auditd netlink headers

Chris Wright chrisw at osdl.org
Fri Apr 29 20:13:46 UTC 2005


* Steve Grubb (sgrubb at redhat.com) wrote:
> On Friday 29 April 2005 15:58, Chris Wright wrote:
> > You mean I'm looking at old code, or old code to handle this was removed?
> 
> Old code was removed. I did not want the added complexity if it wasn't a 
> problem. The basic gist is you cannot use recvfrom to do it. You switch over 
> to recvmsg to do the job and loop. I think there are some other bits that I 
> didn't put there yet.

I think you did the right thing.  I'd like to do the same on kernel side
(the whole fragmentation scheme is too complex).  But I was confused by
some behaviour, and then realized it's just broken ;-)

> >I just made a kernel module that does it (it requires a patch to kernel
> >to export the needed symbols).
> 
> It takes an hour to compile a kernel. It's a Friday afternoon.

Heh no worries, I'm 3 hours behind you, I'll plug at it a bit.
The basics are:

1) Not all audit messages the kernel sends have a netlink header, only the
first fragment.  Note, however, that most calls don't fragment.
2) All audit netlink headers tell you how long the reassembled packet would be.
3) Any fragmentation completely confuses userspace.  First one is dropped
because NLMSG_OK() is false (netlink header says packet is bigger
still).  Subsequent ones are subject to random chance whether they'll be
handled (and how, since header is just audit message bytestream data).

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
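The three points above, as an added example that is not code from this thread, from auditd or from the kernel: a constructed audit record is split into two chunks at an arbitrary offset, the way the kernel-side fragmentation described in the mail would deliver it, and the block shows that NLMSG_OK() rejects the first chunk because nlmsg_len announces the reassembled length, that the second chunk parses as whatever its payload bytes happen to say, and that a recvmsg()-style loop which collects bytes until the announced length has arrived recovers the record. The sample payload, the message type constant, the REASM_MAX bound and the assumption that one record's fragments arrive in order and uninterleaved are all mine, not from the mail.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#define REASM_MAX 8192        /* assumed bound on one reassembled record */
#define SAMPLE_MSG_TYPE 1300  /* AUDIT_SYSCALL in <linux/audit.h>, hard-coded here */

/* Constructed sample payload; not a real kernel record. */
static const char sample_payload[] =
    "audit(1114805626.123:42): arch=c000003e syscall=2 success=yes exit=3";

/* Record buffer aligned well enough to be read through struct nlmsghdr. */
union rec { struct nlmsghdr hdr; unsigned char raw[REASM_MAX]; };

/* How one recvmsg() chunk looks to a reader that trusts NLMSG_OK() alone. */
enum chunk_kind { CHUNK_COMPLETE, CHUNK_FIRST_FRAGMENT, CHUNK_BAD };

/* The header carries the reassembled length, so on a first fragment
 * nlmsg_len > len and NLMSG_OK() is false.  A later fragment has no header:
 * its payload bytes get read as one, and the verdict is luck. */
static enum chunk_kind classify_chunk(const void *buf, size_t len, uint32_t *total)
{
    struct nlmsghdr nlh;
    if (len < sizeof nlh) return CHUNK_BAD;
    memcpy(&nlh, buf, sizeof nlh);  /* copy: the chunk may be unaligned */
    if (nlh.nlmsg_len < sizeof nlh) return CHUNK_BAD;
    *total = nlh.nlmsg_len;
    return NLMSG_OK(&nlh, len) ? CHUNK_COMPLETE : CHUNK_FIRST_FRAGMENT;
}

/* Collects chunks until the length announced by the first fragment's header
 * has arrived.  Assumes one record's fragments arrive in order and are not
 * interleaved with another record's (an assumption; the mail does not say). */
struct reassembler {
    union rec msg;
    size_t have;  /* bytes collected so far */
    size_t want;  /* nlmsg_len from the header; 0 while idle */
};

/* 1: a whole record is in r->msg; 0: need more; -1: lost sync, state reset. */
static int reasm_feed(struct reassembler *r, const void *chunk, size_t len)
{
    if (r->want == 0 || r->have == r->want) {  /* idle: chunk must start with a header */
        struct nlmsghdr nlh;
        if (len < sizeof nlh) return -1;
        memcpy(&nlh, chunk, sizeof nlh);
        if (nlh.nlmsg_len < sizeof nlh || nlh.nlmsg_len > REASM_MAX) return -1;
        r->want = nlh.nlmsg_len;
        r->have = 0;
    }
    if (r->have + len > r->want) {  /* overran the announced length */
        r->want = r->have = 0;
        return -1;
    }
    memcpy(r->msg.raw + r->have, chunk, len);
    r->have += len;
    return r->have == r->want ? 1 : 0;
}

/* Header + payload with nlmsg_len set to the full record length, as the
 * kernel announces it.  Returns that length, or 0 if it does not fit. */
static size_t build_sample_record(unsigned char *out, size_t cap)
{
    size_t plen = strlen(sample_payload) + 1;
    struct nlmsghdr nlh;
    memset(&nlh, 0, sizeof nlh);
    nlh.nlmsg_len = NLMSG_LENGTH(plen);
    nlh.nlmsg_type = SAMPLE_MSG_TYPE;
    nlh.nlmsg_seq = 1;
    if (nlh.nlmsg_len > cap) return 0;
    memcpy(out, &nlh, sizeof nlh);
    memcpy(out + NLMSG_HDRLEN, sample_payload, plen);
    return nlh.nlmsg_len;
}

/* Split the sample record at 'split' bytes, as if the kernel had fragmented
 * it: report how each chunk classifies, then reassemble.  1 if intact. */
static int run_fragmentation_demo(size_t split, enum chunk_kind *first, enum chunk_kind *second)
{
    union rec rec;
    struct reassembler r;
    uint32_t total;
    size_t len = build_sample_record(rec.raw, sizeof rec.raw);
    if (len == 0 || split == 0 || split >= len) return 0;
    memset(&r, 0, sizeof r);
    *first = classify_chunk(rec.raw, split, &total);
    *second = classify_chunk(rec.raw + split, len - split, &total);
    if (reasm_feed(&r, rec.raw, split) != 0) return 0;
    if (reasm_feed(&r, rec.raw + split, len - split) != 1) return 0;
    return r.msg.hdr.nlmsg_len == len && r.msg.hdr.nlmsg_type == SAMPLE_MSG_TYPE
        && strcmp((const char *)r.msg.raw + NLMSG_HDRLEN, sample_payload) == 0;
}

int main(void)
{
    enum chunk_kind k1, k2;
    int ok = run_fragmentation_demo(24, &k1, &k2);
    printf("first chunk:  %s\n", k1 == CHUNK_FIRST_FRAGMENT ? "NLMSG_OK() false, dropped" : "accepted");
    printf("second chunk: %s\n", k2 == CHUNK_COMPLETE ? "accepted by luck" : "rejected by luck");
    printf("reassembly:   %s\n", ok ? "record recovered" : "FAILED");
    return ok ? 0 : 1;
}
```

The reassembler only works because the kernel puts the full length in the first header; a reader that instead sized its buffer from each chunk, or that dropped a chunk whenever NLMSG_OK() failed, loses the whole record as the mail describes.  Against a real NETLINK_AUDIT socket the chunks would come from successive recvmsg() calls rather than from the split in run_fragmentation_demo().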