[RFC][PATCH] audit: log join and part events to the read-only multicast log socket

Steve Grubb sgrubb at redhat.com
Wed Oct 22 14:36:49 UTC 2014


On Wednesday, October 22, 2014 10:30:12 AM Eric Paris wrote:
> On Wed, 2014-10-22 at 10:25 -0400, Steve Grubb wrote:
> > 12) The struct audit_status was extended to include version and
> > backlog_wait_time. I cannot determine at runtime if they exist, meaning
> > that when software compiled on a new kernel runs on an old kernel, it will be
> > reading random stack or heap to make decisions. The correct solution
> > would be to make a new struct with planned expansion capability with
> > version as the first element so any changes can be signaled. This new
> > struct would be sent using a new netlink command.
> 
> Incorrect.  The length of the message makes it perfectly clear how much
> data the kernel sent, and thus if that data includes the version or
> backlog_wait_time.  I thought this had been discussed before...
> 
> The answer is 'check how much data you got from the kernel'

Is the padding the same for all arches? :-)

-Steve
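
The length check discussed in this exchange, as an added example that is not part of the original message or of the audit code base: a receiver decides from the netlink payload length which trailing fields of the status reply were actually sent, and a compile-time assertion covers the padding question. `status_mirror`, `parse_status` and the `ST_HAS_*` flags are hypothetical names, and the layout (ten 32-bit fields, with `version` and `backlog_wait_time` last) is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local mirror of the extended struct audit_status (assumed layout:
 * ten 32-bit fields, the last two being the additions). */
struct status_mirror {
    uint32_t mask, enabled, failure, pid;
    uint32_t rate_limit, backlog_limit, lost, backlog;
    uint32_t version;            /* added later */
    uint32_t backlog_wait_time;  /* added later */
};

/* Every member has the same size and alignment, so no padding is expected;
 * fail the build if some ABI disagrees. */
_Static_assert(sizeof(struct status_mirror) == 10 * sizeof(uint32_t),
               "unexpected padding in status_mirror");

#define FIELD_END(f) (offsetof(struct status_mirror, f) + sizeof(uint32_t))
enum { ST_HAS_VERSION = 1, ST_HAS_BACKLOG_WAIT = 2 };

/* Copy only the whole fields the sender supplied into a zeroed struct.
 * Returns a bitmask of optional fields present, or -1 if the payload is
 * shorter than the original (pre-extension) struct. */
int parse_status(const void *payload, size_t len, struct status_mirror *out)
{
    size_t usable = len - len % sizeof(uint32_t);   /* drop a partial field */
    int flags = 0;

    if (usable < offsetof(struct status_mirror, version))
        return -1;
    if (usable > sizeof(*out))
        usable = sizeof(*out);                      /* ignore unknown newer fields */
    memset(out, 0, sizeof(*out));
    memcpy(out, payload, usable);
    if (usable >= FIELD_END(version))           flags |= ST_HAS_VERSION;
    if (usable >= FIELD_END(backlog_wait_time)) flags |= ST_HAS_BACKLOG_WAIT;
    return flags;
}

int main(void)
{
    uint32_t reply[10] = {0};                       /* constructed sample payload */
    struct status_mirror st;
    reply[8] = 2; reply[9] = 6000;
    printf("old kernel: flags=%d\n", parse_status(reply, 32, &st));
    printf("new kernel: flags=%d\n", parse_status(reply, 40, &st));
    return 0;
}
```

Fields the sender did not supply stay zero in the output struct, so the caller never acts on uninitialised stack or heap contents.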



