On Tuesday 08 March 2005 06:14, David Woodhouse wrote:
> Putting this in the middle of the structure breaks binary compatibility
> with existing audit userspace. I'll shift it to the end.

This is important because the user space tools use glibc-kernheaders' version
of audit.h. If the offset changes for data elements that are known to
userspace, bad things happen.

I am wondering if an audit_status size comparison needs to be done upon
receipt? The userspace tool sends the size like this:

    req.nlh.nlmsg_len = NLMSG_ALIGN(req.nlh.nlmsg_len) + NLMSG_SPACE(size);

where size comes from sizeof(struct audit_status).

In the kernel, the check is done like this in audit.c line 367:

    if (nlh->nlmsg_len < sizeof(struct audit_status))
        return -EINVAL;

Shouldn't the check be something more like:

    if (nlh->nlmsg_len != sizeof(struct audit_status)+NLMSG_ALIGN(0))
        return -EINVAL;

If this is a bad idea, because it may introduce breakage where older tools
don't work with newer kernels, maybe we can put a check in the status message
where it compares the size of the status struct sent vs. the size the kernel
knows and adds a message saying the userspace tools can't control new
functionality? I think the status message should tell the user they are out
of date.
-Steve
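
Added example, not part of the original message and not kernel or audit userspace code: it shows why a field inserted mid-structure moves offsets that old binaries rely on while an appended field does not, and a size-tolerant receive that flags an out-of-date sender. The struct layouts, field names and read_status() are hypothetical, and len is the payload length with the netlink header already stripped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layouts for illustration; NOT the real struct audit_status. */
struct status_old { uint32_t mask, enabled, pid; };           /* what old tools were built with */
struct status_mid { uint32_t mask, enabled, backlog, pid; };  /* new field inserted in the middle */
struct status_end { uint32_t mask, enabled, pid, backlog; };  /* new field appended at the end */

enum { PEER_SAME = 0, PEER_OLDER = 1, PEER_NEWER = 2 };

/* 1 if "pid" is still where a binary built against status_old expects it. */
int pid_offset_kept_mid(void)
{
    return offsetof(struct status_old, pid) == offsetof(struct status_mid, pid);
}

int pid_offset_kept_end(void)
{
    return offsetof(struct status_old, pid) == offsetof(struct status_end, pid);
}

/*
 * Receiver side: accept any payload at least as long as the oldest layout,
 * copy only the bytes both sides know, zero the rest, and report whether
 * the sender's struct is older or newer than ours. Returns -1 if too short.
 */
int read_status(const void *payload, size_t len, struct status_end *out)
{
    size_t n = len < sizeof(*out) ? len : sizeof(*out);

    if (len < sizeof(struct status_old))
        return -1;
    memset(out, 0, sizeof(*out));
    memcpy(out, payload, n);
    if (len < sizeof(*out))
        return PEER_OLDER;   /* sender cannot set the newer fields */
    return len > sizeof(*out) ? PEER_NEWER : PEER_SAME;
}

int main(void)
{
    struct status_old from_old_tool = { 1, 1, 4242 };  /* constructed sample */
    struct status_end st;
    int peer = read_status(&from_old_tool, sizeof(from_old_tool), &st);

    printf("mid keeps pid offset: %d, end keeps pid offset: %d\n",
           pid_offset_kept_mid(), pid_offset_kept_end());
    printf("peer=%d pid=%u backlog=%u\n", peer, (unsigned)st.pid, (unsigned)st.backlog);
    return 0;
}
```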