[PATCH 2/2] Audit: remove the limit on execve arguments when audit is running

Peter Zijlstra a.p.zijlstra at chello.nl
Wed Oct 3 16:56:11 UTC 2007


Hi Eric,

Thanks for ridding us of this wart!

On Tue, 2007-10-02 at 17:29 -0400, Eric Paris wrote:
> Remove the limitation on argv size.  The audit system now logs arguments 8k at a
> time so the attempt to keep the size of the execve args smaller than one netlink
> message is no longer a requirement.
> 
> Signed-off-by: Eric Paris <eparis at redhat.com>

Acked-by: Peter Zijlstra <a.p.zijlstra at chello.nl>

> ---
>  kernel/auditsc.c |   10 ----------
>  kernel/sysctl.c  |   11 -----------
>  2 files changed, 0 insertions(+), 21 deletions(-)
> 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index f9f61db..6627fce 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1876,8 +1876,6 @@ int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode
>  	return 0;
>  }
>  
> -int audit_argv_kb = 32;
> -
>  int audit_bprm(struct linux_binprm *bprm)
>  {
>  	struct audit_aux_data_execve *ax;
> @@ -1886,14 +1884,6 @@ int audit_bprm(struct linux_binprm *bprm)
>  	if (likely(!audit_enabled || !context || context->dummy))
>  		return 0;
>  
> -	/*
> -	 * Even though the stack code doesn't limit the arg+env size any more,
> -	 * the audit code requires that _all_ arguments be logged in a single
> -	 * netlink skb. Hence cap it :-(
> -	 */
> -	if (bprm->argv_len > (audit_argv_kb << 10))
> -		return -E2BIG;
> -
>  	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
>  	if (!ax)
>  		return -ENOMEM;
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 53a456e..88e5d06 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -77,7 +77,6 @@ extern int percpu_pagelist_fraction;
>  extern int compat_log;
>  extern int maps_protect;
>  extern int sysctl_stat_interval;
> -extern int audit_argv_kb;
>  
>  /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
>  static int maxolduid = 65535;
> @@ -347,16 +346,6 @@ static ctl_table kern_table[] = {
>  		.mode		= 0644,
>  		.proc_handler	= &proc_dointvec,
>  	},
> -#ifdef CONFIG_AUDITSYSCALL
> -	{
> -		.ctl_name	= CTL_UNNUMBERED,
> -		.procname	= "audit_argv_kb",
> -		.data		= &audit_argv_kb,
> -		.maxlen		= sizeof(int),
> -		.mode		= 0644,
> -		.proc_handler	= &proc_dointvec,
> -	},
> -#endif
>  	{
>  		.ctl_name	= KERN_CORE_PATTERN,
>  		.procname	= "core_pattern",
> 
> 




More information about the Linux-audit mailing list