[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] new audit rule interface



On Thursday 15 December 2005 10:40, Amy Griffis wrote:
> +struct audit_rule_xprt {
> +       __u32           flags;  /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
> +       __u32           action; /* AUDIT_NEVER, AUDIT_POSSIBLE,
> AUDIT_ALWAYS */ +       __u32           field_count;
> +       __u32           mask[AUDIT_BITMASK_SIZE];
> +       __u32           fields[AUDIT_MAX_FIELDS];
> +       __u32           values[AUDIT_MAX_FIELDS];
> +       __u32           buflen; /* total length of string fields */
> +       char            buf[0]; /* string fields buffer */
> +};

First of many comments. :)  Thanks for posting this patch.

There is a need to specify more than one string per rule. What I had proposed 
was to simply use the values field as the buflen. Then each string would be 
packed one after another with no terminating NUL. We would scan the fields 
and if it's one associated with a string, the value would indicate the 
length. A payload pointer would be incremented that many bytes and point to 
the beginning of the next string.

We have to have a way to specify more than 1 string per rule.

>+       case AUDIT_ADD_RULE:
>+       case AUDIT_DEL_RULE:
>+               if (nlh->nlmsg_len < sizeof(struct audit_rule_xprt))
>+                       return -EINVAL;
>+               /* fallthrough */

Along the same lines...checking the packet size to be sizeof(struct 
audit_rule_xprt)  +  buflen   would be prudent.

Thanks,
-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]