<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Oct 29, 2013 at 12:01 PM, Steve Grubb <span dir="ltr"><<a href="mailto:sgrubb@redhat.com" target="_blank">sgrubb@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hello,<br> <div class="im"><br> On Tuesday, October 29, 2013 10:44:48 AM William Roberts wrote:<br> > On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb <<a href="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a>> wrote:<br> > > On Monday, October 28, 2013 04:50:38 PM William Roberts wrote:<br> </div><div class="im">> I'm 100% ok with the dynamic option changing it from NULL to a real value<br> > IMO a like that better then what I currently have.<br> ><br> > Old:<br> > type=1300 msg=audit(1383022671.232:230): arch=40000028<br> <br> </div>This arch is not defined:<br> arch=unknown elf type(40000028)<br> <br> Which one is it?<br></blockquote><div><br></div><div>FYI this is on Android with my patch backported to a 3.4 Kernel, so pretty much all of my testing is</div><div>around this setup. Also were running a custom stripped down auditd over here, so it doesn't fix anything up.</div> <div><br></div><div>The architecture is ARM</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> <div class="im"><br> > syscall=54<br> > per=840000 success=yes exit=0 a0=23 a1=fa05 a2=0 a3=74e1ee34 items=0<br> > ppid=298 pid=1431 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027<br> > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295<br> > comm=4173796E635461736B202331<br> <br> </div>comm=AsyncTask #1<br> <div class="im"><br> > exe="/system/bin/app_process" subj=u:r:nfc:s0<br> > key=(null)<br> ><br> > Issue:<br> > comm field in task is only 16 chars,<br> <br> </div>Yes, its a limitation on ALL arches.<br> <div class="im"><br> > to small for most package names, and<br> > already contains the VM command. I really have no information of what<br> > Android App has created the issue.<br> <br> </div>This is true for all arches. Usually you can have it pretty narrowly defined to<br> where you have a pretty good guess between 2 or 3 apps with the same root<br> name. But in your case its totally named wrong.<br></blockquote><div><br></div><div>I could set the title via prctl and PR_SET_NAME, but again I would be limited</div><div>at 16 bytes, at least with cmdline I am limited at a page. As a simple example,</div> <div>a basic example from samsung gets truncated.</div><div><br></div><div>com.samsung.myapp</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> <div class="im"><br> <br> > Solution:<br> > Get the proc cmdline info (not trust worthy, but can help debugging Android)<br> ><br> > type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 per=840000<br> > success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1<br> > ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027<br> > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295<br> > comm=4173796E635461736B202331 exe="/system/bin/app_process"<br> > cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)<br> ><br> > Now I know it was the NFC app<br> <br> </div>What do you get on x86_64 auditing a shell or python script with your same<br> patch? Also, does cmdline potentially include arguments?<br></blockquote><div><br></div><div>I would have to get back to you on this, but whatever is set in /proc/<pid>/cmdline shows up here, which means</div><div> it could have arguments etc.</div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> <span class=""><font color="#888888"><br> -Steve<br> </font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br>Respectfully,<br><br>William C Roberts<br><br> </div></div>