[PATCH 2/3] expand audit tmp buffer as needed

Chris Wright chrisw at osdl.org
Fri May 6 20:43:24 UTC 2005


* Steve Grubb (sgrubb at redhat.com) wrote:
> On Friday 06 May 2005 03:54, Chris Wright wrote:
> > @@ -132,14 +132,11 @@ static DECLARE_MUTEX(audit_netlink_sem);
> >   * use simultaneously. */
> >  struct audit_buffer {
> >         struct list_head     list;
> > -       struct sk_buff_head  sklist;    /* formatted skbs ready to send */
> > +       struct sk_buff       *skb;      /* formatted skb ready to send */
> >         struct audit_context *ctx;      /* NULL or associated context */
> >         int                  len;       /* used area of tmp */
> > -       char                 tmp[AUDIT_BUFSIZ];
> > -
> > -                               /* Pointer to header and contents */
> > -       struct nlmsghdr      *nlh;
> > -       int                  total;
> > +       int                  size;      /* size of tmp */
> > +       char                 *tmp;      
> >         int                  type;
> >         int                  pid;
> >  };
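Review bot: with `char tmp[AUDIT_BUFSIZ]` replaced by `char *tmp` plus `int size`, this hunk shows neither where `tmp` is allocated and freed nor what keeps `size` in step with `len`; every path that appends to `tmp` now has to compare what it is about to write against `size - len` and grow (or fail) before writing, because the bound the fixed-size array gave for free is gone, and `size` should be documented as the allocated length, not a maximum. The `nlh` and `total` members and their "Pointer to header and contents" comment are dropped without a replacement, so the struct no longer says where the netlink header lives; extending the `*skb` comment would cover that. Minor: trailing whitespace after `char *tmp;`.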
> 
> I have a feeling this will impact all the parsers and the message type work 
> that I was just starting to do. The way I understand this patch, we will no 
> longer iterate in audit_log_drain spitting out separate messages for d_path 
> or anything else that gets added.

There's only one skb now.  All data is actually in that skb.  Userspace
does not handle (now) the multiple skb case anyway.  It drops the
subsequent data.


> So what are we going to have for a separator between the audit context dump 
> and any supplemental information? Can you post a couple example records 
> (since we can't actually try out the netlink changes yet)?

Sure, here's some that went to syslog (I'll have to reboot to a working
kernel, and I'm still waiting for it to build this rpm kernel with some
debugging and the patch I sent).

May  6 00:33:18 vas kernel: audit(1115364505.576:1013290): item=0 name="/dev/null" inode=2035 dev=00:0e mode=020666 uid=0 gid=0 rdev=01:03

May  6 00:33:18 vas kernel: audit(1115364505.577:1013333): syscall=5 arch=40000003 success=yes exit=3 a0=a50fd9 a1=0 a2=0 a3=0 items=1 pid=15519 loginuid=-1 uid=23 gid=500 euid=23 suid=23 fsuid=23 egid=500 sgid=500 fsgid=500 comm=usleep exe=/bin/usleep

May  6 00:33:18 vas kernel: audit(1115364505.577:1013333): item=0 name="/etc/ld.so.cache" inode=84283 dev=03:03 mode=0100644 uid=0 gid=0 rdev=00:00

> I was planning to change audit_log_start to take a type parameter as well as 
> audit_log_format and put the type into the message.

I have that patch here already.  In my next batch of cleanups.  I'll
send them out as soon as I nail the current issue.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
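The records above answer the separator question in practice: the `audit(timestamp:serial)` prefix is what ties an `item=` record to the `syscall=` record it belongs to, so a consumer groups by serial rather than relying on message boundaries. The following is an added example, not code from this post or from the audit project, that parses syslog lines of the shape shown in the message (assumed: `key=value` fields separated by spaces, with double-quoted paths and no escaped quotes inside them) and groups them into events by serial. The sample lines are copied from the message; the function names are this example's own.

```python
import re
from collections import defaultdict

# Records copied from the message above, as they appeared in syslog.
SAMPLE_LINES = [
    'May  6 00:33:18 vas kernel: audit(1115364505.576:1013290): item=0 name="/dev/null" '
    'inode=2035 dev=00:0e mode=020666 uid=0 gid=0 rdev=01:03',
    'May  6 00:33:18 vas kernel: audit(1115364505.577:1013333): syscall=5 arch=40000003 '
    'success=yes exit=3 a0=a50fd9 a1=0 a2=0 a3=0 items=1 pid=15519 loginuid=-1 uid=23 '
    'gid=500 euid=23 suid=23 fsuid=23 egid=500 sgid=500 fsgid=500 comm=usleep exe=/bin/usleep',
    'May  6 00:33:18 vas kernel: audit(1115364505.577:1013333): item=0 name="/etc/ld.so.cache" '
    'inode=84283 dev=03:03 mode=0100644 uid=0 gid=0 rdev=00:00',
]

# "audit(<seconds>.<millis>:<serial>): <body>" -- the serial is the event key.
HEADER_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')

# key=value, where value is either "double quoted" (paths) or a bare token.
# Assumption: no escaped quotes inside a quoted value (none appear in the post).
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')


def parse_record(line):
    """Parse one syslog line into {'timestamp', 'serial', 'fields'}; None if not an audit record."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    fields = {}
    for f in FIELD_RE.finditer(m.group('body')):
        value = f.group('quoted') if f.group('quoted') is not None else f.group('bare')
        fields[f.group('key')] = value
    return {'timestamp': m.group('ts'), 'serial': int(m.group('serial')), 'fields': fields}


def group_events(lines):
    """Group parsed records by serial, preserving the order they were emitted in."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec['serial']].append(rec)
    return dict(events)


def event_summary(records):
    """Return (syscall fields or None, list of item names) for the records of one serial.

    The syscall record may be missing when only part of an event was captured,
    as with serial 1013290 above, so callers must handle None.
    """
    syscall = None
    names = []
    for rec in records:
        if 'syscall' in rec['fields']:
            syscall = rec['fields']
        elif 'item' in rec['fields']:
            names.append(rec['fields'].get('name'))
    return syscall, names


if __name__ == '__main__':
    for serial, records in sorted(group_events(SAMPLE_LINES).items()):
        syscall, names = event_summary(records)
        comm = syscall['comm'] if syscall else '<no syscall record>'
        print(serial, comm, names)
```

Grouping by serial is what makes the single-skb change above harmless to a consumer: whether the item records arrive as separate messages or as part of one, the serial, not the message boundary, identifies the event.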