On Tuesday, September 17, 2013 10:48:02 AM Richard Guy Briggs wrote:
On Wed, Jan 28, 2009 at 11:44:27AM -0600, LC Bruzenak wrote:
> On Wed, 2009-01-28 at 12:15 -0500, Steve Grubb wrote:
> > Offhand, I don't remember why the kernel sets the limit so low. It could
> > be
> > bumped some. How much, I don't know. 4K or 8K would seem fine.
I'm just reading this thread now, relating to
https://bugzilla.redhat.com/show_bug.cgi?id=1007069
> > -Steve
>
> To me the primary thing is consistency with the input text size.
> Seems strange to successfully send in some data and be unable to
> retrieve it.
>
> A secondary concern is - what is the input limit? If the total input
> buffer size is 8K and some of that needs to be used internally (by audit
> lib), maybe it should be clamped at 7K?
I did some tests. I set the format string in the kernel to 8970
characters. In my example, I had a kernel-generated prefix of 133
characters and userspace libaudit-appended suffix of 71 characters
included in the buffer. I got a limit of 8937 characters for the
resulting message sent to auditd. To fill the buffer, my text ended up
being 8733 octets with the message from userspace (including the
libaudit suffix) being 8804. I then deliberately overflowed it and
stopped receiving messages from userspace when the text was 8798
octets, truncating most of the suffix.
This tells me the kernel or auditd limit is 8937. I assume this depends
on netlink buffer structures, which could vary by message or by kernel.
It also tells me the auditctl-buffer limit is 8804. Given the
kernel-generated prefix could be a couple hundred characters, can we set
format string to at least something less than 8937 - 133, if not 8937 -
250(or more)? I'd suggest 8637 as a ballpark. Then, set
MAX_AUDIT_MESSAGE_LENGTH less than that, maybe 200 above 8K. 8K could
be easily accomodated.
Steve, can you give a sense as to the maximum added by libaudit? Do you
have a sense as to the maximum added by the kernel?
This is defined in the ABI:
#define MAX_AUDIT_MESSAGE_LENGTH 8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1
It cannot change without recompiling all of user space. But the kernel always
includes this in any event:
audit_log_format(ab, "audit(%lu.%03lu:%u): ",
t.tv_sec, t.tv_nsec/1000000, serial);
an unsigned is 4 bytes and long unsigned is 8 bytes. Translated to decimal
4026531839
18446744073709551615
So, I'd say the header can occupy 43 bytes max. (All the following numbers
assume maximum size.) Then if you look at the message body, it starts by
logging an identifier "user ", which is 5 bytes. Then:
audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current), uid);
which my count is 29 bytes maximum.
and then session information:
audit_log_format(ab, " auid=%u ses=%u\n", auid, sessionid);
which is 32 characters...but I don't know why the \n is in there. That should
probably be deleted!!
And then task context:
audit_log_format(ab, " subj=%s", ctx);
which can be 262 bytes.
There is also a preamble that occupies 7 bytes before inserting the buffer from
user space. So, adding this all up and subtract from the ABI defined max, I get
8592 as the maximum possible. You can pad that a little bit in case something
changes in the future and maybe call it 8560...which should be plenty big.
-Steve