Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp4315093pxu; Mon, 21 Dec 2020 09:18:52 -0800 (PST) X-Google-Smtp-Source: ABdhPJwHLngagIfSmlgTSwBiCFHYWn83SgwnkB746e4tJMCKvb/pApwqupfrkbQYq3HyH2kWYDg7 X-Received: by 2002:a05:6402:797:: with SMTP id d23mr16655397edy.302.1608571131810; Mon, 21 Dec 2020 09:18:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608571131; cv=none; d=google.com; s=arc-20160816; b=MnFRHXf+G9eOEikQ3aSDNCTJa9uycb6Zo09Lr61tIDO5KUcA8H3Ef2Mj7EE7w7c3pc 0zGF365BbgjtobD3v604lmCZ04qvEMzVw7UjEvvpTneKDp/iXUSObB3vRA4eXh56fXTt BIEDmRIu4aHLeQsla2+9dsFrsYsLTS9/mulYiqZMqmTypFhzoD1Fzrzt2Ljh4RQPWZtx GStJobIPQuSmXxZJ9pwe1fBnr0nuxKLTTQIFRIWheDHC5aI4hygIPd8A/CdERMETS1ho e6e+bE+kzAq3TjlEEpxLoIboP4p6sk4KZuRoJZzsrzB/cCjtghfzp9Qd1eKS/Ko7x+R5 e+1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:references:in-reply-to:message-id:date:subject :cc:to:from:dkim-signature; bh=wfN0o0JokmbNz9DafEtBUD4PMjxJrKYE3OGEsWN7KpM=; b=bEnVZv7/wS5KHpMurp2R8UgknduGilgjudHVt7+xOnPsb0JFiOwTv7pqKPGb1MuqG/ IKER2KwRUVSPhdL65uuWvJuXe5daLPnrsG+FDOf2u416JBFb3ebLUTLDWaSPgVoV33ec GH+LtEasDUN74MsWH2Y6zk45XYzPpKRiLkUQ497ty+wyLWyD+CBPVPfjm4xO08xrZglg ii+mCxS2ibZ+OsYmUfbOAfABXFlZfndYe2QP92LwHojlMwk347bEc+jw7IPEvSIyl18E jf98Hhu5qoNQ1rqWP9nrA/w/kX+m++yclwQE045/oJvmr7UUZXBlpSqVr4ItqalOm4uz 7hMA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=EeUVgbMX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v3si8827457eje.650.2020.12.21.09.18.29; Mon, 21 Dec 2020 09:18:51 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=EeUVgbMX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726261AbgLURQE (ORCPT + 99 others); Mon, 21 Dec 2020 12:16:04 -0500 Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:29220 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725780AbgLURPs (ORCPT ); Mon, 21 Dec 2020 12:15:48 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1608570862; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:in-reply-to:in-reply-to:references:references; bh=wfN0o0JokmbNz9DafEtBUD4PMjxJrKYE3OGEsWN7KpM=; b=EeUVgbMXAoaj/NvdCoZq0dSQC4ZvSzSkkYcHtyiF6ZevQYSu87XP95JCY3qnlxcPOU2q0x iT+tVGFV2BApyLJRDhQEfjiZFqZ52ugN8VE8a0UVqg711pL6G6Wnw8YgSRE7I2Hmp+/46U ceLw0S173bBI+69vye8zVexKYfqoRbQ= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-30-tWC4IxGdNQ-Ac7YKD7fj0g-1; Mon, 21 Dec 2020 12:14:18 -0500 X-MC-Unique: tWC4IxGdNQ-Ac7YKD7fj0g-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id DACDB1934108; Mon, 21 Dec 2020 17:14:16 +0000 (UTC) Received: from madcap2.tricolour.ca (unknown [10.10.110.9]) by smtp.corp.redhat.com (Postfix) with ESMTP id 523865D9CA; Mon, 21 Dec 2020 17:14:15 +0000 (UTC) From: Richard Guy Briggs To: Linux Containers List , Linux-Audit Mailing List , LKML Cc: Neil Horman , Eric Paris , mpatel@redhat.com, Richard Guy Briggs Subject: [PATCH ghau51/ghau40 v10 09/11] contid: interpret correctly CONTAINER_ID contid field csv Date: Mon, 21 Dec 2020 12:12:49 -0500 Message-Id: <20201221171251.2610890-10-rgb@redhat.com> In-Reply-To: <20201221171251.2610890-1-rgb@redhat.com> References: <20201221171251.2610890-1-rgb@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The CONTAINER_ID record contid field can contain comma-separated values when accompanying a NETFILTER_PKT record. Records appeared interpreted as such: Wrong: CONTAINER_ID msg=audit(2019-04-10 13:20:18.746:1690) : contid=777 666,333 Right: CONTAINER_ID msg=audit(2019-04-10 13:20:18.746:1690) : contid=777,666,333 Signed-off-by: Richard Guy Briggs --- src/ausearch-report.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/ausearch-report.c b/src/ausearch-report.c index 416c2b13fa6a..754b28af2cb6 100644 --- a/src/ausearch-report.c +++ b/src/ausearch-report.c @@ -279,7 +279,7 @@ no_print: if (str && val && (str < val)) { // Value side has commas and another field exists // Known: LABEL_LEVEL_CHANGE banners=none,none - // Known: ROLL_ASSIGN new-role=r,r + // Known: ROLE_ASSIGN new-role=r,r // Known: any MAC LABEL can potentially have commas int ftype = auparse_interp_adjust_type(n->type, name, val); @@ -293,9 +293,11 @@ no_print: } else if (str && (val == NULL)) { // Goes all the way to the end. Done parsing // Known: MCS context in PATH rec obj=u:r:t:s0:c2,c7 + // Known: CONTAINER_ID/OP old-/contid can be a comma-separated list int ftype = auparse_interp_adjust_type(n->type, name, ptr); - if (ftype == AUPARSE_TYPE_MAC_LABEL) + if (ftype == AUPARSE_TYPE_MAC_LABEL + || ftype == AUPARSE_TYPE_CONTID) str = NULL; else { *str++ = 0; -- 2.18.4