[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#5, U2) (resent) filesystem auditing support



On Tuesday 08 March 2005 06:14, David Woodhouse wrote:
> Putting this in the middle of the structure breaks binary compatibility
> with existing audit userspace. I'll shift it to the end.

This is important because the user space tools use glibc-kernheaders' version 
of audit.h. If the offset changes for data elements that are known to 
userspace, bad things happen.

I am wondering if a audit_status size comparison needs to be done upon 
receipt? The userspace tool sends the size like this:

   req.nlh.nlmsg_len    = NLMSG_ALIGN(req.nlh.nlmsg_len) + NLMSG_SPACE(size);

where size comes from sizeof(struct audit_status)

In the kernel, the check is done like this in audit.c line 367:

if (nlh->nlmsg_len < sizeof(struct audit_status))
         return -EINVAL

Shouldn't the check be something more like:

if (nlh->nlmsg_len != sizeof(struct audit_status)+NLMSG_ALIGN(0))
        return -EINVAL

If this is a bad idea, because in it may introduce breakage where older tools 
don't work with newer kernels, maybe we can put a check in the status message 
where it compares the size of the status struct sent vs, the size the kernel 
knows and adds a message saying the userspace tools can't control new 
functionality? I think the status message should tell the user they are out 
of date.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]