Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket

On Wednesday, October 22, 2014 10:30:12 AM Eric Paris wrote: > On Wed, 2014-10-22 at 10:25 -0400, Steve Grubb wrote: > > 12) The struct audit_status was extended to include version and > > backlog_wait_time. I cannot determine at runtime if they exist, meaning > > that software compiled on a new kernel runs on an old kernel, it will be > > reading random stack or heap to make decisions. The correct solution > > would be to make a new struct with planned expansion capability with > > version as the first element so any changes can be signaled. This new > > struct would be sent using a new netlink command. > > Incorrect. The length of the message makes it perfectly clear how much > data the kernel sent, and thus if that data includes the version or > backlog_wait_time. I thought this had been discussed before... > > The answer is 'check how much data you got from the kernel' Is the padding the same for all arches? :-)