watch structure

Steve Grubb sgrubb at redhat.com
Mon Apr 4 20:46:01 UTC 2005


Hello,

The way that the watch list is passed back currently is a string. This 
diminishes its usefulness. The way it should really be passed back is in a 
structure. This allows each part to have meaning (without parsing) and be 
formatted in userspace as needed. The only problem is the structure is 
defined as follows:

struct audit_watch {
        uint32_t        namelen;
        uint32_t        fklen;
        char            *name;
        char            *filterkey;
        uint32_t        perms;
};

name and filterkey are pointers. If we changed the structure to this:

struct audit_watch {
        uint32_t        namelen;
        uint32_t        fklen;
        char            name[MAX_PATH];
        char            filterkey[MAX_KEY_LEN];
        uint32_t        perms;
};

Then the structure can be used bi-directionally. Which brings up another 
point...when the watch is being sent into the kernel, what guarantee do we 
have that the app doesn't disappear by the time the netlink packet is 
dispositioned and the pointers dereferenced?

-Steve
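An added example, not code from the post or from the audit project, showing the inline-array form in both directions: the sender fills it, and the receiver, which only gets raw bytes it cannot trust, checks the embedded lengths against the arrays before anything treats name or filterkey as a string. Because the whole struct is copied, nothing has to be dereferenced after the sending process is gone. The values of MAX_PATH and MAX_KEY_LEN and the helper names are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define MAX_PATH    256   /* assumed: the post names the macro, not its value */
#define MAX_KEY_LEN 32    /* assumed, likewise */
/* Inline-array form from the post: data travels inside the struct, not behind pointers. */
struct audit_watch {
        uint32_t namelen;
        uint32_t fklen;
        char     name[MAX_PATH];
        char     filterkey[MAX_KEY_LEN];
        uint32_t perms;
};
/* Sender: fill the flat struct (lengths count the NUL); memset clears padding. */
int watch_pack(struct audit_watch *w, const char *name, const char *key, uint32_t perms)
{
        size_t nl = strlen(name) + 1, kl = strlen(key) + 1;
        if (nl > MAX_PATH || kl > MAX_KEY_LEN) return -1;
        memset(w, 0, sizeof(*w));
        w->namelen = (uint32_t)nl;
        w->fklen = (uint32_t)kl;
        memcpy(w->name, name, nl);
        memcpy(w->filterkey, key, kl);
        w->perms = perms;
        return 0;
}
/* Receiver: the bytes came from an untrusted peer, so check each embedded
 * length against its array and require a NUL inside the declared length. */
int watch_validate(const struct audit_watch *w, size_t len)
{
        if (len < sizeof(*w)) return -1;
        if (w->namelen == 0 || w->namelen > MAX_PATH ||
            w->fklen == 0 || w->fklen > MAX_KEY_LEN)
                return -1;
        if (w->name[w->namelen - 1] != '\0' || w->filterkey[w->fklen - 1] != '\0')
                return -1;
        return 0;
}
/* Round trip, then two malformed messages; returns 0 when all behave. */
int watch_selftest(void)
{
        struct audit_watch w;
        if (watch_pack(&w, "/etc/hosts", "hosts-key", 7) != 0) return 1;
        if (watch_validate(&w, sizeof(w)) != 0 || w.perms != 7) return 2;
        w.namelen = MAX_PATH + 1;       /* declared length past the array */
        if (watch_validate(&w, sizeof(w)) != -1) return 3;
        w.namelen = 3;                  /* claims 3 bytes with no NUL */
        if (watch_validate(&w, sizeof(w)) != -1) return 4;
        return 0;
}
```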




More information about the Linux-audit mailing list