audit netlink multicast code

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Fri Aug 22 03:47:55 UTC 2014


Hi,

it seems that current kernel code sets the nlmsg_len field in multicast audit
netlink messages to a fixed size (16 bytes), and does not include the size
of the payload. I'm forwarding the message from Richard Briggs below in case
someone else runs into the same issue.

On Thu, Aug 21, 2014 at 01:39:24PM -0400, Richard Guy Briggs wrote:
> On 14/08/19, Zbigniew Jędrzejewski-Szmek wrote:
> > I was looking at adding support in journald for reading audit multicast
> > messages, but there's something I don't quite understand. Looking at your
> > example code in http://people.redhat.com/rbriggs/audit-multicast-listen/audit-multicast-listen.c,
> > it seems that nlmsg_len field in the received messages is supposed to contain
> > the length of the header + payload, but it is always set to the size of the
> > header only, i.e. 16. The example program works, because the printf
> > format specifies the minimum width, not "precision", so it simply prints
> > out the payload until the first zero byte. This isn't too much of a problem,
> > but precludes the use of recvmmsg, iiuc?
> > 
> > (gdb) p *(struct nlmsghdr*)nlh
> > $14 = {nlmsg_len = 16, nlmsg_type = 1100, nlmsg_flags = 0, nlmsg_seq = 0, nlmsg_pid = 9910}
> 
> Interesting.  Ok, I thought I had traced down the code to verify that
> nlh->nlmsg_len was properly set by each step before audit_log_end(), but
> it appears the only time it would have been done was at
> audit_buffer_alloc() inside audit_log_start() and never updated after.
> It should arguably be done in audit_log_vformat(), but would be more
> efficient in audit_log_end().  I'll fix it in the latter.
> 
> Thanks for tracking this down!
> 
> > This is with kernel 3.16.1-300.playground.fc21.x86_64.

Zbyszek
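
An added example, not part of the original messages and not taken from the audit-multicast-listen.c program linked above: a receiver-side helper that tolerates the header-only nlmsg_len described in this thread by falling back to the byte count returned by recv(), and prints with a precision instead of relying on a zero byte. The name audit_payload and the sample record text are constructed for illustration; it assumes one audit message per datagram.

```c
#include <linux/netlink.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Locate the text payload of one audit multicast datagram.
 * buf/received: the buffer and byte count returned by recv().
 * Returns the payload length, or -1 if the datagram is malformed.
 * Assumes one audit message per datagram. Hypothetical helper.
 */
ssize_t audit_payload(const void *buf, size_t received, const char **payload)
{
    const size_t hdr = (size_t)NLMSG_HDRLEN;   /* 16 bytes */
    struct nlmsghdr nlh;
    size_t end;

    if (received < hdr)
        return -1;                          /* truncated header */
    memcpy(&nlh, buf, sizeof(nlh));         /* avoid unaligned access */

    if (nlh.nlmsg_len < hdr || nlh.nlmsg_len > received)
        return -1;                          /* field disagrees with buffer */

    /* Header-only nlmsg_len (the case reported here): trust recv(). */
    end = (nlh.nlmsg_len == hdr) ? received : nlh.nlmsg_len;

    *payload = (const char *)buf + hdr;
    return (ssize_t)(end - hdr);
}

int main(void)
{
    /* Constructed datagram: header as in the gdb output, made-up text. */
    struct nlmsghdr h = { .nlmsg_len = 16, .nlmsg_type = 1100, .nlmsg_pid = 9910 };
    const char text[] = "constructed audit record text";
    unsigned char buf[128];
    const char *p;
    ssize_t n;

    memcpy(buf, &h, sizeof(h));
    memcpy(buf + sizeof(h), text, sizeof(text) - 1);   /* no trailing NUL */

    n = audit_payload(buf, sizeof(h) + sizeof(text) - 1, &p);
    if (n < 0)
        return 1;
    printf("type=%u len=%zd msg=%.*s\n", (unsigned)h.nlmsg_type, n, (int)n, p);
    return 0;
}
```

The same helper keeps working once the kernel reports the full length, because a nlmsg_len larger than the header is used as-is after being checked against the received size.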



