Hash ideas on adding an extended comm field

William Roberts bill.c.roberts at gmail.com
Mon Nov 11 15:52:30 UTC 2013


Previously I posted a patch to print during audit the proc/self/cmdline
value.

Steve Grubb had some concerns, as he has seen this before of "let's fix this
once and for all, properly".

The major concerns (consolidated) were:
1. The value could be set by the process at runtime and therefore easily
spoofed
2. The value could be too large (truncated at page level)
3. Performance concerns of copying a whole page from userspace on every
record

Steve Grubb proposed adding some field in struct task and extending the
prctl interface for getter/setter.

My concern here is the spoofing portion. Obviously this needs to be
controlled by someone other than the process to which this applies; right
now the PR_SET_NAME would have the same issue as cmdline, except be
truncated to 16 bytes.

I don't see any capabilities or restrictions on existing prctl interfaces,
outside of the MAC hook.

Can anyone chime in and either tell me my concerns are overkill or what
here?

I don't want to go coding down a bad path on this.

-- 
Respectfully,

William C Roberts
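
The PR_SET_NAME behaviour the message refers to, as an added example that is not part of the original post or of any kernel patch: on Linux an unprivileged process sets its own comm and the kernel silently keeps only 15 bytes plus the terminating NUL, which is why a comm value in an audit record identifies nothing on its own. The function names and sample strings are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

#define COMM_LEN 16 /* kernel TASK_COMM_LEN: 15 bytes plus NUL */

/* Hypothetical helper: set the calling thread's comm to `wanted` and read
 * back what the kernel stored. No capability is required for either call.
 * Returns 0 on success, -1 if a prctl call fails. */
int set_and_read_comm(const char *wanted, char stored[COMM_LEN])
{
    memset(stored, 0, COMM_LEN);
    if (prctl(PR_SET_NAME, (unsigned long)wanted, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_GET_NAME, (unsigned long)stored, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Hypothetical helper: 1 if the kernel kept only a prefix of `wanted`. */
int comm_truncated(const char *wanted, const char *stored)
{
    size_t kept = strlen(stored);
    return strlen(wanted) > kept && strncmp(wanted, stored, kept) == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *samples[] = { "short-name", "example-long-process-name" };
    char stored[COMM_LEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (set_and_read_comm(samples[i], stored) != 0) {
            perror("prctl");
            return 1;
        }
        printf("requested=%-26s stored=%-16s truncated=%d\n",
               samples[i], stored, comm_truncated(samples[i], stored));
    }
    return 0;
}
```
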