From mboxrd@z Thu Jan 1 00:00:00 1970
From: Linda Knippers
Subject: Re: [PATCH 4/3] Audit: add argc and len fields for split records
Date: Tue, 09 Oct 2007 18:53:18 -0400
Message-ID: <470C065E.8080009@hp.com>
References: <1191962068.3202.11.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
In-Reply-To: <1191962068.3202.11.camel@localhost.localdomain>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Eric Paris
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Eric, thanks for making the changes.

-- ljk

Eric Paris wrote:
> To make it possible for userspace tools to verify that all of the args
> were successfully logged add 2 new pieces of information to the execve
> audit messages:
>
> 1) All messages now start with argc=%d before the logging of a0.
> 2) When a single large argument is split into multiple records the first
> of those records will now include a lenX=%d stating the number of bytes
> in the original aX argument.
>
> example:
>
> record1: argc=2 a0=test_file
> record2: len1=12k a1[0]=first 7.5k chunk of a1 argument
> record3: a1[1]=remainder of a1 argument
>
> Signed-off-by: Eric Paris
>
> kernel/auditsc.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index b411737..f8ac79b 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -836,6 +836,8 @@ static void audit_log_execve_info(struct audit_context *context, > > p = (const char __user *)axi->mm->arg_start; > > + audit_log_format(*ab, "argc=%d ", axi->argc); > + > for (i = 0; i < axi->argc; i++, p += len) { > char tmp_buf[12]; > /* how many digits are in i? */
> @@ -888,6 +890,9 @@ static void audit_log_execve_info(struct audit_context *context, > kfree(buf); > return; > } > + if (j == 0) > + audit_log_format(*ab, "len%d=%ld ", i, > + len + tmplen); > audit_log_format(*ab, "a%d[%d]=", i, j); > audit_log_untrustedstring(*ab, buf); > audit_log_format(*ab, "\n"); > >
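
Review bot: in the first hunk, `argc=%d ` is written once, ahead of the `for` loop, so only the first record of an execve event carries it. The continuation records that follow each `"\n"` when an argument is split (record2 and record3 in the commit message example) have no argc, and a tool that starts reading mid-event cannot tell how many aN fields to expect. If that is intended, a one-line comment above the call saying that argc appears only in the first record would save parser authors from guessing. Also check that `%d` matches the declared type of `axi->argc`, which is not visible in this hunk.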
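
Review bot: in the second hunk, the `if (j == 0)` branch prints `len + tmplen` with `len%d=%ld`, and nothing visible here shows that this sum is still the full length of argument i at that point, or that it has type long. Please add a comment stating what the sum represents and whether it counts the terminating NUL, since userspace will compare it against the bytes it reassembles from the `a%d[%d]=` chunks, and cast the value or change the specifier if `len` and `tmplen` are not long. The commit message example shows `len1=12k`, while this format prints a plain decimal byte count, so the example should be brought in line with the code.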
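
The userspace check that the quoted commit message makes possible, as an added example that is not part of the patch or of any audit tool. The function name and the sample records are constructed here, and the code assumes values are plain tokens without whitespace and that lenX counts exactly the bytes carried in the aX[j] chunks.

```python
import re

# Constructed records in the layout the commit message describes.
# Assumption: values are plain, whitespace-free tokens (no quoting or hex).
SAMPLE = [
    "argc=3 a0=test_file",
    "len1=10 a1[0]=AAAAAA",
    "a1[1]=BBBB",
    "a2=-v",
]

# argc=N | lenX=N | aX=value | aX[j]=value, only at the start of a token
FIELD = re.compile(r"(?<!\S)(argc|len(\d+)|a(\d+)(?:\[(\d+)\])?)=(\S*)")

def verify_execve(records):
    """Return a list of problems; an empty list means every arg is accounted for."""
    argc = None
    declared = {}  # arg index -> lenX value from the first split record
    chunks = {}    # arg index -> {chunk index: text}
    whole = {}     # arg index -> text of an unsplit argument
    for rec in records:
        for name, len_i, arg_i, chunk_j, value in FIELD.findall(rec):
            if name == "argc":
                argc = int(value)
            elif len_i:
                declared[int(len_i)] = int(value)
            elif chunk_j:
                chunks.setdefault(int(arg_i), {})[int(chunk_j)] = value
            else:
                whole[int(arg_i)] = value
    if argc is None:
        return ["no argc field: cannot tell how many arguments to expect"]
    problems = []
    for i in range(argc):
        if i in whole:
            continue
        parts = chunks.get(i)
        if not parts:
            problems.append(f"a{i} missing")
            continue
        if sorted(parts) != list(range(len(parts))):
            problems.append(f"a{i} has a gap in chunk numbering")
        got = sum(len(v.encode()) for v in parts.values())
        if i not in declared:
            problems.append(f"a{i} split but no len{i}")
        elif got != declared[i]:
            problems.append(f"a{i}: len{i}={declared[i]} but {got} bytes logged")
    return problems
```
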