Fwd: Re: Fw: Audit records for start/stop auditd
Stephen Smalley
sds at tycho.nsa.gov
Wed Apr 6 14:04:31 UTC 2005
On Wed, 2005-04-06 at 10:09 -0400, Steve Grubb wrote:
> On Wednesday 06 April 2005 09:57, Stephen Smalley wrote:
> > Won't that break the kernel ABI?
>
> I put it at the end so apps that have already been compiled with the old
> siginfo_t size won't break. The app is handed a pointer to the structure by
> the kernel, so its not like userspace ever allocates the struct, it just
> references the contents of it.
I think that the kernel _copies_ the structure to userspace (using a
pointer provided by userspace), so extending it will cause clobbering of
memory for any application that was built with the old structure. See
copy_siginfo_to_user in kernel/signal.c.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
More information about the Linux-audit
mailing list