On Tue, Feb 5, 2019 at 11:49 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> commit a2c513835bb6c6 ("selinux: inline some AVC functions used only once")
> introduced usage of audit_log_string() in place of audit_log_format()
> for fixed strings. However, audit_log_string() quotes the string.
> This breaks the avc audit message format and userspace audit parsers.
> Switch back to using audit_log_format().
>
> Fixes: a2c513835bb6c6 ("selinux: inline some AVC functions used only once")
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
> security/selinux/avc.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)

Thanks Stephen, I've been burned on this in the past too, I'm disappointed that I didn't catch this originally :/

> diff --git a/security/selinux/avc.c b/security/selinux/avc.c > index 33863298a9b5..8346a4f7c5d7 100644 > --- a/security/selinux/avc.c > +++ b/security/selinux/avc.c > @@ -674,13 +674,13 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) > audit_log_format(ab, "avc: %s ", sad->denied ? "denied" : "granted"); > > if (av == 0) { > - audit_log_string(ab, " null"); > + audit_log_format(ab, " null"); > return; > } > > perms = secclass_map[sad->tclass-1].perms; > > - audit_log_string(ab, " {"); > + audit_log_format(ab, " {"); > i = 0; > perm = 1; > while (i < (sizeof(av) * 8)) { > @@ -695,7 +695,7 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) > if (av) > audit_log_format(ab, " 0x%x", av); > > - audit_log_string(ab, " } for "); > + audit_log_format(ab, " } for "); > } > > /** > -- > 2.20.1 >

--
paul moore
www.paul-moore.com
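
Review bot: The three restored audit_log_format() calls in avc_audit_pre_callback() (the " null", " {" and " } for " literals) carry no comment explaining why audit_log_string() must not be used here, so the same cleanup could be made again later. A short comment above the first of them, noting that audit_log_string() quotes its argument and that userspace audit parsers depend on the unquoted avc record format, would guard against a repeat. The literals contain no '%' characters, so passing them directly as the format string is fine as written.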