[PATCH 2/2] audit string fields interface + consumer
Timothy R. Chavez
tinytim at us.ibm.com
Tue Jan 17 23:05:15 UTC 2006
On Tue, 2006-01-17 at 17:19 -0500, Amy Griffis wrote:
> Here is an update that incorporates changes based on Tim's feedback:
> - sanity check for path with trailing /
> - call path_release
> - use audit_compare_watch
>
> and fixes panics due to the assumption of the existence of
> rule->watch.
>
> diff --git a/kernel/audit.h b/kernel/audit.h
> index f3b2a00..cc979e9 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -52,6 +52,12 @@ enum audit_state {
> };
>
> /* Rule lists */
> +struct audit_watch {
> + char *path; /* watch insertion path */
> + struct list_head mlist; /* entry in master_watchlist */
> + struct list_head rules; /* associated rules */
> +};
> +
> struct audit_field {
> u32 type;
> u32 val;
> @@ -67,6 +73,8 @@ struct audit_krule {
> u32 buflen; /* for data alloc on list rules */
> u32 field_count;
> struct audit_field fields[AUDIT_MAX_FIELDS];
> + struct audit_watch *watch; /* associated watch */
> + struct list_head rlist; /* entry in audit_watch.rules list */
> };
This may not really be that important, but if you switch to hlist_head
you have a 4-byte savings, which is something...
AUDIT_MAX_FIELDS defaults to 64, sizeof(audit_field) is 12-bytes...
768-bytes... 788-bytes per audit_krule?
Not sure if this qualifies as stack abuse though, which is why I say it
might not be that important. I'm still a little concerned about
AUDIT_MAX_FIELDS though... How much of that stack space is actually
being used on average?
-tim
More information about the Linux-audit
mailing list