[PATCH v3.4] - audit cmdline on events

William Roberts bill.c.roberts at gmail.com
Tue Nov 19 00:41:18 UTC 2013


Draft versions of some work I have been doing auditing the cmdline
value on events. The reason for this is that I need to get the
package name in Android in the audit records. Oftentimes, the app dies
before userspace would be able to get it from procfs.


I'll (attempt) to summarize the feedback so far.

* RGB - Can we make this dynamic?
** This was nak'd by Steve Grubb and subsequently dropped from these patches.

* Stephen Smalley - Can we cache this in audit struct for performance concerns?
** I think I address this in patch 2

* Steve Grubb - Is cmdline generic enough? Should we extend
                prctl for an extended comm field?
** The heart of the matter is some spot the process can stick
   more than 16 chars of data. I think this meets that, without
   having to modify prctl.

* Steve Grubb - Can you use a user audit record?
** I can, but the downside is that it doesn't
   keep the same id with the related issues; you
   have to combine them by hand, by pid. Doesn't
   seem like a generic solution.


Right now, the cache never gets invalidated, as there is no kernel
interface on which to invalidate the cache. This would be one
win for adding to prctl.

Once we have a clear way forward on this, I can make the effort
to port to master.

[PATCH 1/2] audit: Allow auditing of proc/self/cmdline value
[PATCH 2/2] audit: Enable cacheing of cmdline in audit_context