> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@xxxxxxxxxx]
> Sent: Friday, July 15, 2016 11:54 AM
> To: Paul Moore <paul@xxxxxxxxxxxxxx>
> Cc: Roberts, William C <william.c.roberts@xxxxxxxxx>; selinux@xxxxxxxxxxxxx;
> seandroid-list@xxxxxxxxxxxxx; Stephen Smalley <sds@xxxxxxxxxxxxx>;
> linux-audit@xxxxxxxxxx
> Subject: Re: [PATCH] selinux: print leading 0x on ioctlcmd audits
>
> On Thursday, July 14, 2016 6:17:32 PM EDT Paul Moore wrote:
> > Re: [PATCH] selinux: print leading 0x on ioctlcmd audits
> > From: Paul Moore <paul@xxxxxxxxxxxxxx>
> > To: william.c.roberts@xxxxxxxxx
> > CC: selinux@xxxxxxxxxxxxx, seandroid-list@xxxxxxxxxxxxx, Stephen Smalley
> > <sds@xxxxxxxxxxxxx>, Me, linux-audit@xxxxxxxxxx
> > Date: Yesterday 6:17 PM
> >
> > On Thu, Jul 14, 2016 at 3:29 PM, <william.c.roberts@xxxxxxxxx> wrote:
> > > From: William Roberts <william.c.roberts@xxxxxxxxx>
> > >
> > > ioctlcmd is currently printing hex numbers, but there is no leading
> > > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
> > > not evident.
> > >
> > > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
> > > ioctlcmd=0x1234.
> > >
> > > Signed-off-by: William Roberts <william.c.roberts@xxxxxxxxx>
> > > ---
> > > security/lsm_audit.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > NOTE: adding Steve Grubb and the audit mailing list to the CC line
> >
> > Like it or not, I believe the general standard/convention when it
> > comes to things like this is to leave off the "0x" prefix; the idea
> > being that it saves precious space in the audit logs and the value is
> > only ever going to be in hex anyway.
>
> We normally like the 0x prefix on anything that is hex so that strtoul can figure it
> out itself. And since AVC's should in theory be rare or occasional, log space is not
> a concern.

Does this mean then the patch will be applied?

> That said, what is this ioctlcmd field name? Is this the ioctl number? As in syscall
> arg a1? If so, it should be hooked up to the interpretation for that.
>
> Also, we have a field dictionary with some basic info about each field used in
> audit events:
>
> http://people.redhat.com/sgrubb/audit/field-dictionary.txt
>
> This is important so that people don't make up new ones that do the same thing.
> The ioctlcmd field name should be recorded. Are there more that need
> documenting?
>
> -Steve
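Added example, not part of the original thread or of the kernel patch: a small C program showing why the missing 0x prefix matters to a log consumer that lets strtoul detect the base (base 0). The helper parse_ioctlcmd() and the sample records are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: find "ioctlcmd=" in an audit record and parse its
 * value with the given strtoul base (0 = detect from prefix, 16 = hex).
 * Returns 0 on success, -1 if the field is missing or not fully numeric. */
int parse_ioctlcmd(const char *record, int base, unsigned long *out)
{
    static const char key[] = "ioctlcmd=";
    const char *p = strstr(record, key);
    unsigned long v;
    char *end;

    if (!p)
        return -1;
    p += sizeof(key) - 1;
    errno = 0;
    v = strtoul(p, &end, base);
    /* Reject empty values, overflow, and a parse that stops mid-token,
     * e.g. base 0 reading "54" out of "54a1". */
    if (end == p || errno == ERANGE || (*end != '\0' && *end != ' '))
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed sample records, not taken from a real audit log. */
    const char *records[] = {
        "avc: denied { ioctl } for pid=100 comm=\"demo\" ioctlcmd=5401 tclass=chr_file",
        "avc: denied { ioctl } for pid=100 comm=\"demo\" ioctlcmd=0x5401 tclass=chr_file",
        "avc: denied { ioctl } for pid=100 comm=\"demo\" ioctlcmd=54a1 tclass=chr_file",
    };
    for (size_t i = 0; i < sizeof(records) / sizeof(records[0]); i++) {
        unsigned long v0 = 0, v16 = 0;
        int r0 = parse_ioctlcmd(records[i], 0, &v0);
        int r16 = parse_ioctlcmd(records[i], 16, &v16);
        printf("%s\n  base 0: %s 0x%lx | base 16: %s 0x%lx\n", records[i],
               r0 ? "fail" : "ok", v0, r16 ? "fail" : "ok", v16);
    }
    return 0;
}
```

With base 0, the unprefixed value is silently read as decimal when it contains only digits and rejected when it contains a-f, while the prefixed form parses the same way under both bases.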