On Thu, Oct 31, 2013 at 12:25:55PM -0700, William Roberts wrote:
> > + if (msg_type != AUDIT_USER_TTY) {
> > + char fmt[64];
> > + strcat(fmt, " msg='%.");
> > + strcat(fmt, "AUDIT_MESSAGE_TEXT_MAX");
> > + strcat(fmt, "s'");
> > + audit_log_format(ab, fmt, (char *)data);
> > + } else {
>
> I am ok with this. In fact I was going to do this the first time, but I
> thought their would be some explicit reason to avoid the additional
> run time overhead as the concat could be made at compile time.
Ok, this was in danger of starting with fmt in an unknown state. Latest
patch:
diff --git a/kernel/audit.c b/kernel/audit.c
@@ -148,6 +148,8 @@ DEFINE_MUTEX(audit_cmd_mutex);
* should be at least that large. */
#define AUDIT_BUFSIZ 1024
+char usermsg_format[64] = "";
+
/* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the
* audit_freelist. Doing so eliminates many kmalloc/kfree calls. */
#define AUDIT_MAXFREE (2*NR_CPUS)
@@ -714,11 +716,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct
nlmsghdr *nlh)
break;
}
audit_log_common_recv_msg(&ab, msg_type);
- if (msg_type != AUDIT_USER_TTY)
- audit_log_format(ab,
- "
msg='%.AUDIT_MESSAGE_TEXT_MAXs'",
+ if (msg_type != AUDIT_USER_TTY) {
+ if (unlikely(usermsg_format[0] == 0))
+ snprintf(usermsg_format,
+ sizeof(usermsg_format),
+ " msg=\'%%.%ds\'",
+ AUDIT_MESSAGE_TEXT_MAX);
+ audit_log_format(ab, usermsg_format,
(char *)data);
- else {
+ } else {
int size;
audit_log_format(ab, " data=");
- RGB
--
Richard Guy Briggs <rbri...@redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
