On Wednesday, September 8, 2021 9:16:16 AM EDT Richard Guy Briggs wrote: > Another minor oddity is the double "=" for the subj > > > > field, which doesn't appear to be a bug in your code, but still > > > puzzling. > > > > In the test setup, I had Apparmor enabled and set as default security > > module. This behavior occurs in any audit_log message. > > Seems that this is coming from the label handling there. Having a quick > > look at the code there is that they use '=' in the label to provide a > > root view as part of their policy virtualization. The corresponding > > commit is sitting there since 2017: > > "26b7899510ae243e392960704ebdba52d05fbb13" > > Interesting... Thanks for tracking down that cause. I don't know how > much pain that will cause the userspace parsing tools. I've added Steve > Grubb to the Cc: to get his input, but this should not derail this patch > set. It likely breaks any parser. I would even say that it's a malformed event that should be corrected. There's been a published a specification for audit events for at least 5 years. Latest copy is here: https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events -Steve
