On Monday 04 April 2005 03:46 pm, Steve Grubb wrote:
> Hello,
> The way that the watch list is passed back currently is a string. This
> diminishes its usefulness. The way it should really be passed back is in a
> structure. This allows each part to have meaning (without parsing) and be
> formatted in userspace as needed. The only problem is the structure is
> defined as follows:
> #include <stdint.h>
>
> struct audit_watch {
> 	uint32_t namelen;	/* length of name */
> 	uint32_t fklen;		/* length of filterkey */
> 	char *name;		/* pointer, only meaningful in the sender's address space */
> 	char *filterkey;	/* likewise */
> 	uint32_t perms;
> };
> name and filterkey are pointers. If we changed the structure to this:
> #include <stdint.h>
>
> /* MAX_PATH and MAX_KEY_LEN are assumed to be defined elsewhere */
> struct audit_watch {
> 	uint32_t namelen;
> 	uint32_t fklen;
> 	char name[MAX_PATH];		/* inline storage, no pointer to dereference */
> 	char filterkey[MAX_KEY_LEN];
> 	uint32_t perms;
> };
> Then the structure can be used bi-directionally. Which brings up another
> point...when the watch is being sent into the kernel, what guarantee do we
> have that the app doesn't disappear by the time the netlink packet is
> dispositioned and the pointers dereferenced?
Yes, I intended to address this later this week. However, I do not plan on
passing them to and from the kernel as structures, but as serialized
strings.
Also, I wouldn't recommend wasting so much space by statically allocating 4096
(or whatever MAX_PATH happens to be) for each name... considering any file
we're interested in auditing is unlikely to be MAX_PATH or even close to
MAX_PATH. Space is more valuable in the kernel, both on the stack and in
memory, than it is in user space.
And the memory should already be copied into the kernel by the time the
process ends.
-tim
> -Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
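The two messages above argue about three ways of moving a watch between userspace and the kernel: a struct carrying pointers (unsafe, because the pointers mean nothing in the receiver's address space and the sender may be gone), a struct with fixed MAX_PATH arrays (safe but wasteful), and Tim's preferred serialized strings. The following is an added C example, written for this page and not code from the linux-audit project or from either author. It shows the serialized approach with length-prefixed fields and a receiver that validates every length against the message size before copying anything. The wire layout (`namelen | fklen | perms | name bytes | filterkey bytes`), the caps `WATCH_MAX_NAME` and `WATCH_MAX_KEY`, the function names, the `0x6` perms value and the sample path and key are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* In-memory form of a watch, mirroring the struct quoted in the thread.
 * The pointers are only valid inside one address space, which is why they
 * cannot be carried across the netlink boundary as-is. */
struct audit_watch {
    uint32_t namelen;
    uint32_t fklen;
    const char *name;
    const char *filterkey;
    uint32_t perms;
};

/* Constructed wire layout for this example (not the audit subsystem's real
 * format): u32 namelen | u32 fklen | u32 perms | name bytes | filterkey bytes.
 * Lengths exclude any NUL terminator. The caps are hypothetical. */
#define WATCH_HDR_LEN  12
#define WATCH_MAX_NAME 4096
#define WATCH_MAX_KEY  32

static void put_u32(unsigned char *p, uint32_t v) { memcpy(p, &v, sizeof v); }
static uint32_t get_u32(const unsigned char *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }

/* Sender side: flatten the watch into buf. Returns bytes written, or 0 when a
 * field exceeds its cap or buf is too small. */
size_t watch_serialize(const struct audit_watch *w, unsigned char *buf, size_t buflen)
{
    if (w->namelen > WATCH_MAX_NAME || w->fklen > WATCH_MAX_KEY)
        return 0;
    size_t need = WATCH_HDR_LEN + (size_t)w->namelen + w->fklen;
    if (need > buflen)
        return 0;
    put_u32(buf, w->namelen);
    put_u32(buf + 4, w->fklen);
    put_u32(buf + 8, w->perms);
    memcpy(buf + WATCH_HDR_LEN, w->name, w->namelen);
    memcpy(buf + WATCH_HDR_LEN + w->namelen, w->filterkey, w->fklen);
    return need;
}

/* Receiver side: every length comes from the message, so each one is checked
 * against msglen and against the caller's storage before any copy. Strings are
 * copied into caller-owned buffers (the analogue of copying into the kernel
 * before the sending process can exit). Returns 0 on success, -1 if malformed. */
int watch_parse(const unsigned char *msg, size_t msglen, struct audit_watch *out,
                char *name, size_t namecap, char *key, size_t keycap)
{
    if (msglen < WATCH_HDR_LEN)
        return -1;                              /* truncated header */
    uint32_t namelen = get_u32(msg);
    uint32_t fklen   = get_u32(msg + 4);
    uint32_t perms   = get_u32(msg + 8);
    if (namelen > WATCH_MAX_NAME || fklen > WATCH_MAX_KEY)
        return -1;                              /* caps bound the sum below, so it cannot overflow */
    if ((size_t)namelen + fklen != msglen - WATCH_HDR_LEN)
        return -1;                              /* payload must match the header exactly */
    if (namelen >= namecap || fklen >= keycap)
        return -1;                              /* leave room for the NUL we append */
    const unsigned char *np = msg + WATCH_HDR_LEN;
    const unsigned char *kp = np + namelen;
    if (memchr(np, '\0', namelen) || memchr(kp, '\0', fklen))
        return -1;                              /* an embedded NUL would silently shorten the string */
    memcpy(name, np, namelen); name[namelen] = '\0';
    memcpy(key, kp, fklen);    key[fklen] = '\0';
    out->namelen = namelen; out->fklen = fklen; out->perms = perms;
    out->name = name; out->filterkey = key;
    return 0;
}

/* Round-trips a constructed watch; returns 1 when the parsed copy matches. */
int demo_roundtrip(void)
{
    const char *path = "/etc/shadow";           /* constructed sample values */
    const char *fk = "shadow-watch";
    struct audit_watch in = { (uint32_t)strlen(path), (uint32_t)strlen(fk), path, fk, 0x6 };
    unsigned char wire[256];
    size_t n = watch_serialize(&in, wire, sizeof wire);
    if (n != WATCH_HDR_LEN + strlen(path) + strlen(fk))
        return 0;
    struct audit_watch out; char nbuf[64], kbuf[64];
    if (watch_parse(wire, n, &out, nbuf, sizeof nbuf, kbuf, sizeof kbuf) != 0)
        return 0;
    return strcmp(out.name, path) == 0 && strcmp(out.filterkey, fk) == 0 && out.perms == in.perms;
}

/* Feeds three malformed messages to the parser; returns 1 when all are rejected. */
int demo_rejects_malformed(void)
{
    struct audit_watch w; char n[8], k[8];
    unsigned char bad[20] = {0};
    put_u32(bad, 100);                          /* header claims 100 name bytes, only 8 follow */
    int r1 = watch_parse(bad, sizeof bad, &w, n, sizeof n, k, sizeof k);
    int r2 = watch_parse(bad, 5, &w, n, sizeof n, k, sizeof k);   /* shorter than the header */
    unsigned char nul[WATCH_HDR_LEN + 3] = {0};
    put_u32(nul, 3);                            /* name is "a\0b": embedded NUL */
    nul[WATCH_HDR_LEN] = 'a'; nul[WATCH_HDR_LEN + 2] = 'b';
    int r3 = watch_parse(nul, sizeof nul, &w, n, sizeof n, k, sizeof k);
    return r1 == -1 && r2 == -1 && r3 == -1;
}

int main(void)
{
    printf("roundtrip: %s\n", demo_roundtrip() ? "ok" : "FAIL");
    printf("malformed rejected: %s\n", demo_rejects_malformed() ? "ok" : "FAIL");
    return 0;
}
```

The point of the parser is that nothing in the message is trusted until it has been compared with `msglen`: a header that claims more bytes than were received, a message shorter than the header, and a name with an embedded NUL are all rejected before any copy is made, and the receiver ends up holding its own copy of the strings, so the sender's lifetime no longer matters.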