[PATCH] audit: Add cmdline to taskinfo output

William Roberts bill.c.roberts at gmail.com
Tue Oct 29 19:12:29 UTC 2013


On Tue, Oct 29, 2013 at 12:01 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> Hello,
>
> On Tuesday, October 29, 2013 10:44:48 AM William Roberts wrote:
> > On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> > > On Monday, October 28, 2013 04:50:38 PM William Roberts wrote:
> > I'm 100% ok with the dynamic option changing it from NULL to a real value.
> > IMO I like that better than what I currently have.
> >
> > Old:
> > type=1300 msg=audit(1383022671.232:230): arch=40000028
>
> This arch is not defined:
> arch=unknown elf type(40000028)
>
> Which one is it?
>

FYI this is on Android with my patch backported to a 3.4 kernel, so pretty
much all of my testing is around this setup. Also, we're running a custom
stripped-down auditd over here, so it doesn't fix anything up.

The architecture is ARM


>
> > syscall=54
> > per=840000 success=yes exit=0 a0=23 a1=fa05 a2=0 a3=74e1ee34 items=0
> > ppid=298 pid=1431 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027
> > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295
> > comm=4173796E635461736B202331
>
> comm=AsyncTask #1
>
> > exe="/system/bin/app_process" subj=u:r:nfc:s0
> > key=(null)
> >
> > Issue:
> > comm field in task is only 16  chars,
>
> Yes, it's a limitation on ALL arches.
>
> > too small for most package names, and
> > already contains the VM command. I really have no information of what
> > Android App has created the issue.
>
> This is true for all arches. Usually you can have it pretty narrowly
> defined to where you have a pretty good guess between 2 or 3 apps with the
> same root name. But in your case it's totally named wrong.
>

I could set the title via prctl and PR_SET_NAME, but again I would be
limited to 16 bytes; at least with cmdline I am limited to a page. As a
simple example, a basic example from Samsung gets truncated:

com.samsung.myapp


>
>
> > Solution:
> > Get the proc cmdline info (not trustworthy, but can help debugging
> > Android)
> >
> > type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5
> > per=840000
> > success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1
> > ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027
> > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295
> > comm=4173796E635461736B202331 exe="/system/bin/app_process"
> > cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)
> >
> > Now I know it was the NFC app
>
> What do you get on x86_64 auditing a shell or python script with your same
> patch? Also, does cmdline potentially include arguments?
>

I would have to get back to you on this, but whatever is set in
/proc/<pid>/cmdline shows up here, which means it could have arguments etc.


>
> -Steve
>



-- 
Respectfully,

William C Roberts
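Added example, not code from this thread or from the audit project: a small C program that shows the three limits the exchange turns on. comm_truncate() mirrors the 16-byte comm buffer (TASK_COMM_LEN, 15 characters plus NUL, the same buffer PR_SET_NAME writes), so "com.samsung.myapp" comes out as "com.samsung.mya"; audit_needs_hex() mirrors the kernel's audit_string_contains_control_chars() rule, which is why the space in "AsyncTask #1" makes the record carry comm=4173796E635461736B202331, and audit_hex_decode() turns that back into text; cmdline_argc()/cmdline_argv0() parse the NUL-separated layout of /proc/<pid>/cmdline, where everything after argv[0] is an argument and the whole buffer is writable by the process itself, which is the sense in which the field is not trustworthy. The helper names are my own; on Linux, main() also checks the comm limit live through prctl() and reads its own cmdline.

```c
/* Added example, not code from the thread or the audit project.
 * Pure helpers mirror the kernel limits under discussion; main() checks
 * them against a live process on Linux (prctl, /proc/self/cmdline). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

#define TASK_COMM_LEN 16   /* kernel comm buffer: 15 bytes + NUL */

/* comm truncation: the kernel copies the name into a 16-byte buffer,
 * so "com.samsung.myapp" becomes "com.samsung.mya". */
void comm_truncate(const char *name, char out[TASK_COMM_LEN])
{
    strncpy(out, name, TASK_COMM_LEN - 1);
    out[TASK_COMM_LEN - 1] = '\0';
}

/* Mirror of the kernel's audit_string_contains_control_chars(): a value is
 * logged as hex instead of quoted if it holds '"' or any byte outside
 * 0x21..0x7e.  A space (0x20) is what hex-encodes "AsyncTask #1". */
int audit_needs_hex(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '"' || c < 0x21 || c > 0x7e)
            return 1;
    }
    return 0;
}

/* Decode a hex-encoded audit field value.  Returns the decoded length, or
 * -1 on odd length, a non-hex digit, or an output buffer too small. */
int audit_hex_decode(const char *hex, char *out, size_t outlen)
{
    size_t n = strlen(hex), i;
    if (n % 2 != 0 || n / 2 + 1 > outlen)
        return -1;
    for (i = 0; i < n; i += 2) {
        char pair[3] = { hex[i], hex[i + 1], '\0' };
        if (!isxdigit((unsigned char)pair[0]) || !isxdigit((unsigned char)pair[1]))
            return -1;
        out[i / 2] = (char)strtoul(pair, NULL, 16);
    }
    out[n / 2] = '\0';
    return (int)(n / 2);
}

/* /proc/<pid>/cmdline is argv joined with NUL bytes, so any content after
 * the first NUL is an argument, not part of the program name. */
int cmdline_argc(const char *buf, size_t len)
{
    int argc = 0;
    size_t i;
    for (i = 0; i < len; i++)
        if (buf[i] == '\0')
            argc++;
    return argc;
}

/* Copy argv[0] (the part an auditor usually wants) out of a cmdline buffer. */
int cmdline_argv0(const char *buf, size_t len, char *out, size_t outlen)
{
    const char *nul = memchr(buf, '\0', len);
    size_t n = nul ? (size_t)(nul - buf) : len;
    if (n + 1 > outlen)
        return -1;
    memcpy(out, buf, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char comm[TASK_COMM_LEN], decoded[64];

    comm_truncate("com.samsung.myapp", comm);
    printf("comm would be: %s\n", comm);
    if (audit_hex_decode("4173796E635461736B202331", decoded, sizeof decoded) > 0)
        printf("comm=4173...31 is \"%s\" (hex needed: %d)\n", decoded, audit_needs_hex(decoded));
#ifdef __linux__
    {
        char buf[4096], argv0[256];
        FILE *f;
        /* PR_SET_NAME writes the same 16-byte comm buffer, so it truncates too. */
        prctl(PR_SET_NAME, "com.samsung.myapp", 0, 0, 0);
        prctl(PR_GET_NAME, comm, 0, 0, 0);
        printf("PR_GET_NAME: %s\n", comm);
        if ((f = fopen("/proc/self/cmdline", "rb")) != NULL) {
            size_t len = fread(buf, 1, sizeof buf, f);
            fclose(f);
            if (cmdline_argv0(buf, len, argv0, sizeof argv0) >= 0)
                printf("cmdline: argv0=%s, %d argument(s)\n", argv0, cmdline_argc(buf, len));
        }
    }
#endif
    return 0;
}
```

Run it with a few extra arguments to see them turn up in the cmdline count; the comm and PR_GET_NAME lines both stop at 15 characters, which is the truncation the thread is about.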