[PATCH] new audit rule interface

Steve Grubb sgrubb at redhat.com
Thu Jan 5 11:27:28 UTC 2006


On Wednesday 04 January 2006 22:36, Amy Griffis wrote:
> I understand the situation you're trying to address, but PATH_MAX may
> not make sense as a bound for other string fields.

Do you know of any that will be bigger? I can't think of any. The size can be 
adjusted up if we ever need to.

> Wouldn't checking the specified string field length against the actual size
> of the provided buffer suffice?

No. We could fall victim to some attack that overflows the variable and 
appears to be correct.

> > > > > +/* Pack a filter field's string representation into data block. */
> > > > > +static inline int audit_pack_string(void **bufp, char *str)
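
Review bot: the signature audit_pack_string(void **bufp, char *str) carries no length for str and no remaining size for the data block behind *bufp, so the bound on the copy cannot be seen or checked at this interface. Consider passing the remaining block size (and a maximum string length) explicitly, and declaring the source as const char *str. The comment should also say what the int return value means and whether *bufp is advanced past the packed string.
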
> > > >
> > > > What calls this?
> > >
> > > This should be called by a consumer from the switch in
> > > audit_krule_to_xprt().
> >
> > I really need to see the consumer to finish evaluating the use of the
> > interface.
>
> Makes sense.  I'll post a consumer patch with the next iteration.

I just need to see a little more. The unpacking I think is all I need to see 
to make sure this interface can't be abused.

-Steve



