watch structure
Timothy R. Chavez
tinytim at us.ibm.com
Mon Apr 4 21:36:10 UTC 2005
On Monday 04 April 2005 03:46 pm, Steve Grubb wrote:
> Hello,
>
> The way that the watch list is passed back currently is a string. This
> diminishes its usefulness. The way it should really be passed back is in a
> structure. This allows each part to have meaning (without parsing) and be
> formatted in userspace as needed. The only problem is the structure is
> defined as follows:
>
> struct audit_watch {
>     uint32_t namelen;
>     uint32_t fklen;
>     char *name;
>     char *filterkey;
>     uint32_t perms;
> };
>
> name and filterkey are pointers. If we changed the structure to this:
>
> struct audit_watch {
>     uint32_t namelen;
>     uint32_t fklen;
>     char name[MAX_PATH];
>     char filterkey[MAX_KEY_LEN];
>     uint32_t perms;
> };
>
> Then the structure can be used bi-directionally. Which brings up another
> point...when the watch is being sent into the kernel, what guarantee do we
> have that the app doesn't disappear by the time the netlink packet is
> dispositioned and the pointers dereferenced?
Yes, I intended to address this later this week. However, I do not plan on
passing them to and from the kernel as structures, but as serialized
strings.
Also, I wouldn't recommend wasting so much space by statically allocating 4096
(or whatever MAX_PATH happens to be) for each name... considering any file
we're interested in auditing is unlikely to be MAX_PATH or even close to
MAX_PATH. Space is more valuable in the kernel, both on the stack and in
memory, than it is in user space.
And the memory should already be copied into the kernel by the time the
process ends.
-tim
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
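The two points argued above, no userspace pointers inside a message that crosses the kernel boundary and no MAX_PATH-sized arrays for every watch, come together in a flat, length-prefixed encoding. The following is an added example written for this page; it is not code from the thread or from the Linux audit subsystem, and every identifier and limit in it (watch_encode, watch_decode, watch_view, WATCH_MAX_NAME, WATCH_MAX_KEY) is hypothetical. The receiver decodes only from a buffer it has already copied out of the message, so the sender exiting after the send cannot change what is parsed, and it checks the declared lengths against both the fixed limits and the number of bytes that actually arrived before touching the payload.

```c
/* Added example, not from the original thread or the audit code: a flat,
 * length-prefixed wire encoding for a watch. Wire layout (little-endian):
 *   u32 namelen | u32 fklen | u32 perms | name[namelen] | filterkey[fklen]
 * No NUL terminators on the wire; the lengths are authoritative, and the
 * message uses WATCH_HDR + namelen + fklen bytes, not sizeof(struct).
 * All identifiers and limits below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WATCH_MAX_NAME 4096u  /* assumed bound, in the spirit of MAX_PATH */
#define WATCH_MAX_KEY    32u  /* assumed bound for the filter key */
#define WATCH_HDR        12u  /* three u32 header fields */

/* Decoded view: the pointers refer into the receiver's own copy of the
 * message, never into the sender's address space. */
struct watch_view {
    uint32_t perms, namelen, fklen;
    const char *name;       /* namelen bytes, not NUL-terminated */
    const char *filterkey;  /* fklen bytes, not NUL-terminated */
};

static void put_u32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}
static uint32_t get_u32(const unsigned char *p)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Sender side. Returns bytes written, or 0 if a field is over its limit
 * or the output buffer is too small. */
size_t watch_encode(const char *name, const char *filterkey, uint32_t perms,
                    unsigned char *out, size_t outlen)
{
    size_t nl = strlen(name), kl = strlen(filterkey);
    if (nl == 0 || nl > WATCH_MAX_NAME || kl > WATCH_MAX_KEY) return 0;
    size_t need = WATCH_HDR + nl + kl;
    if (outlen < need) return 0;
    put_u32(out, (uint32_t)nl);
    put_u32(out + 4, (uint32_t)kl);
    put_u32(out + 8, perms);
    memcpy(out + WATCH_HDR, name, nl);
    memcpy(out + WATCH_HDR + nl, filterkey, kl);
    return need;
}

/* Receiver side, run on a buffer already copied out of the message.
 * Returns 0 on success, -1 on any inconsistency. Check order: header
 * present, declared lengths within limits, declared lengths equal to what
 * actually arrived (no trailing or missing bytes), no embedded NUL in the
 * path. Summing in size_t avoids a 32-bit wraparound of namelen + fklen. */
int watch_decode(const unsigned char *in, size_t inlen, struct watch_view *w)
{
    if (inlen < WATCH_HDR) return -1;
    uint32_t nl = get_u32(in), kl = get_u32(in + 4);
    if (nl == 0 || nl > WATCH_MAX_NAME || kl > WATCH_MAX_KEY) return -1;
    if ((size_t)WATCH_HDR + nl + kl != inlen) return -1;
    if (memchr(in + WATCH_HDR, '\0', nl) != NULL) return -1;
    w->perms = get_u32(in + 8);
    w->namelen = nl;
    w->fklen = kl;
    w->name = (const char *)in + WATCH_HDR;
    w->filterkey = (const char *)in + WATCH_HDR + nl;
    return 0;
}

/* Self-check over a constructed watch; returns the number of checks that
 * passed (expected: 6). The inputs are made up for the example. */
int watch_selftest(void)
{
    unsigned char buf[64], bad[64];
    struct watch_view v;
    int ok = 0;
    size_t n = watch_encode("/etc/shadow", "shadow-key", 6, buf, sizeof buf);
    ok += (n == WATCH_HDR + 11 + 10);                 /* exact size, no padding */
    ok += (watch_decode(buf, n, &v) == 0 && v.perms == 6 &&
           v.namelen == 11 && memcmp(v.name, "/etc/shadow", 11) == 0 &&
           v.fklen == 10 && memcmp(v.filterkey, "shadow-key", 10) == 0);
    ok += (watch_decode(buf, n - 1, &v) == -1);       /* truncated message */
    ok += (watch_decode(buf, 5, &v) == -1);           /* header incomplete */
    memcpy(bad, buf, n); put_u32(bad, 0xffffffffu);
    ok += (watch_decode(bad, n, &v) == -1);           /* declared length lies */
    memcpy(bad, buf, n); bad[WATCH_HDR + 4] = '\0';
    ok += (watch_decode(bad, n, &v) == -1);           /* NUL inside the path */
    return ok;
}

int main(void)
{
    int passed = watch_selftest();
    printf("%d/6 checks passed\n", passed);
    return passed == 6 ? 0 : 1;
}
```

The decoded view keeps pointers, but only into memory the receiver owns; that is the difference between a pointer as a layout convenience and a pointer as a cross-boundary reference that the kernel would have to dereference in another process's address space.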