Eric, thanks for making the changes.
-- ljk
Eric Paris wrote:
> To make it possible for userspace tools to verify that all of the args
> were successfully logged add 2 new pieces of information to the execve
> audit messages:
>
> 1) All messages now start with argc=%d before the logging of a0.
> 2) When a single large argument is split into multiple records the first
> of those records will now include a lenX=%d stating the number of bytes
> in the original aX argument.
>
> example:
>
> record1: argc=2 a0=test_file
> record2: len1=12k a1[0]=first 7.5k chunk of a1 argument
> record3: a1[1]=remainder of a1 argument
>
> Signed-off-by: Eric Paris <[EMAIL PROTECTED]>
>
> kernel/auditsc.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index b411737..f8ac79b 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -836,6 +836,8 @@ static void audit_log_execve_info(struct audit_context
> *context,
>
> p = (const char __user *)axi->mm->arg_start;
>
> + audit_log_format(*ab, "argc=%d ", axi->argc);
> +
> for (i = 0; i < axi->argc; i++, p += len) {
> char tmp_buf[12];
> /* how many digits are in i? */
> @@ -888,6 +890,9 @@ static void audit_log_execve_info(struct audit_context
> *context,
> kfree(buf);
> return;
> }
> + if (j == 0)
> + audit_log_format(*ab, "len%d=%ld ", i,
> + len + tmplen);
> audit_log_format(*ab, "a%d[%d]=", i, j);
> audit_log_untrustedstring(*ab, buf);
> audit_log_format(*ab, "\n");
>
>
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
