In auparse, when interpreting discard unknown enriched fields

RH-steve-grubb · RH-steve-grubb · commit 3e51f4c54a23 · 2017-04-10T10:18:28.000-04:00
diff --git a/ChangeLog b/ChangeLog
@@ -2,6 +2,7 @@
 - In auparse, output socket family name if unsupported but known
 - In auparse, store arch & syscall fields in SECCOMP records for interpretation
 - In auparse_normalize, create an event_kind for seccomp events
+- In auparse, when interpreting discard 'unknown' enriched fields
 
 2.7.4
 - Fix python3 byte compile for libaudit bindings
diff --git a/auparse/interpret.c b/auparse/interpret.c
@@ -2794,6 +2794,11 @@ char *auparse_do_interpretation(int type, const idata *id,
 			const char *val = il.cur->interp_val;
 
 			if (val) {
+				// If we don't know what it is when auditd
+				// recorded it, try it again incase the
+				// libraries have been updated to support it.
+				if (strncmp(val, "unknown-", 8 ) == 0)
+					goto unknown; 
 				if (type == AUPARSE_TYPE_UID ||
 						type == AUPARSE_TYPE_GID)
 					return print_escaped(val);
@@ -2802,6 +2807,7 @@ char *auparse_do_interpretation(int type, const idata *id,
 			}
 		}
 	}
+unknown:
 
 	switch(type) {
 		case AUPARSE_TYPE_UID:

Original file line number	Diff line number	Diff line change
`@@ -2794,6 +2794,11 @@ char auparse_do_interpretation(int type, const idata id,`
`2794`	`2794`	`const char *val = il.cur->interp_val;`
`2795`	`2795`
`2796`	`2796`	`if (val) {`
	`2797`	`+ // If we don't know what it is when auditd`
	`2798`	`+ // recorded it, try it again incase the`
	`2799`	`+ // libraries have been updated to support it.`
	`2800`	`+ if (strncmp(val, "unknown-", 8 ) == 0)`
	`2801`	`+ goto unknown;`
`2797`	`2802`	`if (type == AUPARSE_TYPE_UID \|\|`
`2798`	`2803`	`type == AUPARSE_TYPE_GID)`
`2799`	`2804`	`return print_escaped(val);`
`@@ -2802,6 +2807,7 @@ char auparse_do_interpretation(int type, const idata id,`
`2802`	`2807`	`}`
`2803`	`2808`	`}`
`2804`	`2809`	`}`
	`2810`	`+unknown:`
`2805`	`2811`
`2806`	`2812`	`switch(type) {`
`2807`	`2813`	`case AUPARSE_TYPE_UID:`