auditd netlink headers

Chris Wright chrisw at osdl.org
Fri Apr 29 19:58:57 UTC 2005


* Steve Grubb (sgrubb at redhat.com) wrote:
> On Friday 29 April 2005 15:41, Chris Wright wrote:
> > We are (in theory, not sure about practice). 
> 
> The code was in a function called audit_listen that was removed after 0.6.4.

You mean I'm looking at old code, or old code to handle this was removed?
Apologies if I've got the old stuff.

> > Say an exe path of > 990 bytes, or any payload of that size.
> 
> That was my concern. Paths can be 4096 bytes. (which is another reason I 
> wanted to see test cases with big filenames - to see what all breaks.)
> 
> > You should get two fragments, and auditd drops them both.  The second
> > I'm suspecting it's pure luck because NLMSG_OK() is looking at audit
> > data as a netlink header.
> 
> It has to be coded differently. I'll see if I can create this problem by 
> making a long pathname and accessing it while doing syscall auditing.

I just made a kernel module that does it (it requires a patch to kernel
to export the needed symbols).  It's just an ugly hack, but it shows
the problem.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
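The two-fragment case discussed above, as an added example that is not Chris's module or any auditd code: a constructed oversized netlink message is pushed through a receive buffer that is too small (RECV_CAP, PATH_LEN, walk_buffer, build_message and simulate are names chosen here), and each piece is handed to the same NLMSG_OK()/NLMSG_NEXT() walk a consumer would use, showing that the head is reported as incomplete, the tail is rejected only because path bytes decode as an absurd length, and a tail whose bytes happen to form a plausible header is accepted as a bogus message.

```c
#include <string.h>
#include <linux/netlink.h>

/* Constructed sizes: a receive buffer smaller than one long-path message,
 * standing in for the ~990-byte auditd case in the thread. */
#define RECV_CAP 64
#define PATH_LEN 100
enum walk_result { WALK_DONE, WALK_INCOMPLETE, WALK_GARBAGE };

/* Walk a receive buffer as an NLMSG_OK/NLMSG_NEXT consumer does and classify
 * the leftover. WALK_INCOMPLETE covers both a truncated head and a tail
 * fragment whose bytes decode as a huge length; nothing in-band tells them
 * apart, so the fix is to never split: size the buffer for the largest
 * message, or learn the real length first with recvmsg(MSG_PEEK|MSG_TRUNC). */
static enum walk_result walk_buffer(unsigned char *buf, int len, int *msgs)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    for (*msgs = 0; NLMSG_OK(nlh, len); (*msgs)++)
        nlh = NLMSG_NEXT(nlh, len);
    if (len == 0)
        return WALK_DONE;
    if (len >= NLMSG_HDRLEN && nlh->nlmsg_len > (unsigned)len)
        return WALK_INCOMPLETE;
    return WALK_GARBAGE;
}

/* One message whose payload is a PATH_LEN-byte path of 'a's. With fake_hdr,
 * the payload bytes at the split point are made to decode as a valid header. */
static int build_message(unsigned char *out, int fake_hdr)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)out;
    memset(out, 'a', NLMSG_SPACE(PATH_LEN));
    *nlh = (struct nlmsghdr){ .nlmsg_len = NLMSG_LENGTH(PATH_LEN) };
    out[NLMSG_HDRLEN] = '/';
    if (fake_hdr) {
        struct nlmsghdr fake = { .nlmsg_len = NLMSG_HDRLEN };
        memcpy(out + RECV_CAP, &fake, sizeof fake);
    }
    return NLMSG_SPACE(PATH_LEN);
}

struct outcome { enum walk_result head, tail; int head_msgs, tail_msgs; };
/* Deliver through a RECV_CAP-byte buffer: a truncated head, then a pure-payload tail. */
static struct outcome simulate(int fake_hdr)
{
    union { struct nlmsghdr h; unsigned char b[NLMSG_SPACE(PATH_LEN)]; } m;
    int total = build_message(m.b, fake_hdr);
    struct outcome o;
    o.head = walk_buffer(m.b, RECV_CAP, &o.head_msgs);
    o.tail = walk_buffer(m.b + RECV_CAP, total - RECV_CAP, &o.tail_msgs);
    return o;
}
```

With fake_hdr set, the tail yields one "message" built entirely from path bytes, which is the failure mode a consumer must rule out by never receiving a message in pieces.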




More information about the Linux-audit mailing list