* Steve Grubb (sgrubb(a)redhat.com) wrote:
> On Friday 29 April 2005 15:41, Chris Wright wrote:
> > We are (in theory, not sure about practice).
>
> The code was in a function called audit_listen that was removed after 0.6.4.

You mean I'm looking at old code, or old code to handle this was removed?
Apologies if I've got the old stuff.

> > Say an exe path of > 990 bytes, or any payload of that size.
>
> That was my concern. Paths can be 4096 bytes. (which is another reason I
> wanted to see test cases with big filenames - to see what all breaks.)
>
> > You should get two fragments, and auditd drops them both. The second
> > I'm suspecting it's pure luck because NLMSG_OK() is looking at audit
> > data as a netlink header.
>
> It has to be coded differently. I'll see if I can create this problem by
> making a long pathname and accessing it while doing syscall auditing.

I just made a kernel module that does it (it requires a patch to kernel
to export the needed symbols). It's just an ugly hack, but it shows
the problem.

thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net
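
An added example, not part of the original message or of the auditd source: NLMSG_OK() only range-checks the length field, so whether a continuation fragment gets rejected depends on what its first bytes happen to be. The buffers and the assumed fragment layout (continuation data carrying no netlink header of its own) are constructed for illustration.

```c
/* Added illustration: buffers below are constructed, not captured audit traffic. */
#include <linux/netlink.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if NLMSG_OK() accepts the first bytes of buf as a netlink header. */
static int accepted_as_header(const void *buf, int len)
{
    struct nlmsghdr hdr;

    if (len < (int)sizeof(hdr))
        return 0;
    memcpy(&hdr, buf, sizeof(hdr));      /* copy out: buf may be unaligned */
    return NLMSG_OK(&hdr, len) ? 1 : 0;
}

/* A complete message: real header followed by 64 bytes of payload. */
int whole_message_ok(void)
{
    unsigned char buf[NLMSG_SPACE(64)];
    struct nlmsghdr hdr = { .nlmsg_len = NLMSG_LENGTH(64) };

    memset(buf, 'A', sizeof(buf));
    memcpy(buf, &hdr, sizeof(hdr));
    return accepted_as_header(buf, (int)sizeof(buf));
}

/* Continuation fragment that begins with path text (assumed layout). */
int text_fragment_ok(void)
{
    unsigned char buf[200];

    memset(buf, 'x', sizeof(buf));
    memcpy(buf, "/very/long/dir", 14);   /* "/ver" reads as a length far above 200 */
    return accepted_as_header(buf, (int)sizeof(buf));
}

/* Continuation fragment whose first four bytes happen to read as 64. */
int binary_fragment_ok(void)
{
    unsigned char buf[200];
    uint32_t first = 64;

    memset(buf, 0, sizeof(buf));
    memcpy(buf, &first, sizeof(first));
    return accepted_as_header(buf, (int)sizeof(buf));
}

int main(void)
{
    printf("whole=%d text=%d binary=%d\n",
           whole_message_ok(), text_fragment_ok(), binary_fragment_ok());
    return 0;
}
```

The text fragment is rejected only because ASCII bytes decode to an oversized length; a receiver that has to handle fragments needs explicit reassembly state rather than running NLMSG_OK() on every buffer it reads.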