[PATCH 2/2] Audit: remove the limit on execve arguments when audit is running

Eric Paris eparis at redhat.com
Fri Oct 5 15:11:27 UTC 2007


On Tue, 2007-10-02 at 17:29 -0400, Eric Paris wrote:
> Remove the limitation on argv size.  The audit system now logs arguments 8k at a
> time so the attempt to keep the size of the execve args smaller than one netlink
> message is no longer a requirement.
> 
> Signed-off-by: Eric Paris <eparis at redhat.com>

I think I need to pull this patch. (uggh)  Turns out that one argument
is allowed to be 32 pages long.  Which is almost guaranteed to OOM a
running i686 in audit_expand when we try to get that much memory.  My
1/2 patch in this series doesn't address the SINGLE argument that is
huge case.  Just that a list of arguments is huge.

My belief is that the solution to this problem is to allow audit to
break individual arguments down to a size <8k.  I guess my syntax would
be something like

a0[0]=(first 8k of a single huge argument)
a0[1]=(second 8k of a single huge argument)
....

My 1/2 patch in this series keeps lists of arguments <8k and if people
are ok with that syntax of messages getting sent to userspace we can
audit single messages >8k.

If this is a good syntax I'll send a patch for it.  Note that I doubt
there are very many programs that can handle a single argument that big,
but the kernel allows it so we need some syntax to support it....

I guess the other options might be to change this audit_bprm hook to
only limit execve args the way it does now if audit is running AND we
are auditing execve, but I'd rather fix this 'right' rather than keep
around this little wart....

Who has a problem with that syntax?  Will userspace puke?

-Eric
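
The a0[0]=, a0[1]= syntax proposed in the mail above, as an added example that is not part of the original message and is not the kernel's or audit-userspace's code: the formatter chunks a single argv entry the way the proposal describes, and the parser shows what the userspace side would have to do to put it back together, including rejecting a chunk that arrives out of order. CHUNK_LEN (8192 for "<8k"), a 4 KiB page (so "32 pages" is 131072 bytes), the function names and the constructed inputs are all assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example of the record syntax proposed in the mail; not kernel or
 * audit-userspace code. CHUNK_LEN is the "<8k" piece size (assumed 8192);
 * PAGE_LEN assumes 4 KiB pages, so a "32 page" argument is 131072 bytes.
 * Values are assumed printable with no whitespace or newlines. */
#define CHUNK_LEN    8192
#define PAGE_LEN     4096
#define HUGE_ARG_LEN (32 * PAGE_LEN)

/* Kernel side: emit argv[idx] as "aN=value\n" when it fits in one chunk,
 * otherwise as "aN[0]=...\n", "aN[1]=...\n", ... each carrying at most
 * CHUNK_LEN payload bytes. Returns records written, or -1 on overflow. */
static int format_arg(char *buf, size_t cap, int idx, const char *arg)
{
    size_t len = strlen(arg), off = 0;
    int n, records = 0;

    if (len <= CHUNK_LEN) {
        n = snprintf(buf, cap, "a%d=%s\n", idx, arg);
        return (n < 0 || (size_t)n >= cap) ? -1 : 1;
    }
    for (size_t pos = 0; pos < len; pos += CHUNK_LEN) {
        size_t piece = len - pos < CHUNK_LEN ? len - pos : CHUNK_LEN;
        n = snprintf(buf + off, cap - off, "a%d[%d]=%.*s\n",
                     idx, records, (int)piece, arg + pos);
        if (n < 0 || (size_t)n >= cap - off)
            return -1;
        off += (size_t)n;
        records++;
    }
    return records;
}

static void free_args(char **out, int n)
{
    for (int i = 0; i < n; i++)
        free(out[i]);
}

/* Userspace side: rebuild argv from newline-separated records. Chunks of
 * one argument must arrive in order (aN[0], aN[1], ...); a malformed or
 * out-of-order record fails the whole parse with -1. out[] receives
 * max_args malloc'd strings (NULL where nothing was seen); the return
 * value is the highest index seen plus one. */
static int parse_args(const char *rec, char **out, int max_args)
{
    int *seen = calloc((size_t)max_args, sizeof *seen); /* chunks per arg */
    int count = 0, bad = 0, idx, chunk, hdr;

    memset(out, 0, (size_t)max_args * sizeof *out);
    for (const char *p = rec; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p), old, vlen;
        char *grown;

        hdr = 0;
        if (sscanf(p, "a%d[%d]=%n", &idx, &chunk, &hdr) != 2 || hdr == 0) {
            chunk = hdr = 0;
            if (sscanf(p, "a%d=%n", &idx, &hdr) != 1 || hdr == 0) { bad = 1; break; }
        }
        /* hdr > linelen catches a header that %d whitespace-skipped past '\n' */
        if (idx < 0 || idx >= max_args || (size_t)hdr > linelen ||
            chunk != seen[idx]) { bad = 1; break; }
        old = out[idx] ? strlen(out[idx]) : 0;
        vlen = linelen - (size_t)hdr;
        if (!(grown = realloc(out[idx], old + vlen + 1))) { bad = 1; break; }
        memcpy(grown + old, p + hdr, vlen);
        grown[old + vlen] = '\0';
        out[idx] = grown;
        seen[idx]++;
        if (idx + 1 > count) count = idx + 1;
        p = nl ? nl + 1 : p + linelen;
    }
    free(seen);
    if (bad) free_args(out, max_args);
    return bad ? -1 : count;
}

/* Constructed argv with one 32-page argument: it must go out as
 * HUGE_ARG_LEN / CHUNK_LEN = 16 records and parse back unchanged. */
int round_trip_demo(void)
{
    const char *argv[3];
    char *back[3] = { NULL, NULL, NULL };
    char *huge = malloc(HUGE_ARG_LEN + 1);
    size_t cap = HUGE_ARG_LEN + 4096, off = 0;
    char *buf = malloc(cap);
    int ok = 1, records[3] = { 0, 0, 0 }, n = 0;

    memset(huge, 'A', HUGE_ARG_LEN);
    huge[HUGE_ARG_LEN] = '\0';
    argv[0] = "/bin/true"; argv[1] = huge; argv[2] = "--flag";
    for (int i = 0; ok && i < 3; i++) {
        records[i] = format_arg(buf + off, cap - off, i, argv[i]);
        ok = records[i] > 0;
        off += ok ? strlen(buf + off) : 0;
    }
    if (ok) {
        n = parse_args(buf, back, 3);
        ok = n == 3 && records[0] == 1 && records[2] == 1 &&
             records[1] == HUGE_ARG_LEN / CHUNK_LEN;
    }
    for (int i = 0; ok && i < 3; i++)
        ok = back[i] && strcmp(back[i], argv[i]) == 0;
    free_args(back, n > 0 ? n : 0);
    free(buf);
    free(huge);
    return ok;
}

/* Constructed malformed input: chunk 1 before chunk 0 must be rejected. */
int rejects_out_of_order(void)
{
    char *out[1];
    return parse_args("a0[1]=xx\na0[0]=yy\n", out, 1) == -1;
}
```

Compile with cc -std=c99 and call round_trip_demo(): the 131072-byte argument leaves as sixteen a1[N]= records, none with more than 8k of payload, which is the point of splitting before anything has to find room for the whole value at once. The parser's in-order check is what makes the syntax safe to consume; without it a dropped or reordered record would silently splice into the wrong argument. The example leaves out the hex-encoding that real audit applies to values containing unprintable or whitespace bytes.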
