Description of problem: If the kernel sends a huge message to the audit userspace (>8k), audit userspace (somewhere) drops the message on the floor. The kernel doesn't typically send messages that big, but in Rawhide it's possible to send a message up to size 32k. I'd prefer to see audit userspace handle arbitrary message size, audit that it dropped something, really anything other than silently losing information. (P.S. I'm fixing the kernel to not be able to send such a large message where I know it is possible.)
recvfrom(3, "\275$\0\0\35\5\0\0\0\0\0\0\0\0\0\0audit(1191367234.497:17): a0=\"ls\"\na1=\"--color=tty\"\na2=\"dir1/file1\"\na3=\"dir1/file10\"\na4=\"dir1/file11\"\na5=\"dir1/file12\"\na6=\"dir1/file13\"\na7=\"dir1/file14\"\na8=\"dir1/file15\"\na9=\"dir1/file16\"\na10=\"dir1/file17\"\na11=\"dir1/file18\"\na12=\"dir1/file19\"\na13=\"dir1/file2\"\na14=\"dir1/file20\"\na15=\"dir1/file21\"\na16=\"dir1/file22\"\na17=\"dir1/file23\"\na18=\"dir1/file24\"\na19=\"dir1/file25\"\na20=\"dir1/file26\"\na21=\"dir1/file27\"\na22=\"dir1/file28\"\na23=\"dir1/file29\"\na24=\"dir1/file3\"\na25=\"dir1/file30\"\na26=\"dir1/file31\"\na27=\"dir1/file32\"\na28=\"dir1/file33\"\na29=\"dir1/file34\"\na30=\"dir1/file35\"\na31=\"dir1/file36\"\na32=\"dir1/file37\"\na33=\"dir1/file38\"\na34=\"dir1/file39\"\na35=\"dir1/file4\"\na36=\"dir1/file40\"\na37=\"dir1/file41\"\na38=\"dir1/file42\"\na39=\"dir1/file43\"\na40=\"dir1/file44\"\na41=\"dir1/file45\"\na42=\"dir1/file46\"\na43=\"dir1/file47\"\na44=\"dir1/file48\"\na45=\"dir1/file49\"\na46=\"dir1/file5\"\na47=\"dir1/file50\"\na48=\"dir1/file6\"\na49=\"dir1/file7\"\na50=\"dir1/file8\"\na51=\"dir1/file9\"\na52=\"dir2/file1\"\na53=\"dir2/file10\"\na54=\"dir2/file11\"\na55=\"dir2/file12\"\na56"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 8988
Created attachment 213671: strace of auditd when I exec'd ls with a huge arg list
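Added example, not code from the audit project or from the reporter. The strace line above already shows the loss: the first bytes of the datagram are its netlink header, "\275$\0\0\35\5\0\0", i.e. nlmsg_len 0x24bd = 9405 bytes and nlmsg_type 0x051d = 1309 (AUDIT_EXECVE), yet recvfrom() returned only 8988, the size of the buffer it was handed, so the kernel discarded the rest of the datagram. The block below contrasts that fixed-buffer read, now at least detecting the truncation through the MSG_TRUNC bit that recvmsg() sets in msg_flags (recvfrom() has no way to report it), with a peek-and-grow read that recovers the whole message. It stands in an AF_UNIX SOCK_DGRAM socketpair for the AF_NETLINK audit socket (both are datagram sockets and both flag a truncated read with MSG_TRUNC), builds a constructed record modelled on the execve message in the strace, and the helper names recv_fixed, recv_whole, build_execve_record and check_demo are this example's own.

```c
/* Added example, not auditd code: reading variable-size audit datagrams
 * without silently losing the tail. A SOCK_DGRAM socketpair stands in for
 * the AF_NETLINK audit socket, so this runs unprivileged. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Layout of struct nlmsghdr, spelled out to avoid <linux/netlink.h>. The
 * strace above starts "\275$\0\0\35\5\0\0": nlmsg_len 0x24bd = 9405 and
 * nlmsg_type 0x051d = 1309 (AUDIT_EXECVE), yet recvfrom() returned 8988. */
struct nlhdr { uint32_t nlmsg_len; uint16_t nlmsg_type, nlmsg_flags;
               uint32_t nlmsg_seq, nlmsg_pid; };
#define AUDIT_EXECVE_TYPE 1309

/* Fixed buffer, as in the strace: a longer datagram is cut at cap bytes and the
 * kernel discards the rest. recvmsg() at least reports it via MSG_TRUNC. */
static ssize_t recv_fixed(int fd, char *buf, size_t cap, int *truncated)
{
    struct iovec iov = { .iov_base = buf, .iov_len = cap };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    ssize_t n;
    do n = recvmsg(fd, &msg, 0); while (n < 0 && errno == EINTR);
    *truncated = (n >= 0 && (msg.msg_flags & MSG_TRUNC)) ? 1 : 0;
    return n;
}

/* Any size: MSG_PEEK leaves the datagram queued, so while the kernel flags
 * MSG_TRUNC, double the buffer and peek again; only the final recvmsg()
 * without MSG_PEEK dequeues it. Assumes a single reader on the socket. */
static ssize_t recv_whole(int fd, char **bufp, size_t *capp)
{
    for (;;) {
        struct iovec iov = { .iov_base = *bufp, .iov_len = *capp };
        struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
        ssize_t n = recvmsg(fd, &msg, MSG_PEEK);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (!(msg.msg_flags & MSG_TRUNC)) {
            do n = recvmsg(fd, &msg, 0); while (n < 0 && errno == EINTR);
            return n;
        }
        char *nb = realloc(*bufp, *capp * 2);
        if (!nb) return -1;
        *bufp = nb; *capp *= 2;
    }
}

/* Constructed record of exactly total bytes: header plus an "audit(...):"
 * body padded with aN="dir1/fileN" entries like the execve record above. */
static size_t build_execve_record(char *out, size_t total)
{
    static const char prefix[] = "audit(1191367234.497:17): ";
    struct nlhdr h = { .nlmsg_len = (uint32_t)total, .nlmsg_type = AUDIT_EXECVE_TYPE };
    size_t pos = sizeof h + sizeof prefix - 1;
    if (total < pos) return 0;
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, prefix, sizeof prefix - 1);
    for (int i = 0; pos < total; i++) {
        char item[48];
        size_t len = (size_t)snprintf(item, sizeof item, "a%d=\"dir1/file%d\"\n", i, i + 1);
        if (len > total - pos) len = total - pos;
        memcpy(out + pos, item, len);
        pos += len;
    }
    return pos;
}

/* Send one record twice over a socketpair and read it both ways. Returns 1 when
 * recv_fixed() yields exp_fixed bytes with truncation flag exp_trunc and
 * recv_whole() yields exp_whole bytes that agree with their own nlmsg_len. */
static int check_demo(size_t msg_size, size_t bufcap,
                      ssize_t exp_fixed, int exp_trunc, ssize_t exp_whole)
{
    int sv[2], big = 1 << 16, trunc = 0, ok = 0;
    ssize_t fixed_n, whole_n;
    uint32_t declared = 0;
    size_t cap = bufcap;
    char *rec = malloc(msg_size), *buf = malloc(bufcap);
    if (!rec || !buf || socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) goto out_mem;
    setsockopt(sv[0], SOL_SOCKET, SO_SNDBUF, &big, sizeof big); /* tiny default on some OSes */
    setsockopt(sv[1], SOL_SOCKET, SO_RCVBUF, &big, sizeof big);
    if (build_execve_record(rec, msg_size) != msg_size ||
        send(sv[0], rec, msg_size, 0) != (ssize_t)msg_size ||
        send(sv[0], rec, msg_size, 0) != (ssize_t)msg_size) goto out;
    fixed_n = recv_fixed(sv[1], buf, bufcap, &trunc);
    whole_n = recv_whole(sv[1], &buf, &cap);
    if (whole_n >= (ssize_t)sizeof declared) memcpy(&declared, buf, sizeof declared);
    ok = fixed_n == exp_fixed && trunc == exp_trunc &&
         whole_n == exp_whole && declared == (uint32_t)whole_n;
    printf("msg %zu, buf %zu: fixed read %zd (truncated=%d), whole read %zd (nlmsg_len %u)\n",
           msg_size, bufcap, fixed_n, trunc, whole_n, declared);
out:
    close(sv[0]); close(sv[1]);
out_mem:
    free(rec); free(buf);
    return ok;
}

int main(void)
{   /* the 9405-byte record from the strace into its 8988-byte buffer */
    return check_demo(9405, 8988, 8988, 1, 9405) && check_demo(100, 8988, 100, 0, 100) ? 0 : 1;
}
```

On a real netlink socket the doubling loop can be shortened: recvmsg() with MSG_PEEK|MSG_TRUNC returns the full datagram length in one call, after which a single allocation and a plain recvmsg() suffice. Independently of either strategy, comparing nlmsg_len in the header with the byte count actually returned is a cheap check that turns a silent drop into something the daemon can log, which is what the reporter asks for as the minimum.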
Since 1.6.4, the audit daemon now logs that a message was too large. This is about all that can be done given the design.