[RFC][PATCH] audit: log join and part events to the read-only multicast log socket

Eric Paris eparis at redhat.com
Wed Oct 22 14:30:12 UTC 2014


On Wed, 2014-10-22 at 10:25 -0400, Steve Grubb wrote:

> 12) The struct audit_status was extended to include version and 
> backlog_wait_time. I cannot determine at runtime if they exist, meaning that 
> if software compiled on a new kernel runs on an old kernel, it will be reading 
> random stack or heap to make decisions. The correct solution would be to make 
> a new struct with planned expansion capability with version as the first 
> element so any changes can be signaled. This new struct would be sent using a 
> new netlink command.

Incorrect.  The length of the message makes it perfectly clear how much
data the kernel sent, and thus if that data includes the version or
backlog_wait_time.  I thought this had been discussed before...

The answer is 'check how much data you got from the kernel'
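
The length check described in the reply above, as an added example that is not part of the original message and is not kernel or audit userspace code. The struct layout, the names `status_reply`, `parse_status` and `probe_sample`, and the sample values are assumptions made for illustration; only the two appended fields, `version` and `backlog_wait_time`, are named in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed layout: eight original 32-bit fields, then the two appended fields
 * named in the thread. Names before `version` are illustrative. */
struct status_reply {
    uint32_t mask, enabled, failure, pid;
    uint32_t rate_limit, backlog_limit, lost, backlog;
    uint32_t version;            /* appended field */
    uint32_t backlog_wait_time;  /* appended field */
};
struct parsed_status {
    struct status_reply st;      /* fields the kernel did not send stay zero */
    int has_version;
    int has_backlog_wait_time;
};

/* True when the whole field f lies inside the first len payload bytes. */
#define FIELD_PRESENT(len, f) \
    ((len) >= offsetof(struct status_reply, f) + sizeof(((struct status_reply *)0)->f))

/* payload/len: netlink message payload and its length as taken from the
 * message header. Returns -1 if even the original fields are incomplete. */
int parse_status(const void *payload, size_t len, struct parsed_status *out)
{
    if (!payload || !out || len < offsetof(struct status_reply, version))
        return -1;
    memset(out, 0, sizeof(*out));   /* never leave stack garbage in out */
    memcpy(&out->st, payload, len < sizeof(out->st) ? len : sizeof(out->st));
    out->has_version = FIELD_PRESENT(len, version);
    out->has_backlog_wait_time = FIELD_PRESENT(len, backlog_wait_time);
    if (!out->has_version)          /* drop a partially sent field */
        out->st.version = 0;
    if (!out->has_backlog_wait_time)
        out->st.backlog_wait_time = 0;
    return 0;
}

/* Constructed sample reply cut to len bytes. Returns -1 on a short reply,
 * else bit 0 = version present, bit 1 = backlog_wait_time present. */
int probe_sample(size_t len)
{
    struct status_reply full = { .enabled = 1, .version = 2, .backlog_wait_time = 15000 };
    unsigned char buf[64] = {0};
    struct parsed_status p;
    memcpy(buf, &full, sizeof(full));
    if (parse_status(buf, len > sizeof(buf) ? sizeof(buf) : len, &p) != 0)
        return -1;
    return p.has_version | (p.has_backlog_wait_time << 1);
}
```

A caller that passes the received payload length, rather than `sizeof` of its own compiled-in struct, never reads bytes an older kernel did not send.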



