[PATCH 2/2] Audit: remove the limit on execve arguments when audit is running
Steve Grubb
sgrubb at redhat.com
Fri Oct 5 15:44:57 UTC 2007
On Friday 05 October 2007 11:11:27 Eric Paris wrote:
> My belief is that the solution to this problem is to allow audit to
> break individual arguments down to a size <8k. I guess my syntax would
> be something like
>
> a0[0]=(first 8k of a single huge argument)
> a0[1]=(second 8k of a single huge argument)

Sure, go ahead. Also be sure to test with something that has spaces in the args
to see what happens when the argument gets encoded. I think this will be so
rare that no one will ever see it in practice. Either getopt or the shell
will probably limit the argument size.

I don't recall if the MAX size limit was a define in the previous patch. If
not, I'd suggest making it a define. I can make the audit buffers bigger at
some point, but we'll have to recompile everything that links with libaudit.
So, I'd want to hold off until there is a soname number bump just to make
sure everything gets recompiled. So, a define would allow us to easily raise
the kernel side after user space has been changed for a while.
-Steve
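
The splitting scheme discussed in this message, as an added sketch that is not code from the patch or the kernel: one argument is written as `aN[i]=` pieces under a size limit held in a define, and the encoding decision is made once per argument so that every piece of an argument with spaces is hex. The names `ARG_CHUNK_MAX` and `emit_arg`, the tiny limit, and the rule for when an argument is hex-encoded are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical define: encoded payload bytes per field; tiny so samples split. */
#define ARG_CHUNK_MAX 8

/* Assumed rule: hex-encode if any byte is a space, quote or non-printable. */
static int needs_hex(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)s[i] <= 0x20 || (unsigned char)s[i] >= 0x7f || s[i] == '"')
            return 1;
    return 0;
}

/* Emit aN=... or aN[i]=... lines into out; returns line count, -1 if out is too small. */
int emit_arg(int argno, const char *arg, size_t len, char *out, size_t outsz)
{
    int hex = needs_hex(arg, len);   /* decided once for the whole argument */
    size_t step = hex ? ARG_CHUNK_MAX / 2 : ARG_CHUNK_MAX; /* hex doubles size */
    size_t used = 0, off = 0;
    int split = len > step, lines = 0;

    do {
        size_t n = len - off < step ? len - off : step;
        int w = split ? snprintf(out + used, outsz - used, "a%d[%d]=", argno, lines)
                      : snprintf(out + used, outsz - used, "a%d=", argno);
        if (w < 0 || (size_t)w >= outsz - used)
            return -1;
        used += (size_t)w;
        /* value is 2n hex digits or n bytes plus two quotes, then "\n" and NUL */
        if ((hex ? 2 * n : n + 2) + 2 > outsz - used)
            return -1;
        if (hex)
            for (size_t i = 0; i < n; i++)
                used += (size_t)sprintf(out + used, "%02X", (unsigned char)arg[off + i]);
        else
            used += (size_t)sprintf(out + used, "\"%.*s\"", (int)n, arg + off);
        used += (size_t)sprintf(out + used, "\n");
        off += n; lines++;
    } while (off < len);
    return lines;
}

int main(void)
{
    char buf[128];   /* constructed sample: an argument containing spaces */
    if (emit_arg(0, "a b c d e", 9, buf, sizeof buf) > 0) fputs(buf, stdout);
    return 0;
}
```

Because hex encoding doubles the length, an argument with spaces splits at half as many raw bytes per piece as a plain one does.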