[patch] Syscall auditing - move "name=" field to the end

David Woodhouse dwmw2 at infradead.org
Thu Mar 17 19:30:58 UTC 2005


On Thu, 2005-03-17 at 14:17 -0500, Valdis.Kletnieks at vt.edu wrote:
> If you include "whitespace" as a "dubious" character, that would kill
> several birds with one stone.  Then you just need 'name=A:ascii_string'
> or 'name=H:hexstring' and most parsing issues go away.  Works for me...

Untested:

--- linux-2.6.9/kernel/audit.c.auditstr	2005-03-17 19:08:42.000000000 +0000
+++ linux-2.6.9/kernel/audit.c	2005-03-17 19:24:20.000000000 +0000
@@ -731,6 +731,29 @@ void audit_log_format(struct audit_buffe
 	va_end(args);
 }
 
+void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len)
+{
+	int i;
+
+	for (i=0; i<len; i++)
+		audit_log_format(ab, "%02x", buf[i]);
+}
+
+void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
+{
+	const char *p = string;
+
+	while (*p) {
+		if (*p == '"' || *p == ' ' || *p < 0x20 || *p > 0x7f) {
+			audit_log_hex(ab, string, strlen(string));
+			return;
+		}
+		p++;
+	}
+	audit_log_format(ab, "\"%s\"", string);
+}
+
+
 /* This is a helper-function to print the d_path without using a static
  * buffer or allocating another buffer in addition to the one in
  * audit_buffer. */
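Review bot: The upper bound in audit_log_untrustedstring, `*p > 0x7f`, still lets DEL (0x7f) through into the quoted form, so a control byte can reach the log unescaped; testing `*p == '"' || *p < 0x21 || *p > 0x7e` would cover space and DEL together. Bytes above 0x7f are caught only through `char` signedness (by `< 0x20` where char is signed, by the upper bound where it is unsigned), which works but is clearer with a `const unsigned char *p`. The call `audit_log_hex(ab, string, strlen(string))` also passes `const char *` where `const unsigned char *` is declared, and `int i` is compared against `size_t len`; a cast at the call and `size_t i` would fix both. A short comment stating the output contract (a quoted value is literal, an unquoted value is the hex encoding of the whole string) would help anyone parsing these records.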
--- linux-2.6.9/kernel/auditsc.c.auditstr	2005-03-17 19:08:42.000000000 +0000
+++ linux-2.6.9/kernel/auditsc.c	2005-03-17 19:19:41.000000000 +0000
@@ -726,9 +726,10 @@ static void audit_log_exit(struct audit_
 		if (!ab)
 			continue; /* audit_panic has been called */
 		audit_log_format(ab, "item=%d", i);
-		if (context->names[i].name)
-			audit_log_format(ab, " name=%s",
-					 context->names[i].name);
+		if (context->names[i].name) {
+			audit_log_format(ab, "name=");
+			audit_log_untrustedstring(ab, context->names[i].name);
+		}
 		if (context->names[i].ino != (unsigned long)-1)
 			audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
 					     " uid=%d gid=%d rdev=%02x:%02x",
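Review bot: The new call `audit_log_format(ab, "name=");` drops the leading space that the old `" name=%s"` format had, so after the preceding `"item=%d"` the record would read `item=0name=...` with the two fields run together. That defeats the unambiguous-parsing goal of the patch; the call should be `audit_log_format(ab, " name=");`. audit_log_exit starts and ends outside this hunk.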
--- linux-2.6.9/include/linux/audit.h.auditstr	2005-03-17 19:08:42.000000000 +0000
+++ linux-2.6.9/include/linux/audit.h	2005-03-17 19:10:16.000000000 +0000
@@ -232,6 +232,10 @@ extern void		    audit_log_format(struct
 extern void		    audit_log_end(struct audit_buffer *ab);
 extern void		    audit_log_end_fast(struct audit_buffer *ab);
 extern void		    audit_log_end_irq(struct audit_buffer *ab);
+extern void		    audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
+					  size_t len);
+extern void		    audit_log_untrustedstring(struct audit_buffer *ab, 
+						      const char *string);
 extern void		    audit_log_d_path(struct audit_buffer *ab,
 					     const char *prefix,
 					     struct dentry *dentry,
@@ -254,6 +258,8 @@ extern void		    audit_log_lost(const ch
 #define audit_log_end(b) do { ; } while (0)
 #define audit_log_end_fast(b) do { ; } while (0)
 #define audit_log_end_irq(b) do { ; } while (0)
+#define audit_log_hex(a,b,l) do { ; } while (0)
+#define audit_log_untrustedstring(a,s) do { ; } while (0)
 #define audit_log_d_path(b,p,d,v) do { ; } while (0)
 #define audit_set_rate_limit(l) do { ; } while (0)
 #define audit_set_backlog_limit(l) do { ; } while (0)



-- 
dwmw2



