 "EHLO smtp.osdl.org") by vger.kernel.org with ESMTP id S262838AbVCPWlk (ORCPT ); Wed, 16 Mar 2005 17:41:40 -0500 Date: Wed, 16 Mar 2005 14:41:17 -0800 From: Chris Wright To: Ondrej Zary Cc: linux-kernel@vger.kernel.org, linux-audit@redhat.com Subject: Re: [patch] Syscall auditing - move "name=" field to the end Message-ID: <20050316224117.GC28536@shell0.pdx.osdl.net> References: <4238A65C.7020908@rainbow-software.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4238A65C.7020908@rainbow-software.org> User-Agent: Mutt/1.5.6i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 935 Lines: 23 * Ondrej Zary (linux@rainbow-software.org) wrote: > This patch moves the "name=" field to the end of audit records. The > original placement is bad because it cannot be properly parsed. It is > impossible to tell if the name is "/bin/true" or "/bin/true inode=469634 > dev=00:00" because the "inode=" and "dev=" fields can be omitted. > > Before: > audit(1111008486.824:89346): item=0 name=/bin/true inode=469634 dev=00:00 > > After: > audit(1111008486.824:89346): item=0 inode=469634 dev=00:00 name=/bin/true > > Signed-off-by: Ondrej Zary Looks reasonable. Thanks, -chris -- Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/