From: Steve Grubb
Subject: Re: [PATCH 2/2] Audit: remove the limit on execve arguments when audit is running
Date: Fri, 5 Oct 2007 11:44:57 -0400
Message-ID: <200710051144.58454.sgrubb@redhat.com>
References: <1191360589.9506.34.camel@localhost.localdomain> <1191597087.3198.7.camel@dhcp231-215.rdu.redhat.com>
In-Reply-To: <1191597087.3198.7.camel@dhcp231-215.rdu.redhat.com>
To: Eric Paris
Cc: linux-audit@redhat.com, a.p.zijlstra@chello.nl
List-Id: linux-audit@redhat.com

On Friday 05 October 2007 11:11:27 Eric Paris wrote:
> My belief is that the solution to this problem is to allow audit to
> break individual arguments down to a size <8k. I guess my syntax would
> be something like
>
> a0[0]=(first 8k of a single huge argument)
> a0[1]=(second 8k of a single huge argument)

Sure go ahead. Also be sure to test with something that has spaces in the args
to see what happens when the argument gets encoded. I think this will be so
rare that no one will ever see it in practice. Either getopt or the shell
will probably limit the argument size.

I don't recall if the MAX size limit was a define in the previous patch. If
not, I'd suggest making it a define. I can make the audit buffers bigger at
some point, but we'll have to recompile everything that links with libaudit.
So, I'd want to hold off until there is a soname number bump just to make
sure everything gets recompiled. So, a define would allow us to easily raise
the kernel side after user space has been changed for a while.

-Steve
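
The chunked syntax proposed in the quoted text, and why an argument containing spaces is the case worth testing, shown as an added example (not code from this thread, the kernel or libaudit): hex encoding doubles an argument's size, so the raw chunk length has to be derived from the encoded budget. The `a0[k]=` naming comes from the quoted proposal; the function names, the character budget and the choice of one encoding per argument are assumptions made for the illustration.

```python
import re

# Assumed per-field budget in characters: the "<8k" figure from the thread.
MAX_FIELD = 8192
FIELD = re.compile(r'^a(\d+)(?:\[(\d+)\])?=(.*)$')

def needs_hex(arg):
    # audit's untrusted-string rule: hex-encode when any byte is a double
    # quote, a space or control character, or outside printable ASCII.
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in arg)

def emit_fields(index, arg, limit=MAX_FIELD):
    """Format one execve argument as one field, or as aN[k] chunk fields."""
    hexed = needs_hex(arg)
    # Hex doubles the size and quoting adds two characters, so the raw
    # chunk size has to be derived from the encoded budget.
    step = limit // 2 if hexed else limit - 2
    chunks = [arg[i:i + step] for i in range(0, len(arg), step)] or [b""]
    enc = (lambda c: c.hex().upper()) if hexed else (lambda c: '"%s"' % c.decode("ascii"))
    if len(chunks) == 1:
        return ["a%d=%s" % (index, enc(chunks[0]))]
    return ["a%d[%d]=%s" % (index, k, enc(c)) for k, c in enumerate(chunks)]

def decode_value(value):
    # Quoted values are literal; anything else is hex.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].encode("ascii")
    return bytes.fromhex(value)

def reassemble(fields):
    """Rebuild the argument list; refuse records with a missing chunk."""
    parts = {}
    for field in fields:
        m = FIELD.match(field)
        if m:
            parts.setdefault(int(m[1]), {})[int(m[2] or 0)] = decode_value(m[3])
    args = []
    for index in sorted(parts):
        chunks = parts[index]
        if sorted(chunks) != list(range(len(chunks))):
            raise ValueError("a%d: chunk missing from record" % index)
        args.append(b"".join(chunks[k] for k in range(len(chunks))))
    return args

if __name__ == "__main__":
    # Constructed sample: a tiny 16-character budget makes the split visible.
    argv = [b"ls", b"x" * 30, b"hello world, audit"]
    record = [f for i, a in enumerate(argv) for f in emit_fields(i, a, 16)]
    print("\n".join(record))
    assert reassemble(record) == argv
```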