[RFC][PATCH] new audit rule interface

Steve Grubb sgrubb at redhat.com
Thu Dec 15 15:54:53 UTC 2005


On Thursday 15 December 2005 10:40, Amy Griffis wrote:
> +struct audit_rule_xprt {
> +       __u32           flags;  /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
> +       __u32           action; /* AUDIT_NEVER, AUDIT_POSSIBLE,
> AUDIT_ALWAYS */ +       __u32           field_count;
> +       __u32           mask[AUDIT_BITMASK_SIZE];
> +       __u32           fields[AUDIT_MAX_FIELDS];
> +       __u32           values[AUDIT_MAX_FIELDS];
> +       __u32           buflen; /* total length of string fields */
> +       char            buf[0]; /* string fields buffer */
> +};
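
Review bot: the comment on buflen says it is the total length of the string fields, but nothing in the struct records where one string in buf[] ends and the next begins, so a rule carrying two string fields cannot be split unambiguously. State the delimiting rule in the comments on buf and values (a per-string length, or a required separator), and note beside field_count that it must not exceed AUDIT_MAX_FIELDS, since fields[] and values[] hold only that many entries.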

First of many comments. :)  Thanks for posting this patch.

There is a need to specify more than one string per rule. What I had proposed 
was to simply use the values field as the buflen. Then each string would be 
packed one after another with no terminating NUL. We would scan the fields 
and if it's one associated with a string, the value would indicate the 
length. A payload pointer would be incremented that many bytes and point to 
the beginning of the next string.

We have to have a way to specify more than 1 string per rule.

>+       case AUDIT_ADD_RULE:
>+       case AUDIT_DEL_RULE:
>+               if (nlh->nlmsg_len < sizeof(struct audit_rule_xprt))
>+                       return -EINVAL;
>+               /* fallthrough */
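
Review bot: the length test on nlh->nlmsg_len compares against sizeof(struct audit_rule_xprt) alone, but nlmsg_len counts the netlink header as well as the payload, so a message whose payload is shorter than the struct can still pass. Compare against NLMSG_LENGTH(sizeof(struct audit_rule_xprt)), or test the payload length, and once the fixed part is known to be complete also reject a buflen larger than the bytes that remain after it.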

Along the same lines... checking the packet size to be
sizeof(struct audit_rule_xprt) + buflen would be prudent.

Thanks,
-Steve
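
The packing scheme proposed in this message (string lengths carried in values, strings laid end to end with no NUL), written out as an added example that is not code from the patch or from either poster. The ex_ names, the value of EX_MAX_FIELDS, the field-id threshold that marks a string field, and the pointer-based struct are assumptions made for illustration.

```c
#include <stdint.h>

#define EX_MAX_FIELDS 8        /* assumed; stands in for AUDIT_MAX_FIELDS */
#define EX_STR_FIELD_BASE 100u /* hypothetical: field ids >= 100 carry a string */

struct ex_rule {               /* hypothetical, reduced form of the quoted struct */
    uint32_t field_count;
    uint32_t fields[EX_MAX_FIELDS];
    uint32_t values[EX_MAX_FIELDS]; /* string field: length of its string */
    uint32_t buflen;                /* total bytes in buf */
    const char *buf;                /* strings packed back to back, no NUL */
};

struct ex_str { const char *ptr; uint32_t len; };

/* Walk the packed strings; return how many were found, or -1 if malformed. */
int ex_unpack(const struct ex_rule *r, struct ex_str out[EX_MAX_FIELDS])
{
    uint32_t off = 0;
    int n = 0;

    if (r->field_count > EX_MAX_FIELDS)
        return -1;
    for (uint32_t i = 0; i < r->field_count; i++) {
        if (r->fields[i] < EX_STR_FIELD_BASE)
            continue;                   /* numeric field: values[i] is the value */
        if (r->values[i] > r->buflen - off)
            return -1;                  /* string would run past the buffer */
        out[n].ptr = r->buf + off;
        out[n].len = r->values[i];
        n++;
        off += r->values[i];            /* payload pointer moves to next string */
    }
    return off == r->buflen ? n : -1;   /* leftover bytes are also an error */
}

/* Constructed sample: one numeric field and two strings, "/etc" and "passwd". */
int ex_demo(uint32_t second_len, struct ex_str out[EX_MAX_FIELDS])
{
    struct ex_rule r = { 3, { 1, 100, 101 }, { 500, 4, second_len },
                         10, "/etcpasswd" };
    return ex_unpack(&r, out);
}
```

Because `off` never exceeds `buflen`, the subtraction in the bounds test cannot wrap, so an oversized length supplied in `values` is rejected rather than added to the offset.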



