[RFC][PATCH] (#5, U2) (resent) filesystem auditing support
Steve Grubb
sgrubb at redhat.com
Tue Mar 8 14:15:48 UTC 2005
On Tuesday 08 March 2005 06:14, David Woodhouse wrote:
> Putting this in the middle of the structure breaks binary compatibility
> with existing audit userspace. I'll shift it to the end.
This is important because the user space tools use glibc-kernheaders' version
of audit.h. If the offset changes for data elements that are known to
userspace, bad things happen.
I am wondering if a audit_status size comparison needs to be done upon
receipt? The userspace tool sends the size like this:
req.nlh.nlmsg_len = NLMSG_ALIGN(req.nlh.nlmsg_len) + NLMSG_SPACE(size);
where size comes from sizeof(struct audit_status)
In the kernel, the check is done like this in audit.c line 367:
if (nlh->nlmsg_len < sizeof(struct audit_status))
return -EINVAL
Shouldn't the check be something more like:
if (nlh->nlmsg_len != sizeof(struct audit_status)+NLMSG_ALIGN(0))
return -EINVAL
If this is a bad idea, because in it may introduce breakage where older tools
don't work with newer kernels, maybe we can put a check in the status message
where it compares the size of the status struct sent vs, the size the kernel
knows and adds a message saying the userspace tools can't control new
functionality? I think the status message should tell the user they are out
of date.
-Steve
More information about the Linux-audit
mailing list