From a2ac27d04436891b55670054fc8cdc7ea9619ce3 Mon Sep 17 00:00:00 2001
From: Max N
Date: Thu, 14 Jul 2022 13:00:10 +0300
Subject: [PATCH 1/2] fix(auditStatus): Add support of kernel >= 2.6.32;

---
 CHANGELOG.md | 2 +-
 audit.go | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 604892c..577ec9c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,7 +12,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Fix change in behaviour that causes error when unmarshaling `AuditStatus` with a short buffer. [#110](https://github.com/elastic/go-libaudit/pull/110)
 - Reduce heap allocations when parsing and enriching auditd events. [#111](https://github.com/elastic/go-libaudit/pull/111)
 - Relax short buffer requirement further to allow for kernels that do not support the backlog wait feature. [#113](https://github.com/elastic/go-libaudit/pull/113)
-
+- Fix minimum `AuditStatus` length so that library can support kernels from 2.6.32. [#119](https://github.com/elastic/go-libaudit/pull/119)
 ### Removed
 
 ### Deprecated
diff --git a/audit.go b/audit.go
index af81577..a5f4fc5 100644
--- a/audit.go
+++ b/audit.go
@@ -606,12 +606,13 @@ type AuditStatus struct {
 const (
 sizeofAuditStatus = int(unsafe.Sizeof(AuditStatus{}))
 
- // MinSizeofAuditStatus is the minimum usable message size that
- // is acceptable for unmarshaling from the wire format. Messages
- // this size do not report features after the FeatureBitmap field.
+ // MinSizeofAuditStatus is the minimum usable message size for
+ // the earliest 2.6.32 kernel supported by Go lang.
+ // https://elixir.bootlin.com/linux/v2.6.32/source/include/linux/audit.h#L317
+ // Messages this size do not report features after the Backlog field.
 // Users should consult the feature bitmap to determine which
 // features are valid.
- MinSizeofAuditStatus = int(unsafe.Offsetof(AuditStatus{}.FeatureBitmap) + unsafe.Sizeof(AuditStatus{}.FeatureBitmap))
+ MinSizeofAuditStatus = int(unsafe.Offsetof(AuditStatus{}.Backlog) + unsafe.Sizeof(AuditStatus{}.Backlog))
 )
 
 func (s AuditStatus) toWireFormat() []byte {
From 51112c56273b09f112f5c8c8be390188fd8ee4d5 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Thu, 14 Jul 2022 15:53:56 -0400
Subject: [PATCH 2/2] Apply suggestions from code review

---
 CHANGELOG.md | 1 +
 audit.go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 577ec9c..e0add3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Reduce heap allocations when parsing and enriching auditd events. [#111](https://github.com/elastic/go-libaudit/pull/111)
 - Relax short buffer requirement further to allow for kernels that do not support the backlog wait feature. [#113](https://github.com/elastic/go-libaudit/pull/113)
 - Fix minimum `AuditStatus` length so that library can support kernels from 2.6.32. [#119](https://github.com/elastic/go-libaudit/pull/119)
+
 ### Removed
 
 ### Deprecated
diff --git a/audit.go b/audit.go
index a5f4fc5..1a4c1b4 100644
--- a/audit.go
+++ b/audit.go
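Review bot: The doc comment on `MinSizeofAuditStatus` in audit.go (PATCH 1/2) still ends with "Users should consult the feature bitmap to determine which features are valid", yet the new minimum stops at `Backlog`, so a minimum-size status message no longer carries `FeatureBitmap` at all. The decoder is outside this hunk; presumably it leaves absent fields at zero, and it should be confirmed that it never reads past a buffer that ends right after `Backlog`. I would reword the kept lines to say so, for example `// Messages this size carry no FeatureBitmap or later fields; callers must treat` / `// an absent (zero) bitmap as "no optional features" before reading those fields.` A test that unmarshals a buffer of exactly `MinSizeofAuditStatus` bytes, and one that is a byte shorter, would pin the new lower bound.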
@@ -607,7 +607,7 @@ const (
 sizeofAuditStatus = int(unsafe.Sizeof(AuditStatus{}))
 
 // MinSizeofAuditStatus is the minimum usable message size for
- // the earliest 2.6.32 kernel supported by Go lang.
+ // the earliest 2.6.32 kernel supported by Go.
 // https://elixir.bootlin.com/linux/v2.6.32/source/include/linux/audit.h#L317
 // Messages this size do not report features after the Backlog field.
 // Users should consult the feature bitmap to determine which