From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: [PATCH 4/3] Audit: add argc and len fields for split records
Date: Tue, 09 Oct 2007 16:34:28 -0400
Message-ID: <1191962068.3202.11.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

To make it possible for userspace tools to verify that all of the args were successfully logged add 2 new pieces of information to the execve audit messages:

1) All messages now start with argc=%d before the logging of a0.
2) When a single large argument is split into multiple records the first of those records will now include a lenX=%d stating the number of bytes in the original aX argument.

example:
record1: argc=2 a0=test_file
record2: len1=12k a1[0]=first 7.5k chunk of a1 argument
record3: a1[1]=remainder of a1 argument

Signed-off-by: Eric Paris

kernel/auditsc.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b411737..f8ac79b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -836,6 +836,8 @@ static void audit_log_execve_info(struct audit_context *context, p = (const char __user *)axi->mm->arg_start; + audit_log_format(*ab, "argc=%d ", axi->argc); + for (i = 0; i < axi->argc; i++, p += len) { char tmp_buf[12]; /* how many digits are in i? */ @@ -888,6 +890,9 @@ static void audit_log_execve_info(struct audit_context *context, kfree(buf); return; } + if (j == 0) + audit_log_format(*ab, "len%d=%ld ", i, + len + tmplen); audit_log_format(*ab, "a%d[%d]=", i, j); audit_log_untrustedstring(*ab, buf); audit_log_format(*ab, "\n");
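
Review bot: in the first hunk (@@ -836,6 +836,8 @@) argc= is written once, ahead of the for loop, so only the first record of an execve event carries it, while the changelog says "All messages now start with argc=%d"; the changelog's own example also shows argc only on record1. Suggest rewording the changelog (for instance "the first record now starts with argc=%d") and adding a short comment above the call saying the field is emitted once per event, so that tool authors do not expect it on the continuation records.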
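
Review bot: in the second hunk (@@ -888,6 +890,9 @@) the new call prints len + tmplen with "%ld", but the declarations of len and tmplen are outside the visible context, so this hunk alone does not confirm that the sum has type long; please check the types and either cast the argument or change the format to match. A one-line comment above the if (j == 0) saying what len + tmplen covers at that point (the whole original argument, and whether the terminating NUL is counted) would also help, since userspace is meant to compare this number against the bytes it reassembles from the a%d[%d] chunks. The changelog example shows len1=12k, whereas this call prints a plain decimal count, so the example could show a number instead.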
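
A userspace completeness check of the kind the commit message describes, as an added example that is not part of the original mail or of any audit tool. The names `FIELD`, `decode` and `verify_execve` are hypothetical, the sample records are constructed, and the code assumes that unsplit arguments appear as `aX=`, that `lenX` is a decimal byte count, and that it equals the total decoded size of all `aX[...]` chunks.

```python
import re

# Field shapes from the patch: "argc=%d ", "len%d=%ld ", "a%d[%d]=".
# Assumed (not in the hunks): "a%d=" for an argument that was not split.
FIELD = re.compile(r'\b(argc|len(\d+)|a(\d+)(?:\[(\d+)\])?)=("[^"]*"|\S+)')

def decode(value):
    # Assumption: a value is "quoted" text or bare hex, the two forms
    # audit_log_untrustedstring() writes; anything else is kept as raw text.
    if value.startswith('"') and value.endswith('"') and len(value) >= 2:
        return value[1:-1].encode()
    try:
        return bytes.fromhex(value)
    except ValueError:
        return value.encode()

def verify_execve(records):
    """Return the problems found in the records of one execve event."""
    argc, lens, chunks = None, {}, {}
    for rec in records:
        for name, len_i, arg_i, chunk_j, value in FIELD.findall(rec):
            if name == "argc":
                argc = int(value)
            elif len_i:
                lens[int(len_i)] = int(value)  # decimal bytes, as "%ld" prints
            else:
                chunks.setdefault(int(arg_i), {})[int(chunk_j or 0)] = decode(value)
    if argc is None:
        return ["no argc field, cannot tell how many arguments to expect"]
    problems = []
    for i in range(argc):
        parts = chunks.get(i)
        if parts is None:
            problems.append(f"a{i} missing")
            continue
        if sorted(parts) != list(range(len(parts))):
            problems.append(f"a{i}: gap in chunk indexes {sorted(parts)}")
        # Assumption: lenX is the total decoded size of all aX chunks.
        logged = sum(len(b) for b in parts.values())
        if i in lens and logged != lens[i]:
            problems.append(f"a{i}: len{i}={lens[i]} but {logged} bytes logged")
    return problems

# Constructed sample records (not captured from a real system).
COMPLETE = ['argc=2 a0="test_file"', 'len1=6 a1[0]="abc"', 'a1[1]="def"']
LOST_CHUNK = COMPLETE[:2]                # the record carrying a1[1] never arrived
LOST_ARG = ['argc=3 a0="ls" a1="-l"']    # a2 was never logged

if __name__ == "__main__":
    for label, recs in [("complete", COMPLETE), ("lost chunk", LOST_CHUNK),
                        ("lost arg", LOST_ARG)]:
        print(label, verify_execve(recs))
```

Without `argc` a dropped trailing argument is indistinguishable from a shorter command line, and without `lenX` a dropped final chunk is indistinguishable from a shorter argument; these are the two cases the check reports.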