Hi - I'm working on an LKM for a security software product that does real-time file system change monitoring. The product has been in the field for a number of years and in use by many customers with great success.
Recently we ran into an installation that is making use of Audit in addition to some Symantec products along with our product. This "stack" of security and detection software all running simultaneously is causing an issue that they're blaming on our driver.

After lots of digging, the real issue is that the audit_context->name_count is growing during certain syscall paths (sys_rename in particular), and at some point a getname() (which ends up in audit_getname()) is called that hits the following line in auditsc.c:

BUG_ON(context->name_count >= AUDIT_NAMES);

This is on RHEL 5.8 with a 2.6.18-330el5 kernel, but looking at kernel sources shows this same code exists in most of the 2.6 kernel lines.

The question is this: Is there any sane way for my code to check that name_count value in current->audit_context BEFORE calling getname() so I can avoid the BUG_ON and subsequent mayhem that ensues? I'd rather fail gracefully than crash their system every time too many people call getname().

Unfortunately the structure definition for audit_context is inside the C file, which makes it opaque to my LKM code. That structure changes enough between kernel versions that it would be difficult (and stupid anyway) to put a manual "copy" of the structure definition in my own code so that I could access that value.

My own code only uses a maximum of 4 of the available AUDIT_NAMES (20) slots in the audit_context structure. It's the presence of other third-party LKMs and their use of Audit that is causing this condition, and the reason it is somewhat beyond my control.

Any suggestions or hints would be greatly appreciated! Thanks to all!

- Andy

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
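An added user-space model of the failure mode this post describes (not the poster's driver and not kernel code): a per-syscall name table of AUDIT_NAMES slots that every getname() fills, the BUG_ON behaviour beside a checked variant that refuses the slot instead, and a simulation of one sys_rename with several stacked LKMs. The struct layout, the two names recorded by sys_rename itself, and the path strings are assumptions.

```c
/* Added user-space model (not kernel code) of the per-syscall audit name
 * table the post describes: AUDIT_NAMES slots that every getname() fills
 * and audit_syscall_exit() drains. audit_getname() hits BUG_ON when the
 * table is full; the checked variant shows the graceful failure the poster
 * wants. Struct layout and "2 names per sys_rename" are assumptions. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_NAMES 20                       /* limit quoted in the post */
struct audit_context {                       /* simplified stand-in */
    int  name_count;
    char names[AUDIT_NAMES][64];
};

/* As described in the post: fatal once the table is full. */
void audit_getname_bug(struct audit_context *ctx, const char *name)
{
    if (ctx->name_count >= AUDIT_NAMES)
        abort();                             /* stands in for BUG_ON() */
    strncpy(ctx->names[ctx->name_count], name, 63);
    ctx->names[ctx->name_count++][63] = '\0';
}

/* Graceful alternative: refuse the slot instead of taking the box down. */
int audit_getname_checked(struct audit_context *ctx, const char *name)
{
    if (ctx->name_count >= AUDIT_NAMES)
        return -ENOSPC;
    strncpy(ctx->names[ctx->name_count], name, 63);
    ctx->names[ctx->name_count++][63] = '\0';
    return 0;
}

struct sim_result { int name_count; int refused; };
/* One sys_rename: the syscall records old and new path, then each of
 * `modules` stacked LKMs records `per_module` names of its own. */
struct sim_result simulate_rename(int modules, int per_module)
{
    struct audit_context ctx = { 0 };
    struct sim_result r = { 0, 0 };
    audit_getname_checked(&ctx, "/srv/data/old.txt");  /* constructed */
    audit_getname_checked(&ctx, "/srv/data/new.txt");
    for (int m = 0; m < modules; m++)
        for (int n = 0; n < per_module; n++)
            if (audit_getname_checked(&ctx, "/srv/data/new.txt") != 0)
                r.refused++;
    r.name_count = ctx.name_count;
    return r;
}
```

With one module using 4 slots the table holds 6 names; with five such modules stacked on the same rename, 22 names are requested and the last 2 are refused rather than panicking.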
