diff options
author | Peter Zijlstra <a.p.zijlstra@chello.nl> | 2007-07-19 04:48:15 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-07-19 13:04:45 -0400 |
commit | bdf4c48af20a3b0f01671799ace345e3d49576da (patch) | |
tree | 7c3b903d2de1cba6e212ad6f347bc8742b08035a /Documentation | |
parent | b111757c50ee30dad162192df6168e270a90c252 (diff) |
audit: rework execve audit
The purpose of audit_bprm() is to log the argv array to a userspace daemon at
the end of the execve system call. Since user-space hasn't had time to run,
this array is still in pristine state on the process' stack; so no need to
copy it, we can just grab it from there.
In order to minimize the damage to audit_log_*() copy each string into a
temporary kernel buffer first.
Currently the audit code requires that the full argument vector fits in a
single packet. So currently it does clip the argv size to a (sysctl) limit,
but only when execve auditing is enabled.
If the audit protocol gets extended to allow for multiple packets this check
can be removed.
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Ollie Wild <aaw@google.com>
Cc: <linux-audit@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/filesystems/proc.txt | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt index ebffdffb3d99..72e247ef6fa2 100644 --- a/Documentation/filesystems/proc.txt +++ b/Documentation/filesystems/proc.txt | |||
@@ -1065,6 +1065,13 @@ check the amount of free space (value is in seconds). Default settings are: 4, | |||
1065 | resume it if we have a value of 3 or more percent; consider information about | 1065 | resume it if we have a value of 3 or more percent; consider information about |
1066 | the amount of free space valid for 30 seconds | 1066 | the amount of free space valid for 30 seconds |
1067 | 1067 | ||
1068 | audit_argv_kb | ||
1069 | ------------- | ||
1070 | |||
1071 | The file contains a single value denoting the limit on the argv array size | ||
1072 | for execve (in KiB). This limit is only applied when system call auditing for | ||
1073 | execve is enabled, otherwise the value is ignored. | ||
1074 | |||
1068 | ctrl-alt-del | 1075 | ctrl-alt-del |
1069 | ------------ | 1076 | ------------ |
1070 | 1077 | ||