To make it possible for userspace tools to verify that all of the args were successfully logged add 2 new pieces of information to the execve audit messages: 1) All messages now start with argc=%d before the logging of a0. 2) When a single large argument is split into multiple records the first of those records will now include a lenX=%d stating the number of bytes in the original aX argument. example: record1: argc=2 a0=test_file record2: len1=12k a1[0]=first 7.5k chunk of a1 argument record3: a1[1]=remainder of a1 argument Signed-off-by: Eric Paris <eparis(a)redhat.com&gt; kernel/auditsc.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b411737..f8ac79b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -836,6 +836,8 @@ static void audit_log_execve_info(struct audit_context *context, p = (const char __user *)axi->mm->arg_start; + audit_log_format(*ab, "argc=%d ", axi->argc); + for (i = 0; i < axi->argc; i++, p += len) { char tmp_buf[12]; /* how many digits are in i? */ @@ -888,6 +890,9 @@ static void audit_log_execve_info(struct audit_context *context, kfree(buf); return; } + if (j == 0) + audit_log_format(*ab, "len%d=%ld ", i, + len + tmplen); audit_log_format(*ab, "a%d[%d]=", i, j); audit_log_untrustedstring(*ab, buf); audit_log_format(*ab, "\n");