Re: [PATCH V3] audit: normalize NETFILTER_PKT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2017-03-03 13:45, Florian Westphal wrote:
> Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
> > > Perhaps I'm missing something here, but let me ask again, how does
> > > userspace distinguish between an unset nfmark and a nfmark of
> > > 0xffffffff?
> > 
> > It can't.
> 
> It can if you log it as 0, as I asked in patch 1 review.

I'd be inclined to do that, since it will always have a value even if
its default is zero.

The proto field would actually be unset if it was a protocol family that
did not have a protocol field.

> (You wouldn't log sk uid of 0 as -1 either, would you?)

No, but you would log auid and session id as -1 if it were unset.


- RGB

--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux