• Peter Zijlstra's avatar
    audit: rework execve audit · bdf4c48a
    Peter Zijlstra authored
    The purpose of audit_bprm() is to log the argv array to a userspace daemon at
    the end of the execve system call.  Since user-space hasn't had time to run,
    this array is still in pristine state on the process' stack; so no need to
    copy it, we can just grab it from there.
    
    In order to minimize the damage to audit_log_*() copy each string into a
    temporary kernel buffer first.
    
    Currently the audit code requires that the full argument vector fits in a
    single packet.  So currently it does clip the argv size to a (sysctl) limit,
    but only when execve auditing is enabled.
    
    If the audit protocol gets extended to allow for multiple packets this check
    can be removed.
    Signed-off-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
    Signed-off-by: default avatarOllie Wild <aaw@google.com>
    Cc: <linux-audit@redhat.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    bdf4c48a
exec.c 35.8 KB